Clock skew, timestamps, and slot‑based consensus in Cardano and Cosmos
Time in a distributed system is never really “now”. It’s “what my local clock says, plus whatever lies the network is telling me”.
Blockchains sit right on that fault line. Consensus needs some notion of global progress (slots, rounds, deadlines), but every node only has its own drifting clock and some messages with timestamps.
This is how I think about time in blockchain systems: physical vs logical time, how we validate timestamps, and how slot‑based protocols like Cardano and Tendermint/Cosmos use time without letting it quietly break safety.
1. Why time is hard in distributed systems
In a single process, time is just “read the clock”.
In a distributed system you have:
- Each node has its own physical clock.
- Clocks drift and jump (NTP adjustments, VM hiccups).
- Messages are delayed, reordered, or lost.
- There's no global "tick" everyone sees at once.
Classic results in distributed systems say you can’t build a perfectly synchronized global clock in an asynchronous network; you can only bound drift and delay and design algorithms around those bounds.(Medium)
So blockchains use approximate time:
- as a guard rail for block timestamps (reject obviously wrong ones);
- as a scheduling grid (slots, rounds, timeouts);
- as an input to application logic (timelocks, expiry).
The art is to make consensus depend on time just enough to work, but not so much that a bad NTP config can fork the chain.
2. Block timestamps and validation windows
Most protocols attach a timestamp to each block header. Nodes then apply simple rules like:
- Reject blocks whose timestamp is too far in the past.
- Reject blocks whose timestamp is too far in the future.
The devil is in “too far”.
2.1 Bitcoin: median‑time‑past and +2h rule
Bitcoin uses a very pragmatic rule: a block timestamp is valid if it is:
- greater than the median of the previous 11 blocks’ timestamps (Median Time Past, MTP), and
- less than the node’s “network‑adjusted time” plus two hours.(Bitcoin Wiki)
ASCII:
lower bound: median(last 11 block times)
upper bound: local_network_time() + 2h
valid_timestamp = in_range(lower_bound, upper_bound)
Network‑adjusted time is itself a median of peer clocks, so you don’t trust your own wall clock entirely.(Bitcoin Wiki)
This doesn’t give you precise wall‑clock time (it’s deliberately fuzzy by an hour or so), but it’s good enough to:
- keep block timestamps roughly increasing;
- make time‑based scripts (nLockTime) work;
- prevent an attacker from pushing the chain’s notion of time arbitrarily far.(Bitcoin Stack Exchange)
2.2 Tendermint / Cosmos: median of validator times
Tendermint (Cosmos’ consensus engine) uses validators’ local times directly. When a block is committed, each validator includes a timestamp in its precommit; the final block time is the median of precommit timestamps from the voting power‑weighted validator set.(MDPI)
Visually:
Validator times: t1, t2, t3, ..., tn
Block time: median(t1..tn)
As long as at least 2f+1 honest validators exist (out of 3f+1), the median lies between honest clocks, so one wildly wrong clock can’t drag block time off a cliff.(MDPI)
Block time then feeds into:
- application logic (timeouts, expiries);
- IBC/relayer timeouts across Cosmos chains;
- rate limiting or fraud‑detection logic.
3. Slot‑based time in Cardano
Cardano goes further and bakes time directly into the consensus protocol via epochs and slots.
3.1 Wall clock → slot number
Roughly:
Wall-clock time
|
v
Slot number (discrete ticks: 0,1,2,...)
Epochs are ranges of slots.
Each slot has a fixed nominal length (per era).
The Ouroboros family of protocols uses slots to schedule leadership:
- for each slot, a VRF decides if a given stake key is the leader;
- if yes, that node is allowed to produce a block for that slot.(developers.cardano.org)
Locally, a node maps wall‑clock time to a slot by:
- knowing the genesis time;
- knowing the slot length for the current era;
- computing:
slot = floor((now - genesis_time) / slot_length)
with some extra care for era transitions where slot length changes.(Cardano Docs)
3.2 Slot length, propagation, and security
Slot length (tsl) is a key design parameter:
- shorter slots → higher potential TPS and lower time‑to‑finality;
- longer slots → more room for network delay and processing.
Work on PoS synchronisation (e.g. QuickSync) explicitly relates slot length to network propagation delay: you really want slot_length ≥ worst‑case block propagation.(arXiv)
ASCII trade‑off:
slot too short:
block may not reach 2/3 of stake before next slot,
causing missed opportunities or higher fork risk.
slot reasonable:
block has time to propagate,
honest majority sees a consistent chain tip.
Cardano’s own network design docs model propagation delay, clock skew and slot length together when reasoning about security margins.(Ouroboros Network)
3.3 Clock skew and “near‑future” blocks
Because slots are derived from local clocks, Cardano must tolerate some skew. The consensus code allows headers whose slots are slightly in the future relative to local time, but not too far; headers beyond that window are ignored for chain selection.(ouroboros-consensus.cardano.intersectmbo.org)
A 2024 “near future” bug report describes how overly generous acceptance of slightly future blocks could create a denial‑of‑service vector; tightening those bounds improved behaviour under adversarial timing.(Cardano Development Updates)
In practice, that leads to a simple mental model:
- If your node's clock is too far behind, you miss leadership opportunities.
- If it's too far ahead, you might produce blocks other nodes consider "from the future".
- The protocol defines a skew window so honest operators have room to drift a bit,
but not enough to destabilise slot-based consensus.
4. Clock synchronization in real deployments
Underneath all of this, nodes still depend on their local OS clocks.
Typical setup:
[ System clock ]
^
|
NTP/PTP/GPS
Operationally:
- you run at least one NTP client per host (or a local NTP/PTP service in the cluster);
- you monitor clock offset and NTP health;
- you alert if drift exceeds a small threshold (tens of ms for validators, maybe more for pure full nodes).
Cardano’s time‑handling docs explicitly assume a reasonably accurate wall clock: the currentSlot computation is only meaningful if now is within a bounded offset of real time.(Cardano Docs)
Tendermint’s reliance on validator timestamps implicitly assumes participating validators keep their clocks roughly in sync; large skew would show up as outlier timestamps, but if many operators misconfigure NTP, the median moves.(MDPI)
Production note. The ugliest time‑related incidents I’ve seen weren’t protocol bugs. They were NTP failures: a subset of validators drifting minutes off, then being slashed or missing blocks because their view of “now” diverged from everyone else’s. Ever since, I treat time sources as part of consensus infrastructure, not “just ops”.
5. Patterns for using time safely in consensus
A few design patterns have proven themselves across systems.
5.1 Prefer monotonic, consensus‑based time
Where possible, use time derived from the chain itself:
- Bitcoin’s MTP as a lower bound on future block timestamps;(Bitcoin Wiki)
- Tendermint’s median of validator timestamps as block time;(MDPI)
- Cardano’s slot number as the primary notion of “chain time”.(Cardano Docs)
These are all examples of logical time built on top of many noisy physical clocks.
5.2 Keep acceptance windows wide but explicit
Instead of expecting precise wall‑clock agreement, define windows:
- block timestamp must be >= consensus-based lower bound;
- block timestamp must be <= local_time + ε;
- slot numbers must not be "too far" ahead of local slot.
Bitcoin’s ±2 hour rule and Cardano’s slot skew bounds are both concrete instances.(Bitcoin Wiki)
The key is to:
- document ε clearly;
- test behaviour at the edge of those windows;
- avoid hidden or implicit checks scattered through code.
5.3 Separate “protocol time” from “UX time”
For application‑level logic:
- use block/slot height or chain‑based timestamps for things that must be tied to consensus (timelocks, vesting, expiry);
- use wall‑clock time only for UX (display, rate‑limiting at the edge), not for core correctness.
This avoids, for example, a dApp enforcing a wall‑clock expiry that doesn’t align with what the chain sees.
6. Testing time and synchronization
You can and should simulate bad time.
On a testnet or local cluster, I like to:
- Start a small network of nodes.
- Intentionally skew some clocks by +Δ or -Δ.
- Observe:
- which nodes accept/reject which blocks
- how leader election behaves (Cardano slots, Tendermint rounds)
- whether any node can be trivially DoS'ed by "future" blocks.
- Then:
- disable NTP on a subset,
- jump their clocks forward/back,
- watch consensus under stress.
For slot‑based PoS, I also run experiments varying:
- slot length vs measured block propagation;
- max clock skew;
- network partitions that temporarily distort perceived time.
Work like QuickSync’s analysis of slot length vs propagation delay gives you theoretical guardrails; simulations tell you whether your implementation actually lives within them.(arXiv)
Production note. One of the most useful tests we ran was a “frozen NTP” scenario: we paused time on half the nodes and let the others run. Consensus didn’t break, but slot‑leadership logs became misleading and some schedules drifted badly. That test led straight to better monitoring on NTP health and a clear playbook for time‑related incidents.
7. Closing thoughts
Time in distributed blockchain systems is always approximate and adversarial.
The patterns that seem to work are:
- Treat physical clocks as noisy inputs, not ground truth.
- Build a logical notion of time (slots, block time, MTP) on top of many clocks.
- Validate timestamps with explicit windows and simple, monotone rules.
- Choose slot lengths and timeouts with real propagation delays in mind.
- Treat clock synchronization as part of consensus, not just DevOps.
Cardano’s slot‑based Ouroboros, Cosmos’ Tendermint, and even Bitcoin’s rough timestamp rules are all different answers to the same question:
“How do we let time into consensus just enough to make progress, without letting a misconfigured clock or a malicious operator quietly break the system?”
If you design and operate with that tension in mind, your chains are much less likely to be surprised by time when it inevitably misbehaves.
Completion scope and production contract
This completion review turns the earlier conceptual treatment into a release-oriented engineering contract. It treats Time and Synchronization in Distributed Blockchain Systems as a cryptographic or distributed-security component, follows a key, message, transcript, proof, signature, hash input, or authenticated protocol event through validation and durable state, and separates normative requirements from implementation policy. The normative baseline is the named standard, security definition, test vectors, and maintained library contract; deployment defaults, caching, retry limits, and operator thresholds are explicitly local policy. 11
The intended audience is experienced developers and architects. Readers should understand the surrounding chain or application model, typed data structures, persistence, and basic security engineering. The scope includes correctness, implementation boundaries, deterministic tests, failure recovery, security, performance, and observability. It does not claim that the educational companion is a drop-in replacement for a maintained protocol or cryptographic library. Production adoption requires an independent threat model, compatibility testing against the authoritative implementation, and operational ownership. 12
The mental model used throughout is deliberately strict: untrusted input crosses entropy, parsing, key custody, verification, protocol, and storage boundaries; a validator derives facts under the named standard, security definition, test vectors, and maintained library contract; accepted transitions update domain-separated cryptographic state and explicitly authenticated protocol state; and observers consume committed facts, never optimistic intermediate mutations. A guarantee is stated only when it follows from those rules and assumptions. Heuristics such as fee selection, caching, peer scoring, timeouts, user messaging, or alert thresholds remain policy and may be tuned without redefining validity. 13
Reader contract and scope
For Time and Synchronization in Distributed Blockchain Systems, this review makes the exact user decision and the prerequisites needed to make it safely explicit. Start from one key, message, transcript, proof, signature, hash input, or authenticated protocol event and write down its origin, canonical representation, validation context, authority, and durable outcome. The cryptographic or distributed-security component must not infer a stronger fact from transport success, cache presence, or an upstream acknowledgement. Its authoritative state is domain-separated cryptographic state and explicitly authenticated protocol state, and every projection must remain rebuildable or reconcilable from committed facts. This framing distinguishes a protocol guarantee from an operational convenience and gives reviewers a concrete place to challenge an assumption. 11
The principal failure to design against is an attractive example being mistaken for a complete production design. Address it before optimizing by defining a narrow ownership boundary, stable identities, bounded resource use, and a machine-readable outcome for every rejected transition. Record a scope statement, excluded concerns, and a reviewable acceptance criterion. A reviewer should be able to trace each accepted result to input bytes, rule or policy version, prior state, and commit identity without relying on prose logs. When the authority cannot be reached or context is incomplete, return an explicit unavailable or pending state; do not convert uncertainty into acceptance.
Precise vocabulary and authority
Treat precise vocabulary and authority as part of the executable design of Time and Synchronization in Distributed Blockchain Systems, not as documentation added after coding. The relevant operating envelope includes valid vectors, malformed encodings, chosen inputs, key rotation, retries, and hostile traffic. For each mode, identify which state is authoritative, which work may be retried, what is bounded, and which observation proves progress. This is especially important across entropy, parsing, key custody, verification, protocol, and storage boundaries, where delivery and processing are different events and where local time or arrival order may not reflect authoritative order. 12
A useful review asks how the design behaves under malleability, nonce reuse, biased randomness, side channels, parser differentials, key compromise, and denial of service. The unsafe outcome is teams using the same word for incompatible states or guarantees. Prevent it with explicit preconditions and postconditions, and retain a glossary tied to the normative authority for every overloaded term as release evidence. Use stable codes rather than exception text, keep policy configuration versioned, and attach the accepted policy or rule version to durable results. An security engineer or protocol operator must be able to stop intake, drain or quarantine work, compare local state with authority, and resume without inventing a second side effect.
Trust assumptions
The implementation of Time and Synchronization in Distributed Blockchain Systems should expose which actors, clocks, stores, libraries, and upstream systems may fail or act maliciously through types and module boundaries. Parse external representations once, preserve the original identity when audit or replay needs it, and pass validated domain values inward. Mutations of domain-separated cryptographic state and explicitly authenticated protocol state belong behind one authoritative transition function or transaction boundary. Network clients, storage adapters, user interfaces, and telemetry exporters must not duplicate consensus or business rules. That separation keeps deterministic logic testable and prevents a library upgrade from silently redefining validity. 13
Assume that an implicit trusted component invalidating the claimed guarantee will eventually occur in a staging fault test or production incident. The control is not a catch-all retry: classify the outcome, decide whether the identical operation is safe to repeat, bound attempts and elapsed time, and surface terminal work for reconciliation. The minimum evidence is a trust-boundary diagram and an assumption register with owners. Keep secret scalars, seeds, nonces, key-encryption keys, authentication tags, and timing behavior out of ordinary logs, and prefer hashes, version identifiers, counts, and sanitized reason codes. Any emergency bypass must be narrow, time-limited, approved, and observable.
Architecture and ownership
Verification for Time and Synchronization in Distributed Blockchain Systems must demonstrate component responsibilities and the direction in which facts and commands move at several layers. Small tests cover deterministic transforms and boundary values; contract tests pin serialized forms; integration tests exercise real adapters; replay tests compare state roots or projections; and fault tests interrupt work at every commit boundary. The dataset must include normal history, malformed input, duplicates, reordering, maximum-size values, and changes of rule or schema version. A passing example is evidence about that environment and dataset, not a universal performance claim. 11
Make two components both believing they own the same transition a named negative test. The release packet should retain a context diagram, ownership table, and dependency rule, exact dependency and tool versions, the deterministic command, and its result. For performance work, report warm-up, repetitions, concurrency, percentiles, resource limits, and the point where backpressure begins. For security work, include abuse cases and independent review. A change is ready only when failures leave domain-separated cryptographic state and explicitly authenticated protocol state safe, recovery is rehearsed, and telemetry explains both user-visible outcome and operator action.
Canonical representation
For Time and Synchronization in Distributed Blockchain Systems, this review makes the byte-level or schema-level representation used for hashing, comparison, storage, and transport explicit. Start from one key, message, transcript, proof, signature, hash input, or authenticated protocol event and write down its origin, canonical representation, validation context, authority, and durable outcome. The cryptographic or distributed-security component must not infer a stronger fact from transport success, cache presence, or an upstream acknowledgement. Its authoritative state is domain-separated cryptographic state and explicitly authenticated protocol state, and every projection must remain rebuildable or reconcilable from committed facts. This framing distinguishes a protocol guarantee from an operational convenience and gives reviewers a concrete place to challenge an assumption. 12
The principal failure to design against is semantically equal values producing different identifiers or verification outcomes. Address it before optimizing by defining a narrow ownership boundary, stable identities, bounded resource use, and a machine-readable outcome for every rejected transition. Record golden encodings, round-trip tests, and rejection of non-canonical forms. A reviewer should be able to trace each accepted result to input bytes, rule or policy version, prior state, and commit identity without relying on prose logs. When the authority cannot be reached or context is incomplete, return an explicit unavailable or pending state; do not convert uncertainty into acceptance.
State-machine model
Treat state-machine model as part of the executable design of Time and Synchronization in Distributed Blockchain Systems, not as documentation added after coding. The relevant operating envelope includes valid vectors, malformed encodings, chosen inputs, key rotation, retries, and hostile traffic. For each mode, identify which state is authoritative, which work may be retried, what is bounded, and which observation proves progress. This is especially important across entropy, parsing, key custody, verification, protocol, and storage boundaries, where delivery and processing are different events and where local time or arrival order may not reflect authoritative order. 13
A useful review asks how the design behaves under malleability, nonce reuse, biased randomness, side channels, parser differentials, key compromise, and denial of service. The unsafe outcome is an impossible intermediate state becoming durable after interruption. Prevent it with explicit preconditions and postconditions, and retain a transition table exercised by positive, negative, and replay tests as release evidence. Use stable codes rather than exception text, keep policy configuration versioned, and attach the accepted policy or rule version to durable results. An security engineer or protocol operator must be able to stop intake, drain or quarantine work, compare local state with authority, and resume without inventing a second side effect.
Invariants
The implementation of Time and Synchronization in Distributed Blockchain Systems should expose properties that must hold before and after every accepted operation through types and module boundaries. Parse external representations once, preserve the original identity when audit or replay needs it, and pass validated domain values inward. Mutations of domain-separated cryptographic state and explicitly authenticated protocol state belong behind one authoritative transition function or transaction boundary. Network clients, storage adapters, user interfaces, and telemetry exporters must not duplicate consensus or business rules. That separation keeps deterministic logic testable and prevents a library upgrade from silently redefining validity. 11
Assume that local success concealing corruption in a related aggregate or index will eventually occur in a staging fault test or production incident. The control is not a catch-all retry: classify the outcome, decide whether the identical operation is safe to repeat, bound attempts and elapsed time, and surface terminal work for reconciliation. The minimum evidence is executable assertions at the narrowest authoritative boundary. Keep secret scalars, seeds, nonces, key-encryption keys, authentication tags, and timing behavior out of ordinary logs, and prefer hashes, version identifiers, counts, and sanitized reason codes. Any emergency bypass must be narrow, time-limited, approved, and observable.
Validation pipeline
Verification for Time and Synchronization in Distributed Blockchain Systems must demonstrate cheap structural checks, contextual checks, authoritative verification, and commit order at several layers. Small tests cover deterministic transforms and boundary values; contract tests pin serialized forms; integration tests exercise real adapters; replay tests compare state roots or projections; and fault tests interrupt work at every commit boundary. The dataset must include normal history, malformed input, duplicates, reordering, maximum-size values, and changes of rule or schema version. A passing example is evidence about that environment and dataset, not a universal performance claim. 12
Make expensive or stateful work running before malformed input is rejected a named negative test. The release packet should retain ordered validation stages with stable machine-readable rejection codes, exact dependency and tool versions, the deterministic command, and its result. For performance work, report warm-up, repetitions, concurrency, percentiles, resource limits, and the point where backpressure begins. For security work, include abuse cases and independent review. A change is ready only when failures leave domain-separated cryptographic state and explicitly authenticated protocol state safe, recovery is rehearsed, and telemetry explains both user-visible outcome and operator action.
Error semantics
For Time and Synchronization in Distributed Blockchain Systems, this review makes the distinction between invalid input, conflict, unavailable dependency, retryable interruption, and internal defect explicit. Start from one key, message, transcript, proof, signature, hash input, or authenticated protocol event and write down its origin, canonical representation, validation context, authority, and durable outcome. The cryptographic or distributed-security component must not infer a stronger fact from transport success, cache presence, or an upstream acknowledgement. Its authoritative state is domain-separated cryptographic state and explicitly authenticated protocol state, and every projection must remain rebuildable or reconcilable from committed facts. This framing distinguishes a protocol guarantee from an operational convenience and gives reviewers a concrete place to challenge an assumption. 13
The principal failure to design against is blind retries amplifying a permanent failure or changing user intent. Address it before optimizing by defining a narrow ownership boundary, stable identities, bounded resource use, and a machine-readable outcome for every rejected transition. Record typed errors mapped consistently across logs, metrics, APIs, and queues. A reviewer should be able to trace each accepted result to input bytes, rule or policy version, prior state, and commit identity without relying on prose logs. When the authority cannot be reached or context is incomplete, return an explicit unavailable or pending state; do not convert uncertainty into acceptance.
Concurrency control
Treat concurrency control as part of the executable design of Time and Synchronization in Distributed Blockchain Systems, not as documentation added after coding. The relevant operating envelope includes valid vectors, malformed encodings, chosen inputs, key rotation, retries, and hostile traffic. For each mode, identify which state is authoritative, which work may be retried, what is bounded, and which observation proves progress. This is especially important across entropy, parsing, key custody, verification, protocol, and storage boundaries, where delivery and processing are different events and where local time or arrival order may not reflect authoritative order. 11
A useful review asks how the design behaves under malleability, nonce reuse, biased randomness, side channels, parser differentials, key compromise, and denial of service. The unsafe outcome is a check-then-act race accepting two individually plausible operations. Prevent it with explicit preconditions and postconditions, and retain a linearization argument plus stress tests at the chosen contention boundary as release evidence. Use stable codes rather than exception text, keep policy configuration versioned, and attach the accepted policy or rule version to durable results. An security engineer or protocol operator must be able to stop intake, drain or quarantine work, compare local state with authority, and resume without inventing a second side effect.
Idempotency and replay
The implementation of Time and Synchronization in Distributed Blockchain Systems should expose how duplicate delivery, process restart, and historical backfill preserve the same result through types and module boundaries. Parse external representations once, preserve the original identity when audit or replay needs it, and pass validated domain values inward. Mutations of domain-separated cryptographic state and explicitly authenticated protocol state belong behind one authoritative transition function or transaction boundary. Network clients, storage adapters, user interfaces, and telemetry exporters must not duplicate consensus or business rules. That separation keeps deterministic logic testable and prevents a library upgrade from silently redefining validity. 12
Assume that at-least-once delivery creating a second side effect will eventually occur in a staging fault test or production incident. The control is not a catch-all retry: classify the outcome, decide whether the identical operation is safe to repeat, bound attempts and elapsed time, and surface terminal work for reconciliation. The minimum evidence is stable operation identities, deduplication state, and deterministic replay fixtures. Keep secret scalars, seeds, nonces, key-encryption keys, authentication tags, and timing behavior out of ordinary logs, and prefer hashes, version identifiers, counts, and sanitized reason codes. Any emergency bypass must be narrow, time-limited, approved, and observable.
Persistence and atomicity
Verification for Time and Synchronization in Distributed Blockchain Systems must demonstrate which facts commit together and how derived views catch up at several layers. Small tests cover deterministic transforms and boundary values; contract tests pin serialized forms; integration tests exercise real adapters; replay tests compare state roots or projections; and fault tests interrupt work at every commit boundary. The dataset must include normal history, malformed input, duplicates, reordering, maximum-size values, and changes of rule or schema version. A passing example is evidence about that environment and dataset, not a universal performance claim. 13
Make a crash exposing a cursor that claims work whose state was not committed a named negative test. The release packet should retain transaction boundaries, durable checkpoints, and reconciliation queries, exact dependency and tool versions, the deterministic command, and its result. For performance work, report warm-up, repetitions, concurrency, percentiles, resource limits, and the point where backpressure begins. For security work, include abuse cases and independent review. A change is ready only when failures leave domain-separated cryptographic state and explicitly authenticated protocol state safe, recovery is rehearsed, and telemetry explains both user-visible outcome and operator action.
API and schema contracts
For Time and Synchronization in Distributed Blockchain Systems, this review makes input limits, optionality, pagination, versioning, and compatibility behavior explicit. Start from one key, message, transcript, proof, signature, hash input, or authenticated protocol event and write down its origin, canonical representation, validation context, authority, and durable outcome. The cryptographic or distributed-security component must not infer a stronger fact from transport success, cache presence, or an upstream acknowledgement. Its authoritative state is domain-separated cryptographic state and explicitly authenticated protocol state, and every projection must remain rebuildable or reconcilable from committed facts. This framing distinguishes a protocol guarantee from an operational convenience and gives reviewers a concrete place to challenge an assumption. 11
The principal failure to design against is a technically valid deployment silently changing a consumer-visible meaning. Address it before optimizing by defining a narrow ownership boundary, stable identities, bounded resource use, and a machine-readable outcome for every rejected transition. Record consumer fixtures, schema-diff checks, and explicit deprecation windows. A reviewer should be able to trace each accepted result to input bytes, rule or policy version, prior state, and commit identity without relying on prose logs. When the authority cannot be reached or context is incomplete, return an explicit unavailable or pending state; do not convert uncertainty into acceptance.