This document specifies GQTS Core as a protocol profile for publishing trust-service verification material under the GIDAS framework.

GQTS Core defines discovery, append-only directed linear signed-token history invariants, merge-reconciliation semantics, and a deterministic verifier algorithm. Endpoint contracts are published in openapi.yaml and rendered at ./openapi/.

This is an unofficial draft.

This document is technical and does not itself create legal recognition, supervisory status, or jurisdictional qualification.

AI assistance disclosure: this draft used OpenAI GPT-5 Codex for drafting support, structure proposals, and editorial rewrites. Human editor review controls normative intent and accepted wording.

The key words MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals.

Conforming implementations MUST satisfy all requirements for at least one conformance class in Conformance Classes.

This specification defines externally observable data models, protocol outcomes, and verifier algorithms. It does not define implementation architecture, runtime internals, or performance strategies.

NOTE: The openapi.yaml contracts are indicative and are not yet normative. Official schemas will be finalized after the first reference implementation.

Positioning and Adoption Model

This section is informative. It expresses stakeholder adoption pathways as explicit goal -> required artifact/interface -> verifier behavior -> adoption pathway mappings.

Stakeholder Goal Required Artifact/Interface Verifier Behavior Adoption Pathway
Device and platform manufacturers Provide auditable key-custody and signer-intent evidence surfaces. Controller/key evidence objects and integrity proofs exposed through GQTS logs. Verify proof chains, key-state continuity, and event-history integrity. Publish conformance targets and expose machine-verifiable evidence interfaces.
Wallet and application implementers Implement end-user controlled signing and attestation workflows. Event envelopes, proof objects, and service descriptors conforming to OpenAPI schemas. Validate deterministic event processing and proof verification outcomes. Ship profile-conformant interfaces and publish conformance evidence artifacts.
Standards development organizations Define interoperable profiles and test suites. Profile constraints, test assertions, and registry/discovery policies. Execute profile test assertions against normative schemas and algorithms. Publish profile work items and normative deltas over GQTS Core.
Governments and regulators Publish authoritative policy and recognition inputs. Authoritative registries, trusted lists, and governance discovery endpoints. Separate cryptographic validity outputs from legal recognition outputs. Adopt compatibility mappings without changing core cryptographic semantics.
Auditors, CABs, and assessors Evaluate conformance using machine-verifiable evidence. Conformance reports, test transcripts, and evidence artifacts bound to requirement IDs. Check requirement-level traceability and deterministic failure handling. Issue assessment outputs bound to reproducible verification procedures.
Verifiers and relying parties Make deterministic acceptance decisions from evidence. Scheme/type/event retrieval endpoints and policy input registries. Execute verifier algorithm and reject unverifiable or inconsistent states. Integrate GQTS retrieval and verification as a policy-separated trust layer.

Framework Naming

Framework Interaction

GQTS Core is the publication and verifier-retrieval substrate used by GIDAS component artifacts. GDIS defines identity-binding evidence objects [GDIS-CORE], and GQSCD defines device/controller assurance evidence objects [GQSCD-CORE]. GQTS defines host, event-log, and deterministic verification behavior for those artifacts without redefining their component-specific semantics. Wallet-private proof artifacts remain outside GQTS storage scope; GQTS publishes public verification material and optional blinded verification references only.

The following figures are informative presentation aids and do not define additional conformance requirements.

Framework Interaction

Framework interaction model GDIS and GQSCD evidence flow into GQTS publication and retrieval. Verifiers run deterministic checks and separate policy outputs. GDIS Evidence Identity Binding GQSCD Evidence Device Assurance GQTS Core Publish + Replicate + Retrieve Verifier Mechanical Validity Policy Layer Recognition Status
GQTS defines the shared publication substrate; component evidence semantics remain in GDIS and GQSCD.

Publication and Verification Loop

Publication and verification loop Event submission is validated, appended, retrieved with head checks, and verified deterministically before policy output. Submit Event POST ingest Validate Schema + Proof Append Log Head updated Head Compare cheap divergence check Deterministic Verify Mechanical + Policy
Invalid input is rejected before append; accepted history is verified through deterministic checks and separated policy processing.

Scope

This specification covers:

This specification does not:

Terminology

GQTS host
An HTTP origin that serves GQTS resources and MAY ingest, replicate, and gossip append-only signed-token history material.
service descriptor
A machine-readable object describing one trust-service instance, its type, and its current token-chain head state.
scheme descriptor
A machine-readable governance-scoped object describing naming rules, proof profile, canonicalization profile, and publication floor requirements.
verification material
Publicly retrievable trust data used by verifiers, including verification methods, controller references, status metadata, and signed event history. Wallet-private claims are out of scope.
event namespace
A scoped signed-token stream identified by a log identifier where entries form an append-only directed linear history.
head token
Identifier of the latest accepted token for an event namespace, used for cheap synchronization checks before heavy retrieval.
merge token
A signed token that reconciles competing candidate heads while preserving one canonical previous-token pointer in the accepted chain.
bad node
A candidate event entry that fails deterministic acceptance checks (for example schema, previous-token linkage, key-lineage constraints, or proof verification) and is therefore rejected from accepted history.
mechanical validity
A verifier result stating that schema constraints, signatures/proofs, canonicalization, and signed-token chain requirements were satisfied.
recognition status
A policy output derived from external governance sources (for example trusted lists, legal registries, contractual trust anchors), separate from mechanical validity.
governance code
A normalized identifier for governance-scoped objects. In this profile, values MUST be lowercase ASCII and match the pattern defined by the OpenAPI schema `GovernanceCode`.

Data Model Semantics Baseline

JSON payload semantics in this specification follow RFC 8259 [RFC8259]. Data-model terms such as list, set, tuple, and byte sequence follow WHATWG Infra terminology unless a profile states an explicit override [INFRA].

Protocols and APIs

Indicative Endpoint Contract (Draft)

Endpoint contracts are published in `./openapi.yaml` (OpenAPI 3.1.2). In this draft they are indicative ("suuntaa antavia") and may change before final schema lock after the first reference implementation. Rendered documentation is available at `./openapi/`.

This ReSpec document MUST NOT restate endpoint wire contracts. It defines invariant constraints, threat-model boundaries, and verifier processing semantics that apply to OpenAPI-delivered objects.

Operation Anchors

OperationId Purpose
getSchemeDescriptor Fetch governance-scoped scheme metadata.
getEndpointKindCatalog Fetch declared endpoint-kind taxonomy for a governance profile.
getTypeDescriptor Fetch one trust-service descriptor with current head-token state.
getEventLogView Fetch event-log head view or event page for a namespace.
postEventIngest Submit an ingest event; acceptance and state-transition semantics are defined in the draft OpenAPI contract.
getEventHeadMeta Fetch compact event-head metadata for low-cost divergence checks.
getEventById Fetch one immutable event object by identifier.

Schema Anchors

Media Type Governance

Media types in this profile follow RFC 6838 [RFC6838] and use the structured syntax suffix +json where semantics are JSON. Profile revisions MUST preserve backward compatibility expectations or publish a versioned media-type change policy.

Endpoint-Kind Taxonomy (Normative)

Endpoint Kind Primary Operation Anchors Primary Schema Anchors Consistency Model
scheme getSchemeDescriptor, getEndpointKindCatalog SchemeDescriptor, EndpointKindCatalog Mutable with explicit versioning and validators.
type getTypeDescriptor ServiceDescriptor Mutable with explicit head-token references.
event getEventHeadMeta, getEventLogView, postEventIngest, getEventById EventHeadMeta, EventLogView, EventEnvelope, AsyncReceipt Append-only history with explicit merge tokens.

Normative Requirements

Each normative requirement in this document is mapped to OpenAPI operation and schema anchors. Protocol invariants are defined here; draft wire contracts are tracked in OpenAPI. Each mapped operation carries the matching `x-gqts-requirement` extension in `openapi.yaml`.

  1. REQ-GQTS-01 Discovery Scope: Implementations MUST support governance-scoped discovery via getSchemeDescriptor and schema constraints in SchemeDescriptor.
  2. REQ-GQTS-02 Endpoint-Kind Publication: Implementations MUST publish endpoint-kind mapping material via getEndpointKindCatalog conforming to EndpointKindCatalog.
  3. REQ-GQTS-03 Service Descriptor Integrity: Implementations MUST expose current service head-token state through getTypeDescriptor using ServiceDescriptor.
  4. REQ-GQTS-04 Low-Cost Divergence Detection: Verifiers and peers SHOULD compare compact head-token metadata via getEventHeadMeta before heavy sync work.
  5. REQ-GQTS-05 Append-Only Retrieval: Event history retrieval MUST use getEventLogView and EventLogView, preserving append-only interpretation rules.
  6. REQ-GQTS-06 Asynchronous Ingest: Event ingest/gossip MUST be modeled as asynchronous acceptance through postEventIngest and corresponding ingestion-receipt objects represented by AsyncReceipt.
  7. REQ-GQTS-07 Immutable Event Addressing: Event-object retrieval MUST use getEventById and validate EventEnvelope.

Normative Source Constraints

External Fact Layer

Mandate (law/standards)

Statements about legal effect are constrained to this section. GQTS Core does not define legal recognition; it defines technical evidence and verification behavior.

Compatibility profiling and assessment workflows MAY map conformance evidence to ETSI trust-service policy and assessment baselines where applicable [ETSI-319401]. Such mapping does not change cryptographic verification outcomes defined by this specification.

Well-Known URI Governance

GQTS discovery uses `/.well-known/` semantics and therefore depends on RFC 8615 rules and the IANA Well-Known URI registry process [RFC8615] [IANA-WKU].

Qualification Terminology Discipline

Terms such as "qualified", "notified", "listed", or "recognized" MUST be backed by independently verifiable legal or regulatory sources in the target jurisdiction, such as EU eIDAS legal texts and trusted-list frameworks where applicable [EU-910/2014] [EU-910-CONS] [EU-2024/1183] [EU-TRUSTED-LISTS].

OpenAPI Contract Authority

Endpoint behavior is published in OpenAPI 3.1.2 [OPENAPI-3.1.2]. In this draft, those schemas are indicative ("suuntaa antavia") and become normative only after the first reference implementation freezes the contract set. ReSpec prose in this document is interpretive for invariants and verifier processing only.

Architecture

Well-Known Discovery Path

The default discovery namespace is: /.well-known/gidas/gqts/<kind>/<id>.

<kind> is an enumerated token set: type, event, scheme. <id> is either a UUID-like service/log identifier or a governance code value validated by GovernanceCode.

Tamper-Evident History Invariants

Open Participation Replication

Replication is open participation: any origin MAY operate as a GQTS host and gossip GQTS material. Governance profiles MAY define minimum publication targets, but MUST NOT define a maximum or exclusive host set by schema.

Admission control is protocol-validity based: hosts MUST validate incoming event objects against applicable OpenAPI schema constraints and proof-verification requirements before acceptance. Invalid entries MUST be rejected and MUST NOT be merged into accepted history; when reporting endpoints exist, hosts SHOULD expose bad-node diagnostics.

Caching and Conditional Retrieval

Hosts SHOULD expose `ETag` values aligned with the current head token. Verifiers and peers SHOULD use conditional retrieval (`If-None-Match`) before transferring event pages [RFC9110]. Immutable event retrieval and append-only log views MUST declare cache behavior explicitly in the OpenAPI contract.

Threat Model

Mechanical Verifier Algorithm

  1. Resolve service descriptor and scheme descriptor metadata using getTypeDescriptor and getSchemeDescriptor.
  2. Fetch a cheap head view using getEventLogView with conditional headers.
  3. If head token values from peer hosts are equal, skip heavy merge processing.
  4. If head token values differ, fetch only missing chain segments and validate canonicalization, previous-token linkage, root-to-head verification-method lineage, and proof material for each candidate head.
  5. Classify any candidate entry that fails deterministic checks as a bad node, reject it from accepted history, and optionally report it.
  6. Accept merge only when represented as an explicit merge token that reconciles candidate heads while preserving one canonical previous-token pointer.
  7. Produce separate outputs: (a) mechanical validity, (b) recognition status from external governance inputs.

Verifier Pipeline View (Informative)

Verifier pipeline The verifier resolves descriptors, checks head divergence, fetches missing chain segments, verifies proofs and token-link constraints, and emits separate mechanical and policy outputs. Resolve scheme + service Compare Heads cheap branch check Fetch Missing chain segments Verify schema + chain + proof Output A Mechanical Validity Output B Recognition Status
This figure summarizes the algorithmic step order; normative processing behavior remains defined by the textual algorithm above.

Trust decisions MUST consume both outputs. A positive mechanical result without an accepted governance source yields cryptographic validity only.

Deterministic processing requirements: verifiers MUST apply the canonicalization and proof profile declared by SchemeDescriptor; MUST validate previousEventId linkage, sequence monotonicity, and rotation constraints for each processed event; MUST verify every event proof against its declared cryptosuite profile; and MUST emit a deterministic failure code from ErrorCode whenever any required check fails.

Proof Profile Baseline

Unless a profile explicitly overrides this behavior, proof objects for event integrity MUST follow the VC Data Integrity proof model [VC-DATA-INTEGRITY] and MUST include type, cryptosuite, and proofValue. ECDSA profiles MUST align identifiers and verification rules with [VC-DI-ECDSA].

Verification method resolution SHOULD align with Controlled Identifiers [CONTROLLER-DOCUMENT].

Proof verification MUST be deterministic: canonicalization input, signature/proof verification input, and verification method resolution MUST produce identical acceptance outcomes for identical artifacts.

A valid signature/proof already binds the integrity of canonicalized token content. Standalone content-hash claims are protocol overhead in this version and MUST be ignored for acceptance, conflict detection, and merge decisions.

Verification Failure Semantics

Verification failures MUST be reported using deterministic error codes represented by ErrorCode and conveyed through ProblemDetails.code.

Error Code Failure Condition
ERR_SCHEMA_VALIDATION Input object fails schema or required-field constraints.
ERR_CANONICALIZATION_FAILURE Canonicalization cannot be completed deterministically.
ERR_TOKEN_CHAIN_LINK_INVALID Directed linear token linkage does not fit accepted history constraints.
ERR_UNSUPPORTED_CRYPTOSUITE Proof declares a cryptosuite not supported by the verifier profile.
ERR_PROOF_VERIFICATION_FAILED Cryptographic proof verification returns invalid.
ERR_ROTATION_CHAIN_INVALID Verification method rotation is not valid under declared chain rules.
ERR_HISTORY_CONFLICT Conflicting candidate history cannot be accepted or reconciled.
ERR_POLICY_INPUT_UNAVAILABLE Required external governance input cannot be resolved.
ERR_POLICY_REJECTED Policy-layer checks reject an otherwise mechanically valid artifact.

Architecture Rationale (Non-Normative)

Architecture Layer

GQTS is the reusable event-log substrate for framework components that already depend on decentralized verifier retrieval under the `/.well-known/gidas/...` namespace, including GDIS and GQSCD artifacts [GDIS-CORE] [GQSCD-CORE].

Event-Log Properties

Referenced mechanisms such as CEL and did:webvh converge on the same core properties: canonical bytes before signing, directed linear history, explicit proof material, and retrieval-portable verification. [CEL] [DID-WEBVH]

GQTS keeps these properties as mandatory invariants while allowing application profiles (for example GDIS bindings, trust registries, or device evidence publication) to define their own event payload semantics.

Well-Known Registration Baseline

This profile uses the `/.well-known/gidas/` umbrella namespace, with GQTS resources under `/.well-known/gidas/gqts/`. Deployments using this namespace SHOULD follow RFC 8615 and IANA well-known registration procedures [RFC8615] [IANA-WKU].

Conformance Classes

Class Required Requirements Required Outcomes
Host REQ-GQTS-01, REQ-GQTS-02, REQ-GQTS-03, REQ-GQTS-05, REQ-GQTS-06, REQ-GQTS-07 Governance-scoped discovery, append-only event retrieval, asynchronous ingest, and immutable event addressing with deterministic acceptance rules.
Verifier REQ-GQTS-01, REQ-GQTS-03, REQ-GQTS-04, REQ-GQTS-05, REQ-GQTS-07 Deterministic execution of the Mechanical Verifier Algorithm with separate outputs for mechanical validity and recognition status.
Scheme Publisher REQ-GQTS-01, REQ-GQTS-02, REQ-GQTS-03 Publication of governance-scoped descriptors and endpoint-kind mappings that remain consistent with declared protocol invariants.

Conformance Reporting

A conformance claim MUST be accompanied by a machine-readable conformance report.

Field Requirement
implementationId, version Unique implementation identifier and version string.
conformanceClasses Declared conformance class set.
requirementCoverage Coverage list using `REQ-GQTS-xx` identifiers.
testResults Test assertion identifiers and execution outcomes.
cryptosuiteProfile Supported cryptosuites and verification profile declaration.
negativeTestCoverage Failure-code coverage for `ErrorCode` negative tests.
policyInputs Governance/policy input sources used for recognition-status evaluation.

Security Considerations

Privacy Considerations

Implementation Status Note

A reference implementation and API-focused example set for GQTS Core is in active development. The first reference implementation is the stabilization point for freezing currently indicative ("suuntaa antavia") OpenAPI schemas into normative contracts.

References

Core Protocol and Registry References

Proof And Controller References

Event-Log References and Inputs

Law and Policy Inputs