Trust Model
OCC guarantees single-successor semantics within the verifier-accepted measurement and monotonicity domain of the enforcing boundary.
Assumptions
| Assumption | If it fails |
|---|---|
| Boundary isolation — TEE prevents external key access | All guarantees collapse |
| Key secrecy — Ed25519 private key never leaves boundary | Proof forgery becomes possible |
| Nonce freshness — ≥128 bits, never reused | Replay within a session |
| Honest measurement — hardware correctly measures enclave | Delegated to TEE vendor |
| Monotonic counter durability — survives restarts | Anti-rollback degrades to single session |
| Strict verifier policy — caller pins measurements + counters | Weak policy accepts more than intended |
Threat model
In-scope threats
Proof replay
minCounter in policy rejects old proofs
Measurement substitution
allowedMeasurements pins exact values
Signature forgery
Ed25519 unforgeability
Downgrade attack
Enforcement tier is signed; requireEnforcement rejects weaker tiers
Chain gap insertion
prevB64 chaining — any removed link breaks hash continuity
Out-of-scope threats
- • Signing key exfiltration — assumes boundary is secure
- • TEE firmware vulnerability — delegated to hardware vendor
- • Weak verifier policy — caller responsibility
- • Physical access to enclave host — outside threat model
Non-goals
- • Global ordering — no total ordering across independent boundaries
- • Cross-boundary double-spend — same artifact can be submitted to separate boundaries
- • Copy prevention — OCC does not prevent raw byte copying
- • Consensus replacement — OCC constrains a single boundary, not distributed parties
- • Metadata integrity — the metadata field is advisory and unsigned