The Dumb Relay

The relay is infrastructure, not a service. It moves encrypted blobs from one device to another. It doesn’t know what’s in them, who sent them, or why. That’s the whole point.

TL;DR

  • It’s a buffer, not a database. Blobs are deleted on delivery.
  • One thing per device: an Inbox of undelivered blobs addressed to that device’s public key.
  • It barely knows anything. Recipient keys, who’s currently connected. Not senders, not groups, not content.
  • Doesn’t matter who runs it. Self-host, public instance, someone else’s — same security story.

What “dumb” means

A traditional sync server is smart in the worst sense. It knows your account, your devices, your data model. It can enforce permissions, resolve conflicts, answer queries. It can also read your data, hand it to a third party, or get a subpoena and produce it.

The trueseal relay had all of that taken out on purpose. No users, no groups, no idea which devices are related. It receives blobs addressed to a public key, holds them if the recipient is offline, delivers them when the recipient connects. Everything else, it doesn’t do.

This is zero-trust as a structural fact rather than a promise. The relay isn’t trusted because there’s nothing it could betray even if it wanted to.

What the relay holds

Each device has an Inbox — a set of undelivered blobs addressed to that device’s public key. The Inbox only exists while there’s something in it. Deliver a blob and it’s gone immediately. Reconnect a device, drain its inbox, done.

Blobs that never get delivered — recipient permanently offline, lost, abandoned — get reaped after a TTL. Again: buffer, not log.

What the relay knows

Two things, both unavoidable:

  • Which noise keys have active connections. Needed to deliver to online devices without polling.
  • The recipient public key on each blob. Needed to put the blob into the right inbox.

Beyond that, nothing. It doesn’t know who sent a blob (push sessions use throwaway ephemeral keypairs), it doesn’t know which devices belong to the same group (no concept of groups exists), and it can’t see content (everything is encrypted before it ever arrives).

An operator can watch which public keys receive blobs and when. They can’t watch contents, can’t see senders, and can’t tell which keys are talking to each other.

Self-hosting and operator trust

Because the relay is zero-knowledge, the question of who’s operating it stops mattering. Public instance, your own $5 VPS, a friend’s box — the security guarantees are the same.

The relay has its own long-term keypair. Connecting devices verify the relay’s identity through the Noise XX handshake before sending anything. The relay’s public key is distributed out-of-band by whoever runs it — baked into a client, posted on a landing page, shared as a QR. The relay doesn’t discover itself.

Always in the path

For remote sync the relay is always in the path. No peer-to-peer mode, no NAT traversal, no STUN, no TURN. Both devices connect outbound to the relay and the relay bridges them. The reasoning is in Not a P2P System — short version: NAT traversal over the open internet is a swamp, and “real” P2P usually falls back to a relay anyway.