Part V · 1 — Identity and transport
This is where the theory lands. Every Koder Stack choice for *proving who you are* and protecting what moves is a primitive from the earlier parts, chosen on purpose — not an accidental default.
1.1 Koder ID — the Stack's identity
Koder ID (services/foundation/id) is the single identity provider for the whole Stack: an OAuth/OIDC server that every login passes through. Its cryptographic choices map directly onto Part II:
| Function | Primitive | Part |
|---|---|---|
| Password hash | Argon2id (\(m\)19 MiB, \(t\)2, \(p\)=1) | II — KDF/passwords |
| Session token | 256-bit random + HMAC-SHA256 | II — MAC |
| JWT signature | Ed25519 (not HS256/RS256) | II — signature |
| Passwordless login | Passkeys / WebAuthn | II — asymmetric |
JWT signing with Ed25519 is the exemplary decision: the public key is published at /.well-known/jwks.json, and any service verifies the token without sharing a secret — exactly the non-repudiation property that separates signature from MAC (Part I). And passkeys take this to login: the private key never leaves the device; the server keeps only the public one.
1.2 TLS in Koder Jet
All web traffic passes through Koder Jet (infra/net/jet), the Stack's single server. The TLS posture is Part III applied:
- TLS 1.3 only for new sites (1.2 with ECDHE-AEAD only in legacy compat).
- AEAD suites only: AES-GCM and ChaCha20-Poly1305 (preferred without AES-NI) —
- Key exchange X25519, with the X25519MLKEM768 hybrid in pilot — the
Part IV already entering production.
- Forbidden: TLS 1.0/1.1, RC4, 3DES, MD5, SHA-1, RSA key transport, CBC modes
— the whole list of historical weaknesses from the earlier parts.
- HSTS with
preloadon all subdomains; HTTPS only, 301 redirect(
policies/security.kmd).
The certificates come from services/foundation/certs via ACME DNS-01 (ClouDNS), chained through the web PKI — with automatic rotation every 90 days (short validity instead of revocation).
1.3 Hardened SSH
Access to servers and to Koder Flow uses OpenSSH 9.6+ with strict KEX (Terrapin attack mitigation):
- Host keys Ed25519; key-only authentication (password off); root by key
only.
- KEX
sntrup761x25519— note: already post-quantum hybrid, like TLS. - Cipher ChaCha20-Poly1305 (AEAD); MAC HMAC-SHA-512-ETM (encrypt-then-MAC).
It is the same fit as TLS — key exchange + AEAD + MAC — in a different protocol, reinforcing the lesson of Part III: the protocols change, the primitives and the pattern repeat.
Dense reference: exact suites, full SSH config, and the hybrid pilot in
14-koder-applied. Next: Data and keys — encryption at rest and the key lifecycle.