the semantic gap
why attacks succeed when signatures don't fail
across different systems, the same failure shows up: cryptographically perfect signatures on wrong payloads.
the signature is valid. the provenance is clean. the bytes match. and the thing you signed is not what you meant to sign.
what existing tools verify
each system answers its own question. none answers: does this match intent?
identity verification
tools: pki, sigstore/fulcio, spiffe
question answered: who is this?
what it catches: impersonation, unsigned content
what it misses: legitimate signer, wrong payload
provenance verification
tools: slsa, in-toto, guac
question answered: where did this come from?
what it catches: build tampering, missing attestations
what it misses: correct provenance, manipulated content
integrity verification
tools: checksums, merkle trees, rekor
question answered: were the bytes tampered?
what it catches: bit-flip, modification after signing
what it misses: original bytes were already wrong
authorization
tools: opa, cedar, rego
question answered: is this action permitted?
what it catches: policy violations
what it misses: permitted action on wrong target
the gap: semantic verification
semantic verification: checking that the payload matches the stated intent, not just that it's signed by the right entity or came from the right place.
historically, identity + integrity seemed sufficient. attacks evolved. now the bottleneck is semantic.
trust stack position
┌─────────────────────────────────────────────────────┐
│ layer 5: authorization │
│ "is this action permitted?" │
│ (opa, cedar, rego) │
├─────────────────────────────────────────────────────┤
│ layer 4: semantics ← 1seal │
│ "does this match intent?" │
│ (last-mile verification) │
├─────────────────────────────────────────────────────┤
│ layer 3: provenance │
│ "where did this come from?" │
│ (slsa, in-toto, guac) │
├─────────────────────────────────────────────────────┤
│ layer 2: integrity │
│ "were the bytes tampered?" │
│ (checksums, merkle trees, rekor) │
├─────────────────────────────────────────────────────┤
│ layer 1: identity │
│ "who is this?" │
│ (pki, sigstore/fulcio, spiffe) │
└─────────────────────────────────────────────────────┘how the gap is exploited
attack patterns that exploit the semantic gap
payload substitution
pattern: the payload submitted for signing is not what the operator intended
examples: build artifact swapped, transaction parameters modified, config replaced
why signatures miss: signature verifies what was presented, not what was intended
look-alike attacks
pattern: identifiers that resemble legitimate targets
examples: address poisoning, typosquatting, homoglyph substitution
why signatures miss: attacker's address is cryptographically valid
policy drift
pattern: configuration changed without proper review
examples: security settings weakened, permissions expanded, thresholds lowered
why signatures miss: new config is signed by authorized entity
context injection
pattern: manipulation of context that influences signing decisions
examples: agent memory injection, environment variable tampering, metadata manipulation
why signatures miss: signature doesn't cover context
parameter tampering
pattern: modification of parameters between intent and payload
examples: amount changed, recipient modified, timestamp backdated
why signatures miss: tampered version is what gets signed
closing the gap
semantic verification before signing. local invariants. deterministic checks. and operational protocols that ensure the verification itself doesn't become a problem.