Security model

What we mitigate. What we don't. Plainly.

Honest threat modeling matters more than a hardened logo bar. This page describes what the Beacons architecture mitigates by design, what it does not, and where the residual responsibility lives.

11.1 — Identity compromise

Key compromise propagates downstream.

If a peer's lineage signing key is compromised:

  • The compromised peer's DID is revoked at its parent (OAS Spec §15.1).
  • All descendants of the compromised peer are evaluated for compromise and revoked as needed.
  • The fleet's policy engine recomputes ACLs on the next tick — the compromised peer (and any revoked descendants) are removed from all fleet routes.
  • The audit chain records the revocation event with the compromised DID, the parent DID that issued the revocation, and the timestamp.
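The propagation described above, as an added illustrative model and not Beacons code: a lineage tree in which revoking one peer marks its descendants (by default all of them; the `suspect` predicate stands in for the per-descendant evaluation), recomputes the route ACL so every pair involving a revoked peer disappears, and appends one audit record per revocation carrying the revoked DID, the parent DID that issued it, and a timestamp. The class names, the `suspect` hook, and every DID below are assumptions constructed for the example.

```python
"""Toy model of lineage-key revocation (added example, not Beacons code).
Peer, Fleet, revoke_lineage and all DIDs are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Peer:
    did: str
    parent: Optional[str]  # issuing DID in the lineage; None for the fleet root
    revoked: bool = False


@dataclass
class Fleet:
    peers: Dict[str, Peer] = field(default_factory=dict)
    routes: Set[Tuple[str, str]] = field(default_factory=set)  # admitted peer pairs
    audit: List[dict] = field(default_factory=list)            # append-only event log

    def add_peer(self, did: str, parent: Optional[str] = None) -> None:
        if parent is not None and parent not in self.peers:
            raise ValueError(f"unknown parent {parent}")
        self.peers[did] = Peer(did, parent)

    def connect(self, a: str, b: str) -> None:
        # routes are unordered, so store each pair in a canonical order
        self.routes.add(tuple(sorted((a, b))))

    def descendants(self, did: str) -> List[str]:
        """Breadth-first walk of every peer issued (directly or not) under `did`."""
        out: List[str] = []
        frontier = [did]
        while frontier:
            cur = frontier.pop(0)
            children = [p.did for p in self.peers.values() if p.parent == cur]
            out.extend(children)
            frontier.extend(children)
        return out

    def revoke_lineage(self, did: str, now: int,
                       suspect: Callable[[str], bool] = lambda _d: True) -> List[str]:
        """Revoke `did` at its parent, evaluate each descendant with `suspect`
        (assumption: the default treats every descendant as compromised),
        write one audit record per revocation, then recompute ACLs."""
        removed = [did] + [d for d in self.descendants(did) if suspect(d)]
        for d in removed:
            peer = self.peers[d]
            peer.revoked = True
            self.audit.append({"event": "revocation", "did": d,
                               "issued_by": peer.parent, "ts": now})
        self.recompute_acls()
        return removed

    def recompute_acls(self) -> None:
        """Drop every route that touches a revoked peer; nothing else changes."""
        self.routes = {r for r in self.routes
                       if not (self.peers[r[0]].revoked or self.peers[r[1]].revoked)}


def build_demo_fleet() -> Fleet:
    """Constructed sample lineage: root issues a and b; a issues a1 and a2."""
    f = Fleet()
    f.add_peer("did:oas:root")
    f.add_peer("did:oas:a", "did:oas:root")
    f.add_peer("did:oas:a1", "did:oas:a")
    f.add_peer("did:oas:a2", "did:oas:a")
    f.add_peer("did:oas:b", "did:oas:root")
    f.connect("did:oas:a", "did:oas:b")
    f.connect("did:oas:a1", "did:oas:b")
    f.connect("did:oas:b", "did:oas:root")
    return f


if __name__ == "__main__":
    fleet = build_demo_fleet()
    print("revoked:", fleet.revoke_lineage("did:oas:a", now=1700000000))
    print("remaining routes:", fleet.routes)
    for record in fleet.audit:
        print(record)
```

Revoking `did:oas:a` in the sample fleet removes a, a1 and a2 together with every route they were on, leaving only the b-to-root route; the first audit record names `did:oas:root` as the issuer and the next two name `did:oas:a`. Passing a `suspect` predicate that clears a2 keeps a2 enrolled, which is the "revoked as needed" case.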

11.2 — Capability token compromise

Revocation in seconds.

If an Arsenal ACT is leaked:

  • The token can be revoked at the issuing Arsenal broker.
  • On next policy recomputation (seconds), the policy engine refuses to admit any peer presenting the revoked token.
  • All existing tunnels associated with the leaked token are torn down by the coordinator — not just future enrollments.

11.3 — Coordinator compromise

The coordinator holds no peer private keys.

  • The coordinator does not hold private keys for any peer. It only holds public keys and policy state.
  • All inter-service traffic uses mTLS with certificates rotated automatically.
  • The audit chain is anchored to Sigil so a coordinator that tries to retroactively rewrite history is detected within one anchor cycle.
  • Multi-region coordinators are independent — compromising one region does not compromise the others.
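The anchoring argument in the third bullet, as an added example that is not Beacons or Sigil code: a hash-chained audit log whose head is recorded in an external store at the end of each anchor cycle. A coordinator that rewrites an earlier entry can re-derive every later hash so the chain still verifies on its own, which is exactly why an external anchor is needed: the recomputed head no longer matches what was anchored, and the mismatch surfaces at the first anchor covering the rewritten entry. Class and function names and the sample events are constructed assumptions.

```python
"""Hash-chained audit log with external anchors (added example, not Beacons code).
AuditChain, AnchorStore, verify_anchors and the sample DIDs are assumptions."""
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64


def _entry_hash(prev: str, event: dict) -> str:
    """Each entry commits to its predecessor's hash plus a canonical JSON encoding."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + payload).encode()).hexdigest()


class AuditChain:
    def __init__(self) -> None:
        self.events: List[dict] = []
        self.hashes: List[str] = []

    def append(self, event: dict) -> str:
        prev = self.hashes[-1] if self.hashes else GENESIS
        h = _entry_hash(prev, event)
        self.events.append(event)
        self.hashes.append(h)
        return h

    def head_after(self, n: int) -> str:
        """Recompute the chain head over the first n events from scratch."""
        prev = GENESIS
        for event in self.events[:n]:
            prev = _entry_hash(prev, event)
        return prev

    def is_internally_consistent(self) -> bool:
        return self.hashes == [self.head_after(i + 1) for i in range(len(self.events))]

    def rewrite_history(self, index: int, event: dict) -> None:
        """Models a compromised coordinator: replace an earlier entry and re-derive
        every later hash so the chain still passes its own consistency check."""
        self.events[index] = event
        self.hashes = [self.head_after(i + 1) for i in range(len(self.events))]


class AnchorStore:
    """Stands in for the external anchor (Sigil on this page): holds the chain
    length and head hash recorded at the end of each anchor cycle."""
    def __init__(self) -> None:
        self.anchors: List[Tuple[int, str]] = []

    def anchor(self, chain: AuditChain) -> None:
        head = chain.hashes[-1] if chain.hashes else GENESIS
        self.anchors.append((len(chain.events), head))


def verify_anchors(chain: AuditChain, store: AnchorStore) -> Optional[int]:
    """Return the chain length at the first anchor the log no longer matches,
    or None when every anchored head is reproduced by the current entries."""
    for n, anchored_head in store.anchors:
        if n > len(chain.events) or chain.head_after(n) != anchored_head:
            return n
    return None


def demo_detects_rewrite() -> Tuple[bool, Optional[int]]:
    """Two anchor cycles, then a retroactive rewrite of a revocation in cycle 2.
    Returns (chain looks consistent on its own, first anchor that disagrees)."""
    chain, store = AuditChain(), AnchorStore()
    for did in ("did:oas:example:p1", "did:oas:example:p2", "did:oas:example:p3"):
        chain.append({"event": "enroll", "did": did})        # constructed sample events
    store.anchor(chain)                                       # end of anchor cycle 1 (3 entries)
    chain.append({"event": "revoke", "did": "did:oas:example:p2"})
    chain.append({"event": "enroll", "did": "did:oas:example:p4"})
    store.anchor(chain)                                       # end of anchor cycle 2 (5 entries)
    chain.rewrite_history(3, {"event": "enroll", "did": "did:oas:example:p2"})  # erase the revocation
    return chain.is_internally_consistent(), verify_anchors(chain, store)


if __name__ == "__main__":
    consistent, bad_anchor = demo_detects_rewrite()
    print("chain self-consistent after rewrite:", consistent)
    print("first anchor that disagrees (chain length):", bad_anchor)
```

In the demo the rewritten chain still reports itself as internally consistent, yet `verify_anchors` flags the cycle-2 anchor (chain length 5), because the head recorded there was computed over the original revocation entry. A rewrite inside cycle 1 would instead be caught at the cycle-1 anchor (length 3), and an untouched chain yields None.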

11.4 — Relay compromise

A compromised relay cannot decrypt payloads.

The TURN-equivalent relay forwards encrypted WireGuard packets. Even a compromised relay cannot decrypt peer traffic because the WireGuard session keys are never available to the relay. A compromised relay can:

  • Drop traffic (denial of service).
  • Observe metadata (which peers are talking to which).

It cannot decrypt payloads. End-to-end encryption is preserved.

11.5 — SIM compromise

Treated as peer revocation.

A compromised SIM can be:

  • Suspended at the cellular provider (immediate data-plane revocation).
  • Removed from the fleet's policy (immediate mesh revocation).
  • Audited via the SIM's `did:oas` lineage event in the audit chain.

11.6 — Quantum readiness

Ed25519 today. PQC when standardized.

Ed25519 is not quantum-resistant. When NIST PQC schemes are standardized, Beacons will support PQC-bound peer identities alongside Ed25519 during a transition period. This is a future spec-version concern, not a Phase 0–7 concern.

Disclosure

Tell us if something is wrong.

We accept vulnerability reports at security@beacons.sh. Triage SLAs and rewards are described on the responsible disclosure page. Trust posture and certifications are tracked on the trust center.

Open a fleet

The mesh that fits agents and humans.

A `did:oas`-rooted private mesh that ships peer configurations to any device, anywhere, by policy — not by hand.