Security Architecture
PEAC's security model is designed around offline verification, fail-closed defaults, and no implicit network I/O. This page links to the detailed security specifications in the protocol repository.
For vulnerability reporting and disclosure policy, see Security Policy.
Verification Security
| Document | Description |
|---|---|
| Verifier Security Model | Trust boundaries, key resolution, signature verification, claim validation |
| Security Considerations | Threat model, attack vectors, mitigations |
| Trust Pinning Policy | Issuer allowlists, key pinning, trust-on-first-use |
| Kernel Constraints | Fail-closed validation in issue() and verify() paths |
Transport Security
| Document | Description |
|---|---|
| HTTP Transport Security | CORS, rate limiting, size limits, localhost binding |
| MCP Compliance Matrix | MCP security controls: session isolation, SSRF prevention, static policy |
| OWASP ASI Mapping | ASI-01 through ASI-10 zero-trust control mapping |
Issuer Operations
| Document | Description |
|---|---|
| Issuer Ops Baseline | Key management, rotation, revocation, JWKS publication |
| Hot-Path Resilience | Issuance reliability, graceful degradation, circuit breakers |
| Key Rotation | 5-state FSM, 30-day overlap, kid reuse detection |
Security Defaults
PEAC ships with fail-closed security defaults:
- Issuer allowlist required: verifiers must explicitly trust issuers
- Unknown tags rejected: unrecognized receipt fields produce errors
- Replay protection: nonce and timestamp validation required
- SSRF prevention by design: no ambient key discovery, no implicit fetch
- Ed25519 only: single algorithm, no algorithm confusion attacks
- JOSE hardening: embedded keys rejected, crit rejected, b64:false rejected, zip rejected
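To show how these defaults combine before any key is resolved or any signature is checked, here is an added pre-flight over a compact JWS receipt; it is illustrative code written for this page, not PEAC's own verifier. The function and exception names, the use of nonce and iat as the replay claims, and the 300-second skew window are assumptions.

```python
import base64
import json
import time

# Header parameters that carry or point at a key; a verifier with no ambient
# key discovery refuses them rather than follows them.
EMBEDDED_KEY_PARAMS = ("jwk", "jku", "x5c", "x5u")
SKEW_SECONDS = 300  # assumed window, not a PEAC-specified value

class RejectedReceipt(ValueError):
    """First fail-closed rule the receipt violated."""

def _b64url_json(segment):
    obj = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    if not isinstance(obj, dict):
        raise RejectedReceipt("segment is not a JSON object")
    return obj

def preflight(compact, trusted_issuers, seen_nonces, now=None):
    """Return (issuer, kid, claims) for pinned-key lookup, or raise RejectedReceipt.

    Header rules run before the payload is decoded, so b64:false or zip can never
    alter parsing. Caller records the nonce only after the signature verifies.
    """
    parts = compact.split(".")
    if len(parts) != 3:
        raise RejectedReceipt("expected three segments")
    header = _b64url_json(parts[0])
    if header.get("alg") != "EdDSA":  # Ed25519 only (JOSE name EdDSA): no alg confusion
        raise RejectedReceipt("alg %r rejected" % header.get("alg"))
    for p in EMBEDDED_KEY_PARAMS + ("crit", "zip"):  # JOSE hardening
        if p in header:
            raise RejectedReceipt("%s rejected" % p)
    if header.get("b64", True) is not True:
        raise RejectedReceipt("b64:false rejected")
    kid = header.get("kid")
    if not isinstance(kid, str) or not kid:
        raise RejectedReceipt("kid required to select a pinned key")
    claims = _b64url_json(parts[1])
    if claims.get("iss") not in trusted_issuers:  # allowlist required, no implicit trust
        raise RejectedReceipt("issuer %r not trusted" % claims.get("iss"))
    nonce, iat = claims.get("nonce"), claims.get("iat")
    if not isinstance(nonce, str) or not isinstance(iat, (int, float)):
        raise RejectedReceipt("nonce and iat required for replay protection")
    now = time.time() if now is None else now
    if abs(now - iat) > SKEW_SECONDS:
        raise RejectedReceipt("iat outside accepted window")
    if nonce in seen_nonces:
        raise RejectedReceipt("nonce replayed")
    return claims["iss"], kid, claims
```

Signature verification with the key pinned for the returned (issuer, kid) pair follows this step; only after it succeeds should the nonce be stored as seen.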
Related
- Security Policy: Vulnerability reporting and disclosure
- Wire Format: JOSE hardening and signature requirements
- Conformance Levels: 192 conformance requirements including security vectors