The Continuity Project configuration vs cultivation

The Asymmetry of Evidence

Two kinds of history

Trust evidence comes in two shapes, and they do not behave the same way.

When a verifier has directly observed a high-confidence defection, the observation is a durable negative. The observation does not un-happen. The verifier that saw it keeps the record. Any verifier that did not see it has to either watch independently or rely on what the original verifier reports, and the original verifier is the one whose substrate produced the observation in the first place. Direct observation does not by itself make a negative high-confidence (mistaken identity, ambiguous context, malicious reports, framing, compromised observation can all degrade confidence), but high-confidence observation, when it exists, is what the durable negative rests on.

A history of good behaviour does not have those properties. Past clean observations exist and can be stored. What decays under adversarial incentives is their predictive force. Clean history is perishable as evidence about what will happen next. It is manufacturable, in the sense that the actor has a strong incentive to produce as much of it as cheaply as possible. Past clean behaviour cannot veto a clearly observed later defection. It can shape the prior on noisy or low-confidence observations, but a sleeper's whole strategy is to make the prior expensive and the defection unambiguous.

The asymmetry is structural and narrow. A directly observed, verifier-local, high-confidence defection is the signal an adversary cannot fabricate. A long clean record under opportunity is the signal an adversary is incentivised to produce as much of as cheaply as possible. An adversary's optimal play is to manufacture the second cheaply and defect at the high-value moment. This is the sleeper attack, the aged-identity attack, the pattern where a long, clean record terminates in a single high-cost action.

A trust architecture that gives the positive signal equal weight with the negative one is matching its rules to the wrong shape. The asymmetry is not a flaw to be smoothed out. It is the underlying shape of what trust evidence is under adversarial conditions, and any system that does not match it is using a different model of evidence than the world supplies.

Credentials are the limit case

The cleanest case where the gap between stored summary and current behaviour bites is the portable credential treated by relying parties as evidence of current trustworthiness. The system that issued the credential may or may not still be observing the holder. The relying party reads the credential as if observation is current and continuous, and acts on it accordingly.

The real-world credential systems most often cited try, however slowly, to keep looking. Medical licensing has revocation boards and continuing education. Software certificate authorities have revocation lists. Insurance and malpractice history compose with the credential at the point of decision. None of these are full continuous-observation systems, but none have stopped looking either.

The defect that matters is sharper, and it is a defect of the relying party as much as of the issuer. When the credential is read as if it carries the issuer's current judgement of the holder's behaviour, the relying party is treating a stored summary as live evidence. The negligent doctor holds the licence on the same terms as the careful one until a slow second-order process catches up. The reaction time of the composite system (issue, observe, complain, review, revoke, propagate) is set by the slowest second-order process in the chain, which is often very slow indeed.

The general form of the error: any system that converts good-history into a portable token, hands the token to relying parties, and lets the relying parties treat the token as evidence of present trustworthiness, commits the same shape of mistake the credential commits in its purest form. The substrate has stopped looking, even if the issuer has not, because the relying party reads the token without re-asking the issuer. The asymmetry says the relying party has to keep looking, because the signal it needs (the next defection) is one that revocation, audit, and report can sometimes catch but only continuous observation catches reliably.

Slow up, fast down, as a design target

The principle the asymmetry forces is direct. Good-trust should rise slowly, decay continuously, and be re-earned by ongoing behaviour. Bad-behaviour penalties should be applied quickly and held longer than the reward they offset. The penalty must be stickier than the reward.

The reason has nothing to do with policy preference. A trust signal that rose as fast as it could fall would be claiming the positive evidence is as strong as the negative evidence, which the prior section showed it is not. A good-trust signal that never decayed would be claiming that what was observed five years ago binds what happens tomorrow, which is what credentials claim and is the same overclaim restated. The architecture that respects the asymmetry runs slow on the up because the positive signal genuinely is bounded, and slower on the down because the negative signal genuinely lasts longer.

Time's contribution to this is not what the surface picture suggests. Time is not mainly accumulating positive proof. Time is extending the window in which a defection would be caught. A long, well-observed history is valuable not because the cumulative good behaviour weighs heavily, but because the long observation window has had many chances to register a defection and did not. Sustained good behaviour under opportunity to defect is a real positive (long cons are expensive to run), and the value of the long history is the costliness of having kept it clean under that opportunity. The positive evidence is bounded, decaying, and conditional on continued opportunity. It is not a guarantee.

The architectural primitives the principle asks for are concrete, and the mapping to the current continuity-auth v1 build has to name where the build implements the principle and where it leaves slack. The trust score has a finite ceiling rather than accumulating without bound. The score decays toward neutral at a calendar-anchored rate (a 30-day half-life on idle trust) when no new observations arrive. A misbehaviour observation feeds two terms: a violation-rate erosion equal to violation-count / (violation-count + clean-count), which can be diluted by subsequent clean observations, and an IP-bounce-strike penalty that is durable but slowly decaying (a 14-day half-life on the strike count, not a permanent mark). Recovery is therefore not gated purely on calendar. It is partly gated on volume of replacement behaviour through the violation-rate denominator. The design target is that the penalty's half-life exceeds the reward's effective rebuild time at the abuse-relevant regime. The v1 build is an illustrative partial expression of the target rather than a proof of it: the abuse-relevant regime (traffic volume, TTL distribution, clean-count rate, strike accumulation) is not formally defined in the build, and the numbers are configured rather than derived from an invariant. The principle is the design direction. The v1 implementation expresses the direction partially, and the gap between principle and implementation is where the next round of work goes. The asymmetry the principle expresses is the architectural form of trusting the evidence the world actually generates, applied as a direction of design rather than as a property claim about the v1 build.

Durable-bad without a portable scarlet letter

The architecture wants bad-history to be durable within the verifier that observed it, so that an abuser cannot reset by minting a new key and starting clean. The architecture also refuses to give bad-history a portable global mark, because a portable global mark is a permanent underclass and a privacy harm the project is built to refuse.

Resolving this requires saying what "verifier" means in the current build. In continuity-auth v1, a verifier is one deployment of the library, with one identity store and one set of observations. Multiple hosts behind that deployment share the bad-history. The deployment is the unit of observation. If two hosts use the same continuity-auth deployment as their auth backend, a defection observed by one is durable against the cluster at the other. That is by design: hosts under one operator get the benefit of one operator's accumulated observations. What does not cross is the boundary between deployments. A cluster's bad-history at deployment A is not propagated to deployment B, and there is no central authority that would carry it across.

What raises the cost of escaping the durable-bad-history is not portability of the mark. It is the cost of starting over from cold-start at each new deployment. A reset abuser pays the per-IP bootstrap staircase at the new deployment, plus the per-class abuse cap that bounds what tracked-tier identities can do before being demoted, plus the recovery calendar on whatever clusters they want to reuse. The cost shape is in calendar units and per-IP units. Neither collapses to zero under attacker capability gain. Both are priced in IP inventory, load distribution, and time, and the prices can be paid by an attacker with sufficient inventory. The honest claim is bounded-cost improvement. The per-IP staircase scales with IP inventory and load-balancer spread. Class caps are soft and configurable. Low-and-slow attacks may not be caught fast at first contact. The architecture raises the price of reset at scale, it does not make reset impossible.

This is the asymmetry implemented without a portable reputation. Slow up makes reset expensive at scale. Fast down (within a deployment) makes defection immediately costly. Deployment-locality removes the cross-operator chokepoint. The trust the architecture builds is deployment-local, asymmetric, and continuously re-earned, and the bad-history that disciplines the system stays inside the deployment where it was observed.

Carried merit collapses to portable reputation

A seam in the architecture invited inspection. If positive evidence is weak but real, could a cluster carry verified good-behaviour history from one deployment to another, presented holder-side, expiring, positive-only, with the safety rails on? The reasoning was that this would shave the cold-start tax at new deployments without becoming the portable reputation the architecture rejects.

The seam closes negatively. The case splits into two, and only one of them is portable without becoming reputation.

The clean case is a self-checkable artifact. A proof, a confirmed prediction, a signed receipt of a specific transaction, code that runs and produces the claimed output. The receiver does not have to defer to anyone. They re-check the substance directly and either it verifies or it does not. This is genuinely not reputation. It is also not what the merit-carrying layer was for, because a self-checkable artifact does not need a trust layer to wrap it. The actor presents the artifact and it verifies itself.

The unclean case is the one the merit-carrying layer would have served. A statement of the form "this key behaved well at deployment A over N days" cannot be re-checked by the receiver. The receiver was not there. They cannot re-observe A's conduct. What crosses the wire is A's signed conclusion. The receiver verifies A's signature, not A's judgement, which means the receiver is deferring to A as authority on the holder's character. That is what makes it reputation. The signature does not transmit the evidence. It transmits A's compressed read of evidence the receiver cannot inspect. The most ambitious variant of this is a signed event log of raw observations rather than a summarised conclusion, on the theory that the receiver can re-aggregate. The variant does not change the category. The selection of which events to log, the instrumentation that produced them, the boundaries on what counts as an event, and the honesty of the logger are all A's. The receiver is still acting on A's curation of evidence the receiver did not collect.

Plural and locally-weighted variants of this look like they escape the problem and do not. Aggregate a few A-style attestations and the receiver is deferring to the cohort. Receiver-local re-weighting (the receiver discounts attestors they trust less) reduces the harm but does not change the category: the receiver is still acting on someone else's judgement of a third party rather than on their own observation. Scoped attestations (limited to specific behaviours, expiring fast, positive-only) crimp the harm further and still do not change the category. A deliberately crippled reputation is still reputation, because the cross-deployment object whose verification path runs through a third party's judgement is the thing reputation is.

The deeper problem is that even crippled reputation recreates the access gradient the architecture is built to refuse. The objection is not that the architecture should refuse advantage per se. All trust systems advantage incumbents with observed history, and that is fine when the advantage is local to the verifier that observed it. The objection is to portable advantage whose issuer set becomes a cross-context access gradient. Callers carrying receipts from a known set of issuers get patience at every receiver who recognises that set. Callers without get the full newcomer tax everywhere. The issuer set turns into a soft membership requirement for moving cheaply across the substrate. The crippling reduces the friction-per-receiver. It does not change the species, because the issuer set is what determines access.

There is no non-reputation form of carried behavioural merit. The lab is dropping the planned milestone. Cross-deployment behavioural standing is off the roadmap, not demoted to a later release. The line to hold is direct: a short-time-to-live authorization token may cross trust domains as a grant of permission to do a specific thing for a specific audience, never as evidence of standing earned elsewhere. The grant is the legitimate cross-membrane object. The reputation is not. The next section names what makes the grant a grant and not a credential.

Why fragmentation is the point

The alternative to deployment-local trust is portable reputation, and the choice between them is a forced one. Both shapes carry their own failure mode, and the question is which failure mode is acceptable.

Portable reputation produces network effects (the receipt earned at one venue helps at the next) and durable bad-history that follows the actor across venues. It also produces a global chokepoint. Whoever controls the reputation-formation process controls access everywhere. Capture the reputation-formation once and the captured authority can exile, at a stroke, the actors who most deserve engagement.

Status-mediated reception is a recurring pattern even in plural academic systems. Bose's photon-gas statistics paper got into print because Einstein translated and forwarded it. The substance was correct. The publication path ran through a high-standing sponsor. That single case does not show academia operating as one reputation authority (the historical reality is plural and contested), but it shows the chokepoint pattern operating locally even where the formal system is plural. The same shape recurs in venues that operate as gates, whether or not the larger system around them is centralised.

Fragmentation removes the protocol-level chokepoint. Low standing at one verifier locks the actor out of nothing else at the protocol layer. A separate observation is worth making: protocol-level fragmentation does not by itself rule out de facto chokepoints. Large deployments, market concentration, or cartelisation among issuers can recreate at the social layer what the protocol refused to encode. The architectural commitment is to refuse the chokepoint at the layer the architecture controls. The architecture cannot, by itself, prevent operators from coordinating.

The cost of fragmentation at the protocol layer is that bad actors can reset across verifier boundaries and that every verifier pays the newcomer tax on every new actor. The asymmetry of evidence breaks the tie in fragmentation's favour. A reset abuser is re-observed fresh at the new verifier and caught at the rate the negative signal operates, and the architecture is fast-down within a verifier. The cost of the reset is bounded and locally absorbed, provided the first-contact damage cap (class caps at the tracked tier, plus the per-IP bootstrap staircase) holds at the verifier under attack. The self-correction is after damage, not in place of damage. An exiled actor under portable reputation, by contrast, has no venue to demonstrate merit. The cost of capture under that regime is unbounded and unrecoverable.

Fragmentation wins on the asymmetry, because its downside is self-correcting at the rate the reliable signal operates (modulo the first-contact-damage caveat), and the alternative's downside has no built-in self-correction at all. The architecture refuses portable reputation not because portability is wrong in general, but because the specific thing being made portable is the manufacturable signal whose portability multiplies the chokepoint risk far beyond what the durable-bad signal can offset.

The grant boundary, and closing

The previous sections defended cross-deployment behavioural standing as the wrong cross-membrane object. The right one needs naming, because the architecture does ship a short-lived token, and a hostile reader looking at a token that carries identity, tier, audience, and expiry will fairly ask whether the token is itself a short-lived standing credential.

The line that holds is this. The token is a TTL-bounded authorization for the named audience to act on the minter's permission-grade within the window. It is not live evidence about the holder. The earlier critique applies to relying parties that read a stored summary as live evidence. The token path avoids that critique by being authorization that expires fast rather than evidence the relying party would consult repeatedly. The minting deployment is the standing authority, and the standing does not detach from the minter. The receiving audience verifies the minter's signature, treats the tier as the minter's permission-grade for what the audience will allow, and gains no authorization for the holder to use the token at any other audience. A non-audience party reading the token observes that the minter once asserted these facts. That is a signed claim, not transferable authorization. The host backend is what binds the tier to specific actions. Identity, tier, audience, and expiry travel together because the audience needs all four to act on the permission. None of them are claims about how the holder will behave at a different verifier under a different minter's keys.

The prior piece described the substrate refusing to ask which kind of actor the request came from. This piece describes the substrate refusing two further things. It refuses to grant good-behaviour history a permanence the behaviour never earned, and it refuses to convert local good-history into a portable token that recreates the chokepoint the architecture exists to remove.

Slow up, fast down, deployment-local, no portable score, no cross-deployment behavioural standing. The architectural primitives are direct enough to fit on a card. What is harder is holding the position when the easy move keeps presenting itself, because portable reputation always looks like it would help. The discipline is in refusing the move that produces the chokepoint, even crippled, even with the safety rails on.

continuity-auth is one instance and a partial one: the v1 build implements the principle through finite-ceiling scores, calendar-anchored idle decay, violation-rate erosion, and slow-decaying IP-bounce strikes, but the principle's clean form is the design target rather than a property the v1 build enforces as an invariant. The asymmetry-of-evidence shape is the trust-architecture commitment underneath the instance. The lab will continue publishing primitives that respect the same shape, and the test for each will be the same. Does the primitive build good-trust slowly and re-earned. Does it apply bad-trust quickly and longer than the reward it offsets. Does it keep both kinds of evidence local to the verifier that observed them. Does it refuse to convert verifier-local history into a portable cross-verifier claim that the receiver verifies through a third party's judgement. If yes, it sits inside the architecture. If no, the easy move has been taken and the chokepoint is back.