This page details the rigorous process by which each DEFONEOS BFT Council motion's owner cosign is verified, forming a critical pillar for DEFONEOS-SEAL eligibility and overall system integrity.
Every motion submitted to the DEFONEOS BFT Council requires an explicit digital cosign from the designated "Owner" (Ring 1). This ensures accountability and prevents unauthorised or unverified motions from entering the decision-making pipeline. The cosign is cryptographically linked to the motion content.
The owner cosign verification relies on a robust cryptographic chain:
For any MCP or component to achieve DEFONEOS-SEAL certification, all associated motions must meet the following owner cosign criteria:
The following script demonstrates how to programmatically verify an owner cosign for a given motion (example uses a placeholder motion ID). This can be integrated into automated CI/CD pipelines or compliance checks.
#!/bin/bash
MOTION_ID="example-motion-123"
OWNER_PUBLIC_KEY="[OWNER_PUBLIC_KEY_HEX]" # Replace with actual public key
MOTION_CONTENT_URL="https://www.csoai.org/motions/${MOTION_ID}/content.json"
MOTION_SIGIL_URL="https://www.csoai.org/motions/${MOTION_ID}/sigil.json"
echo "--- Fetching Motion Content ---"
MOTION_CONTENT=$(curl -s "$MOTION_CONTENT_URL")
if [ $? -ne 0 ]; then echo "Error fetching content."; exit 1; fi
echo "$MOTION_CONTENT" | head -n 5
echo "... (truncated)"
echo "--- Fetching Motion SIGIL Data ---"
MOTION_SIGIL=$(curl -s "$MOTION_SIGIL_URL")
if [ $? -ne 0 ]; then echo "Error fetching SIGIL."; exit 1; fi
SIGNED_HASH=$(echo "$MOTION_SIGIL" | jq -r '.signed_hash')
OWNER_SIGNATURE=$(echo "$MOTION_SIGIL" | jq -r '.owner_signature')
if [ -z "$SIGNED_HASH" ] || [ -z "$OWNER_SIGNATURE" ]; then
echo "Error: Signed hash or owner signature not found in SIGIL data."
exit 1
fi
echo "--- Recomputing BLAKE3 Hash ---"
RECOMPUTED_HASH=$(echo "$MOTION_CONTENT" | blake3 --no-names | awk '{print $1}')
if [ "$SIGNED_HASH" != "$RECOMPUTED_HASH" ]; then
echo "VERIFICATION FAILED: BLAKE3 hash mismatch."
echo " Signed Hash: $SIGNED_HASH"
echo " Recomputed Hash: $RECOMPUTED_HASH"
exit 1
else
echo "BLAKE3 Hash Match: OK"
fi
echo "--- Verifying Ed25519 Signature ---"
# This would require a local utility for Ed25519 verification against a public key
# Example (conceptual, requires specific crypto library/tool):
# ED25519_VERIFY_RESULT=$(echo "$RECOMPUTED_HASH" | ed25519_verify "$OWNER_SIGNATURE" "$OWNER_PUBLIC_KEY")
# if [ "$ED25519_VERIFY_RESULT" == "VALID" ]; then
# echo "Ed25519 Signature: VALID"
# else
# echo "Ed25519 Signature: INVALID"
# exit 1
# fi
echo "--- Owner Cosign Verification: PASSED ---"
Note: Full Ed25519 signature verification requires a local cryptographic utility (e.g., libsodium or pynacl) that can interpret the signature against the public key. The example above illustrates the logical flow.