Version: 1.0.0 Date: 2026-01-11 Layer: VCP/I (Identity) Status: Complete
Part of the Value-Context Protocol (VCP) - Layer 1
This specification defines governance rules for UVC namespaces - who can create tokens, how namespaces are registered, and delegation policies.
- Introduction
- Namespace Tiers
- Registration Protocol
- Proof of Ownership
- Delegation Rules
- Dispute Resolution
- Security Considerations
Namespace governance ensures:
- Authenticity: Organizational namespaces belong to verified entities
- Non-collision: No two entities claim the same namespace
- Accountability: Namespace owners are contactable
- Flexibility: Multiple governance models for different use cases
- Minimal Centralization: Core namespaces only; everything else is delegated
- Proof-Based: Registration requires verifiable proof
- Dispute Process: Clear resolution for conflicts
- Expiration: Namespaces require renewal to prevent squatting
| Tier | Prefixes | Governance | Registration | Example |
|---|---|---|---|---|
| Core | family, work, secure, creative, reality |
Creed Space stewardship | Reserved | family.safe.guide |
| Organizational | company, school, ngo |
Delegated to org | Verified ownership | company.acme.legal |
| Community | religion, culture, community |
Community consensus | Multi-stakeholder | religion.buddhist.meditation |
| Personal | user |
Individual control | Self-service | user.alice.personal |
Governance: Creed Space maintains exclusive stewardship.
Characteristics:
- Reserved namespaces, not available for registration
- Universal semantics (same meaning everywhere)
- Backward compatibility guaranteed
- Governed by Creed Space advisory board
Reserved Prefixes:
CORE_NAMESPACES = {
'family', # Family/child-safe contexts
'work', # Professional/workplace contexts
'secure', # Security/privacy contexts
'creative', # Artistic/creative contexts
'reality', # Factual/grounded contexts
}Governance: Delegated to verified organizations.
Registration Requirements:
- Domain ownership verification (DNS TXT or HTTPS)
- Contact email at verified domain
- Acceptance of terms of service
- Annual renewal
Sub-prefixes:
| Prefix | Entity Type | Proof Type |
|---|---|---|
company |
For-profit business | Domain ownership |
school |
Educational institution | .edu domain or accreditation |
ngo |
Non-profit organization | 501(c)(3) or equivalent |
Governance: Multi-stakeholder community consensus.
Registration Requirements:
- Three or more stewards (multi-sig)
- Community charter defining governance
- Public deliberation process
- Annual steward rotation option
Sub-prefixes:
| Prefix | Scope | Governance |
|---|---|---|
religion |
Religious traditions | Recognized religious bodies |
culture |
Cultural/regional | Cultural organizations |
community |
Interest groups | Community-defined |
Governance: Individual control.
Registration Requirements:
- Email verification
- Username uniqueness check
- Terms acceptance
- No special characters (except
-,_)
┌─────────────────────────────────────────────────────────────────────┐
│ REGISTRATION FLOW │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ ┌──────────────┐ │
│ │ REQUESTOR │ 1. Submit registration request │
│ └──────┬───────┘ │
│ │ │
│ ▼ │
│ ┌──────────────┐ │
│ │ REGISTRY │ 2. Validate namespace format │
│ │ │ 3. Check availability │
│ │ │ 4. Verify proof of ownership │
│ └──────┬───────┘ │
│ │ │
│ ▼ │
│ ┌──────────────┐ │
│ │ VERIFICATION │ 5. DNS/email/multi-sig verification │
│ └──────┬───────┘ │
│ │ │
│ ▼ │
│ ┌──────────────┐ │
│ │ ISSUANCE │ 6. Generate namespace key │
│ │ │ 7. Record in registry │
│ │ │ 8. Return credentials │
│ └──────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────┘
from dataclasses import dataclass
from typing import Optional
from datetime import datetime
@dataclass
class NamespaceRegistrationRequest:
"""Request to register a namespace"""
# Required
namespace: str # e.g., "company.acme"
requestor_id: str # Identity of requestor
contact_email: str # Contact email
proof_type: str # "dns", "https", "multisig", "email"
proof_data: str # Proof-specific data
# Optional
delegation_policy: str = "closed" # "open", "verified", "closed"
charter_url: Optional[str] = None # For community namespaces
stewards: list = None # For multi-sig namespaces
@dataclass
class NamespaceRegistrationResponse:
"""Response to registration request"""
status: str # "approved", "pending", "rejected"
namespace: str
namespace_key: Optional[str] # Signing key for namespace
expiry: Optional[datetime] # Registration expiry
renewal_url: str
reason: Optional[str] # If rejectedpaths:
/v1/namespaces/register:
post:
summary: Register a namespace
requestBody:
content:
application/json:
schema:
type: object
required:
- namespace
- contact_email
- proof_type
- proof_data
properties:
namespace:
type: string
example: "company.acme"
contact_email:
type: string
format: email
proof_type:
type: string
enum: ["dns", "https", "multisig", "email"]
proof_data:
type: string
delegation_policy:
type: string
enum: ["open", "verified", "closed", "consensus"]
default: "closed"
responses:
201:
description: Registration approved
202:
description: Pending verification
400:
description: Invalid request
409:
description: Namespace already claimedFor: Organizational namespaces (company.*, school.*, ngo.*)
Process:
- Requestor claims
company.acme - Registry provides verification token:
vcp-verify=abc123xyz - Requestor adds DNS TXT record:
_vcp.acme.com TXT "vcp-verify=abc123xyz" - Registry verifies DNS record
- Namespace approved
import dns.resolver
class DNSVerifier:
"""Verify domain ownership via DNS TXT record"""
def verify(self, domain: str, expected_token: str) -> bool:
"""
Check for VCP verification TXT record.
Looks for: _vcp.{domain} TXT "vcp-verify={token}"
"""
try:
answers = dns.resolver.resolve(f'_vcp.{domain}', 'TXT')
for rdata in answers:
txt = str(rdata).strip('"')
if txt == f"vcp-verify={expected_token}":
return True
except dns.resolver.NXDOMAIN:
pass
except dns.resolver.NoAnswer:
pass
return FalseFor: Organizational namespaces (alternative to DNS)
Process:
- Requestor claims
company.acme - Registry provides verification file content
- Requestor hosts file at:
https://acme.com/.well-known/vcp-verify.txt - Registry fetches and verifies
import httpx
class HTTPSVerifier:
"""Verify domain ownership via HTTPS file"""
async def verify(self, domain: str, expected_token: str) -> bool:
"""
Check for VCP verification file.
Expects: https://{domain}/.well-known/vcp-verify.txt
Content: vcp-verify={token}
"""
url = f"https://{domain}/.well-known/vcp-verify.txt"
try:
async with httpx.AsyncClient() as client:
response = await client.get(url, timeout=10.0)
if response.status_code == 200:
content = response.text.strip()
return content == f"vcp-verify={expected_token}"
except Exception:
pass
return FalseFor: Community namespaces
Process:
- Define steward list (minimum 3)
- Each steward signs registration request
- Threshold signatures verified (e.g., 3-of-5)
- Namespace approved
from dataclasses import dataclass
from typing import List
@dataclass
class MultiSigProof:
"""Multi-signature proof of community ownership"""
stewards: List[str] # Public keys of stewards
threshold: int # Required signatures
signatures: List[str] # Collected signatures
message: str # What was signed
def is_valid(self) -> bool:
"""Check if threshold is met with valid signatures"""
valid_count = 0
for i, sig in enumerate(self.signatures):
if sig and verify_signature(self.stewards[i], self.message, sig):
valid_count += 1
return valid_count >= self.thresholdFor: Personal namespaces
Process:
- User requests
user.alice - Confirmation email sent to provided address
- User clicks verification link
- Namespace approved
| Policy | Description | Example |
|---|---|---|
| open | Anyone can create sub-namespaces | community.gaming.* |
| verified | Sub-namespace requires verification | company.acme.* |
| closed | Only owner can create | user.alice.* |
| consensus | Community vote required | religion.buddhist.* |
@dataclass
class DelegationGrant:
"""Grant to create sub-namespaces"""
parent_namespace: str # e.g., "company.acme"
child_segment: str # e.g., "legal" (for company.acme.legal)
grantee: str # Who receives delegation
policy: str # Delegation policy for child
expiry: datetime
signed_by: str # Parent namespace key
def full_namespace(self) -> str:
return f"{self.parent_namespace}.{self.child_segment}"paths:
/v1/namespaces/{namespace}/delegate:
post:
summary: Delegate sub-namespace
security:
- namespaceKey: []
parameters:
- name: namespace
in: path
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
type: object
required:
- child_segment
- grantee
properties:
child_segment:
type: string
example: "legal"
grantee:
type: string
description: Grantee public key or email
policy:
type: string
enum: ["open", "verified", "closed"]
default: "closed"
expiry_days:
type: integer
default: 365| Type | Description | Resolution |
|---|---|---|
| Squatting | Namespace claimed by non-owner | Proof of legitimate claim |
| Trademark | Namespace infringes trademark | Legal documentation |
| Abandonment | Namespace unused, blocking others | Grace period, then release |
| Impersonation | Misleading namespace | Review and possible revocation |
1. FILING
- Complainant submits dispute form
- Provides evidence of claim
- Pays dispute filing fee (refundable if valid)
2. REVIEW
- Registry reviews within 14 days
- Current holder notified
- Response period: 14 days
3. INVESTIGATION
- Evidence from both parties reviewed
- Third-party mediator if needed
- Decision within 30 days
4. RESOLUTION
- Namespace transferred, or
- Dispute rejected, or
- Compromise reached
@dataclass
class DisputeRequest:
"""Request to dispute a namespace"""
namespace: str # Disputed namespace
complainant: str # Who is filing
dispute_type: str # squatting, trademark, etc.
evidence: List[str] # URLs to evidence
claim_statement: str # Why complainant has right
requested_outcome: str # What complainant wants
@dataclass
class DisputeStatus:
"""Status of a dispute"""
dispute_id: str
namespace: str
status: str # filed, under_review, decided
filed_date: datetime
decision: Optional[str]
decision_date: Optional[datetime]- Keys are Ed25519 (same as VCP bundle signing)
- Key rotation supported with 30-day overlap
- Compromised keys can be revoked via email verification
- Hardware security module recommended for high-value namespaces
- Annual renewal required
- Grace period before release: 90 days
- High-value namespaces may have stricter requirements
- Reserved words cannot be registered
- Organizational namespaces require domain proof
- Similar-looking namespaces may be flagged
- Unicode normalization prevents homograph attacks
These cannot be used as namespace segments:
RESERVED_WORDS = {
# System
'system', 'admin', 'root', 'internal', 'api', 'test',
# VCP-specific
'vcp', 'uvc', 'creed', 'bundle', 'manifest',
# Common abuse targets
'official', 'verified', 'authentic', 'real',
}| Tier | Initial Term | Renewal | Grace Period |
|---|---|---|---|
| Core | Permanent | N/A | N/A |
| Organizational | 1 year | Annual | 90 days |
| Community | 1 year | Annual | 90 days |
| Personal | Permanent | N/A | Deletion after 2 years inactivity |
| Version | Date | Changes |
|---|---|---|
| 1.0.0 | 2026-01-11 | Initial specification |
This specification is released under CC BY 4.0. Contributions welcome.