Electing a new owner when the founder is gone

When there is no key and no plan

The earlier article on ownership covers the careful path: back the key up, escrow it inside the hive, name a successor while you still can. That assumes someone was thinking about the day the founder leaves. Often nobody was. The person who set the hive up moved on, took the only copy of the key with them, and left no successor behind. The team is down to the machines that were already admitted and the corpus they still sync.

Without a recovery path, that is the end of governance. The facts keep flowing. No one can admit a new teammate or change a rule. The hive ages in place. The question is whether the people still holding admitted devices can agree on a new owner without one of them being able to seize the seat alone.

A vote among the machines that were already trusted

They can, if the owner switched the option on first. The owner sets two numbers. The first is how many admitted devices must agree before a new owner is seated. The second is how many days the owner must be silent before an election is even allowed to finish. With those set, the path is short.

An admitted device proposes a new owner. It either mints a fresh key on the spot or points at a key held somewhere safe. The proposal gets a content address, so every machine refers to the same one rather than arguing over which is which. The other admitted devices vote for it. When the number of endorsements reaches the quorum and the silence period has passed, the same proposal installs the same new owner on every node, because each node replays the identical signed history and reaches the identical result. No one announces the new owner. The hive arrives at the answer on its own.

The authority here is membership, not the lost key. A proposal carries a signature from an admitted device, and a vote does too. A machine that only synced the corpus to read it has nothing to sign with that counts. That matters because it closes the obvious attack: you cannot create a majority by generating keys, since the votes that count come only from devices a past owner already admitted.

The dead-man switch

The hard part of any election scheme is making sure it can never be turned against a person who is still here. A recovery path that doubles as a coup is worse than no recovery path. The guard is the silence period, and it works as a dead-man switch.

An election cannot complete while the owner is active. Any action signed by the owner key resets the clock, and there is an explicit way to send that signal on purpose: a heartbeat. An owner who is alive and paying attention does nothing special and stays owner, because ordinary governance work already counts. An owner who suspects an election is brewing sends one heartbeat and shuts the window. Only real, sustained silence, the kind that means the key is gone, lets the vote land.

So the feature has two faces depending on who you are. To an absent owner’s team it is the way back from a dead disk. To a living owner it is harmless, because the team cannot move while you are still signing. You hold the seat for as long as you show up, and the day you stop showing up for good, the people you trusted enough to admit can carry it on. That is the same bargain as the rest of ownership. You keep the call while you are here, and you make sure the call survives you when you are not.

Frequently asked

Related