Community infrastructure becomes fragile when credentials are scattered, peer trust is implicit, or identity authority drifts away from the people maintaining the node. The identity layer should define who can authenticate, who can recover, what peers are trusted for, and how compromises are contained without guesswork.
A node can participate in a shared ecosystem without surrendering all account, session, and administrative power to a distant service. The practical model is local authority first: local accounts, scoped federation mappings, and explicit separation between resident access, operator access, and peer-level trust.
Secrets become dangerous when copied for convenience. Credential custody should define where each secret class lives, who is allowed to retrieve it, whether a peer can hold an encrypted recovery copy, and what requires in-person or two-person access.
The goal is not to make recovery impossible. It is to keep recovery possible without turning every trusted peer into a routine holder of local secrets.
The clean model is explicit peer policy: what a peer may mirror, what it may verify, what it may help restore, and what it must never receive. This keeps federation cooperative without becoming an accidental single admin domain.
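One way to encode that peer policy as a default-deny check, as an added example that is not part of the original page or any project's own code. The data-class names, the `NEVER_SHARE` set, and the rule that a suspended peer is denied every action are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    MIRROR = "mirror"    # what a peer may mirror
    VERIFY = "verify"    # what a peer may verify
    RESTORE = "restore"  # what a peer may help restore


class PeerState(Enum):
    ACTIVE = "active"
    SUSPENDED = "suspended"


# Assumed secret classes that no peer may receive, whatever its grants say.
NEVER_SHARE = frozenset({"operator-credentials", "break-glass", "session-secrets"})


@dataclass
class PeerPolicy:
    peer_id: str
    grants: dict = field(default_factory=dict)  # Action -> set of data classes
    state: PeerState = PeerState.ACTIVE

    def __post_init__(self):
        # Reject a misconfigured policy at load time, not at request time.
        for action, classes in self.grants.items():
            leaked = set(classes) & NEVER_SHARE
            if leaked:
                raise ValueError(f"{self.peer_id}: {action.value} grants {sorted(leaked)}")


def decide(policy, action, data_class):
    """Return (allowed, reason). Anything not explicitly granted is denied."""
    if data_class in NEVER_SHARE:
        return False, "never-share class"
    if policy.state is PeerState.SUSPENDED:
        return False, "peer suspended"
    if data_class not in policy.grants.get(action, set()):
        return False, "no explicit grant"
    return True, "explicit grant"


if __name__ == "__main__":
    # Constructed sample policy: mirror public content, hold encrypted escrow.
    peer = PeerPolicy("peer-a", {Action.MIRROR: {"public-content"},
                                 Action.RESTORE: {"encrypted-escrow"}})
    for act, cls in [(Action.MIRROR, "public-content"), (Action.VERIFY, "public-content"),
                     (Action.RESTORE, "break-glass")]:
        print(peer.peer_id, act.value, cls, decide(peer, act, cls))
```

Logging the returned reason with each denial gives stewards a record of which rule blocked a peer request.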
If key rotation only exists in theory, it will fail under pressure. Communities should know what rotates on schedule, what rotates after a steward departure, what rotates after a suspected compromise, and how local service continuity is preserved while that work happens.
The identity layer should shorten the most stressful moments: volunteer departure, suspected compromise, lost hardware, or peer dispute. That means a legible custody map, named recovery roles, enough local documentation that a new steward can restore access without becoming the next single point of failure, and clear linkage to the steward handbook and service-class runbooks that govern the response.
Revoke or rotate operator-facing credentials, review break-glass access, and confirm that no single departing steward was the only holder of critical recovery knowledge.
Invalidate affected device keys quickly, preserve logs, and prefer temporary restriction of remote admin over blind trust that the device is merely misplaced.
Move the affected peer to suspended state, preserve signed evidence, and continue local service wherever possible while the dispute is resolved through named stewards.
Restore from local media and approved peer escrow, then re-establish trust relationships intentionally rather than copying every old credential forward by habit.
Use the node spec for the local service environment that identity and trust policy must protect.
Open Node Spec
The federation guide explains peer relationships; this page defines how those relationships are trusted, scoped, and revoked.
Open Federation Guide
The runbook covers restores and incident handling. This page makes credential rotation and trust recovery more explicit.
Open Operations Runbook
The service matrix decides where systems live. This page decides how identity and trust wrap around those systems.
Open Service Matrix
The operator handbook defines steward roles, escalation ladders, and custody boundaries around these trust and credential events.
Open Operator Handbook
The service runbooks tie identity/session verification, relay checks, mirror health, and backup restoration to the trust boundaries documented here.
Open Service Runbooks
Identity policy is only real if communities can host and recover it on equipment they actually control.
Open Device Blueprint
The social layer benefits from federation-aware identity only when moderation, operator authority, and trust boundaries remain legible.
Open TheEtherNet