NAMCHE

Network Authenticated Mesh Certificate Hub & Exchange

The gateway where Math itself verifies your identity. No human CA required.

v2.8.2
"In the high passes of the Himalayas, the Sherpa does not consult a distant committee. The Sherpa reads the snow, the wind, the angle of the ice. The mountain itself is the arbiter."

Overview

NAMCHE replaces human-operated Certificate Authorities with pure mathematical verification. Instead of trusting a third party to vouch for an identity, NAMCHE uses cryptographic proofs that anyone can verify independently.

The Problem with Traditional PKI

  • Single point of failure — CA compromise affects all certificates
  • Human judgment — Humans can be bribed, coerced, or make mistakes
  • Jurisdictional — CAs are bound by legal frameworks that may conflict
  • Centralized trust — "Trust me because I say so"

The NAMCHE Solution

Traditional:
Human says "trust this" → You trust it
NAMCHE:
Math proves "this is valid" → You verify it

The 7 Gates

Every identity document (DOKO) must pass through 7 mathematical gates. Each gate is a binary check — pass or fail. There is no "maybe."

1️⃣

STRUCTURE_OK

Valid DOKO format with all required fields present

2️⃣

SIGNATURE_OK

ML-DSA-65 signature verifies against public key

3️⃣

NODEID_OK

NodeID matches two-part derivation (network + instance)

4️⃣

TEMPORAL_OK

Not expired, not from future (±5min clock skew tolerance)

5️⃣

NETWORK_OK

Correct network name (derived from codebase hash)

6️⃣

NOT_REVOKED

Not in mesh-distributed revocation log

7️⃣

DOMAINS_OK

Quorum-verified domain claims (Sybil-resistant)

Gate Results

The verification result is a bitmask showing which gates passed: 

// All gates passed (127 = 0b1111111)
{
  "verified": true,
  "gates": 127,
  "gatesChecked": [
    "STRUCTURE_OK",
    "SIGNATURE_OK", 
    "NODEID_OK",
    "TEMPORAL_OK",
    "NETWORK_OK",
    "NOT_REVOKED",
    "DOMAINS_OK"
  ],
  "dokoHash": "sha3-256:a1b2c3..."
}

// Gate 2 failed (signature invalid)
{
  "verified": false,
  "gates": 1,
  "failedGate": "SIGNATURE_OK",
  "error": "Signature verification failed"
}

Usage

import { NamcheGateway } from 'yakmesh/security';

// Create gateway instance
const gateway = new NamcheGateway({
  networkName: 'mobius-rabi-junction',
  clockSkewTolerance: 5 * 60 * 1000,  // 5 minutes
});

// Verify a DOKO
const result = await gateway.verify(peerDoko);

if (result.verified) {
  console.log('✓ Identity verified through all 7 gates');
  console.log('Gates passed:', result.gatesChecked);
} else {
  console.log('✗ Verification failed at:', result.failedGate);
  console.log('Reason:', result.error);
}

// Check specific gate
if (result.gates & gateway.GATE.SIGNATURE_OK) {
  console.log('Signature is valid');
}

Sybil Attack Protection

The domain verification gate (Gate 7) includes multiple layers of Sybil attack protection:

Age Requirement

Verifiers must have beacons older than 7 days

IP Diversity

Minimum 3 different /24 subnets required

ASN Diversity

Minimum 2 different Autonomous Systems

Claimant Exclusion

Domain claimant cannot verify themselves

Events

gateway.on('verification-passed', ({ nodeId, dokoHash, gates }) => {
  console.log(
ode ${nodeId} verified successfully`);
});

gateway.on('verification-failed', ({ nodeId, failedGate, error }) => {
  console.log(
ode ${nodeId} failed at gate ${failedGate}: ${error}`);
});

gateway.on('doko-cached', ({ nodeId, expiresAt }) => {
  console.log(`DOKO cached for ${nodeId} until ${expiresAt}`);
});

Continue the Journey

← Previous
NAKPAK

Onion routing
Next →
DOKO

Identity certificates