Security Analysis

Threat Model

Security and privacy reasoning for the Passport system

This document outlines the primary threats the system is designed to mitigate and the mechanisms employed to address each threat vector.

Threat Analysis

Threat 1

Forgery

Attacker creates fake passports or events to misrepresent assets.

Mitigations

  • Cryptographic signatures on all events
  • Verifier allowlist with key management
  • Hash anchoring for immutable attributes
  • Audit trails detect anomalies

Threat 2

PII Leakage

Personal information about owners/custodians is exposed through passport data.

Mitigations

  • Reference-only storage (no names, addresses)
  • Human identity (GardenID) is separate from asset data
  • Consent-gated access for all viewers
  • Minimal data collection by design

Threat 3

Unauthorized Access

Attacker gains access to passport data without consent.

Mitigations

  • Session-based authentication via GardenID
  • Time-limited access tokens
  • Consent revocation at any time
  • Scope-limited access grants
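The four mitigations above describe one object: an access grant that is minted only on the owner's consent, bound to the GardenID session that asked for it, limited to named scopes on one passport, expires on its own and can be withdrawn early. The following is an added example written for this page, not the Passport system's own code. The token layout (base64 JSON claims plus an HMAC tag), the server key, the `pp:` reference format, the `sess-` session ids and the `read:custody` scope name are all assumptions of the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed server-side secret for this example only; a deployment would load it from a KMS.
SERVER_KEY = b"example-only-key-do-not-use"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class ConsentGrants:
    """Consent-gated access: each token is bound to a GardenID session, one
    passport reference, an explicit scope list and an expiry, and the grant
    it represents can be revoked at any time."""

    def __init__(self, key: bytes = SERVER_KEY):
        self._key = key
        self._revoked = set()                 # grant ids withdrawn by the owner

    def _mac(self, body: bytes) -> bytes:
        return hmac.new(self._key, body, hashlib.sha256).digest()

    def grant(self, session_id: str, passport_ref: str, scopes, ttl_seconds: int, now=None) -> str:
        """Owner consents: mint a short-lived token for exactly these scopes."""
        issued = int(now if now is not None else time.time())
        claims = {
            "gid": secrets.token_hex(8),      # grant id, the handle used for revocation
            "sid": session_id,                # GardenID session the grant belongs to
            "ref": passport_ref,              # opaque passport reference, never owner PII
            "scp": sorted(set(scopes)),
            "iat": issued,
            "exp": issued + int(ttl_seconds),
        }
        body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
        return _b64(body) + "." + _b64(self._mac(body))

    def _claims(self, token: str):
        """Return the claims if the token is well formed and its MAC verifies, else None."""
        try:
            body_b64, mac_b64 = token.split(".", 1)
            body, mac = _unb64(body_b64), _unb64(mac_b64)
        except ValueError:                    # binascii.Error is a ValueError
            return None
        if not hmac.compare_digest(self._mac(body), mac):
            return None
        return json.loads(body)

    def revoke(self, token: str) -> None:
        """Consent withdrawn: the grant id is blocklisted for the rest of its lifetime."""
        claims = self._claims(token)
        if claims is not None:
            self._revoked.add(claims["gid"])

    def check(self, token: str, session_id: str, passport_ref: str, scope: str, now=None) -> str:
        """Authorize one read; return 'ok' or the reason access is denied."""
        claims = self._claims(token)
        if claims is None:
            return "bad-signature"
        ts = int(now if now is not None else time.time())
        if ts >= claims["exp"]:
            return "expired"
        if claims["gid"] in self._revoked:
            return "revoked"
        if claims["sid"] != session_id:       # a token is only valid inside its own session
            return "wrong-session"
        if claims["ref"] != passport_ref:
            return "wrong-passport"
        if scope not in claims["scp"]:
            return "out-of-scope"
        return "ok"


if __name__ == "__main__":
    grants = ConsentGrants()
    token = grants.grant("sess-1", "pp:001", ["read:custody"], ttl_seconds=300)
    print(grants.check(token, "sess-1", "pp:001", "read:custody"))   # ok
    grants.revoke(token)
    print(grants.check(token, "sess-1", "pp:001", "read:custody"))   # revoked
```

The revocation set only has to remember grant ids until their `exp` passes, so it stays bounded by the token lifetime; that is the practical reason the tokens are short-lived rather than long-lived and revocable. A token copied out of one GardenID session fails with `wrong-session` in any other, and a token for one passport never authorizes a read on a different reference or a scope it was not granted.
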

Threat 4

Replay Attacks

Attacker reuses old signatures or access tokens.

Mitigations

  • Timestamp validation on all events
  • Nonce-based signature schemes
  • Short-lived access tokens
  • Event sequence validation

Threat 5

History Manipulation

Attacker attempts to modify or delete past events.

Mitigations

  • Append-only data structure
  • Hash chaining between events
  • Distributed audit logs
  • Cryptographic proofs of existence
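Threats 1, 4 and 5 are addressed by one structure: every event is signed by an allowlisted verifier, carries a nonce, a timestamp and a sequence number, and hashes the event before it, so the log can only grow and any edit or reordering breaks a signature or a link. The example below, added for this page and not the project's own code, implements that event log with all of those checks on one `append` path and an `audit` that re-walks the stored chain. It uses HMAC-SHA256 with a per-verifier shared key as a stand-in for the page's signature scheme; with a MAC, whoever can verify can also forge, so a deployment would use a public-key scheme such as Ed25519 and keep only public keys in the allowlist. The field names, the `pp:` reference format and the 300-second skew window are assumptions of the example.

```python
import hashlib
import hmac
import json
import secrets

GENESIS = "0" * 64      # prev-hash of the first event on a passport
MAX_SKEW = 300          # seconds of clock skew tolerated on event timestamps (assumed)
SIGNED_FIELDS = ("ref", "seq", "prev", "ts", "nonce", "verifier", "kind", "attrs_hash")


def canonical(obj) -> bytes:
    """Deterministic encoding so signer and verifier hash the same bytes."""
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def sign(key: bytes, msg: bytes) -> str:
    # HMAC-SHA256 stands in for a public-key signature in this example; see the lead-in.
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify(key: bytes, msg: bytes, sig) -> bool:
    return isinstance(sig, str) and hmac.compare_digest(sign(key, msg).encode(), sig.encode())


def event_hash(body: dict, sig: str) -> str:
    """Hash over the signed event; the next event's 'prev' must equal it."""
    return hashlib.sha256(canonical({**body, "sig": sig})).hexdigest()


class PassportLog:
    """Append-only, hash-chained event log for one passport."""

    def __init__(self, passport_ref: str, allowlist: dict):
        self.ref = passport_ref
        self.allowlist = dict(allowlist)   # verifier id -> verification key
        self.events = []
        self.seen_nonces = set()

    def head(self) -> str:
        """Current chain head; publishing it to an external log is the proof of existence."""
        return self.events[-1]["hash"] if self.events else GENESIS

    def make_event(self, verifier_id, key, kind, attrs, ts, nonce=None) -> dict:
        """Verifier side: build the next event, chained to the current head, and sign it."""
        body = {
            "ref": self.ref,
            "seq": len(self.events),
            "prev": self.head(),
            "ts": int(ts),
            "nonce": nonce or secrets.token_hex(16),
            "verifier": verifier_id,
            "kind": kind,
            # immutable attributes are anchored by hash; the raw values stay with the verifier
            "attrs_hash": hashlib.sha256(canonical(attrs)).hexdigest(),
        }
        sig = sign(key, canonical(body))
        return {**body, "sig": sig, "hash": event_hash(body, sig)}

    def append(self, event: dict, now) -> str:
        """Validate an incoming event; return 'ok' or the reason it was rejected."""
        if any(k not in event for k in SIGNED_FIELDS + ("sig", "hash")):
            return "malformed"
        body = {k: v for k, v in event.items() if k not in ("sig", "hash")}
        key = self.allowlist.get(event["verifier"])
        if key is None:                                        # forgery: verifier not allowlisted
            return "unknown-verifier"
        if not verify(key, canonical(body), event["sig"]):    # forgery: altered or unsigned
            return "bad-signature"
        if event["hash"] != event_hash(body, event["sig"]):
            return "bad-hash"
        if event["ref"] != self.ref:
            return "wrong-passport"
        if event["nonce"] in self.seen_nonces:                 # replay of an accepted event
            return "replayed-nonce"
        if event["seq"] != len(self.events) or event["prev"] != self.head():
            return "broken-chain"                              # out of order or forked history
        if abs(int(now) - int(event["ts"])) > MAX_SKEW:        # stale or future-dated
            return "bad-timestamp"
        self.seen_nonces.add(event["nonce"])
        self.events.append(event)
        return "ok"

    def attributes_match(self, index: int, attrs: dict) -> bool:
        """Hash anchoring: accept a claimed attribute set only if it hashes to the anchor."""
        expected = hashlib.sha256(canonical(attrs)).hexdigest()
        return hmac.compare_digest(self.events[index]["attrs_hash"].encode(), expected.encode())

    def audit(self) -> int:
        """Re-verify the stored chain; -1 if intact, else the index of the first bad event."""
        prev = GENESIS
        for i, ev in enumerate(self.events):
            body = {k: v for k, v in ev.items() if k not in ("sig", "hash")}
            key = self.allowlist.get(ev.get("verifier"))
            if (key is None or ev.get("seq") != i or ev.get("prev") != prev
                    or not verify(key, canonical(body), ev.get("sig"))
                    or ev.get("hash") != event_hash(body, ev["sig"])):
                return i
            prev = ev["hash"]
        return -1
```

Note what the chain does and does not catch. Changing a field of a stored event breaks its signature, deleting an event from the middle breaks the next event's `seq` and `prev`, and `audit` reports the first bad index in either case. Truncating the log at the tail, however, leaves a valid shorter chain, which is why the head hash is what gets published to the distributed audit logs the page lists: a witness that recorded a later head can prove the truncation, and the same published head is the proof of existence for every event beneath it.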

Never Store

The following data types must never be stored on any passport or in any event:

  • Full names of individuals
  • Physical addresses
  • Email addresses or phone numbers
  • Government ID numbers
  • Financial account details
  • Biometric data
  • IP addresses or device fingerprints
  • Unencrypted location data

Zero Tolerance Policy

Any system component that attempts to store prohibited data types must be rejected at the validation layer. There are no exceptions to this policy.
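The rejection the policy demands can be a single gate that every write to a passport or event passes through. The example below is added for this page and is not the project's validator; the field-name list, the value patterns and the `ProhibitedDataError` name are assumptions. It rejects by field name first, which is the reliable signal, and then scans string values for the shapes that can be recognised by pattern: e-mail addresses, E.164 and North American phone numbers, IPv4 addresses, US-style SSNs, IBANs, decimal coordinate pairs and Luhn-valid card numbers.

```python
import re

# Field names rejected outright (compared after lowercasing and stripping non-letters). Assumed list.
PROHIBITED_KEYS = {
    "fullname", "firstname", "lastname", "ownername", "custodianname",
    "address", "streetaddress", "postaladdress", "email", "emailaddress",
    "phone", "phonenumber", "ssn", "nationalid", "passportnumber", "governmentid",
    "iban", "accountnumber", "cardnumber", "biometric", "fingerprint", "faceid",
    "ip", "ipaddress", "clientip", "deviceid", "devicefingerprint", "useragent",
    "latitude", "longitude", "gps", "geolocation",
}

# Value shapes that can be recognised by pattern; everything else relies on the key rule above.
VALUE_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "phone": re.compile(r"(?<!\w)(?:\+\d{7,15}|\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4})(?!\w)"),
    "ipv4": re.compile(r"(?<!\d)(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}(?!\d)"),
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
    "coordinates": re.compile(r"(?<![\d.-])-?\d{1,2}\.\d{3,}\s*,\s*-?\d{1,3}\.\d{3,}(?![\d.])"),
}
CARD_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


class ProhibitedDataError(ValueError):
    """Raised by the validation layer; carries (path, reason) pairs."""


def _normalize_key(key) -> str:
    return re.sub(r"[^a-z]", "", str(key).lower())


def _luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from other long digit runs (serials, counters)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan(obj, path: str = "") -> list:
    """Walk a passport or event payload; return [(path, reason), ...] for every prohibited item."""
    findings = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            child = f"{path}.{k}" if path else str(k)
            if _normalize_key(k) in PROHIBITED_KEYS:
                findings.append((child, "prohibited-field"))
                continue                      # rejected by name; the value is not scanned
            findings.extend(scan(v, child))
    elif isinstance(obj, (list, tuple)):
        for i, v in enumerate(obj):
            findings.extend(scan(v, f"{path}[{i}]"))
    elif isinstance(obj, str):
        for reason, pattern in VALUE_PATTERNS.items():
            if pattern.search(obj):
                findings.append((path, reason))
        for m in CARD_RUN.finditer(obj):
            if _luhn_ok(re.sub(r"\D", "", m.group())):
                findings.append((path, "card-number"))
                break
    return findings


def validate(obj):
    """Validation-layer gate: return the payload unchanged or refuse it. No exceptions to the policy."""
    findings = scan(obj)
    if findings:
        raise ProhibitedDataError(findings)
    return obj


if __name__ == "__main__":
    # Constructed event the gate must refuse: the custodian is referenced by GardenID,
    # which is allowed, but a free-text note leaks a phone number.
    event = {"ref": "pp:001", "custodian_ref": "gid:7f3a9c", "notes": "call +14155550123"}
    print(scan(event))    # [('notes', 'phone')]
```

The patterns are a backstop, not the policy. Biometric data and most government ID formats have no recognisable shape, and a version string such as 1.2.3.4 will trip the IPv4 check, so the key rule is the one to make strict. Pair the scanner with a schema that allowlists the fields a passport or event may carry, so that unknown keys are refused before any value reaches the pattern scan, and run the gate on the write path itself rather than as a later audit.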

Defense in Depth

The Passport system employs multiple overlapping security layers:

Layer 1: Access Control

  • Session-based authentication (GardenID)
  • Explicit consent for all data access
  • Time-limited, scope-limited tokens

Layer 2: Data Integrity

  • Cryptographic signatures on events
  • Hash anchoring for attributes
  • Append-only data structures

Layer 3: Operational Security

  • Verifier allowlist management
  • Role-based authorization
  • Immutable audit logs

Layer 4: Privacy by Design

  • Reference-only custody storage
  • Human identity separation
  • Minimal data collection

Incident Response

Security Contacts

Security issues should be reported to the designated security team. The system supports emergency revocation and flagging procedures for compromised passports or verifier nodes.