Four-root no-cascade revocation registry.
When a signing root rotates, sunsets, or is emergency-revoked, the event is recorded in an append-only log. Verifiers consult the registry to surface key status; customer mirrors retain the full history independent of H33's continued operations.
Invariants (architecture LOCKED v0.2)
- No-cascade: compromise of one root MUST NOT invalidate any other. Four roots, four independent logs, four independent custody locations.
- Records-forever: events are append-only. Customer mirrors are permitted and encouraged so the registry survives independent of H33's operational continuity.
- No federation of Federal customer fingerprints: Federal customers operate their own registry. H33 does not federate Federal-customer keys.
- Static-JSON storage: registry is published as JSON files (this URL tree). No database. CDN-cacheable. Simple to mirror.
The four roots
- Release Signing: Signs h33-verify binary releases. Closes the unsigned-checksum gap on /downloads/.
- Commercial Attestation: Signs Commercial-profile attestation outputs: TDA, Submission, Bundle. The trust anchor for the H33 thesis.
- PQ Envelope: Signs H33-PQ-1 envelopes on API delivery. Per-message provenance + replay detection.
- Federal Attestation: H33-operated Federal-profile reference signatures (CNSA 2.0 aligned). Federal CUSTOMER keys remain customer-held.
Machine-readable surface
- /revocation/index.json — registry root index. Lists the four H33-owned roots, the no-cascade invariant, the records-forever discipline, and per-root activation status.
- /revocation/schema/log-entry.schema.json — JSON Schema for log entries. Validates registration, sunset, revocation, and reinstatement events.
Activation timing: when an R<n> ceremony completes, the corresponding /revocation/r<n>-…/log.json is populated with a registration event within 24 hours per the ceremony execution packet §9. The activation status in /revocation/index.json migrates from AWAITING_CEREMONY to OPERATIONAL automatically.
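How a verifier or customer mirror could apply the no-cascade and records-forever invariants to the per-root logs, as an added example that is not H33's own code. The field names `event` and `key_id`, the key ids, and the `SUNSET` and `REVOKED` labels are assumptions; the real entry fields are defined by log-entry.schema.json.

```python
import json

# Assumed status labels. Only AWAITING_CEREMONY and OPERATIONAL appear on the
# page; SUNSET and REVOKED are illustrative names for the other event outcomes.
EVENT_TO_STATUS = {"registration": "OPERATIONAL", "reinstatement": "OPERATIONAL",
                   "sunset": "SUNSET", "revocation": "REVOKED"}

# Constructed sample logs, one per root. "event" and "key_id" are assumed
# field names and the key ids are made up.
LOGS = json.loads("""
{
  "Release Signing": [
    {"event": "registration", "key_id": "rel-key-1"},
    {"event": "revocation",   "key_id": "rel-key-1"},
    {"event": "registration", "key_id": "rel-key-2"}
  ],
  "Commercial Attestation": [{"event": "registration", "key_id": "com-key-1"}],
  "PQ Envelope": [
    {"event": "registration", "key_id": "pq-key-1"},
    {"event": "sunset",       "key_id": "pq-key-1"}
  ],
  "Federal Attestation": []
}
""")

def key_statuses(log):
    """Replay one root's log in order; the last event for a key decides its status."""
    statuses = {}
    for entry in log:
        statuses[entry["key_id"]] = EVENT_TO_STATUS[entry["event"]]
    return statuses

def root_view(logs):
    """No-cascade: each root is evaluated from its own log and nothing else."""
    view = {}
    for root, log in logs.items():
        registered = any(e["event"] == "registration" for e in log)
        view[root] = {"activation": "OPERATIONAL" if registered else "AWAITING_CEREMONY",
                      "keys": key_statuses(log)}
    return view

def mirror_is_consistent(mirrored, published):
    """Records-forever: the published log must extend the mirrored copy
    without altering or dropping any earlier entry."""
    return published[:len(mirrored)] == mirrored

if __name__ == "__main__":
    print(json.dumps(root_view(LOGS), indent=2))
```

A mirror that runs `mirror_is_consistent` on every fetch detects a rewritten or truncated log even if the publisher's copy is the one that changed.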