This section describes various accounts used in SKFS.

The most important element of cryptographic security is to protect cryptographic keys from unauthorized entities. All unauthorized entities, when launching an attack on a system, must compromise some credential of the system before attempting to gain access to cryptographic keys. No matter which credential gets compromised first, the target credential required by attackers is the root superuser of the system or the strongkey owner of the application—the credential authorized to execute the web service application's cryptographic functions. The web service applicationID has direct access to key material, while the superuser—with the ability to assume any user's identity on a system, including that of the applicationID—has indirect access.

Consequently, protecting data on the SKFS server comes down to ensuring that the web service application credential is protected, while placing strong controls on the superuser of the system.