A Provider–Consumer trust framework where both sides run the same Nexus stack, the channel is mutually authenticated and pinned, capital is anchored to Cardano, and trust is bootstrapped out-of-band onto a secure offline device.
Six working parts and one transit layer. Walk through them in order — provider organisation, the provider's nexus, the pinned x509 mutual auth, satellite as the carrier, the consumer's mirrored nexus, and the out-of-band bootstrap that makes it all start.
Protocols and Accountability carry the trust spine. The other six areas exist to make that spine operable — to keep capital sustaining it, to keep the codes flowing, to keep the runbooks current.
Sets the threat model: hostile network, sovereign offline consumer, provider liable for capital. Fixes the non-negotiables every other area inherits.
Owns the human-to-human handover that delivers the bootstrap code. The only step the wire cannot do.
Ships the mirrored Nexus, the Provider Nexus client, certificate-provisioning tooling, and the first-boot installer.
The core stack. mTLS for the channel, x509 pinning for endpoint identity, KERI AIDs behind the certs, ACDC inside the envelope.
The capital behind the provider organisation — the thing the on-chain anchor ultimately attests to. Funds the witnesses, the satellite link, the CA.
The operational runbooks: how a device is enrolled, how certs are rotated, how a lost device is revoked from the pinning table.
Publishes the provider's capital attestations on-chain. Any consumer, regulator, or third party can verify without permission.
Not hub-and-spoke, not full mirror. The Consumer holds the generic surface plus its own slice. The Provider holds everything; the Consumer holds enough to verify what concerns it.
From transit at the bottom to credential at the top — each layer earns its place by collapsing a specific trust surface that the layer below cannot.
| Layer | Protocol | Role | What it collapses |
|---|---|---|---|
| Transit | Satellite LEO | Bearer network. Routes independently of national ISPs. | Reachability dependence on hostile or unavailable terrestrial paths. |
| Transport | TCP · IP · TLS 1.3 | Encrypted, ordered byte stream between fixed peer addresses. | Passive interception and tampering. |
| Mutual auth | mTLS · x509 pinned | Both ends present a certificate. Peer must match pinned SPKI at pinned IP. | Public CA compromise, DNS spoofing, permissive intermediates. |
| Identity | KERI AID + KEL | Self-certifying identifiers with witnessed, append-only key event logs. | Reliance on central identity providers and certificate revocation lists. |
| Credential | ACDC + SAID chain | Authentic Chained Data Containers naming AIDs, SPKIs, scope, expiry. | Bearer-token forgery and unverifiable claims of enrolment. |
| Anchor | Cardano on-chain | Public, censorship-resistant ledger for capital attestations. | Provider self-reporting. Anyone can verify without asking. |
| Bootstrap | OOB single-use code | Hash committed in KEL; burned on first redemption. | Remote enrolment of rogue devices via the online channel alone. |
Every layer of the framework maps to a commodity service already in operation. There is nothing to build at the infrastructure tier — only to assemble. A working two-node pilot fits inside a few thousand dollars upfront and roughly three hundred a month to run.
| Layer | Use existing | What you do | Indicative cost (AUD) |
|---|---|---|---|
| Transit | Starlink | Order a Standard kit for each site. Two sites for a Provider–Consumer pilot. Fixed IPs are an account setting. | $599 hardware + $139/mo per site |
| Provider host | Any small VPS or on-prem | Linux box behind the Starlink router. Nexus runtime as a containerised process. Static config, no orchestration. | $10–40/mo |
| Consumer host | Mini-PC or secure-element device | Off-the-shelf small-form-factor PC or rugged compute box. Nexus runtime + secure element for key storage. | $400–800 hardware |
| Mutual auth | Self-signed x509 + pinning | Generate certs locally, pin SPKI hashes on both ends. No public CA required for a closed pair. | $0 |
| Identity | KERIA + signify-py | Open-source KERI agent on each side. AID generation, KEL management, dip/ixn events — all in the library. | $0 |
| Witnesses | Community witness pool or three small VPS | Three witnesses for 2-of-3 threshold. Either join an existing pool or run your own across geographies. | $0 (pooled) or $15–30/mo (self-run) |
| Anchor | Cardano mainnet | Anchor KEL digests and ACDC SAIDs in transaction metadata. Standard send via cardano-cli or a Blockfrost API. | ~$0.06 per anchor event |
| OOB bootstrap | Printed sealed envelope or physical handover | QR code on a card. Time-limited, single-use, hash-committed in advance. | Stationery + courier |
Two Starlink kits, one VPS, one mini-PC, three pooled witnesses, Cardano mainnet anchoring. No bespoke infrastructure.
Using public infrastructure is not a cost compromise — it is a trust property. A bespoke satellite network or a private blockchain would mean trusting one operator's continuity. Starlink and Cardano are independently sustained, publicly observable, and outlast any single provider's commitment. The framework gets stronger because no part of the stack depends on the provider organisation itself remaining solvent.
Ten steps that trade a single-use, human-delivered secret for a cryptographically anchored, delegated consumer identity. After step ten, the code is dead and every interaction stands on KERI events alone.
ixn on its own KEL committing only hash(code), expiry, and consumer reference. The code itself never touches the ledger.
dip naming the provider AID as delegator. The a (anchors) field carries hash(code) — binding cryptographic identity to the human-channel handshake.
hash(code) against the unspent commitment, confirms the expiry window, validates the bootstrap x509 chain, then seals the dip with an ixn on its own KEL.
ixn to its own KEL anchoring the ACDC's SAID. This is the consumer's permanent record — independent of the provider, verifiable against the witness network.
ixn marking hash(code) as spent. Any future replay fails at step 05. The OOB secret is dead.
Properties of the design that are easy to miss in the diagram but hard to recover if optimised away.
The code authenticates nothing on its own — only hash(code) is checked, and only as a seal inside a delegated inception. The code's job is to prove the human-channel handover happened, then die.
Not later — at step 03. Skip pre-rotation here and you cannot rotate the consumer key after enrolment without re-running the whole bootstrap from scratch.
The bootstrap x509 and the long-lived x509 are deliberately separate. The bootstrap cert can be widely provisioned at manufacture; the long-lived one is consumer-specific and only earns its pinning at step 07.
The provider's KEL carries issue (01), seal (05), burn (09) for every bootstrap. That triple is the auditable trace of the whole flow — reconstructable by anyone with read access to the KEL, without ever seeing the code.
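The issue, seal and burn steps above and the properties that follow them, as an added worked model that is not part of the framework's own code and does not use keripy or KERIA: a minimal append-only KEL with an anchors field, hash(code) as the only thing the provider ever records, and a seal check that rejects unknown, expired and already-burned codes. Event field names (i, s, t, p, a, di) echo KERI's but the digest is plain SHA-256 over JSON, and bootstrap x509 chain validation is left out.

```python
import hashlib
import json

def digest(obj):
    """SHA-256 over canonical JSON; stands in for a KERI SAID in this model."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def hash_code(code):
    return hashlib.sha256(code.encode()).hexdigest()

class KEL:
    """Append-only key event log: every event carries the digest of its predecessor."""
    def __init__(self, aid):
        self.aid, self.events = aid, []
    def append(self, ilk, **body):
        prev = digest(self.events[-1]) if self.events else ""
        ev = {"i": self.aid, "s": len(self.events), "t": ilk, "p": prev, **body}
        self.events.append(ev)
        return ev
    def anchors(self, key):
        """Return the 'a' (anchors) entries of ixn events that carry the given key."""
        return [e["a"][0] for e in self.events if e["t"] == "ixn" and key in e["a"][0]]

def issue(provider, code, ttl, consumer_ref, now):
    """Step 01: commit only hash(code), expiry and consumer reference on the provider KEL."""
    return provider.append("ixn", a=[{"h": hash_code(code), "exp": now + ttl, "c": consumer_ref}])

def consumer_dip(consumer, provider_aid, code):
    """Consumer delegated inception; the anchors field binds hash(code) to the new AID."""
    return consumer.append("dip", di=provider_aid, a=[{"h": hash_code(code)}])

def seal(provider, dip, now):
    """Step 05: accept the dip only against an unspent, unexpired commitment."""
    h = dip["a"][0]["h"]
    issued = [x for x in provider.anchors("h") if x["h"] == h]
    if not issued:
        return None, "unknown code"
    if any(x["spent"] == h for x in provider.anchors("spent")):
        return None, "code already spent"
    if now > issued[0]["exp"]:
        return None, "code expired"
    # The real flow also validates the bootstrap x509 chain here; omitted in this model.
    return provider.append("ixn", a=[{"d": digest(dip), "i": dip["i"]}]), "sealed"

def burn(provider, code):
    """Step 09: mark hash(code) spent so any replay of the same code fails at seal."""
    return provider.append("ixn", a=[{"spent": hash_code(code)}])
```

Reading the provider KEL afterwards shows exactly the issue, seal, burn triple and nothing else, with the code itself absent from every event.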
The Consumer does not hold a clone of the Provider Nexus. It holds the generic surface — protocol, schemas, witness pointers, the Provider's public capital attestation — plus its own slice of the relationship: its ACDC, its enrolment scope, its interaction history. It never holds other consumers' data and never holds the Provider's private operational state. Symmetric where it matters for verification; asymmetric where it matters for confidentiality.
The framework's strongest property is its symmetry. Because every layer maps to commodity infrastructure already in operation, the framework's continuity is not the provider's burden alone — Starlink and Cardano outlast any single deployment. Sustainability still funds the satellite plans and the small witness footprint; Protocols and Accountability hold the spine.