Creating additional delegations is possible, yes. If I’m not mistaken, the limit is ~10 delegation levels that can be used at most.
If so, what would this look like?
So in the current model that is used with II, we have one delegation and the root is the II canister.
So:
II canister signs delegation on session key
Session key signs canister call envelopes (and includes the delegation as specified here in sender_delegation), to get the identity of the II issued public key.
Now, to add additional delegation levels, the scenario could look like this:
II canister signs delegation on some key A
Key A signs a delegation on Key B
Key B signs canister call envelopes (and includes both delegations issued in step 1 and 2 as specified here in sender_delegation), to get the identity of the II issued public key. The caller will still be the II issued public key from step 1.
Note that in step two there is an opportunity to further restrict the permissions associated with the delegation. In particular, the delegation from key A to B might have a shorter expiration time and / or a more restricted set of allowed targets.
@icme: In particular key A and B might belong to different parts of the application, where A might be some sort of session management system and B a consumer that only requires some limited access to certain things.