Glossary

Shared vocabulary across Bedrock. Each term lists where it is authoritative.

| Term | Definition |
| --- | --- |
| Principal | An identity the Directory issues tokens for — an operator, a device, or a server. Identified by principal_id. |
| principal_id | Stable Directory-assigned UUID, constant across devices and key rotations. The authoritative identity after envelope verify. |
| device_id | Stable per-device anchor — SHA-256(FIDO credential id) (operators) / SHA-256(device id) (devices). Keys one node row per physical device. |
| IdentityToken | Directory-signed (Ed25519) token carried in every AuthEnvelope; binds a principal to roles, classification, principal_sign_key, key epoch. Verified by verify_identity_token. |
| ServerToken | Directory-signed token for a router — pins hostname, max_classification, coverage_cells. Does not ride AuthEnvelope. |
| AuthEnvelope | The wire wrapper: { identity_token, payload, nonce, issued_at_ms, device_signature }. Authenticity = the device signature. Canonical: common/src/auth_envelope.rs. |
| device_signature | 64-byte Ed25519 signature over the canonical signing input, by the device's per-principal key. The per-message authenticity mechanism. |
| principal_sign_key | The public half of the device's per-batch Ed25519 signing key, embedded in the IdentityToken; receivers verify device_signature against it. |
| Group key | Directory-issued symmetric AES-256 key (/api/group-key, versioned by key_epoch). Intended for payload confidentiality. Currently dormant (no payload-crypto consumer); slated to back server-blind E2E content encryption (issue #7). |
| Key epoch | Monotonic counter for group-key rotation; stamped on the IdentityToken (key_epoch) and advanced via a KeyRotation publication. |
| Nonce | 12 random bytes per envelope; (principal_id, nonce) is cached for the 60 s replay window. |
| Replay window | ±DEFAULT_REPLAY_WINDOW_MS (60 s) freshness/skew + replay-cache window. |
| RevocationList | Directory-signed, sequence-monotonic snapshot of revoked_principals + devices (revoked device sign-keys). No cert-level revocation (token-only). |
| Directory | The identity authority (directory repo) — FIDO2 login, token + group-key issuance, signing-key publication, revocation feed. Root of trust. |
| FIDO2 | WebAuthn assertion used for operator login; no client certificate is involved. |
| Token-only identity | Identity rests on the Directory's Ed25519 signature over the token. No X.509 client certificate; bound_cert_serial is reserved/removed. Certificates appear only in transport/federation TLS (see pki.md). |
| Zenoh | The pub/sub transport (org.eclipse.zenoh). Routing is by key expression; locators are scheme-prefixed (quic/, tls/, tcp/, ws/, wss/). |
| Router / relay | A server instance acting as a Zenoh transport router — relays, stores durable prefixes, federates with peer routers over mTLS. |
| Peer / client mode | Peer = LAN mesh (multicast scout); client = single-router attach (gossip). |
| Coverage cell / geohash-5 | A 5-char geohash naming the area a router serves (ServerToken.coverage_cells); the key namespace is cell-first (waypoint/<cell>/...). |
| Key expression | The Zenoh routing path, e.g. waypoint/global/chat/<chat_id>/<msg_id>. See protocol/wire-protocol.md. |
| Classification banner | Client UI indicator of the classification ceiling (derived from verified, non-expired sources). A display, not an enforcement boundary — enforcement is server/classification_gate.rs. |
| Classification floor | The Bell-LaPadula min(sender.max_classification, server.max_classification) the server enforces per inbound payload. |
| Outbox | Per-server store-and-forward queue on clients so messages to a disconnected server are not lost. Contract: protocol/outbox.md. |
| SIDC | 20-digit MIL-STD-2525D / APP-6D Symbol Identification Code. Parser in common/src/sidc/, renderer in android/ui/symbols/. |
| APP-6 / MIL-STD-2525 | NATO military map-symbology standard the SIDC encodes. |
| CoT / TAK | Cursor-on-Target / TAK — the ATAK ecosystem interop format handled by the gateway. |
| Trust bundle | Per-session CA PEM bundle (composed from servers' caCertPem) the client validates the router's TLS cert against; falls back to the system trust store. |
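
How the Nonce and Replay window entries combine on the receiving side, as an added Rust sketch that is not Bedrock's own code. ReplayGuard, Reject and check are hypothetical names, principal_id is taken as the 16 UUID bytes, and keeping each pair until issued_at_ms plus the window (rather than 60 s from arrival) is an assumption of this example.

```rust
use std::collections::hash_map::Entry;
use std::collections::HashMap;

/// Value from the glossary: 60 s freshness/skew and replay-cache window.
pub const DEFAULT_REPLAY_WINDOW_MS: u64 = 60_000;

#[derive(Debug, PartialEq)]
pub enum Reject { Stale, FromFuture, Replayed }

/// Hypothetical replay guard. Call it only after the IdentityToken and
/// device_signature have verified, so forged envelopes cannot fill the cache.
#[derive(Default)]
pub struct ReplayGuard {
    // (principal_id as 16 UUID bytes, 12-byte nonce) -> expiry time in ms
    seen: HashMap<([u8; 16], [u8; 12]), u64>,
}

impl ReplayGuard {
    pub fn check(&mut self, now_ms: u64, principal_id: [u8; 16],
                 nonce: [u8; 12], issued_at_ms: u64) -> Result<(), Reject> {
        // Freshness: issued_at_ms must lie within +/- the window of local time.
        if issued_at_ms.saturating_add(DEFAULT_REPLAY_WINDOW_MS) < now_ms {
            return Err(Reject::Stale);
        }
        if issued_at_ms > now_ms.saturating_add(DEFAULT_REPLAY_WINDOW_MS) {
            return Err(Reject::FromFuture);
        }
        // Drop entries whose envelopes would now fail the freshness test anyway.
        self.seen.retain(|_, expires| *expires >= now_ms);
        // Keep the pair until the envelope itself goes stale (assumption of this
        // sketch): expiring on arrival time would let a future-skewed envelope
        // be replayed after eviction while it is still fresh.
        let expires = issued_at_ms.saturating_add(DEFAULT_REPLAY_WINDOW_MS);
        match self.seen.entry((principal_id, nonce)) {
            Entry::Occupied(_) => Err(Reject::Replayed),
            Entry::Vacant(slot) => { slot.insert(expires); Ok(()) }
        }
    }
}

fn main() {
    let (mut guard, alice, nonce) = (ReplayGuard::default(), [1u8; 16], [7u8; 12]);
    let t0 = 1_700_000_000_000u64; // constructed timestamp
    println!("{:?}", guard.check(t0, alice, nonce, t0));         // first delivery
    println!("{:?}", guard.check(t0 + 5_000, alice, nonce, t0)); // same envelope again
}
```

The cache is keyed on the pair, so the same nonce from a different principal_id is accepted.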