$SK =$ Secret Key (aka. Private Key)

$PK =$ Public Key

# Initial Connection(s)

```sequence
Participant Node
Participant Coordinator
Note right of Coordinator: Generate CA:SK & CA:PK\n \nSigns CA:PK with CA:SK (CA:S)\n \nPublishes (CA:PK || CA:S) as CA:C
Note left of Node: Generate N:SK & N:PK
Node->Coordinator: Establishes connection
Coordinator->Node: Sends CA:PK
Note left of Node: Signs CA:PK with N:SK (N:CA:S)
Node->Coordinator: Sends N:PK, N:CA:S
Note right of Coordinator: Verify N:CA:S using N:PK\n \nThus proving the node\nhas N:SK via signing
Note right of Coordinator: Signs N:PK with CA:SK (N:CA:S)\n \n(N:PK || N:CA:S) becomes (N:C)\n \nSave N:C to certificate store\n \nThe "fingerprint" of\nN:C would be H(N:C)
Coordinator->Node: Sends N:C
Note left of Node: Save N:C for future use
```

# Subsequent Connection

### AKA "phase 2" or node-to-node

```sequence
Participant Node
Participant Coordinator
Node->Coordinator: Establishes connection
Coordinator->Node: Sends CA:PK\n(renamed to CO:PK to avoid confusion)
Note left of Node: Signs CO:PK with N:SK (N:CO:S)
Node->Coordinator: Sends N:C, N:CO:S
Note right of Coordinator: Lookup N:C in CRL\nby "fingerprint"
Note right of Coordinator: Verify N:C by splitting into\nN:PK && N:CA:S\n \nVerify N:CA:S using CA:PK from CA:C\n \nThus proving the cert\nis valid and the N:PK is real
Note right of Coordinator: Verify N:CO:S with N:PK\n from N:C\n \nThus proving that the\nnode has knowledge of N:SK
```
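Both diagrams, carried through as an added Go example that is not part of the original page: the coordinator side of the initial enrollment (proof of possession over CA:PK, then issuance of N:C) and of the subsequent connection (CRL lookup by fingerprint, N:CA:S check, N:CO:S check, in the diagram's order). Ed25519 for the signatures, SHA-256 for H(N:C), and the omission of the certificate store are assumptions; the page fixes neither algorithm.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

type Cert struct{ PK ed25519.PublicKey; Sig []byte } // N:C = (N:PK || N:CA:S)

// Fingerprint is H(N:C); SHA-256 over PK||Sig is an assumption, the page only says H().
func Fingerprint(c Cert) [32]byte { return sha256.Sum256(append(append([]byte{}, c.PK...), c.Sig...)) }

// Coordinator owns CA:SK/CA:PK and the revocation list (CRL) keyed by fingerprint.
type Coordinator struct {
	sk  ed25519.PrivateKey
	PK  ed25519.PublicKey // CA:PK, presented as CO:PK on later connections
	crl map[[32]byte]bool
}

func NewCoordinator() *Coordinator {
	pk, sk, _ := ed25519.GenerateKey(rand.Reader)
	return &Coordinator{sk: sk, PK: pk, crl: map[[32]byte]bool{}}
}

// Enroll (initial connection): popSig must be the node's signature over CA:PK, proving N:SK; only then is N:C issued.
func (c *Coordinator) Enroll(nodePK ed25519.PublicKey, popSig []byte) (Cert, error) {
	if len(nodePK) != ed25519.PublicKeySize || !ed25519.Verify(nodePK, c.PK, popSig) {
		return Cert{}, errors.New("proof of possession failed: node lacks N:SK")
	}
	return Cert{PK: nodePK, Sig: ed25519.Sign(c.sk, nodePK)}, nil
}

// Revoke puts H(N:C) on the CRL so that cert is refused on subsequent connections.
func (c *Coordinator) Revoke(cert Cert) { c.crl[Fingerprint(cert)] = true }

// Authenticate (subsequent connection), in the diagram's order: CRL, then N:CA:S under CA:PK, then N:CO:S under N:PK.
func (c *Coordinator) Authenticate(cert Cert, popSig []byte) error {
	switch {
	case len(cert.PK) != ed25519.PublicKeySize:
		return errors.New("malformed N:C: bad N:PK length")
	case c.crl[Fingerprint(cert)]:
		return errors.New("certificate is revoked")
	case !ed25519.Verify(c.PK, cert.PK, cert.Sig):
		return errors.New("N:CA:S invalid: certificate not issued by this CA")
	case !ed25519.Verify(cert.PK, c.PK, popSig):
		return errors.New("N:CO:S invalid: peer does not hold N:SK")
	}
	return nil
}
```

The node side is just the two signatures the diagrams show: `ed25519.Sign(nodeSK, coordinatorPK)` for N:CA:S at enrollment and again for N:CO:S on each later connection.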