Revocation Propagation Evaluation

by Nick Clark | Published April 25, 2026

When a device's integrity attestation is revoked — because the device has been tampered with, has failed a health probe, has aged out of a supported configuration, or has been recalled by its operator — every admissibility decision that rested on that attestation must be re-evaluated under the new credential state. Revocation propagation evaluation is the credentialed primitive that performs this re-evaluation across the lineage graph: the revocation enters as a signed event, the dependent decisions are identified by lineage traversal, each is re-computed under the revoked credential, and the resulting state changes (continued admission, downgrade, deactivation) enter lineage as connected records under the five-property chain. The result is a mesh whose admissibility integrity tracks credential state continuously rather than at occasional policy-evaluation checkpoints.

1. Mechanism and Primitive Description

The revocation propagation evaluation primitive operates over the lineage graph maintained by the mesh. Every admissibility decision — to admit a sensor reading, to act on a planner output, to permit a vehicle into a charging session, to allow a skill to operate — is a credentialed record that cites the credentials it depended on. Among those credentials are device-integrity attestations: signed claims by an attestation authority that a particular device is in a known-good configuration at a particular time. The lineage graph thus contains edges from every dependent decision back to the attestation it consumed.

When an attestation is revoked, the revocation enters the mesh as a credentialed event citing the revoking authority, the revoked credential, the revocation reason (tamper, recall, supersession, expiration, governance recall), and the revocation timestamp. The propagation primitive performs a reverse traversal of the lineage graph from the revoked credential to all dependent decisions. For each dependent decision, the primitive performs a credentialed re-evaluation under the new credential state: would this decision still admit if the revoked attestation were never trusted? The re-evaluation is itself a credentialed action with evidence (the revocation event, the prior decision record, the alternative credentials present), a decision (re-admit, downgrade, deactivate), and a lineage entry that connects to both the original decision and the revocation.

The cascade is not blanket. A decision that had multiple supporting credentials, only one of which is revoked, may continue to admit if the remaining credentials are sufficient. A decision whose claim was strictly conditional on the revoked attestation deactivates. A decision in a graceful-degradation class may downgrade — admitting under reduced privileges or with explicit lossiness annotations. Each path is admissibility-bound: the outcome is determined by re-running the admission rule against the new credential state, not by ad-hoc operator judgment.

Health monitoring observes the propagation. It surfaces propagation gaps (decisions not yet re-evaluated, endpoints holding stale attestation caches, evaluation failures), publishes them as credentialed monitoring events, and feeds them into the mesh's operational dashboards and dispute paths. The propagation is therefore both an admissibility primitive and a monitoring substrate.

2. Operating Parameters and Engineering Envelope

The primitive operates across a wide envelope of revocation rates, lineage-graph sizes, and latency requirements. Revocation rates can range from rare (a device recall once a year) to bursty (a fleet-wide tamper event affecting thousands of devices simultaneously). Lineage graph sizes range from thousands of decisions per device to millions in dense operational deployments. Latency requirements range from sub-second for safety-critical re-evaluations (a revoked attestation on an in-flight aircraft component) to minutes or hours for administrative re-evaluations.

The primitive is parameterized by lineage-graph indexing strategy. A fully indexed lineage graph supports immediate reverse traversal at the cost of index maintenance overhead; a lazily indexed graph defers traversal until evaluation time at the cost of evaluation latency. The choice depends on the deployment's revocation rate and latency tolerance. The primitive is also parameterized by re-evaluation depth: a shallow re-evaluation only re-checks first-order dependents; a deep re-evaluation propagates through cascade chains until quiescence.
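As an added illustration (not the page's or the disclosure's own code), here is a small Python model of the traversal and re-evaluation described in sections 1 and 2: a revocation event enters, the lineage graph is walked in reverse from the revoked attestation, each dependent is re-admitted, downgraded or deactivated under the new credential state, and a depth parameter selects shallow first-order re-checking or deep cascading until quiescence. All identifiers, the sample decisions and the admission rule (a minimum count of still-trusted citations, plus a degradable class) are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Decision:
    did: str
    cites: list               # credential ids or upstream decision ids it depended on
    min_valid: int = 1        # cited items that must still be trusted to keep admitting
    degradable: bool = False  # graceful-degradation class: downgrade rather than deactivate
    state: str = "admitted"

def sample_mesh():
    """Constructed sample, not the page's data: four dependents of attestation att:dev-7."""
    ds = [Decision("admit-reading-1", ["att:dev-7"]),                         # strictly conditional
          Decision("admit-reading-2", ["att:dev-7", "att:dev-9"]),            # alternative credential
          Decision("charge-session-5", ["att:dev-7", "op:cert-3"], 2, True),  # degradable
          Decision("planner-output-4", ["admit-reading-1"])]                  # depends on a decision
    return {d.did: d for d in ds}
# Constructed revocation event carrying the schema fields named in the text.
REVOCATION = {"kind": "revocation", "id": "rev-0001", "authority": "attest-authority-A",
              "credential": "att:dev-7", "reason": "tamper", "ts": "2026-04-25T10:00:00Z"}

def reevaluate(d, revoked, decisions):
    """Re-run the admission rule as if the revoked credential had never been trusted."""
    valid = [c for c in d.cites if c not in revoked
             and not (c in decisions and decisions[c].state == "deactivated")]
    if len(valid) >= d.min_valid:
        return "re-admit", valid
    if d.degradable and valid:
        return "downgrade", valid
    return "deactivate", valid

def propagate(revocation, decisions, lineage, depth="deep"):
    """Reverse-traverse from the revoked credential, appending one connected re-evaluation record
    per dependent; "shallow" stops at first-order dependents, "deep" cascades to quiescence."""
    lineage.append(revocation)
    idx = {}                                   # cited item -> decisions that cited it
    for d in decisions.values():
        for c in d.cites:
            idx.setdefault(c, []).append(d.did)
    revoked, frontier = {revocation["credential"]}, list(idx.get(revocation["credential"], []))
    new_state = {"re-admit": "admitted", "downgrade": "degraded", "deactivate": "deactivated"}
    while frontier:
        d = decisions[frontier.pop(0)]
        outcome, remaining = reevaluate(d, revoked, decisions)
        lineage.append({"kind": "re-evaluation", "decision": d.did, "prior_state": d.state,
                        "outcome": outcome, "evidence": {"revocation": revocation["id"],
                        "remaining": remaining}, "links": [d.did, revocation["id"]]})
        changed, d.state = new_state[outcome] != d.state, new_state[outcome]
        if depth == "deep" and changed and d.state == "deactivated":
            frontier.extend(idx.get(d.did, []))  # cascade to this decision's own dependents
    return lineage
```

Only a dependent whose state actually changed to deactivated re-enqueues its own dependents, so on a lineage DAG the deep traversal terminates once no further re-evaluation changes state.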

Cache coherence is an engineering concern of first order. Endpoints often cache attestations to reduce the cost of repeated verification; a revocation must invalidate those caches reliably. The primitive declares cache-invalidation requirements as part of the revocation event and surfaces stale-cache endpoints as monitoring gaps. Cross-jurisdictional revocations carry additional complexity: an attestation revoked in one jurisdiction may not be immediately recognized in another, and the propagation primitive must respect the recognition graph between authorities.

The primitive must also be robust to contested revocation. A device operator may dispute a revocation; during the dispute, the primitive may apply a credentialed grace period, may apply the revocation provisionally pending dispute outcome, or may apply it immediately and reverse on dispute resolution. Each policy is declarable and recorded in lineage.

3. Alternative Embodiments

In a centralized-evaluator embodiment, a single credentialed monitoring service performs the lineage traversal and re-evaluation on revocation receipt. In a distributed-evaluator embodiment, each lineage-holding host evaluates its local dependents, with cross-host propagation through credentialed message-passing. In a byzantine-robust embodiment, multiple independent evaluators perform the same re-evaluation and a quorum of agreement is required before any deactivation takes effect; this protects against adversarial evaluators forcing spurious deactivations or suppressing legitimate ones.

In a push-propagation embodiment, the revoking authority broadcasts the revocation to all known dependents; in a pull-propagation embodiment, dependents periodically check attestation status against an authoritative source; in a hybrid embodiment, push provides timeliness and pull provides robustness against missed broadcasts. In a delta-propagation embodiment, only the change in attestation set is propagated rather than the full state, reducing bandwidth for large credential populations.

In a speculative-evaluation embodiment, the primitive pre-computes re-evaluations for likely revocation scenarios to bound worst-case real-time response. In a deferred-evaluation embodiment, low-criticality dependents are re-evaluated on a schedule rather than synchronously with revocation, with the deferral itself recorded as a credentialed exception.

4. Composition with Adjacent Primitives

Revocation propagation evaluation composes with the cascade-deactivation primitive: when a revocation forces deactivation of a dependent adaptation, the cascade primitive carries the deactivation forward through that adaptation's own dependents. The two primitives share the lineage graph and evaluate against the same five-property chain. It composes with the device-attestation primitive: attestation freshness, validity windows, and revocation lists are all consumed by the propagation evaluator.

It composes with the dispute-resolution primitive: a contested revocation enters a dispute path whose outcome may reverse the propagation, restore previously deactivated dependents, or modify the revocation reason retroactively. It composes with the byzantine-robust observer primitive: revocations affecting cross-operator decisions can require multi-observer co-signature, preventing unilateral revocation injection or suppression by a single authority.

It composes with the lineage-audit primitive: an auditor can replay the propagation effects of any revocation, traversing from the revocation event through every re-evaluated decision. It composes with the marketplace primitives: a revoked station or vehicle attestation propagates into in-progress and future settlements, with affected sessions re-evaluated under the new state. It composes with the cross-model portability primitive: revoking a model attestation cascades through translated adaptations and their dependents.

5. Prior-Art Distinctions

Conventional revocation infrastructure (CRL, OCSP, short-lived credentials) propagates revocation status but does not re-evaluate dependent decisions. A revoked certificate fails at next use; decisions admitted under the prior validity continue to stand without re-examination. There is no notion of a credentialed re-evaluation event, no admissibility-bound transition, no lineage of the re-evaluation itself. Cross-system propagation is bilateral and ad-hoc; cross-jurisdictional propagation is essentially absent.

Conventional attestation systems (TPM, remote attestation, supply-chain integrity) produce attestation records but do not maintain a lineage graph linking those records to downstream decisions. When an attestation is revoked, the dependent decisions are not identifiable from the attestation system itself; they must be reconstructed from operator logs, often imperfectly. Health monitoring is typically a separate plane of operator-internal telemetry rather than a credentialed event stream within the same governance frame.

The present primitive differs in that the lineage graph structurally connects attestations to their dependent decisions, the propagation traversal is a credentialed governance action, the re-evaluation is admissibility-bound and evidence-bearing, and the monitoring of propagation completeness is a first-class output of the primitive rather than an out-of-band operator activity. The five-property chain runs through every step.

6. Disclosure Scope

This disclosure encompasses revocation propagation evaluation for credentialed device-integrity attestations and other credentials within the spatial mesh of provisional 64/049,409. The disclosure covers the credentialed revocation event schema (revoking authority, revoked credential, revocation reason, timestamp), the lineage-graph reverse traversal that identifies dependent decisions, the credentialed re-evaluation that produces re-admit, downgrade, or deactivate outcomes under the new credential state, and the health-monitoring surface that reports propagation completeness and gaps. It covers the centralized, distributed, byzantine-robust, push, pull, hybrid, delta, speculative, and deferred embodiments described above, and equivalent embodiments preserving the admissibility-bound re-evaluation under the five-property chain.

The disclosure extends to the composition of revocation propagation evaluation with cascade deactivation, device attestation, dispute resolution, byzantine-robust observation, lineage audit, marketplace admission, and cross-model portability primitives of the broader mesh. It extends to alternative cache-coherence policies, alternative grace-period and provisional-application policies, alternative cross-jurisdictional recognition graphs, and alternative monitoring-event formats.

The disclosure does not depend on any specific cryptographic primitive, attestation hardware, lineage storage technology, or communications protocol. It is technology-agnostic at the implementation layer and architectural at the primitive layer. Practitioners skilled in distributed systems, attestation, and credentialed governance will recognize the structural elements and may implement them using contemporary or future technologies provided the lineage-bound re-evaluation, the admissibility-bound transition, and the five-property chain are preserved.

Invented by Nick Clark. Founding Investors: Anonymous, Devin Wilkie.