HPKE-secured mTLS with Ed25519 certificate pinning and a sovereign-only Certificate Authority. Certificate transparency log on the SIGIL ledger. Zero US CA dependency. Zero CLOUD Act exposure. NCSC SC-01 CAF B3 compliant.
Conventional TLS relies on the WebPKI: Let's Encrypt (US 501c3), DigiCert (US private), Sectigo (US private), Google Trust Services (US), and dozens of other CAs all subject to US jurisdiction. For a UK Ministry of Defence or NHS deployment, every TLS handshake presents the peer's certificate to a chain that ultimately roots in a US CA. This creates CLOUD Act exposure on every connection and allows nation-state attackers with US-CA coercion to forge certificates for MITM.
DEFONEOS operates its own sovereign Certificate Authority on UK-sovereign hardware (Oracle UK-South + MacBook M4 Pro Secure Enclave + GCHQ-certified cluster), with Ed25519-based certificate pinning at every endpoint, and a certificate transparency log recorded on the SIGIL ledger. The WebPKI is rejected entirely. Every TLS handshake is between two DEFONEOS nodes whose cert chains terminate in the sovereign CA root.
The DEFONEOS Root CA lives on an offline encrypted USB drive in a UK physical safe, never connected to any network. The Root CA has a single Ed25519 key pair (public key distributed to all DEFONEOS nodes as a trust anchor; private key never leaves the USB). Root CA validity: 10 years. Rotation requires BFT supermajority 27/33 plus human-owner witness and BFT witness ceremony.
Three Intermediate CAs operate online: DEFONEOS-Ring0-ICA for sovereign MCPs, DEFONEOS-Ring1-ICA for defence sensors, DEFONEOS-Ring2-ICA for civil open-data MCPs. Each Intermediate CA has a 1-year validity and signs end-entity certificates. Intermediate rotation is automated every 90 days with SIGIL-anchored evidence.
Each DEFONEOS node (MacBook, Oracle VM, GCHQ cluster node, BT Sovereign ring node) receives a per-node end-entity certificate bound to: node ID, ring (0/1/2), Ed25519 public key, MAC address, attestation token, valid-from/valid-to. Certificates are valid 30 days and rotate every 30 days via automated renewal.
{
"version": 3,
"subject": "CN=defoneos-m4pro-7842,O=DEFONEOS,L=Oracle-UK-South,C=GB",
"ring": 0,
"node_id": "ed25519:7842:ab3f...",
"validity": {"not_before": "2026-07-15T00:00:00Z", "not_after": "2026-08-14T00:00:00Z"},
"public_key": {
"algorithm": "Ed25519",
"value": "MCowBQYDK2VwAyEAGb9ECWmEzf6FQbrBZ9w7lshQhqowtrbLDFw4rXAxZuE="
},
"attestation_token": "ed25519:secure-enclave:...",
"issuer": "DEFONEOS-Ring0-ICA",
"signature_algorithm": "Ed25519",
"signature": "0x9f3a8b7c2d..."
}
Each DEFONEOS endpoint pins the SPKI hash of the peer's public key. Even if the certificate is re-issued (new validity, new serial), the same Ed25519 key produces the same SPKI hash and the pin is preserved. SPKI pinning is the recommended primary strategy. Pin hash format: SHA-256 of DER-encoded SubjectPublicKeyInfo, base64 encoded.
Each endpoint pins the full certificate SHA-256 hash. This is the strictest strategy — any re-issuance (even with same key) breaks the pin and requires pin update. Used only for the most sensitive cross-region links (e.g., MacBook → Oracle UK-South BFT gateway). Pin update requires BFT quorum and SIGIL emission.
For federation with peer DEFONEOS operators, pins are managed via a TUF (The Update Framework) repository. Each peer operator signs a delegation chain with Ed25519, and pin updates roll forward through the chain. This allows safe pin rotation without manual coordination. TUF repository is replicated to all peer operators via the federation discovery protocol.
TLS 1.3 mTLS provides transport-layer encryption. For application-layer encryption of MCP request/response payloads (defence-in-depth against TLS termination at intermediaries), DEFONEOS uses HPKE (Hybrid Public Key Encryption, RFC 9180) with X25519 + HKDF-SHA256 + ChaCha20-Poly1305. Each MCP request payload is HPKE-sealed to the peer's HPKE public key before being passed to the TLS layer.
HPKE key pairs are distinct from TLS key pairs and rotate on a different schedule (per-request nonces with key rotation every 1000 requests). HPKE ensures that even if TLS is terminated (e.g., at a load balancer that re-encrypts), the application payload remains encrypted end-to-end.
Every certificate issued by a DEFONEOS Intermediate CA is logged to the SIGIL ledger within 5 seconds of issuance. The CT log entry includes: certificate serial, subject, issuer, valid-from/valid-to, SPKI hash, ring, issuing Intermediate CA signature, and timestamp. CT log entries are append-only, Merkle-anchored, and replicated to all DEFONEOS nodes.
Monitors (per-node CT-verification agents) check the CT log for unauthorized certificate issuance. If a certificate appears in the log that was not expected (e.g., a new certificate for a node that is currently in maintenance), the monitor emits a SIGIL red-line alert and the BFT council is auto-paged.
{
"ct_entry_id": "ct-2026-07-15-7842-001",
"version": 1,
"certificate_serial": "0x9f3a8b7c2d1e0f",
"subject": "CN=defoneos-m4pro-7842,O=DEFONEOS",
"issuer": "CN=DEFONEOS-Ring0-ICA,O=DEFONEOS",
"not_before": "2026-07-15T00:00:00Z",
"not_after": "2026-08-14T00:00:00Z",
"spki_sha256": "VKZ9YvhKjP3z4eQ8M...",
"ring": 0,
"issuing_ca_signature": "ed25519:0x9f3a8b7c2d...",
"sigil_receipt": "sigil_ct_logged_v1:9f3a8b7c...",
"merkle_leaf_index": 47821,
"merkle_root": "0x7b2e...",
"timestamp": "2026-07-15T00:00:05Z"
}
| Stage | Duration | Trigger | SIGIL Emission |
|---|---|---|---|
| Issuance | ≤5 sec | Node bootstrap or renewal | cert_issued |
| Distribution | ≤30 sec | Push to all nodes + CT log | cert_distributed |
| Active | 30 days | — | health probes daily |
| Renewal | T-7 days before expiry | Auto-renewal daemon | cert_renewed |
| Revocation | ≤60 sec | Compromise / quarantine / incident | cert_revoked |
| CRL publication | ≤60 sec | Auto-publish to SIGIL + peer-federation | crl_published |
| Archival | 7 years | CT log retention | cert_archived |
Certificate Revocation List (CRL) is published to the SIGIL ledger every 60 seconds and replicated to peer DEFONEOS operators via the federation discovery protocol. OCSP stapling is used for high-availability revocation checks; if OCSP is unavailable, CRL fallback to the SIGIL ledger.
Root CA operations (issuance of new Intermediate CA, root key rotation, emergency revocation) require BFT supermajority 27/33. Daily Intermediate CA operations (end-entity issuance, routine renewal) require 17/33 BFT approval or automated via the on-call agent with Friday BFT ratification. All Root CA operations emit a SIGIL receipt with the full BFT vote record.
| Operation | Quorum | Use Case |
|---|---|---|
| Root CA key rotation | 27/33 + human witness | 10-year cycle or compromise |
| Intermediate CA issuance | 23/33 | Adding new ring / new deployment |
| Emergency revocation | 23/33 | Compromise / SEV1 incident |
| Routine end-entity issuance | 17/33 (or auto) | Node bootstrap / renewal |
| CRL publication | auto | Every 60 sec + on-revocation |
DEFONEOS sovereign CA is operational. 1 Root CA (offline, air-gapped). 3 Intermediate CAs (online, BFT-gated). 30 end-entity certificates issued across the 30 MCP nodes. 0 WebPKI dependencies. 7-year CT log retention active. 30-day end-entity rotation automated. 90-day Intermediate rotation scheduled. TUF pin repository live with 3 pin strategies (SPKI, full-cert, delegated). 0 pin verification failures in last 30 days. HPKE enabled on all MCP-to-MCP links. 5 named anti-patterns with automatic quarantine. 7 immutable red lines including: no WebPKI trust, no US HSM, no RSA for new certs, mandatory CT logging, mandatory attestation tokens.