Zeq SSL
Symmetric, Zeqond-synchronised credentials. Every machine is its own CA.
Zeq-SSL replaces X.509 + ACME + TLS 1.3 with an all-symmetric, chain-resident
credential scheme. Identity is an equation-hash row. The handshake is a 1-RTT
HMAC derivation keyed by (local_credential_secret, peer_pubkey_seed, zeqond_number, nonces). No asymmetric key agreement. No certificate-chain
walk. No external trust root.
When to use this
| Use case | Mode | Notes |
|---|---|---|
| Agent ↔ agent over a private network | A | Both sides share a ZSC vault |
| Server ↔ server within one deployment | A | Same DATABASE_URL → same vault |
| Cross-deployment peer with prior pairing | B | Run the first-touch ceremony once |
| Browser ↔ server | (via bridge) | Use /apps/zeq-ssl-bridge/ — HTTPS outer |
| Anonymous client to public server | n/a | Use plain HTTPS; Zeq-SSL requires identified peers |
What's in this section
- Quickstart — issue a credential, run a server.
- API reference — every endpoint and SDK call.
- Wire protocol — handshake frames, canonical JSON, parity.
- Bridge — browser-compatible HTTPS-terminating proxy.
- Trust graph — web-of-trust resolution rules.
Why this exists
The post-quantum migration roadmap for asymmetric crypto is uncertain. Symmetric primitives (AES-256-GCM, HMAC-SHA256, SHA-256) are Grover-resistant, with an effective 2^128 security level against quantum cryptanalysis. Zeq-SSL gives up first-touch identity (which strangers genuinely need asymmetric crypto for) in exchange for being PQ-safe by construction between any two machines that have ever exchanged a credential.
Zeq-SSL is post-quantum at the application layer for any two machines that have ever shared a credential. The outer transport's quantum posture is whatever the outer transport is.
Locked Phase-2 constants
| Constant | Value | Notes |
|---|---|---|
| Grace window after rotation | 128 Zeqonds (~99.5 s) | Both old and new accepted |
| Clock-skew tolerance | ±2 Zeqonds (~1.55 s) | Wider than singleton timeout (3 Z) |
| Record-layer rekey | every 1 Zeqond | Forward secrecy on the HulyaPulse |
| Cipher suite (v1) | ZEQ-SSL-AES256-GCM-HMAC-SHA256-V1 | Single enum |
| Native listener port | :3009 | Mode 1 native |
| Browser bridge port | :3010 | Mode 2 hybrid |
| Tally cost (issue / rotate) | 1 ZEQ each | Verification free |
| Audit-on-handshake default | enabled | Per-credential opt-out flag |
| Mode availability | A and B | Both ship in Phase 2 |
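
The following is an added example, not Zeq-SSL's own code or wire format. It shows how a verifier could apply the ±2 Zeqond skew tolerance and the 128-Zeqond grace window from the table above to an HMAC-SHA256 handshake tag. The field layout, the function names, the inclusive grace boundary, and the verifier reading the sender's secret from a shared Mode A vault are all assumptions.

```python
import hashlib
import hmac

SKEW_ZEQONDS = 2     # clock-skew tolerance (constants table)
GRACE_ZEQONDS = 128  # grace window after rotation (constants table)
SUITE = b"ZEQ-SSL-AES256-GCM-HMAC-SHA256-V1"


def _field(value: bytes) -> bytes:
    # Length-prefix every field so the MAC input cannot be re-split ambiguously.
    return len(value).to_bytes(4, "big") + value


def derive_tag(secret, peer_seed, zeqond, nonce_c, nonce_s) -> bytes:
    # Assumed layout: HMAC-SHA256 keyed by the credential secret over the
    # other handshake inputs the page lists. Not the real wire format.
    parts = (SUITE, peer_seed, zeqond.to_bytes(8, "big"), nonce_c, nonce_s)
    return hmac.new(secret, b"".join(map(_field, parts)), hashlib.sha256).digest()


def verify(tag, claimed_zeqond, local_zeqond, peer_seed, nonce_c, nonce_s,
           current_secret, previous_secret=None, rotated_at=None) -> bool:
    # Drop frames outside the +/-2 Zeqond skew window before any key is used.
    if abs(claimed_zeqond - local_zeqond) > SKEW_ZEQONDS:
        return False
    candidates = [current_secret]
    # The rotated-out secret counts only inside the grace window
    # (boundary treated as inclusive here, which is an assumption).
    if previous_secret is not None and rotated_at is not None:
        if 0 <= local_zeqond - rotated_at <= GRACE_ZEQONDS:
            candidates.append(previous_secret)
    ok = False
    for secret in candidates:  # check every candidate, no early exit
        expected = derive_tag(secret, peer_seed, claimed_zeqond, nonce_c, nonce_s)
        ok |= hmac.compare_digest(expected, tag)
    return ok


def demo():
    # Constructed sample values, not real credentials. Rotation at Zeqond 1000.
    old, new, seed = b"old-secret" * 3, b"new-secret" * 3, b"peer-seed"
    nc, ns = b"client-nonce-01", b"server-nonce-01"

    def attempt(claimed, local):  # sender still uses the rotated-out secret
        tag = derive_tag(old, seed, claimed, nc, ns)
        return verify(tag, claimed, local, seed, nc, ns, new, old, rotated_at=1000)
    return {"in_grace": attempt(1100, 1101), "skewed": attempt(1100, 1103),
            "past_grace": attempt(1129, 1129)}
```

A tag made with the rotated-out secret is accepted until 128 Zeqonds after rotation and rejected from Zeqond 129 onward, and any claimed Zeqond more than 2 away from the local count is rejected before a MAC is computed.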