docs: Layer 4 — rotation, revocation, key lifecycle
Captures the decisions from the Layer 4 conversation with Scott:

- Default narrowing on a single post = Layer 2 revocation (existing).
- Advanced narrowing of read access = full re-issue with optional supersedes_post_id link (network-heavy, opt-in).
- V_me rotation = the persona-wide revocation primitive. Generate new V_me, distribute to non-revoked vouchees via next bio-post batch.
- Receiver-chain model: receivers append new V_me alongside old (not overwrite). Trial-unwrap iterates the chain.
- Grandfather by default: CDN is V_me-blind, so rotation does NOT auto-cascade comment deletions. Revoked vouchee retains comment authority on old posts unless author opts to cascade per-pub_x revocations.
- Per-post cascade is opt-in. Local-only own_post_slot_provenance table lets author query "which pub_x's in my posts were sealed under V_me_old?" and publish per-pub_x RevocationEntries.
- New optional KeyBurnDiff primitive (signed header-diff) swaps a V_me_old wrap_slot for a V_me_new one in-place on a specific post. For the leaked-V_me scenario. Body CEK unchanged.
- Skeleton's PostKeyRotation record removed entirely.
- Layer 1 updated: rotation is append-only at receivers; pointer to Layer 4. Multi-epoch bio-post-batch toggle hook added.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
parent 4123e032cb
commit 971766cb3c
3 changed files with 130 additions and 79 deletions
29
sessions.md
@ -65,6 +65,35 @@ See `CONTRIBUTING.md` for the protocol. See `AGENTS.md` for the Claude-specific
**Stopping point**: commit `b8b38a6` (Layer 1) + new commit for Layer 2 both on branch; not merged. Awaiting Scott.
### Update 2026-05-13 — Layer 4 written (rotation + revocation + key lifecycle)
Iterative session with Scott. Recap of where the model landed:
**Rotation/revocation model (now in spec)**:
- Default narrowing of comment authority on a post = Layer 2 revocation (existing mechanism). No new wire primitive.
- Advanced narrowing of read access = full re-issue with `supersedes_post_id` link. Discouraged due to network overhead.
- `V_me` rotation = the persona-wide revocation primitive. Generate new V_me, distribute via next bio-post batch to non-revoked vouchees only. Revoked person retains old V_me.
- Receiver-chain model: receiver appends new V_me to `vouch_keys_received` (does NOT overwrite). Trial-unwrap iterates the chain. UX-wise the "current" key is the newest; older epochs are archived but kept for historical decrypts.
- **Grandfather-by-default**: CDN is V_me-blind, so rotation does NOT auto-cascade comment deletion. Revoked vouchee keeps comment authority on old posts unless the author opts to cascade per-pub_x revocations.
- **Per-post cascade is opt-in**: author can query a local `own_post_slot_provenance` table to find pub_x's sealed under V_me_old in any of their posts, then publish per-pub_x RevocationEntries to cascade.
- **Key-burn primitive (new, optional)**: signed `KeyBurnDiff` swaps an old wrap_slot for a new one in-place on a specific post. Used when V_me leaked and the author wants to scrub it from the CDN copy of old posts. Body CEK unchanged; affects future fresh-decrypts only.
**Cryptographic stack confirmed (Scott reconfirmed)**:
- Body encryption: symmetric ChaCha20-Poly1305 under CEK. PQ-safe.
- Wrap_slots: AEAD under V_x. PQ-safe.
- Comment signing: **asymmetric Ed25519** (per-V_x per-post `(pub_x, priv_x)`). NOT PQ-safe; ML-DSA-65 migration deferred. Scott confirmed the asymmetric-for-signing tradeoff is intentional — it's what makes CDN-level bandwidth-DoS filtering work.
**Files touched in this round**:
- `docs/fof-spec/layer-4-keypair-rotation.md`: full rewrite from skeleton.
- `docs/fof-spec/layer-1-vouch-primitive.md`: rotation language updated to point at Layer 4's append-only model; multi-epoch UI hook added.
**Branch state**: `docs/fof-spec-layer1-bio-grants` (despite the name, holds all Layer 1–4 spec work). Commit pending. Not merged per Scott's standing instruction.
**Pending**:
- Layer 5 (unlock cache + prefilter): existing skeleton text still reflects single per-post keypair model. Needs reconciliation with per-V_x model from Layer 2.
- Layer 3 (Mode 1): partially-superseded banner still present. Needs Scott/Opus reconciliation pass.
- Layer 6 (revocation): stub still. Largely obviated by Layer 4 work.
### Update 2026-04-24 — Layer 3 round 2 (last two open questions)
Two follow-up questions resolved:
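Review bot: the "Key-burn primitive (new, optional)" bullet should state the limit of what the in-place wrap_slot swap achieves rather than only "affects future fresh-decrypts only": since the body CEK is unchanged and the CDN is V_me-blind, anyone who fetched the post header before the `KeyBurnDiff` landed, or who already unwrapped the CEK with the leaked V_me, can still decrypt that post, so the primitive scrubs the current CDN copy and gives no retroactive confidentiality. The same caveat belongs once in the "Grandfather-by-default" bullet, because "Revoked person retains old V_me" together with the append-only `vouch_keys_received` chain means rotation alone never removes read access to anything already published under V_me_old; a reader skimming the recap could take "persona-wide revocation primitive" to mean more than that. Separately, "Commit pending" in the "Branch state" bullet is stale as of this commit.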