Trust Model
DeadLetter is built around cryptographic trust pinning instead of central user accounts.
No part of the system ever requires trusting the backend with plaintext data.
Root of Trust
The system has a single Root Signing Key.
This key:
- Lives only on the registry server
- Signs all user certificates
- Is fetched once by clients and ESP devices
- Is pinned locally and never auto‑updated
If the root key changes, all clients must explicitly clear trust.
This makes silent compromise of the registry impossible.
Certificate Structure
Each user has a certificate:
{
"handle": "alice",
"encPub": "<base64 X25519 public key>",
"keyId": "<random>",
"expiresAt": 1735689600
}
This certificate is signed by the root key using Ed25519.
Certificate Verification Flow
When a client or ESP wants to send or read messages:
- Fetch
/keys/from registry - Receive:
root_pub_b64- signing algorithm
- Pin the root key locally
- Fetch
/keys/<handle> - Verify signature using pinned root key
- Reject any unsigned or invalid certificate
ESP Trust Pinning
Each ESP device stores:
| Item | Stored In |
|---|---|
| Root public key fingerprint | NVS |
| Registry gateway address | NVS |
| Backend gateway address | NVS |
This prevents:
- Evil‑twin registry attacks
- Gateway redirection
- Silent man‑in‑the‑middle attacks
Fingerprint Verification
On first boot the ESP prints:
Root Trust Fingerprint:
aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99
This value is unique per installation.
Never trust the example above – always compare the fingerprint shown on your own ESP device with the one printed by your CLI.
This must be compared with the fingerprint shown by the CLI.
Only if both match is trust established.
Where this happens
This process is fully described in:
→ Device Setup → CLI Usage → Trust Commands
The sender ESP device is always the authority for fingerprint verification.
Trust Revocation
Trust is only reset when:
- The user runs the setup CLI again
- Or manually clears NVS
- Or reflashes firmware
There is no remote trust reset endpoint.
Why This Matters
This model guarantees:
| Threat | Outcome |
|---|---|
| Backend compromised | Cannot read messages |
| Registry compromised | Cannot forge certificates |
| Network MITM | Detected by pinned root key |
| Rogue ESP | Cannot impersonate other devices |
Trust Summary
DeadLetter does not trust infrastructure.
It only trusts:
- Locally pinned keys
- Cryptographic verification
- Physical access when provisioning