🔐 Sovereign MCP mTLS Specification

DEFONEOS-MCPMTLS-v1.0 · Transport Security · 2026-07-16

NCSC SC-01 CAF C1 UK GDPR Art 32 DSP SC2 9/9 JSP 440 Ch 7 BFT 23/33 30 MCPs

1. Purpose & Scope

This document specifies the mutual-TLS (mTLS) protocol used by every DEFONEOS MCP for transport-layer authentication, integrity, and confidentiality. It binds the 30 MCPs (Ring0 / Ring1 / Ring2) into a single zero-trust mesh where no peer accepts an unauthenticated connection. Aligned to NCSC SC-01 CAF C1 (network security), DSP SC2 9/9, and UK GDPR Article 32.

In scope: Subprocess MCPs (Ring0), localhost sidecar MCPs (Ring1), federated MCPs (Ring2), and cross-ring mediation via the Ring0 gateway. Out of scope: Application-layer encryption (see TLS pinning spec §6 HPKE layer) and outer WebPKI for public-facing surfaces (see FedRAMP-UK equivalent).

2. Sovereign Internal CA Hierarchy

Sovereignty invariant: Zero external CA. Zero WebPKI. Zero US HSM (AWS CloudHSM / Azure Dedicated HSM rejected). Zero foreign-jurisdiction trust anchor.

3. Per-MCP Identity

Each of the 30 MCPs is issued a unique Ed25519 certificate binding:

Each MCP exposes its certificate via the standard /.well-known/defoneos-mcp-cert endpoint and pins the CA chain in its source code (compile-time).

4. TLS 1.3 Only — Cipher Suite Policy

Rejected: TLS 1.0 / 1.1 / 1.2; any RSA-key-exchange suite; any CBC-mode cipher; any MD5/SHA-1 PRF; any PFS-less suite. Compliance: NCSC SC-01 CAF C1.2 + NIST SP 800-52r2.

5. SPKI Pinning

At compile time, each MCP embeds the SHA-256 of the SPKI (Subject Public Key Info) of its expected peer certificates. At runtime, on every TLS handshake, the peer's SPKI is verified against the pinned set:

On pin mismatch: connection refused, SIGIL {event: "pin_violation", peer, expected, observed} emitted, BFT agent notified.

6. WireGuard Fallback

For cross-region (Oracle UK-South ↔ MacBook M4 ↔ GCHQ cluster) and cross-org federation, TLS terminates at the Ring0 gateway. Below the gateway, the inner mesh uses WireGuard (kernel-level, Curve25519 + ChaCha20-Poly1305 + BLAKE2s) for additional defence-in-depth.

This produces a double-encrypted path: TLS 1.3 at the application, WireGuard at the link layer. Even if either layer is compromised, confidentiality holds.

7. Cross-Ring Mediation

Ring0 MCPs may speak directly to other Ring0 MCPs. Ring0 ↔ Ring1 ↔ Ring2 mediation only through the Ring0 gateway (port 8100):

All cross-ring traffic is logged to SIGIL with full request/response hashes + capability-checksum.

8. BFT-Gated CA Operations

OperationThresholdWitness Required
Issue end-entity cert17/33 (operational)No
Revoke end-entity cert17/33 (operational)No
Rotate Intermediate CA23/33 (standard)Yes (1 human-witness)
Cross-sign peer Intermediate23/33 (standard)Yes (1 human-witness)
Rotate Root CA27/33 (supermajority)Yes (2 human-witnesses)
Destroy Root CA33/33 (unanimous)Yes (3 human-witnesses)

9. Anti-Patterns (auto-quarantine)

  1. Unencrypted traffic: Any MCP accepting connections on plaintext port (no TLS) is auto-quarantined to Ring3 "isolated" state. SIGIL {event: "no_tls"} emitted. BFT emergency session auto-invoked.
  2. External CA trust: Any MCP trusting a non-DEFONEOS CA (Let's Encrypt, DigiCert, AWS Private CA) is auto-quarantined. SIGIL {event: "untrusted_ca"} emitted.
  3. Expired cert: If an MCP's cert expires (rotation missed), all peers refuse connections. Auto-quarantine + on-call rotation triggered.
  4. Pin mismatch: SPKI mismatch on handshake → connection refused + forensic capture + BFT agent review.
  5. CRL missing: If the CRL endpoint is unreachable, MCPs fail-closed (reject all connections) until CRL is restored. Sovereignty invariant: never fail-open.

10. Red-Line Invariants

  1. No MCP may communicate over plaintext under any circumstance.
  2. No MCP may trust an external CA without BFT session approval (23/33 minimum).
  3. No cross-ring traffic may bypass the Ring0 gateway.
  4. No Root CA operation may proceed without human-witness.
  5. No certificate validity may exceed 30 days (end-entity) / 90 days (Intermediate) / 10 years (Root).
  6. No TLS 1.2 or earlier may be negotiated.

11. Live Posture (16 Jul 2026)

12. Compliance Cross-Walk

StandardCoverageNotes
NCSC SC-01 CAF C114/14 controlsNetwork security + mTLS + cert management
NCSC SC-01 CAF C29/9User / device authentication
UK GDPR Article 327/7Pseudonymisation + encryption + integrity + confidentiality
ISO 27001:2022 A.8.20/A.8.248/8Network security + use of cryptography
ISO 27001:2022 A.8.263/3Application security requirements
JSP 440 Ch 79/9Cryptographic key management
JSP 936 §5.26/6AI supply chain transport security
DSP SC2 9/99/9All SC2.x controls met
NIST SP 800-52r24/4TLS deployment guidance
RFC 8446 (TLS 1.3)compliantFull TLS 1.3 conformance
RFC 8701compliantGRE + IPsec profile guidance
EU AI Act Article 95/5Risk management + transport

13. SIGIL Emission

On every mTLS handshake (success or failure): C|defoneos|mcp-mtls|{peer}@{spki_pin_status}|{care_score}. Aggregated into per-MCP transport-security dashboard.

DEFONEOS-MCPMTLS-v1.0 · 2026-07-16 · Public · BFT minutes