# Identity and Authorization Model

In many traditional systems, network access is granted first and refined later through authentication and authorization. A connection is established based on network location, and identity is used only after access already exists. This creates implicit trust at the network level and increases the surface area exposed before policy checks are applied.

Enigma reverses this order. Identity is verified first, authorization is evaluated next, and network access is created only if those checks succeed. Connectivity does not exist by default and is not tied to location. Network access is established only when it is explicitly permitted, reducing unnecessary exposure and removing assumptions based on network position.

<figure><picture><source srcset="/files/RvkIuSf4DNNK9IGKw9R1" media="(prefers-color-scheme: dark)"><img src="/files/WE499pkCooz1D8V73m3i" alt=""></picture><figcaption></figcaption></figure>

*Identity-scoped access prevents visibility and lateral movement.*

```
TRADITIONAL:
  Network Access → Authentication → Authorization

ENIGMA:
  Authentication → Authorization → Network Access
  (prove identity) → (check policy) → (only then, connect)
```

J1, the user enrollment protocol, defines how a user is admitted into the network and issued a constrained, time-bound identity. It covers initial identity verification, enrollment token issuance, on-device key generation, and certificate issuance, establishing the cryptographic basis for authenticated access. Each artifact is bound to the one before it: the CSR carries the hash of the enrollment token and the current epoch, and the certificate carries the epoch and the service bindings, so no step can be replayed or recombined on its own. Because this step anchors all subsequent trust and routing decisions, compromise at this layer would enable impersonation, interception, or unauthorized access, making it one of the system's highest-risk entry points.
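
The token half of J1 in working code, as an added Go example that is not part of this page or of Enigma's implementation: Phase A mints the constrained, time-bound token and the token checks of Phase C verify it before any claim is trusted. The claims mirror the sketch below (`sub`, `iss`, `aud`, `exp`, `epoch`, the constraints, `nonce`), and the token is a compact JWS signed with EdDSA (RFC 8037). Assumptions: the Controller has already approved the identity claim, the issuer name `enrollment-service`, the ten-minute lifetime, epoch `7`, and an in-memory nonce registry that makes each token single-use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// Claims mirrors the token body in the J1 sketch, with the constraints object flattened.
type Claims struct {
	Sub         string   `json:"sub"`
	Iss         string   `json:"iss"`
	Aud         string   `json:"aud"`
	Exp         int64    `json:"exp"`
	Epoch       uint64   `json:"epoch"`
	Services    []string `json:"allowed_services"`
	MaxSessions int      `json:"max_sessions"`
	Nonce       string   `json:"nonce"`
}

// usedNonces makes tokens single-use; it stands in for the sketch's tokenNotRevoked check (assumed).
var usedNonces = map[string]bool{}

// IssueToken is Phase A after the Controller has approved (claim, proof), which is not modelled
// here. The result is a compact JWS signed with EdDSA (RFC 8037), good for one epoch and ten minutes.
func IssueToken(svcKey ed25519.PrivateKey, claim string, epoch uint64, now time.Time) string {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	sub := sha256.Sum256([]byte(claim))
	payload, _ := json.Marshal(Claims{
		Sub: b64.EncodeToString(sub[:]), Iss: "enrollment-service", Aud: "ravid_network",
		Exp: now.Add(10 * time.Minute).Unix(), Epoch: epoch,
		Services: []string{"service_a", "service_b"}, MaxSessions: 3,
		Nonce: b64.EncodeToString(nonce),
	})
	input := b64.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	return input + "." + b64.EncodeToString(ed25519.Sign(svcKey, []byte(input)))
}

// VerifyToken is the token half of the Phase C checks. The algorithm is pinned to Ed25519 rather
// than read from the header, and no claim is looked at before the signature has verified.
func VerifyToken(svcPub ed25519.PublicKey, tok string, epoch uint64, now time.Time) (*Claims, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, err := b64.DecodeString(p[2])
	if err != nil || !ed25519.Verify(svcPub, []byte(p[0]+"."+p[1]), sig) {
		return nil, errors.New("bad signature")
	}
	raw, err := b64.DecodeString(p[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Aud != "ravid_network":
		return nil, errors.New("wrong audience")
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	case c.Epoch != epoch:
		return nil, errors.New("token bound to a stale epoch")
	case usedNonces[c.Nonce]:
		return nil, errors.New("token already used")
	}
	usedNonces[c.Nonce] = true // consumed here, so a failed CSR check later still burns the token
	return &c, nil
}

func main() {
	svcPub, svcKey, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	tok := IssueToken(svcKey, "alice@example.org", 7, now) // constructed identity claim
	c, err := VerifyToken(svcPub, tok, 7, now)
	fmt.Println(c.Services, err)
	_, err = VerifyToken(svcPub, tok, 7, now) // second presentation is a replay
	fmt.Println(err)
}
```

Verification fails closed and each failure is distinguishable: a replayed token, a token issued for an earlier epoch, an expired token, a token signed by any key other than the enrollment service's, and a structurally malformed token are all refused before the CA looks at a CSR. Pinning the algorithm on the verifier side is what keeps the header's `alg` from becoming an attack surface.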

```
// J1: USER ENROLLMENT PROTOCOL (pseudocode)

// Phase A: Enrollment Token Acquisition
function requestEnrollment(user, enrollmentService, controller):
    claim = user.createIdentityClaim()
    proof = user.proveIdentity()  // External verification, out of band

    // Service validates with Controller; nothing is issued on failure
    approved = controller.validateClaim(claim, proof)
    if not approved:
        return REJECT

    token = JWT.create({
        sub: hash(claim),
        iss: enr' ollmentService.id,
        aud: "ravid_network",
        exp: now() + TOKEN_VALIDITY,      // short-lived
        epoch: currentEpoch,              // valid in this epoch only
        constraints: {
            allowed_services: ["service_a", "service_b"],
            max_sessions: 3
        },
        nonce: randomBytes(32)            // makes the token single-use
    })
    return token.signWith(enrollmentService.privateKey)

// Phase B: Key Generation (on user device)
function generateIdentityKeys(identityClaim, enrollmentToken):
    // sk_user is generated inside the secure enclave and is never exported
    sk_user, pk_user = Ed25519.generateKeyPair(secureEnclave)

    csr = createCSR({
        subject: identityClaim,
        publicKey: pk_user,
        extensions: {
            keyUsage: ["digital_signature"],   // Ed25519 is signature-only; no key_encipherment
            epochBound: currentEpoch,
            tokenHash: hash(enrollmentToken)   // binds this CSR to exactly one token
        }
    })

    return signCSR(csr, sk_user)  // proof of possession of sk_user

// Phase C: Certificate Issuance (CA)
function issueCertificate(enrollmentToken, signedCSR):
    // Token checks
    assert verifyTokenSignature(enrollmentToken, enrollmentService.publicKey)
    assert tokenNotExpired(enrollmentToken)
    assert tokenNotRevoked(enrollmentToken)
    assert tokenNotAlreadyUsed(enrollmentToken.nonce)
    assert enrollmentToken.aud == "ravid_network"
    assert epochIsCurrent(enrollmentToken.epoch)

    // CSR checks: possession of sk_user and binding to this exact token and epoch
    assert verifyCSRSignature(signedCSR)
    assert signedCSR.extensions.tokenHash == hash(enrollmentToken)
    assert signedCSR.extensions.epochBound == enrollmentToken.epoch
    assert hash(signedCSR.subject) == enrollmentToken.sub

    markTokenUsed(enrollmentToken.nonce)

    // Issue X.509 certificate; the bindings come from the token, not from the CSR
    cert = CA.issueCertificate({
        version: 3,
        serialNumber: generateUnique128Bit(),
        issuer: "CN=RAVID Intermediate CA, O=Enigma",
        subject: "CN=<identity_id>, O=Enigma Users",
        publicKey: signedCSR.publicKey,
        validity: {notBefore: now(), notAfter: now() + CERT_VALIDITY},
        extensions: {
            keyUsage: ["digital_signature"],
            extendedKeyUsage: ["client_auth"],
            subjectAltName: "URI:enigma:identity:<id>",
            ravidEpochBound: enrollmentToken.epoch,
            ravidServiceBindings: enrollmentToken.constraints.allowed_services,
            crlDistributionPoints: revocationEndpoint
        }
    })

    return CA.sign(cert)

// Phase D: Authenticated Session (mTLS, TLS 1.3 key schedule simplified)
function establishSession(user, userCert, edgeRouter):
    clientHello = {versions, cipherSuites, keyShare: user.ephemeralKey}
    serverHello = edgeRouter.respond(clientHello)   // carries router.ephemeralKey

    // Handshake keys come from the ephemeral ECDH shares and the transcript hash.
    // The long-term certificate keys only sign (CertificateVerify); they never feed the KDF.
    sharedSecret = ECDH(user.ephemeralKey, router.ephemeralKey)
    handshakeSecret = HKDF_Extract(derivedEarlySecret, sharedSecret)
    handshakeKeys = HKDF_Expand(handshakeSecret, transcriptHash)   // protects the certificates

    // Both sides present and verify certificates: chain, validity, revocation, epoch
    edgeRouter.presentCertificate(routerCert)
    assert user.verifyCertificate(routerCert, trustedCA)
    user.presentCertificate(userCert)
    assert edgeRouter.verifyCertificate(userCert, trustedCA)
    assert epochIsCurrent(userCert.extensions.ravidEpochBound)
    assert requestedService in userCert.extensions.ravidServiceBindings

    // Only now does a network path exist, and only to the bound services
    sessionKeys = HKDF_Expand(masterSecretFrom(handshakeSecret), transcriptHash)
    return EncryptedSession(sessionKeys, userCert.extensions.ravidServiceBindings)
```
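
Phases B to D in working code, as an added Go example that is not Enigma's implementation: on-device Ed25519 key generation with a CSR bound to the token and epoch, the CA's issuance checks, and the edge router's chain check before a session is accepted. It assumes the enrollment token has already passed the token checks above and yielded `sub` and `epoch`, uses a hypothetical private OID arc (`1.3.6.1.4.1.99999`) for the epoch and token-hash extensions, a 24-hour certificate lifetime and a self-signed issuing CA, and lets Go's `crypto/x509` stand in for the sketch's CA.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"net/url"
	"time"
)

// Assumed private-arc OIDs for the sketch's epochBound and tokenHash extensions (it names none).
var (
	oidEpochBound = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}
	oidTokenHash  = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 2}
)

// CreateCSR is Phase B, on the device: generate sk_user/pk_user and a CSR whose extensions
// bind pk_user to this exact enrollment token (by hash) and epoch. Only the CSR leaves.
func CreateCSR(token string, epoch uint64) (ed25519.PrivateKey, []byte, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	th := sha256.Sum256([]byte(token))
	epochDER, _ := asn1.Marshal(int64(epoch))
	hashDER, _ := asn1.Marshal(th[:])
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{Organization: []string{"Enigma Users"}},
		ExtraExtensions: []pkix.Extension{
			{Id: oidEpochBound, Value: epochDER}, {Id: oidTokenHash, Value: hashDER}},
	}, priv)
	return priv, csr, err
}

// IssueCert is Phase C once the token has verified and yielded sub and epoch. The CSR signature
// proves possession of sk_user; the extension check proves the CSR was made for this token and
// epoch, so a CSR captured in transit cannot be redeemed with another token or after an epoch change.
func IssueCert(ca *x509.Certificate, caKey ed25519.PrivateKey, token, sub string, epoch uint64,
	csrDER []byte, now time.Time) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	boundEpoch, boundHash := int64(-1), []byte(nil) // sentinels: a missing extension never matches
	for _, e := range csr.Extensions {
		if e.Id.Equal(oidEpochBound) {
			asn1.Unmarshal(e.Value, &boundEpoch)
		} else if e.Id.Equal(oidTokenHash) {
			asn1.Unmarshal(e.Value, &boundHash)
		}
	}
	want := sha256.Sum256([]byte(token))
	if !hmac.Equal(boundHash, want[:]) || uint64(boundEpoch) != epoch {
		return nil, errors.New("CSR is not bound to the presented token and epoch")
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	san, _ := url.Parse("enigma:identity:" + sub)
	epochDER, _ := asn1.Marshal(boundEpoch)
	return x509.CreateCertificate(rand.Reader, &x509.Certificate{
		SerialNumber:    serial,
		Subject:         pkix.Name{CommonName: sub, Organization: []string{"Enigma Users"}},
		NotBefore:       now, NotAfter: now.Add(24 * time.Hour),
		KeyUsage:        x509.KeyUsageDigitalSignature, // Ed25519 signs only; keyEncipherment does not apply
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		URIs:            []*url.URL{san},
		ExtraExtensions: []pkix.Extension{{Id: oidEpochBound, Value: epochDER}},
	}, ca, csr.PublicKey, caKey)
}

// NewCA is a self-signed issuing CA for the example; the sketch's intermediate would chain to a root.
func NewCA(now time.Time) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:   pkix.Name{CommonName: "RAVID Intermediate CA", Organization: []string{"Enigma"}},
		NotBefore: now, NotAfter: now.Add(365 * 24 * time.Hour), KeyUsage: x509.KeyUsageCertSign}
	raw, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(raw)
	return cert, priv
}

// VerifyClientCert is the edge router's side of Phase D: the presented certificate is accepted
// only if it chains to the CA, is inside its validity window and is marked for client auth.
func VerifyClientCert(ca *x509.Certificate, certDER []byte, now time.Time) (*x509.Certificate, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return cert, err
}
```

The call order is the protocol order: `NewCA`, then `CreateCSR` with the verified token, then `IssueCert`, then `VerifyClientCert` on the router. `IssueCert` refuses a CSR presented with a different token, a CSR from an earlier epoch, and a CSR whose signature no longer matches its own public key; `VerifyClientCert` refuses a certificate outside its validity window or issued by an unknown CA. The epoch check at the router (comparing the certificate's epoch extension with the current epoch, as the sketch does) is left to the caller here.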


