Federated Authorization Architecture
KIFP defines a formal protocol for identity-bound transaction authorization across sovereign jurisdictions. The architecture is designed so that biometric data never enters the protocol, authorization credentials expire within seconds, and every sovereign participant operates independent national infrastructure under their own authority.
Federation Architecture Overview
Core Primitives
KIFP defines three cryptographic primitives:
Federated Identity Key (FIK)
A persistent identity anchor issued by the Root Authority of the enrolling jurisdiction. The FIK links a verified identity to a cryptographic key pair without containing or referencing biometric data. It establishes that an individual has been verified. It does not identify the individual by name, biometric, or any personally identifiable attribute.
Retailer-Scoped Authorization Token (RSAT)
A single-transaction authorization credential with a maximum lifetime of 120 seconds. Each RSAT uses a fresh ephemeral key pair — generated for that transaction and destroyed immediately after use. Compromise of one RSAT affects exactly one transaction. There is no master key at the edge.
Federated Identity Assertion (FIA)
A cross-jurisdictional authorization credential with a maximum lifetime of 60 seconds. FIAs enable an individual enrolled in one jurisdiction to transact in another under a bilateral federation agreement. FIAs are non-linkable by design — they cannot be used to track an individual across transactions or jurisdictions.
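The following added example is not KIFP or KeyIdentity code. It shows how a receiving verifier could enforce the 120-second RSAT and 60-second FIA lifetime caps and RSAT single-use locally, rather than trusting the expiry an issuer wrote into the credential. The `Credential` fields, the `LifetimeVerifier` class and the result strings are hypothetical, and signature verification is assumed to have succeeded before this check runs.

```python
import time
from dataclasses import dataclass

MAX_LIFETIME = {"RSAT": 120.0, "FIA": 60.0}  # seconds, caps stated on this page
SINGLE_USE = {"RSAT"}  # the page describes the RSAT as single-transaction


@dataclass(frozen=True)
class Credential:  # hypothetical field layout, not the KIFP wire format
    kind: str
    token_id: str  # assumed unique per issued credential
    issued_at: float  # Unix seconds
    expires_at: float


class LifetimeVerifier:
    """Policy checks applied after the signature has been verified (assumed)."""

    def __init__(self, clock=time.time, skew=0.0):
        self._clock = clock
        self._skew = skew  # tolerated issuer/verifier clock difference
        self._used = {}  # token_id -> expires_at

    def check(self, cred):
        now = self._clock()
        cap = MAX_LIFETIME.get(cred.kind)
        if cap is None:
            return "reject: unknown credential type"
        if cred.expires_at <= cred.issued_at:
            return "reject: malformed validity window"
        # Enforce the cap locally instead of trusting the issuer's expiry.
        if cred.expires_at - cred.issued_at > cap:
            return "reject: lifetime exceeds cap"
        if cred.issued_at > now + self._skew:
            return "reject: issued in the future"
        if now >= cred.expires_at:
            return "reject: expired"
        # Expired ids can be dropped: the expiry check already rejects them.
        self._used = {t: e for t, e in self._used.items() if e > now}
        if cred.kind in SINGLE_USE:
            if cred.token_id in self._used:
                return "reject: replay"
            self._used[cred.token_id] = cred.expires_at
        return "accept"
```

Because used token ids only need to be remembered until their own expiry, the replay cache stays bounded by the number of RSATs issued in any 120-second window.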
Sovereign Nodes
Each participating jurisdiction operates a Sovereign Node — the national gateway to the KIFP federation.
A Sovereign Node:
- Authorizes all KIFP transactions within its jurisdiction
- Enforces national governance policies
- Issues identity credentials through the Root Authority
- Exchanges federation assertions with peer nodes under bilateral agreement
- Maintains revocation authority over all identities within its jurisdiction
- Operates under national custody on sovereign soil
The Sovereign Node is national infrastructure. KeyIdentity provides the protocol specification and certified software. The sovereign operates the node.
Edge Appliance Model
At the point of transaction, a certified hardware device performs biometric verification locally.
The Edge Appliance:
- Verifies the individual's face against a locally stored encrypted template
- Never transmits biometric data over any network
- Requests authorization from the Sovereign Node upon successful verification
- Destroys the transaction signing key after each use
- Self-destructs all cryptographic material if physically tampered with
No biometric data leaves the device. This is a hardware-enforced property. The biometric processing pipeline runs inside the device's secure enclave, which has no network stack. The hardware does not provide a path for biometric data to leave the device.
Trust Chain
Root Authority
  Hardware Security Module — Guardian-governed, threshold-protected
  |
  +-- Sovereign Node
  |     National gateway — sovereign-operated, policy-enforced
  |     |
  |     +-- Edge Appliance
  |     |     Local biometric verification — no data transmission
  |     |     |
  |     |     +-- RSAT — 120-second, single-transaction, ephemeral key
  |     |
  |     +-- FIA — 60-second, cross-sovereign, non-linkable
  |
  +-- Revocation authority — top-down, auditable at every level
Every element of the trust chain traces back to a hardware security module protected by threshold cryptography. The chain is hierarchical, auditable, and revocable at every level.