Overview

This note presents a structured trust architecture designed for Handle-style hierarchical identifier systems.

In such systems, trust cannot be modeled as a single certificate chain. Instead, two fundamentally different trust relationships must be handled independently:

  1. Transport Trust—establishing secure communication between systems.
  2. Delegation Trust—determining which prefix identities are authorized to manage specific resource scopes.

Traditional PKI models are highly effective at proving identity, but hierarchical identifier systems require explicit validation of authority lineage.

This document introduces a dual-chain model that separates these concerns into:

  • A transport chain, based on X.509 and mTLS
  • An authorization chain, based on hierarchical prefix delegation

These two chains cooperate but evolve independently.


Core Motivation

Handle-based systems are not merely naming systems.

They combine:

  • hierarchical namespace management
  • service location
  • administrative delegation

Transport trust and authorization trust in the dual-chain architecture

According to the specifications defined in:

  • RFC 3650—Handle System Overview
  • RFC 3651—Handle Namespace and Service Definition

a prefix identity is not just an identifier—it is an authority boundary.

In multi-tenant environments, a single system may host multiple independent prefix identities. This introduces a structural requirement:

System Identity ≠ Prefix Authority

Attempting to encode both concerns into a single PKI chain results in:

  • tightly coupled trust semantics
  • slow authorization updates
  • poor isolation between tenants
  • difficult auditability

System and resource planes in the dual-chain architecture

The dual-chain architecture addresses these issues by decomposing trust into independent layers.


Architectural Principle

The dual-chain model is based on a simple structural separation:

Authentication Layer
(Transport Identity)

Authorization Layer
(Resource Scope Authority)

Each layer answers a different question:

Transport Chain:

Who is communicating?

Authorization Chain:

What is this entity allowed to control?

This separation aligns with the principle emphasized in:

  • NIST SP 800-207 (Zero Trust Architecture)

Authentication success does not imply authorization success.


System-Level Impact

The dual-chain architecture introduces several important system-level properties:

Independent Lifecycle Management

Transport certificates and authorization certificates can evolve independently.

This enables:

  • Transport key rotation without changing authorization scope
  • Authorization updates without disrupting communication channels

Explicit Delegation Lineage

Authority relationships become verifiable chains rather than implicit logic.

Each prefix authority can be traced through:

Root → Prefix → SubPrefix

This enables:

  • structured validation
  • deterministic authorization decisions
  • traceable authority inheritance

Multi-Tenant Isolation

Multiple prefix authorities can coexist on the same system while maintaining strict administrative boundaries.

Authorization lineage enforces:

  • tenant isolation
  • scoped privilege delegation
  • bounded authority propagation

Improved Security Posture

Separating trust layers reduces the blast radius of failures.

Examples:

  • A compromised transport certificate does not automatically grant resource control
  • A revoked prefix authorization does not terminate system connectivity

This separation enables targeted revocation strategies.


Relationship to Existing Models

This architecture is not an invention from scratch.

It is an engineering synthesis of several established trust paradigms:

Handle System Model (RFC 3650 / 3651)

Provides:

  • hierarchical namespace structure
  • administrative delegation primitives
  • service discovery mechanisms

The dual-chain model extends this structure into explicit trust decomposition.


PKIX / X.509 (RFC 5280)

Provides:

  • mature identity validation
  • certificate path verification
  • secure channel establishment

The transport chain directly leverages these capabilities.


SPKI / SDSI (RFC 2692 / RFC 2693)

Provides:

  • authorization-centric certificate logic
  • delegation semantics
  • capability-oriented trust reasoning

These concepts strongly influence the authorization chain.


Zero Trust Architecture (NIST SP 800-207)

Provides:

  • separation of authentication and authorization
  • continuous authorization evaluation
  • least-privilege enforcement

The dual-chain model aligns closely with these principles.


Design Role in This Research Topic

This document serves as:

The foundational trust model for the IRP research topic.

Subsequent articles in this topic can build upon this model, including:

  • Delegation chain validation algorithms
  • Prefix authority resolution logic
  • Multi-level authorization evaluation
  • Distributed namespace trust propagation
  • AI infrastructure identity isolation models

Understanding this dual-chain design is essential for interpreting later system behavior analyses.