From DNS query to verified data exchange — in milliseconds.

Stargate transforms email infrastructure from trust-dependent to trust-verified. Every message exchange between organizations resolves cryptographic identity, establishes policy consent, and creates an auditable trail — without adding workflow overhead or changing how end users work.

Book a 30-minute architecture walkthrough

Current trust systems force organisations to depend on central authorities for every identity check and every data exchange. Vereign's architecture eliminates these dependencies by enabling each organisation to control its own cryptographic identity and verify others directly. This is how it works in practice, from key management to verified data exchange.

What happens when you send a message

The 7-step sequence below is the path every Stargate-enabled message takes — from the moment your DNS client makes a query to the moment data arrives verified and audited at its destination.

1

Step 1: DNS Proxy intercepts the query

When your application resolves a counterparty's domain (e.g., hospital-b.ch), the Stargate DNS Proxy intercepts the query before it reaches your upstream resolver. This is the entry point — no changes to application code required. The proxy operates transparently at the network layer.

2

Step 2: Identity Agent checks counterparty status

The Identity Agent queries the counterparty's Stargate-published identity record. Two outcomes: the counterparty is Stargate-enabled (proceed with full cryptographic verification) or it is not (fall back to standard delivery, flagging the message as unverified). This is how Stargate achieves backward compatibility — it never blocks messages to non-Stargate counterparts.

3

Step 3: WireGuard tunnel established using DKMS-derived keys

If the counterparty is Stargate-enabled, a WireGuard VPN tunnel is established using keys derived from the DKMS identity records of both organizations. These keys are not issued by a central certificate authority — they are derived from each organization's own KERI key event log. The tunnel is bilateral: each party is authenticated to the other independently.

4

Step 4: Policy Engine evaluates consent

Before any data moves, Stargate's policy engine (Open Policy Agent, OPA) evaluates whether this data exchange is authorized under both parties' policies. For healthcare data, the FHIR Resolver checks resource-level consent: patient consent records, organizational authorizations, and sector-specific regulations (EHDS, Swiss DPA) are evaluated in real time. Data that is not authorized by policy does not move.

5

Step 5: Token translated locally

Your existing OAuth tokens and X.509 certificates remain valid. Stargate's compatibility bridge translates KERI-anchored credentials to JWT or X.509 format at the receiving end — locally, without contacting any external authority. Your identity infrastructure does not change. Stargate extends it to operate across organizational boundaries.

6

Step 6: Data exchanged over encrypted mesh

With policy consent confirmed and the encrypted WireGuard tunnel established, the data exchange proceeds. SEAL (Secure Evidence and Authenticity Layer) wraps every message with a verifiable authenticity layer — the receiving organization can prove who sent the data, when it was sent, and that it has not been modified in transit. This replaces S/MIME's dependency on third-party certificate authorities with bilateral DKMS-derived verification.

7

Step 7: Audit trail recorded in KEL/TEL

Every exchange creates an entry in KERI's Key Event Log (KEL) and Transaction Event Log (TEL). These logs are tamper-evident and independently verifiable by any party — not just by a central log server. For regulated sectors, this means cross-organizational audit trails that are cryptographically sound and available without centralized infrastructure. Your compliance team can verify any exchange independently, at any time.

Five layers of trust infrastructure

Stargate's trust stack is designed in layers. Each layer does one thing well and hands off cleanly to the next. Existing infrastructure plugs into the compatibility layer — nothing is ripped out.

Stargate's five-layer trust architecture — identity anchored at the edge, policy at the centre, compatibility at the surface
Stargate Five-Layer Trust Architecture Stargate Five-Layer Trust Architecture Each layer handles one concern — trust flows upward from identity to audit 5 Audit KEL · TEL Tamper-evident Key Event & Transaction Event Logs Independently verifiable audit trails — no central log server 4 Compatibility JWT · X.509 · OAuth Translates KERI credentials to formats existing systems understand Stargate extends your token infrastructure — does not replace it 3 Authorization OPA · ACDC · FHIR Policy engine evaluates consent before any data moves Machine-readable data sharing agreements at infrastructure layer 2 Transport WireGuard Encrypted bilateral tunnel — keys derived from DKMS, not issued by CA No third party can intercept or revoke — each org controls its own keys 1 Identity DKMS · KERI Cryptographic root — each organization controls its own key event log PKI at the edge — no central authority, bilateral trust establishment trust flows up Foundation (sovereign) Policy centre Compatibility Audit surface

What stays. What changes.

Stargate is not a replacement project. It is an extension of the infrastructure you already operate. The table below shows what you keep and what Stargate adds.

443 GDPR data breaches reported daily across Europe, with cumulative fines exceeding EUR 1.2 billion — DLA Piper GDPR Fines and Data Breach Survey

What stays

  • OAuth 2.0 / OIDC — continues to handle internal authentication and local token issuance. No changes required.
  • X.509 certificates — remain valid. The KERI-to-X.509 bridge translates at the boundary without touching your PKI.
  • JWT — your token format is unchanged. Stargate produces KERI-anchored verifiable credentials that translate to JWT at the receiving end.
  • SMTP / DKIM / DMARC — email routing and anti-spam infrastructure remains in place. SEAL adds a verifiable authenticity layer on top of DKIM, not instead of it.
  • Existing workflows — end users send email as before. The trust verification is invisible to them.

What changes

  • Centralized certificate authority dependency — replaced by bilateral DKMS-anchored key derivation. No third party can revoke your organization's ability to communicate.
  • Trust-on-first-use email — replaced by cryptographically verified organizational identity on every exchange. Phishing and impersonation attacks on organizational communication are structurally prevented.
  • Manual consent workflows — replaced by policy-engine-evaluated consent (OPA). Data sharing agreements are machine-readable and enforced at the infrastructure layer.
  • Fragmented audit trails — replaced by cryptographically linked KEL/TEL records that are independently verifiable across organizational boundaries.

Others tried decentralised identity. What makes this different?

This is the right question. Three well-funded projects failed to deliver decentralised identity at scale:

  • Sovrin — The Sovrin Foundation ran out of operating capital in 2023. Its Hyperledger Indy blockchain required ongoing validator node coordination and a funded foundation to maintain governance. When the foundation could not sustain itself, the network stalled. The failure mode was not technical — it was governance and economic: blockchain dependency created a coordination problem that required centralized management to solve.
  • uPort — ConsenSys's identity project was rebranded as Serto, then pivoted away from the identity space entirely. uPort built on Ethereum, which meant every identity operation had gas fees and on-chain transaction latency. Production-scale identity management — millions of events per day — is not economically viable on a public blockchain.
  • Jolocom — Pivoted away from identity infrastructure after failing to achieve production adoption. The common failure pattern across SSI projects: dependence on blockchain infrastructure that cannot scale economically, or foundation governance that cannot sustain itself.

KERI is structurally different. It has no blockchain dependency. Key events are anchored in append-only logs that each controller maintains independently — no shared ledger, no gas fees, no foundation governance required. The network does not need a central coordinator because trust is established bilaterally between parties, not validated by a shared global state.

The institutional validation: GLEIF — the Global Legal Entity Identifier Foundation — operates the global LEI system for financial institutions in 180 countries. GLEIF chose KERI for the vLEI (verifiable Legal Entity Identifier) system. This is not a proof-of-concept. It is production infrastructure verifying the identity of financial institutions globally. Stargate builds on the same KERI foundation that GLEIF validated at institutional scale.

Want to understand how this fits your organisation?

See how verified trust infrastructure applies to your specific requirements and regulatory environment.

See how this applies to your sector Book an architecture review Explore partnership opportunities
Swiss Data Protection GDPR Compliant Open Source AGPLv3+ Swiss Hosting