Trust-Anchor Honesty

The protocol unbundles centralisation from the wire. It does not eliminate it from operations. This page says so in writing.

Forward-looking concept

Honest framing about where centralisation still lives is load-bearing for the pitch. A reader who concludes “there is no central authority anywhere” will be surprised by the bootstrap layer; better to surface it up front.

Protocol vs. operations

The protocol layer is genuinely sovereign per kernel. Trust establishment is bilateral, key pinning is per-peer, and revocation propagates via gossip. There is no master key, no validator election, and no quorum threshold for routine action.

Every kernel still has to answer the operational question: “which kernel public keys do I accept handshakes from in the first place?” The answer is necessarily out-of-band. In practice it will be one of: an industry consortium roster (an ISAC-equivalent for the relevant sector); an out-of-band PKI (a CA regardless of what it is called); operator-mediated key exchange (does not scale past dozens of peers); or a sector regulator publishing the canonical roster (likely outcome for finance and healthcare).

The honest framing in three sentences

Trust-anchor bootstrap is operations, not protocol. Chiodos is a sovereignty-preserving overlay on top of an anchor that the participants choose, not a replacement for the anchor itself. That is a real improvement over a single hardcoded anchor; it is not the same as “no central authority.”

Sectoring: who issues the roster

Operational trust-anchor cost varies by sector and drives go-to-market sequencing. The table below maps the bootstrap surface across the sectors covered in CHIODOS_TRUST_ANCHOR_COSTS.md. Each row names the roster issuer that is closest to existing today, the bootstrap path an early adopter would take, the ceiling on organic peer count before that path breaks, and the primary risk against the chiodos framing.

| Sector | Roster issuer | Bootstrap path | Peer-count ceiling | Primary risk |
|---|---|---|---|---|
| Banking (interbank) | SWIFT PKI | Bind a kernel key to a BIC; ride CSP v2026 attestation | High (SWIFT scale) | Sectoral PKI compromise is high-blast-radius |
| Federal government | FPKI / FedRAMP | Pin FPKI as trust source; FBCA cross-cert path | High (whole-of-government) | Regulator-published roster is a regulatory-capture vector |
| Healthcare | DirectTrust + H-ISAC | Add a chiodos kernel-key endpoint to DirectTrust’s 2026 accreditation refresh | High (2.7M Direct endpoints) | HIPAA / HITECH downstream-liability framing slows clinical scenarios |
| Energy (electric IOUs) | E-ISAC / NERC | Map a chiodos passport to a NERC CIP-tagged BES Cyber System | Medium (electric subsector only) | NERC enforcement coupling chills cross-org co-signing |
| General SaaS | None today | Operator-mediated key exchange between vendor pairs | Low (~50 peers per kernel) | Cliques never reach the network effects the cross-vendor pitch depends on |
| Mid-market enterprise | None today | Operator-mediated key exchange or vendor-issued roster | Low | Vendor-issued rosters fragment the federation graph; competing roster issuers do not intersect |

Migration is a renewable contract

A participant declares its accepted bootstrap roots in its passport. The relevant property is set-valued: a passport may declare accepted_bootstrap_roots = [SWIFT_PKI_root, DirectTrust_root] and a peer accepts the passport if at least one root is also accepted on the peer’s side. Migrations from one anchor to another are not a fork; they are an additive change at the next anchor epoch.

Worked example: a mid-market vendor runs operator-mediated key exchange against three buyer counterparties. The buyers later coordinate around a sectoral consortium that publishes a signed roster. The vendor onboards once, then issues a passport revision whose accepted_bootstrap_roots adds the consortium root alongside the existing operator-pinned keys. A peer that still relies on operator-mediated trust sees no change: the original pinned key is still in the set. A peer that prefers the consortium root sees a passport whose root set now intersects its own. The handshake completes either way; the kernel does not have to know which root each side honoured.

What the peer sees during the swap, in order: the new passport with an extended root set arrives over gossip; the local kernel verifies that the new passport is signed by the previous passport’s kernel key (continuity); the local kernel checks intersection with its own accepted roots and finds the intersection unchanged or widened; the next handshake under the new passport completes with no operator action required. No replay, no manual reconciliation, no global roster reconciliation step. The chiodos protocol does not federate roster issuers itself: it only requires that two participants share at least one accepted root.
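An added example, not code from the Chiodos project: the continuity and root-intersection checks from the swap sequence above, in Python. The Passport layout, the function names and the root labels are assumptions, and a hash-based Lamport one-time signature stands in for the kernel signature scheme, which this page does not specify.

```python
import hashlib, json, secrets
from dataclasses import dataclass

def _h(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def _bits(msg: bytes):
    d = _h(msg)  # the signature covers the 256 bits of the message digest
    return [(d[i // 8] >> (i % 8)) & 1 for i in range(256)]

# Lamport one-time signature (stand-in, assumption): each key signs ONE revision.
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, tuple((_h(a), _h(b)) for a, b in sk)

def sign(sk, msg: bytes):
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        _h(s) == pk[i][bit] for i, (bit, s) in enumerate(zip(_bits(msg), sig)))

@dataclass(frozen=True)
class Passport:  # hypothetical layout; only the root set is named on the page
    kernel_pk: tuple
    accepted_bootstrap_roots: frozenset

    def encode(self) -> bytes:  # canonical bytes covered by the signature
        pk_id = _h(b"".join(a + b for a, b in self.kernel_pk)).hex()
        return json.dumps([pk_id, sorted(self.accepted_bootstrap_roots)]).encode()

def check_revision(prev, new, sig, local_roots):
    """Return (accepted, detail) for a passport revision received over gossip."""
    # Continuity: the revision must be signed by the PREVIOUS passport's kernel key.
    if not verify(prev.kernel_pk, new.encode(), sig):
        return False, "continuity check failed"
    before = prev.accepted_bootstrap_roots & frozenset(local_roots)
    after = new.accepted_bootstrap_roots & frozenset(local_roots)
    if not after:  # acceptance needs at least one shared root
        return False, "no shared bootstrap root"
    if after == before:
        return True, "unchanged"
    # A dropped shared root is still accepted here, but reported so it is visible.
    return True, "widened" if before <= after else "narrowed"

if __name__ == "__main__":  # constructed sample: vendor adds a consortium root
    (sk0, pk0), (_, pk1) = keygen(), keygen()
    old = Passport(pk0, frozenset({"operator_pin_vendor"}))
    rev = Passport(pk1, frozenset({"operator_pin_vendor", "consortium_root"}))
    print(check_revision(old, rev, sign(sk0, rev.encode()), {"consortium_root"}))
```

Because the stand-in key is one-time, each revision in this sketch carries a fresh kernel key; a kernel using a reusable signature scheme could keep the same key across revisions.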

Making the swap visible

Every passport is verifiable end-to-end at handshake time, including which bootstrap roots it declares as accepted. Trust-anchor migrations (a sector moving from operator-mediated exchange to a published roster, or adding a second roster alongside an existing one) are visible to every peer that verifies the passport. The substrate does not subsidise cross-issuer reconciliation, and that is deliberate: subsidising it would re-centralise the bootstrap that section 2.5 deliberately decentralises.

Sequencing implications

The sector table above sorts naturally into three tiers, and the sequencing decision falls out of that sort.

  • Tier 1 leads. Banks (interbank) via SWIFT PKI and federal government via FPKI are the two cleanest anchors in production today. The work is a binding profile, not new infrastructure: a chiodos kernel key bound to a BIC, or pinned under FPKI, ships in 1-3 months. These are the go-to-market beachheads because the bootstrap cost is near zero and the destination policy work is the only real path-finding.
  • Tier 2 follows on the consortium pitch. Non-bank financial services via FS-ISAC, healthcare clinical scenarios via H-ISAC, electric utilities via E-ISAC, vehicle OEMs via Auto-ISAC, and aviation via Aviation-ISAC all have a credible roster issuer with no published roster yet. The second-wave SOC-consortium pitch depends on these ISACs treating “publish a signed kernel-key roster” as a first-class data type alongside their existing membership service. Fixed cost per ISAC is under $500K; marginal cost per member is negligible. The pitch is not “build a chiodos consortium”; it is “extend your existing membership service.”
  • Tier 3 waits. Gas and water utilities, surface freight, the non-mobile slice of telecommunications, maritime, and state / local / tribal government all lack both production PKI and a sectoral roster issuer with the funding to act as one. In these sectors the chiodos protocol design must keep operator-mediated exchange first-class because it is the only viable bootstrap for the next several years.

The second-wave SOC-consortium pitch lives or dies on Tier 2 execution. If the named ISACs publish signed rosters on a defined roadmap, Tier 3 sectors can opt in as their own anchors mature; if they do not, Tier 3 stays a permanent backwater and the cross-vendor network effect never lights up.