Sessions, devices, and future hardware trust
Today: Rune Token suite sign-in and short-lived operator sessions for consoles. Device trust via the Rune agent. Roadmap: deeper hardware-rooted attestation
How access works today
User authenticates at the site IdP (device trust and/or OTP).
Required console mints app-scoped suite activation.
Stella, Thala, and other RPs receive HttpOnly BFF cookies — same person, app-scoped rights.
Sensitive actions use short-lived server sessions — secrets are not left in browser JavaScript.
Long-term hardware trust (roadmap)
National-scale eID proved the model. We may go further: hardware-rooted, offline-capable attestation for high-assurance fleets.
Hardware-rooted trust
TPM 2.0 / secure enclave binding, FIDO2 passkeys, measured boot — identity lives in silicon you control, not a SaaS directory.
Post-quantum ready
Hybrid classical + ML-DSA / SLH-DSA signatures and CRYSTALS-Kyber key exchange — crypto agility baked in before harvest-now-decrypt-later becomes urgent.
Offline ZK attestations
Prove role, clearance, or fleet membership with zero-knowledge proofs on air-gapped Stella nodes — no PII broadcast, no central verifier required.
Mesh revocation
Issuance and CRL sync across your Thala fleet over LAN-only channels — instant lockout without internet, without trusting a third-party OCSP.
Architecture principles
- Air-gap issuance ceremonies — USB / NFC operator workflow, no cloud enrollment
- Continuous integrity attestation within your perimeter only
- Separation of identity, authorization, and session — short-lived scoped tokens
- Open Rust reference implementation — auditable, deployable on your metal
- Interoperable with Stella ops gate and Thala fleet policies
Related modules (in repo)
DeviceAnchor — TPM EK hash, measured boot PCRs, optional FIDO2 cred binding.
HybridKeyPair — ML-DSA / SLH-DSA + classical agility interfaces.
ZkAttestor — offline membership proofs for fleet and clearance claims.
RevocationMesh — LAN CRL sync target for Thala fleet distribution.
Phase 1 live: suite sign-in and short-lived operator sessions. Rune agent for air-gap device login. Phase 2 roadmap: hardware bind options — not required for current SKUs.
← Back to platforms