poztter.org / components

The pieces of a POZ record.

Overview · What is POZ? · Philosophy · FAQ

A POZ record is built from a small number of typed sections. Two are required — the Public Key Map and the Master Zone. The rest are optional zones that the Master delegates authority over, each governed independently.

flowchart TB M[Master Zone
0x0001 — root authority] K[Public Key Map
0x0000] M -.references.-> K IA[Identity Authority
0x0010] --> IZ[Identity Zone
0x0011] FA[Feed Authority
0x0020] --> FZ[Public Feed Zone
0x0021] EA[Email Authority
0x0030] --> EZ[Email Zone
0x0031] AA[Auth Authority
0x0040] --> AZ[Auth Zone
0x0041] SA[Service Authority
0x0050] --> SZ[Service Zone
0x0051] M -- delegates --> IA M -- delegates --> FA M -- delegates --> EA M -- delegates --> AA M -- delegates --> SA

fig 01 · the Master Zone delegates to one authority per zone type. each zone is independently signed and revocable.

required

0x0000

Public Key Map

Every key the record uses, identified by SHA-3 hash. All other sections refer to keys by index here, not by value.

Read

0x0001 · required

Master Zone

The root. Defines which keys control the record itself and which keys are delegated authority over each sub-zone. Hash-chained.

Read

models

model

Survivorship

How modification thresholds work. Groups, values, the ≥100 rule, and how to configure recovery without a single point of failure.

Read

model

Sub-zone Delegation

Grant and deny thresholds, evaluated independently. The asymmetry that makes fast revocation and deliberate authorization both natural.

Read

zones

0x0010 / 0x0011

Identity Zone

Bindings between handles on centralized providers and your POZ record. Two-phase activation. Independently signed entries.

Read

0x0020 / 0x0021

Public Feed Zone

Named feeds with multiple posting chains for resilience. Posts live on feed servers; the zone holds anchors and checkpoints.

Read

0x0030 / 0x0031

Email Zone

GUID-addressed inboxes with end-to-end encryption keys and verifiable conversation chains. Messages reference inboxes by GUID, never name.

Read

0x0040 / 0x0041

Auth Zone

Trust groups of fixed sizes (BASIC=2, STANDARD=4, SECURE=8). Sites declare a required size; users decide which keys go in each group.

Read

0x0050 / 0x0051

Service Zone

Where servers are. Pools of hosts with priority and weight, plus the CA key that signed each server's certificate. Other zones reference services by hash.

Read

protocol

Network Protocol

Three ports, one wire format. Plaintext queries, Noise NK private queries, and Noise NK record submission. Adaptive proof-of-work for DoS resistance.

Read

internal sections

0x8002

Private Key Map

Optional. When present, private keys should be encrypted at rest. Records distributed to third parties should not include this section.

0x8003

Zone History

Optional snapshots or diffs of past zone revisions for compact history storage.

0x8004

Key Names

Optional human-readable labels for keys ("Hardware Token", "Family Recovery"). Informational only.

Cross-zone references. Higher zones reference services by service hash (computed from the service entry's content). When infrastructure changes, the hash changes, which forces dependent zones to acknowledge the new configuration. A server can't quietly swap your mail host out from under you.