Architecture
How the four pillars of Trinity work together to provide sovereign identity management.
System Overview
Trinity follows a "Sovereign Core" philosophy. The Root of Trust is always offline, and every component assumes the network is hostile. The architecture separates concerns cleanly across four independently deployable components.
The Four Pillars
| Component | Type | Tech Stack | Role |
|---|---|---|---|
| Authority | CLI | Go | Offline Root CA — key generation, signing, revocation, CRL management |
| Passport | Desktop App | Go + Wails | Identity vault — local key storage, CSR generation, certificate lifecycle |
| Spirit | Edge Worker | TypeScript | Zero-trust relay — stores encrypted CSRs on Cloudflare's edge |
| Connect | Server | Go + SQLite | Self-hosted hub — runs on any Linux machine for on-premise deployments |
Data Flow
Certificate Request Flow
- Passport generates a key pair locally and creates a CSR.
- The CSR is submitted to Spirit (or Connect) via HTTPS with a Bearer enrollment token.
- For Blind Drops: the CSR is encrypted with the Authority's Kyber-1024 public key before submission.
- The Admin pulls pending requests from Spirit/Connect to the Authority (air-gapped machine).
- Authority decrypts (if Blind Drop), reviews, and signs the CSR.
- The signed certificate is pushed back to Spirit/Connect.
- Passport polls for the signed certificate and imports it.
Trust Boundaries
| Boundary | Trust Level | Data Visible |
|---|---|---|
| Passport ↔ Spirit | Zero Trust | Encrypted blobs only (Spirit cannot read CSRs) |
| Spirit ↔ Authority | Air-Gap | Encrypted files transferred manually |
| Authority (internal) | Full Trust | Decrypted CSRs, private keys (passphrase protected) |
Security Layers
Layer 1: Transport Security
Standard TLS (HTTPS) between Passport and Spirit/Connect. Trinity treats this as insufficient — it's a baseline, not a guarantee.
Layer 2: Application-Level Encryption
The Trinity Protocol adds a second encryption layer using Kyber-1024 (post-quantum KEM) + AES-256-GCM. Even if TLS is compromised, the payloads remain encrypted.
Layer 3: Air-Gap Isolation
Root CA keys exist only on the Authority machine, which is never connected to any network. Signing happens offline, and only encrypted artifacts move between systems.
Cryptographic Primitives
| Purpose | Algorithm | Library |
|---|---|---|
| CA Signing | Ed25519 | Go stdlib |
| Key Exchange | Kyber-1024 (ML-KEM) | cloudflare/circl |
| Transport Encryption | AES-256-GCM | Go stdlib |
| Key Derivation | Blake2b-256 | golang.org/x/crypto |
| Vault Encryption | XChaCha20-Poly1305 | golang.org/x/crypto |
| Password Hashing | Argon2id | golang.org/x/crypto |
Deployment Topologies
Minimal (Individual / Small Team)
- Authority on a USB drive or air-gapped laptop.
- Passport installed on each developer's machine.
- CSRs exchanged via email ("Mailroom" workflow). No server needed.
Standard (Team / Organization)
- Authority on an air-gapped machine.
- Spirit deployed on Cloudflare Workers (free tier).
- Passport connects to Spirit for automated CSR submission.
Enterprise (On-Premise)
- Authority on a dedicated HSM or secure workstation.
- Connect self-hosted on an internal server.
- Passport distributed via MDM with custom branding.