Security Model
EWP's security model addresses identity binding, replay attacks, and content integrity.
Trust Boundaries
| Operation | Trust Requirement |
|---|---|
| GET /ewp/* | None — public data, no authentication |
| POST /ewp/connections | Valid EIP-712 signature from followerAddress; verified identity at both followerUrl and followeeUrl |
| DELETE /ewp/connections | Valid EIP-712 signature from followerAddress or followeeAddress |
| POST /ewp/publications | Valid EIP-712 signature from publisherAddress + active follow relationship |
| PATCH /ewp/nodes/:address | Valid EIP-712 signature from the node owner |
Security Properties
Signer Binding
Every cross-node write operation requires an EIP-712 signature. Receivers recover the signer address via ecrecover and compare it against the identity field declared in the message (followerAddress for CreateConnection, publisherAddress for StatementOfSource, the node owner for NodeProfileUpdate); a mismatch rejects the request. The declared field is therefore never trusted on its own, only the recovered address is.
Replay Resistance
CreateConnection and DestroyConnection messages include a timestamp; receivers reject messages whose timestamp differs from their own clock by more than one hour (a ±1-hour window). A replay inside that window is still possible but harmless: a replayed CreateConnection targets a connection that already exists, and a replayed DestroyConnection after a re-follow is caught by the race check below.
Connection Termination Race Protection
Termination requests are rejected when the targeted connection was established after the termination was signed, i.e. when the connection's createdAt is later than the DestroyConnection timestamp. Without this check, an old DestroyConnection replayed after the follower re-follows would sever the new connection.
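The following is an added example that puts the Signer Binding, Replay Resistance and Connection Termination Race Protection rules above into receiver-side code. It is illustrative, not the EWP project's own implementation, and assumes that EIP-712 verification and ecrecover have already run and produced `recoveredSigner`, that `timestamp` is in seconds, and that a connection's createdAt is the signed timestamp of the CreateConnection that established it; the field names follow the spec text, everything else is assumed.

```javascript
// Added example, not EWP project code. ASSUMPTIONS: `recoveredSigner` is the
// address ecrecover produced for the message; timestamps are in seconds;
// createdAt is the signed timestamp of the accepted CreateConnection.

const WINDOW_SECONDS = 60 * 60; // the spec's +/- 1-hour window

function withinWindow(msgTimestamp, nowSeconds) {
  return Math.abs(nowSeconds - msgTimestamp) <= WINDOW_SECONDS;
}

function connectionKey(msg) {
  return `${msg.followerAddress}>${msg.followeeAddress}`.toLowerCase();
}

// connections: Map from connectionKey -> { createdAt }
function applyCreateConnection(connections, msg, recoveredSigner, nowSeconds) {
  // Signer binding: only the follower may create the relationship.
  if (recoveredSigner.toLowerCase() !== msg.followerAddress.toLowerCase()) {
    return { ok: false, reason: 'signer is not followerAddress' };
  }
  if (!withinWindow(msg.timestamp, nowSeconds)) {
    return { ok: false, reason: 'timestamp outside window' };
  }
  const key = connectionKey(msg);
  if (connections.has(key)) {
    // A replay inside the window changes nothing: the connection exists.
    return { ok: true, reason: 'already connected' };
  }
  connections.set(key, { createdAt: msg.timestamp });
  return { ok: true, reason: 'created' };
}

function applyDestroyConnection(connections, msg, recoveredSigner, nowSeconds) {
  const signer = recoveredSigner.toLowerCase();
  // Either party may terminate.
  if (signer !== msg.followerAddress.toLowerCase() &&
      signer !== msg.followeeAddress.toLowerCase()) {
    return { ok: false, reason: 'signer is neither party' };
  }
  if (!withinWindow(msg.timestamp, nowSeconds)) {
    return { ok: false, reason: 'timestamp outside window' };
  }
  const key = connectionKey(msg);
  const existing = connections.get(key);
  if (!existing) {
    return { ok: false, reason: 'no such connection' };
  }
  // Race protection: a termination signed before the current connection was
  // established is stale. This is what stops an old DestroyConnection,
  // replayed inside the window after a re-follow, from severing the new link.
  if (existing.createdAt > msg.timestamp) {
    return { ok: false, reason: 'termination predates current connection' };
  }
  connections.delete(key);
  return { ok: true, reason: 'destroyed' };
}
```

Note that the window check and the createdAt check are complementary: the window bounds how old a message may be, the createdAt comparison decides whether a still-fresh termination refers to the connection that currently exists.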
Follower URL Integrity
CreateConnection requires the followee to verify that followerUrl belongs to followerAddress. This prevents directing replication notification traffic to arbitrary endpoints.
Replication Idempotency
Replication notifications are not time-windowed. Duplicates are instead detected by content-addressed deduplication: a notification is ignored when the tuple (contentHash, publisherAddress, timestamp) has already been seen, so re-sending the same notification any number of times has no further effect.
Content Integrity
contentHash in StatementOfSource is a SHA-256 commitment to the exact bytes of the Content Unit. Followers MUST fetch the content, recompute SHA-256 over the fetched bytes, and discard the content if the digest does not match contentHash.
Profile Update Ordering
NodeProfileUpdate.timestamp must be strictly increasing per node. Peers MUST reject updates whose timestamp is ≤ their current updatedAt; because equality is also rejected, a replayed copy of the latest update is dropped as well.
URL Change Verification
When a NodeProfileUpdate carries a new url, the receiver MUST verify, independently of the signed message, that the new URL belongs to the same owner before accepting it. Otherwise a signed update could point a node's peers at an arbitrary endpoint, the same hazard that the followerUrl check guards against for connections.
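An added example of applying a NodeProfileUpdate with both rules above (monotonic timestamp, back-verification of a changed url). It is illustrative code, not the EWP project's own. It assumes ecrecover has already run and produced `recoveredSigner`, and it injects a `lookupOwner(url)` function that stands in for the back-verification fetch and returns the owner address advertised at that URL (or null); the spec requires the check but does not fix its mechanism, so that function, the in-memory directory behind it and the `displayName`-free state shape are assumptions of this example.

```javascript
// Added example, not EWP project code. ASSUMPTIONS: `recoveredSigner` is the
// address ecrecover produced; `lookupOwner(url)` performs the back-verification
// and returns the owner address advertised at `url`, or null if unreachable.

function applyProfileUpdate(state, update, recoveredSigner, lookupOwner) {
  // Signer binding: only the node owner may update the profile.
  if (recoveredSigner.toLowerCase() !== state.owner.toLowerCase()) {
    return { ok: false, reason: 'signer is not the node owner', state };
  }
  // Monotonic ordering: timestamp <= updatedAt is rejected, which also drops
  // a replayed copy of the most recent update.
  if (!(update.timestamp > state.updatedAt)) {
    return { ok: false, reason: 'stale or duplicate update', state };
  }
  let url = state.url;
  if (typeof update.url === 'string' && update.url !== state.url) {
    // Back-verification: the new URL must itself advertise the same owner.
    const advertised = lookupOwner(update.url);
    if (!advertised || advertised.toLowerCase() !== state.owner.toLowerCase()) {
      return { ok: false, reason: 'new url not owned by node owner', state };
    }
    url = update.url;
  }
  // Other profile fields carried by the update would be copied through here
  // the same way; only url and updatedAt are modelled in this example.
  const next = { ...state, url, updatedAt: update.timestamp };
  return { ok: true, reason: 'applied', state: next };
}

// Constructed in-memory directory standing in for fetching each URL's profile.
const SAMPLE_DIRECTORY = {
  'https://node-a.example': '0xAaAa',
  'https://node-a-new.example': '0xAaAa',
  'https://evil.example': '0xEeEe',
};
function lookupOwnerFromSample(url) {
  return Object.prototype.hasOwnProperty.call(SAMPLE_DIRECTORY, url)
    ? SAMPLE_DIRECTORY[url]
    : null;
}
```

Because `applyProfileUpdate` returns the unchanged `state` on rejection, a receiver can apply it as a pure state transition and persist only the result of an accepted update.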
State Isolation
A valid signature alone is insufficient for POST /ewp/publications: the publisher MUST also appear in the receiver's follow list, so a node ingests content only from publishers it has chosen to follow, however well-formed the signature.
Timestamp Trust Model
StatementOfSource.timestamp is declared by the publisher and is not validated against any external clock. Verifiers accept the publisher's declared time, so the field is a claim by the publisher about when the content was published, not evidence of when it existed; a publisher can date or backdate its own publications freely.
Threat Model
| Threat | Mitigation |
|---|---|
| Identity impersonation | Signature recovery |
| Message replay (connection ops) | ±1-hour timestamp window |
| Termination / re-follow race | createdAt check |
| Unauthorized content ingestion | Follow relationship check |
| Replication flood | Content-addressed deduplication |
| Content tampering | SHA-256 recomputation |
| Stale profile injection | Monotonic timestamps |
| URL hijacking | Back-verification of new URL |
| followerUrl redirect / DDoS amplification | followerUrl verified against followerAddress |
What EWP Does NOT Protect Against
- Private key compromise (user responsibility)
- Node operator malicious behavior
- Network-level attacks (HTTPS provides transport security)
- Rate limiting abuse (implementation responsibility)