Skip to content

ATTESTATION PROTOCOL · ROYALTY-FREE · STANDARDS-TRACK FOR QUIC

An open protocol, drafted for the IETF.

The protocol belongs to the ecosystem. The engineering moat is ours.

EdSSA-over-QUIC is drafted for the IETF as an additive, non-TLS attestation binding for QUIC — provisioned at its own QUIC version codepoint, it serves machine-to-machine attestation use cases that TLS 1.3 within QUIC does not address. It rides alongside TLS, not in place of it. Royalty-free for conforming implementations. Defended by a deep patent portfolio underneath.

Internet-Draft · CFRG · QUIC WG · RAND-Z licensing · Helsinki HQ

Why open

You cannot be foundational without being open.

Every foundational protocol of the last forty years — TCP/IP, DNS, HTTP, TLS — became foundational by being implementable by anyone, free of royalty. Vendor-locked protocols become products. Open protocols become substrate.

The machine-to-machine authentication layer of the 2030s internet will follow the same pattern. An authentication mechanism for agentic AI, vehicle-to-infrastructure, satellite mesh and critical infrastructure cannot be the property of a single vendor. The ecosystem will not standardise on something it cannot freely implement, audit, or fork.

EdSSA is built on this premise from inception. The protocol is written as an Internet-Draft for the IETF, to be published royalty-free for conforming implementations under BCP 79 once the patent filings that underwrite that licence are on record. The reference implementation is open for independent audit. The formal verification work will be co-authored with academic cryptographers.

The patent portfolio that protects the company sits underneath all of that, active and expanding. The patents defend the company; the open protocol defends the ecosystem. Both have to be true at the same time.

Protocol

Open, royalty-free.

EdSSA-over-QUIC drafted as an Internet-Draft for the IETF. RAND-Z licensing committed for any implementation that conforms to the spec. The protocol belongs to the ecosystem.

Implementation

High-performance, commercial.

Rust reference implementation shipping in named phases. Sub-microsecond verification, cache-resident. Hardware acceleration roadmap. Commercial license for production deployment. This is where the engineering moat lives.

Platform

Enterprise-grade operations.

Fleet management panel, regulator-grade audit emission, compromise recovery, HSM integration, managed deployment and support. Tiered from a free community edition to datacenter site licences.

The trajectory

From draft to RFC, in the open.

Standardisation moves on its own clock, and we plan around the IETF’s cadence rather than against it. The trajectory below sequences the public standards work against the patent calendar so that nothing premature is disclosed, and so that the ecosystem can begin implementing on the same schedule the IETF itself moves on.

2027

Internet-Draft, individual submission.

draft-westerholm-quic-edssa-00Published as an individual submission once the continuation filings that underwrite the royalty-free licence are on record, then circulated on the CFRG mailing list for cryptographic review. Mandatory IPR disclosure filed under BCP 79 at submission.

2027–2028

CFRG presentation, formal review.

Thirty-minute slot at an IETF meeting’s Crypto Forum Research Group session. Tamarin / ProVerif formal verification co-authored with an academic partner. Independent security review report published.

H2 2027

QUIC WG adoption, Hackathon interop.

Two independent implementations interoperating at an IETF Hackathon. Approach to QUIC WG with additive framing — EdSSA is provisioned at a new QUIC version codepoint (the seam RFC 9000 §7 reserves for an alternative handshake), serving attestation use cases TLS 1.3 within QUIC cannot.

2028+

Working Group adoption, then RFC.

BoF or working-group adoption call. Successive draft revisions through Last Call. Standards-Track or Experimental RFC. IANA registrations assigned. The protocol becomes substrate.

IPR posture

Royalty-free for conforming implementations. Unambiguous and committed.

The IETF requires disclosure of patents that read on a normative specification. The disclosure for EdSSA-over-QUIC will be filed at the time the Internet-Draft is published, identifying the relevant patent applications and stating an unambiguous licensing posture for implementers.

The posture is royalty-free for conforming implementations: anyone who implements the published specification, in software or hardware, for any purpose — commercial, open-source, academic, government — receives a royalty-free license to the patent claims that read on the specification. No per-deployment fee. No per-instance fee. No discriminatory terms.

Commercial rights are retained for non-conforming use cases, for accelerated proprietary implementations, and for the extension surfaces that will be specified in later documents. This is the same posture IETF member companies including Cisco, Mozilla, Cloudflare and Google have used to contribute patents to specifications they helped author.

What this means for you

Implement freely. Audit freely. Fork freely.

Build a conforming EdSSA implementation in any language, on any platform, for any market. Ship it under any open-source licence or commercial licence you choose. No royalty payable to EdSSA.

What this means for us

The commercial moat lives in implementation and operations.

Our value to customers is engineering excellence, operational depth, and the patent portfolio defending the company against competitors who would race us on price alone with a sub-par implementation.

Allies and process

The standards push is not a solo effort.

Academic cryptography partner.

Formal verification of the protocol with Tamarin or ProVerif, co-authored with a university cryptography group. The Signal Protocol, MLS (RFC 9420) and TLS 1.3 all have formal models; EdSSA will too. The proof is the bedrock the IETF expects under any new cryptographic mechanism.

Independent adversarial review.

A tier-1 adversarial security review firm engaged to attack the protocol before public review. The published report — positive or fixed-and-published — is the credibility artifact that distinguishes a serious protocol from a press release.

Interop at IETF Hackathon.

Two independent implementations talking to each other at an IETF Hackathon is the canonical demonstration of “this is a real protocol.” The standards body will not adopt a single-vendor specification; interop is the entry ticket.

Sovereign and European engagement.

Engagement with EU and Finnish sovereign cyber agencies on sovereignty, NIS2, CER, DORA, and the post-quantum migration. A sovereign-grade reference for a decentralised authentication layer originating in Helsinki is a structural fit with EU strategic autonomy goals.

Why this works

Patents defend the company. Standards open the ecosystem. Both have to be true.

Founders are often told the choice is binary: patent your invention and stay closed, or open-source it and lose the moat. The pattern that actually built foundational infrastructure — from IBM’s patent contributions to the Apache and Linux ecosystems, to Cisco’s contributions to IETF protocols, to Cloudflare’s patent pledges around QUIC — tells a different story.

Hold the patent portfolio deep and defensive. Publish the protocol open and royalty-free for conforming implementations. Build the commercial business on engineering excellence and operational depth, not on protocol exclusivity. The patents prevent a competitor from ambushing you with a parallel filing; the openness prevents the ecosystem from routing around you to a free alternative.

EdSSA is built explicitly on this model. The Internet-Draft, the CFRG presentation, the formal-verification paper, and the open reference implementation are not concessions; they are the distribution strategy.

Want to implement EdSSA?
Want to review the protocol?
Want to co-author the next draft?

Let’s talk.

Talk to us →