Sprint X-tail · Cryptographic enrolment
Enrol a device key

Generate a P-256 keypair inside this browser's WebCrypto stack. The private key is stored non-extractably in IndexedDB (never leaves this device). The public key is sent to the server and written to device_keys, and the returned key_id is used as envelope.device when signing subsequent handshakes.

EA Rule 1: This page is the ONLY way a private key material is ever created for this member. The server never sees or possesses the private key. Signatures on /chain/v1/h* can only be produced by whoever holds this browser's IndexedDB.

Enrol a new key

Locally enrolled keys (this browser only)

Reading IndexedDB…

Source: IndexedDB · DB=flip360-chain-signer · store=keys. Read-only view — never leaves the browser.

Where this fits

  1. Enrol here → device_keys row + private key in IDB.
  2. Open /sign/referrer/h1 → sign a real H1 with the enrolled key.
  3. Server verifies signature via src/chain/verify.ts against the stored SPKI PEM.
  4. /chain/v1/h1 returns ok:true. Chain accepted. EA Rule 1 discharged.
Matt's page