Trust Threshold Configuration
Overview
The min_trust_threshold setting controls trust-gated TLS verification at the network transport layer. This setting determines the minimum trust score required for a peer to establish a QUIC/TLS connection.
Configuration
Add to your icn.toml configuration file under the [network] section:
[network]
listen_addr = "0.0.0.0:7777"
rpc_port = 5601
mdns_enabled = true
bootstrap_peers = []
min_trust_threshold = 0.1 # Default: 0.1
Trust Score Thresholds
| Threshold | Trust Class | Description |
|---|---|---|
| 0.0 | None (disabled) | Accept all authenticated DIDs. Trust-gated TLS is disabled but DID-TLS binding still provides cryptographic authentication. |
| 0.1 | Known | Require at least one trust edge. Peer must have at least one trust relationship. |
| 0.4 | Partner | Require "Partner" trust class. Peer is a known collaborator. |
| 0.7 | Federated | Require "Federated" trust class. Peer is highly trusted. |
Use Cases
Local Development (min_trust_threshold = 0.0)
For local testing with multiple nodes that don't have pre-established trust relationships:
[network]
min_trust_threshold = 0.0
Benefits:
- Nodes can connect immediately without trust setup
- Simplifies local development and testing
- Still maintains DID-TLS binding for authentication
Security Note: This is only recommended for controlled environments where all nodes are pre-authorized.
Cooperative Deployments (min_trust_threshold = 0.0)
For closed cooperative networks where all nodes are known and trusted:
[network]
min_trust_threshold = 0.0
Use When:
- All nodes in the deployment are pre-authorized
- Network is isolated or behind firewall
- Nodes are managed by the same organization/cooperative
- Trust relationships are managed out-of-band
Public Networks (min_trust_threshold = 0.1 or higher)
For networks that accept connections from external peers:
[network]
min_trust_threshold = 0.1 # or higher
Benefits:
- Protects against untrusted connections
- Enforces trust-based access control
- Only peers with established trust relationships can connect
Recommended for:
- Public-facing nodes
- Federation endpoints
- Nodes accepting external connections
Deployment Examples
Docker/Kubernetes Cooperative Deployment
The deploy-coop.sh script automatically sets min_trust_threshold = 0.0 for cooperative deployments:
./deploy/k8s/multi-node/scripts/deploy-coop.sh alpha "Alpha Cooperative"
This allows cooperative nodes to connect without pre-established trust relationships.
Manual Configuration
Edit /etc/icn/icn.toml or your config file:
[network]
listen_addr = "0.0.0.0:7777"
rpc_port = 5601
mdns_enabled = true
bootstrap_peers = []
min_trust_threshold = 0.0 # For cooperative deployment
Then restart the daemon:
sudo systemctl restart icnd
# or
kubectl rollout restart deployment/icn-alpha -n icn-coop-alpha
Security Considerations
What min_trust_threshold = 0.0 Still Provides
Even with trust-gated TLS disabled, you still get:
- DID-TLS Binding: Every connection is authenticated to a specific DID using Ed25519 signatures
- Transport Encryption: All connections use TLS 1.3 with QUIC
- Message Signing: All messages are cryptographically signed by the sender
- Replay Protection: Nonce-based replay guards prevent message replay attacks
What Changes
With min_trust_threshold = 0.0:
- Any authenticated DID can establish a connection
- Trust scores are still computed and used for rate limiting
- Access control is enforced at the application layer (gossip topics, contracts, etc.)
Best Practices
- Controlled Environments: Use 0.0 only in trusted, controlled deployments
- Monitor Connections: Even with 0.0, monitor who connects to your node
- Application-Layer Security: Trust-gated gossip topics and contracts still enforce trust requirements
- Review Periodically: Re-evaluate trust threshold as your network grows
Troubleshooting
Issue: Nodes reject each other with "insufficient trust"
Symptoms:
๐ Connection rejected: DID did:icn:z... has insufficient trust (score: 0.000, required: 0.100)
Solution:
Set min_trust_threshold = 0.0 in the network configuration for cooperative deployments.
Issue: Want to re-enable trust gating
Solution:
Establish trust relationships between nodes:
icnctl trust add <peer-did> --score 0.5Update configuration to re-enable trust threshold:
[network] min_trust_threshold = 0.1Restart the daemon
Related Documentation
- ARCHITECTURE.md - System architecture and trust model
- production-hardening.md - Security hardening measures
- DEPLOYMENT_GUIDE.md - Kubernetes deployment guide
Version History
- v0.1.0: Trust threshold is hardcoded to 0.1
- v0.2.0: Trust threshold is configurable via
network.min_trust_threshold