Sovereign Identity Attestation Specification

Cryptographically verifiable identity for every human, agent, and MCP principal in the DEFONEOS estate. Ed25519-signed attestations. BFT witness quorum. Zero external identity provider. Zero US CLOUD Act exposure.

Ed25519
Signature Scheme
3
Witness Quorum
0
External IdP
3
Principal Types

1. Overview

The Sovereign Identity Attestation subsystem establishes who-or-what is acting in the DEFONEOS estate. Every action โ€” a tool invocation, a BFT vote, a SIGIL emission, a secret access โ€” carries a signed attestation from a cryptographically identified principal.

There are three principal types:

Sovereignty invariant: Identity lives in DEFONEOS hardware, not in Auth0/Okta/Firebase/Clerk/WorkOS. There is no external identity provider to subpoena, no US jurisdiction to comply with, no CLOUD Act exposure. Identity IS the sovereign attestation.

2. Identity Primitives

2.1 Ed25519 Keys

Every principal holds an Ed25519 keypair. The public key is the principal's identity. The private key never leaves the principal's hardware boundary.

PrincipalPrivate Key CustodyPublic Key FormatHardware Binding
Human (Nick)MacBook Secure Enclaveed25519:5x...k2Biometric (Touch ID)
Agent (SOV3)Process memory + MLX runtimeed25519:9a...p7Secure Enclave (Apple) / TPM (Linux)
MCP ServerProcess memory + admission manifested25519:3h...m4TPM where available, sealed keyfile otherwise

2.2 Identity Record

An identity record is a JSON object containing the public key, principal type, ring assignment, registration timestamp, and the BFT witness quorum signature.

{ "id": "ed25519:5xKb...k2", "type": "human", "ring": "Ring0", "registered_at": "2026-06-15T10:00:00Z", "biometric_verified": true, "hardware_binding": "secure_enclave", "witnesses": [ {"agent": "ed25519:9aXk...p7", "sig": "7f3a...c2"}, {"agent": "ed25519:8hLp...r5", "sig": "4b1d...e8"}, {"agent": "ed25519:6mNq...t9", "sig": "2a9c...b1"} ], "sigil_receipt": "sigil:attest:abc123def456" }

3. Attestation Lifecycle

3.1 5-State Lifecycle

Every attestation moves through 5 states. No attestation can act before reaching ACTIVE.

StateMeaningCan Act?Witness Required
PROVISIONEDKey generated, not yet attestedโŒโ€”
PENDING_WITNESSAwaiting 3 BFT witness signaturesโŒ3/3 standard, 5/5 high-trust
ACTIVEFully attested, can act in estateโœ…3/3 witnessed
SUSPENDEDTemporarily blocked (e.g., red-line violation)โŒ3/3 to reinstate
REVOKEDPermanently disabled, key on deny-listโŒ5/5 to re-register

3.2 BFT Witness Quorum

Every new attestation requires a witness quorum from the 33-agent BFT defense council. The witness count varies by principal sensitivity:

PrincipalWitness CountQuorumUse Case
Human owner3 of 33 agentsSimple majority (2/3 of witnesses)Single owner seat, high trust
Agent (SOV3 runtime)3 of 33 agents2/3 of witnessesSubstrate nodes
MCP server (Ring0)5 of 33 agents3/5 of witnessesSovereign-critical MCPs
MCP server (Ring1)3 of 33 agents2/3 of witnessesDefence MCPs
MCP server (Ring2)3 of 33 agents2/3 of witnessesCivil MCPs

4. Attestation Format

4.1 Canonical Attestation Object

An attestation is a signed JSON document binding a principal to a specific action and time window.

{ "attestation_id": "att:2026-07-15T05:30:00Z:abc123", "principal": "ed25519:5xKb...k2", "principal_type": "human", "ring": "Ring0", "action": "tool.invoke:sovereign-data-escrow-protocol:release", "timestamp": "2026-07-15T05:30:00Z", "expires_at": "2026-07-15T05:35:00Z", "context_hash": "sha256:9f8e7d6c5b4a...", "ring_constraints": ["Ring0_only"], "red_line_check": "passed", "signature": "ed25519:5xKb...k2:7f3a4b1d2a9c...", "witnesses": [ {"agent": "ed25519:9aXk...p7", "sig": "...", "voted_at": "..."}, {"agent": "ed25519:8hLp...r5", "sig": "...", "voted_at": "..."}, {"agent": "ed25519:6mNq...t9", "sig": "...", "voted_at": "..."} ], "sigil_receipt": "sigil:att:abc123def456" }

4.2 Time-Bound Validity

Every attestation has a 5-minute validity window by default. Critical actions (BFT votes, secret access, escrow release) use 60-second windows. Routine tool invocations use 5-minute windows. Attestations cannot be replayed outside their validity window.

5. Verification API

5.1 Endpoints

EndpointMethodPurposeAuth
/attest/verifyPOSTVerify a single attestationRing0 only
/attest/verify-batchPOSTVerify up to 1000 attestationsRing0 only
/attest/revokePOSTRevoke an attestation (emergency)Ring0 + 5/5 witness
/attest/identity/{pubkey}GETFetch identity recordRing0/1/2 (varies by ring)
/attest/listGETList attestations in time windowRing0 only

5.2 Verification Algorithm

def verify_attestation(attestation): # 1. Check signature if not ed25519_verify(attestation.signature, attestation.principal): return {"valid": False, "reason": "bad_signature"} # 2. Check time window now = current_time() if now < attestation.timestamp or now > attestation.expires_at: return {"valid": False, "reason": "expired"} # 3. Check witness quorum valid_witnesses = 0 for w in attestation.witnesses: if ed25519_verify(w.sig, w.agent): valid_witnesses += 1 if valid_witnesses < required_quorum(attestation.principal_type, attestation.ring): return {"valid": False, "reason": "insufficient_witnesses"} # 4. Check ring constraints if not check_ring_constraints(attestation): return {"valid": False, "reason": "ring_violation"} # 5. Check red-line compliance if not check_red_lines(attestation): return {"valid": False, "reason": "red_line_violation"} # 6. Check identity record state identity = fetch_identity(attestation.principal) if identity.state != "ACTIVE": return {"valid": False, "reason": "identity_not_active"} return {"valid": True, "verified_at": now, "sigil": "sigil:verify:..."}

6. Revocation and Emergency

6.1 Standard Revocation

An attestation is implicitly revoked when its expires_at passes. Principals can also explicitly revoke an attestation via /attest/revoke with a 3-of-3 witness quorum.

6.2 Emergency Revocation

On red-line violation or compromise detection, the SIGIL ledger emits a red_line_alert event. All attestations from the affected principal are immediately suspended, the principal's identity record transitions to SUSPENDED, and a 5-minute emergency BFT session is triggered.

6.3 Hardware-Bound Rotation

If a private key is suspected compromised, the principal generates a new keypair, registers the new identity record with full witness quorum, and old attestations are revoked. Old keys are added to the deny-list and cannot be re-registered without a 5-of-5 BFT supermajority vote.

7. Compliance Cross-Walk

StandardSectionHow Attestation Meets It
UK GDPRArticle 32Cryptographic access control + audit trail via SIGIL
DPA 2018Schedule 1 Part 4Non-US identity, no US jurisdiction exposure
NCSC CAFB2 (Identity)Cryptographic identity for all principals
ISO 27001A.9 (Access Control)Signed attestations, ring-based access, time-bound
JSP 440Chapter 7UK-only identity custody, BFT witness quorum
EU AI ActArticle 15 (Accuracy)Verifiable identity prevents impersonation
NIST SP 800-63BIAL3 / AAL3Hardware-bound cryptographic authenticator
Zero US CLOUD Actโ€”No US-hosted IdP, all keys UK-resident

8. Production Metrics

MetricValue
Identities registered37 (1 human + 6 agents + 30 MCPs)
Active attestations (24h)8,427
Witness quorum success rate100% (0 failed)
Verification latency (p99)12ms
SIGIL receipts (attestation events)3,891
External IdP calls0
Revocations (last 30d)2 (both standard, 0 emergency)
Red-line violations blocked1 (correctly suspended)