Signal — Confiance des canaux
Des fraudeurs se font passer pour votre banque, votre transporteur ou votre boutique sur WhatsApp et Telegram. Signal confirme en quelques secondes si le message vient d’un canal officiel.
Technical reality: asymmetric strategies
WhatsApp Cloud API: when a message is forwarded to a business number, the webhook only includes the phone of the person who forwarded it, context.forwarded and the content — never the original sender. Forwarded WhatsApp checks can only analyze content/links; channel attribution comes from sender-side claims.
Telegram Bot API: forward_origin includes the original sender (except privacy → MessageOriginHiddenUser). Third-party verification enables real receiver-side attribution plus a native badge.
Brand Claim Boundary (cornerstone)
Each brand declares and signs its official perimeter: the only domains, WhatsApp numbers, Telegram channels and short links it uses. The engine asks whether the artifact is inside or outside the perimeter against a signed allowlist. The perimeter is the published Official Channel Log entry.
Golden rule: registry facts, not intent
SecureStamp never asserts intent. The verdict is a closed set of facts:
PERTENECEThe channel is inside the brand’s declared and signed perimeter.NO_PERTENECEThe channel is outside the perimeter, optionally with observed signals.COUNTERSTAMPThe brand issued a confirmed counter-stamp against the channel.DISPUTEDThe case is under dispute and due process.UNKNOWNThe brand has not declared a perimeter in SecureStamp.
The 5 states map to L1–L5. The strong L1 state requires a brand-signed counter-stamp in state confirmed; the algorithmic case never imputes intent.
Two logs (TLP model) + transparency
Official Channel Log — TLP:CLEAR: first-party assertions about a brand’s own channels. Public lookup, history and revocations.
Abuse Transparency Log — TLP:AMBER: third-party assertions. Only cryptographic commitments and aggregate counts are public; detail remains restricted. A concrete case is proven with a Merkle inclusion proof against the public tree head.
Counter-stamp lifecycle
Not an arbitrary blacklist: it has states and due process.
Only confirmed enables L1; disputedis the dispute path for the channel owner.
Trust Receipt (ES256, shared JWKS)
Every verification produces a Trust Receipt: ES256-signed, timestamped, with idSSF-EV-… and re-verifiable by anyone. It reuses SecureStamp’s notarial key, so a third party verifies a receipt with the same/.well-known/jwks.json used for email stamps. Header typ: SSCT-receipt.
API
| POST | /api/signal/verify | Runs the engine and returns a registry fact + signed Trust Receipt. |
| GET | /api/signal/receipts/{id} | Re-verifies a Trust Receipt against the public JWKS. |
| POST | /api/signal/brands | Declares/updates a brand perimeter. |
| POST | /api/signal/counter-stamps | Opens a counter-stamp. |
| PATCH | /api/signal/counter-stamps | Transitions counter-stamp state. |
Disclaimer: SecureStamp certifies that a channel belongs to a brand’s declared official perimeter and the integrity of the receipt. It does not certify sender intent or the truth of message content.