Skip to content

Commit 7295a2f

Browse files
committed
editorial: coherence pass after the Q11 and crypto-agility changes
Add a JOSE/PASETO entry to the primer's borrowings catalogue, which the spec now leans on but the list omitted, and remove a declines/declined repetition in the Section 7.1 envelope description. Full pass over spec, primer, README, extensions, and vectors found no other drift from the open-question split, Q11 close, or crypto-agility separation. Signed-off-by: Chris Raynor <chris@raynor.tech>
1 parent d141f5d commit 7295a2f

2 files changed

Lines changed: 2 additions & 1 deletion

File tree

primer.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -224,6 +224,7 @@ The specification leans on other systems' scar tissue. The load-bearing borrowin
224224
- **The aviation security model** supplies transitive trust: a small set of named regime tiers, a trust floor carried with the payload and lowered by the weakest hop, and re-screening at the destination's discretion. Named tiers, not a continuous trust score, because a score is illegible and gameable.
225225
- **PKI's revocation problem** supplies the grant lifecycle: offline-verifiable delegation and timely revocation are in fundamental tension, so in safety contexts short-lived grants that must be renewed beat long-lived grants that must be revoked. Expiry is a connectivity-free dead-man's switch.
226226
- **Blockchain** is mined for primitives and refused as architecture: hash-linked logs (tamper-evidence without consensus), threshold signatures (one stable verification key over a churning committee), self-certifying identifiers. Global total-order consensus in a dispatch path is a category error; resource-side fencing gives a stronger local guarantee instantly.
227+
- **JOSE's `alg` attacks** (`alg: none`, and the RS256-to-HS256 key confusion) supply the algorithm-agility discipline: an algorithm field a token can set is the vulnerability, not the hedge. The specification keeps agility but takes the choice off the artifact, binding the algorithm to the trusted anchor (the signer's key, the content address) and leaving the verifier an allowlist. That is PASETO's anti-negotiation posture, reached here through identity-binding rather than versioned cipher suites.
227228
- **libp2p** is the closest existing substrate (peer identity as key hash, modular transports, mDNS and DHT discovery, protocol negotiation), but it was declined as the base: it is welded to protobuf peer identifiers, which the canonical-encoding mandate rules out, so the substrate machinery is reimplemented behind a thin port instead (question 11, resolved).
228229

229230
The deliberate posture throughout is compose, not replace. Zenoh, DDS, SPIFFE, DIDs, UCAN, TUF, Zigbee, Matter: every incumbent named in the specification is a potential host or component, not a competitor. The project admires them; the contract layer exists because no one of them spans the four concerns, not because any of them is wrong.

spec.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -281,7 +281,7 @@ Authoring surface -> Contract definitions -> Wire encoding -> Tra
281281
```
282282

283283
- **Authoring**: YAML for static declarative definitions; Starlark for programmatic ones (parameterized or templated generation, with deterministic sandboxed evaluation and no arbitrary I/O). Both compile to identical contract definitions, and the choice is ergonomic, not semantic. This equivalence is a load-bearing invariant, not a convenience: programmatic authoring MUST NOT express anything a static definition could not, and a node never receives or runs Starlark, only the compiled declarative contract. The day generation can emit what a static definition cannot, the legibility separation has been broken.
284-
- **Wire**: a compact, schema-defined binary encoding, compiled, never authored by hand and never surfaced to users. It is an encoding, not a transport, and rides whatever transport Section 6 selects. The encoding is **deterministic CBOR**, mandated as the one universal artifact form, not a per-deployment choice. Definitions, grants, and attestations are content-addressed and signed (Section 7.2), so the same logical artifact MUST produce identical bytes everywhere, or a hash or a signature stops verifying the moment it crosses a bridge (Section 6.4). The requirements the encoding meets are load-bearing. It MUST be canonical, so verification stays byte-identical. It MUST be implementable on a constrained device without a heavy toolchain or a transitive dependency tree. It SHOULD stay inspectable enough to diagnose in the field. CBOR meets all three. Protobuf does not: it is non-canonical by default, opaque on the wire, and heavy to embed, and a libp2p substrate would drag it in (question 11). The signed envelope is a minimal owned shape, canonical-CBOR claims plus a signature plus a small header. It is a JWT-family construct, a CBOR Web Token in all but the COSE wrapper, and it declines that wrapper deliberately. COSE was evaluated and declined: it is heavier than the requirement, and it does not by itself enforce the exactly-one-valid-encoding rule that content-addressing needs.
284+
- **Wire**: a compact, schema-defined binary encoding, compiled, never authored by hand and never surfaced to users. It is an encoding, not a transport, and rides whatever transport Section 6 selects. The encoding is **deterministic CBOR**, mandated as the one universal artifact form, not a per-deployment choice. Definitions, grants, and attestations are content-addressed and signed (Section 7.2), so the same logical artifact MUST produce identical bytes everywhere, or a hash or a signature stops verifying the moment it crosses a bridge (Section 6.4). The requirements the encoding meets are load-bearing. It MUST be canonical, so verification stays byte-identical. It MUST be implementable on a constrained device without a heavy toolchain or a transitive dependency tree. It SHOULD stay inspectable enough to diagnose in the field. CBOR meets all three. Protobuf does not: it is non-canonical by default, opaque on the wire, and heavy to embed, and a libp2p substrate would drag it in (question 11). The signed envelope is a minimal owned shape, canonical-CBOR claims plus a signature plus a small header. It is a JWT-family construct, a CBOR Web Token in all but the COSE wrapper. COSE was evaluated and declined: it is heavier than the requirement, and it does not by itself enforce the exactly-one-valid-encoding rule that content-addressing needs.
285285

286286
The mandated encoding is future-proofed by two declared mechanisms, kept deliberately separate (the separation law, Section 1), because a wire format outlives the assumptions it was written under and the two kinds of change must not gate each other.
287287

0 commit comments

Comments
 (0)