Why a surface can trust your app
A protection your app emits is cryptographically provable — authentic, applied, and never exposing the child. Conformance is binary and testable. Trust is one signed file you verify offline. No phone-home, no gatekeeper.
A conformance mark is a pointer: it must resolve to a live entry in a signed registry, or it counts for nothing. That lets a stranger surface accept your signal and verify it in milliseconds.
Four things make a signal trustworthy: the contract every surface guarantees back, the two ways you prove you meet it, the list that verifies you offline, and the honest count of where we stand today.
Six things every surface MUST. Four it MUST‑NEVER.
What every surface that accepts your signal guarantees back. Short on purpose. Every clause is testable — pass or fail, no interpretation.
You MUST
6 obligations
You MUST‑NEVER
4 red lines
A standard, not a posture — every clause is testable.
As an assertion
Each clause is true or false of a running endpoint — no "reasonable efforts." A behavior you observe, not a value you claim.
By the suite
The suite throws crafted envelopes — valid, expired, mis-sealed, replayed, unlisted — and records what you do with each.
As evidence
Pass or fail published per clause with its test vector. Anyone can re-run it and reproduce the verdict.
Self-attest, or pass the suite
Start the day you ship; grow into accreditation. The difference isn't what you claim — it's who checked.
Implementer
Build to the contract, publish a signed self-attestation with evidence linked. No fee, no gate — today.
You can already exchange signals with other implementers. Not yet: the certified registry or the sensitive bands. The on-ramp, not the destination.
Certified & listed
Run the suite against a live endpoint. Pass, and your entry is signed into the public registry — resolvable anywhere.
Certification unlocks the accredited and steward tiers, the sensitive bands, and trust-list inclusion. Renewed, not granted once.
Both paths speak the same wire format and rule vocabulary — same software, different scope of trust. You never rebuild to graduate: point the suite at the endpoint you already run. A checkpoint, not a fork.
One signed file. Verifiable by anyone, offline.
The eIDAS model: one root signs a document that inlines every member's public keys. To check a signal, a verifier reads that file — no live call, no permission server in the path.
Green needs three or more independent accredited routers — so no operator captures the network. Today: zero. The honest state, published.
No one to ask
Keys are inlined in a file you already hold, so verifying never calls back. No permission server to be slow or down. The check is local arithmetic.
Expiry does the work
Every key has a hard expiry; the list is re-signed on a cadence. A retired member stops appearing — and any stale key fails on its own.
No single off-switch
A portable artifact: mirror, cache, pin it. No operator — not even the steward — can quietly drop a member from a copy you already verified.
Three tiers. Each routes a wider band.
What you may route scales with how thoroughly you're validated. Sensitive bands require a higher tier. Figures illustrative for Draft 4.
| Tier | Validation | Rule-bands it may route | Fee |
|---|---|---|---|
| Listed (self-attested) | Self-attestation; evidence published. | Open band — advisory signals (content ratings, policy availability). | Free |
| Accredited (suite-verified) | Passes the suite + annual SOC 2; listed in the registry. | Open + Restricted — enforcement and harm-context for known counterparties. | Cost-recovery |
| Steward (governance) | Accredited, plus governance seat and root custody. | All bands, including trust-list signing and succession. | By charter |
A tier is a scope, not a ranking. A Listed implementer is fully conformant for what it does. You move up by passing a test, not paying more.
Fees recover the cost of the suite and registry — the open band stays free. Bands map to sensitivity: an advisory rating is not a harm-context route about a specific child. Wider reach only with deeper proof.
Five checks before anything happens
Every inbound signal runs the same gauntlet. If any step fails, the signal is dropped. Trust is re-established on every message.
Fail-closed: uncertainty means do nothing. A signal that can't tie back to a current, listed key is treated like one that never arrived. Three common ways a message dies — none need a human.
Seen before
One-time identifier plus a timestamp window. A captured message replayed later is rejected at step 3.
Past expiry
A signature past its 180-day expiry — or absent from the latest list — fails at step 2. No revocation lookup.
Not sealed to you
Not encrypted to your key? Step 4 can't open it. No plaintext, nothing to enforce, nothing leaks.
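A sketch of the fail-closed list and replay checks described above, as an added example and not OCSS code. The envelope field names (`key_id`, `nonce`, `ts`), the 300-second window, and the shape of the trust list are assumptions; signature verification and decryption are left out.

```python
from dataclasses import dataclass, field

WINDOW_S = 300  # assumed replay window in seconds; the page gives no value

@dataclass
class Verifier:
    # key_id -> hard expiry (epoch seconds), read from an already-verified
    # copy of the signed list; this shape is an assumption
    trust_list: dict
    seen: dict = field(default_factory=dict)  # nonce -> message timestamp

    def check(self, envelope, now):
        """Return 'accept' or a drop reason. Any doubt is a drop."""
        try:
            key_id = envelope["key_id"]
            nonce = envelope["nonce"]
            ts = float(envelope["ts"])
        except (KeyError, TypeError, ValueError):
            return "drop:malformed"
        if not isinstance(key_id, str) or not isinstance(nonce, str):
            return "drop:malformed"

        # Step 2 on the page: key must be on the current list and unexpired.
        expires_at = self.trust_list.get(key_id)
        if expires_at is None:
            return "drop:unlisted"
        if now >= expires_at:
            return "drop:expired"

        # Step 3 on the page: timestamp window plus one-time identifier.
        if abs(now - ts) > WINDOW_S:
            return "drop:stale"
        self.seen = {n: t for n, t in self.seen.items() if now - t <= WINDOW_S}
        if nonce in self.seen:
            return "drop:replayed"
        self.seen[nonce] = ts
        return "accept"

def demo(now=1_800_000_000.0):
    v = Verifier({"k-live": now + 86_400, "k-old": now - 1})  # constructed
    first = {"key_id": "k-live", "nonce": "n1", "ts": now - 10}
    return [
        v.check(first, now),
        v.check(first, now + 5),
        v.check({"key_id": "k-old", "nonce": "n2", "ts": now}, now),
        v.check({"key_id": "k-gone", "nonce": "n3", "ts": now}, now),
    ]

if __name__ == "__main__":
    print(demo())
```

Nonces only need to be remembered for the length of the window, because anything older is already rejected by the timestamp check.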
We publish our zeros.
OCSS is pre-ratification — Draft 4. These are the real numbers today, not a target we'll backfill. The board updates as the coalition fills it.
Accredited entities
No party has passed the suite yet. The list is validly signed and empty.
Trust Committee
Forming. Seats filled by founding members as they join.
Interim steward
Due 2026‑07‑09 per charter. Phosra holds the root in trust until then.
Conformance suite
Drafting alongside Draft 4; not yet runnable end-to-end.
Reference emitter
Not shipped. The open-source signing/sending implementation is in progress.
Federation health
Zero independent routers reads Red — by design. Green at three.
These zeros are a starting line, not failures. The credible thing is showing the gauges honestly while the coalition closes them — each one verifiable in the live registry.
What "trust" actually means here
Four questions from parental-control teams weighing a pre-ratification standard.
If the registry is empty, what is there to trust?
The mechanism, not the membership. The list is validly signed, the envelope format is fixed, the contract is testable today. Trust is a property of the protocol; the member count is a separate, honest number that fills over time.
Who can revoke a bad actor, and how fast?
The root re-signs the list without them; on the next fetch, every verifier stops trusting them — no takedown, no per-verifier action. Keys also self-expire, so even a stalled list sheds stale members. Revocation is built into the data's lifecycle.
Can the infrastructure read the child's data my app routes?
No — that's the central guarantee. Payloads are sealed to the enforcing surface's key; a router moves an opaque envelope it can't open. "Never decrypt in transit" is a MUST‑NEVER clause with a test behind it. Routing reach and read access are split by design.
Why build before ratification?
The wire format and contract are stable enough to integrate against, and founding implementers shape the suite and bands before they lock. The tradeoff: details still move in Draft 4 (we mark what's settled). Early members trade a little churn for a seat at the table.
Be one of the first three accredited routers.
The federation turns green at three. Founding members shape the suite, hold Trust Committee seats, and top a registry that's empty today.