Follow-up from PR #4505 (distributed brand.json) — explicitly listed as out of scope there.
The tradeoff
Mutual assertion as the trust primitive means ownership is publicly disclosed at well-known URLs. The leaf says `house_domain: A`; A's `brand_refs[]` says "yes, this is mine." Both halves are crawler-readable.
This trade is deliberate: protocol-level verifiability is the whole point. ads.txt/sellers.json made the same trade and it shipped at industry scale.
But it conflicts with how some real publishers operate:
- PE rollups often hold competing brands in a single portfolio and don't want public attribution that exposes the competitive structure to acquirers, employees, or competitors.
- White-label arrangements (Kroger → Harris Teeter; Albertsons → Safeway): the parent runs the brand but consumer-facing communication maintains separate identities.
- Holding companies during M&A negotiations may not want post-deal ownership to be machine-readable before the deal closes.
Today's monolithic shape (inline `brands[]`) lets a parent quietly omit children from the published portfolio — the parent's brand.json doesn't have to list every brand they own. That implicit opacity is what some publishers rely on.
The distributed shape exposes this. A leaf with `house_domain` published is making a public claim about its parent regardless of whether the parent reciprocates.
Options
A. Stay as-shipped. Mutual assertion = public disclosure. Publishers who want opacity use the inline shape (or simply don't publish brand.json for sensitive holdings). Document this explicitly so it's a feature, not a bug.
B. Add an opt-out flag. `brand.json` gains `opt_out_of_reciprocation: true` on the brand side or a flag on `brand_refs[]` that says "don't expose this relationship publicly." But this destroys the value of mutual assertion — if either side can opt out unilaterally, the trust primitive collapses.
C. Tiered visibility. A house can publish two portfolios: a public one with the mutually-asserted brands and a private one accessible only to authorized parties (signed requests, AdCP credentials). Complicates the discovery model; arguably out of scope for brand.json.
Recommendation (for discussion)
A, with a clear documentation paragraph that mutual assertion is a deliberate privacy/verifiability tradeoff and not all corporate structures should publish via this path. Owners who want opacity have an honest choice: don't publish, or publish via inline.
The protocol shouldn't add an opt-out that lets one side break the primitive — that recreates the "who claims what, no way to verify" problem.
Scope guard
Corporate-structure secrecy is a business choice, not a protocol gap. The protocol's job is to support the publishers who do want verifiability.
Related
Follow-up from PR #4505 (distributed brand.json) — explicitly listed as out of scope there.
The tradeoff
Mutual assertion as the trust primitive means ownership is publicly disclosed at well-known URLs. The leaf says `house_domain: A`; A's `brand_refs[]` says "yes, this is mine." Both halves are crawler-readable.
This trade is deliberate: protocol-level verifiability is the whole point. ads.txt/sellers.json made the same trade and it shipped at industry scale.
But it conflicts with how some real publishers operate:
Today's monolithic shape (inline `brands[]`) lets a parent quietly omit children from the published portfolio — the parent's brand.json doesn't have to list every brand they own. That implicit opacity is what some publishers rely on.
The distributed shape exposes this. A leaf with `house_domain` published is making a public claim about its parent regardless of whether the parent reciprocates.
Options
A. Stay as-shipped. Mutual assertion = public disclosure. Publishers who want opacity use the inline shape (or simply don't publish brand.json for sensitive holdings). Document this explicitly so it's a feature, not a bug.
B. Add an opt-out flag. `brand.json` gains `opt_out_of_reciprocation: true` on the brand side or a flag on `brand_refs[]` that says "don't expose this relationship publicly." But this destroys the value of mutual assertion — if either side can opt out unilaterally, the trust primitive collapses.
C. Tiered visibility. A house can publish two portfolios: a public one with the mutually-asserted brands and a private one accessible only to authorized parties (signed requests, AdCP credentials). Complicates the discovery model; arguably out of scope for brand.json.
Recommendation (for discussion)
A, with a clear documentation paragraph that mutual assertion is a deliberate privacy/verifiability tradeoff and not all corporate structures should publish via this path. Owners who want opacity have an honest choice: don't publish, or publish via inline.
The protocol shouldn't add an opt-out that lets one side break the primitive — that recreates the "who claims what, no way to verify" problem.
Scope guard
Corporate-structure secrecy is a business choice, not a protocol gap. The protocol's job is to support the publishers who do want verifiability.
Related