
Zeq SSL

Symmetric, Zeqond-synchronised credentials. Every machine is its own CA.

Zeq-SSL replaces X.509 + ACME + TLS 1.3 with an all-symmetric, chain-resident credential scheme. Identity is an equation-hash row. The handshake is a 1-RTT HMAC derivation keyed by (local_credential_secret, peer_pubkey_seed, zeqond_number, nonces). No asymmetric key agreement. No certificate-chain walk. No external trust root.

When to use this

| Use case | Mode | Notes |
|---|---|---|
| Agent ↔ agent over a private network | A | Both sides share a ZSC vault |
| Server ↔ server within one deployment | A | Same DATABASE_URL → same vault |
| Cross-deployment peer with prior pairing | B | Run the first-touch ceremony once |
| Browser ↔ server | (via bridge) | Use /apps/zeq-ssl-bridge/ — HTTPS outer |
| Anonymous client to public server | n/a | Use plain HTTPS; Zeq-SSL is identified |

What's in this section

Why this exists

The post-quantum migration roadmap for asymmetric crypto is uncertain. Symmetric primitives (AES-256-GCM, HMAC-SHA256, SHA-256) are Grover-resistant: Grover's search only halves the effective key length, so a 256-bit key retains roughly 2^128 security against quantum cryptanalysis. Zeq-SSL gives up first-touch identity (strangers genuinely need asymmetric crypto for that) in exchange for being PQ-safe by construction between any two machines that have ever exchanged a credential.

Zeq-SSL is post-quantum at the application layer for any two machines that have ever shared a credential. The outer transport's quantum posture is whatever that transport provides on its own; Zeq-SSL does not change it.

Locked Phase-2 constants

| Constant | Value | Notes |
|---|---|---|
| Grace window after rotation | 128 Zeqonds (~99.5 s) | Both old and new accepted |
| Clock-skew tolerance | ±2 Zeqonds (~1.55 s) | Wider than singleton timeout (3 Z) |
| Record-layer rekey | every 1 Zeqond | Forward secrecy on the HulyaPulse |
| Cipher suite (v1) | ZEQ-SSL-AES256-GCM-HMAC-SHA256-V1 | Single enum |
| Native listener port | :3009 | Mode 1 native |
| Browser bridge port | :3010 | Mode 2 hybrid |
| Tally cost (issue / rotate) | 1 ZEQ each | Verification free |
| Audit-on-handshake default | enabled | Per-credential opt-out flag |
| Mode availability | A and B | Both ship in Phase 2 |
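The sketch below is an added illustration, not Zeq-SSL's own code, of how the 1-RTT HMAC derivation described at the top of the page interacts with the ±2 Zeqond skew tolerance and the 128 Zeqond rotation grace window from the table. The byte layout of the derivation, the "finished" label, the vault dictionary and every sample value are assumptions; both nonces are taken to have been exchanged in the clear during the single round trip.

```python
import hmac
import hashlib

# Values taken from the Phase-2 constants table on the page.
SKEW_TOLERANCE_Z = 2
GRACE_WINDOW_Z = 128
SUITE = b"ZEQ-SSL-AES256-GCM-HMAC-SHA256-V1"


def derive_session_key(credential_secret: bytes, peer_seed: bytes, zeqond: int,
                       nonce_i: bytes, nonce_r: bytes) -> bytes:
    # Assumed layout: one HMAC-SHA256 over the suite label and the page's four inputs.
    msg = b"|".join([SUITE, peer_seed, zeqond.to_bytes(8, "big"), nonce_i, nonce_r])
    return hmac.new(credential_secret, msg, hashlib.sha256).digest()


def finished_tag(session_key: bytes) -> bytes:
    # Proof of key possession sent on the wire; the label is an assumption.
    return hmac.new(session_key, b"zeq-ssl finished", hashlib.sha256).digest()


def responder_accept(vault: dict, peer_seed: bytes, peer_zeqond: int,
                     nonce_i: bytes, nonce_r: bytes, tag: bytes, local_zeqond: int):
    """Enforce the skew window, then try the current secret and, while the
    rotation grace window is open, the previous one. Returns the key or None."""
    if abs(local_zeqond - peer_zeqond) > SKEW_TOLERANCE_Z:
        return None
    candidates = [vault["current"]]
    previous = vault.get("previous")
    if previous is not None and local_zeqond - vault["rotated_at"] <= GRACE_WINDOW_Z:
        candidates.append(previous)
    for secret in candidates:
        key = derive_session_key(secret, peer_seed, peer_zeqond, nonce_i, nonce_r)
        if hmac.compare_digest(finished_tag(key), tag):
            return key
    return None


# Constructed sample values (not from the page).
OLD_SECRET = b"\x11" * 32
NEW_SECRET = b"\x22" * 32
PEER_SEED = b"peer-seed-example"
NONCE_I = b"\xaa" * 16
NONCE_R = b"\xbb" * 16


def run_scenario(initiator_secret: bytes, initiator_z: int, vault: dict, responder_z: int) -> bool:
    """Full exchange: the initiator derives and tags, the responder verifies."""
    key_i = derive_session_key(initiator_secret, PEER_SEED, initiator_z, NONCE_I, NONCE_R)
    key_r = responder_accept(vault, PEER_SEED, initiator_z, NONCE_I, NONCE_R,
                             finished_tag(key_i), responder_z)
    return key_r is not None and hmac.compare_digest(key_i, key_r)
```

With a vault rotated at Zeqond 1000, an initiator still on the old secret is accepted at Zeqond 1100 (inside the grace window) but refused at 1200, and any peer whose Zeqond differs from the responder's by more than 2 is refused before a single HMAC is checked.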