| Internet-Draft | UZPIF | March 2026 |
| Fisher | Expires 17 September 2026 | [Page] |
The Universal Zero-Port Interconnect Framework (UZPIF) describes a post-port networking model in which communication is established via outbound, identity-bound sessions to Rendezvous Nodes (RNs). By removing publicly reachable listening ports at endpoints, UZPIF changes exposure assumptions and can reduce unsolicited ingress and Internet-wide scanning pressure, but it does not by itself guarantee privacy, decentralisation, or availability.¶
This document outlines architectural motivation, a high-level security model, operational and economic considerations, a Pantheon trust and policy plane baseline, and an incremental migration approach. It is part of an experimental, research-oriented Independent Stream suite and defines the current normative baseline for trust objects, validation rules, and security semantics within the suite framework. Hard interoperability is expected for shared object semantics and validation rules. Full wire-level, clustering, and proof-family interoperability is not claimed everywhere yet; the remaining details are intentionally profile-defined or deferred in companion drafts or profiles. UZPIF is intended to be read alongside companion work describing the Universal Zero-Port Transport Protocol (UZP; [UZP]) and TLS-DPA ([TLS-DPA]).¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 17 September 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
This Internet-Draft is part of an experimental, research-oriented suite prepared for the Independent Stream. It is published to enable structured technical review, interoperability discussion, and disciplined specification development around the Universal Zero-Port Interconnect Framework (UZPIF).¶
Within that suite, this document defines the current normative baseline for trust objects, validation rules, and security semantics governing the suite's shared identities, Grants, RN roles, and trust relationships. Hard interoperability is expected for shared object semantics and validation rules.¶
The material is a research artefact. It does not claim technical completeness, production readiness, or endorsement by the IETF or any other standards body, and it is not presented as a standards-track specification.¶
Full wire-level, clustering, and proof-family interoperability is not claimed everywhere yet. Companion wire encodings, clustering details, proof families, and deployment profiles remain intentionally profile-defined or deferred, so this draft should not be read as claiming a fully closed transport, proof, or availability model.¶
It is designed for experimentation and profile-driven deployments within its target environment. Privacy, decentralisation, and RN availability remain deployment- and profile-dependent properties.¶
During conversion from internal research documents into IETF XML, care has been taken to:¶
preserve a clear distinction between normative and informative content;¶
use requirement language (e.g., "MUST", "SHOULD", "MAY") only where protocol behaviour is intentionally specified;¶
avoid any implication of registry finalisation, mandatory implementation, or standard-track status; and¶
maintain intellectual-property neutrality, with no implied patent grants or licensing commitments beyond the IETF Trust copyright licence applicable to Internet-Draft text.¶
Ongoing research, implementation, performance validation, and real-world pilot work remain outside the scope of this Internet-Draft text and may be pursued separately.¶
The Internet still commonly exposes services via publicly reachable transport ports, a legacy design choice that enables scanning and unsolicited connection attempts at global scale. Operationally, this contributes to exposure for denial-of-service attacks, credential attacks, and lateral movement within networks.¶
UZPIF (the framework) and UZP ([UZP]) (its transport protocol) remove the concept of exposed ports at endpoints. Both endpoints initiate outbound, identity-anchored sessions to a Rendezvous Node (RN), which only stitches traffic when identity, context, and declared purpose align under policy issued by Pantheon, the identity and policy plane.¶
The intent is a model where discoverability and session establishment are policy-mediated rather than assumed by default, and where application traffic can be end-to-end authenticated and encrypted. UZP ([UZP]) is designed to support performance properties such as:¶
Legacy applications and non-UZPIF-capable hardware are intended to continue to operate via a Hardware Integration Layer (HIL) that acts as the explicitly modelled compatibility edge between port-based protocols and identity-centric sessions.¶
A UZPIF-aligned design should be evaluated not only for its steady-state cryptographic model, but also for whether its bootstrap, recovery, downgrade, mediation, operational override, and observability paths reintroduce singular trust dependencies that the architecture is intended to avoid.¶
UZPIF builds on transport, security, and identity work embodied in QUIC [RFC9000], TLS 1.3 [RFC8446], and the Host Identity Protocol [RFC7401], while aligning with modern zero-trust guidance (e.g., NIST SP 800-207 [NIST-SP800-207]) and post-quantum cryptography standardisation efforts (e.g., the NIST PQC project [NIST-PQC]).¶
This document provides an architectural overview of UZPIF and the deployment conditions addressed by an identity-first, rendezvous-based model that avoids publicly reachable listeners.¶
UZPIF should therefore be read as part of an experimental, research-oriented Independent Stream suite and as the current normative baseline for trust objects, validation rules, and security semantics within the framework. Hard interoperability is expected for shared object semantics and validation rules. Full wire-level, clustering, and proof-family interoperability is not claimed everywhere yet; the remaining details are intentionally profile-defined or deferred. Removing listeners alone does not by itself solve privacy, decentralisation, or RN availability.¶
Investment in perimeter defences (e.g., DDoS mitigation and application firewalls) can yield diminishing returns as attackers automate scanning and exploit discovery at Internet scale.¶
Zero Trust Network Access (ZTNA) and SASE deployments indicate demand for identity-first networking, yet many approaches still expose TCP/UDP ingress and rely on perimeter constructs. [NIST-SP800-207]¶
Post-quantum cryptography efforts provide a path to identity-first transport without prohibitive performance regression as key encapsulation and signature schemes mature. [NIST-PQC]¶
Conventional VPNs and overlay networks typically retain the assumption that services listen on IP:port tuples, even if those ports are only reachable within a private address space or through a gateway. QUIC [RFC9000], TLS 1.3 [RFC8446], HIP [RFC7401], and systems such as Tor [Tor] demonstrate that identity, encryption, and rendezvous can be decoupled from raw addressing semantics, but they generally retain listener-based service reachability.¶
No listeners at endpoints.¶
Identity-as-address via identities (e.g., canonical and ephemeral identities) rather than IP:port.¶
Companion transport profiles define session and transport behaviour rather than inheriting a VPN tunnel abstraction.¶
Pantheon policy plane encoding purpose, context, and validity into every session.¶
Requirements Language: The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119] and [RFC8174] when, and only when, they appear in all capitals.¶
This Internet-Draft is primarily architectural; requirement language is used sparingly and only where behaviour is intentionally specified.¶
Endpoint. A host or service that participates in UZPIF by initiating outbound sessions.¶
Rendezvous Node. A mediator that accepts outbound sessions and stitches permitted flows.¶
Control-plane software used to operate an RN deployment, including policy decisions and transparency log publication.¶
An identity, attestation, and policy plane whose authorities bind identity, policy, and trust metadata to keys or selectors accepted under local policy, may validate or certify those bindings, and may issue credentials, Grants, and delegations over them; when federated, they rely on authority metadata, issuer discovery, cross-authority validation, and conflict handling.¶
Hardware Integration Layer. A constrained edge mediation component that exposes or terminates legacy port-based protocols on behalf of non-UZPIF-capable hardware, while participating in UZPIF as a policy-bound identity-aware gateway.¶
Canonical Identity. A long-term cryptographic identity used to identify an EP (or a delegated sub-identity).¶
Ephemeral Identity. A short-lived identity used for sessions, derived or issued under policy.¶
Zero-Port Interconnect Tunnel. An end-to-end encrypted tunnel stitched via one or more RNs.¶
A cryptographically verifiable evidence package that demonstrates RN protocol deviation without requiring a central adjudicator.¶
This section defines the normative signed-object backbone for the UZPIF suite, including Pantheon Grants, Pantheon Certificates (PCerts), bootstrap and recovery artefacts, revocation signals and threshold evidence as profiled by TLS-DPA ([TLS-DPA]), Proof-of-Reachability evidence as defined by UZP ([UZP]), RN set advertisements, RN transparency entries, Discovery Grants, Signed Checkpoints, Indexer Receipts, and Revocation Acknowledgement artefacts as profiled by outbound indexing ([OUTBOUND-INDEXING]), and related auditable objects. For interoperable exchange across the suite, such objects MUST use this common signed artefact envelope.¶
The envelope is wire-neutral: it does not define transport framing or carriage format. It does define a single logical object model, canonical serialisation, signature coverage rule, extension rule, and validation baseline so that conforming implementations do not sign the same logical object differently.¶
Each signed artefact consists of three top-level members: "envelope", "body", and "signatures". The top-level member set is closed; unknown top-level members MUST cause rejection. The "envelope" member carries the suite-wide semantics defined here. The "body" member carries the object-specific semantics defined by the relevant draft. The "signatures" member carries one or more embedded signatures over the canonical signature input defined below. Object-specific drafts MAY extend the body, but they MUST NOT redefine the envelope semantics, canonical serialisation, exact signature coverage, extension handling, object identifier derivation, algorithm identifier handling, epoch-versus-sequence precedence, detached-signature policy, or ordering rules defined in this section.¶
This section is normatively central for suite-interoperable signed objects. Companion drafts define only the body profile, object-specific eligibility checks, and any explicitly deferred proof-family behaviour for a registered object type. They MUST NOT redefine canonical serialisation, exact signature coverage, object identifier derivation, unknown-field handling, signature ordering, algorithm identifier comparison, epoch-versus-sequence precedence, or detached-signature policy. If a companion draft conflicts with this section, this section controls for suite-interoperable exchange.¶
{
"envelope": {
"version": 1,
"object_type": "grant",
"object_id": "urn:uzpif:obj:v1:sha256:6f9c8a4c...",
"issuer_authority_id": "authority:example",
"subject_id": "cid:subject",
"audience_id": "cid:audience",
"scope": "tenant=alpha;service=payments;action=connect",
"policy_id": "pantheon-connect",
"policy_version": "2026-03-13",
"issued_at": "2026-03-13T12:00:00Z",
"not_before": "2026-03-13T12:00:00Z",
"not_after": "2026-03-13T12:05:00Z",
"epoch": 44,
"sequence": 181,
"nonce": "4f1c8a9d...",
"key_id": "sig-main-2026q1",
"prev_hash": "sha256:...",
"log_ref": "log://rn.example/181"
},
"body": {
"requested_peer": "cid:peer",
"action": "connect",
"qos_class": "interactive"
},
"signatures": [
{
"key_id": "sig-main-2026q1",
"alg": "ed25519",
"value": "base64..."
}
]
}
This figure is illustrative only. The normative envelope semantics, canonical serialisation rules, and validation requirements are defined by the text in this section.¶
Producers and verifiers MUST use the JSON Canonicalization Scheme (JCS) defined in [RFC8785] over UTF-8 JSON text.¶
Object production and verification use two exact canonical preimages. First, the producer derives "object_id" from the JCS serialisation of {"body": body, "envelope": envelope_without_object_id}, where envelope_without_object_id is the final envelope with only the "object_id" member omitted. Second, after inserting the derived "object_id", the canonical signature input is exactly the UTF-8 octet string of the JCS serialisation of {"body": body, "envelope": envelope}. The top-level "signatures" member, any detached-signature container, and any transport wrapper are outside both canonical preimages.¶
The "object_id" value MUST be formatted as "urn:uzpif:obj:v1:sha256:<lowercase-hex>", where the digest is the SHA-256 hash of the object-id preimage described above. Verifiers MUST recompute and compare "object_id" before evaluating signatures. Adding, removing, or reordering signatures does not change "object_id". Any change to envelope or body content, including extensions, validity bounds, policy references, or sequence metadata, MUST produce a different "object_id".¶
Each accepted signature MUST cover the exact canonical signature input bytes and nothing else. Suite-interoperable signatures MUST NOT be computed over pretty-printed JSON, partially selected members, alternate canonicalisation schemes, XML renderings, CBOR transcodings, log wrappers, transport records, or presentation-layer containers.¶
If an object-specific schema admits optional defaults, producers MUST materialise the exact values to be signed before canonicalisation. Verifiers MUST recompute "object_id" and the signature input from the received values, not from locally inferred defaults or omitted aliases.¶
Non-finite numbers, duplicate member names, semantically equivalent but non-canonical encodings, or values that cannot be represented under [RFC8785] MUST cause rejection.¶
Every common signed artefact MUST include "version", "object_type", "object_id", "issuer_authority_id", "subject_id", "scope", "issued_at", "not_before", "not_after", "key_id", and at least one entry in "signatures". The "body" member MUST be a JSON object whose direct member set is closed by the declared "object_type": direct body members not defined for that object type, "extensions", or "critical_extensions" MUST cause rejection. "audience_id", "policy_id", "policy_version", "epoch", "sequence", "nonce", "prev_hash", and "log_ref" MUST be present when relevant to the object's semantics, replay model, or transparency linkage.¶
Authenticity alone is insufficient for reliance on a common signed artefact. A valid signature proves origin and integrity, but a relying party MUST also evaluate freshness, scope, supersession, audience binding where relevant, and policy eligibility before treating the artefact as current authority.¶
Identifies the envelope version so that parsers and relying parties can apply the correct validation rules. Suite-interoperable objects defined by this revision MUST set "version" to 1.¶
Classifies the artefact using the exact case-sensitive token registered in Section 5.3. For suite-interoperable exchange, aliases or profile-specific synonyms are invalid.¶
Provides the stable identifier for the logical signed object. Producers MUST derive it according to Section 5.1. The same envelope and body content MUST always produce the same object_id, regardless of signature count. Producers MUST NOT reuse an object_id for different envelope or body content.¶
Identifies the authority context under which the object is issued. It MUST map to signed authority metadata or other locally trusted issuer metadata.¶
Identifies the principal, resource set, or relationship primarily affected by the artefact.¶
Identifies the intended relying party or recipient when the artefact is not intended for universal consumption.¶
Defines the operational scope of the artefact, such as authorised actions, resource sets, tenant boundaries, RN context, or revocation domain.¶
Name the policy basis and version under which the artefact was issued when policy tracking matters.¶
Define issuance time and validity bounds. Artefacts outside their validity window MUST be rejected.¶
Provide ordering and conflict-detection context. If both are present, "epoch" takes precedence for semantic supersession and "sequence" orders objects within the same epoch or append-only stream. A higher "epoch" supersedes any lower "epoch" regardless of "sequence". If "epoch" is equal, a higher "sequence" is newer. A lower-epoch object MUST NOT supersede a higher-epoch object merely because its "sequence" is larger.¶
Carries replay-unique entropy for replay-sensitive artefacts such as Grants, PoR evidence, or session-bound authorisations. Re-usable objects that are not replay-sensitive MAY omit it.¶
Identifies the primary issuer key used for key discovery. It MUST match the first embedded signature entry after signature-array sorting and MUST match at least one embedded signature entry.¶
Link the artefact into an append-only sequence or an external transparency record when auditability or append-only verification is required.¶
The direct members of "body" are defined by the registered object-type profile. Unknown direct body members MUST cause rejection unless they are carried under "body.extensions".¶
Object-specific extension values MUST appear only under "body.extensions", which, if present, MUST be a JSON object. "body.critical_extensions", if present, MUST be an array of unique extension keys sorted in ascending lexicographic order, and each listed key MUST exist in "body.extensions". Extension keys MUST be unique namespaced ASCII strings. Unknown extension values MAY be ignored only if they are not listed in "body.critical_extensions". Unknown critical extensions MUST cause rejection. Unknown members in "envelope", in an embedded signature entry, or as direct body members MUST cause rejection.¶
The "object_type" member is a case-sensitive lowercase ASCII token. For suite-interoperable exchange, it MUST use one of the exact values registered in Table 1. Companion drafts define only the body profile and additional validation for their registered object types; they MUST NOT rename, alias, or reinterpret a registered value. New suite-wide object types require an explicit update to this registry.¶
Detached signatures are not permitted for any registered object type in this revision. A future suite revision MAY change that only by updating both this registry and Section 5.5.¶
| object_type | Body profile | Detached signatures |
|---|---|---|
| grant | Pantheon Grant body profile (Section 10.3) | No |
| pcert | Pantheon Certificate body profile (Section 10.2) | No |
| bootstrap-seed-bundle | Bootstrap trust seed bundle (Section 8.2.1.1) | No |
| bootstrap-admission | Bootstrap admission body profile (Section 8.2.1.2) | No |
| recovery-reenrolment-bundle | Recovery / Re-Enrolment body profile (Section 8.2.1.3) | No |
| rn-set-statement | RN set advertisement body profile (Section 8.5.2.1) | No |
| rn-transparency-entry | RN transparency log entry body profile (Section 8.6) | No |
| misbehaviour-proof | RN misbehaviour evidence body profile (Section 8.7) | No |
| revocation | TLS-DPA Revocation Signal body profile ([TLS-DPA]) | No |
| threshold-consensus-evidence | TLS-DPA threshold-consensus body profile ([TLS-DPA]) | No |
| por-evidence | UZP Proof-of-Reachability body profile ([UZP]) | No |
| discovery-grant | Outbound indexing Discovery Grant body profile ([OUTBOUND-INDEXING]) | No |
| index-transparency-entry | Outbound indexing transparency-entry body profile ([OUTBOUND-INDEXING]) | No |
| signed-checkpoint | Outbound indexing checkpoint body profile ([OUTBOUND-INDEXING]) | No |
| indexer-receipt | Outbound indexing receipt body profile ([OUTBOUND-INDEXING]) | No |
| revocation-acknowledgement | Outbound indexing revocation-acknowledgement body profile ([OUTBOUND-INDEXING]) | No |
The "alg" member is a case-sensitive ASCII token that identifies the exact signature verification procedure applied to the signature bytes in "value". Comparison is byte-for-byte. Aliases, case folding, numeric registry codes, OIDs, or implicit translation between naming schemes MUST NOT be used for suite-interoperable verification.¶
Trusted issuer metadata MUST bind each signing key identifier to one or more exact "alg" tokens. A verifier MUST accept a signature only when the signature entry's "alg" exactly matches a token bound to that key and local policy permits that algorithm for the declared object_type and time interval.¶
Composite or hybrid constructions, if used, MUST have their own exact "alg" token and verification procedure. They MUST NOT be represented by multiple "alg" values within one signature entry or by guessing from key type alone.¶
The "signatures" array MUST contain at least one embedded signature. Each embedded signature entry MUST contain exactly "key_id", "alg", and "value". The embedded-signature member set is closed.¶
The array order is significant for serialised interchange and MUST be sorted in ascending lexicographic order by "key_id", then "alg", then "value". Duplicate entries with the same "key_id" and "alg", or duplicate complete entries, MUST cause rejection. A received array that is not already in this order MUST cause rejection. The envelope "key_id" MUST identify the first embedded signature entry after sorting.¶
The "alg" value is mandatory and case-sensitive, and it is processed according to Section 5.4. A signature entry whose "alg" is absent, unknown, unsupported, mismatched to the key metadata, or forbidden by local policy MUST be treated as invalid. If the remaining valid signatures do not satisfy the required signature set, the object MUST be rejected.¶
Embedded signatures are the only interoperable signature form for the registered object types in Table 1. For those object types, detached signatures MUST NOT be used and MUST NOT count toward policy satisfaction. If a future suite revision explicitly permits detached signatures for a specific object type, each detached signature MUST cover the same canonical signature input as the embedded form and MUST carry "object_id", "key_id", "alg", and "signed_object_hash", where "signed_object_hash" is "sha256:<lowercase-hex>" over the canonical signature input. If both embedded and detached signatures are present for such a future object type, every signature MUST verify against the same canonical signature input and object_id; any mismatch MUST cause rejection.¶
Relying parties validating a common signed artefact MUST verify at least the following:¶
the top-level member set, envelope member set, embedded-signature member set, and object-type-specific direct body member set are well-formed and contain no unknown members except under "body.extensions";¶
the envelope version is supported for the declared object_type, and registered suite-wide object types defined by this revision use "version" equal to 1;¶
the declared object_type is an exact registered suite-wide token when interoperable suite exchange is claimed;¶
object_id recomputation succeeds;¶
issuer_authority_id is locally trusted, validly delegated, or otherwise accepted under the applicable federation policy;¶
the signing key identified by key_id is valid for the object_type and time interval, and the envelope key_id matches the first embedded signature entry after sorting;¶
signature ordering and duplicate checks succeed, and every accepted signature verifies over the exact canonical signature input;¶
each "alg" value exactly matches trusted key metadata and a locally permitted signature verification procedure for the declared object_type;¶
the required signature set satisfies local policy, including any threshold or quorum rule;¶
the current time falls within the declared validity interval;¶
audience_id matches the relying party when the object is audience-bound;¶
nonce uniqueness and epoch or sequence freshness checks succeed when replay resistance or state ordering matter;¶
the artefact has not been superseded, rendered stale under local policy, or made policy-ineligible for the relevant scope and decision;¶
prev_hash or log_ref, when present, are consistent with the relevant append-only or transparency evidence; and¶
body.critical_extensions, when present, is unique, sorted, references only keys present in body.extensions, and contains no unsupported critical extension names.¶
Objects sharing the same issuer_authority_id, object_type, subject_id, scope, and applicable epoch or sequence state, but with incompatible canonical signature inputs, MUST be treated as conflicting artefacts and processed according to Section 10.7.¶
This section is informative. It provides high-level role and flow sketches only. Authoritative session, handshake, stitching, failover, and proof semantics are defined in the companion UZP ([UZP]) and TLS-DPA ([TLS-DPA]) drafts. Authoritative shared object semantics are defined by the common signed artefact envelope and the object-specific sections of this document and the relevant companion drafts.¶
If any figure or shorthand message label in this section conflicts with the companion transport or handshake drafts, the companion drafts govern.¶
In UZPIF, both peers initiate outbound sessions towards an RN. After policy evaluation and authorisation, the RN stitches the two sessions into a tunnel (ZPIT) that carries end-to-end protected application data.¶
EP A (Initiator) RN EP B (Responder)
|---- outbound ----->| |
| |<---- outbound|
|<==== end-to-end encrypted ZPIT (stitched via RN) ====>|
This figure shows both endpoints initiating outbound sessions to the RN, which stitches them into a single ZPIT.¶
The labels in this figure are illustrative only; this document does not define authoritative wire messages or handshake ordering for the transport steps shown.¶
Prior to stitching, an EP is expected to obtain a signed authorisation ("Grant") from Pantheon, as defined in Section 10.3. Grants bind identity to purpose and validity constraints, enabling RNs to make consistent policy decisions. The authoritative Grant format and interoperability requirements are defined in Section 10.3 and Section 5.¶
EP Pantheon RN |-- Grant Request -->| | |<- Signed Grant ----| | |----------- Grant + CID/EID ----------------->|
This figure illustrates the basic grant request and issuance exchange between an EP and Pantheon.¶
The message labels are illustrative only. Authoritative Grant object semantics are defined in Section 10.3, and authoritative transport or handshake sequencing is defined in companion drafts.¶
The RN establishes a stitched tunnel only if both peers present acceptable identities and authorisations. The exact transport, stitching, failover, and protected-traffic semantics are defined in the companion UZP and TLS-DPA drafts.¶
EP A RN EP B |-- Join Request -->| | |<-- Stitch OK -----| | | |<-- Join Request --| | |-- Stitch OK ----->| | |<====== end-to-end encrypted ZPIT (SessionID-bound) ==========>|
This figure shows the RN joining two authorised sessions into a stitched tunnel without learning plaintext.¶
The message names and sequencing in this figure are illustrative only. Authoritative stitching, failover, and session semantics are defined in the companion UZP and TLS-DPA drafts.¶
UZPIF can be extended to multi-hop stitching, for example where a tenant requires multiple independently operated RNs and attestation chains. End-to-end protection is expected to remain between endpoints.¶
EP A -> RN1 -> RN2 -> EP B EP A <======== end-to-end AEAD protected traffic ========> EP B
This figure depicts a multi-hop RN chain while end-to-end AEAD protection remains between endpoints.¶
This subsection is a deployment sketch only and does not define authoritative multi-RN transport semantics.¶
Where attached equipment cannot natively participate in UZPIF, a Hardware Integration Layer (HIL) MAY mediate between legacy port-based protocols and UZPIF sessions. Real-world examples include industrial devices, medical and laboratory equipment, older appliances, embedded controllers, legacy PBXs, telephony systems, and other equipment whose firmware cannot be remodelled around identity-first session initiation or removal of hard-coded inbound listeners.¶
A HIL is a compatibility and containment boundary, not a redefinition of legacy protocols as identity-native. A HIL is not an exception to UZPIF. It is the explicitly modelled compatibility edge through which such equipment interacts with an identity-first deployment. A HIL does not make a legacy protocol identity-safe; it constrains and evidences the points at which a legacy protocol is permitted to interact with an identity-first system.¶
HILs MUST apply explicit policy, minimise exposed legacy surface, and produce auditable evidence for mediated actions. A deployment using a HIL MUST treat the attached device as outside the native UZPIF trust model unless that device is separately enrolled with its own identity and policy context. The HIL therefore terminates the trust boundary cleanly rather than treating legacy traffic as natively identity-bound.¶
A HIL used to bridge non-UZPIF-capable equipment:¶
MUST be explicitly identified as a translation boundary;¶
MUST terminate trust domains cleanly rather than representing legacy traffic as natively identity-bound;¶
MUST enforce a narrow allow-listed protocol surface for the specific attached device or device class;¶
MUST expose only the minimum necessary legacy port behaviour toward the attached equipment;¶
MUST NOT elevate unauthenticated legacy assertions into Pantheon, Grant, or attestation truth without validation;¶
SHOULD support one-way or brokered operation where possible rather than transparent raw pass-through; and¶
MUST be auditable as a security-critical adapter.¶
When a HIL mediates an action into UZPIF, it SHOULD bind that action to auditable evidence including:¶
A HIL secures the boundary between a UZPIF environment and a legacy device interface; it does not guarantee the integrity or confidentiality of the local physical segment behind that boundary. Deployments MUST treat the HIL-attached legacy domain as an independently exposed trust zone unless additional protections are present.¶
The HIL's protection applies to the mediated protocol boundary, not automatically to the local wire, serial line, bus, switch port, backplane, maintenance interface, or other attached legacy segment behind it. Compromise of that local segment may still permit false device input, spoofed local traffic, local firmware replacement, bus replay, serial-line manipulation, switch-port insertion, maintenance-port misuse, false sensor injection, or manipulation of translated events before they cross into the UZPIF-mediated side.¶
HIL containment therefore reduces and evidences legacy exposure, but it does not retroactively make the attached hardware domain cryptographically trustworthy. Where stronger assurance is required, deployments SHOULD consider physical controls, tamper detection, local attestation, secure serial or bus wrappers where available, and device-origin integrity checks where feasible.¶
A compromised HIL is especially dangerous because it sits at the boundary between legacy protocol behaviour and native identity-bound operation. A malicious or subverted HIL may spoof device status, fabricate translated events, widen the permitted legacy surface, create covert ingress, or launder insecure traffic into a deployment that appears to be operating under stronger trust assumptions.¶
HIL software manifests, configurations, policy bundles, and updates SHOULD be signed and auditable. No HIL software, configuration, or policy change SHALL become authoritative unless its manifest, version, signer set, scope, and policy eligibility validate successfully under the deployment's normal trust model.¶
HIL update, provisioning, and recovery channels MUST NOT become hidden sovereign authority paths. Local administrative overrides, emergency maintenance paths, or vendor tooling MUST NOT silently bypass the same validation model claimed for ordinary operation. This is aligned with the ICSD ([ICSD]) principle that privileged update or override paths must be modelled so that invalid states are rejected rather than normalised.¶
This document distinguishes three compatibility classes for legacy integration so that deployments can state clearly whether a device is fully mediated, tightly brokered, or merely forwarded.¶
The HIL terminates the legacy protocol and exposes a modelled, policy-bound interface into UZPIF. This is the RECOMMENDED integration model.¶
The HIL permits tightly scoped transport bridging for a specific session under explicit Grant, time, scope, and evidence rules. This MAY be used where full mediation is not feasible, but it provides weaker containment than Class A.¶
The HIL forwards arbitrary port traffic. This mode is outside the recommended security model, SHOULD NOT be used except as a bounded migration exception, and MUST NOT be represented as equivalent to native UZPIF participation or to Class A or Class B mediation.¶