EdSSA Nano | mTLS | OAuth 2.0 / JWT | DPoP (RFC 9449) | SPIRE / SPIFFE | Vault dynamic secrets | PQ-hybrid TLS | SCMS (IEEE 1609.2) | Kerberos | |
|---|---|---|---|---|---|---|---|---|---|
| No central authority in the hot path | ● | ○ | ○ | ○ | ○ | ○ | |||
| No per-request central call | ● | ● | ● | ● | ○ | ● | ● | ||
| No PKI / CA infrastructure required | ● | ○ | ○ | ○ | ○ | ○ | ○ | ○ | |
| Survives multi-day disconnect | ● | ○ | ○ | ○ | ○ | ○ | |||
| Tolerates RF-contested / jamming envelopes | ● | ○ | ○ | ○ | ○ | ○ | |||
| Post-quantum credential security | ● | ○ | ○ | ○ | ○ | ○ | ● | ○ | ○ |
| Forward secrecy from key compromise | ● | ○ | ○ | ● | |||||
| Sub-microsecond verification budget | ● | ○ | ○ | ○ | ○ | ○ | ○ | ○ | ○ |
| Per-request audit emission, ~zero overhead | ● | ○ | ● | ○ | ○ | ||||
| Sovereign-clean (no foreign-controlled binding) | ● | ○ | ○ | ● | |||||
| Transport-agnostic | ● | ○ | ● | ● | ○ | ||||
| Standardised RFC / IEEE spec | ○ | ● | ● | ● | ○ | ● | ● | ||
| Decade of production deployment | ○ | ● | ● | ● | ○ | ● | ● |
● Yes Partial○ No
The two rows we don’t yet score on — RFC standardisation and decade-of-production-deployment — are the rows time will fill in. Everything above the line is a structural consequence of the architecture, not a roadmap promise.
This information is to our best knowledge. Specifics evolve fast and product configurations vary — please verify against the vendor’s current docs for your deployment, and report errors to contact@edssa.io. We’ll correct them.