+
+ # In order to get a Blob from Keep, you have to prove either
+ # [a] you have recently written it to Keep yourself, or
+ # [b] apiserver has recently decided that you should be able to read it
+ #
+ # To ensure that the requestor of a blob is authorized to read it,
+ # Keep requires clients to timestamp the blob locator with an expiry
+ # time, and to sign the timestamped locator with their API token.
+ #
+ # A signed blob locator has the form:
+ # locator_hash +A blob_signature @ timestamp
+ # where the timestamp is a Unix time expressed as a hexadecimal value,
+ # and the blob_signature is the signed locator_hash + API token + timestamp.
+ #