| Internet-Draft | UZPIF | March 2026 |
| Fisher | Expires 17 September 2026 | [Page] |
The Universal Zero-Port Interconnect Framework (UZPIF) describes a post-port networking model in which communication is established via outbound, identity-bound sessions to Rendezvous Nodes (RNs). By removing publicly reachable listening ports at endpoints, UZPIF changes exposure assumptions and can reduce unsolicited ingress and Internet-wide scanning pressure, but it does not by itself guarantee privacy, decentralisation, or availability.¶
This document outlines architectural motivation, a high-level security model, operational and economic considerations, a Pantheon trust and policy plane baseline, and an incremental migration approach. It is part of an experimental, research-oriented Independent Stream suite and defines the current normative baseline for trust objects, validation rules, and security semantics within the suite framework. Hard interoperability is expected for shared object semantics and validation rules. Full wire-level, clustering, and proof-family interoperability is not claimed everywhere yet; the remaining details are intentionally profile-defined or deferred in companion drafts or profiles. UZPIF is intended to be read alongside companion work describing the Universal Zero-Port Transport Protocol (UZP; [UZP]) and TLS-DPA ([TLS-DPA]).¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 17 September 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
This Internet-Draft is part of an experimental, research-oriented suite prepared for the Independent Stream. It is published to enable structured technical review, interoperability discussion, and disciplined specification development around the Universal Zero-Port Interconnect Framework (UZPIF).¶
Within that suite, this document defines the current normative baseline for trust objects, validation rules, and security semantics governing the suite's shared identities, Grants, RN roles, and trust relationships. Hard interoperability is expected for shared object semantics and validation rules.¶
The material is a research artefact. It does not claim technical completeness, production readiness, or endorsement by the IETF or any other standards body, and it is not presented as a standards-track specification.¶
Full wire-level, clustering, and proof-family interoperability is not claimed everywhere yet. Companion wire encodings, clustering details, proof families, and deployment profiles remain intentionally profile-defined or deferred, so this draft should not be read as claiming a fully closed transport, proof, or availability model.¶
It is designed for experimentation and profile-driven deployments within its target environment. Privacy, decentralisation, and RN availability remain deployment- and profile-dependent properties.¶
During conversion from internal research documents into IETF XML, care has been taken to:¶
preserve a clear distinction between normative and informative content;¶
use requirement language (e.g., "MUST", "SHOULD", "MAY") only where protocol behaviour is intentionally specified;¶
avoid any implication of registry finalisation, mandatory implementation, or standard-track status; and¶
maintain intellectual-property neutrality, with no implied patent grants or licensing commitments beyond the IETF Trust copyright licence applicable to Internet-Draft text.¶
Ongoing research, implementation, performance validation, and real-world pilot work remain outside the scope of this Internet-Draft text and may be pursued separately.¶
The Internet still commonly exposes services via publicly reachable transport ports, a legacy design choice that enables scanning and unsolicited connection attempts at global scale. Operationally, this contributes to exposure for denial-of-service attacks, credential attacks, and lateral movement within networks.¶
UZPIF (the framework) and UZP ([UZP]) (its transport protocol) remove the concept of exposed ports at endpoints. Both endpoints initiate outbound, identity-anchored sessions to a Rendezvous Node (RN), which only stitches traffic when identity, context, and declared purpose align under policy issued by Pantheon, the identity and policy plane.¶
The intent is a model where discoverability and session establishment are policy-mediated rather than assumed by default, and where application traffic can be end-to-end authenticated and encrypted. UZP ([UZP]) is designed to support performance properties such as:¶
Legacy applications and non-UZPIF-capable hardware are intended to continue to operate via a Hardware Integration Layer (HIL) that acts as the explicitly modelled compatibility edge between port-based protocols and identity-centric sessions.¶
A UZPIF-aligned design should be evaluated not only for its steady-state cryptographic model, but also for whether its bootstrap, recovery, downgrade, mediation, operational override, and observability paths reintroduce singular trust dependencies that the architecture is intended to avoid.¶
UZPIF builds on transport, security, and identity work embodied in QUIC [RFC9000], TLS 1.3 [RFC8446], and the Host Identity Protocol [RFC7401], while aligning with modern zero-trust guidance (e.g., NIST SP 800-207 [NIST-SP800-207]) and post-quantum cryptography standardisation efforts (e.g., the NIST PQC project [NIST-PQC]).¶
This document provides an architectural overview of UZPIF and the deployment conditions addressed by an identity-first, rendezvous-based model that avoids publicly reachable listeners.¶
UZPIF should therefore be read as part of an experimental, research-oriented Independent Stream suite and as the current normative baseline for trust objects, validation rules, and security semantics within the framework. Hard interoperability is expected for shared object semantics and validation rules. Full wire-level, clustering, and proof-family interoperability is not claimed everywhere yet; the remaining details are intentionally profile-defined or deferred. Removing listeners alone does not by itself solve privacy, decentralisation, or RN availability.¶
Investment in perimeter defences (e.g., DDoS mitigation and application firewalls) can yield diminishing returns as attackers automate scanning and exploit discovery at Internet scale.¶
Zero Trust Network Access (ZTNA) and SASE deployments indicate demand for identity-first networking, yet many approaches still expose TCP/UDP ingress and rely on perimeter constructs. [NIST-SP800-207]¶
Post-quantum cryptography efforts provide a path to identity-first transport without prohibitive performance regression as key encapsulation and signature schemes mature. [NIST-PQC]¶
Conventional VPNs and overlay networks typically retain the assumption that services listen on IP:port tuples, even if those ports are only reachable within a private address space or through a gateway. QUIC [RFC9000], TLS 1.3 [RFC8446], HIP [RFC7401], and systems such as Tor [Tor] demonstrate that identity, encryption, and rendezvous can be decoupled from raw addressing semantics, but they generally retain listener-based service reachability.¶
No listeners at endpoints.¶
Identity-as-address via identities (e.g., canonical and ephemeral identities) rather than IP:port.¶
Companion transport profiles define session and transport behaviour rather than inheriting a VPN tunnel abstraction.¶
Pantheon policy plane encoding purpose, context, and validity into every session.¶
Requirements Language: The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119] and [RFC8174] when, and only when, they appear in all capitals.¶
This Internet-Draft is primarily architectural; requirement language is used sparingly and only where behaviour is intentionally specified.¶
Endpoint. A host or service that participates in UZPIF by initiating outbound sessions.¶
Rendezvous Node. A mediator that accepts outbound sessions and stitches permitted flows.¶
Control-plane software used to operate an RN deployment, including policy decisions and transparency log publication.¶
An identity, attestation, and policy plane whose authorities bind identity, policy, and trust metadata to keys or selectors accepted under local policy, may validate or certify those bindings, and may issue credentials, Grants, and delegations over them; when federated, they rely on authority metadata, issuer discovery, cross-authority validation, and conflict handling.¶
Hardware Integration Layer. A constrained edge mediation component that exposes or terminates legacy port-based protocols on behalf of non-UZPIF-capable hardware, while participating in UZPIF as a policy-bound identity-aware gateway.¶
Canonical Identity. A long-term cryptographic identity used to identify an EP (or a delegated sub-identity).¶
Ephemeral Identity. A short-lived identity used for sessions, derived or issued under policy.¶
Zero-Port Interconnect Tunnel. An end-to-end encrypted tunnel stitched via one or more RNs.¶
A cryptographically verifiable evidence package that demonstrates RN protocol deviation without requiring a central adjudicator.¶
This section defines the normative signed-object backbone for the UZPIF suite, including Pantheon Grants, Pantheon Certificates (PCerts), bootstrap and recovery artefacts, revocation signals and threshold evidence as profiled by TLS-DPA ([TLS-DPA]), Proof-of-Reachability evidence as defined by UZP ([UZP]), RN set advertisements, RN transparency entries, Discovery Grants, Signed Checkpoints, Indexer Receipts, and Revocation Acknowledgement artefacts as profiled by outbound indexing ([OUTBOUND-INDEXING]), and related auditable objects. For interoperable exchange across the suite, such objects MUST use this common signed artefact envelope.¶
The envelope is wire-neutral: it does not define transport framing or carriage format. It does define a single logical object model, canonical serialisation, signature coverage rule, extension rule, and validation baseline so that conforming implementations do not sign the same logical object differently.¶
Each signed artefact consists of three top-level members: "envelope", "body", and "signatures". The top-level member set is closed; unknown top-level members MUST cause rejection. The "envelope" member carries the suite-wide semantics defined here. The "body" member carries the object-specific semantics defined by the relevant draft. The "signatures" member carries one or more embedded signatures over the canonical signature input defined below. Object-specific drafts MAY extend the body, but they MUST NOT redefine the envelope semantics, canonical serialisation, exact signature coverage, extension handling, object identifier derivation, algorithm identifier handling, epoch-versus-sequence precedence, detached-signature policy, or ordering rules defined in this section.¶
This section is normatively central for suite-interoperable signed objects. Companion drafts define only the body profile, object-specific eligibility checks, and any explicitly deferred proof-family behaviour for a registered object type. They MUST NOT redefine canonical serialisation, exact signature coverage, object identifier derivation, unknown-field handling, signature ordering, algorithm identifier comparison, epoch-versus-sequence precedence, or detached-signature policy. If a companion draft conflicts with this section, this section controls for suite-interoperable exchange.¶
{
"envelope": {
"version": 1,
"object_type": "grant",
"object_id": "urn:uzpif:obj:v1:sha256:6f9c8a4c...",
"issuer_authority_id": "authority:example",
"subject_id": "cid:subject",
"audience_id": "cid:audience",
"scope": "tenant=alpha;service=payments;action=connect",
"policy_id": "pantheon-connect",
"policy_version": "2026-03-13",
"issued_at": "2026-03-13T12:00:00Z",
"not_before": "2026-03-13T12:00:00Z",
"not_after": "2026-03-13T12:05:00Z",
"epoch": 44,
"sequence": 181,
"nonce": "4f1c8a9d...",
"key_id": "sig-main-2026q1",
"prev_hash": "sha256:...",
"log_ref": "log://rn.example/181"
},
"body": {
"requested_peer": "cid:peer",
"action": "connect",
"qos_class": "interactive"
},
"signatures": [
{
"key_id": "sig-main-2026q1",
"alg": "ed25519",
"value": "base64..."
}
]
}
This figure is illustrative only. The normative envelope semantics, canonical serialisation rules, and validation requirements are defined by the text in this section.¶
Producers and verifiers MUST use the JSON Canonicalization Scheme (JCS) defined in [RFC8785] over UTF-8 JSON text.¶
Object production and verification use two exact canonical preimages. First, the producer derives "object_id" from the JCS serialisation of {"body": body, "envelope": envelope_without_object_id}, where envelope_without_object_id is the final envelope with only the "object_id" member omitted. Second, after inserting the derived "object_id", the canonical signature input is exactly the UTF-8 octet string of the JCS serialisation of {"body": body, "envelope": envelope}. The top-level "signatures" member, any detached-signature container, and any transport wrapper are outside both canonical preimages.¶
The "object_id" value MUST be formatted as "urn:uzpif:obj:v1:sha256:<lowercase-hex>", where the digest is the SHA-256 hash of the object-id preimage described above. Verifiers MUST recompute and compare "object_id" before evaluating signatures. Adding, removing, or reordering signatures does not change "object_id". Any change to envelope or body content, including extensions, validity bounds, policy references, or sequence metadata, MUST produce a different "object_id".¶
Each accepted signature MUST cover the exact canonical signature input bytes and nothing else. Suite-interoperable signatures MUST NOT be computed over pretty-printed JSON, partially selected members, alternate canonicalisation schemes, XML renderings, CBOR transcodings, log wrappers, transport records, or presentation-layer containers.¶
If an object-specific schema admits optional defaults, producers MUST materialise the exact values to be signed before canonicalisation. Verifiers MUST recompute "object_id" and the signature input from the received values, not from locally inferred defaults or omitted aliases.¶
Non-finite numbers, duplicate member names, semantically equivalent but non-canonical encodings, or values that cannot be represented under [RFC8785] MUST cause rejection.¶
Every common signed artefact MUST include "version", "object_type", "object_id", "issuer_authority_id", "subject_id", "scope", "issued_at", "not_before", "not_after", "key_id", and at least one entry in "signatures". The "body" member MUST be a JSON object whose direct member set is closed by the declared "object_type": direct body members not defined for that object type, "extensions", or "critical_extensions" MUST cause rejection. "audience_id", "policy_id", "policy_version", "epoch", "sequence", "nonce", "prev_hash", and "log_ref" MUST be present when relevant to the object's semantics, replay model, or transparency linkage.¶
Authenticity alone is insufficient for reliance on a common signed artefact. A valid signature proves origin and integrity, but a relying party MUST also evaluate freshness, scope, supersession, audience binding where relevant, and policy eligibility before treating the artefact as current authority.¶
Identifies the envelope version so that parsers and relying parties can apply the correct validation rules. Suite-interoperable objects defined by this revision MUST set "version" to 1.¶
Classifies the artefact using the exact case-sensitive token registered in Section 5.3. For suite-interoperable exchange, aliases or profile-specific synonyms are invalid.¶
Provides the stable identifier for the logical signed object. Producers MUST derive it according to Section 5.1. The same envelope and body content MUST always produce the same object_id, regardless of signature count. Producers MUST NOT reuse an object_id for different envelope or body content.¶
Identifies the authority context under which the object is issued. It MUST map to signed authority metadata or other locally trusted issuer metadata.¶
Identifies the principal, resource set, or relationship primarily affected by the artefact.¶
Identifies the intended relying party or recipient when the artefact is not intended for universal consumption.¶
Defines the operational scope of the artefact, such as authorised actions, resource sets, tenant boundaries, RN context, or revocation domain.¶
Name the policy basis and version under which the artefact was issued when policy tracking matters.¶
Define issuance time and validity bounds. Artefacts outside their validity window MUST be rejected.¶
Provide ordering and conflict-detection context. If both are present, "epoch" takes precedence for semantic supersession and "sequence" orders objects within the same epoch or append-only stream. A higher "epoch" supersedes any lower "epoch" regardless of "sequence". If "epoch" is equal, a higher "sequence" is newer. A lower-epoch object MUST NOT supersede a higher-epoch object merely because its "sequence" is larger.¶
Carries replay-unique entropy for replay-sensitive artefacts such as Grants, PoR evidence, or session-bound authorisations. Re-usable objects that are not replay-sensitive MAY omit it.¶
Identifies the primary issuer key used for key discovery. It MUST match the first embedded signature entry after signature-array sorting and MUST match at least one embedded signature entry.¶
Link the artefact into an append-only sequence or an external transparency record when auditability or append-only verification is required.¶
The direct members of "body" are defined by the registered object-type profile. Unknown direct body members MUST cause rejection unless they are carried under "body.extensions".¶
Object-specific extension values MUST appear only under "body.extensions", which, if present, MUST be a JSON object. "body.critical_extensions", if present, MUST be an array of unique extension keys sorted in ascending lexicographic order, and each listed key MUST exist in "body.extensions". Extension keys MUST be unique namespaced ASCII strings. Unknown extension values MAY be ignored only if they are not listed in "body.critical_extensions". Unknown critical extensions MUST cause rejection. Unknown members in "envelope", in an embedded signature entry, or as direct body members MUST cause rejection.¶
The "object_type" member is a case-sensitive lowercase ASCII token. For suite-interoperable exchange, it MUST use one of the exact values registered in Table 1. Companion drafts define only the body profile and additional validation for their registered object types; they MUST NOT rename, alias, or reinterpret a registered value. New suite-wide object types require an explicit update to this registry.¶
Detached signatures are not permitted for any registered object type in this revision. A future suite revision MAY change that only by updating both this registry and Section 5.5.¶
| object_type | Body profile | Detached signatures |
|---|---|---|
| grant | Pantheon Grant body profile (Section 10.3) | No |
| pcert | Pantheon Certificate body profile (Section 10.2) | No |
| bootstrap-seed-bundle | Bootstrap trust seed bundle (Section 8.2.1.1) | No |
| bootstrap-admission | Bootstrap admission body profile (Section 8.2.1.2) | No |
| recovery-reenrolment-bundle | Recovery / Re-Enrolment body profile (Section 8.2.1.3) | No |
| rn-set-statement | RN set advertisement body profile (Section 8.5.2.1) | No |
| rn-transparency-entry | RN transparency log entry body profile (Section 8.6) | No |
| misbehaviour-proof | RN misbehaviour evidence body profile (Section 8.7) | No |
| revocation | TLS-DPA Revocation Signal body profile ([TLS-DPA]) | No |
| threshold-consensus-evidence | TLS-DPA threshold-consensus body profile ([TLS-DPA]) | No |
| por-evidence | UZP Proof-of-Reachability body profile ([UZP]) | No |
| discovery-grant | Outbound indexing Discovery Grant body profile ([OUTBOUND-INDEXING]) | No |
| index-transparency-entry | Outbound indexing transparency-entry body profile ([OUTBOUND-INDEXING]) | No |
| signed-checkpoint | Outbound indexing checkpoint body profile ([OUTBOUND-INDEXING]) | No |
| indexer-receipt | Outbound indexing receipt body profile ([OUTBOUND-INDEXING]) | No |
| revocation-acknowledgement | Outbound indexing revocation-acknowledgement body profile ([OUTBOUND-INDEXING]) | No |
The "alg" member is a case-sensitive ASCII token that identifies the exact signature verification procedure applied to the signature bytes in "value". Comparison is byte-for-byte. Aliases, case folding, numeric registry codes, OIDs, or implicit translation between naming schemes MUST NOT be used for suite-interoperable verification.¶
Trusted issuer metadata MUST bind each signing key identifier to one or more exact "alg" tokens. A verifier MUST accept a signature only when the signature entry's "alg" exactly matches a token bound to that key and local policy permits that algorithm for the declared object_type and time interval.¶
Composite or hybrid constructions, if used, MUST have their own exact "alg" token and verification procedure. They MUST NOT be represented by multiple "alg" values within one signature entry or by guessing from key type alone.¶
The "signatures" array MUST contain at least one embedded signature. Each embedded signature entry MUST contain exactly "key_id", "alg", and "value". The embedded-signature member set is closed.¶
The array order is significant for serialised interchange and MUST be sorted in ascending lexicographic order by "key_id", then "alg", then "value". Duplicate entries with the same "key_id" and "alg", or duplicate complete entries, MUST cause rejection. A received array that is not already in this order MUST cause rejection. The envelope "key_id" MUST identify the first embedded signature entry after sorting.¶
The "alg" value is mandatory and case-sensitive, and it is processed according to Section 5.4. A signature entry whose "alg" is absent, unknown, unsupported, mismatched to the key metadata, or forbidden by local policy MUST be treated as invalid. If the remaining valid signatures do not satisfy the required signature set, the object MUST be rejected.¶
Embedded signatures are the only interoperable signature form for the registered object types in Table 1. For those object types, detached signatures MUST NOT be used and MUST NOT count toward policy satisfaction. If a future suite revision explicitly permits detached signatures for a specific object type, each detached signature MUST cover the same canonical signature input as the embedded form and MUST carry "object_id", "key_id", "alg", and "signed_object_hash", where "signed_object_hash" is "sha256:<lowercase-hex>" over the canonical signature input. If both embedded and detached signatures are present for such a future object type, every signature MUST verify against the same canonical signature input and object_id; any mismatch MUST cause rejection.¶
Relying parties validating a common signed artefact MUST verify at least the following:¶
the top-level member set, envelope member set, embedded-signature member set, and object-type-specific direct body member set are well-formed and contain no unknown members except under "body.extensions";¶
the envelope version is supported for the declared object_type, and registered suite-wide object types defined by this revision use "version" equal to 1;¶
the declared object_type is an exact registered suite-wide token when interoperable suite exchange is claimed;¶
object_id recomputation succeeds;¶
issuer_authority_id is locally trusted, validly delegated, or otherwise accepted under the applicable federation policy;¶
the signing key identified by key_id is valid for the object_type and time interval, and the envelope key_id matches the first embedded signature entry after sorting;¶
signature ordering and duplicate checks succeed, and every accepted signature verifies over the exact canonical signature input;¶
each "alg" value exactly matches trusted key metadata and a locally permitted signature verification procedure for the declared object_type;¶
the required signature set satisfies local policy, including any threshold or quorum rule;¶
the current time falls within the declared validity interval;¶
audience_id matches the relying party when the object is audience-bound;¶
nonce uniqueness and epoch or sequence freshness checks succeed when replay resistance or state ordering matter;¶
the artefact has not been superseded, rendered stale under local policy, or made policy-ineligible for the relevant scope and decision;¶
prev_hash or log_ref, when present, are consistent with the relevant append-only or transparency evidence; and¶
body.critical_extensions, when present, is unique, sorted, references only keys present in body.extensions, and contains no unsupported critical extension names.¶
Objects sharing the same issuer_authority_id, object_type, subject_id, scope, and applicable epoch or sequence state, but with incompatible canonical signature inputs, MUST be treated as conflicting artefacts and processed according to Section 10.7.¶
This section is informative. It provides high-level role and flow sketches only. Authoritative session, handshake, stitching, failover, and proof semantics are defined in the companion UZP ([UZP]) and TLS-DPA ([TLS-DPA]) drafts. Authoritative shared object semantics are defined by the common signed artefact envelope and the object-specific sections of this document and the relevant companion drafts.¶
If any figure or shorthand message label in this section conflicts with the companion transport or handshake drafts, the companion drafts govern.¶
In UZPIF, both peers initiate outbound sessions towards an RN. After policy evaluation and authorisation, the RN stitches the two sessions into a tunnel (ZPIT) that carries end-to-end protected application data.¶
EP A (Initiator) RN EP B (Responder)
|---- outbound ----->| |
| |<---- outbound|
|<==== end-to-end encrypted ZPIT (stitched via RN) ====>|
This figure shows both endpoints initiating outbound sessions to the RN, which stitches them into a single ZPIT.¶
The labels in this figure are illustrative only; this document does not define authoritative wire messages or handshake ordering for the transport steps shown.¶
Prior to stitching, an EP is expected to obtain a signed authorisation ("Grant") from Pantheon, as defined in Section 10.3. Grants bind identity to purpose and validity constraints, enabling RNs to make consistent policy decisions. The authoritative Grant format and interoperability requirements are defined in Section 10.3 and Section 5.¶
EP Pantheon RN |-- Grant Request -->| | |<- Signed Grant ----| | |----------- Grant + CID/EID ----------------->|
This figure illustrates the basic grant request and issuance exchange between an EP and Pantheon.¶
The message labels are illustrative only. Authoritative Grant object semantics are defined in Section 10.3, and authoritative transport or handshake sequencing is defined in companion drafts.¶
The RN establishes a stitched tunnel only if both peers present acceptable identities and authorisations. The exact transport, stitching, failover, and protected-traffic semantics are defined in the companion UZP and TLS-DPA drafts.¶
EP A RN EP B |-- Join Request -->| | |<-- Stitch OK -----| | | |<-- Join Request --| | |-- Stitch OK ----->| | |<====== end-to-end encrypted ZPIT (SessionID-bound) ==========>|
This figure shows the RN joining two authorised sessions into a stitched tunnel without learning plaintext.¶
The message names and sequencing in this figure are illustrative only. Authoritative stitching, failover, and session semantics are defined in the companion UZP and TLS-DPA drafts.¶
UZPIF can be extended to multi-hop stitching, for example where a tenant requires multiple independently operated RNs and attestation chains. End-to-end protection is expected to remain between endpoints.¶
EP A -> RN1 -> RN2 -> EP B EP A <======== end-to-end AEAD protected traffic ========> EP B
This figure depicts a multi-hop RN chain while end-to-end AEAD protection remains between endpoints.¶
This subsection is a deployment sketch only and does not define authoritative multi-RN transport semantics.¶
Where attached equipment cannot natively participate in UZPIF, a Hardware Integration Layer (HIL) MAY mediate between legacy port-based protocols and UZPIF sessions. Real-world examples include industrial devices, medical and laboratory equipment, older appliances, embedded controllers, legacy PBXs, telephony systems, and other equipment whose firmware cannot be remodelled around identity-first session initiation or removal of hard-coded inbound listeners.¶
A HIL is a compatibility and containment boundary, not a redefinition of legacy protocols as identity-native. A HIL is not an exception to UZPIF. It is the explicitly modelled compatibility edge through which such equipment interacts with an identity-first deployment. A HIL does not make a legacy protocol identity-safe; it constrains and evidences the points at which a legacy protocol is permitted to interact with an identity-first system.¶
HILs MUST apply explicit policy, minimise exposed legacy surface, and produce auditable evidence for mediated actions. A deployment using a HIL MUST treat the attached device as outside the native UZPIF trust model unless that device is separately enrolled with its own identity and policy context. The HIL therefore terminates the trust boundary cleanly rather than treating legacy traffic as natively identity-bound.¶
A HIL used to bridge non-UZPIF-capable equipment:¶
MUST be explicitly identified as a translation boundary;¶
MUST terminate trust domains cleanly rather than representing legacy traffic as natively identity-bound;¶
MUST enforce a narrow allow-listed protocol surface for the specific attached device or device class;¶
MUST expose only the minimum necessary legacy port behaviour toward the attached equipment;¶
MUST NOT elevate unauthenticated legacy assertions into Pantheon, Grant, or attestation truth without validation;¶
SHOULD support one-way or brokered operation where possible rather than transparent raw pass-through; and¶
MUST be auditable as a security-critical adapter.¶
When a HIL mediates an action into UZPIF, it SHOULD bind that action to auditable evidence including:¶
A HIL secures the boundary between a UZPIF environment and a legacy device interface; it does not guarantee the integrity or confidentiality of the local physical segment behind that boundary. Deployments MUST treat the HIL-attached legacy domain as an independently exposed trust zone unless additional protections are present.¶
The HIL's protection applies to the mediated protocol boundary, not automatically to the local wire, serial line, bus, switch port, backplane, maintenance interface, or other attached legacy segment behind it. Compromise of that local segment may still permit false device input, spoofed local traffic, local firmware replacement, bus replay, serial-line manipulation, switch-port insertion, maintenance-port misuse, false sensor injection, or manipulation of translated events before they cross into the UZPIF-mediated side.¶
HIL containment therefore reduces and evidences legacy exposure, but it does not retroactively make the attached hardware domain cryptographically trustworthy. Where stronger assurance is required, deployments SHOULD consider physical controls, tamper detection, local attestation, secure serial or bus wrappers where available, and device-origin integrity checks where feasible.¶
A compromised HIL is especially dangerous because it sits at the boundary between legacy protocol behaviour and native identity-bound operation. A malicious or subverted HIL may spoof device status, fabricate translated events, widen the permitted legacy surface, create covert ingress, or launder insecure traffic into a deployment that appears to be operating under stronger trust assumptions.¶
HIL software manifests, configurations, policy bundles, and updates SHOULD be signed and auditable. No HIL software, configuration, or policy change SHALL become authoritative unless its manifest, version, signer set, scope, and policy eligibility validate successfully under the deployment's normal trust model.¶
HIL update, provisioning, and recovery channels MUST NOT become hidden sovereign authority paths. Local administrative overrides, emergency maintenance paths, or vendor tooling MUST NOT silently bypass the same validation model claimed for ordinary operation. This is aligned with the ICSD ([ICSD]) principle that privileged update or override paths must be modelled so that invalid states are rejected rather than normalised.¶
This document distinguishes three compatibility classes for legacy integration so that deployments can state clearly whether a device is fully mediated, tightly brokered, or merely forwarded.¶
The HIL terminates the legacy protocol and exposes a modelled, policy-bound interface into UZPIF. This is the RECOMMENDED integration model.¶
The HIL permits tightly scoped transport bridging for a specific session under explicit Grant, time, scope, and evidence rules. This MAY be used where full mediation is not feasible, but it provides weaker containment than Class A.¶
The HIL forwards arbitrary port traffic. This mode is outside the recommended security model, SHOULD NOT be used except as a bounded migration exception, and MUST NOT be represented as equivalent to native UZPIF participation or to Class A or Class B mediation.¶
To avoid governance ambiguity, the UZPIF stack does not define or require the following:¶
Pantheon is the identity, attestation, and policy plane for UZPIF. It MAY be deployed as a single authority or as a multi-authority federation. As specified in Section 8, Pantheon federation is not a mandatory hierarchy and does not imply a single global authority.¶
A deployment MUST NOT claim interoperable Pantheon federation unless relying parties can obtain authority metadata, discover issuers, apply cross-authority validation, and process conflicts or split-brain conditions using the rules in this section or a stricter profile. Without those capabilities, Pantheon remains a local authority deployment rather than an interoperable federation.¶
Pantheon objects exchanged across authorities MUST use the common signed artefact envelope defined in Section 5.¶
Pantheon authorities bind identity, policy, and trust metadata to keys or selectors accepted under policy.¶
Deployments MAY use locally generated or externally attested keys if policy allows; Pantheon authorities validate or certify those bindings rather than being required to generate the underlying private keys.¶
In the suite baseline, Pantheon authorities issue credentials, Grants, and delegations over accepted bindings rather than being required to generate or custody the underlying private keys.¶
Pantheon commonly binds or delegates the following identity-bearing material:¶
long-term public signing keys bound to CIDs;¶
ephemeral session keys or ephemeral public keys bound to EIDs under policy; and¶
delegated sub-identities, selectors, or delegated credentials for services or microprocesses.¶
This identity approach is conceptually aligned with HIP's separation of endpoint identities from locators [RFC7401], but elevated to a policy plane.¶
Pantheon Certificates (PCerts) used for interoperable federation SHOULD include at least the following elements:¶
an issuer authority identifier;¶
a CID and public signing key (and optionally a post-quantum key encapsulation key);¶
purpose tags (e.g., service, role, tenant);¶
validity bounds (time or epoch); and¶
optional attestation claims (e.g., hardware trust or enclave measurement).¶
A PCert binds identity, scope, and trust metadata to an asserted public key. It does not by itself state how the corresponding private key was generated or who holds custody of it unless explicit attestation claims in the object-specific body say so.¶
Profiles MAY extend PCerts with additional fields, but interoperable federation requires enough issuer, subject, and validity information for cross-authority validation under Section 10.6.¶
For interoperable exchange, a PCert MUST use the common signed artefact envelope with "object_type" set to "pcert". The certificate-specific fields listed above populate the object-specific body and MUST NOT redefine envelope semantics.¶
A Grant is described as a signed assertion binding:¶
the CID/EID of the requester;¶
the requested peer identity;¶
purpose and action;¶
a time window and replay nonce; and¶
an authorised quality-of-service (QoS) class.¶
For interoperable exchange across the suite, a Grant MUST be represented as a signed artefact with "object_type" set to "grant", using the envelope defined in Section 5.¶
This section is the canonical suite-level Grant definition for the architecture described in UZPIF. Companion drafts such as UZP, TLS-DPA, and outbound indexing may add object-specific fields or application-specific constraints in the object-specific body, but they MUST preserve this baseline Grant semantics and the shared artefact envelope.¶
Issuer discovery is deliberately non-centralised. A relying party MAY discover an authority and its signed metadata through one or more of the following mechanisms:¶
No global registry, mandatory directory, or single discovery service is required for Pantheon federation. Deployments MAY combine discovery mechanisms and MAY continue to rely on cached metadata when fresh discovery is temporarily unavailable, subject to local expiry policy. An authority without discoverable or locally provisioned metadata MUST NOT be treated as an interoperable federation participant.¶
Pantheon federation MUST distinguish between issuer misbehaviour and federation divergence. These cases are not equivalent and MUST NOT be processed using a single merge rule.¶
If the same authority issues conflicting signed objects for the same epoch and scope, relying parties MUST treat the condition as evidence of authority misbehaviour. The conflicting objects SHOULD be retained as auditable evidence and MAY trigger local distrust, quarantine, or incident-response policy.¶
If different authorities publish conflicting signed views for the same subject, scope, or revocation state, relying parties MUST treat the condition as federation divergence. Such conflicts MUST NOT be auto-merged or silently normalised. Resolution MUST be performed by local policy, an explicit federation profile, or quorum rules agreed by the deployment.¶
Until resolved, implementations SHOULD fail closed for authorisation-expanding decisions and SHOULD surface the divergence to operators or relying services with enough issuer metadata to support audit and review.¶
RNs and endpoints may publish attestations such as:¶
Attestation artefacts SHOULD be published in transparency logs retrievable by relying parties. Storage and serving MAY be provided by Pantheon services, RN Controllers, or both, mirroring transparency and verifiability goals in broader zero-trust guidance. [NIST-SP800-207]¶
The following caching guidance is illustrative deployment guidance rather than a protocol-level interoperability requirement. Deployment profiles MAY tighten or relax these values according to their revocation, freshness, and transparency policies.¶
Authenticity alone is insufficient for continued reliance on cached authority. Before cached metadata, PCerts, Grants, or attestation material are used for security-relevant decisions, implementations SHOULD evaluate freshness, scope, sequence or epoch where applicable, and current policy eligibility under local stale-state rules. Authorisation-expanding decisions SHOULD require revalidation once a locally permitted stale window has been exceeded or when superseding state may exist.¶
Endpoints may cache:¶
authority metadata for the shorter of its stated validity interval or a locally configured cache cap;¶
PCerts for a locally configured interval appropriate to the deployment's revocation and freshness model (for example, up to 24 hours in low-churn environments);¶
Grants for the shorter of their validity window or session lifetime; and¶
attestation proofs for the duration of RN handshake paths.¶
UZPIF and UZP ([UZP]) intentionally reuse established transport and cryptographic primitives, but change where and how they are bound to identity, policy, and reachability. In particular, QUIC [RFC9000] and TLS 1.3 [RFC8446] demonstrate encrypted transports with modern handshake properties, while UZPIF shifts the reachability model away from listening endpoints.¶
| Dimension | UZPIF/UZP ([UZP]) | Traditional TCP/TLS | QUIC/TLS |
|---|---|---|---|
| Exposure | No open ports (endpoints are not publicly listening) | Open ports and/or proxies | Open ports at network edge |
| Identity | Mandatory cryptographic identity | Typically TLS-level identity only | TLS-level identity |
| Transport semantics | Defined by companion transport profile | TCP byte-stream transport | QUIC stream transport |
| RN trust | Drop/delay only (no end-to-end plaintext visibility expected) | N/A | N/A |
| Latency control | Deterministic pacing (design goal) | Congestion control variants (e.g., Reno/CUBIC) | Congestion control variants (e.g., BBR/CUBIC) |
| Legacy applications | Supported via HIL (intended) | Native | Often requires gateways or adaptation |
| Post-quantum readiness | Designed for cryptographic agility | Inconsistent deployment | Emerging |
This section sketches attacker classes and example controls. It is not a complete security analysis and will evolve with implementation experience.¶
Attacker classes include:¶
Internet-wide scanners;¶
botnets seeking command-and-control beacons;¶
malicious RNs (assumed capable of drop/delay/reorder);¶
insiders with credentials; and¶
traffic analysts performing correlation.¶
Existing rendezvous and overlay systems (e.g., Tor [Tor]) and NAT traversal mechanisms based on STUN [RFC5389] and TURN [RFC5766] demonstrate the power of indirection, but they still assume exposed or discoverable listeners somewhere in the path. UZPIF's design intent is to remove those listeners from the endpoint security model.¶
Example controls discussed for UZPIF include:¶
Capital expenditure reduction: reduced reliance on perimeter appliances and complex DMZ designs.¶
Operational expenditure reduction: fewer ACL/NAT rule changes and less inbound exposure management.¶
Risk reduction: reduced externally visible attack surface.¶
Potential service models: governance and RN validation as managed components.¶
UZPIF is intended for incremental deployment alongside existing TCP/TLS and QUIC-based stacks [RFC8446] and [RFC9000].¶
Deploy an RN: Introduce an outbound-only rendezvous node.¶
Deploy the HIL: Install the Hardware Integration Layer at endpoints or device edges where legacy applications or hardware require mediated compatibility.¶
Dual-stack operation: Run UZP ([UZP]) alongside existing TCP/TLS.¶
Cutover: Migrate services gradually to zero-port operation.¶
UZPIF's central security claim is that avoiding publicly reachable listeners at endpoints reduces exposure to scanning and unsolicited ingress. However, the framework introduces reliance on identity, authorisation, and policy evaluation components (e.g., Pantheon and RNs) whose compromise or misconfiguration could impact availability and authorisation correctness.¶
The threat model in Section 12 discusses attacker classes and candidate controls. Future revisions of this document (and the companion UZP ([UZP]) and TLS-DPA ([TLS-DPA]) documents) are expected to provide a more systematic analysis, including key management, revocation, attestation trust, and traffic analysis resistance.¶
UZPIF shifts primary access control from network-coordinate filtering toward cryptographic identity, Grants, and invariant-bound policy enforcement. Network address and open-port exposure therefore cease to be the primary admission model in a native UZPIF deployment.¶
Traditional firewalls, DPI systems, and other middleboxes MAY remain useful for containment, telemetry, egress control, QoS enforcement, volumetric denial-of-service handling, forensic monitoring, HIL containment, regulatory inspection domains, and non-UZPIF legacy enclaves. However, they MUST NOT be treated as authoritative truth sources for identity or policy validity.¶
UZPIF does not assume that packet visibility implies authority. Where middleboxes remain deployed, they operate as bounded policy, containment, or observability components rather than as trust anchors that define whether an identity or Grant is valid.¶
Some deployments will require explicit policy enforcement, enterprise inspection, regulated access, or other observability controls. This document does not define a universal lawful-intercept or hidden inspection authority for UZPIF.¶
Where compliance, monitoring, mediation, or inspection components are deployed, they MUST remain explicit, bounded, and cryptographically distinguishable from protocol truth. The existence of such a component MUST NOT silently redefine endpoint identity, Pantheon authority, Grant validity, revocation state, or other authorisation-relevant truth in the UZPIF suite.¶
A compliance or inspection function MAY enforce local policy, provide observability, or participate in a regulated deployment boundary, but it MUST be treated as a deployment-specific control surface rather than as implicit sovereign protocol authority. Operator or institutional pressure to insert monitoring MUST NOT be satisfied by silently converting middleboxes, RNs, HILs, or auxiliary services into hidden trust anchors.¶
Network-address and port-oriented monitoring may lose significant explanatory power in UZPIF environments. Legacy network-centric visibility therefore becomes incomplete rather than useless: defenders may see less value in source or destination address patterns, open-port exposure, unsolicited inbound attempts, protocol signatures, or packet-shape heuristics than in conventional port-based environments.¶
This does not imply that UZPIF blinds defenders. It does mean that security analytics SHOULD rely increasingly on identity-aware telemetry, authority artefacts, Grant usage patterns, rendezvous behaviour, and policy-verification events rather than on legacy assumptions about open-port exposure. Otherwise, Shadow IT activity, stealthy misuse of valid outbound behaviour, unauthorised stitching requests, abuse of legitimate-looking identity objects, or compromised internal workloads acting within apparently allowed tunnel patterns may become harder to explain or detect.¶
Privacy-related properties in UZPIF MUST be separated. Reduced service discoverability means that publicly reachable listeners and routine unsolicited scanning lose some value. Encrypted content protection means that authorised endpoints can protect payloads and application content from intermediaries. Traffic-pattern privacy concerns whether observers can still infer communication existence, counterpart relationships, cadence, timing, or operational significance from metadata. Improvement in one of these properties MUST NOT be represented as automatically delivering the other two.¶
Effective deployment profiles SHOULD expose auditable telemetry such as Grant issuance and usage logs, RN selection patterns, failed stitching attempts, revocation-consistency signals, identity or authority anomalies, HIL mediation events, downgrade or compatibility-mode activation, and unusual policy-bound session graphs. Such telemetry SHOULD remain explicit, policy-bound, and reviewable rather than being inferred indirectly from legacy packet visibility alone.¶
Time is a security-relevant input in the UZPIF suite. Grant expiry, revocation freshness, log checkpoints, replay defence, policy activation windows, and software or patch manifest validity all depend on time evaluation. Implementations MUST therefore treat local time and time-derived freshness decisions as part of the trusted security boundary rather than as a purely operational convenience.¶
Policy decisions that depend on time SHOULD tolerate bounded clock drift as defined by deployment policy or a stricter profile. However, no single unauthenticated time source SHALL become a mandatory truth anchor for continued protocol validity. Deployments SHOULD use independently checkable, redundant, or otherwise policy-vetted time inputs where time correctness materially affects authorisation or freshness decisions.¶
When time is uncertain, inconsistent, or outside locally permitted drift bounds, implementations SHOULD degrade safely rather than silently accepting stale or not-yet-valid authority. Safe degradation MAY include rejecting time-sensitive artefacts, requiring revalidation, narrowing replay windows, surfacing operator alarms, or falling back to more conservative local policy.¶
This document does not define a suite-wide time synchronisation protocol. It does define the security posture that incorrect or manipulated time MUST NOT silently widen authority, revive expired Grants, delay emergency revocation effect, or normalise ambiguous checkpoint ordering without explicit local policy.¶
UZPIF deployments may support native operation, HIL-mediated operation, brokered compatibility modes, legacy transport fallback, optional transparency behaviour, or advisory revocation thresholds. These modes create downgrade risk if an attacker can force the system onto a weaker posture while preserving the appearance of normal operation.¶
Fallback and degraded modes MUST be explicit, observable, and policy-bound. An implementation MUST NOT silently downgrade from native identity-first operation to mediated, brokered, legacy-compatible, transparency-reduced, or revocation-weakened behaviour without an allowed policy rule and locally observable state indicating that the downgrade occurred.¶
Peers, operators, or relying services SHOULD be able to determine whether a session or decision is operating in native, mediated, brokered, or otherwise degraded mode. Degraded operation MUST NOT silently inherit the same trust posture, authority scope, or audit assumptions as native operation. Profiles SHOULD narrow permissions, reduce session lifetime, strengthen revalidation requirements, or require additional operator visibility when compatibility or degraded modes are active.¶
Suppressed transparency checks, unavailable revocation evidence, weaker identity binding rules, or temporary compatibility exceptions MUST be treated as explicit trust reductions rather than harmless operational details. If the required stronger mode cannot be established, implementations SHOULD fail closed for authorisation-expanding behaviour unless local policy explicitly permits the weaker mode for a bounded scope and duration.¶
Real-world deployments may require emergency action during outage, recovery, migration, or incident containment. However, a break-glass path that silently disables normal trust checks is itself a high-risk authority path.¶
Any emergency override MUST be explicit, narrowly scoped, time-bounded, auditable, and incapable of silently becoming normal steady-state policy. A break-glass decision MUST NOT be normalised as an invisible standing exception to identity validation, Grant evaluation, revocation processing, transparency expectations, or other authorisation-relevant checks in the UZPIF suite.¶
Deployment profiles SHOULD record the triggering reason, affected scope, approving authority, activation time, expiry condition, and review outcome for such overrides. Emergency operation SHOULD surface clear local state to operators and relying parties when the stronger normal posture has been reduced.¶
UZPIF can materially reduce direct service and endpoint discoverability without guaranteeing metadata indistinguishability. Removing publicly reachable listening ports does not, by itself, provide strong privacy or anonymity. Unscannable is not the same as unseen. Rendezvous, transparency, and indexing infrastructure MAY still expose valuable metadata such as which parties communicate, which RN or RN cluster they use, how often they communicate, when sessions occur, how long they persist, retry patterns, topology clusters, discovery behaviour, revocation bursts, patch or rollout waves, and whether bursts correlate with alarms, updates, or emergency operations.¶
Even where payload plaintext remains protected, this metadata can support correlation, surveillance, tenant mapping, operational fingerprinting, or coercive analysis. A Rendezvous Node or indexing service that is not a truth anchor may still become a surveillance anchor if deployments over-retain, over-expose, or casually centralise metadata visibility.¶
Reduced discoverability, encrypted content protection, and traffic-pattern privacy are separate design axes. UZPIF can reduce unsolicited inbound exposure and support protected payload transport while still leaving observable metadata patterns available to infrastructure operators or network observers. Observers such as carriers, backbone operators, ISPs, or state-level monitors may still infer communication existence, cadence, rendezvous relationships, and operational timing from outbound rendezvous patterns unless additional privacy-preserving measures are deployed. Claims about strong observation resistance or traffic-pattern privacy MUST therefore be bounded and profile-dependent.¶
Operators SHOULD minimise metadata retention, restrict unnecessary visibility, and avoid collecting or exposing finer-grained metadata than is needed for security, accountability, or operational continuity. Deployment profiles SHOULD define retention bounds, access controls, aggregation rules, and disclosure controls for security-relevant logs, receipts, checkpoints, and session records.¶
Privacy-sensitive profiles MAY use identifier rotation, cover traffic, padding, batching, aggregation, timing obfuscation, multi-RN distribution, traffic shaping, delayed publication, or metadata-minimising RN policy to reduce correlation risk where those measures are compatible with the deployment's accountability and performance goals. Removal of inbound ports alone MUST NOT be treated as sufficient support for broader privacy claims.¶
UZPIF and its companion mechanisms introduce stateful verification paths, including handshake processing, PoR validation, Grant verification, transparency checking, authority discovery or resolution, repeated stitching attempts, and HIL-mediated translation work. These paths may improve exposure relative to openly listening services while still creating denial-of-service or state-exhaustion risk if attackers can force expensive pre-authorisation work at scale.¶
Removing inbound exposure from endpoints does not eliminate denial-of-service risk; it shifts strategic pressure toward rendezvous and control-plane infrastructure. UZPIF therefore redistributes attack surface away from broad endpoint exposure and toward smaller sets of highly defended coordination infrastructure. UZPIF-compliant deployments MUST therefore treat RN availability as a first-class design concern rather than as an operational afterthought.¶
RNs are likely focal points for volumetric, state-exhaustion, and coordination-disruption attacks. Endpoint hardening alone does not solve network-wide availability. Deployments SHOULD assume deliberate RN-targeted overload attempts and SHOULD use plurality, geographic dispersion, bounded-state processing, rate controls, admission pacing, queue isolation, and failure isolation where practical. The availability of RN infrastructure also depends partly on underlying transport and routing ecosystems that are outside the protocol's direct control, so protocol and deployment design SHOULD minimise the consequences of temporary RN overload, routing impairment, or RN loss.¶
Expensive cryptographic verification, policy evaluation, federation lookups, or translation work SHOULD occur as late as safely possible in the processing path. Stateless screening, bounded-prestate admission checks, puzzles, quotas, or other low-cost filters SHOULD be preferred where practical before allocating scarce state or invoking high-cost validation.¶
RNs, HILs, and related control-plane services SHOULD rate-limit, queue-bound, or otherwise constrain untrusted requests before high-cost cryptographic or policy evaluation where feasible. Implementations SHOULD separate basic survivability controls from richer verification paths so that overload of one validation function does not automatically collapse unrelated session handling or local containment.¶
Basic survivability SHOULD NOT depend on a single always-available validation bottleneck such as one authority-resolution path, one transparency endpoint, or one high-cost policy service. Deployment profiles SHOULD define bounded-failure behaviour, degraded but observable operation, and local overload policy so that exhaustion pressure does not silently widen authority or force unsafe fallback.¶
This document has no IANA actions.¶
UZPIF is an architectural framework and does not define protocol parameters requiring registries.¶