Authority Taxonomy: Hierarchical Credentialing Structure

Mechanism

The taxonomy defines four roles through their evidentiary and operational signatures. A sensor is an authority whose credential certifies that the holder produces primary observations from instrumentation under named accuracy and freshness bounds; the sensor's outputs are signed measurements with calibration metadata. An aggregator is an authority whose credential certifies that the holder combines primary observations from named sensors under a published aggregation rule; the aggregator's outputs are signed composite estimates that reference the source sensors and the rule. A publisher is an authority whose credential certifies that the holder distributes observations or aggregates to named consuming scopes under a published distribution policy; the publisher's outputs are signed delivery envelopes that name the distributed payload and the recipient scope. A regulator is an authority whose credential certifies that the holder issues policy that binds the other three roles within a named jurisdictional scope; the regulator's outputs are signed policy artifacts that the other roles consume.

Each role's credential descriptor names the role, the issuing super-authority, the scope (geographic, jurisdictional, sectoral), the bounds (accuracy for sensors, aggregation rules for aggregators, distribution scopes for publishers, policy domains for regulators), and the audit obligations (what records the role must emit, at what cadence, into which lineage substrate). A consuming participant evaluates an incoming artifact against the artifact's role descriptor: a payload claiming to be a sensor reading is admitted only if the signing credential is valid and certifies sensor authority within a scope that covers the payload's claim; a payload claiming to be an aggregate is admitted only if the credential certifies aggregator authority and the named source sensors are themselves admissible; and so on for publishers and regulators.

Cross-authority routes are the structural mechanism by which mesh operations span roles. A typical cross-authority route begins at a sensor (raw measurement), traverses an aggregator (composite estimate), reaches a publisher (delivery to consumer scope), and is governed by a regulator (jurisdictional policy). The route is encoded as a chain of signed envelopes; each envelope names the predecessor envelope by hash, the role transition (sensor-to-aggregator, aggregator-to-publisher), the credentialed authorization for the transition, and the audit record emitted at the transition. The audit obligation is non-optional: a transition without a corresponding audit record renders the resulting envelope inadmissible to downstream consumers.

The taxonomy is itself published as a credentialed artifact by a super-authority that the participating consumers admit through their own policy. Consumers who admit different super-authorities may operate within different taxonomies; the architecture supports inter-taxonomy bridging through publisher-mediated cross-recognition envelopes that name the originating taxonomy, the receiving taxonomy, and the mapping between them. The bridging envelopes are themselves cross-authority routes subject to the same audit obligation.

Operating Parameters

Each role's scope is parameterized by geographic bounds (a polygon or zone identifier), jurisdictional bounds (a regulator identifier), sectoral bounds (a domain identifier such as "roadway," "airspace," "harbor," "grid"), and temporal bounds (a validity window with explicit start and expiry). A sensor credentialed for "roadway, state-of-X, 2026-01-01 through 2026-12-31" cannot produce admissible observations outside any of those bounds; an attempt to use the credential outside its scope is recorded as a scope violation and the resulting payload is excluded.

Sensor accuracy and freshness bounds are parameterized as numeric tolerances published in the credential. A sensor whose credential names "positional accuracy 0.5 m at 95% confidence, freshness 1 second" emits observations within those bounds; a consuming aggregator that requires tighter tolerances refuses the observation; a regulator that revises the tolerance issues a credentialed update. Aggregation-rule bounds are parameterized similarly: an aggregator names the admissible source sensor classes, the combination function (mean, weighted median, Kalman fusion), and the residual-uncertainty propagation rule; downstream consumers admit the aggregate against these published parameters.

Publisher distribution-scope bounds are parameterized as recipient classes with admission rules. A publisher may distribute to "credentialed operators within zone X," "regulated participants of authority Y," or "public scope." Each class carries different envelope contents (full payload, redacted payload, summary payload) and different audit requirements (per-recipient log, per-class log, public log). The publisher's policy specifies which classes a given payload may flow into.

Regulator policy bounds are parameterized as policy domains (which roles the regulator may govern), policy types (binding, advisory, optional), and revision cadence (how frequently the regulator may issue updates and what synchronization the consumers must perform). Cross-regulator overlap is handled by precedence rules that the consumers admit; in jurisdictions with concurrent regulators, the consumer's policy specifies which regulator's policy prevails for which payload class.

Audit-obligation bounds are parameterized per role: sensors emit measurement-and-calibration logs at sampling cadence; aggregators emit aggregation logs at aggregation cadence; publishers emit distribution logs at delivery cadence; regulators emit policy-issuance logs at update cadence. The lineage substrate retains all four streams and supports cross-stream queries that reconstruct any payload's full provenance.

Alternative Embodiments

In a single-jurisdiction transportation embodiment, a state DOT acts as regulator, certified roadside units act as sensors, the DOT's traffic-management center acts as aggregator, and the DOT's information service acts as publisher. The four roles are held by distinct entities under a common regulator; cross-authority routes traverse the four roles in canonical order and produce audit lineage that the DOT retains for compliance.

In a multi-jurisdiction shipping embodiment, port authorities, coastal regulators, and international maritime authorities each occupy regulator roles within their respective jurisdictions; vessel-borne sensors and shore-based sensors produce primary observations; classification societies and port operators produce aggregates; shipping lines and regulator information services act as publishers. Cross-jurisdictional routes traverse multiple regulators through cross-recognition envelopes; the audit lineage spans all participating jurisdictions.

In a defense-coalition embodiment, allied national authorities each hold regulator roles for their own forces; sensors deployed by any coalition member produce observations admissible to other members through credentialed cross-recognition; coalition command authorities hold the cross-recognition publisher role. The audit lineage supports after-action reconstruction across coalition partners while preserving each partner's sovereignty over its own primary records.

In a smart-grid embodiment, utility regulators hold the regulator role; metering devices and grid-condition sensors hold sensor roles; utility operations centers hold aggregator roles; consumer-facing portals and regulator data services hold publisher roles. The taxonomy supports the differential authority of the various participants without collapsing them into a single "trusted" or "untrusted" class.

In a degraded-trust embodiment, a known-compromised authority is downgraded by a regulator-issued revocation envelope. Downstream consumers continue to operate using cached pre-revocation observations within a stated tolerance and refuse new observations from the revoked authority; the lineage records the revocation event and its propagation. The embodiment supports continuity of operation under authority-compromise events without requiring a re-architecture.

In a community-mesh embodiment, peer participants take on lightweight versions of all four roles within a self-organized scope. The architecture supports the embodiment by allowing super-authorities at any scale; the audit obligations remain in force, and the credential descriptors specify the smaller scope explicitly.

Composition

The taxonomy composes with the composite admissibility evaluator: the role identification of an artifact's signing credential becomes one input to the evaluator's predicate, alongside spatial context, freshness, and consumer policy. An evaluator that admits regulator policy at high weight, aggregates at moderate weight, sensor primaries at moderate weight conditioned on aggregator endorsement, and publisher envelopes at routing-only weight produces structurally different decisions than an evaluator that treats all signed artifacts uniformly.

Sideways, the taxonomy composes with spatial inference routing so that the role of an artifact's authority becomes part of the spatial-context tuple; a sensor primary from a roadway sensor is not interchangeable with an aggregator estimate from a traffic-management aggregator, even when both pertain to the same location. It composes with personal-layer privilege so that the consumer's own authority over the personal layer is recognized as a first-class authority class with its own scope and audit obligation. It composes with the lineage substrate by sharing the chained-record format and by writing role-transition events into the same audit stream as routing and execution events.

Composition with the credentialed-update path allows the taxonomy itself to evolve. A super-authority may add a new role (a "validator" role for third-party verification of aggregator outputs, a "redactor" role for privacy-preserving distribution), revise scope parameters, or adjust audit obligations through credentialed updates that the participating consumers admit at well-defined synchronization points. The architecture treats taxonomy evolution as a first-class operation rather than as a re-architecture event.

Prior-Art Differentiation

Conventional public-key infrastructures certify identity but not role; a signed payload is admitted on the strength of a valid signature, with role distinctions imposed (if at all) by application-layer logic that the PKI does not enforce. Role-based access control systems define roles for human operators interacting with applications but do not extend the role concept to machine-to-machine evidence flow with bounded scope and audit obligations. Existing sensor-network credentialing schemes typically certify sensor identity without distinguishing aggregator, publisher, and regulator roles or specifying cross-authority audit.

The disclosed taxonomy differs structurally. Roles are not application-layer conventions; they are credential-level distinctions that the admissibility evaluator enforces. Scope is not a deployment configuration; it is a credentialed parameter that travels with every signed artifact. Cross-authority routes are not implicit chains; they are explicit envelopes with credentialed transition authorization and required audit records. The taxonomy is not a fixed schema; it is itself a credentialed artifact that evolves through governance updates. The combination of role-typed credentials, parameterized scopes, audited cross-authority routes, and credentialed taxonomy evolution is the operative novelty.

Disclosure Scope

This disclosure covers the spatial-mesh authority taxonomy comprising sensor, aggregator, publisher, and regulator roles, including the role-typed credential descriptors that name scope, bounds, and audit obligations; the cross-authority routing envelopes that traverse role transitions under credentialed authorization with required audit records; the role-aware composite admissibility evaluator that admits artifacts according to role and scope; and the embodiments described above. The disclosure extends to single-jurisdiction, multi-jurisdiction, defense-coalition, smart-grid, degraded-trust, and community-mesh embodiments. The disclosure further extends to the composition of the taxonomy with spatial inference routing, personal-layer privilege, and lineage substrates as described, and to the credentialed-update path through which super-authorities evolve the taxonomy itself — adding roles, revising scopes, adjusting audit obligations — without re-deployment of the underlying mesh.

The disclosure further covers any system that combines (a) role-typed credentials distinguishing sensor, aggregator, publisher, and regulator (or functional equivalents under different naming) at the credential level rather than at the application layer, (b) parameterized scopes that travel with each signed artifact and are enforced by the admissibility evaluator, (c) cross-authority routing envelopes that record role transitions with credentialed authorization and required audit, and (d) credentialed evolution of the taxonomy itself by a super-authority whose updates the participating consumers admit through their own policy. Variations in role naming, in the number of roles (so long as the structural distinctions of primary observation, composition, distribution, and policy issuance are preserved), in the cryptographic representation of credentials, and in the encoding of cross-authority envelopes are within the disclosure's scope. Embodiments that flatten the taxonomy to a single trust class, that omit credentialed audit at role transitions, or that fix the taxonomy at deployment without a credentialed evolution path, fall outside the disclosed mechanism.