Governance

Who decides what goes into the spec, and what stops Plaw from deciding everything.


Rules

  1. MIT-licensed. The spec is not Plaw's. Normative text, schemas, and test vectors belong to the protocol. If Plaw shuts down tomorrow, the spec keeps shipping.
  2. No single-org majority. Maintainer council seats are capped: no single company gets a majority. That includes Plaw. Enforced in GOVERNANCE.md, not by promise.
  3. Open process. All normative changes go through public PRs and public discussion. Private channels do not advance spec text.
  4. Public votes, supermajority + quorum. Council decisions require a ⅔ supermajority of voting maintainers with quorum > ½ of seated maintainers, conducted in public on GitHub so the tally and individual votes are part of the permanent record.
  5. Recusal on conflict. Any maintainer with a direct material interest in a vote MUST recuse; recusals are recorded in the public tally and count toward neither quorum nor the supermajority.
  6. Stability rule. After v1.0, any breaking change ships a 12-month deprecation window. No exceptions for our own product.

Conflict of interest, declared

Plaw, Inc. sells Veto, a commercial action-authorization platform. Plaw wrote the v1.0 specifications because Veto needed a wire format that didn't exist. That is the conflict. The mitigations:

  • Plaw maintainers hold at most a plurality on the council, never a majority — from v1.0 onward.
  • The spec is MIT-licensed; no rights revert to Plaw.
  • The repository moves to a neutral machineauthority GitHub organization as founding co-maintainers are confirmed. It currently lives at github.com/PlawIO/machineauthority-protocol.
  • Veto is a reference implementation, not the standard. The same relationship Cedar has to Amazon, SPIRE has to SPIFFE, Cosign has to Sigstore.

This pattern — commercial sponsor seeds an open spec, then submits to a multi-org council — is how SPIFFE (seeded by Scytale), OpenTelemetry (Google/LightStep/Microsoft/Uber), and Sigstore (Red Hat/Google/Purdue) all reached real adoption.


Status

The v1.0 specifications are stable. Founding co-maintainer recruitment is open; until additional maintainers are confirmed, the single-organization cap (⅓) is held in escrow and substantive normative changes pause until the council reaches at least three independent organizations. Organizations interested in co-maintainership of any of the four specifications can open a Discussion on GitHub.


Reference implementation

Veto (Plaw, Inc.) is a reference implementation of the Machine Authority Protocol. It is a conformant implementation — not the standard itself. The relationship is the same as Cedar to Amazon, SPIRE to SPIFFE, or Cosign to Sigstore.