Governance specification for the genealogy ecosystem. Defines who participates, what credentials exist, how authority is delegated, and what obligations each role carries. Generated by
/keri:design0-ecosystem.
The Genealogy Ecosystem trust framework establishes a KERI-native governance model for the family history research industry. It replaces centralized platform trust (Ancestry, MyHeritage, 23andMe) with cryptographically verifiable relationships using Autonomic Identifiers (AIDs), Authentic Chained Data Containers (ACDCs), and consensus-based authority.
The core principle: the ecosystem does not certify truth – it makes provenance visible. Every research claim, record digitization, and identity resolution is a signed assertion by an identified participant. Trust emerges from the visible balance of endorsements and disputes, not from a gatekept stamp of approval. Individuals curate their own genealogy view by choosing which claims to accept.
Scope: Restructures family history research around cryptographically verifiable relationships between people, records, and evidence. Individuals own their research as portable, signed artifacts that carry provenance from source archives through researchers to families. The ecosystem eliminates the need to trust any single platform by making the evidence itself trustworthy.
Regulatory basis: State genetic privacy laws, GINA, state adoption record sealing statutes, state vital records access laws, GDPR (where applicable), indigenous/tribal records sovereignty, copyright law for digitized expressions.
The Genealogy Ecosystem has no central governing body. Governance is emergent – participants choose which issuers, researchers, and certification bodies to trust based on their visible track records. This reflects the industry reality: no single organization has authority over all genealogical knowledge.
Standards (shared schemas, protocol versions, infrastructure requirements) are maintained through open community processes. Schema adoption is organic – schemas that prove useful gain adoption; those that don’t are abandoned. The ecosystem provides the framework for interoperability; it does not mandate participation or enforce compliance.
The ecosystem does not enforce these regulations. ACDCs can encode legal constraints (e.g., “sealed per state statute until 2075”), and the signed audit trail provides evidence for external legal proceedings. Individuals are responsible for their own legal compliance.
This trust framework is versioned. Changes to credential schemas, role definitions, or delegation rules require a new version published to the ecosystem’s schema registry. Participants MUST verify framework version before issuing or accepting credentials.
| Role | Display Name | Witness Pool | Watcher Network | Agent Service | ACDC Registry |
|---|---|---|---|---|---|
archive |
Archive | Yes | No | Yes | Yes |
digitizer |
Digitizer | No | No | Yes | Yes |
indexer |
Indexer | No | No | Yes | Yes |
record_attestor |
Record Attestor | No | No | Yes | Yes |
record_host |
Record Host | Yes | Yes | Yes | Yes |
researcher |
Researcher | No | No | Yes | Yes |
individual |
Individual | No | No | Yes | No |
certification_body |
Certification Body | Yes | No | Yes | Yes |
algorithm_service |
Algorithm Service | No | Yes | Yes | No |
dna_service |
DNA Service | Yes | No | Yes | Yes |
archive)Description: Custodian of original physical records. Root authority in the provenance chain. Examples: county courthouses, churches, national archives, libraries, historical societies. Issues record custody credentials and authorizes digitization of their collections.
Governance obligations:
Credentials issued: record_custody, digitization_authorization Credentials required to participate: none (root authority)
digitizer)Description: Creates digital copies of physical records. Ranges from professional scanning companies to individual volunteers photographing gravestones (e.g., Findagrave contributors). Issues digitization record credentials with provenance back to the source object.
Governance obligations:
Credentials issued: digitization_record, source_link Credentials required to participate: none (digitization_authorization optional but strengthens provenance)
indexer)Description: Transcribes and tags digitized records to make them searchable. May be volunteers (like FamilySearch indexers), professionals, or AI services. Issues index entry credentials linking transcribed data to digitization records.
Governance obligations:
Credentials issued: index_entry Credentials required to participate: none
record_attestor)Description: Verifies the fidelity of a digital copy to its physical original. May be an archive employee, a certified records examiner, or a trusted third party. Issues record attestation credentials that strengthen the provenance chain.
Governance obligations:
Credentials issued: record_attestation Credentials required to participate: none
record_host)Description: Stores and serves digital record copies. The decentralized replacement for Ancestry/MyHeritage hosting. Anyone can be a record host – individuals, companies, nonprofits. Heaviest infrastructure role due to content serving at scale.
Governance obligations:
Credentials issued: none Credentials required to participate: hosting_agreement
researcher)Description: Interprets records and makes claims about people and relationships. Ranges from professional genealogists to hobbyists. Issues research claims, identity resolution claims, disputes, and endorsements. Reputation emerges from visible claim history – not from a gatekept certification.
Governance obligations:
Credentials issued: research_claim, identity_resolution, source_link, dispute_claim, endorsement Credentials required to participate: none (professional_certification optional but carries organic weight)
individual)Description: Person researching their own family history. Curates a personal genealogy view by accepting or rejecting research claims from others. Owns their research graph, DNA results, and identity links. Lightest infrastructure role – just an agent to manage their personal view.
Governance obligations:
Credentials issued: dispute_claim, endorsement Credentials required to participate: none
certification_body)Description: Issues professional credentials for genealogists. Includes certification boards (e.g., Board for Certification of Genealogists), universities, genealogy institutes, and training programs. Authority is organic and reputation-based – the ecosystem does not anoint any single body.
Governance obligations:
Credentials issued: professional_certification, program_accreditation Credentials required to participate: none (authority is reputation-based)
algorithm_service)Description: Provides corroboration scoring, matching, search indexing, and hint generation over the public claim graph. The decentralized replacement for Ancestry’s matching algorithm. Competitive service layer – anyone can build one. Reads the claim graph via watcher network, computes scores, and presents simplified views.
Governance obligations:
Credentials issued: none Credentials required to participate: none
dna_service)Description: Processes genetic samples and issues DNA result credentials held by the individual, not stored by the platform. Includes ethnicity estimates and kinship matches. Results are selective disclosure – the individual controls what is revealed and to whom.
Governance obligations:
Credentials issued: dna_result, ethnicity_estimate, kinship_match Credentials required to participate: none
Each credential type has designated issuer roles. Only AIDs operating in the appropriate role may issue that credential type. Issuance MUST:
For credentials without chaining requirements (most credentials in this ecosystem), the issuer’s identity and visible track record are the basis of trust. For chained credentials (digitization_authorization, hosting_agreement, ethnicity_estimate, kinship_match), the issuer MUST hold the upstream credential.
rev event anchored in the issuer’s KELThe ecosystem does not enforce disputes or impose liability. All actions are signed and attributable. Disputes are expressed as signed dispute_claim credentials visible in the public claim graph. Endorsements are signed endorsement credentials. Consensus emerges from the visible balance of disputes and endorsements. Algorithm services compute corroboration scores from this data. Individuals decide what to trust.
Duplicity (equivocation) detected by watchers constitutes evidence of bad faith. The signed audit trail provides evidence for any external proceedings, but the ecosystem itself does not adjudicate.
Roles operating witness pools (archive, record_host, certification_body, dna_service) MUST:
Roles subscribing to watcher networks (record_host, algorithm_service) MUST:
All roles run KERIA agents and MUST:
Verifiers MUST request only the minimum credential fields required for their purpose. Selective disclosure credentials MUST be presented in compact form unless the verifier demonstrates a legitimate need for full disclosure.
Credential holders control presentation. No credential may be verified without the holder initiating the IPEX presentation exchange. The holder’s agent MUST prompt for consent before disclosing attributes.
The ecosystem supports time-locked and event-triggered disclosure for sensitive records:
Privacy decisions follow a hierarchy:
When a record or research claim identifies a living person, and that person holds an AID in the ecosystem, they MUST be notified. Living persons may:
Notification requires an identity ecosystem bridge for contact resolution.
The ecosystem carries no liability. It is a protocol and set of shared schemas, not an organization or platform. There is no central operator to hold liable.
All actions in the ecosystem are signed by identified participants. The signed audit trail provides evidence for external legal proceedings. Participants are individually accountable for:
Consumers of research claims, identity resolutions, and other assertions are responsible for evaluating the provenance and corroboration of claims before relying on them. The ecosystem makes provenance visible – it does not guarantee truth.
Witness pool operators are responsible for availability and first-seen integrity. Watcher operators are responsible for timely duplicity reporting. These are operational obligations, not legal guarantees.
Bridge credentials: individual identity verification
Data flows:
Cross-ecosystem credential verification requires both ecosystems to publish compatible OOBIs and recognize each other’s governance frameworks. Bridge credentials MUST chain from a credential recognized in both ecosystems.
Facts extracted from records (names, dates, places, relationships) are not copyrightable and belong to whoever discovers them. No participant can revoke your knowledge of a fact.
Specific digitizations (photographs, scans, transcriptions) may carry copyright controlled by the digitizer or archive. Copyright terms are encoded in digitization_authorization and hosting_agreement credentials.
Research claims, identity resolutions, disputes, endorsements, and your personal genealogy view are signed by YOUR AID. No other participant can revoke, delete, or modify your research. The worst case is that a provenance chain breaks (an upstream attestation is revoked), but your claims and your data remain intact and portable.
When a credential is revoked, the issuer withdraws their attestation. The TEL records the revocation. But revocation does not reach into your device and delete data. Your local copies, extracted facts, and research graph are unaffected.
/keri:design1-service to design services within this ecosystemcredential-catalog.md define the ACDC a block for each type