chore: consolidate platform split checks
This commit is contained in:
134
docs/POSTBOX_E2EE_ARCHITECTURE.md
Normal file
134
docs/POSTBOX_E2EE_ARCHITECTURE.md
Normal file
@@ -0,0 +1,134 @@
|
||||
# Postbox End-To-End Encryption Architecture
|
||||
|
||||
This document records the strategic encryption target for GovOPlaN postboxes.
|
||||
It does not require the first postbox implementation to ship full E2EE, but it
|
||||
defines the architecture so early data models and APIs do not make the stronger
|
||||
model impossible.
|
||||
|
||||
The core principle is that a postbox can become a trusted administrative
|
||||
communication channel without requiring the server to see plaintext content.
|
||||
The server may route, store, authorize, audit, retain, and expire messages while
|
||||
message bodies and attachments remain client-encrypted.
|
||||
|
||||
## Goals
|
||||
|
||||
- asynchronous encrypted delivery for internal and portal-facing postboxes
|
||||
- personal, organizational, role-bound, and function-bound postboxes
|
||||
- attachments encrypted with the message
|
||||
- access based on current role/function membership when configured
|
||||
- honest retraction and expiry semantics
|
||||
- auditable key access, delivery, and fetch events
|
||||
- support for external recipients without platform accounts
|
||||
- replaceable identity and trust providers
|
||||
|
||||
## Envelope Model
|
||||
|
||||
The target model is envelope encryption:
|
||||
|
||||
- Generate one random data encryption key per message or attachment set.
|
||||
- Encrypt content with an authenticated encryption algorithm.
|
||||
- Wrap the data encryption key for each authorized recipient or role mailbox.
|
||||
- Store only ciphertext, wrapped keys, signed manifests, and governed metadata
|
||||
on the server.
|
||||
|
||||
Algorithm choices should remain replaceable behind a crypto profile. The first
|
||||
profile should prefer standard, reviewed primitives such as HPKE for key
|
||||
wrapping and AEAD encryption for content.
|
||||
|
||||
## Identity And Device Keys
|
||||
|
||||
The platform should distinguish:
|
||||
|
||||
- account identity
|
||||
- tenant membership
|
||||
- role/function assignment
|
||||
- device key
|
||||
- postbox binding
|
||||
|
||||
Identity providers and directories can authenticate users and provide membership
|
||||
facts, but they must not see postbox private keys or message plaintext.
|
||||
|
||||
The trust layer should provide:
|
||||
|
||||
- public key directory
|
||||
- account or identity signing keys
|
||||
- per-device encryption keys
|
||||
- device registration and revocation
|
||||
- key rotation and epoch tracking
|
||||
- recovery policy hooks
|
||||
|
||||
## Role And Function Postboxes
|
||||
|
||||
Role-bound access needs special handling. A postbox can be bound to an
|
||||
organizational unit and a role or function. Current members can access current
|
||||
messages according to policy; former members should lose access to not-yet
|
||||
fetched material when revocation is still technically enforceable.
|
||||
|
||||
The target design should support role encryption keys or an equivalent
|
||||
rewrapping service:
|
||||
|
||||
- sender encrypts the content key for the role/function postbox
|
||||
- access service verifies current membership and required assurance
|
||||
- trust service rewraps the content key to the actor's current device key
|
||||
- audit records the key access decision and fetch event
|
||||
|
||||
Key epochs are required when role membership changes. Older messages may remain
|
||||
readable according to policy, but new access must use the current epoch.
|
||||
|
||||
## External Recipients
|
||||
|
||||
External recipients may need one-time or time-limited access without a full
|
||||
platform account. The target model should support capability links or invitation
|
||||
tokens that are:
|
||||
|
||||
- scoped to specific message or attachment resources
|
||||
- time-limited
|
||||
- optionally one-time
|
||||
- protected by an out-of-band secret, passphrase, or stronger external identity
|
||||
proof
|
||||
- revocable before key fetch
|
||||
- fully audited
|
||||
|
||||
## Retraction Semantics
|
||||
|
||||
GovOPlaN should be honest about retraction.
|
||||
|
||||
Before a recipient fetches a key or decrypts content, the system can revoke
|
||||
tokens, remove wrapped-key access, expire links, and delete ciphertext according
|
||||
to retention policy.
|
||||
|
||||
After a recipient has decrypted or copied plaintext, the system cannot make the
|
||||
recipient forget it. The platform can only record access, revoke future access,
|
||||
notify parties, and apply legal or organizational controls.
|
||||
|
||||
The UI must explain this distinction whenever it offers expiry, retraction, or
|
||||
message withdrawal.
|
||||
|
||||
## Server Responsibilities
|
||||
|
||||
The server remains important even when content is encrypted:
|
||||
|
||||
- store ciphertext and signed manifests
|
||||
- store routing and policy metadata
|
||||
- enforce access before key release or rewrapping
|
||||
- provide public key directory access
|
||||
- emit notifications without plaintext content
|
||||
- record audit events
|
||||
- enforce retention and expiry where possible
|
||||
- expose diagnostics for delivery and key-access failures
|
||||
|
||||
## Module Ownership
|
||||
|
||||
- `govoplan-postbox` owns postbox bindings, postbox messages, message metadata,
|
||||
and postbox UI.
|
||||
- `govoplan-identity-trust` owns device keys, public key directory, key epochs,
|
||||
and assurance integration.
|
||||
- `govoplan-access` owns current identity, membership, function, delegation, and
|
||||
permission decisions.
|
||||
- `govoplan-policy` owns retention, retraction, and security policy decisions.
|
||||
- `govoplan-audit` owns durable audit traces.
|
||||
- `govoplan-files` owns managed file storage when encrypted postbox attachments
|
||||
are backed by file objects.
|
||||
|
||||
No module should import another module's internals to decrypt content. All
|
||||
interaction must use capabilities, DTOs, and audited service contracts.
|
||||
Reference in New Issue
Block a user