OCSS · DRAFT 4 · THE STANDARD

The one standard a child-safety app implements once.

Build once. A Rules layer for what a protection means; a Trust Framework for how it moves and who's trusted. Open, vendor-neutral.

115 rule categories · 91 laws mapped · 30+ jurisdictions · 9 capability layers
ACT 1 · WHAT AN APP BUILDS TO

Two layers under one umbrella

Build both once. Each evolves on its own — vocabulary grows, routing hardens, neither touches the other.

OCSS · ONE UMBRELLA, TWO LAYERS
OCSS specification
LAYER 1 · VOCABULARY
OCSS Rules: what a protection means — 115 typed categories
algorithmic_audit · os_age_signal_ingest · parental_consent_gate · not_for_minors_block · + 106 more
One registry, read identically by every surface. registry/ocss-rules.json · 9 capability layers
LAYER 2 · ROUTING + TRUST
OCSS Trust Framework: how protections move & who's trusted
Signed two-layer envelope: Ed25519 outer · JWE inner · router-blind
Trust List: eIDAS-style · who's accredited, at what tier
Like WebAuthn + CTAP under FIDO2: the Trust Framework carries OCSS Rules as typed payloads. Format and vocabulary version independently.
THE INTEGRATION ECONOMICS

Integrate once. Protect every accredited surface.

No more one integration per device, network, and platform. Build to OCSS once; reach everywhere a child is.

INTEGRATION ECONOMICS · N×M → N+M
TODAY · N × M
A custom integration per surface — every app wired to every surface.
child-safety apps
surfaces
3 apps × 3 surfaces = 9 point-to-point integrations.
WITH OCSS · N + M
Integrate once — every app and every surface meets at one signed hub.
child-safety apps: build to OCSS once
OCSS: signed hub · verified to root
signed envelope
surfaces: each added surface reaches every app
Integrate once. The next surface added reaches every app for free. (Robust protection needs ≥3 independent surfaces.)
VOCABULARY ↔ LAW

115 rules, mapped to 91 laws

Every category exists because a statute demands it. One protection satisfies obligations across many jurisdictions at once.

115 Rule categories
91 Laws mapped
30+ Jurisdictions
9 Capability layers

algorithmic_audit → KOSA
not_for_minors_block → UK OSA
os_age_signal_ingest → CA AB 1043
parental_consent_gate → COPPA

Four of 115. Full matrix in Resources.

ACT 2 · HOW A PROTECTION FLOWS

One protection, app to surface

A parent sets a rule. It travels six stages — app to surface — and no intermediary ever reads the child's data.

signal flow · app → surface
01 Encode · 02 Seal · 03 Route · 04 Verify · 05 Enforce · 06 Record
Six stages, app to surface. The router (03) carries but never opens — see below.
STAGE 01
Encode

Parent's rule becomes a typed OCSS category — parental_consent_gate.

STAGE 02
Seal

App seals it as the JWE inner layer; routing rides outside.

STAGE 03
Route

Carried by outer headers. Routed, never read.

STAGE 04
Verify

Surface verifies the Ed25519 signature against the Trust List.

STAGE 05
Enforce

Applied at DNS, router, OS or app — on its own terms.

STAGE 06
Record

Signed, PII-free receipt. Regulator-replayable.

THE CENTRAL INVARIANT

The router-blind envelope

One rule above all: networks that carry the protection never read the child's data. Routing outside, protection sealed inside.

TWO-LAYER ENVELOPE · ROUTING OUTSIDE, SEALED INSIDE
OUTER: routing headers + Ed25519 signature — carried, never decrypted
router sees routing only
INNER: JWE typed protection — only the surface opens it
MUST-NEVER decrypt in transit
Receipt: signed · PII-free · regulator-replayable
Carriers never read the data. The surface opens the protection; a regulator replays the receipt without seeing a child's data.
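
The envelope and stages 02 to 04, sketched as an added example; this is not OCSS's normative format or reference code. The field names `kid`, `dst`, `jwe` and `sig`, the `dir`/`A256GCM` JWE mode with a key shared by app and surface, the tier value, and signing over headers plus inner layer are all assumptions made for illustration.

```javascript
// Added illustration: field names (kid, dst, jwe, sig) are assumed, not the OCSS wire format.
const crypto = require('node:crypto');
const b64 = (x) => Buffer.from(x).toString('base64url');

// Stage 02 (Seal): compact JWE, alg "dir" / enc "A256GCM", key shared by app and surface (assumed).
function sealInner(payload, cek) {
  const hdr = b64(JSON.stringify({ alg: 'dir', enc: 'A256GCM' }));
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', cek, iv);
  c.setAAD(Buffer.from(hdr, 'ascii')); // JWE binds the protected header as AAD
  const ct = Buffer.concat([c.update(JSON.stringify(payload)), c.final()]);
  return [hdr, '', b64(iv), b64(ct), b64(c.getAuthTag())].join('.');
}

function openInner(jwe, cek) {
  const [hdr, , iv, ct, tag] = jwe.split('.');
  const d = crypto.createDecipheriv('aes-256-gcm', cek, Buffer.from(iv, 'base64url'));
  d.setAAD(Buffer.from(hdr, 'ascii'));
  d.setAuthTag(Buffer.from(tag, 'base64url'));
  const pt = Buffer.concat([d.update(Buffer.from(ct, 'base64url')), d.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Outer layer: Ed25519 signature covering routing headers and the sealed inner layer together.
const signingInput = (outer, jwe) => Buffer.from(b64(JSON.stringify(outer)) + '.' + jwe);
function buildEnvelope(outer, payload, cek, signKey) {
  const jwe = sealInner(payload, cek);
  return { outer, jwe, sig: b64(crypto.sign(null, signingInput(outer, jwe), signKey)) };
}

// Stage 03 (Route): the router holds no key and reads only the outer headers.
const route = (env) => env.outer.dst;

// Stage 04 (Verify): check the signer against the Trust List before opening the inner layer.
function surfaceAccept(env, trustList, cek) {
  const entry = trustList[env.outer.kid];
  if (!entry) throw new Error('signer not on Trust List');
  const ok = crypto.verify(null, signingInput(env.outer, env.jwe), entry.publicKey,
    Buffer.from(env.sig, 'base64url'));
  if (!ok) throw new Error('bad outer signature');
  return { tier: entry.tier, protection: openInner(env.jwe, cek) };
}

// Constructed sample: one accredited app, one surface, one category from the registry.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const cek = crypto.randomBytes(32);
const trustList = { 'app-1': { publicKey, tier: 'example-tier' } };
const env = buildEnvelope({ kid: 'app-1', dst: 'dns' },
  { category: 'parental_consent_gate' }, cek, privateKey);
```

Because the signature covers the routing headers as well as the ciphertext, a carrier that rewrites `dst` in transit produces an envelope the surface rejects before any decryption is attempted.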
WHERE ENFORCEMENT LANDS

Five surfaces, one protection

One signed signal, honored everywhere a child meets the network — each surface enforces on its own terms.

DNS · MDM · Router · App · OS

Resolver blocks, device policy, network filtering, in-app gating, OS age signals — one OCSS envelope drives them all.

READ THE SPEC

Everything an app builds to: normative text, registry, conformance contract.

Pre-ratification (Draft 4) and honest about it. Contract, trust model, and empty-by-design registry — all published as written, zeros included.