Pilot Identity and Non-Repudiation
1. OAuth2 / OIDC User Identity Verification
The Authorization Server (e.g. login.gov) authenticates the user and issues a signed JWT containing claims like sub, email, and exp. The client verifies the signature using the AS’s public keys fetched from /.well-known/jwks.json — mechanically similar to how a browser verifies a CA-signed certificate.
Comparison to CA chain of trust
| CA Chain | OAuth2 / OIDC |
|---|---|
| Root CA | Authorization Server |
| Leaf certificate | JWT token |
| CA’s private key signs the cert | AS’s private key signs the JWT |
| Browser verifies with CA’s public key | Client verifies with AS’s public key |
Issuer / expiry fields | iss / exp claims |
| Trust store (pre-installed, out-of-band) | Explicit client configuration |
The fundamental difference
In the CA model, trust is cryptographically hierarchical — it terminates at a root whose key was distributed out-of-band by your OS vendor, independent of any single party. No website can subvert it unilaterally.
In OAuth2, trust is unilateral. The client decides to trust an Authorization Server — there is no higher authority certifying that login.gov or Okta is a legitimate identity provider. That relationship is a business and policy decision, not a cryptographic one. If the Authorization Server lies about a user’s identity, the client has no way to detect it. The HTTPS connection to /.well-known/jwks.json relies on the CA chain to confirm the server’s identity — but that only proves you reached the real server, not that it is being honest.
2. IdP Federation Breaks the Chain
When an application trusts an intermediary IdP (e.g. Auth0) that is itself federated with an upstream IdP (e.g. login.gov), the user authenticates with the upstream provider, but the application only ever sees a token issued by the broker. Auth0 validates the upstream assertion and re-issues its own JWT.
Is the upstream IdP visible in the token?
Yes, if Auth0 is configured to include it. Relevant claims:
{
"iss": "https://your-tenant.auth0.com/",
"idp": "login.gov",
"amr": ["govt-identity-proofed", "mfa"],
"acr": "http://idmanagement.gov/ns/assurance/ial/2"
}idp— identifies the upstream provideramr— how the user was authenticatedacr— assurance level (login.gov uses NIST 800-63 URIs)
Can it be verified?
Only partially. The application can cryptographically verify that Auth0 signed the JWT. It cannot verify that login.gov’s original assertion to Auth0 was legitimate — it must trust Auth0 to have validated it correctly.
Federation extends the unilateral trust chain
Your app
→ trusts Auth0 (unilateral, policy decision)
→ Auth0 trusts login.gov (unilateral, policy decision)
→ login.gov trusts its own identity proofingEach hop is a policy and contractual decision, not a cryptographic one. There is no equivalent of a Root CA certifying that Auth0 is a legitimate broker — unlike the CA chain of trust, there is no ultimate authority anchoring the chain.
3. Preserving the Chain of Trust to the Identity Issuer
Standard OAuth2 federation breaks the cryptographic chain. Two approaches restore it.
PIV / CAC smart cards
Used by the US government for employees. The card holds an X.509 certificate issued by a government CA that chains up to the Federal Common Policy Root CA. Authentication produces a signature verifiable all the way to that root — no intermediary can lie. The limitation is that it requires physical hardware, making it impractical for consumer applications.
Verifiable Credentials (W3C)
The modern general-purpose solution. The issuer (e.g. login.gov) signs a credential with its private key and gives it to the user, who stores it in a digital wallet. When authenticating, the user presents the credential directly to the application, which verifies the issuer’s signature against the issuer’s published public key. No broker in the middle.
The trust chain becomes: issuer's key → credential → your app — analogous to the CA chain of trust, with the issuer’s published key as the trust anchor.
Verifiable Credentials are not yet mainstream — the ecosystem lacks a universal wallet and consistent government adoption. The EU is ahead with the EUDI Wallet, mandated across member states by 2026.
Comparison
| Approach | Chain of trust to issuer? | Practical today? |
|---|---|---|
| OAuth2 / OIDC federation | No — policy trust only | Yes |
| PIV / CAC smart card | Yes — full X.509 chain | Government / enterprise only |
| Verifiable Credentials | Yes — cryptographic proof | Emerging |
4. Non-Repudiation and Cross-Agency Evidence
When ATOMx must produce credible evidence that a specific government user initiated an action — evidence that a third-party agency will accept — an intermediary IdP is architecturally incompatible with that requirement.
If Auth0 or a similar broker is in the middle, the government’s reasonable response to “John Doe authorized this flight” is: “we trust login.gov, we don’t trust Auth0 — Auth0 could have fabricated or modified that claim.” The intermediary breaks the evidentiary chain.
What is required: non-repudiation
Non-repudiation is the property that a user cannot deny having performed an action, and that a third party can independently verify they did. For this to hold across organizational boundaries, the proof must chain back to an authority the third party already trusts — with no intermediary in between.
Options
| Approach | Non-repudiation | Operational cost |
|---|---|---|
| Direct OIDC federation per agency | Yes — original govt-signed JWT retained | High |
| PIV / CAC smart card | Yes — user signs with card, chains to Federal Root CA | Requires hardware |
| Verifiable Credentials | Yes — govt-issued credential presented directly | Ecosystem still maturing |
| Intermediary IdP (Auth0 etc.) | No — third party must trust the broker | Low |
Direct OIDC federation — ATOMx federates directly with each agency IdP (login.gov, DoD, etc.) and retains the original government-signed JWT in the audit record. The agency can verify their own signature on it without trusting ATOMx as an intermediary.
PIV / CAC — the user signs the action with their smart card’s private key. The signature chains to the Federal Common Policy Root CA and is self-contained and verifiable by any agency that trusts that root. The strongest option for non-repudiation.
Verifiable Credentials — the government-issued credential is presented directly and attached to the audit record, with no intermediary in the trust chain.
Recommendation
The audit record must contain either the original government-signed JWT or a user-generated cryptographic signature — something the government can verify without trusting ATOMx as an intermediary. This points to direct federation at minimum, and PIV / Verifiable Credentials where strong non-repudiation is a hard requirement.
5. NIST 800-63 Assurance Levels
ATOMx pilot identity maps to NIST SP 800-63-3 assurance levels. Each level constrains which trust-ladder cell a pilot can occupy.
| Level Family | What It Asserts | ATOMx Mapping |
|---|---|---|
| IAL — Identity Assurance Level | Confidence in the identity-proofing process | IAL2 minimum for “Strongly Verified” pilot; IAL3 preferred for L5 hardware-anchored flights |
| AAL — Authenticator Assurance Level | Confidence in the authentication act at session start | AAL2 minimum (multi-factor); AAL3 (hardware authenticator + verifier impersonation resistance) for L5 |
| FAL — Federation Assurance Level | Confidence in federated assertions | FAL2 minimum for federated sessions; FAL3 with holder-of-key for high-assurance |
acr claims in OIDC tokens (§2) carry the IAL/AAL URIs (http://idmanagement.gov/ns/assurance/ial/2, etc.). Verifiers that ignore acr are effectively treating IAL2 and IAL3 as equivalent — the trust-ladder mapping requires reading and enforcing these claims.
6. FIDO2 / WebAuthn and Passkeys
PIV / CAC are excellent for federal personnel but are not feasible for the broader pilot population. FIDO2 / WebAuthn is the practical successor: a hardware authenticator (security key, platform authenticator, or attested mobile device) generates a per-relying-party keypair, never reveals the private key, and produces a signed assertion at authentication time.
For ATOMx pilots without a federal credential, a FIDO2 authenticator paired with login.gov-grade IAL2 proofing approaches the non-repudiation property of PIV without the smart-card logistics. Passkeys (synced credentials) are accepted at AAL2 but capped below AAL3 because the private key may exist on multiple devices.
7. Mobile Driver’s License (mDL)
ISO/IEC 18013-5 mDL is the natural Verifiable-Credential bridge for state-issued identity. As state issuers come online and mDL wallets stabilize (timeline 2026–2028), ATOMx will accept mDL presentations as identity-proofing evidence with the issuing state’s public key as the trust anchor — analogous to PIV chaining to the Federal Common Policy Root. mDL is not in MVP scope but the trust-ladder is designed to admit it without re-architecting.
8. Identity Lifecycle and Edge Cases
| Concern | ATOMx Approach |
|---|---|
| login.gov outage | Strongly Verified tier degrades to Weakly Verified for the duration of the outage; recent sessions remain valid until token expiry; ATOMx tracks per-channel availability and surfaces “identity-source degraded” to authority watch floors |
| Identity-proofing vendor diversity | login.gov uses LexisNexis / Socure under the hood; ATOMx does not pin a specific vendor — proofing-result metadata is captured but not chained |
| Session length / step-up auth | Session tokens are short-lived; sensitive actions (issuing a flight, accepting an authorization) trigger step-up authentication regardless of session age |
| Account recovery | Recovery flows are the issuer’s responsibility (login.gov, agency IdP); ATOMx records the recovery event but does not gate it. A recovered identity does not regain its old session — credentials must be re-presented |
| Lost / stolen authenticator | Pilot revokes authenticator with issuer; ATOMx propagates revocation to active authorizations; flights in progress retain their issued capsule but the pilot cannot start new ones |
| Deceased pilot | Authority-initiated revocation cascade; affiliated operators notified; outstanding authorizations revoked |
| Name change / identity update | Issuer re-proofs identity; ATOMx records the rebinding event with both old and new identifiers in the audit ledger; affiliations migrate |
| Sybil resistance | Strongly Verified channels rely on the issuer’s IAL2/IAL3 controls; “Declared” and “Anonymous” rows of the trust ladder offer no Sybil resistance and are not accepted for issued authorizations |
| International pilots without US federal IdP | Bilateral agreements (eIDAS / EUDI Wallet, ICAO frameworks) are tracked as a roadmap item; today, foreign pilots flying in US airspace require sponsorship by a US-credentialed operator |
| Minor pilots (under 18) | Permitted under Part 107 with adult sponsor; identity-proofing channel constrained to those that accept minors; trust-ladder cell unchanged |
9. The Pilot Identity Channels in ATOMx
PRDs and the whitepaper reference “verified pilot identity” abstractly. The concrete channels named across meetings are:
| Channel | Tier | Notes |
|---|---|---|
| login.gov | Strongly Verified | Primary federal channel; NIST 800-63 IAL2 |
| PIV / CAC | Strongly Verified | Federal personnel; chains to Federal Common Policy Root CA |
| Agency SSO + biometric | Strongly Verified | State and local |
| Clear / TSA PreCheck / passport-grade KYC | Strongly Verified | Commercial tier; introduced Apr 3, 2026 |
| FAA FTN | Weakly Verified | Verified against IACRA but does not prove the holder is present; must be paired with login.gov or equivalent |
| Part 107 credential proofing | Weakly Verified | sUAS recreational/commercial baseline |
| Remote ID Operator field | Declared | Self-reported |
| Anonymous | Unknown | No declared identity |
FAA DiSCVR is referenced as a correlation source, not as a primary identity-proofing channel — its availability for direct identity verification is constrained.
10. Cross-References
- The PKI substrate this page assumes: PKI and Chains of Trust
- The trust-ladder cells driven by pilot identity: Trust Ladder §4
- How the verified pilot identity is bound into the authorization package: Authorization Package §1
- Pilot enrollment lifecycle: Onboarding Operators and Pilots
- Pilot-identity-related threats (impersonation, broker compromise, stolen authenticator, Sybil): Threat Model §2 and §10
Implementation Readiness — Open Questions
Each entry below identifies a decision not yet locked. Items marked (ADR) should be formalized as an Architecture Decision Record before implementation begins. Items marked (blocking) must be resolved before the relevant feature can be built.
| # | Question | Owner | ADR? | Blocking? |
|---|---|---|---|---|
| 1 | Which IdP do we integrate first at MVP — direct login.gov OIDC, or an Auth0/Okta broker fronting login.gov? §4 argues against brokers for non-repudiation, but operational cost of direct-per-agency federation is high. Need a locked decision on the MVP topology and the migration path if we start with a broker. | Engineering + Security | Yes — “ATOMx Primary IdP Topology and Federation Strategy” | Yes |
| 2 | What are the contractual and SLA terms for federation with login.gov (and later DoD, agency IdPs)? Onboarding timeline, rate limits, claim-set negotiation, and IAL2 attestation language need to be settled before we can build the relying-party integration. | Product + Legal + External (GSA / login.gov) | No | Yes |
| 3 | What is the FIDO2 / WebAuthn attestation policy? Do we require attested authenticators (and which AAGUIDs / FIDO MDS trust list), accept self-attestation, and is the synced-passkey AAL2 cap enforced in code or by policy alone? | Security + Engineering | Yes — “FIDO2 Attestation and Passkey Acceptance Policy” | Yes for L4/L5 |
| 4 | mDL adoption timeline and state-issuer trust list — which states’ mDLs do we accept, how is the IACA root list maintained and rotated, and who owns the operational trust store? §7 defers this past MVP but the schema must admit it. | Product + Security | Yes — “mDL Acceptance and State Issuer Trust List Governance” | No (post-MVP) |
| 5 | Account recovery flows — §8 says recovery is the issuer’s responsibility, but ATOMx-side behavior on rebinding (session invalidation, affiliation migration, audit semantics, replay-attack window) needs explicit rules and edge cases. | Product + Security | Yes — “Identity Rebinding and Recovery Event Handling” | Yes |
| 6 | Session-management specifics — exact access-token lifetime, refresh-token rotation policy, idle vs. absolute session caps, and the concrete list of step-up triggers (which actions, which AAL required). §8 names the pattern but not the numbers. | Engineering + Security | Yes — “Session Lifetime, Refresh, and Step-Up Authentication Triggers” | Yes |
| 7 | PIV / CAC technical integration — smart-card middleware (OpenSC vs. vendor), browser/OS APIs (WebAuthn-CTAP2 PIV bridge vs. native client), and whether MVP supports web-only or requires a desktop companion. | Engineering | Yes — “PIV/CAC Client Integration Architecture” | Yes for federal pilots |
| 8 | International pilots — §8 says foreign pilots require US-credentialed operator sponsorship today. Is that the locked MVP policy, and what is the roadmap commitment for eIDAS / EUDI Wallet / ICAO acceptance? | Product + Legal | No (policy decision, not architecture) | No |
| 9 | Sole-proprietor pilot / operator collapse — when a single human is both pilot and operator, do we issue two distinct identities or collapse them, and how does the affiliation graph represent it? Affects authorization-package binding. | Product + Engineering | Yes — “Sole-Proprietor Identity and Operator Collapse Rules” | Yes |
| 10 | Minor-pilot enrollment workflow — §8 mentions adult sponsor and constrained channels but does not specify the proofing flow, consent capture, sponsor-revocation cascade, or how the affiliation graph models the sponsor link. | Product + Legal | Yes — “Minor Pilot Enrollment and Sponsor Affiliation Model” | No (not MVP scope) |
| 11 | Identity-proofing vendor selection beyond login.gov — §8 notes login.gov uses LexisNexis / Socure transparently. For the Commercial tier (Clear, TSA PreCheck, passport-grade KYC, introduced Apr 3 2026), which vendor(s) do we contract with, and what claims/evidence do we retain? | Product + Security + External (vendor) | Yes — “Commercial-Tier Identity Proofing Vendor Selection” | Yes for Commercial tier |
| 12 | login.gov outage handling — §8 says the tier degrades to Weakly Verified and sessions remain valid until expiry. Need concrete rules: max degradation window, what authority operations are blocked vs. allowed, alerting thresholds, and the manual override procedure. | Security + Product | Yes — “login.gov Availability Degradation and Failover Policy” | Yes |