OCSS · Open Child Safety Specification · openchildsafety.com · DRAFT 4 · PRE-RELEASE · INDIVIDUAL IETF I-D · NOT WG-ADOPTED
§ 1

The zeros, loudly

The coalition this standard describes does not exist yet. These are the figures that are currently zero or forming. We would rather you read them here than discover them.

0
Accredited intermediaries

No party has been accredited onto the Trust List. The reference implementer (Phosra) operates one router; a healthy federation requires at least three, independently accredited. A Phosra-only world rates Red — by design.

Forming
Trust Committee

The body that seats accreditation decisions, the approved-assessor list, and editorial authority is not yet constituted. Until it seats, those decisions are published as they are finalized, not voted.

2026-07-09
Interim steward · designation due

The succession record's interim_steward is vacant. The §12.3 covenant requires it designated by name by this date. A vacancy after it is a conformance-suite failure (GOV-SC-01) and computes federation health Yellow.

2027-03-31
Second conformance runner · due (T1)

A second, independent runner of the conformance suite — selected by the Trust Committee under the §11.7 eligibility test — does not exist yet. Until it does, runner divergence is not yet recomputable.

In drafting
Conformance suite

The runnable suite (rule-payload JSON Schema, signed test vectors, reference verifier) is being written, targeted Q3 2026. The earned Certified mark is not yet claimable — no runnable suite with a second independent runner.

Not shipped
Reference emitter

The platform-side reference emitter the alert-profile CONSUME tests run against does not exist today. It is a named deliverable that ship-gates the v1.0 conformance claim — ours and anyone's.


§ 2

What is gated on what

These milestones are ordered, not a flat date list: each gate is held by the one before it. v1.0 is the last gate, not the first claim. A missed milestone reads no better than Yellow on federation health, computed from the published dates rather than asserted.

  1. Execute the IPR instrument · now · unexecuted
    gates everything downstream

    The irrevocable royalty-free license, the contributor patent-pledge, and the change-of-control succession covenant exist today as prose in the draft, not an executed instrument. Until a signed, dated instrument is published, the royalty-free guarantee is a committed destination, not a vested right.

  2. Working groups accept a first outside proposal · after IPR execution
    blocked until gate 1

    The §12.4 working groups cannot safely accept an outside proposal until the IPR instrument is executed — an unexecuted policy is a promise about a document that does not exist.

  3. Standards-track adoption call · after IPR execution
    blocked until gate 1

    No standards-track adoption call on draft-phosra-ocstf-00 can proceed before the instrument is executed. "Governed like FIDO" is blocked at gate one until then.

  4. T0 — the key ceremony · ≤ 2026-09-30
    moves the root off single-firm custody

    Trust List signing moves from single-firm custody (Phosra) today to a 3-of-5 threshold key, generated at a witnessed ceremony with a recomputable transcript (no more than 2 of 5 holders sharing an affiliation). The transfer toward a neutral foundation is proposed, not executed; T0 has a named accountable owner due 2026-07-09.

  5. T1 — the second conformance runner · ≤ 2027-03-31
    makes runner divergence recomputable

    A second, independent runner executes the published harness under its own signing key and publishes results at its own endpoint, so divergence between runners is recomputable by any third party from two signed result sets — not reported by either.

  6. T2 — independent interop · before any v1.0 release
    a non-reference implementation passes

    At least one implementation that is not the reference implementer's passes the conformance suite and records a pairwise interop transcript with a Certified implementation, signed by both parties and recomputable by any third party.

  7. v1.0 · when every gate above closes
    the result, not the workbench

    The pre-release designation comes off by execution, not by revision. Until the Annex H gates close — the recomputable key ceremony, the two 2026-07-09 designations, a runnable suite, a published fee schedule, and a first transparency report, plus T2 interop — nothing in the document is a ratified standard or citable as v1.0.


§ 3

The verifiable exit

The anti-capture posture is the asset: trust the rails because the steward engineered its own inability to capture them — and that is checkable, not asserted. Two artifacts below are designed to be read by an adversary.

GET /.well-known/ocss/succession · transfer proposed, not executed
// the signed §12.3 succession record, served unauthenticated
{
  "steward_of_record": "Phosra, Inc.",
  "interim_steward":  "",                 // VACANT — designation due 2026-07-09
  "covenant_ref":     "<hash:version>",    // content-addressed; a swap trips a 72h breach
  "transfer_status":  "held",             // held | in_transfer | runway_below_floor | transferred
  "target_gate":      "foundation transfer",
  "updated_at":       "2026-…"
}

The record is served, not announced: a change of control that does not update it within 72 hours is itself a covenant breach, observable from cache. transfer_status="held" is the honest present state — the foundation transfer is proposed, the steward still holds. And the federation-health code (below) rates the present, one-router world Red — by design: that is shipped logic, not a slogan.

verify-it-yourself · gated
We are not presenting this record as passing. While interim_steward is vacant it is a live GOV-SC-01 condition; the public "verify the exit" call opens once the designation is published (due 2026-07-09). We will not claim a designation that does not exist.

Federation health · shipped logic
1 accredited router (the reference implementer) · required for Green: 3
Red below 2 · Yellow below 3 · Green at ≥3 independently accredited

Today the network computes Red: one router is not a federation, and "N+M with one hub is just N×M renamed." Yellow is also computed from any overdue milestone above and from a vacant interim steward past 2026-07-09 — the health meter reads the gaps rather than asserting around them. The rule (Red below 2 · Yellow below 3 · Green ≥3) is in the reference implementation; see the Trust List and Governance.
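
The rule above, written out as an added example; this is not the reference implementation's code. It strict-parses a succession record against the closed transfer_status vocabulary and then computes the rating from the router count, the 2026-07-09 steward date and the T0/T1 due dates. Taking the worst finding as the overall rating, the milestone completion flags, and the function names are assumptions of this example.

```python
import json
from datetime import date

# Closed vocabulary copied from the comment in the succession record above.
TRANSFER_STATES = {"held", "in_transfer", "runway_below_floor", "transferred"}
STEWARD_DUE = date(2026, 7, 9)   # interim steward designation date (GOV-SC-01)
SEVERITY = {"Green": 0, "Yellow": 1, "Red": 2}

# Constructed sample mirroring the record shown above; updated_at omitted.
SAMPLE_RECORD = """{"steward_of_record": "Phosra, Inc.", "interim_steward": "",
 "covenant_ref": "<hash:version>", "transfer_status": "held"}"""

# Milestone name -> (due date from the page, completed?). Completion flags
# are constructed inputs; a real check would read them from published records.
MILESTONES = {"T0 key ceremony": (date(2026, 9, 30), False),
              "T1 second runner": (date(2027, 3, 31), False)}


def parse_succession(raw):
    """Strict parse: reject missing fields and out-of-vocabulary status."""
    rec = json.loads(raw)
    if not isinstance(rec, dict):
        raise ValueError("succession record must be a JSON object")
    for key in ("steward_of_record", "interim_steward", "transfer_status"):
        if not isinstance(rec.get(key), str):
            raise ValueError(f"missing or non-string field: {key}")
    if rec["transfer_status"] not in TRANSFER_STATES:
        raise ValueError(f"unknown transfer_status: {rec['transfer_status']!r}")
    return rec


def federation_health(routers, record, milestones, today):
    """Return (rating, reasons); the worst finding wins (assumed combination)."""
    findings = []
    if routers < 2:
        findings.append(("Red", f"{routers} accredited router(s), fewer than 2"))
    elif routers < 3:
        findings.append(("Yellow", f"{routers} accredited routers, fewer than 3"))
    if not record["interim_steward"].strip() and today > STEWARD_DUE:
        findings.append(("Yellow", "GOV-SC-01: interim_steward vacant past due date"))
    for name, (due, done) in milestones.items():
        if not done and today > due:
            findings.append(("Yellow", f"milestone overdue: {name}"))
    rating = max((r for r, _ in findings), key=SEVERITY.get, default="Green")
    return rating, [why for _, why in findings]


if __name__ == "__main__":
    rec = parse_succession(SAMPLE_RECORD)
    print(federation_health(1, rec, MILESTONES, date(2026, 6, 1)))
```

The returned reasons list is what makes the rating recomputable by a reader: every Yellow or Red traces to a published count or date rather than to an assertion.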


§ 4

Built vs. exposed, today

What is implemented and what is a named next phase, stated separately so a diligence reviewer never has to discount a claim. Honesty about what is not shipped builds more trust than implying a running network.

Capability | Status | What that means
Signed succession record (§12.3) | live | Served at GET /.well-known/ocss/succession, ETag-conditional, transfer_status=held.
§9.4 institutional attestation export | live | The district-scoped signed-evidence CSV endpoint is implemented.
Receipt rail (Ed25519, RFC 8032) | live · golden-vector-tested | The hash-chained Receipt emitter is implemented and tested against golden vectors; the public query endpoint ships in a later phase.
Trust List compiler & closed-vocabulary parsers | live | The reference implementation of the compiler and the strict-parse rejection paths exists.
Public Trust Framework API (route / verify / accredit) | next phase | The hosted routing and accreditation plane is a named deliverable, not a live endpoint today.
Conformance suite + reference emitter | next phase | Suite in drafting (Q3 2026); the platform-side reference emitter does not exist yet.
Trust List root key ceremony (T0) | scheduled · ≤ 2026-09-30 | Root is single-firm custody today; the 3-of-5 threshold ceremony is scheduled; transfer proposed, not executed.

Read the early, true version. Then help close a gate.

The fastest way to move any zero above is to implement against Draft 4 and self-attest. Implementing is always free, and never a precondition for anything.