Attestor registry

What the Attestor Registry is

The Attestor Registry is the allowlist and rulebook for anyone who signs facts on EDMA. It defines who may attest, what they can attest, how those attestations are verified, and how performance is rewarded or penalized. The registry doesn’t move money; it feeds PoV. If a gate needs “inspector + terminal/carrier + DC/3PL,” PoV pulls those roles from the registry and checks that their signatures bind to the same PoV hash. Only then can an EMT mint and flip Locked EDSD → Unlocked EDSD. No EMT, no funds.

Roles

  • Inspector (PSI / QA): SGS/Intertek/BV-like firms sign quality/quantity reports and COAs.

  • Terminal / Carrier: ports and carriers sign load events, BL + container IDs + seal number & photo.

  • Customs / Regulator feed: import/export EDI or regulator data.

  • DC / 3PL: arrival scans, random QA, shelf-life checks.

  • Brand / OEM (branded goods): authorization for brand-bound lanes.

  • Metrology / Sensor OEMs: temperature/IoT streams bound to devices and routes.

  • Registry / Oracle (Tokens): program registries, location/energy/carbon oracles.

Each role has a schema (what fields they sign), a freshness window, and SLA targets.

Onboarding

  1. KYB & suitability: legal entity, UBOs, sanctions, insurance, scope of work (e.g., PSI for gloves; cold-chain sensors for frozen).

  2. Key ceremony: issue signing keys (HSM/MPC preferred), register public keys and role in the Registry.

  3. Schema bind: attest to the PoV schema(s) they will sign (EAS-compatible: canonical JSON + file digests).

  4. SLA acceptance: agree to latency & accuracy thresholds, rotation cadence, and penalty schedule.

  5. Go live: keys move to Active; sandbox → production.

Keys have a lifecycle: provisioned → active → rotated → revoked. The Registry records every change with timestamps.

How a valid attestation looks

  • Canonical evidence (sorted JSON with file hashes) → compute PoV hash.

  • Role-signed attestation (Inspector, Carrier, etc.) references the same PoV hash, order/listing id, stage, and timestamp; signed with the active key registered for that role.

  • Transport via API; the chain stores hashes, not raw files.

  • PoV counts the attestation only if: the role is allowed, key is active, window is valid, and hashes match.

Quorum & policy

  • Quorum is role-diverse and explicit; governance sets bounds, not exceptions.

  • Example (On-Board): Terminal/Carrier + Inspector (load check) with BL + container IDs + seal photo/number matching the packing report.

  • Freshness: attestor windows (e.g., BL within X hours of load; PSI within Y days).

  • Equality: all counted signatures must bind to the same PoV hash; any mismatch fails.

  • Revocation: a later revocation freezes downstream slices until the record is clean.

  • Funding precondition (Trade): after Pre-Ship EMT, the top-up must be present as Locked EDSD; otherwise PoV won’t pass On-Board.

Quorum templates are lane-specific (e.g., cold-chain adds temperature OEM + DC temperature audit) and published as checklists anyone can read.
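The counting rule from "How a valid attestation looks" and the quorum rule above, as an added example (not EDMA's own code). SHA-256, the field names, the registry layout, the window values and the reason strings are assumptions for illustration. Signature verification against the registered public key is assumed to have succeeded before these checks and is not shown.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

def pov_hash(evidence):
    # Canonical JSON: sorted keys, fixed separators, so equal evidence gives equal bytes.
    canon = json.dumps(evidence, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

def check(att, registry, expected, windows, now):
    # The four counting conditions; the signature itself is assumed verified upstream.
    key = registry.get(att["key_id"])
    if key is None or key["role"] != att["role"]:
        return "role_not_allowed"
    if key["status"] != "active":
        return "key_not_active"
    age = now - att["signed_at"]
    if age < timedelta(0) or age > windows[att["role"]]:
        return "stale"
    if att["pov_hash"] != expected:
        return "mismatch"
    return "ok"

def evaluate_gate(atts, required_roles, registry, expected, windows, now):
    # A role is covered only by a counted attestation; uncovered roles fail the gate.
    reasons = {a["key_id"]: check(a, registry, expected, windows, now) for a in atts}
    counted = {a["role"] for a in atts if reasons[a["key_id"]] == "ok"}
    missing = sorted(set(required_roles) - counted)
    return {"passed": not missing, "missing": missing, "reasons": reasons}

# Constructed sample data (not real EDMA records).
NOW = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)
EVIDENCE = {"order_id": "ORD-EXAMPLE-1", "stage": "on_board",
            "files": {"bl.pdf": hashlib.sha256(b"bl").hexdigest(),
                      "seal.jpg": hashlib.sha256(b"seal").hexdigest()}}
REGISTRY = {"insp-k1": {"role": "inspector", "status": "active"},
            "carr-k1": {"role": "carrier", "status": "active"},
            "carr-k0": {"role": "carrier", "status": "revoked"}}
WINDOWS = {"inspector": timedelta(days=7), "carrier": timedelta(hours=24)}

def sample_atts(carrier_key="carr-k1", carrier_hash=None):
    h = pov_hash(EVIDENCE)
    return [{"role": "inspector", "key_id": "insp-k1", "pov_hash": h,
             "signed_at": NOW - timedelta(days=2)},
            {"role": "carrier", "key_id": carrier_key, "pov_hash": carrier_hash or h,
             "signed_at": NOW - timedelta(hours=3)}]

if __name__ == "__main__":
    print(evaluate_gate(sample_atts(), ["inspector", "carrier"],
                        REGISTRY, pov_hash(EVIDENCE), WINDOWS, NOW))
```
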

Rewards & penalties

  • SLA metrics: latency to sign, accuracy/revocation rate, uptime.

  • Payout: SLA-weighted per milestone; visible in the Explorer.

  • Penalties: missed SLAs reduce payouts; repeated failures → suspension; fraud (fake docs, mismatched hashes, reused seals) → ban and bond slashing (for bonded roles).

  • Rotation: periodic key rotation is required; stale keys auto-expire.

Dashboards show per-role KPIs so buyers and sellers see who’s reliable.

API & webhooks

API

  • POST /v1/pov/attest — submit a role-signed attestation bound to a PoV hash.

  • GET /v1/pov/roles — discover active roles and schemas for a lane.

  • GET /v1/pov/attestors — list allowed entities, keys, SLAs, and status.

Webhooks

  • pov.attestation.accepted — counted for the gate; includes role, hash, and expiry.

  • pov.attestation.revoked — no longer valid; dependent slices freeze.

  • pov.attestor.key_rotated / pov.attestor.suspended — operational status changes.

Governance knobs

  • Add/remove role types and schemas per lane; set windows, SLA targets, and reward weights.

  • Set rotation cadence, bond sizes (for bonded roles), and penalty bands.

  • Publish templates buyers can import into MPAs (e.g., cold-chain checklist).

What governance cannot change: No EMT, no funds, One-Claim, must-fund before shipping, Locked→Unlocked on proof, and 50% burn per event.

Security & privacy

  • Key theft: HSM/MPC recommended; compromised keys are rotated and old ones revoked; PoV ignores revoked keys.

  • Hash substitution: canonicalization + file digests ensure that any change to the evidence alters the PoV hash, so the PoV equality check fails.

  • Role collusion: independent quorum, rotation, random re-inspection, and slashing for bonded roles.

  • Sensitive docs: evidence lives off-chain with signed URLs; on-chain stores hashes only; selective disclosure or zk wrappers prove facts without leaking values.

Operator checklist

  • Keep checklists plain: what counts as pass for each gate.

  • Work with attestors who are in the Registry and have active keys.

  • When you upload files, verify the hash the UI shows; attestors should see the same hash.

  • If a gate stays red, read the reason (mismatch, stale, missing) and resubmit; the platform pauses only the affected slice.

  • Use the Explorer to view who attested, when, with which key, and how the gate cleared.

Plain recap

The Attestor Registry turns “trusted third parties” into verifiable roles. It says who can sign what, binds their signatures to the same PoV hash, measures how well they do it, and pays or penalizes them accordingly. PoV then enforces quorum against that registry. When the checklist passes, an EMT mints and Locked EDSD flips; when it doesn’t, money waits with a clear reason. That’s admissibility with accountability—facts first, then cash. No EMT, no funds.