1 Definition
The Security Technology Taxonomy defines a structured classification of security technologies used within the MPAI‑PTF Trust Framework. It provides a vocabulary for describing technology classes—such as signature technology, hashing technology, encryption technology, key‑establishment technology, and post‑quantum technology—independent of specific algorithms or implementations.
The taxonomy enables PTF components to express requirements, capabilities, and constraints at the technology level, supporting algorithm agility, policy‑driven selection, and interoperability across heterogeneous systems and cryptographic ecosystems.
2 Functional Requirements
The Security Technology Taxonomy shall:
- Provide unique, stable identifiers for each class of security technology used within PTF.
- Classify technologies into categories such as:
  - Signature technologies
  - Hashing technologies
  - Encryption technologies
  - Key‑establishment technologies
  - Message authentication technologies
  - Confidentiality and integrity technologies
  - Post‑quantum technologies
  - Hybrid technologies
  - Custom or deployment‑specific technologies
- Enable PTF components to express requirements at the technology class level, including:
  - Required technology classes (e.g., “post‑quantum signature technology”)
  - Allowed technology classes (e.g., “any SHA‑3 family hashing technology”)
  - Prohibited technology classes (e.g., “no classical RSA key‑establishment”)
- Support algorithm agility by allowing:
  - Profiles to specify technology‑level requirements
  - Policies to constrain acceptable technology classes
  - Verification components to validate technology‑class compliance
- Provide identifiers that are:
  - Human‑readable
  - Machine‑processable
  - Version‑stable
- Allow deployments to define custom technology classes when needed.
- Serve as a parent classification layer for the Security Algorithm Taxonomy, enabling algorithms to be grouped by their underlying technology.
- Ensure that the taxonomy forms a single authoritative namespace for all PTF security technology classes.
3 Syntax
https://schemas.mpai.community/PTF/V1.0/data/Security.json
4 Semantics
| Label | Description |
|---|---|
| IdentityTechnologies | Technologies used to establish or verify identity. |
| – PKI-X509 | X.509 Public Key Infrastructure identity. |
| – DID-W3C | W3C Decentralized Identifier identity. |
| – VerifiableCredentials | W3C Verifiable Credentials for identity claims. |
| – SPIFFE | SPIFFE identity framework. |
| – TPM-Identity | TPM-backed hardware identity. |
| – SecureEnclave-Identity | Identity derived from hardware secure enclave. |
| – WebAuthn-FIDO2 | WebAuthn/FIDO2 identity authentication. |
| – PSK-Identity | Pre-shared key identity method. |
| – Custom | Implementation-specific identity technology. |
| AuthenticationTechnologies | Technologies used to authenticate an entity. |
| – mTLS | Mutual TLS authentication. |
| – OAuth2 | OAuth 2.0 authentication. |
| – OpenID-Connect | OpenID Connect authentication. |
| – JWT-JWS | Authentication via signed JWT/JWS tokens. |
| – Kerberos | Kerberos ticket-based authentication. |
| – SASL | SASL authentication mechanisms. |
| – HardwareSecurityKeys | Hardware key–based authentication (e.g., FIDO/U2F keys). |
| – TPM-Attestation | TPM-based authentication via attestation. |
| – TEE-Attestation | Trusted Execution Environment attestation authentication. |
| – Custom | Implementation-specific authentication technology. |
| AuthorizationTechnologies | Technologies used to express or enforce authorization. |
| – OAuth2-Scopes | OAuth 2.0 scope-based authorization. |
| – OPA-Rego | Authorization policies defined in OPA Rego. |
| – XACML | XACML authorization framework. |
| – RBAC | Role-Based Access Control. |
| – ABAC | Attribute-Based Access Control. |
| – PBAC | Policy-Based Access Control. |
| – Microsegmentation | Authorization via microsegmented network boundaries. |
| – ServiceMesh-Authorization | Service mesh–enforced authorization. |
| – Custom | Implementation-specific authorization technology. |
| IntegrityTechnologies | Technologies providing data or message integrity. |
| – SHA-256 | SHA‑256 hashing for integrity. |
| – SHA-384 | SHA‑384 hashing for integrity. |
| – SHA-512 | SHA‑512 hashing for integrity. |
| – BLAKE3 | BLAKE3 hashing for integrity. |
| – HMAC | Hash-based Message Authentication Code. |
| – RSA-PSS | RSA-PSS signature for integrity. |
| – ECDSA-P256 | ECDSA P‑256 signature for integrity. |
| – Ed25519 | Ed25519 signature for integrity. |
| – MerkleTree | Merkle tree–based integrity checking. |
| – AEAD-Integrity | Integrity from AEAD authenticated encryption. |
| – Custom | Implementation-specific integrity method. |
| ConfidentialityTechnologies | Technologies providing confidentiality protection. |
| – TLS-1.3 | TLS 1.3 protocol for confidentiality. |
| – mTLS | Mutual TLS with confidentiality. |
| – AES-256-GCM | AES‑256‑GCM authenticated encryption. |
| – ChaCha20-Poly1305 | ChaCha20‑Poly1305 authenticated encryption. |
| – RSA-OAEP | RSA‑OAEP encryption. |
| – EndToEndEncryption | End‑to‑end encrypted communication. |
| – TEE-ConfidentialCompute | Confidential computing inside a TEE. |
| – HomomorphicEncryption | Confidential computation via homomorphic encryption. |
| – SMPC | Secure multiparty computation. |
| – Custom | Implementation-specific confidentiality mechanism. |
| FreshnessReplayProtectionTech | Technologies preventing replay attacks and ensuring freshness. |
| – Nonces | Replay protection via nonces. |
| – Timestamps | Replay protection via timestamps. |
| – MonotonicCounters | Replay protection with monotonic counters. |
| – SequenceNumbers | Replay protection via sequence numbers. |
| – AntiReplayWindows | Replay protection via sliding windows. |
| – ChannelBinding | Replay protection via binding data to the channel. |
| – Custom | Implementation-specific replay protection technology. |
| AttestationTechnologies | Technologies providing attestation of execution environment or system state. |
| – TPM-RemoteAttestation | TPM remote attestation. |
| – TEE-SGX-Attestation | Intel SGX attestation. |
| – TEE-SEV-Attestation | AMD SEV attestation. |
| – TEE-TrustZone-Attestation | ARM TrustZone attestation. |
| – RuntimeIntegrityChecks | Runtime integrity verification mechanisms. |
| – RemoteMeasurementProtocols | Remote measurement–based integrity and attestation protocols. |
| – Custom | Implementation-specific attestation technology. |
| AuditabilityTechnologies | Technologies supporting tamper-evident auditability. |
| – TamperEvidentLogs | Logs designed to show tampering. |
| – WORM-Storage | Write‑Once‑Read‑Many immutable storage. |
| – SignedLogging-RFC5848 | Signed syslog messages (RFC 5848). |
| – BlockchainLogging | Audit logging anchored in blockchains. |
| – HashChainedLogs | Audit logs linked by cryptographic hashes. |
| – SIEM | Security Information and Event Management systems. |
| – ForensicTimestamping | Trusted forensic timestamping. |
| – Custom | Implementation-specific auditability technology. |
| InfrastructureAbstractionTech | Technologies abstracting or isolating infrastructure environments. |
| – VM-Isolation | Virtual machine isolation. |
| – ContainerIsolation | Container-level isolation. |
| – ServiceMesh | Service mesh network abstraction. |
| – MicroVM | Lightweight micro‑virtual machines. |
| – TEE | Trusted Execution Environments. |
| – HypervisorIsolation | Hypervisor‑based system isolation. |
| – Custom | Implementation-specific infrastructure abstraction technology. |
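The Functional Requirements (required, allowed and prohibited technology classes, checked by a verification component) and the Semantics table together describe a technology-class compliance check; the Python below is an added example and is not code from the MPAI-PTF specification or its Security.json schema. It assumes identifiers of the form `<Category>/<Label>`, a `<Category>/*` wildcard, policy keys `required`, `allowed` and `prohibited`, and uses a constructed subset of the table above as the taxonomy.

```python
from typing import Dict, List, Set

# Constructed subset of the Semantics table: category label -> member labels.
TAXONOMY: Dict[str, Set[str]] = {
    "IntegrityTechnologies": {"SHA-256", "SHA-384", "SHA-512", "BLAKE3", "HMAC",
                              "RSA-PSS", "ECDSA-P256", "Ed25519", "MerkleTree",
                              "AEAD-Integrity", "Custom"},
    "ConfidentialityTechnologies": {"TLS-1.3", "mTLS", "AES-256-GCM",
                                    "ChaCha20-Poly1305", "RSA-OAEP", "Custom"},
    "FreshnessReplayProtectionTech": {"Nonces", "Timestamps", "MonotonicCounters",
                                      "SequenceNumbers", "AntiReplayWindows",
                                      "ChannelBinding", "Custom"},
}

def split_id(identifier: str):
    """Split an assumed '<Category>/<Label>' identifier into its two parts."""
    category, _, label = identifier.partition("/")
    return category, label

def is_known(identifier: str) -> bool:
    """True if both the category and the label appear in TAXONOMY.
    Deployment-specific classes are accepted only under the 'Custom' label."""
    category, label = split_id(identifier)
    return label in TAXONOMY.get(category, set())

def matches(pattern: str, identifier: str) -> bool:
    """A pattern is a full identifier or '<Category>/*' for a whole category."""
    p_cat, p_label = split_id(pattern)
    cat, label = split_id(identifier)
    return cat == p_cat and p_label in ("*", label)

def check_policy(policy: Dict[str, List[str]], declared: List[str]) -> List[str]:
    """Evaluate a policy against a component's declared technology classes.
    Assumed keys: 'required' (each pattern needs one matching declared class),
    'prohibited' (no declared class may match) and 'allowed' (in every category
    it names, declared classes must match one of its patterns). Returns violations."""
    violations = [f"unknown identifier: {d}" for d in declared if not is_known(d)]
    for req in policy.get("required", []):
        if not any(matches(req, d) for d in declared):
            violations.append(f"missing required class: {req}")
    for d in declared:
        if any(matches(pro, d) for pro in policy.get("prohibited", [])):
            violations.append(f"prohibited class declared: {d}")
    allowed = policy.get("allowed", [])
    constrained = {split_id(a)[0] for a in allowed}
    for d in declared:
        if split_id(d)[0] in constrained and not any(matches(a, d) for a in allowed):
            violations.append(f"class not in allowed set: {d}")
    return violations
```

An empty result means the declared classes satisfy the profile; each string otherwise names the requirement that failed, which a verification component can log or reject on.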