open protocol for relational trust · validation-as-a-service on top
Quidnug is a decentralized protocol where every node decides who to trust from its own perspective. Keys are recoverable without central escrow. Every state change is signed and replay-safe. We operate the public network and offer domain validation as a paid service on top of it, but the whole protocol is Apache 2.0 and you can run it yourself.
Why you would bother
Universal reputation scores, centralized certificate authorities, and "just email us to reset your key" are the compromises you live with when a system refuses to model trust honestly. Every one of them becomes the failure that puts the platform on the front page.
A credit bureau says you are 712. A ride-share rates you 4.81. A social platform flags you "good standing". The number exists so the platform can delegate judgment; the moment judgment is contested (an error in the file, a vindictive rider, a shadow ban) the subject has no recourse, because the number is authoritative by fiat. Quidnug refuses to produce the number and forces each viewer to answer for themselves.
Every platform that holds a "reset my key" switch is one phishing email from a mass takeover. The 2016 DNC breach, the 2022 FTX signer extraction, the quiet cascade of SIM-swap hijacks every quarter: all are "the reset switch was too reachable" by another name. Guardian recovery makes recovery slow, public, and countersignable, which is what you want for anything valuable.
Most "audit logs" are app-owned rows in a database that the app can edit. Most "signed artifacts" are code-signed by a CI key that rotates silently. When someone eventually asks "did this specific key actually authorize this event at this moment", the answer is usually a shrug. Quidnug makes "signed by whom" the only way state changes.
How trust works
Instead of "Bob has a reputation", Quidnug captures "Alice trusts Bob at 0.9 for home contracting, signed on 2026-03-14". That statement is a cryptographic edge. Many such edges form a trust graph, and the protocol answers questions by walking it from the observer's perspective only.
Direct trust is exactly what Alice signed. Transitive trust composes
multiplicatively along a path (Carol trusts Alice at 0.8, Alice
trusts Bob at 0.9, so Carol trusts Bob at 0.72). If
multiple paths exist, Quidnug takes the maximum:
one strong recommendation beats a crowd of weak ones. The default
traversal depth is five hops.
What you don't get is a number that exists independent of any viewer. Ask a different observer, get a different answer. That is correct behavior. The platform refuses to launder disagreement into consensus.
How domains scope trust
A trust edge is not valid "in general". It is valid in a specific domain, named with DNS-like dot-notation. A doctor attested by a state medical board is not automatically trusted to sign smart-contract oracle readings. An oracle trusted for ETH/USD is not automatically trusted to issue college diplomas. Cross-domain capture attacks simply do not compose.
Domains can inherit along the parent/child axis when the app opts
in (a trust edge at texas.medical-board.gov can be
used to answer queries in
credentials.texas.medical-board.gov). Inheritance
never crosses siblings, and the protocol makes cross-subtree
trust leakage impossible by construction.
Pick domain names that look like what they are. Align depth to the authority structure you actually have. Reserve a top-level segment for your organization so domain collisions across federated deployments cannot happen.
How consensus works
Quidnug does not produce one globally-agreed chain. It produces per-observer chains tied to each node's trust graph. Proof-of-Trust tiers every incoming block into one of four buckets based on how much the observer trusts the validator who signed it. If you trust a validator, you build on their blocks. If you don't, you don't. Nobody votes about it.
This fits the shape of real consortium problems. A medical consortium where different hospitals trust different CA roots should not agree on attestations signed by the "wrong" root. A cross-jurisdictional election where counties trust their own officials should not replicate precinct blocks from another county's official. A cross-merchant fraud signal network should let each merchant weight reporters differently.
What Quidnug is not: a BFT chain, a Nakamoto chain, or a high-TPS payment rail. There is no coordinator, no "voting", and no block reward. Throughput targets thousands per second per node with aggressive tuning, not millions. This is the price of honesty about disagreement.
How keys live and die
Real systems deal with lost laptops, stolen phones, forgotten passphrases, departing employees, and compromised signing services. Central escrow (the "email us to reset" approach) turns every recovery into a phishing vector and every customer support agent into a potential single point of failure. Quidnug replaces that with a cryptographic protocol: M guardians you chose in advance, a time-lock, and a veto window.
A rotation can be initiated by the subject alone (if they still have the current key) or by any M of their N guardians (if they don't). A time-lock, default 24 hours, opens a veto window: if the rotation was initiated maliciously, the real subject can cancel it. At the end of the window, a guardian commits and the subject's key is replaced.
The threat model is honest. A stolen key cannot rotate itself to
lock the subject out, because rotation requires a fresh anchor
that the subject or quorum authorizes. A compromised M of N
quorum can rotate the subject's key; this is why you
pick guardians carefully and keep a veto key. AnchorInvalidation
shuts an epoch down immediately if you suspect compromise early.
Transaction lifecycle
Applications don't mutate state by PUT-ing JSON at a REST endpoint. They build a typed transaction, sign it with their current epoch key, submit it, and watch it land. The node verifies the signature, checks the nonce ledger for replay, anchors it into a block, and gossips the block to peers. Each peer then tiers the block on its own terms.
Nonces are per-signer monotonic: your next nonce has to be
strictly higher than any nonce the network has seen from you.
That gives replay protection without a global counter and without
coordination. If you submit a stale nonce, the node returns
NONCE_REPLAY and nothing lands.
Seven core transaction types carry all protocol-level state:
TRUST, IDENTITY, TITLE,
EVENT, ANCHOR, GUARDIAN_*,
and FORK_BLOCK. Applications compose workflows on
top. Event streams give you append-only, monotonically sequenced
per-subject logs for audit trails, supply chains, and state
machines.
qrp-0001 · first app-level protocol
QRP-0001 is the first Quidnug Review Proposal: a domain-level protocol for reviews, comments, helpfulness voting, flagging, and verified purchases, built entirely from the primitives above. Drop-in widgets for React, Vue, Astro, plain HTML, Shopify, and WordPress ship today.
All three primitives render the same underlying data at three information densities. Zero JS dependencies. Full Schema.org JSON-LD carried alongside for SEO.
Three rating-visualization primitives (qn-aurora,
qn-constellation, qn-trace) render
per-observer weighted ratings at three information densities.
The rating value is one of many signals encoded; confidence,
trust proximity, freshness, and the delta from the crowd
average all carry through.
The trust-weight formula is a product of four factors (Topical trust, Helpfulness, Activity, Recency). Missing any factor sets the weight to zero for that review, so 500 sybil accounts with no trust path to you contribute exactly nothing to your effective rating.
30-second demo
One binary, one HTTP API, one canonical-bytes signing format shared across every SDK. A signature produced in Python verifies byte-for-byte in Go, Rust, JavaScript, or on the reference node.
# 1. Create Alice's identity
curl -X POST http://localhost:8080/api/identities \
-d '{"quidId":"alice","name":"Alice","creator":"alice"}'
# 2. Alice trusts Bob at 0.9 for "contractors.home"
curl -X POST http://localhost:8080/api/trust \
-d '{"truster":"alice","trustee":"bob","trustLevel":0.9,
"domain":"contractors.home"}'
# 3. Query trust from Alice's perspective
curl "http://localhost:8080/api/trust/alice/bob?domain=contractors.home"
# {"trustLevel":0.9,"trustPath":["alice","bob"],...}from quidnug import Client, Quid
client = Client("http://localhost:8080")
alice = Quid.generate("alice")
bob = Quid.generate("bob")
client.register_identity(alice)
client.register_identity(bob)
client.grant_trust(alice, trustee=bob,
trust_level=0.9,
domain="contractors.home")
r = client.query_trust(observer="alice",
target="bob",
domain="contractors.home")
print(r.trust_level) # 0.9
print(r.trust_path) # ["alice", "bob"]package main
import (
"context"
"github.com/quidnug/quidnug/pkg/client"
)
func main() {
c := client.New("http://localhost:8080")
ctx := context.Background()
alice, _ := client.NewQuid("alice")
bob, _ := client.NewQuid("bob")
c.RegisterIdentity(ctx, alice)
c.RegisterIdentity(ctx, bob)
c.GrantTrust(ctx, alice, bob, 0.9, "contractors.home")
r, _ := c.QueryTrust(ctx, "alice", "bob", "contractors.home")
_ = r
}import { Client, Quid } from '@quidnug/client';
const client = new Client('http://localhost:8080');
const alice = await Quid.generate('alice');
const bob = await Quid.generate('bob');
await client.registerIdentity(alice);
await client.registerIdentity(bob);
await client.grantTrust(alice, {
trustee: bob,
trustLevel: 0.9,
domain: 'contractors.home',
});
const r = await client.queryTrust({
observer: 'alice', target: 'bob',
domain: 'contractors.home',
});
console.log(r.trustLevel, r.trustPath);use quidnug::{Client, Quid};
#[tokio::main]
async fn main() -> anyhow::Result<()> {
let client = Client::new("http://localhost:8080");
let alice = Quid::generate("alice")?;
let bob = Quid::generate("bob")?;
client.register_identity(&alice).await?;
client.register_identity(&bob).await?;
client.grant_trust(&alice, &bob, 0.9,
"contractors.home").await?;
let r = client.query_trust("alice", "bob",
"contractors.home").await?;
println!("{} {:?}", r.trust_level, r.trust_path);
Ok(())
}the service
Running your own Quidnug node is free and fully supported. But if you want a third-party-signed attestation that your domain really belongs to you, continuously re-verified, visible to any Quidnug-speaking system, that is what we sell. Same shape as Let's Encrypt, for Quidnug domain identities.
pricing
Start free on one domain with email verification. Upgrade to Pro when you need DNS ownership and a predictable recheck cadence. Upgrade to Business when your customers want a legal-entity-attested badge. Upgrade to Governance Partner when you want to co-operate the public network.
DNS providers
One-click TXT record creation for the three big cloud DNS providers, scoped tokens that cannot touch your other records, and a manual-paste fallback that works with any registrar. Consumer registrars (Namecheap, GoDaddy, Porkbun) roll in over the first quarter.
blog · 9 posts · 10 decks
Each post ships with a companion slide deck you can flip
through in the browser or download as .pptx.
Topics span consensus theory, reputation systems, AI
agent identity, media provenance, and the failure modes
of the incumbents.
*Selective disclosure plus cryptographic credibility plus trust-graph vouching is the architecture modern whistleblower platforms actually need.*
*Trust-anchored provenance fixes the voluntary carbon market's phantom-credit problem.*
*How signed event streams replace ALCOA+ paper-trail compliance, and why FDA inspectors will prefer them.*
*Every CISO is answering vendor questionnaires. The answers are lies. Here's the architecture that fixes it.*
Where it fits
Each use case is a full implementation plan: problem statement, architecture with sequence diagrams, concrete SDK code, and a threat model. Pick your domain, read the design, clone the examples.
**FinTech · Supply chain · Multi-party validation**
**FinTech · DeFi · Decentralized data feeds · Aggregation trust**
**FinTech · High-value · Full key lifecycle management**
**FinTech · High-value · M-of-N signing · Guardian recovery**
**FinTech · Cross-organization data sharing · Relational trust**
**AI · Agent safety · Time-locked grants · Emergency revocation**
**AI · Media provenance · C2PA+ · Editing chain of custody**
**AI · Provenance · Audit trails · Copyright attestation**
**AI · Federated learning · Multi-party cryptographic attestation**
**Cross-industry · Education · Licensing · Certifications**
**Open source · Supply-chain security · GPG replacement**
**Cross-industry · Critical internet infrastructure · Anti-centralization**
**Infrastructure · Split-horizon · Private records · Federated-by-default**
**Cross-industry · Patient-controlled access · Emergency override**
A global, cross-site review substrate where every rating is weighted by **the observer's** trust graph, not by an average that treats every reviewer as identical. Reviewer identity is portable; reputation is per-vertical; sites and revie…
Client libraries
Protocol SDKs at the base bind the full wire format in every major language. Reviews widgets sit on top, wrapping QRP-0001 as drop-in UI. Platform plugins wrap the widgets for Shopify and WordPress so non-engineers install from an app store. Signatures verify interchangeably across the whole stack.
where this sits
Quidnug isn't positioned against public chains, DID + VC, Sigstore, PGP web-of-trust, or OAuth/OIDC. Each solves a different problem well. The comparisons below spell out exactly where each neighbor wins and where the "who trusts whom from my perspective" question makes Quidnug the right answer.
| Relational trust | Guardian recovery | Domain scoping | No universal score | Self-hosted | No on-chain cost | |
|---|---|---|---|---|---|---|
| Quidnug | yes | yes | yes | yes | yes | yes |
| Public chain | partial | partial | no | no | partial | no |
| DID + VC | no | partial | partial | partial | yes | yes |
| Sigstore | no | no | no | yes | partial | yes |
| PGP WoT | yes | no | no | yes | yes | yes |
| OAuth / OIDC | no | partial | no | no | no | yes |
Each cell is shorthand. Follow the per-comparison links for the actual argument, including where the other tool wins.
The public network
We operate three seed nodes under quidnug.com. Any
operator can bring up their own node and propose bilateral trust
with the seeds: we'll tier your blocks, if you tier ours. The
protocol enforces the rest.
The public network is not a permissioned consortium and it is not
a permissionless chain. It is a trust graph seeded by
quidnug.com that grows by bilateral consent in
specific domains under a reserved network.quidnug.com
tree. No secrets are exchanged. No service-level agreement is
offered. Either side can unilaterally revoke by publishing a
trust edge at level zero.
Under the hood
The reference node is a single static Go binary. Six cooperating subsystems handle trust path discovery, nonce enforcement, guardian state, block tiering, gossip, and bootstrapping. Every protocol feature ships as a numbered Quidnug Design Proposal with rationale, compatibility analysis, and migration plan.
Honest sizing
Join the waitlist to claim a domain on the free tier, or run the entire open-source stack yourself and never send us a dollar. Both paths are first-class; the protocol is not hostage to the service.