Self-certifying peers. Local proof. No ambient trust.

Korium

A Rust cryptographic network fabric where discovery, routing, streams, pub-sub, tunneling, and authorization all converge on the same local verifier.

identity-hex: 64 chars. BLAKE3-derived, not raw pubkey hex.
DID length: ~80 chars. Stable under future signature swaps.
grant expiry cap: <= 300s. Enforced by the verifier.
covered path: 9 hops. Forwarded QUIC and tunnel tests.
Overview

Korium is an autonomous network fabric.

Korium is valuable because it refuses to let connectivity become authority. Identity, discovery, routing, streams, pub-sub, tunneling, and authorization share one local-verifier trust model instead of being glued together by every application.

01 One security model

Identity, discovery, transport, stream admission, and L7 authorization are not glued together by each application. They share protocol-edge checks.

02 Self-certifying identity

Every peer is named by a did:korium URI derived from its public key. The public key travels in band; the verifier BLAKE3-hashes it and checks that the result matches the URI before it verifies any signature.

03 No central resolver

Verification does not depend on a DID document fetch, a CA, a SPIRE server, a key registry, or an online root. The destination checks the evidence it received.

04 Authorization after authentication

mTLS proves key possession only. A Biscuit grant still has to match the caller DID, service URN, resource, action, issuer policy, and expiry.

05 Identity-routed QUIC

Quinn runs over a Korium UDP substrate that routes by identity, observes addresses, signs probes, and forwards only bounded, encrypted QUIC traffic.

06 NAT traversal as transport

PING, PONG, PUNCH, RTT tiering, observed addresses, DHT hints, and QUIC attempts all feed the same identity-indexed routing state.

07 Production data planes

Direct QUIC, forwarded QUIC, adjacent NAT traversal, GossipSub, raw streams, request-response, and TCP tunneling are all carried by authenticated fabric paths.

08 Direct tunnel first

TCP tunnel entry tries native TLS 1.3 mTLS over TCP to the destination before falling back to encrypted QUIC TUNNEL streams over the mesh.

09 Wire bounds, not wishes

DHT values, liveness records, RPC bodies, GossipSub messages, grants, lookup expansion, tunnel concurrency, and caches all have explicit caps.

10 Auditable decisions

Verified grants return issuer, audience, service URN, action, resource, expiry, token digest, and app claims. Every decision can become a signed audit line.

11 PQ-aware identifier surface

IDs are BLAKE3-384 hashes, not raw public keys, so routing keys, logs, grants, and audit records stay compact even if signature keys become much larger.

12 Owned subsystem boundaries

Identity, authority, authz, naming, DHT, transport, fabric, GossipSub, tunnel, and node composition each own distinct invariants.

Identity

Self-certifying identity with explicit cryptographic boundaries.

A Korium peer is named by a compact did:korium URI, but the verifier never treats the URI as the key. The raw public key is carried as evidence, BLAKE3-bound to the DID, then checked before any signature or transport claim is trusted.

01 DID names the peer

did:korium gives routing, grants, logs, and audits a stable peer name.

02 Pubkey proves the DID

The certificate carries the public key; the verifier hashes and compares it locally.

03 Crypto is scoped

Ed25519 authenticates current identities while BLAKE3-384 keeps identifiers compact.

04 PQS posture is precise

Hybrid confidentiality is supported, while identity signatures remain classical and explicit.
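As an added illustration in Go (not Korium's own code), the local binding check this section describes: the DID is derived from a hash of the key, and the verifier recomputes that hash from the in-band public key before it checks any signature. Assumptions: Go's standard library has no BLAKE3, so SHA-384 stands in for BLAKE3-384 at the same 48-byte width, and the DID body is shown hex-encoded, so Korium's real encoding and DID length differ from this.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"encoding/hex"
	"errors"
	"fmt"
)

const didPrefix = "did:korium:"

// didFor names a peer by the hash of its key, never the raw key. SHA-384 stands in
// for BLAKE3-384, which Go's standard library lacks; the hex body is an assumption.
func didFor(pub []byte) string {
	sum := sha512.Sum384(pub) // same 48-byte identifier width as BLAKE3-384
	return didPrefix + hex.EncodeToString(sum[:])
}

// PeerEvidence is what arrives in band: claimed DID, raw key, and a signed message.
type PeerEvidence struct {
	DID                        string
	PubKey, Message, Signature []byte
}

// VerifyPeer recomputes the key-to-DID binding locally before it trusts the signature.
func VerifyPeer(ev PeerEvidence) error {
	if len(ev.PubKey) != ed25519.PublicKeySize {
		return errors.New("pubkey: wrong length") // ed25519.Verify panics on bad lengths
	}
	if ev.DID != didFor(ev.PubKey) {
		return errors.New("did: pubkey does not hash to DID")
	}
	if !ed25519.Verify(ed25519.PublicKey(ev.PubKey), ev.Message, ev.Signature) {
		return errors.New("signature: invalid")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	msg := []byte("PING seq=1") // constructed probe payload
	ev := PeerEvidence{DID: didFor(pub), PubKey: pub, Message: msg, Signature: ed25519.Sign(priv, msg)}
	fmt.Println("own key:", VerifyPeer(ev))
	// The same DID presented with a different key fails at the binding step, before Verify.
	pub2, priv2, _ := ed25519.GenerateKey(rand.Reader)
	ev.PubKey, ev.Signature = pub2, ed25519.Sign(priv2, msg)
	fmt.Println("other key:", VerifyPeer(ev))
}
```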

Encryption

Encrypted paths stay bound to identity.

Korium uses QUIC and TLS 1.3 mTLS for encrypted peer sessions, then carries those sessions over an identity-aware UDP substrate. Direct traffic, forwarded traffic, raw streams, pub-sub, and TCP tunnels all keep encryption separate from authority.

Session crypto: TLS 1.3 mTLS over QUIC. Peers authenticate live keys before encrypted streams are accepted.
Hybrid confidentiality: PQ-aware key exchange posture. Confidentiality can move toward hybrid PQS without turning signatures into a blanket PQ claim.
Encrypted overlay: direct QUIC and forwarded QUIC. Transit nodes can forward ciphertext after bounded relay checks, but not read it.
Tunnel fallback: native mTLS/TCP, then QUIC TUNNEL. Local TCP access can fall back to authenticated, encrypted mesh paths.

Direct QUIC

Node-to-node encrypted sessions with mTLS identity and service-scoped admission.

Forwarded QUIC

Relay paths forward bounded ciphertext after relay-token, TTL, and route checks.

TCP tunnel

Direct mTLS/TCP is tried first, then encrypted QUIC TUNNEL streams over the fabric.

Signed data planes

GossipSub, raw streams, and request-response keep signatures, replay windows, and size caps.

Authority

L4 admission and L7 rights are separate decisions.

Korium treats authentication as the beginning of authorization, not the end. L4 AuthZ decides whether a peer may open a service-bound stream. L7 AuthZ decides whether the caller may perform the requested action on the requested resource.

L4 peer proof: mTLS DID binding

The peer proves key possession and the destination binds the key to the caller DID.

L4 service authority: urn:korium:<ns>/<service>

Signed lease evidence proves which service identity an instance may serve.

L4 stream admission: caller, service, stream type

The fabric checks whether this peer can open this kind of stream to this service.

L7 invocation grant: Biscuit right(resource, action)

The application request still needs an issuer-approved, audience-bound grant.

L4 caller

The authenticated caller DID must match the peer that opened the transport stream.

L4 service

The destination service URN must be backed by current signed lease evidence.

L4 stream

Stream type, route, relay token, TTL, and bounds are checked before the payload is useful.

L7 principal

principal() and audience() must bind to the same caller DID seen at L4.

L7 scope

The grant must match service URN, issuer policy, resource, and action exactly.

L7 freshness

exp() is mandatory, must be live, and is verifier-capped at 300 seconds.
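The L7 decision described above, as an added example in Go (not Korium's Biscuit verifier): the facts a verified grant yields are modelled as a plain struct, and the checks run in the order the page lists, with exp() required, live, and capped at 300 seconds. The DIDs, URN and trusted-issuer map are constructed placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// MaxGrantTTL is the verifier-side cap on how far ahead exp() may lie (300 s on the page).
const MaxGrantTTL = 300 * time.Second

// Grant holds the facts a verified Biscuit yields; token parsing is out of scope here.
type Grant struct {
	Issuer, Principal, Audience, Service, Resource, Action string
	Exp                                                   *time.Time // nil: exp() absent
}

// L4Context is what the fabric already established before the payload is read:
// the mTLS-authenticated caller DID and the service-bound stream it opened.
type L4Context struct {
	CallerDID, Service string
}

// Authorize applies the L7 checks in order and names the first field that fails.
func Authorize(g Grant, l4 L4Context, resource, action string, trustedIssuers map[string]bool, now time.Time) error {
	switch {
	case !trustedIssuers[g.Issuer]:
		return errors.New("issuer not permitted by policy")
	case g.Principal != l4.CallerDID || g.Audience != l4.CallerDID:
		return errors.New("principal()/audience() do not bind to the L4 caller DID")
	case g.Service != l4.Service:
		return errors.New("service URN mismatch")
	case g.Resource != resource || g.Action != action:
		return errors.New("right(resource, action) mismatch")
	case g.Exp == nil:
		return errors.New("exp() is mandatory")
	case !g.Exp.After(now):
		return errors.New("grant expired")
	case g.Exp.Sub(now) > MaxGrantTTL:
		return errors.New("exp() exceeds verifier cap")
	}
	return nil
}

func main() { // constructed placeholder DIDs and URN, not real Korium identifiers
	now := time.Now()
	exp := now.Add(120 * time.Second)
	g := Grant{Issuer: "did:korium:issuer", Principal: "did:korium:caller", Audience: "did:korium:caller",
		Service: "urn:korium:demo/echo", Resource: "/echo", Action: "invoke", Exp: &exp}
	l4 := L4Context{CallerDID: "did:korium:caller", Service: "urn:korium:demo/echo"}
	fmt.Println(Authorize(g, l4, "/echo", "invoke", map[string]bool{"did:korium:issuer": true}, now))
}
```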