# Threat Model

What Ephemera protects against, what it does not, and why.

## Threats & Mitigations
| Threat | Mitigation |
|---|---|
| Stolen SSH private key | Keys are ephemeral. Certificates expire in minutes, limiting exposure window. |
| Credential phishing | WebAuthn is phishing-resistant. TOTP is fallback only. |
| Unauthorized privilege escalation | JIT Sudo requires fresh MFA approval per session. Logged centrally. |
| Audit log tampering | Merkle-chained ledger. Remote syslog mirroring to isolated sink. |
| CA key compromise | Encrypted at rest. Zero-downtime rotation with multi-CA trust model. |
| Single-point recovery failure | Shamir secret sharing (k-of-n) for backup decryption. |
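The "Audit log tampering" row pairs two controls: a hash-chained ledger and a remote mirror held by an isolated sink. The following Python is an added illustration of why both are needed; it is not Ephemera's ledger code, and the `Entry` layout, the `GENESIS` anchor, the `SAMPLE_EVENTS` field names and SHA-256 canonical JSON are all constructed assumptions for this example. It builds a small chain, then runs three tampering scenarios against `verify()` to show which one each control catches.

```python
import hashlib
import json
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # hypothetical anchor hash for the first entry


@dataclass(frozen=True)
class Entry:
    seq: int
    event: dict
    prev_hash: str
    entry_hash: str


def _digest(seq: int, event: dict, prev_hash: str) -> str:
    # Canonical JSON so that the same event always hashes identically.
    payload = json.dumps(
        {"seq": seq, "event": event, "prev": prev_hash},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hashlib.sha256(payload).hexdigest()


class Ledger:
    """Append-only hash chain: each entry commits to the one before it."""

    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def head(self) -> str:
        return self.entries[-1].entry_hash if self.entries else GENESIS

    def append(self, event: dict) -> Entry:
        seq = len(self.entries)
        prev = self.head()
        entry = Entry(seq, event, prev, _digest(seq, event, prev))
        self.entries.append(entry)
        return entry


def verify(entries: List[Entry],
           expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Walk the chain; return (ok, index of the first inconsistent entry)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if (e.seq != i or e.prev_hash != prev
                or _digest(e.seq, e.event, e.prev_hash) != e.entry_hash):
            return False, i
        prev = e.entry_hash
    # Only a head hash held outside the host catches a fully rewritten chain.
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, None


# Constructed sample events; field names are illustrative, not Ephemera's schema.
SAMPLE_EVENTS = [
    {"type": "cert.issue", "user": "alice", "ttl_s": 300},
    {"type": "sudo.request", "user": "alice", "approved": False},
    {"type": "cert.issue", "user": "bob", "ttl_s": 300},
]


def tamper_scenarios() -> dict:
    ledger = Ledger()
    for ev in SAMPLE_EVENTS:
        ledger.append(ev)
    mirrored_head = ledger.head()  # what the remote, isolated sink would hold

    # 1. Edit a field but leave the stored hash alone.
    naive = list(ledger.entries)
    naive[1] = replace(naive[1], event={**naive[1].event, "approved": True})

    # 2. Edit the field and recompute that entry's own hash.
    rehashed = list(naive)
    e = rehashed[1]
    rehashed[1] = replace(e, entry_hash=_digest(e.seq, e.event, e.prev_hash))

    # 3. Rebuild the entire chain from the altered events.
    rewritten = Ledger()
    for e in rehashed:
        rewritten.append(e.event)

    return {
        "naive": verify(naive),
        "rehashed": verify(rehashed),
        "rewritten_local": verify(rewritten.entries),
        "rewritten_vs_mirror": verify(rewritten.entries, mirrored_head),
    }


if __name__ == "__main__":
    for name, result in tamper_scenarios().items():
        print(f"{name:20s} ok={result[0]} first_bad_seq={result[1]}")
```

Scenarios 1 and 2 are caught by the chain alone (the mismatch surfaces at entry 1 and entry 2 respectively). Scenario 3 passes a purely local verification, which is exactly the case the remote mirror exists for: comparing against the head hash the sink recorded exposes the rewrite.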
## Explicit Non-Goals
The following are intentionally excluded from Ephemera's scope:
| Feature | Reason |
|---|---|
| SSH MITM Proxy | Violates end-to-end encryption; adds attack surface. |
| Custom SSH Protocol | Unnecessary complexity. Native OpenSSH is sufficient. |
| Cloud Dependency | Designed for sovereign, air-gapped deployments. |
| Session Replay UI | Recording research is decentralized; no central player planned. |
| QR-Based Shard Recovery | JSON file shards are simpler and more portable. |
| C PAM Module | pam_exec with Python is portable and auditable. |
## Inherent Security Trade-offs

The following behaviors follow directly from Ephemera's technical design (time-bound credentials, the availability model, and quorum cryptography). They are documented as expected boundaries of the threat model rather than as defects:
- Post-authorization credential persistence — As an inherent property of time-bound credentials, a valid certificate remains authorized until its cryptographic expiry even if the initiating endpoint is subsequently compromised.
- Decoupled availability and issuance — In a sovereign deployment model, the inability to reach the CA server prevents new issuance but does not revoke existing, valid sessions until their natural expiration.
- Quorum-based recovery boundaries — Quorum cryptography (k-of-n) lets any k custodians reconstruct the backup secret, so k colluding custodians can recover it without the consent of the remaining n-k. This is an intended property of the cryptographic model selected for sovereign disaster recovery.
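The quorum boundary above is a mathematical property of the sharing scheme, not a configuration choice. The Python below is an added example of a textbook Shamir k-of-n split over a prime field; it is not Ephemera's recovery code, and the field prime, the `Share` layout and the 32-byte stand-in for a backup decryption key are constructed assumptions. `quorum_properties()` checks both sides of the boundary: every k-subset of shares recovers the secret, while k-1 shares yield an unrelated value.

```python
import secrets
from itertools import combinations
from typing import List, Tuple

# All arithmetic is in GF(PRIME). 2**521 - 1 is a Mersenne prime large enough
# to hold a 32-byte key; the choice is an assumption of this example.
PRIME = 2**521 - 1

Share = Tuple[int, int]  # (x, f(x))


def split_secret(secret: int, k: int, n: int) -> List[Share]:
    """Split `secret` into n shares such that any k of them reconstruct it."""
    if not 1 <= k <= n < PRIME or not 0 <= secret < PRIME:
        raise ValueError("invalid threshold, share count or secret size")
    # f(x) = secret + a1*x + ... + a_(k-1)*x^(k-1) with random coefficients,
    # so f(0) is the secret and any k points determine f uniquely.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x)
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_secret(shares: List[Share]) -> int:
    """Lagrange interpolation of f at x = 0.

    With fewer than k shares this interpolates a different polynomial and
    returns a value unrelated to the secret (with overwhelming probability).
    """
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def quorum_properties(key: bytes, k: int, n: int) -> dict:
    """Check the recovery boundary for a k-of-n split of `key`."""
    secret = int.from_bytes(key, "big")
    shares = split_secret(secret, k, n)
    return {
        # Any k custodians (colluding or not) can reconstruct the key.
        "any_k_recover": all(
            recover_secret(list(c)) == secret for c in combinations(shares, k)
        ),
        # k-1 custodians learn nothing useful.
        "k_minus_1_recover": recover_secret(shares[: k - 1]) == secret,
        "share_count": len(shares),
    }


if __name__ == "__main__":
    backup_key = secrets.token_bytes(32)  # constructed stand-in for a backup key
    print(quorum_properties(backup_key, k=3, n=5))
```

The threshold k is therefore the real security parameter for recovery: it sets both how many custodians must cooperate for legitimate disaster recovery and how many must collude to recover without authorization, and the scheme cannot distinguish the two.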
## Security Disclosure Philosophy
Certain implementation details are intentionally omitted from public documentation. Ephemera follows a "disclose-the-model, protect-the-keys" philosophy.
## Commitment to Transparent Security

Explicit acknowledgment of security boundaries increases systemic trust. In high-assurance infrastructure, documenting the technical limits of cryptographic models is essential for informed risk management.