Phase 7 Sprint 7.1 - Federation Proof-of-Origin

Threat Model

• Asset: federated evidence bundles received from SpectraStrike.
• Adversary: sender impersonation, signature forgery, bundle-field tampering.
• Trust boundary: federation verify API at telemetry gateway.

Attack Vectors Considered

• Forged bundle signature.
• Bundle mutation after signing.
• Schema extension with hidden unvalidated fields.

Mitigations Implemented

• Added strict signed evidence bundle schema (extra=forbid).
• Canonical signed fields defined:
  • operator_id
  • campaign_id
  • execution_hash
  • timestamp
  • nonce
  • signature
• Implemented Ed25519 proof-of-origin verification over canonical bundle message.
• Added federation verification endpoint guarded by service identity checks.
• Added tamper-evident audit log entries for accepted/rejected federation verifications.

Residual Risk

• Current proof covers origin authenticity; timestamp freshness windows for federation bundles can be tightened in next phase.

Future Improvements

• Add replay defense and strict time window enforcement for federation verification endpoint.
• Add key rotation metadata and bundle key-id support.