NathanaelRitz | Calgary • AB

Software Engineer, Cloud-native & Distributed Systems Design

Designing and building privacy-first, cloud-native distributed systems. Passionate about system design where security, privacy, and great devUX converge.

Strategy & Architecture

Interoperable Architectures, Integration Patterns, Strategic Systems Design

Cloud & Infrastructure

Hybrid Multi-Cloud, Cost Optimization, Resilient Data Federation

Security & DevOps

Zero-Trust Principles, Container Orchestration, CI/CD Automation

01 //
Protocol_Work

Current R&D

FACTS (Factor-based Attestation & Credential Transport): A multi-modal system primitive for Just-in-Time identity. Rather than relying on a stored secret, FACTS disarms bearer tokens by treating identity as a runtime derivation from the convergence of known-good runtime state.

  • Post-auth PSK Research (Continuous Attestation)
    Devised Time-based Ephemeral Liveness Signals (TELS), a specification for ephemeral post-auth PSKs enabling real-time verification with 0-RTT session resumption.
  • Transport Composability (Authz+Authn achieved orthogonal to transport)
    Implemented a single security model across three independent transport bindings (TLS 1.3 extension, REST/HTTPS, SAE air-gapped), demonstrating architectural flexibility and reusability.
  • Static Artifact Exchange (Air-gapped, asynchronous key agreement)
    Designed a zero-trust transport topology with a zero-parsing invariant for asynchronous cryptographic exchanges, suitable for IoT and constrained supply-chain contexts.

Explore FACTS ↗

02 //
Engineering

FACTS Reference Implementation

Production Rust Toolchain

facts-cli (notary operations, attester/verifier agents) and facts-toolchain (core cryptographic libraries), achieving sub-millisecond key derivation with proper zeroization of key material.

Multi-Transport Demonstration

Docker orchestration harness proving protocol composability across TLS 1.3 extension (0-RTT, PSK ratcheting), REST/HTTPS (stateless challenge/response), and SAE (air-gapped asynchronous).

Formal Security Analysis

ProVerif symbolic model proving injective correspondence (replay prevention), trust chain integrity, forward secrecy, and inert credential property under active adversary assumptions.

Browser Integration

Real-world WebAuthn demo using @hpke/core (RFC 9180), Ed25519 notary signing, PRF extension for hardware-rooted factor encryption, demonstrating production viability.

CleanPix SaaS Multi-Cloud Deployment

Impact Highlights

  • Multi-Cloud Platform Design: 18-year journey from monolithic legacy systems to federated multi-cloud architecture spanning 5 providers with event-driven Kafka backbone.
  • Cost Optimization: Strategic provider selection and resource allocation achieving 77% infrastructure cost reduction while improving availability and performance.
  • Resilience Engineering: Cross-provider replication topology for MySQL and storage with proven zero-loss recovery during production failures.

03 //
IETF_Engagement

  • Engaging Diverse IETF Working Groups: Participating in technical discussions across OAuth, RATS, and WIMSE working groups on workload identity, attestation semantics, and authentication vs authorization boundaries.

Ephemeral Compute Attestation (ECA)

IETF Internet-Draft

Formal protocol specification for secure machine identity bootstrapping. Three-phase challenge-response ceremony using composable cryptographic factors.

VIEW_DRAFT ↗

Static Artifact Exchange (SAE)

IETF Internet-Draft

Minimal hardened transport for asynchronous artifact exchange via stateless repositories. Eliminates parser vulnerabilities via "publish-then-poll" design.

VIEW_DRAFT ↗

Relationship to FACTS: Evolving from experimental IETF Internet-Drafts [above], FACTS introduces a unified protocol suite for establishing "Day 1" identity bootstrap and enforcing "Day 2" continuous integrity with refined terminology: Boot Factor (BF) → Provisioning Factor (PF), Instance Factor (IF) → Evidence Factor (EF).

04 //
Ops_History

Protocol design inspired from real-world ops

18 years operating production systems directly informed FACTS protocol design. Real-world operational pain points—credential rotation, identity bootstrap in ephemeral environments, trust anchor heterogeneity across cloud providers—drove architectural decisions. FACTS represents applying systems thinking from infrastructure management to cryptographic protocol engineering.

Head of Infrastructure & Principal System Designer

CleanPix Corp | 2012 — Present

Owning the technical roadmap and architectural vision for a mission-critical SaaS platform. Responsible for bridging business goals with distributed systems implementation.

  • Strategic Cost Optimization: Designed and executed a federated multi-cloud architecture across 5 heterogeneous providers. This strategy eliminated single-vendor dependency and drove a 77% reduction in infrastructure opex while increasing availability.
  • System Modernization: Led the architectural decomposition of legacy services, introducing an event-driven Kafka backbone that reduced P95 latencies by >1000ms and enabled asynchronous scaling.
  • Resilience Engineering: Engineered the disaster recovery protocol and cross-provider replication topology (MySQL/Storage), proven in production during a critical storage failure with zero data loss and sub-48h RTO.
  • Engineering Standards: Established CI/CD and BDD methodologies, moving the engineering culture from manual release cycles to automated, zero-downtime deployments.

Product Champion & Integration Lead

CleanPix Corp | 2009 — 2012

  • Modernized a legacy web application (JSP/JavaScript) to improve user experience and cross-system engagement.
  • Facilitated alignment between business requirements and technical implementation, crafting user stories for testable integrations.

Infrastructure Integration Specialist

CleanPix Corp | 2008 — 2009

  • Coordinated development, staging, and production rollouts to ensure component interoperability.
  • Led a full system rebuild after a hardware transition, reintegrating data flows to maintain business continuity.

Customer Service Representative

CleanPix Corp | 2007 — 2008

  • Managed customer onboarding and guided new users through initial setup.

05 //
Skill_Stack

Distributed Systems

  • Multi-cloud federation
  • Event-driven architecture (Kafka)
  • Zero-trust design
  • Disaster recovery & business continuity
  • Stateless server architecture
  • Horizontal scalability

Applied Cryptography

  • HPKE (RFC 9180)
  • TLS 1.3 Extensions (0-RTT, PSK)
  • OAuth 2.0/DPoP (RFC 9449)
  • WebAuthn/FIDO2 (PRF Extension)
  • HKDF, AEAD

Security Architecture

  • Zero Trust Architecture
  • Hardware security (TPM, Secure Enclave)
  • Air-gapped transport protocols
  • Continuous attestation
  • Identity binding mechanisms

Implementation

  • Rust (production-grade, memory-safe)
  • JavaScript
  • Docker orchestration
  • CI/CD automation
  • CLI tooling
  • DNS operations

Formal Methods

  • ProVerif symbolic modeling
  • Dolev-Yao adversary assumptions
  • Security property verification
  • Inert credential proofs

Standards Bodies

  • IETF (OAuth, RATS, WIMSE)
  • W3C (WebAuthn)
  • IETF I-D authorship
  • Cross-WG collaboration
  • Peer review incorporation

06 //
Education

Diploma, Digital Graphics Communication

SAIT (Southern Alberta Institute of Technology), Calgary, AB | 2007

Foundation in UX/design evolved into specialization in systems architecture and integration.