every-channel/every.channel
1
0
Fork 0
Code Releases Activity Actions 2

every.channel: sanitized baseline

Browse source
This commit is contained in:
every.channel 2026-02-15 16:17:27 -05:00
commit 897e556bea
No known key found for this signature in database
258 changed files with 74298 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

33
evolution/proposals/ECP-0011-stream-encryption.md Normal file
View file

@ -0,0 +1,33 @@
# ECP-0011: stream encryption keys
Status: Draft
## Problem
We need a consistent encryption model so streams can be protected in transit while remaining discoverable by stream id.
## Decision
Derive a symmetric stream key deterministically from the stream id, with an optional network secret:
- `stream_key = BLAKE3-derive("every.channel stream key v1", network_secret || 0x00 || stream_id)`
- If `network_secret` is absent, the key is public and provides obfuscation only.
- If `network_secret` is present, the stream is private to holders of the secret.
Encryption will be applied at the object layer (MoQ objects), not at the transport layer. This allows relays to store and forward encrypted objects without visibility.
## Consequences
- Streams can be encrypted deterministically without coordination.
- Private swarms can be created by sharing a network secret.
## Alternatives considered
- Per-session negotiated keys: rejected because it prevents deterministic convergence.
- PKI per stream: deferred due to operational complexity.
## Rollout / teardown
- Add key derivation helper in `ec-crypto`.
- Implement object-layer encryption in the MoQ publisher.
- Add configuration for network secret.