Subnet345

Glossary

What is a verifier separated from the emitter?

The architectural property that the process running the recompute is distinct from the emitter that wrote the chain, and shares no credentials, state, or code with it. Independent walk, independent result.

§ 01 Definition

The one who checks is not the one who wrote.

Verifier separated from emitter is the architectural property of a hash-chained record whereby the process running the recompute is distinct from the emitter that wrote the chain. The emitter writes entries and hash-links them; the verifier reads the stored entries and recomputes each entry’s hash forward from an anchored checkpoint. They do not share credentials, state, or code that could allow the emitter to influence the walk. When the verifier completes the walk, the result is a statement by a party the emitter did not control.

Verifier separated from emitter is not “the emitter proves the chain is valid.” An emitter-attested statement about the chain’s integrity is a self-attestation: the party that wrote the record is also the party asserting its correctness. Separation is what turns a chain-plus-verify from a self-attestation into an independent verification. The scope of that verification is a different question, handled by what is recompute at the anchored recent horizon; this entry defines the separation property that makes any independent recompute meaningful in the first place.

§ 02 Why it matters

Intact is not the same as honestly checked.

An examiner or auditor asking whether a record is trustworthy is asking about two things at once: is the record intact, and did the party who ran the check have the ability to look at it honestly? Hash-chaining answers the first. Verifier separation answers the second. If the same process that wrote the chain also runs the walk, the walk cannot be trusted to catch what the emitter would want to hide. The verifier has to be far enough from the emitter that the emitter cannot poison the walk by controlling the walker’s code, its input, or the anchor value it compares against.

The separation does not require a third party outside the operator’s boundary. A separately-operated verifier process inside the same boundary, reading the stored entries from a store the emitter cannot modify at read-time, and comparing the terminal hash to an externally-anchored checkpoint, delivers the property. What matters is that the emitter and the verifier are architecturally distinct, and that the anchor lives outside the emitter’s control. The substrate the record runs on is what makes the separation a property of the record rather than a security posture the operator has to build.

§ 03 Questions

Verifier separation, answered.

How is verifier separated from emitter different from just running a verifier?

Any process that walks a hash chain can be called a verifier. Separation is the additional property that this walker is not the same process, and does not share code or credentials with, the emitter that wrote the chain. Without separation, the walker is running whatever the emitter allows it to run against whatever the emitter decides to show it. With separation, the walker reads the stored entries directly and computes independently. See what is a hash-chained external anchor for the anchor that closes the loop against a wholesale replacement.

What separations matter?

Three: (1) the verifier code is not code the emitter wrote or can rewrite at verify time; (2) the verifier reads the stored entries directly from a store the emitter cannot mutate at read-time; (3) the anchor value the verifier compares against is held on a substrate the emitter does not fully control. Each closes a distinct attack path: emitter-supplied verifier code, emitter-mutable input, emitter-forgeable anchor.

What does the substrate provide to make this separation real?

The substrate stores the emitted entries in a location the verifier reads directly, exposes the anchor value to the verifier from an externally-held commitment, and runs the verifier as a process the emitter does not launch, configure, or supply code to. Together these turn “independent verification” from a claim about intent into a property of the architecture. See what is audit-of-action for the record the independently-verified chain produces.

Let the record be checked by someone the emitter does not control.