every-channel/every.channel
1
0
Fork 0
Code Releases Activity Actions 2
every.channel/evolution/proposals/ECP-0024-zktls-manifest-provenance.md
every.channel 897e556bea
every.channel: sanitized baseline
2026-02-15 16:17:27 -05:00

55 lines
1.9 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# ECP-0024: zkTLS provenance proofs for HTTPS-derived manifests
Status: Draft
## Problem / context
We want optional provenance for manifests derived from HTTPS origins (e.g. HLS), without relying on the origin to sign our data. zkTLS can prove that a manifest was derived from a TLS session to a given origin, while keeping the session private.
## Decision
Add an optional zkTLS attestation per epoch:
- Produce a zkTLS proof that the manifests chunk hashes (or their Merkle root) were derived from bytes fetched over HTTPS from a specific origin.
- Attach the proof metadata to the manifest as provenance, without replacing our own signatures.
## Details
### Provenance model
- zkTLS is used **once per epoch** and applies to a specific manifest body.
- The proof binds:
- HTTPS origin hostname
- time window / epoch id
- manifest_id (or merkle_root)
- The manifest remains signed by local identities; zkTLS does **not** replace signing.
### Data placement
- Manifest `metadata` includes a provenance entry, e.g.:
- `provenance.zktls.origin = https://example.com`
- `provenance.zktls.proof_ref = <hash-or-uri>`
- `provenance.zktls.scope = merkle_root|manifest_id`
### Verification
- Clients may ignore zkTLS (default) or require it for certain origins.
- Verification is a policy decision, not a consensus rule.
## Alternatives considered
- TLS handshake signatures for data integrity: rejected (TLS does not sign application bytes).
- Forcing all origins to sign manifests: rejected (not feasible for public broadcasters).
## Rollout / teardown plan
1. Define provenance metadata fields in `ec-core`.
2. Add a proof attachment path in the ingest pipeline.
3. Integrate a zkTLS provider behind a feature flag.
Teardown: omit provenance metadata and continue using signed manifests.
## Open questions
- Which zkTLS system to integrate first (TLSNotary-style, zkTLS SDK, or custom)?
- Should provenance be per-epoch only, or per-manifest revision?
View git blame Copy permalink