Security model and disclosure
How identity is protected in the IDN protocol, and how to report a vulnerability.
Architecture
Every attestation is a signed JWS. The issuer signs with an asymmetric key held in a managed key service; the private key is never exported. The reference verifier is stateless and verifies signatures locally, so verification works offline and needs no API key. Revocation is published as a W3C Status List 2021 bitmap.
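The revocation check implied by this design, as an added illustration rather than IDN's own verifier code: the status list is decoded offline (base64url, then gzip) and the attestation's status index is looked up as a single bit. The status list URL, the revoked indices and the two compact JWS strings are constructed for the example; the signature step is assumed to have already passed with the issuer's public key, and the bit order (bit 0 is the most significant bit of byte 0) is the W3C default.

```python
import base64
import gzip
import json

# Status List 2021 bitstrings are at least 16 KiB (131072 entries). Assumed here:
# left-to-right bit order, bit 0 = most significant bit of byte 0 (the W3C default).
LIST_BITS = 131072


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_status_list(revoked_indices, size=LIST_BITS) -> str:
    """Issuer side: bitstring -> gzip -> base64url (the encodedList value)."""
    bits = bytearray(size // 8)
    for i in revoked_indices:
        if not 0 <= i < size:
            raise IndexError(f"index {i} outside status list of {size} bits")
        bits[i >> 3] |= 0x80 >> (i & 7)
    return _b64url_encode(gzip.compress(bytes(bits)))


def decode_status_list(encoded: str) -> bytes:
    """Verifier side: base64url -> gunzip -> raw bitstring."""
    return gzip.decompress(_b64url_decode(encoded))


def is_revoked(bitstring: bytes, index: int) -> bool:
    """True when the bit at `index` is set. An out-of-range index is an error,
    not 'not revoked': a malformed status entry must fail closed."""
    if not 0 <= index < len(bitstring) * 8:
        raise IndexError(f"statusListIndex {index} outside {len(bitstring) * 8}-bit list")
    return bool(bitstring[index >> 3] & (0x80 >> (index & 7)))


def status_of_attestation(jws_compact: str, status_lists: dict) -> bool:
    """Read credentialStatus from a compact JWS whose signature has ALREADY been
    verified, and look it up in locally cached lists (URL -> encodedList).
    Returns True when the attestation is revoked; raises if no list is cached."""
    payload = json.loads(_b64url_decode(jws_compact.split(".")[1]))
    entry = payload["vc"]["credentialStatus"]
    if entry.get("type") != "StatusList2021Entry" or entry.get("statusPurpose") != "revocation":
        raise ValueError("unsupported credentialStatus entry")
    encoded = status_lists[entry["statusListCredential"]]  # KeyError -> fail closed
    return is_revoked(decode_status_list(encoded), int(entry["statusListIndex"]))


# --- constructed sample data (placeholder URL, made-up indices) ---
STATUS_URL = "https://issuer.example/status/1"
STATUS_LISTS = {STATUS_URL: encode_status_list([7, 94567])}


def _demo_jws(index: int) -> str:
    """Build a compact JWS shape with a placeholder signature, for the lookup only."""
    header = _b64url_encode(json.dumps({"alg": "ES256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"vc": {"credentialStatus": {
        "type": "StatusList2021Entry", "statusPurpose": "revocation",
        "statusListIndex": str(index), "statusListCredential": STATUS_URL}}}).encode())
    return f"{header}.{payload}.{_b64url_encode(b'placeholder-signature')}"


REVOKED_JWS = _demo_jws(94567)
LIVE_JWS = _demo_jws(94568)

if __name__ == "__main__":
    print("revoked:", status_of_attestation(REVOKED_JWS, STATUS_LISTS))
    print("live:", status_of_attestation(LIVE_JWS, STATUS_LISTS))
```

Two properties matter for a stateless verifier: the cached status list itself must be signature-checked before it is trusted (it is a credential from the same issuer), and a missing or out-of-range entry is treated as a verification failure rather than as "not revoked".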
Keys
Handle keys are generated on the device and shown once. IDN never stores a sponsor private key. The audit log is hash-chained, so tampering with any row breaks the chain and is detectable.
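The hash-chain property described above, as an added example that is not IDN's audit log implementation: each row commits to the previous row's hash, so editing a row without recomputing its hash fails at that row, and recomputing it fails at the next row instead. The row layout, the SHA-256 choice and the sample events are assumptions for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first row (assumed convention)


def _row_hash(prev_hash: str, body: dict) -> str:
    """Canonical JSON (sorted keys, no whitespace) so equal rows hash equally."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode("ascii") + canonical).hexdigest()


def append_row(log: list, event: dict) -> dict:
    prev = log[-1]["hash"] if log else GENESIS
    body = {"seq": len(log), "prev_hash": prev, "event": event}
    row = dict(body, hash=_row_hash(prev, body))
    log.append(row)
    return row


def verify_chain(log: list):
    """Return (ok, first_bad_seq). A row is bad when its seq is out of order,
    its prev_hash differs from the previous row's hash, or its own hash does
    not recompute from its body."""
    prev = GENESIS
    for i, row in enumerate(log):
        body = {"seq": row["seq"], "prev_hash": row["prev_hash"], "event": row["event"]}
        if row["seq"] != i or row["prev_hash"] != prev or _row_hash(prev, body) != row["hash"]:
            return False, i
        prev = row["hash"]
    return True, None


def build_demo_log() -> list:
    """Constructed sample events; handle values are placeholders."""
    log = []
    for ev in [
        {"action": "handle.create", "handle": "h-0001", "actor": "device"},
        {"action": "attestation.issue", "handle": "h-0001", "actor": "issuer"},
        {"action": "attestation.revoke", "handle": "h-0001", "actor": "issuer"},
    ]:
        append_row(log, ev)
    return log


def tamper_without_rehash():
    """Edit row 1 in place: its stored hash no longer matches its body."""
    log = build_demo_log()
    log[1]["event"]["actor"] = "attacker"
    return verify_chain(log)


def tamper_with_rehash():
    """Edit row 1 and recompute its hash: row 2's prev_hash now points nowhere."""
    log = build_demo_log()
    log[1]["event"]["actor"] = "attacker"
    body = {k: log[1][k] for k in ("seq", "prev_hash", "event")}
    log[1]["hash"] = _row_hash(log[1]["prev_hash"], body)
    return verify_chain(log)


if __name__ == "__main__":
    print("intact:", verify_chain(build_demo_log()))
    print("edited row:", tamper_without_rehash())
    print("edited and rehashed:", tamper_with_rehash())
```

The chain detects modification of any row and deletion of any row but the last; dropping rows from the tail leaves a shorter, still-valid chain, so the current head hash has to be anchored somewhere the log writer cannot rewrite (a signed checkpoint, or a copy held by a second party) for truncation to be detectable as well.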
Validation pack
We publish a software bill of materials, container vulnerability scans, a dependency policy, and an incident response document. Container images are signed. These artifacts are linked from the partner portal for the active testbed.
Reporting a vulnerability
Email security@idn.global. We acknowledge within two business days and aim to triage within five. Please do not open a public issue for security reports. Our policy is also published at /.well-known/security.txt.