Trust Model
OCC guarantees single-successor semantics within the verifier-accepted measurement and monotonicity domain of the enforcing boundary.
Assumptions
| Assumption | If it fails |
|---|---|
| Boundary isolation - TEE prevents external key access | All guarantees collapse |
| Key secrecy - Ed25519 private key never leaves boundary | Proof forgery becomes possible |
| Nonce freshness - ≥128 bits, never reused | Replay within a session |
| Honest measurement - hardware correctly measures enclave | Delegated to TEE vendor |
| Monotonic counter durability - survives restarts | Anti-rollback degrades to single session |
| Strict verifier policy - caller pins measurements + counters | Weak policy accepts more than intended |
Threat model
In-scope threats
Proof replay
minCounter in policy rejects old proofs
Measurement substitution
allowedMeasurements pins exact values
Signature forgery
Ed25519 unforgeability
Downgrade attack
Enforcement tier is signed; requireEnforcement rejects weaker tiers
Chain gap insertion
prevB64 chaining: any removed link breaks hash continuity
Out-of-scope threats
- • Signing key exfiltration - assumes boundary is secure
- • TEE firmware vulnerability - delegated to hardware vendor
- • Weak verifier policy - caller responsibility
- • Physical access to enclave host - outside threat model
Non-goals
- • Global ordering - no total ordering across independent boundaries
- • Cross-boundary double-spend - same artifact can be submitted to separate boundaries
- • Copy prevention - OCC does not prevent raw byte copying
- • Consensus replacement - OCC constrains a single boundary, not distributed parties
- • Metadata integrity - the metadata field is advisory and unsigned