Witness-List Rotation Policy — quarterly, public, ring-by-ring, SIGIL-anchored.
This page defines how the 33-agent BFT defence council selects and rotates its witnesses. The witness list is the cryptographic anchor of every motion: three witnesses per motion, drawn from distinct rings, with Ed25519 signatures that bind the motion to a specific composition of the council at a specific moment. Rotation prevents witness-key compromise from becoming a permanent backdoor; quarterly cadence matches the BFT council ring-rotation cadence; SIGIL anchoring makes every witness-list snapshot independently verifiable.
33-agent BFT Quarterly rotation SIGIL-anchored
1 · Purpose and threat model
The witness list is the cryptographic anchor of every motion the council votes on. If a witness key is compromised, an attacker could in principle forge witness signatures on a malicious motion; the council treats this as a credible threat because agents may be software-only and may run on hardware with imperfect operational security. The rotation policy is designed so that:
- Witness keys have a bounded lifetime (max 90 days for R2/R3/R4, max 180 days for R5).
- Witness selection is deterministic from a verifiable random function (VRF) seeded by the SIGIL ledger digest of the previous rotation snapshot, so no single party can choose which agents witness a given motion.
- Witness-list snapshots are themselves signed and anchored in the SIGIL ledger, so any third party can verify that a motion was witnessed by the agents who were on the witness list at the time of the motion.
- Key compromise triggers an emergency rotation governed by sovereign-incident-response-runbook.
2 · Rotation cadence by ring
| Ring | Seats | Rotation cadence | Trigger | Witness duty |
|---|---|---|---|---|
| R1 · Owner seat | 1 | n/a (single human) | None (single human) | Co-sign on DEFONEOS-SEAL only |
| R2 · Defence prime seats | 6 | Quarterly (1 Jan, 1 Apr, 1 Jul, 1 Oct) | Calendar boundary + ≥ 90 days since last rotation | May witness standard / red-line / owner-seat motions (3 of 6 selected per motion) |
| R3 · Compliance officer seats | 8 | Quarterly | Calendar boundary + ≥ 90 days since last rotation | May witness standard / red-line / owner-seat motions (3 of 8 selected per motion) |
| R4 · Operator seats | 12 | Monthly | Calendar boundary + ≥ 28 days since last rotation | May witness standard / red-line / owner-seat motions (3 of 12 selected per motion) |
| R5 · Public witness seats | 6 | Semi-annually (1 Jan, 1 Jul) | Calendar boundary + ≥ 180 days since last rotation | May witness standard / red-line / owner-seat motions; mandatory for owner-seat motions (≥ 1 of 6 selected per owner-seat motion) |
3 · Selection procedure
For every motion, three witnesses are selected by a deterministic VRF seeded by the SIGIL ledger digest of the most recent rotation snapshot and the motion's nonce. The VRF output is a sorted list of eligible seats; the top three seats from distinct rings are the witnesses.
- Fetch rotation snapshot digest:
D = sha256(snapshot.json). - Compute VRF output:
V = VRF(sk_council, D || motion.nonce). - Sort eligible seats by
(ring_id, seat_id)and assign pseudo-random weights from V. - Select top three seats subject to ring-distinctness constraint.
- Witness-list snapshot for the motion includes the three selected seats, their public keys (Ed25519), and the VRF proof.
Canonical witness-list snapshot (excerpt — motion-142)
{
"motion_id": "motion-142",
"rotation_snapshot_digest": "sha256-1d2c3b4a5e6f...",
"rotation_snapshot_url": "https://www.csoai.org/witness/2026-Q3.json",
"vrf_proof": "vrf-9a8b7c6d5e4f...",
"witnesses": [
{"seat": "agent.r5.seat-1", "ring": "R5", "pubkey": "ed25519:c5e0a89d...", "weight": 0.98},
{"seat": "agent.r4.seat-7", "ring": "R4", "pubkey": "ed25519:9d8c7b6a...", "weight": 0.92},
{"seat": "agent.r3.seat-2", "ring": "R3", "pubkey": "ed25519:2c3d4e5f...", "weight": 0.89}
],
"ring_distinctness": "verified (R5, R4, R3 all distinct)",
"snapshot_signed_by": "ed25519:bft-counil-snapshot-signer-2026-Q3",
"snapshot_signed_at": "2026-07-01T00:00:00Z"
}
4 · SIGIL-anchored snapshots
A rotation snapshot is a JSON document listing all 33 active agents and their public keys, signed by the BFT council's snapshot-signer key, and anchored in the SIGIL ledger. Snapshots are published to /witness/YYYY-QN.json (quarterly for R2/R3/R4, monthly for R4 detail) and /witness/YYYY-QN-detail.json (full operator rotation).
| Snapshot | Date | Seats | Signer | Ledger anchor |
|---|---|---|---|---|
| 2026-Q3 (active) | 2026-07-01T00:00:00Z | 33 | bft-council-snapshot-signer-2026-Q3 | sigil://ledger/2026-07-01T00:00:00Z/bft-snapshot |
| 2026-Q2 (expired) | 2026-04-01T00:00:00Z | 33 | bft-council-snapshot-signer-2026-Q2 | sigil://ledger/2026-04-01T00:00:00Z/bft-snapshot |
| 2026-Q1 (expired) | 2026-01-01T00:00:00Z | 33 | bft-council-snapshot-signer-2026-Q1 | sigil://ledger/2026-01-01T00:00:00Z/bft-snapshot |
5 · Quorum and minority-case witness duties
The witness list has additional duties beyond the standard three-witness scheme. In particular:
- Owner-seat unanimous motions (DEFONEOS-SEAL issuance) — at least one R5 (public witness) seat must be selected. This ensures that any credential the compartment issues has at least one public-interest witness, in addition to the owner co-sign.
- Emergency containment motions (15-minute window) — at least one R3 (compliance officer) seat must be selected. This ensures a compliance perspective is recorded on any fast-quorum emergency action.
- Red-line supermajority motions (compartment rule change) — at least one R5 and one R3 seat must be selected. This ensures both public-interest and compliance perspectives are recorded.
6 · Key-compromise response procedure
If a witness key is suspected or confirmed compromised, the following procedure runs (full detail in the incident response runbook):
- Owner declares a SEV-1 incident and triggers emergency containment motion.
- Emergency rotation snapshot is published, immediately retiring all keys on the suspected-compromise path.
- All motions witnessed by the compromised key in the prior 30 days are re-voted with fresh witnesses.
- SIGIL ledger records the compromise and the re-vote tally.
- Public disclosure follows the sovereign-disclosure-policy 90-day window if the compromise resulted in a forged motion or public surface change.
7 · Current witness list (live)
The current active snapshot is 2026-Q3, dated 2026-07-01. The 33 active seats are listed below; the live witness-list snapshot URL is /witness/2026-Q3.json.
| Ring | Seat | Holder (role) | Pubkey fingerprint | Last rotation | Next rotation |
|---|---|---|---|---|---|
| R1 | agent.r1.seat-1 | Human owner (co-sign) | ed25519:owner-2026-05-14 | 2026-05-14 | n/a |
| R2 | agent.r2.seat-1 | Defence prime #1 | ed25519:prime1-q3-2026 | 2026-07-01 | 2026-10-01 |
| R2 | agent.r2.seat-2 | Defence prime #2 | ed25519:prime2-q3-2026 | 2026-07-01 | 2026-10-01 |
| R2 | agent.r2.seat-3 | Defence prime #3 | ed25519:prime3-q3-2026 | 2026-07-01 | 2026-10-01 |
| R2 | agent.r2.seat-4 | Defence prime #4 | ed25519:prime4-q3-2026 | 2026-07-01 | 2026-10-01 |
| R2 | agent.r2.seat-5 | Defence prime #5 | ed25519:prime5-q3-2026 | 2026-07-01 | 2026-10-01 |
| R2 | agent.r2.seat-6 | Defence prime #6 | ed25519:prime6-q3-2026 | 2026-07-01 | 2026-10-01 |
| R3 | agent.r3.seat-1..8 | Compliance officers (NCSC CHECK × 2, ISO 42001 × 2, JSP 936 × 2, JSP 604 × 2) | ed25519:comp1..8-q3-2026 | 2026-07-01 | 2026-10-01 |
| R4 | agent.r4.seat-1..12 | Active sovereign operators (solo SC-cleared × 4, dept × 4, MOD × 4) | ed25519:op1..12-q3-2026 | 2026-07-01 (monthly refresh for full list at /witness/2026-07-detail.json) | 2026-08-01 |
| R5 | agent.r5.seat-1..6 | Public witnesses (academic × 2, civil-society × 2, press × 2) | ed25519:pub1..6-h1-2026 | 2026-07-01 (semi-annual) | 2027-01-01 |
8 · Curl verification (3 tests)
Any third party can run these three tests in <60s on a fresh VM and confirm the witness-list rotation policy is being executed correctly.
Test 1 — fetch current snapshot
curl -fsS https://www.csoai.org/witness/2026-Q3.json | jq -r '.seats | length' # expect: 33
Test 2 — verify snapshot signature
curl -fsS https://www.csoai.org/witness/2026-Q3.json -o /tmp/snap.json curl -fsS https://www.csoai.org/pubkeys/bft-council-snapshot-signer-2026-Q3.pub -o /tmp/key curl -fsS https://www.csoai.org/witness/2026-Q3.json.sig -o /tmp/snap.sig openssl pkeyutl -verify -pubin -inkey /tmp/key -in /tmp/snap.json -rawin -sigfile /tmp/snap.sig # expect: Signature Verified Successfully
Test 3 — fetch last motion's witnesses and verify ring-distinctness
curl -fsS https://www.csoai.org/minutes/motion-142.json | jq -r '.witnesses[] | .ring' | sort -u | wc -l # expect: 3 (three distinct rings)
9 · Red-line invariants
- Witness keys have bounded lifetime — max 90 days for R2/R3/R4, max 180 days for R5; rotation is mandatory at calendar boundaries.
- Witness selection is deterministic and verifiable — VRF output is published for every motion; the same input always yields the same witness set.
- Witness-list snapshots are SIGIL-anchored — every snapshot's digest is committed to the SIGIL ledger at rotation time.
- Witness duty is ring-distinct — three witnesses per motion must come from three distinct rings; no two witnesses from the same ring.
- Owner-seat motions require an R5 witness — at least one public-interest witness on every DEFONEOS-SEAL issuance, regardless of other witnesses.
- Key compromise triggers emergency rotation — no compromise is allowed to persist beyond one SIGIL ledger anchor cycle (≤ 15 min for SEV-1, ≤ 4 h for SEV-2).
- Compartments never share witness keys — the witness keys in csoai-defoneos are distinct from any key in meok-defoneos or dagon; cross-compartment witness signatures are rejected at the SIGIL anchor step.