Misbehavior & switching

The registrar is a hired commodity, and two mechanisms make that literal: a conflicting-head proof turns a rewritten log into portable, checkable evidence, and an epoch transition lets an employer move to a different registrar without invalidating a single previously issued attestation. The proof machinery is in crates/confed-core.

Conflicting-head proofs

A signed head is a registrar’s claim about the state of an employer’s log at a given sequence number. Because the log is hash-chained, there is exactly one honest head per sequence number. If a registrar ever signs two heads for the same employer and sequence but with different hashes, it has rewritten history that was already witnessed — and that pair of signed heads is the proof.

The proof is self-verifying: anyone can confirm that both heads carry a valid signature from the same key, name the same employer and sequence, and disagree on the hash. Nobody has to trust the party presenting it. The wallet, the Signer, the dashboard, and the verifier all run this check, and a detected conflict raises an unmissable alarm with one-tap export of the proof.
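A minimal checker for the proof rule just described, added here as an example; it is not code from crates/confed-core and is written in Go rather than the project's Rust so it runs on the standard library alone. The SignedHead layout, the canonical byte encoding that the registrar signs, and the employer name "acme" are assumptions made for this example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)
// SignedHead is a registrar's claim "employer E's log at sequence N has hash H" (layout assumed here).
type SignedHead struct {
	Employer string
	Seq      uint64
	Hash     [32]byte
	Sig      []byte
}
// headBytes is the canonical message a registrar signs (constructed encoding: tag, employer, big-endian seq, hash).
func headBytes(employer string, seq uint64, hash [32]byte) []byte {
	msg := append([]byte("tenure-head/v1\x00"), employer...)
	msg = append(msg, 0)
	msg = binary.BigEndian.AppendUint64(msg, seq)
	return append(msg, hash[:]...)
}
// SignHead models the registrar publishing a head for one sequence number.
func SignHead(priv ed25519.PrivateKey, employer string, seq uint64, hash [32]byte) SignedHead {
	return SignedHead{employer, seq, hash, ed25519.Sign(priv, headBytes(employer, seq, hash))}
}
// VerifyConflictProof returns nil only if the pair proves a rewritten log: both heads carry a valid
// signature under pub, name the same employer and sequence, and disagree on the hash. The presenter is not trusted.
func VerifyConflictProof(pub ed25519.PublicKey, a, b SignedHead) error {
	for i, h := range []SignedHead{a, b} {
		if !ed25519.Verify(pub, headBytes(h.Employer, h.Seq, h.Hash), h.Sig) {
			return fmt.Errorf("head %d: signature not valid for this registrar key", i)
		}
	}
	if a.Employer != b.Employer || a.Seq != b.Seq {
		return fmt.Errorf("heads name different employers or sequences: not a conflict")
	}
	if a.Hash == b.Hash {
		return fmt.Errorf("heads agree: this is one honest head presented twice")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	honest := SignHead(priv, "acme", 42, sha256.Sum256([]byte("log entries 1..42 (constructed)")))
	rewritten := SignHead(priv, "acme", 42, sha256.Sum256([]byte("entries 1..42 with a hire scrubbed")))
	next := SignHead(priv, "acme", 43, sha256.Sum256([]byte("log entries 1..43 (constructed)")))
	fmt.Println("rewritten history:", VerifyConflictProof(pub, honest, rewritten)) // <nil>: valid proof
	fmt.Println("normal growth:    ", VerifyConflictProof(pub, honest, next))      // error: not a conflict
}
```

Only a pair that passes all three checks is evidence; a duplicate of one honest head, a head from a later sequence, or a head whose hash was edited after signing is rejected before anyone raises an alarm.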

Witnesses

A proof only exists if both conflicting heads were witnessed, so Tenure spreads heads widely: every operation receipt hands a fresh head to the worker’s wallet, the Signer retains every head it has seen, and checkpoints are mirrored to at least two independent locations. This protection runs both ways — an employer or registrar cannot backdate a hire or scrub a tenure period after it was witnessed, and a worker’s receipts survive the employer’s infrastructure shutting down.

The registrar / payroll switch

Switching registrar (or payroll system) is a signed epoch transition that preserves every previously issued attestation and stops the old registrar from authorizing new state after the cutover:

  1. The old registrar freezes writes at a sequence number — or the employer declares one unilaterally if the registrar is unresponsive or hostile.
  2. The Signer closes the current epoch at that sequence, using its own witnessed head if the registrar’s claim looks suspect.
  3. The new registrar imports the ragequit file, replays it in full, and reports its computed head; the Signer cross-checks that head against the ones it witnessed.
  4. The Signer opens the next epoch, naming the new registrar and chaining to the old epoch’s final head, and issues a fresh delegation.
  5. The new artifacts are published to mirrors; wallets and verifiers confirm the employer signatures and re-point.

Because each epoch is employer-signed and chains to the previous one’s final head, a verifier accepts attestations from both the old and new epochs, while the old registrar can no longer author valid state. The one stated limitation: offline clients converge on the next sync — the switch is a signed cutover, not an instant global flip.

The ragequit file

The ragequit file is the employer’s full signed log plus epoch chain, exportable at any time. It is the substrate of the switch and of Tenure’s strongest claim: a credential still verifies after the original registrar is switched off entirely. A downloaded bundle verifies offline with no registrar in the loop, and a worker who witnessed the old head can validate the transition against it. The switch drill exercises the whole sequence end to end.

Failure modes

| Situation | Outcome |
|---|---|
| Employer goes out of business | Attestations still verify, with their as_of dates and an “employer record frozen” note once heads stop advancing |
| Registrar down | Verification proceeds from cached bundles and mirrors with a stale-head warning; issuance pauses; nothing already issued is affected |
| KYB attester key compromised | The attestation is revoked and affected employers downgrade to “identity unverified” pending re-attestation; HSM custody and attester plurality limit the blast radius |
| Worker device lost | Recovery re-points the worker’s attestations to a fresh key and re-delivers receipts |
| Fake-employer report | Investigated by the attester; a confirmed case revokes the KYB attestation, and every verdict that relied on it becomes invalid |
| Conflicting heads detected | Unmissable alarm everywhere, one-tap proof export, and the employer initiates a switch |