Goals
- Reduce the number of direct pairing sessions required to grow a network.
- Keep the user confirmation flow for direct pairing.
- Let receiving devices choose to accept or reject a vouch.
- Record the trust chain for audit and review.
- Support offline devices by queueing vouches.
Non goals
- Multi hop vouching. Only directly paired devices can vouch.
- Shared group keys or a central authority.
- Automatic trust propagation without user control.
Trust model
Direct pairings remain the base trust relationship. Proxy pairings are derived from a trusted voucher.
Compatibility with direct confirmation
Proxy pairing builds on the direct confirmation flow. The direct pairing must reach a confirmed state before any vouching starts. The voucher then offers to vouch the new device to other devices. Receiving devices can auto accept or ask for user confirmation.
Protocol additions
Resource model for UI
The vouching session is a resource that the UI can subscribe to with `ResourceChanged` events.
Events for confirmation prompts
The vouching session is driven by resource updates. Events are only needed for confirmation prompts and UI entry points.
Actions
Voucher flow
- The new device sends `PairingRequest`.
- The voucher enters the confirmation state and the user confirms.
- Direct pairing completes and session keys are stored.
- The voucher creates a `VouchingSession` resource in `Pending`.
- The voucher emits `ProxyPairingVouchingReady` so the UI can open a modal.
- The user selects target devices and triggers `network.pair.vouch`.
- The background worker processes each target:
  - Online devices move to `Waiting` and receive `ProxyPairingRequest`.
  - Offline devices move to `Queued` and are stored in `vouching_queue`.
- Responses update the vouch status to `Accepted` or `Rejected`.
- When all vouches reach a terminal state, the session becomes `Completed`.
- The voucher sends `ProxyPairingComplete` to the vouchee.
Receiving device flow
- Receive `ProxyPairingRequest`.
- Verify the voucher is a trusted, directly paired device.
- Verify the vouch signature and timestamp.
- Check that the vouchee is not already paired.
- If auto accept is enabled, accept and store the device.
- If manual confirmation is required, emit `ProxyPairingConfirmationRequired`.
- Send `ProxyPairingResponse` with accepted or rejected.
- Store the vouchee as `pairing_type: Proxied` when accepted.
Vouchee flow
- Complete direct pairing with the voucher.
- Receive `ProxyPairingComplete`.
- Store accepted devices with `pairing_type: Proxied`.
- Update the device registry and emit resource updates.
Vouch payload signature
Session key derivation for proxied pairing
The receiving device and the vouchee derive keys from the voucher and vouchee shared secret.
Persistent queue for offline devices
Queued vouches are stored in `sync.db` so the system can retry when a device comes online.
- A worker polls the queue every 10 seconds.
- If a target device is online, send `ProxyPairingRequest` and move the vouch to `Waiting`.
- Remove entries after success or after the max retry count.
- Delete entries after `expires_at`.
Configuration
auto_accept_vouched: true
auto_vouch_to_all: false
vouch_signature_max_age: 300
vouch_response_timeout: 30
Security checks
- The voucher must be trusted and directly paired.
- The vouch signature must match the voucher public key.
- The vouch timestamp must be within the allowed window.
- The vouchee must not already be paired.
- Devices with unreliable or blocked trust levels reject proxy pairing.
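The receiving device flow and the security checks above, as an added Go example that is not part of this design or its code base: the vouch is an Ed25519 signature over the voucher id, vouchee id, vouchee key and timestamp, verified against the voucher's stored key, the `vouch_signature_max_age` window, the direct pairing requirement and the duplicate pairing rule. The field names, the string trust levels and the `|` separated message encoding are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Peer is the receiver's record of a known device. Level is "trusted", "unreliable"
// or "blocked" (encoding assumed); Direct is false for proxied peers, which never vouch.
type Peer struct{ Pub ed25519.PublicKey; Level string; Direct bool }
// ProxyPairingRequest carries the vouch; field names are assumptions.
type ProxyPairingRequest struct {
	VoucherID, VoucheeID string
	VoucheePub           ed25519.PublicKey
	IssuedAt             int64 // unix seconds
	Sig                  []byte
}
// vouchMessage binds every field the receiver relies on into the signed bytes
// (device IDs are assumed not to contain '|').
func vouchMessage(r ProxyPairingRequest) []byte {
	return []byte(fmt.Sprintf("%s|%s|%x|%d", r.VoucherID, r.VoucheeID, r.VoucheePub, r.IssuedAt))
}
// SignVouch is the voucher side: sign with the key the receiver already trusts.
func SignVouch(priv ed25519.PrivateKey, r ProxyPairingRequest) ProxyPairingRequest {
	r.Sig = ed25519.Sign(priv, vouchMessage(r))
	return r
}
// EvaluateVouch runs the receiving device checks in order: "accepted" stores the
// vouchee as a proxied peer, "confirm" means emit ProxyPairingConfirmationRequired.
func EvaluateVouch(peers map[string]Peer, r ProxyPairingRequest, now, maxAge int64, autoAccept bool) (string, error) {
	v, ok := peers[r.VoucherID]
	if !ok || !v.Direct || v.Level != "trusted" {
		return "rejected", errors.New("voucher is not a trusted, directly paired device")
	}
	if !ed25519.Verify(v.Pub, vouchMessage(r), r.Sig) {
		return "rejected", errors.New("vouch signature does not match voucher key")
	}
	if age := now - r.IssuedAt; age < 0 || age > maxAge {
		return "rejected", errors.New("vouch timestamp outside allowed window")
	}
	if _, dup := peers[r.VoucheeID]; dup {
		return "rejected", errors.New("vouchee is already paired")
	}
	if !autoAccept {
		return "confirm", nil
	}
	peers[r.VoucheeID] = Peer{Pub: r.VoucheePub, Level: "trusted", Direct: false}
	return "accepted", nil
}
```

Because a proxied peer is stored with `Direct` false, the first check also enforces the no multi hop rule: a device that was itself vouched in cannot vouch for anyone else.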
Backwards compatibility
- Devices without proxy pairing ignore `ProxyPairingRequest`.
- The voucher records the lack of response as a rejection.
- Existing direct pairings remain unchanged.
Cleanup and retention
- Remove `VouchingSession` data one hour after completion.
- Remove queued vouches after seven days.
Testing
- Unit tests for vouch signature verification and timestamp checks.
- Integration tests for accept and reject flows.
- Queue processing tests for offline devices.
- Tests for trust level rules and auto accept settings.
Open questions
- Key rotation for proxied session keys.
- Whether to allow multi hop vouching in a future version.
- Vouch revocation when a voucher is unpaired.
