Omitly · Security

Cryptography

This page lists every cryptographic primitive in Omitly, drawn directly from our cryptographic bill of materials (CBOM v1). We publish it so a reviewer can evaluate exactly what we use and how, rather than take our word for it.

On FIPS: where an algorithm is FIPS-approved, our implementation is not a CMVP-validated module. We state this as "approved algorithm, non-validated implementation" throughout โ€” never "FIPS compliant."

Tamper-evidence seal: signing & verification

Primitive: signature · Ed25519
Implementation: ed25519-dalek 2
Purpose: Signs the entire delivered PDF (trailing %%OMITLY-SEAL appendix). Verification uses verify_strict, which rejects non-canonical and malleable signatures. The key is generated per install, so the seal proves integrity (the delivered bytes are unchanged since sealing), not the identity of whoever sealed them (see CLAUDE.md invariant #2).
FIPS posture: FIPS 186-5 approved algorithm; ed25519-dalek is NOT a CMVP-validated module. State "approved algorithm, non-validated implementation", never "FIPS compliant".
Source: src-tauri/src/seal.rs

Offline license verification

Primitive: signature · Ed25519
Implementation: ed25519-dalek 2
Purpose: Verifies Omitly Pro license signatures fully offline, with no network access and no PII.
FIPS posture: Same posture as the seal above: FIPS 186-5 approved algorithm, non-validated implementation.
Source: crates/licensing/src/lib.rs
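Both Ed25519 uses above (the seal and the license check) rest on the same verification rule, and the seal entry's security point is that verify_strict refuses malleable signatures. The following is an added example, not Omitly's code and not ed25519-dalek: Ed25519 (RFC 8032) written out in plain Python so the strict-verifier checks are visible next to the lax check they replace. The strict path refuses S >= L, non-canonical point encodings and small-order A or R; the lax path reduces S mod L and accepts anything that decodes, which is exactly what lets a second byte string verify for the same key and message. The seed and expected outputs are the RFC 8032 test vector; use a reviewed library for anything real.

```python
"""Ed25519 (RFC 8032) in plain Python: added example, not Omitly's code.
Strict verification models the class of inputs a strict verifier refuses;
lax verification shows why that matters."""
import hashlib

Q = 2**255 - 19                                        # field prime
L = 2**252 + 27742317777372353535851937790883648493    # prime group order
D = (-121665 * pow(121666, Q - 2, Q)) % Q              # curve constant d
I = pow(2, (Q - 1) // 4, Q)                            # sqrt(-1) mod Q

def _add(P1, P2):
    """Affine twisted-Edwards addition; complete on this curve, so it doubles
    and handles the identity (0, 1) without special cases."""
    x1, y1 = P1
    x2, y2 = P2
    t = D * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, Q - 2, Q)
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, Q - 2, Q)
    return (x3 % Q, y3 % Q)

def _mul(P, e):
    """Double-and-add, most significant bit first."""
    R = (0, 1)
    for i in reversed(range(e.bit_length())):
        R = _add(R, R)
        if (e >> i) & 1:
            R = _add(R, P)
    return R

def _x_from_y(y):
    """Even square root x of (y^2 - 1)/(d y^2 + 1), or None if none exists."""
    xx = ((y * y - 1) * pow(D * y * y + 1, Q - 2, Q)) % Q
    x = pow(xx, (Q + 3) // 8, Q)
    if (x * x - xx) % Q:
        x = (x * I) % Q
    if (x * x - xx) % Q:
        return None
    return x if x % 2 == 0 else Q - x

_BY = (4 * pow(5, Q - 2, Q)) % Q
BASE = (_x_from_y(_BY), _BY)

def _encode(P):
    x, y = P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def _decode(s, strict):
    """Decompress 32 bytes to a point, or None.  In strict mode y >= Q, or
    x == 0 carrying a sign bit, is a non-canonical encoding and is refused."""
    n = int.from_bytes(s, "little")
    y, sign = n & ((1 << 255) - 1), n >> 255
    if strict and y >= Q:
        return None
    x = _x_from_y(y % Q)
    if x is None or (strict and x == 0 and sign):
        return None
    if (x & 1) != sign:
        x = (Q - x) % Q
    return (x, y % Q)

def _small_order(P):
    return _mul(P, 8) == (0, 1)

def _expand(seed):
    h = hashlib.sha512(seed).digest()
    a = int.from_bytes(h[:32], "little")
    a = (a & ((1 << 254) - 8)) | (1 << 254)            # clamp per RFC 8032
    return a, h[32:]

def public_key(seed):
    a, _ = _expand(seed)
    return _encode(_mul(BASE, a))

def sign(seed, msg):
    a, prefix = _expand(seed)
    pk = _encode(_mul(BASE, a))
    r = int.from_bytes(hashlib.sha512(prefix + msg).digest(), "little") % L
    R = _encode(_mul(BASE, r))
    k = int.from_bytes(hashlib.sha512(R + pk + msg).digest(), "little") % L
    return R + ((r + k * a) % L).to_bytes(32, "little")

def verify(pk, msg, sig, strict=True):
    """strict=True refuses S >= L, non-canonical R/A and small-order R/A.
    strict=False reduces S mod L and accepts any decodable R/A, which is
    why the output of malleate() still verifies there."""
    if len(pk) != 32 or len(sig) != 64:
        return False
    S = int.from_bytes(sig[32:], "little")
    if strict and S >= L:
        return False
    R, A = _decode(sig[:32], strict), _decode(pk, strict)
    if R is None or A is None:
        return False
    if strict and (_small_order(A) or _small_order(R)):
        return False
    k = int.from_bytes(hashlib.sha512(sig[:32] + pk + msg).digest(), "little") % L
    return _mul(BASE, S % L) == _add(R, _mul(A, k))

def malleate(sig):
    """Same R, S replaced by S + L: a different byte string for the same key
    and message that only a non-strict verifier accepts."""
    S = int.from_bytes(sig[32:], "little") + L
    return sig[:32] + S.to_bytes(32, "little")

if __name__ == "__main__":
    seed = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")
    pk, sig = public_key(seed), sign(seed, b"")
    print(verify(pk, b"", sig), verify(pk, b"", malleate(sig)), verify(pk, b"", malleate(sig), strict=False))
```

The practical consequence for a sealed PDF: with a lax verifier, anyone can produce a second, byte-different seal that verifies for the same document, which defeats any scheme that treats the seal bytes themselves as unique (dedup, audit logs keyed by signature). Strict verification removes that freedom, which is the property the seal entry above relies on.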

Document / report hashing

Primitive: hash
Implementation: sha2 0.10
Purpose: Hashes audit reports and the delivered bytes; these digests feed seal signing and license verification.
FIPS posture: FIPS 180-4 approved algorithm; sha2 is NOT a CMVP-validated module.
Source: src-tauri/src/seal.rs, crates/licensing/src/lib.rs

PAdES signing: CMS SignedData

Implementation: cryptographic-message-syntax 0.28
Purpose: Builds RFC 5652 CMS SignedData over a BYOC (bring-your-own-certificate) RSA or ECDSA key for PAdES interoperability with real-world PDF viewers (Acrobat). The crate does not fix one algorithm: RSA vs ECDSA is determined by the imported certificate. This signature composes with the Ed25519 seal and never precedes it (CLAUDE.md invariant #6). Algorithm floors: certificates issued with SHA-1 and RSA keys below 2048 bits are refused outright; RSA below 3072 bits signs with a warning (NIST SP 800-131A / ASD ISM). Revocation (OCSP/CRL) is NOT checked in this milestone, so a revoked but otherwise valid certificate is still accepted.
Source: src-tauri/src/sign.rs

X.509 certificate parsing

Implementation: x509-certificate 0.25
Purpose: Parses and validates imported signing certificates for PAdES. The algorithm floor and expiry are re-checked at sign time, not only at import, so a certificate that expired after import is refused (CLAUDE.md invariant #9).
Source: src-tauri/src/sign.rs
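The certificate gate spans the two entries above: the algorithm floors from the CMS SignedData entry and the sign-time re-check from the X.509 entry. The following is an added example, not Omitly's code (Omitly's gate lives in src-tauri/src/sign.rs and uses x509-certificate; this does no ASN.1 parsing). CertSummary is a hypothetical stand-in for the fields a parsed certificate exposes. The floors are the ones the page states: SHA-1 issuance and RSA below 2048 bits are refused, RSA below 3072 bits warns; the page states no ECDSA floor, so none is applied, and revocation is not checked, matching the milestone caveat. The point it makes is that the import-time verdict is not cached: the same gate runs again with the sign-time clock.

```python
"""Added example, not Omitly's code: PAdES certificate gate run at import
and again at sign time.  CertSummary is a hypothetical stand-in for a
parsed X.509 certificate; no revocation check, per the milestone caveat."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class CertSummary:          # hypothetical parsed-certificate summary
    subject: str
    sig_hash: str           # hash in the issuer's signature: "sha1", "sha256", ...
    key_type: str           # "rsa" or "ecdsa"
    key_bits: int           # RSA modulus size; unused for ecdsa (no floor stated)
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class GateResult:
    allowed: bool
    refusals: tuple         # reasons the certificate is refused outright
    warnings: tuple         # non-fatal findings surfaced to the user


def gate_signing_cert(cert: CertSummary, now: datetime) -> GateResult:
    """Algorithm floors plus validity window, evaluated against `now`."""
    refusals, warnings = [], []
    if cert.sig_hash.lower() == "sha1":
        refusals.append("certificate issued with a SHA-1 signature")
    if cert.key_type.lower() == "rsa":
        if cert.key_bits < 2048:
            refusals.append(f"RSA key is {cert.key_bits} bits, below the 2048-bit floor")
        elif cert.key_bits < 3072:
            warnings.append(f"RSA key is {cert.key_bits} bits, below 3072 (NIST SP 800-131A / ASD ISM)")
    if now < cert.not_before:
        refusals.append("certificate is not yet valid")
    if now > cert.not_after:
        refusals.append("certificate has expired")
    return GateResult(not refusals, tuple(refusals), tuple(warnings))


def sign_with_cert(cert: CertSummary, import_time: datetime, sign_time: datetime):
    """Returns (status, result).  The import-time verdict is not carried
    over: the gate runs again with the sign-time clock, so a certificate
    that passed at import but expired since is refused at sign time."""
    at_import = gate_signing_cert(cert, import_time)
    if not at_import.allowed:
        return "refused at import", at_import
    at_sign = gate_signing_cert(cert, sign_time)
    if not at_sign.allowed:
        return "refused at sign time", at_sign
    return "signed", at_sign            # CMS SignedData would be built here


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


if __name__ == "__main__":
    # Constructed sample: valid when imported, expired by the time signing happens.
    cert = CertSummary("CN=Example Signer", "sha256", "rsa", 2048,
                       utc(2024, 1, 1), utc(2025, 1, 31))
    print(sign_with_cert(cert, utc(2025, 1, 1), utc(2025, 3, 1)))
```

Passing `now` in rather than reading the clock inside the gate is what makes the two evaluations testable and keeps the sign-time check honest: the caller cannot accidentally reuse the import-time result.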

Crypto backend for CMS/X.509

Primitive: other
Implementation: ring 0.17
Purpose: Direct dependency of both cryptographic-message-syntax and x509-certificate (confirmed via a Cargo.lock reverse-dependency trace, not assumed). It is the actual crypto backend behind their CMS/X.509 operations, not merely a transitive pull-through.

Signing-key seed generation

Primitive: drbg
Implementation: getrandom 0.2
Purpose: Seeds the per-install Ed25519 seal signing key.
FIPS posture: The randomness comes from the OS-provided CSPRNG via getrandom, not from a DRBG construction implemented in a crate; "drbg" is the closest available CycloneDX primitive type and is used here for that reason, noted for precision.
Source: src-tauri/src/seal.rs

Post-quantum

Omitly's signatures (Ed25519) are classical. The tamper-evidence seal and license signatures are integrity mechanisms with short-lived trust relationships, not long-term confidentiality: a harvest-now-decrypt-later adversary gains nothing, because no document content is ever encrypted or transmitted. The quantum risk to a signature scheme is forgery rather than decryption, and it only affects signatures that are still being relied on once such a machine exists. We track NIST PQC standardization and will publish a migration statement before it becomes materially relevant to this threat model.