04 · Reference implementation

Running code, and what it does not cover

A reference implementation exists to prove a specification is buildable and to find the places where it is wrong. This one found two Critical defects in its own specification. It also leaves two of the five roles entirely unbuilt, and this page says which.

Roles built
3 of 5Publisher, Log, Consumer
Canonicaliser
30/30RFC 8785 golden vectors
Authority
12/12BI-004 §7.2 algorithm
Consumer
43/43CON-1 … CON-16

Download the implementations What is not built

Contents
  1. 01  Portability, not adoption
  2. 02  What is built
  3. 03  Reference Publisher and Log
  4. 04  Reference Consumer #001
  5. 05  What building it found
  6. 06  What is not built
  7. 07  Why these results are self-reported
  8. 08  Run it against us

01

Portability, not adoption

The acceptance criterion for this family is not how many people use MassMediaHub. It is whether a publisher can leave it.

A competing implementation must be able to implement these specifications, interoperate with any conformant log, and accept a publisher migrating away from MassMediaHub — without losing identity, provenance, or correction continuity.

A feature that makes migration harder is a defect, not a moat.

BI-009 §7.4

That sentence is a normative acceptance criterion, not a value statement. It is why the specification mints no identifiers, operates no registry, and defines no conformance mark: each of those would be a thing a publisher could not take with them.

The test we would like you to try

Stand up a Publisher that is not ours. Point it at a log that is not ours. Serve an object whose canonical IRI is on your own domain. Nothing in this family should require our cooperation, our software, or our permission.

If it does, that is a bug in the specification, and we want it as a bug report — not as a customer.

02

What is built

Five roles are defined. Three are implemented. Two are not.

Reference Implementation #001 — role coverage
Role Component Status
Publisher massmediahub-ri-001 Built
Log Operator massmediahub-ri-001 Built — one log, ours
Consumer massmediahub-consumer-001 Built — CON-1 … CON-16, 43/43
Monitor Not built
Auditor Not built

Source: audit/CONFORMANCE-REPORT.md · audit/MANIFEST.json

03

Reference Publisher and Log

massmediahub-ri-001

The Publisher produces conformant Broadcast Objects and signs supersession statements. The Log merges them into an append-only Merkle tree and issues proofs.

Components

Modules, and the specification section each implements
ModuleResponsibilityImplements
MMH-CORE Object store, versioning, the single JCS canonicaliser, versionId BI-002 §4, §6
MMH-RESOLVE Canonical IRI serving, content negotiation, Memento, Signposting BI-002 §4.5, §5
MMH-INGEST Essence ingest, fixity, manifestations, C2PA BI-002 §9
MMH-DERIVE Transcript, entity, translation — and their provenance BI-002 §10, §11, §13.2
MMH-RIGHTS Rights, ODRL, AI usage BI-002 §12
MMH-AUTH Authority document, keys, delegation, signing BI-004
MMH-DIST Append-only distribution log BI-002 §17
MMH-ARCHIVE OAIS, tombstones, fixity audit BI-002 §18

One canonicaliser, used three times

The same RFC 8785 implementation computes versionId, signs authority statements, and hashes Merkle leaves. Two canonicalisers would mean a forked log — the same statement hashing differently depending on which code path reached it, with no error raised anywhere.

It is gated by 30 golden vectors, and it is the first thing an independent implementer should check against their own.

Verified: core/test_canonical.py30/30 passed

Authority verification

MMH-AUTH implements the twelve-step algorithm of BI-004 §7.2, including the rule that decides whether the whole family works: authority is evaluated as of the log timestamp, not now.

Test A1′ exists to fail

A consumer that resolves the current Authority Document instead of the one that was live when the statement was merged would invalidate a publisher's entire correction history on their first key rotation — and it would pass every happy-path test before doing so.

A1′ has no purpose except to catch that. If you write this bug, it will tell you.

Verified: core/test_authority.py12/12 passed

Append-only is enforced below the application

A log is append-only because the database refuses to do anything else — triggers and role-level grants, not application logic. Application logic can be bypassed by the next developer in a hurry. A revoked UPDATE grant cannot.

Source: db/ · MMH-001-IMPLEMENTATION-DESIGN.md

04

Reference Consumer #001

massmediahub-consumer-001 Closes K-7 at the implementation layer

Until this was built, no consumer existed anywhere that honoured a correction. A correction protocol with zero honouring consumers is a paper, not infrastructure.

What it does

  • Subscribes to the logs an object lists, and enforces a Maximum Poll Interval — a consumer that polls once a week has not implemented this protocol
  • Verifies each Signed Tree Head, and a consistency proof against the last head it saw
  • Independently re-verifies publisher authority — even though the log already accepted the statement. The log is not trusted to have checked.
  • Resolves the Authority Document as of the committed first-merge timestamp, via Memento
  • Purges retrieval indexes, embeddings, and grounding data within the MAD for the severity
  • Emits an auditable record of what was purged, when, and under whose authority
  • Refuses forged withdrawals — and leaves the content up

The refusal path is the same requirement, not a separate one

A consumer that honours every withdrawal it is handed has built a censorship vector, not a correction protocol.

MMH-RC-001-DESIGN.md
Tested in both directions
ScenarioRequired outcome
Valid legal-withdrawal, correct scope Purged within the hour
Cross-origin forged withdrawal Rejectedcontent stays up
Withdrawal signed by a correct-scoped key Rejectedcontent stays up
Log restates a committed timestamp by 1 ms Rejected — hard verification failure

The rows that say content stays up are the ones a naive implementation fails — and it fails them silently, while its tests stay green.

Where the purge cannot be completed, it says so

The consumer can prove it purged retrieval indexes, embeddings, and grounding. It cannot prove absence from model weights, and it does not claim to.

Where content has reached weights, it reports compliance incomplete, with the reason — it does not quietly mark itself compliant.

Source: CON-16 · audit/KNOWN-ISSUES.md K-4

Verified: tests/test_consumer.py43/43 passed, covering CON-1CON-16, plus the C-1 timestamp regression and the Maximum Poll Interval.

05

What building it found

A reference implementation earns its name by breaking the specification it implements. This one did, twice, at Critical severity.

Critical C-2 Resolved

The reference canonicaliser was not RFC 8785

It sorted JSON keys by Unicode code point. RFC 8785 requires UTF-16 code-unit order. It also emitted 1e-07 where the standard requires 1e-7.

The defect was in our code, and the specification's own test suite did not catch it — because the suite had been written against the same wrong assumption.

Fixed And promoted to a gating suite: 30 golden vectors, disqualifying at every role and level. The gate exists because we failed it.

Critical C-1 Resolved

The log could silently rewrite the past

The log's timestamp decides whether a signing key was authorised when a correction was made. It was not committed to the Merkle tree at all, so a log could restate it after the fact — breaking no leaf hash and no consistency proof.

Fixed The leaf now binds the first-merge timestamp. A one-millisecond restatement is a hard verification failure, and the Consumer tests it.

Full security review

06

What is not built

Two of the five roles have no implementation, by us or by anyone. Sixteen assertions are unexercised.

No Monitor and no Auditor exist

Gossip is a MUST. Without an auditor that gossips, there is no defence against a log equivocating — presenting one history to one consumer and a different history to another, with both proofs verifying.

The protocol specifies that defence. Nothing implements it. That is stated here rather than left for a reviewer to discover in the conformance report.

Source: BI-008 §9, §10 · audit/CONFORMANCE-REPORT.md

There is only one log, and we operate it

Level 3 requires two independent logs — distinct legal entities, no common control, distinct trust anchors, derived from each log's own published metadata rather than from a flag the operator sets.

MassMediaHub cannot reach Level 3 alone, and its own conformance code refuses to claim otherwise. A correction protocol whose only log is run by the reference implementer has a chokepoint exactly where it claims not to have one.

Source: BI-008 §11.4.1 · erratum E-1

Two Level 3 assertions cannot be validated at all

OBJ-3.3 and OBJ-3.4 validate an ODRL profile that BI-005 would have defined. BI-005 does not exist and is not being written.

Those assertions report not-validated, never pass.

07

Why these results are self-reported

Every number on this page was produced by our code, running our test suite, against our specification. That is worth exactly what it sounds like.

What 43/43 proves, and what it does not

Proves: the protocol is implementable. A conforming Consumer can be built, and it honours corrections and refuses forgeries.

Does not prove: that the protocol is interoperable. One implementation passing its own authors' suite says nothing about whether a second, independent implementation would agree with it — and C-2 is proof that we can write a suite that agrees with our own bug.

Source: audit/KNOWN-ISSUES.md · K-7 residual

The single most valuable thing an external reviewer can do is write an independent Consumer, or an independent RFC 8785 canonicaliser, and find where it disagrees with ours.

K-7 asked for a conforming Consumer. One now exists — ours. The residual is open, and it stays on this page until someone with no stake in this succeeding closes it.

08

Run it against us

Everything below runs offline, against the published package, with no privileged access and no cooperation from us.

Reference implementation suites
cd implementations/massmediahub-ri-001/core
python3 test_canonical.py              # 30/30 — RFC 8785 golden vectors (the C-2 gate)
python3 test_authority.py              # 12/12 — BI-004 §7.2, incl. test A1' (effective time)

cd ../../massmediahub-consumer-001
python3 tests/test_consumer.py         # 43/43 — CON-1 … CON-16, both directions

Verify the bytes first: sha256sum -c SHA256SUMS.txt

If you write one thing, write a canonicaliser

Implement RFC 8785 yourself and check that your leaf hashes match ours. If they disagree, one of us is wrong — and it has been us before.

Download the implementations Conformance

Submit an Independent Engineering Review

Email

Security findings, interoperability reports, conformance issues, implementation feedback, and specification comments are welcome.

Substantive technical reviews may be published, with attribution unless anonymity is requested.

Frozen Broadcast Infrastructure™ v1.0-FC1 · Final Candidate 1 · Not Final

This specification family is published for independent engineering review. It is not to be operationally relied upon. MassMediaHub is Reference Implementation #001 — one implementation, not the specification.