
Verification

Two-way back-link check (properties)

How the resolver verifies that a property belongs to an entity.

Property verification is the clearest example of OLPN's mutual-back-link model. For a claim to verify, the entity must name the property and the property must name the entity. Either side without the other is not enough.

The two halves

Entity side

The entity's olpn.json has a properties[] array. Each entry names a property the entity claims ownership of:

{
  "network_id": "§:entity:jane.law",
  "properties": [
    {
      "id": "§:property:jane.law",
      "url": "https://jane.law",
      "type": "Website",
      "ownership": [{ "network_id": "§:entity:jane.law" }]
    }
  ]
}

Property side

The property's olpn-property.json has an ownership[] array. Each entry names an entity claiming ownership:

{
  "olpn_property": {
    "id": "§:property:jane.law",
    "url": "https://jane.law",
    "ownership": [
      { "network_id": "§:entity:jane.law" }
    ]
  }
}

The check

The resolver:

  1. Extracts the property's domain from the entity's claim. For §:property:jane.law, that's jane.law.
  2. Fetches https://jane.law/olpn-property.json (or the HTML embed if that fails).
  3. Parses the document, which must contain olpn_property.ownership as an array.
  4. Searches ownership[] for an entry whose network_id matches the entity being verified, case-insensitively.
  5. If found, the property verifies. The resolver attaches a verified: true flag and a timestamp. If not, the property is dropped.

Why both sides

Requiring both directions prevents two attacks:

  • Hijacked domain claim. Alice cannot claim Bob's domain as her property, because Bob controls the olpn-property.json and won't list Alice as an owner.
  • Unsolicited attribution. Bob cannot attribute a property to Alice without Alice's consent, because Alice's olpn.json has to list the property too, and Alice controls that document.

Either side on its own is just a claim. The conjunction is a verifiable attestation.

Multi-owner properties

A property with multiple owners verifies each one independently. If ownership[] lists Alice, Bob, and Carol, and only Alice's olpn.json includes this property in properties[], then only Alice's ownership verifies. Bob and Carol are named in ownership[] but the back-link from their side is missing, so they don't verify.

The self-property case

Most entities publish at a single domain and claim that domain as a property (§:property:{same-domain}). In this case the entity's olpn.json and the property's olpn-property.json are served from the same origin. The resolver still does the full two-way check; the self-property isn't special-cased. Symmetry is cheap to enforce.

Failure modes

  • No olpn-property.json at the domain. The claim fails. No fallback to "the domain exists, so the claim must be true".
  • olpn-property.json exists but has no ownership[]. The claim fails.
  • ownership[] lists a different entity. The claim fails.
  • HTTP error or timeout fetching the property document. The claim fails. Future resolvers may retry or mark as "temporarily unverified", but the reference implementation treats it as failure.
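
The five steps under "The check" and the failure modes above, as an added Python sketch that is not the OLPN reference implementation. The function names, the injected fetch callable and the hostname guard are assumptions made for this example, and the HTML-embed fallback from step 2 is left out.

```python
import json
import re
from datetime import datetime, timezone

PREFIX = "§:property:"
# Assumption (not stated on the page): the id suffix must be a plain hostname,
# so a crafted id cannot steer the fetch to another path or port.
HOSTNAME = re.compile(r"([a-z0-9-]{1,63}\.)+[a-z]{2,63}", re.I)

def property_domain(property_id):
    """Step 1: '§:property:jane.law' -> 'jane.law', or None if malformed."""
    if not isinstance(property_id, str) or not property_id.startswith(PREFIX):
        return None
    domain = property_id[len(PREFIX):]
    return domain if HOSTNAME.fullmatch(domain) else None

def verify_property(entity_id, claim, fetch):
    """Return the claim with verified flag and timestamp, or None (dropped).
    fetch(url) is a hypothetical callable: returns the body text, raises on
    HTTP error or timeout. Every failure fails the claim."""
    domain = property_domain(claim.get("id"))
    if domain is None:
        return None
    try:  # steps 2-3: fetch, parse, require olpn_property.ownership
        doc = json.loads(fetch(f"https://{domain}/olpn-property.json"))
        ownership = doc["olpn_property"]["ownership"]
    except Exception:
        return None
    if not isinstance(ownership, list):
        return None
    wanted = entity_id.casefold()  # step 4: case-insensitive match
    for entry in ownership:
        if isinstance(entry, dict) and str(entry.get("network_id", "")).casefold() == wanted:
            stamp = datetime.now(timezone.utc).isoformat()
            return {**claim, "verified": True, "verified_at": stamp}  # step 5
    return None

# Constructed sample: the property document from the page, served by a fake fetcher.
SAMPLE_SITES = {"https://jane.law/olpn-property.json": json.dumps(
    {"olpn_property": {"id": "§:property:jane.law", "url": "https://jane.law",
                       "ownership": [{"network_id": "§:entity:jane.law"}]}})}

def sample_fetch(url):
    return SAMPLE_SITES[url]  # KeyError stands in for a 404 or timeout

def verified_properties(entity_doc, fetch=sample_fetch):
    """Keep only the properties[] entries whose back-link verifies."""
    checked = (verify_property(entity_doc["network_id"], c, fetch) for c in entity_doc.get("properties", []))
    return [c for c in checked if c is not None]
```

The entity side of the back-link is the presence of the claim in properties[]; an entity that is named in ownership[] but does not list the property never reaches verify_property, so it does not verify.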