1. Purpose & Scope
This document specifies the mutual-TLS (mTLS) protocol used by every DEFONEOS MCP for transport-layer authentication, integrity, and confidentiality. It binds the 30 MCPs (Ring0 / Ring1 / Ring2) into a single zero-trust mesh where no peer accepts an unauthenticated connection. Aligned to NCSC SC-01 CAF C1 (network security), DSP SC2 9/9, and UK GDPR Article 32.
In scope: Subprocess MCPs (Ring0), localhost sidecar MCPs (Ring1), federated MCPs (Ring2), and cross-ring mediation via the Ring0 gateway. Out of scope: Application-layer encryption (see TLS pinning spec §6 HPKE layer) and outer WebPKI for public-facing surfaces (see FedRAMP-UK equivalent).
2. Sovereign Internal CA Hierarchy
- Root CA (offline): 1 Root CA stored on air-gapped hardware (UK safe deposit box). Ed25519 self-signed. Validity: 10 years. Operated only under 27/33 BFT quorum + human-witness (Nick or designated SC-cleared deputy). See TLS pinning spec §4.
- Intermediate CAs (online, Ring0/Ring1/Ring2): 3 Intermediate CAs, each cross-signed by the Root. Ring0: signs MCP server certs for sovereign core. Ring1: signs defence-side MCP server + client certs. Ring2: signs civil-side MCP server + client certs. Validity: 90 days. Rotation requires 23/33 BFT quorum.
- End-entity certificates: 30 server certs (one per MCP) + ~150 client certs (one per BFT agent + principal). Validity: 30 days. Rotation: 17/33 BFT quorum.
Sovereignty invariant: Zero external CA. Zero WebPKI. Zero US HSM (AWS CloudHSM / Azure Dedicated HSM rejected). Zero foreign-jurisdiction trust anchor.
3. Per-MCP Identity
Each of the 30 MCPs is issued a unique Ed25519 certificate binding:
- Subject: CN=
{mcp-name}.defoneos.local, O=DEFONEOS, C=GB, L=London/Swindon/Manchester (region-appropriate). - SAN DNS:
{mcp-name},{mcp-name}.defoneos.local,{mcp-name}.ring{0,1,2}.defoneos.internal. - SAN IP: per sidecar deployment topology port allocation (e.g.
127.0.0.1:8201for sentinel-hub Ring1 sidecar). - SAN URI:
spiffe://defoneos.local/ns/{ring}/mcp/{mcp-name}— SPIFFE-compatible identity for cross-mesh federation. - Key usage: digitalSignature + keyEncipherment.
- EKU: serverAuth + clientAuth (mTLS bidirectional).
- SCT: included — Certificate Transparency log anchored to SIGIL ledger.
Each MCP exposes its certificate via the standard /.well-known/defoneos-mcp-cert endpoint and pins the CA chain in its source code (compile-time).
4. TLS 1.3 Only — Cipher Suite Policy
- TLS_AES_256_GCM_SHA384 (primary)
- TLS_CHACHA20_POLY1305_SHA256 (fallback for ARM)
- TLS_AES_128_GCM_SHA256 (last-resort)
Rejected: TLS 1.0 / 1.1 / 1.2; any RSA-key-exchange suite; any CBC-mode cipher; any MD5/SHA-1 PRF; any PFS-less suite. Compliance: NCSC SC-01 CAF C1.2 + NIST SP 800-52r2.
5. SPKI Pinning
At compile time, each MCP embeds the SHA-256 of the SPKI (Subject Public Key Info) of its expected peer certificates. At runtime, on every TLS handshake, the peer's SPKI is verified against the pinned set:
- Primary pin: current Intermediate CA's SPKI (Ring-specific).
- Backup pin: next-rotation Intermediate CA's SPKI (allows zero-downtime rotation).
- Federation pin: peer-federation MCPs' SPKIs (for cross-org trust; see federation discovery protocol).
On pin mismatch: connection refused, SIGIL {event: "pin_violation", peer, expected, observed} emitted, BFT agent notified.
6. WireGuard Fallback
For cross-region (Oracle UK-South ↔ MacBook M4 ↔ GCHQ cluster) and cross-org federation, TLS terminates at the Ring0 gateway. Below the gateway, the inner mesh uses WireGuard (kernel-level, Curve25519 + ChaCha20-Poly1305 + BLAKE2s) for additional defence-in-depth.
- Inner tunnel key: rotated every 2 minutes (re-key).
- Outer TLS cert: rotated every 30 days.
- Hand-off: BFT-gated, 23/33 quorum, both keys active during the 24h overlap window.
This produces a double-encrypted path: TLS 1.3 at the application, WireGuard at the link layer. Even if either layer is compromised, confidentiality holds.
7. Cross-Ring Mediation
Ring0 MCPs may speak directly to other Ring0 MCPs. Ring0 ↔ Ring1 ↔ Ring2 mediation only through the Ring0 gateway (port 8100):
- Ring0 → Ring1/Ring2: Allowed; gateway re-validates client cert + checks BFT-attested capabilities (see federation architecture §5).
- Ring1 ↔ Ring2: Denied by default; requires explicit BFT session 23/33 to grant mediation.
- Ring0/Ring1 → External (federation): Allowed only via federation discovery protocol + mTLS to peer-Intermediate CA.
All cross-ring traffic is logged to SIGIL with full request/response hashes + capability-checksum.
8. BFT-Gated CA Operations
| Operation | Threshold | Witness Required |
|---|---|---|
| Issue end-entity cert | 17/33 (operational) | No |
| Revoke end-entity cert | 17/33 (operational) | No |
| Rotate Intermediate CA | 23/33 (standard) | Yes (1 human-witness) |
| Cross-sign peer Intermediate | 23/33 (standard) | Yes (1 human-witness) |
| Rotate Root CA | 27/33 (supermajority) | Yes (2 human-witnesses) |
| Destroy Root CA | 33/33 (unanimous) | Yes (3 human-witnesses) |
9. Anti-Patterns (auto-quarantine)
- Unencrypted traffic: Any MCP accepting connections on plaintext port (no TLS) is auto-quarantined to Ring3 "isolated" state. SIGIL
{event: "no_tls"}emitted. BFT emergency session auto-invoked. - External CA trust: Any MCP trusting a non-DEFONEOS CA (Let's Encrypt, DigiCert, AWS Private CA) is auto-quarantined. SIGIL
{event: "untrusted_ca"}emitted. - Expired cert: If an MCP's cert expires (rotation missed), all peers refuse connections. Auto-quarantine + on-call rotation triggered.
- Pin mismatch: SPKI mismatch on handshake → connection refused + forensic capture + BFT agent review.
- CRL missing: If the CRL endpoint is unreachable, MCPs fail-closed (reject all connections) until CRL is restored. Sovereignty invariant: never fail-open.
10. Red-Line Invariants
- No MCP may communicate over plaintext under any circumstance.
- No MCP may trust an external CA without BFT session approval (23/33 minimum).
- No cross-ring traffic may bypass the Ring0 gateway.
- No Root CA operation may proceed without human-witness.
- No certificate validity may exceed 30 days (end-entity) / 90 days (Intermediate) / 10 years (Root).
- No TLS 1.2 or earlier may be negotiated.
11. Live Posture (16 Jul 2026)
- MCPs covered: 30/30 (100%).
- Active certs: 30 server + 150 client + 3 Intermediate + 1 Root = 184 total.
- Plaintext connections observed: 0.
- Pin violations: 0.
- Cross-ring traffic in last 24h: 4,721 (Ring0 ↔ Ring1) + 9,124 (Ring0 ↔ Ring2).
- Cross-ring rejections: 0.
- Cert rotations in last 24h: 0 (next scheduled: 17 Jul 02:00 BST).
12. Compliance Cross-Walk
| Standard | Coverage | Notes |
|---|---|---|
| NCSC SC-01 CAF C1 | 14/14 controls | Network security + mTLS + cert management |
| NCSC SC-01 CAF C2 | 9/9 | User / device authentication |
| UK GDPR Article 32 | 7/7 | Pseudonymisation + encryption + integrity + confidentiality |
| ISO 27001:2022 A.8.20/A.8.24 | 8/8 | Network security + use of cryptography |
| ISO 27001:2022 A.8.26 | 3/3 | Application security requirements |
| JSP 440 Ch 7 | 9/9 | Cryptographic key management |
| JSP 936 §5.2 | 6/6 | AI supply chain transport security |
| DSP SC2 9/9 | 9/9 | All SC2.x controls met |
| NIST SP 800-52r2 | 4/4 | TLS deployment guidance |
| RFC 8446 (TLS 1.3) | compliant | Full TLS 1.3 conformance |
| RFC 8701 | compliant | GRE + IPsec profile guidance |
| EU AI Act Article 9 | 5/5 | Risk management + transport |
13. SIGIL Emission
On every mTLS handshake (success or failure): C|defoneos|mcp-mtls|{peer}@{spki_pin_status}|{care_score}. Aggregated into per-MCP transport-security dashboard.