OCSS Overview

Phosra implements OCSS; the OCSS stewardship body owns the standard.

The Open Child Safety Specification (OCSS) is a vendor-neutral open standard for age-appropriate access control. It publishes the rule vocabulary, signing semantics, Trust Framework, and conformance suite that any provider — including Phosra — can implement. The normative text, 115-category rule registry, and conformance requirements live at openchildsafety.com. They are not hosted here.


What OCSS is

OCSS defines two layers that together form the specification:

The rule vocabulary

A 115-category rule registry (67 anchored / 48 provisional) mapping age-appropriate access-control requirements to machine-checkable categories. Categories like addictive_pattern_block, commercial_data_ban, and ai_chatbot_tier_gate are typed identifiers every conformant provider interprets identically — the vocabulary is the portable unit of agreement across devices, networks, and regulators.

The registry is published as part of the OCSS specification at openchildsafety.com and tracks legislation from ~90 jurisdictions globally.

The Trust Framework

The routing and trust layer: the two-layer signed envelope, the eIDAS-style Trust List of accredited parties, accreditation tiers, and the signed-verb model that governs how signals move and which parties are trusted to move them. See Trust Framework for details.


Phosra's role

The relationship between Phosra and OCSS is the same as Yubico shipping a FIDO2-conformant authentication key: Yubico implements FIDO2; the FIDO Alliance owns the standard. Phosra implements OCSS; the OCSS stewardship body owns the standard.

Or: Stripe is a conformant PCI-DSS implementer; the PCI Security Standards Council owns PCI-DSS. Phosra is a conformant OCSS provider; the OCSS stewardship body owns OCSS.

In practice this means:

  • Phosra is an accredited provider on the OCSS Trust Framework — it holds a steward-of-record designation and serves the signed Trust List and succession record that any party can fetch and verify.
  • Phosra is the reference implementer — it contributes the reference Go server and TypeScript library (@openchildsafety/ocss) that other implementers can build from.
  • Phosra is one network on OCSS — if Phosra disappeared tomorrow, the spec, the rule registry, and the conformance suite live on at openchildsafety.com. No single SaaS contract owns child-safety plumbing.

What Phosra does not own

  • The OCSS specification text.
  • The 115-category rule registry.
  • The conformance suite or the "OCSS Certified" designation — that status is earned from the standard, not issued by Phosra.
  • The @openchildsafety/ocss library surface: Phosra re-exports it verbatim in the /protocol subpath of @phosra/sdk-dev. Zero Phosra cryptographic logic is added.

OCSS is a pre-release standard — currently an individual IETF Internet-Draft (Draft 4), not yet ratified by any standards body. Phosra is building toward OCSS Certified: a status earned from the standard's own conformance suite. Conformance evidence is something a regulator can weigh — it is not a compliance determination or a safe harbor (OCSS §5.1).


Where to read the standard

The OCSS specification, rule registry, and conformance suite are at openchildsafety.com.

Phosra's own API documentation — this site — covers only the Phosra-specific management surface and the integration patterns for building against the standard. If there is ever a conflict between what is written here and what is written at openchildsafety.com, the standard wins.


Next

  • Trust Framework — the routing/trust layer in detail: envelopes, Trust List, accreditation tiers, signed verbs.
  • OCSS Protocol SDK — using @openchildsafety/ocss via @phosra/sdk-dev/protocol.
  • Conformance Status — live vs. preview surface-by-surface.