This module processes a collection of certificates to yield an authorization result. The SPKI theory RFC [2] describes a tuple-reduction process as an example. The Pisces implementation uses a search mechanism that has the same semantics.
This module is a little out of date. It uses the pisces.spkilib.database interface instead of the higher-level pisces.spkilib.keystore interface. It will be revised before the final version 1.0 release.
A Verifier uses an access control list acl, a collection of certificates cert, and a collection of public keys keys to make access control decisions. Each argument should be a database from pisces.spkilib.database: acl is a ACL, cert is a CertificateDatabase, and keys is a PrincipalDatabase.
This method searches through the collection of certificates to find a valid chain from an access control list entry to the principal making the request. The return value is a sequence of certificates forming a valid chain. The first entry in the sequence is a pisces.spkilib.spki.Entry object. Each subsequent element will be a certificate delegating some permissions from the previous element to the next element. The last element will delegate permissions to the principal.
There is a delegate argument, because there can not be more than one non-delegate-able certificate between a valid delegate-able certificate and the principal requesting permission. That one certificate is the one that grants permissions to the principal, but doesn't allow the principal to delegate further. The delegate flag should always be true when called recursively.
A ReferenceMonitor provides a simpler interface to a Verifier. The constructor arguments for ReferenceMonitor are the same as for Verifier.