Verifier posture · Fail-closed
Fail-closed verification
When the verifier blocks the call. Fail-closed is a posture decision the relying party makes locally for high-risk actions. ECZ-ID does not decide for you.
When to fail closed
- For high-risk MCP tool calls that mutate state, move money, or release sensitive data.
- When the ResultState is MISMATCH, REVOKED, SUSPENDED, EXPIRED, or DEGRADED.
- When the relying-party policy_mode is REQUIRE and the ResultState is anything other than RESOLVER_VERIFIABLE.
When not to fail closed
- NO_PUBLIC_RESOLVER_PROOF_FOUND on a low-risk call where local policy_mode is OPEN or PREFER.
- SETUP_REQUIRED where the operator has been notified and is in active setup.
- NOT_APPLICABLE or UNSUPPORTED_TARGET on a check that does not apply to the target type.
No overclaim posture
- No public resolver proof found yet does not mean unsafe.
- Re-check before reliance.
- Local policy decides.
- The verifier does not create or change verification state.
ECZ-ID separates setup, verification state, and public proof so operators can prepare evidence and relying parties can re-check before they act. TrustOps handles setup. Resolver remains the public proof surface. The verifier does not create or change verification state. Start setup in TrustOps when you operate the target. Share resolver guidance when you do not. Local policy decides. Re-check before reliance.