A CPHAR reserve unit moves through six states.

1 Manufacture
The seal vendor provisions a secure device with a non-exportable private key. Vendor attestation evidence (firmware measurement, device certificate chain) is recorded for later registration.
2 Registration
The public key, device type, manufacturer attestation, and firmware measurement are registered. The registry entry has no lot binding yet.
3 Inspection
An approved inspector verifies the physical commodity, quantity, grade, lot ID, and container. Inspection evidence is recorded under defined audit controls. CPHAR does not validate this evidence; it only records the binding, so the correctness of the inspection is trusted rather than checked by the system.
4 Sealing
The seal is attached to the physical reserve unit. The registry binds the seal identity to the inspected lot, and the lot enters the active reserve set.
5 Attestation
A verifier sends a fresh challenge. The intact seal signs it. The verifier checks the signature against the registered public key, the registry status, the revocation status, and the claim constraints (for example, that the lot being claimed is the lot the registry bound the seal to). See Seal Attestation.
6 Breakage or retirement
If the seal is broken, the key is destroyed or disabled, so the seal can never answer a challenge again. The lot exits the active reserve set until it is re-inspected and resealed with a fresh seal. Retirement is also explicit: the operator can revoke a seal that is being decommissioned cleanly, and the lot leaves the active reserve set in the same way.
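The six stages above, as an added, runnable sketch written for this page (it is not the CPHAR project's own code or registry schema). It assumes Go's standard crypto/ed25519 for the non-exportable seal key, a map-based registry whose record fields are an assumption, a constructed domain tag CPHAR-seal-attest-v1 with length-prefixed fields for the challenge message, and constructed IDs such as seal-001 and lot-42. Manufacture has no registry record, so registry entries start at Registered; Broken and Retired are both treated as revoked by the verifier.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// State is a seal's lifecycle state as the registry sees it (manufacture, stage 1,
// precedes any registry record, so entries start at Registered).
type State int

const (
	Registered State = iota // key on file, no lot binding yet (stage 2)
	Sealed                  // bound to an inspected lot, in the active reserve set (stage 4)
	Broken                  // tamper detected, key destroyed or disabled (stage 6)
	Retired                 // operator-initiated decommission (stage 6)
)

// SealEntry is one registry record; the field set is assumed for this example.
type SealEntry struct {
	PubKey   ed25519.PublicKey
	Firmware string // vendor firmware measurement recorded at registration
	LotID    string // filled in at sealing
	State    State
}

// Registry maps seal ID to its entry (assumed shape, not the project's schema).
type Registry map[string]*SealEntry

// Register records the public key and firmware measurement (stage 2). Re-using an
// ID is refused so a different key cannot later be slipped in under it.
func (r Registry) Register(id string, pub ed25519.PublicKey, fw string) error {
	if _, dup := r[id]; dup {
		return errors.New("seal ID already registered")
	}
	r[id] = &SealEntry{PubKey: pub, Firmware: fw, State: Registered}
	return nil
}

// Transition enforces the lifecycle edges: Registered->Sealed binds a lot (stage 4),
// Sealed->Broken or Sealed->Retired leaves the active set (stage 6); nothing else.
func (r Registry) Transition(id string, to State, lotID string) error {
	e, ok := r[id]
	switch {
	case !ok:
		return errors.New("unknown seal")
	case to == Sealed && e.State == Registered:
		e.LotID = lotID
	case (to == Broken || to == Retired) && e.State == Sealed:
		// terminal edge; nothing extra to record here
	default:
		return fmt.Errorf("transition %d -> %d not allowed", e.State, to)
	}
	e.State = to
	return nil
}

// Device stands in for the sealed hardware: a non-exportable signing key that is
// destroyed when the seal breaks (Tamper drops it).
type Device struct {
	ID   string
	priv ed25519.PrivateKey
}

func NewDevice(id string) *Device {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{ID: id, priv: priv}
}

func (d *Device) PublicKey() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }
func (d *Device) Tamper()                      { d.priv = nil }

// attestMessage length-prefixes seal ID, lot claim and nonce under a domain tag,
// so a response for one seal, lot or challenge cannot be replayed as another.
func attestMessage(sealID, lotID string, nonce []byte) []byte {
	msg := []byte("CPHAR-seal-attest-v1") // constructed domain tag, not a CPHAR constant
	for _, f := range [][]byte{[]byte(sealID), []byte(lotID), nonce} {
		msg = append(msg, byte(len(f)>>8), byte(len(f)))
		msg = append(msg, f...)
	}
	return msg
}

// Respond is the device side of stage 5: sign the challenge while still intact.
func (d *Device) Respond(lotID string, nonce []byte) ([]byte, error) {
	if d.priv == nil {
		return nil, errors.New("seal broken: key destroyed")
	}
	return ed25519.Sign(d.priv, attestMessage(d.ID, lotID, nonce)), nil
}

// Attest is the verifier side of stage 5: registry status (Broken and Retired
// count as revoked), the lot claim, then a signature over a fresh 32-byte nonce.
func Attest(r Registry, d *Device, claimedLot string) error {
	e, ok := r[d.ID]
	if !ok || e.State != Sealed {
		return errors.New("seal unknown, not yet sealed, or revoked")
	}
	if e.LotID != claimedLot {
		return errors.New("lot claim does not match registry binding")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	sig, err := d.Respond(claimedLot, nonce)
	if err != nil {
		return err
	}
	if !ed25519.Verify(e.PubKey, attestMessage(d.ID, claimedLot, nonce), sig) {
		return errors.New("signature does not verify against registered key")
	}
	return nil
}

func main() {
	r, d := Registry{}, NewDevice("seal-001") // constructed seal ID
	_ = r.Register(d.ID, d.PublicKey(), "fw-measurement-v1")
	_ = r.Transition(d.ID, Sealed, "lot-42")
	fmt.Println("attest:", Attest(r, d, "lot-42"))
}
```

The verifier checks registry state before it bothers with cryptography, so a retired seal whose key is still physically intact fails attestation just as a broken one does; and because the signed message carries the seal ID and lot claim, a signature captured from one lot cannot be replayed to vouch for another. A device presenting the same seal ID with a different key fails the signature check against the registered public key.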

Flow diagram

stateDiagram-v2
  [*] --> Manufactured
  Manufactured --> Registered: vendor attestation accepted
  Registered --> Inspected: inspector verifies lot
  Inspected --> Sealed: seal attached, registry binding
  Sealed --> Attested: challenge-response success
  Attested --> Sealed: next challenge cycle
  Sealed --> Broken: tamper detected
  Attested --> Broken: tamper detected
  Sealed --> Retired: operator-initiated decommission
  Attested --> Retired: operator-initiated decommission
  Broken --> [*]
  Retired --> [*]

Assumptions

What can go wrong

  • An operator with privileged registry access could bind a seal identity to the wrong lot. Mitigation: independent auditor sign-off on every binding.
  • A seal could be applied to an empty or substituted container after inspection. Mitigation: a recorded chain of custody between inspection and sealing.
  • A seal could be physically removed and re-applied to a different container. Mitigation: tamper-evident attachment (removal breaks the seal and destroys its key) and a regular attestation cadence so that the break is detected promptly.

These are covered in detail in the threat model.