الانتقال إلى المحتوى الرئيسي
securestamp.org/whitepaper
v0.3 — June 2026

Technical Whitepaper

SecureStamp Trust Protocol

An open standard for verifiable origin and intent before sensitive action

Version: 0.3Date: June 2026Status: Draftprotocol@securestamp.org
0

Abstract

SecureStamp is an open protocol for establishing verifiable trust before a digital communication becomes a sensitive action. It addresses phishing, impersonation, account-change requests, payment instructions, support messages, QR links and AI-polished social engineering by providing a multi-signal verification layer for origin, official channels, counterparties and action intent.

The protocol defines verification channels (DNS TXT records, HTTP headers, API registration, Signal channel boundaries and Agent Trust calls), deterministic decision outputs such as Action Verdict and Safe Next Step, and append-only audit records with signed receipts. Client plugins and agents surface those results before a user or workflow clicks, replies, pays, changes a counterparty record or shares sensitive data.

Trust resolves to a five-level scale (L1–L5). Technical signals alone cap at L4 (probably legitimate); the top level, L5 (Certified), is reached only through a notarial record — an ES256-signed attestation of the message envelope issued at send time and matched by the verifier — combined with an approved business-identity (KYB) check. L5 certifies origin and envelope integrity, not the truthfulness of content or permission to execute an unrelated action.

On top of origin, the protocol defines Confidential Mail for verified identities, SecureStamp Signal for official messaging-channel boundaries, and the Agent Trust API + MCP Guard so software agents can consult Proof-of-Intent before acting. The protocol verifies facts of registration and declared policy; it does not accuse a sender of intent.

1

The Problem

AI has made digital deception cheap, polished and context-aware. A fraudulent message can carry the right logo, tone and timing, and it can ask for a transfer, bank-account change, login, QR payment, support escalation or internal approval. The problem is no longer only identifying visible mistakes in a message; it is confirming origin, counterparty and action before the request becomes execution.

1.1 Limitations of existing standards

SPF verifies that an IP is authorized to send on behalf of a domain. DKIM verifies message integrity and domain association. DMARC ties them together with a policy. But none of these standards prove that a payment instruction, credential request, vendor change or agent action matches a declared counterparty policy.

A domain can pass all three checks and still carry a manipulated request, a compromised workflow, a lookalike counterparty, or a message generated by AI that pressures a human or agent into acting too quickly.

1.2 Pre-action experience

Humans and agents need a reliable signal at the instant before action: click, reply, approve, pay, share credentials, update records or execute an automated workflow. Without a shared protocol, the burden falls on discipline, manual callbacks and visual judgment.

2

Design Goals

The protocol is designed around four non-negotiable properties:

2.1

Open & Auditable

The protocol specification, scoring algorithm, and ledger are publicly inspectable. No closed black boxes in the trust chain.

2.2

Privacy-First

Message content does not need to leave the user's device. Risk analysis can run locally, while API calls carry only structured signals, hashes, domains, channels or counterparty identifiers.

2.3

Pre-Action Compatible

Works alongside email, browser, messaging and agent workflows. The protocol authorizes the next safe step; it does not execute payments, delete data or move funds.

2.4

Decentralizable

The trust registry can be operated by independent nodes. No single entity controls the protocol or can revoke trust globally.

3

Protocol

3.1 Registration

An organization registers domains, senders, official channels and counterparty policies at securestamp.online. Registration creates verifiable records anchored on the audit ledger and scoped to the tenant or public perimeter as appropriate.

3.2 Publication (three channels)

DNS TXT record — the domain publishes a TXT record at _securestamp.example.com containing the stamp ID and verify URL. This is the most robust channel as it is controlled by the domain owner and queried independently of private message body.

HTTP header — mail servers add an X-SecureStamp SMTP header to outgoing messages. This requires mail server configuration but provides per-message verification with a signed JWT payload.

API registration — organizations register channels, counterparties and action policies with SecureStamp directly, enabling real-time verification lookups without DNS propagation delays.

3.3 Verification

When a plugin, verifier or agent encounters a message or requested action, it queries POST /api/trust/check or the Action Verdict API with the origin, domain, channel, abstract risk signals or source hash. The API returns a structured trust response, Safe Next Step or signed receipt without requiring raw message content.

4

Trust Model & Notarial L5

The trust score is a deterministic function of twelve signals grouped into five dimensions. The scoring algorithm is open and versioned. Crucially, technical signals describe a floor, not a ceiling: SPF/DKIM/DMARC and reputation are commodity checks that can only attest a message is probably legitimate (L4). They never, on their own, prove who sent a specific message. The single path above that floor is the notarial layer (§4.3).

DimensionSignalsWeight
Origin AuthenticationSPF, DKIM, DMARC, registry state30%
Domain & Channel ReputationAge, registration, SSL, CT logs, perimeter25%
Protocol RegistrationSecureStamp registry, stamp and channel validity20%
Counterparty & Policy MatchDeclared policies, known instructions, tenant graph15%
Local Risk SignalsDevice-side patterns for social engineering or risky requests10%

4.1 Five trust levels

Signals and the notarial layer resolve to a five-level scale. Levels L1–L4 are a function of technical signals, registered origin and policy context; L5 requires a notarial match plus an approved identity. Declared policy rules can force a decision toward caution regardless of score.

  • L5 — Certified · Notarial match + KYBThe origin or message envelope matches a notarial record issued by a registered identity with approved business-identity (KYB). Certifies origin + envelope integrity.
  • L4 — Probably legitimate · Technical floorDomain is technically sound (SPF/DKIM/DMARC, reputation) but carries no notarial seal. The most a commodity check can assert.
  • L3 — Neutral · MixedSome signals degraded; no strong positive or negative.
  • L2 — Suspicious · DegradedMultiple weak or failing signals. The user or agent is warned before acting.
  • L1 — High risk · Failing / policy conflictCritical signals fail, or a declared policy conflict requires verification by another channel before action.

4.2 The notarial layer

An issuer registers a notarial record at issue time. The record is an ES256-signed attestation over a canonical hash of the message envelope — sender, ordered recipients, and subject — never the body. The recipient's client recomputes the same canonical hash and asks POST /api/verify/email to compare it against the signed record, yielding one of certified_match, token_valid_hash_mismatch, token_invalid or not_registered.

Forgery resistance rests entirely on the signing key, not on secrecy of the scheme: without the issuer's private key an attacker cannot mint a valid record, and altering any covered field changes the hash and breaks the match. Signing keys are rotated and the corresponding public keys are published as a JWKS set (key-id pinned), so any party can verify a signature — current or recently rotated — without trusting SecureStamp at run time.

L5 certifies that a message or origin matches a registered issuer and that its covered envelope is intact. It makes no claim about whether the content is true or whether a requested action should execute without context. This boundary is a deliberate, non-negotiable property of the protocol.

4.3 KYB gate

A notarial match alone reaches the certified band only when the issuing organization has passed a business-identity (KYB) review. Until identity is approved, an otherwise-perfect notarial match is capped at L4. This binds the cryptographic claim (“this registered identity issued this record”) to a vetted real-world identity (“and we verified who that organization is”).

5

Ledger & Transparency

5.1 Technology

The SecureStamp audit ledger is append-only and records signed transparency entries for stamp issuance, revocation, score changes and abuse events. The production storage model is designed for deterministic reads, tamper-evident hashes and independent verification without exposing private message content.

5.2 What is recorded

Every stamp issuance, revocation, and score change is written to the ledger as an immutable transaction. Ledger entries contain only stamp IDs and cryptographic hashes — never personal data or message content.

5.3 Verification

Any party can independently verify a stamp's authenticity and history by querying the public ledger endpoint at GET /v1/ledger/tx/:txHash.

6

Decision Surfaces

The plugin and agent layers surface trust signals where decisions happen: inbox, browser, messaging, API and automated workflow. Available surfaces:

Gmail (Chrome MV3)
v0.6.6Active
Outlook / Microsoft 365 (Office.js)
v1.8.4Active
Safari Extension
v1.1.1Active
Apple Mail
v1.1.0Active
CLI (@securestamp/cli)
v1.0.0Active
MCP Guard (@securestamp/mcp-guard)
v0.1.0Active
7

Confidential Mail (E2EE)

Confidential Mail is an optional layer that lets two verified identities exchange messages no intermediary — including SecureStamp and the mail providers — can read. Identity verification answers who sent a message; this layer answers only the intended recipient can read it. The two compose: encryption is keyed to identities the protocol can already vouch for.

7.1 Cryptographic suite (SSCM-1)

The default suite is SSCM-1: ECDH P-256 key agreement, HKDF-SHA256 derivation, and AES-256-GCM content encryption. A per-message key encrypts the body and is wrapped for each recipient via an ephemeral ECDH agreement, so recipient key identifiers stay opaque (Bcc is not leaked). All key generation and encryption happen on the client; private keys are non-extractable and never leave the device.

7.2 Verified-identity directory

Senders publish only their public keys to a directory. Directory and preflight responses are themselves ES256-signed (verifiable via the same JWKS as the notarial layer), so a client can confirm it is encrypting to the genuine recipient key and not a substituted one. First-seen keys are pinned (TOFU).

7.3 Recovery & sender proof

Each message carries a sender signature (proof-of-possession) the recipient verifies against the directory, distinguishing a genuine sender from a replay. Users hold an individual recovery file, and organizations may hold a recovery key — both are client-side secrets SecureStamp cannot read. The mode is strict by design: if any recipient lacks an active key the client blocks the send rather than silently downgrading to plaintext. The suite is crypto-agile (SSCM-2 X25519, SSCM-3 post- quantum hybrid are reserved).

8

Privacy

Privacy is enforced at the architecture level, not through policy:

  • Message body text never leaves the user's device — the ML classifier runs entirely locally (WASM/TFLite).
  • ML reports sent to the API contain only numeric scores and metadata counts, never matched phrases or text excerpts.
  • Plugin analytics events contain only plan tier, event name, and risk level — no raw message content.
  • Trust and Action APIs receive origins, domains, channels, source hashes or structured risk signals, not raw message bodies.
  • Confidential Mail is end-to-end encrypted (SSCM-1): the server stores only public keys and opaque ciphertext, and can never read message content or recipient lists.
  • 404 error logs store only the URL path and locale — no user identifiers or session data.
9

Security

9.1 Stamp forgery resistance

Each stamp contains an ES256-signed JWT payload anchored to the ledger. Copying a stamp image provides no benefit — the plugin verifies the signature at verification time, not the visual.

9.2 Plugin threat model

Plugins operate with minimal permissions. Chrome MV3 restricts background page access. Office.js sandboxes the plugin within the Outlook renderer. No plugin has access to the full email body in production mode.

9.3 API security

All API keys are prefixed and hashed before storage. The system supports key rotation without service interruption. All mutation endpoints require valid JWT or API key authentication. Rate limiting is enforced at the Vercel WAF edge before reaching application code.

10

Roadmap

Q3 2026
  • Chrome Web Store publication
  • Microsoft AppSource submission
  • SecureStamp node operator program (beta)
Q4 2026
  • Multi-node transparency review program
  • Public transparency log explorer
  • SSTP v1 protocol finalization
2027
  • iOS/Android Mail integration
  • Enterprise SMTP gateway plugin
  • IETF Internet-Draft submission
11

References

SecureStamp Trust Protocol — securestamp.org — protocol@securestamp.org

Whitepaper — SecureStamp Trust Protocol | SecureStamp Foundation