Prologue, Part One: January 2025, France
In the early hours of a Tuesday morning, David Balland and his wife were taken from their home and bundled into a delivery van by four men wearing balaclavas. His kidnappers chopped off his finger and sent it to his co-founder as proof of life, with a demand for ten million euros. Elite French police foiled the plot, and David was lucky to lose only a finger.1
David is the co-founder of Ledger, maker of the most widely used hardware cryptocurrency wallets in the world, designed to keep keys safe from every known digital attack.
Globally, “wrench attacks” – after Bruce Schneier’s caustic observation that a five-dollar wrench is sometimes more effective than a million-dollar cryptographic attack2 – had jumped 75% in a single year, running twice a week in France alone.3 These attackers are only too willing to extend coercion to the people you love.
Prologue, Part Two: September 1948, Pasadena
Shortly after World War II, twelve outstanding scientists joined Nobel laureate Linus Pauling at Caltech for the Hixon Symposium. These included Warren McCulloch, who with Walter Pitts had proven that neural networks could compute any logical function; Karl Lashley of Harvard, whose work on memory set the behavioral frame; and John von Neumann, then building the earliest stored-program computers.4
Von Neumann was famous for stripping any domain to its mathematical skeleton, identifying the irreducible axioms, and building back up. He had done it for quantum mechanics and game theory, and was doing it for computing and for life itself. The Hixon participants articulated that information has a cost; that memory has limits; that centralized control creates fragility; that the security of a message rests not on hiding the method but on the secrecy of the key; and that any system which ultimately depends on one human being to cooperate is vulnerable to any adversary who can control that human being’s body. They understood all of this in 1948, secured their new systems as best they could, and left the rest to us.
Let us do what von Neumann would have done. Let us axiomatize the problem.
Axiom One: The Janitor’s Key Ring
Every centralized identity system tends toward a single point of omnipotent access – and a single point of failure.
Think back to your elementary school: lockers, locked classrooms, a locked principal’s office – layered security, until you noticed the janitor carrying a ring with dozens of keys.
This is not a one-off failure of implementation, but rather a necessary consequence of centralization. Every centralized system requires at least one actor who can override all the others – the Domain Administrator, the Root Account, the God Account. The janitor, by any other name.
Saltzer and Schroeder codified the principle of least privilege in 19755; it is taught in every curriculum and violated in every enterprise deployment, because recovering from catastrophe – a locked-out administrator, a corrupted certificate store – demands a key that opens everything. The janitor is the convenient solution to the recovery problem, and the economics of attacking him are unbounded. Compromising a master key opens every lock at once, which is why the major enterprise breaches of the last decade targeted elevated credentials, not individual accounts.
There is a theoretical solution, though rarely used. A system can require several independent parties to act together – an m-of-n arrangement. The internet’s own root of trust is built this way: the DNSSEC key anchoring the entire domain name system is protected by a Shamir scheme split among seven Recovery Key Share Holders across continents, five of whom must physically convene to reconstruct it. It’s a textbook design and, to our knowledge, its disaster-recovery path has never been exercised in real life.6
Faced with a small risk of abuse versus the acute humiliation of being locked out of one’s own system, most people implicitly choose the master key. Ross Anderson documented the institutional version in 1994: retail banks whose systems failed not through broken cryptography but because the institutions would sooner accuse their own customers of theft than admit their security was in disarray.7 The janitor’s key ring: Pride goeth before a fall.
Axiom Two: The Melting Clock
Security is a cost-of-compute problem, and compute gets cheaper.
Claude Shannon proved in 1949 that exactly one cryptographic system is unconditionally secure: the one-time pad.8 Everything else is conditional – secure only while breaking it costs more compute than the adversary can assemble within the time the secret must hold. That is the defining security challenge of our era. Nation-state adversaries are collecting encrypted traffic today and storing it against the arrival of quantum computers running Shor’s algorithm: “Harvest Now, Decrypt Later.”9
The most famous example of this principle may be the Enigma machine. More than 150 quintillion configurations offered apparently infinite security – but cribs and operator errors collapsed the effective search space by a factor of up to a quadrillion, and mechanical compute finished the job. One modern reconstruction estimates that a brute-force requiring centuries on a single present-day computer falls, after that reduction, to roughly three minutes.10 It just takes one blow, accurately placed, to eliminate the security margin.
Every system has a compute horizon. Shannon proved only one escape exists, and it is impractical at scale. Our response is to keep rotating keys, upgrading algorithms, and building systems whose historical records remain verifiable after the methods that created them are superseded. The clock is always melting. Design for it.
Axiom Three: The Witness Problem
A secret is only as secure as the moment of its creation – and every moment it is exposed thereafter.
Every key has a birth event. Someone generated it; something witnessed the generation; the security of everything the key ever protects reaches backward to that moment. In 2019, attackers compromised SolarWinds’ build environment. For eighteen months, malicious code was inserted at compilation, before the legitimate certificate was applied. SolarWinds itself then signed the poison and shipped it to 18,000 organizations including the Pentagon and the Treasury.11 No downstream verification could detect it, because the verification tool was itself the product of the corrupted genesis. The U.S. government’s Venona project expressed the same axiom differently: Soviet one-time pads were reused – the key was witnessed more than once – and that alone unraveled years of otherwise impenetrable traffic.12
The design principle: the key owner should generate their own keys. The analogy is the voting booth – the poll worker confirms your eligibility and hands you a ballot, but you mark it in private. The authority establishes identity; the individual holds the genesis. This is partial self-sovereignty. Any system where a third party generates your keys has extended the attack surface backward into their infrastructure.
But genesis is only the first witness event. Imagine the witness set of a secret: every person, device, and service that has ever had the opportunity to observe it. Two facts follow. The witness set is monotone – it only grows; you can never un-witness. And under Axiom Six, every intelligent witness eventually becomes a correlated witness: whatever a networked, retaining, AI-adjacent system saw, the adversary can eventually see. Venona was not a genesis failure; it was re-witnessing. The only way to cover every practical precaution at once is to prefer witnesses that are few, dumb, offline, and destroyable.
Consider emailing a sensitive document through a free webmail service. One act adds your device, the provider’s storage and scanning pipelines, the recipient’s device, both parties’ effectively immortal archives, and every future breach of either account – many witnesses, all intelligent, all online, none destroyable.13
Now consider a dumb non-networked USB flatbed scanner and a factory-fresh thumb drive, handed over in person: two witnesses, both dumb, both offline, one destroyable. The same doctrine indicts the personal smartphone, the most heavily witnessed environment a human has ever carried: third-party keyboards are keystroke witnesses by design; camera rolls sync a photographed seed phrase to the cloud before the phone leaves your hand; the clipboard replicates across devices; and malware converts a device’s entire observation history to the adversary retroactively. Researchers have recovered keystrokes from ordinary call audio at 93–95% accuracy.14
Generate on dedicated silicon. Never photograph a secret. Never clipboard one. Mute the microphone while typing a password. The device that performs signing operations should never browse – a hardware wallet is nothing but this rule cast in silicon.
Axiom Four: The Secret Limit
Humans can hold approximately six secrets before one escapes.
In 1956 George Miller published the most cited paper in cognitive psychology: working memory holds roughly seven chunks before the oldest is displaced.15 A seventh secret evicts one of the others – one reason password reuse is universal.
Passkeys are a genuine advance against this axiom. A FIDO2 passkey, held in device hardware behind a biometric or PIN, cannot be verbally surrendered; the private key never leaves the Secure Enclave.16 There is no string of words to extract. Compare bitcoin’s BIP39 seed phrase – twelve or twenty-four words designed to be memorable so you can rebuild your wallet after the house fire – and equally surrenderable under coercion. The attacker only needs you to speak.
Passkeys solve the surrender problem. They do not solve the coercion problem. That distinction is Axiom Five.
Axiom Five: The Embodiment Problem
You can build a credential that cannot be surrendered. You cannot build a credential that cannot be coerced – unless you distribute the requirement.
Let’s go back to David Balland. He built the best hardware the industry offers. His keys were never transmitted, never in the cloud, never on a network. None of it mattered when the proverbial “guy with a wrench” knocked on his door. Every system that relies on one human being to cooperate is vulnerable to any adversary who can control that human being’s body. Cryptography operates at the level of mathematics; coercion operates at the level of pain, fear, and people you care about.
Surrender resistance means the credential cannot be communicated. Passkeys achieve this; there is nothing to give. Coercion resistance means the credential cannot be used by an adversary who controls the owner’s body. Passkeys do not achieve this; a hand can be placed on a sensor, a face held to a camera. The five-dollar wrench still works. Partial measures exist: SOE radio operators embedded pre-agreed errors in transmissions to signal capture17; the Edge wallet’s Duress Mode reveals a convincing decoy account under a separate PIN.18
But people are stronger together (or apart). If significant action requires, say, three of five designated parties – a spouse in one country, a lawyer in another, a colleague, a device in a vault – no single adversary controls enough bodies to meet the requirement. The gang that holds one person hostage cannot hold five people on different continents. And coercion includes its lawful variant: subpoenas, national-security letters, exit bans. No single legal system should be able to compel a quorum, any more than a single crew can seize one. Combined with time-locked transactions that give co-signers room to veto, the m-of-n model makes single-person coercion structurally insufficient.
Axiom Six: The End of Obscurity
AI eliminates the last refuge of security by hiding.
Kerckhoffs stated the principle in 1883: a system should be secure even if everything about it, except the key, is public.19 Security through obscurity is a bet that the adversary will be distracted – and for most of history that was a money-good bet, because systematic analysis was expensive. Logs were generated but not read; feeds recorded but not watched; patterns present but not correlated.
AI has ended this. It reads every log, correlates every metadata trail – and, most relevant to David Balland, it identifies from public blockchain data, social media, and property records exactly who holds significant cryptocurrency and where they live. The wrench epidemic is the direct consequence: the target-acquisition problem that once made such attacks so expensive can be purchased by the token. And the same force closes the loop on Axiom Three: every intelligent witness a secret has ever had is now a witness the adversary can eventually interview. Kerckhoffs was prescient in 1883. AI has made his principle mandatory. Any system that depends on the adversary not knowing who holds the secret has already failed.
Axiom Seven: The Hybrid Trap
The combination of any centralized system with any decentralized system produces the worst properties of both.
Stated plainly as a rule of composition, decentralization is not inherited by adjacency. If a centralized system is recognized as fragile, a distributed alternative is partially adopted, and now we have created more janitor’s key rings… have we really gained?
Apply a simple diagnostic, call it the phone-home test. If verifying an identity, a credential, or a certificate requires contacting the issuer at the moment of verification, the system is hybrid, and this axiom applies. OAuth is the everyday case – every flow phones home to an authorization server run by a handful of providers; the identity is portable in theory and lives in Mountain View in fact. And the phone-home is not a mere inconvenience. It is the foundational building block of every surveillance society: every call home is a record; every record, a log of behavior; every log, accumulated, a tool of control. The hybrid delivers the surveillance infrastructure gift-wrapped in the language of convenience.
The test indicts more than login screens – the web’s own certificate plumbing phones home. Every OCSP revocation check tells a certificate authority which site you are visiting, right now. When the Dutch certificate authority DigiNotar was breached in 2011 and its forged Google credential was turned against the public, the Fox-IT investigators identified the roughly 300,000 surveilled users – almost all in Iran – from the OCSP logs themselves.20 The phone-home built to protect them became the census of the victims.
The Ronin Network advertised five-of-nine multisig – textbook m-of-n. In fact one company, Sky Mavis, operated four of the nine validators, and had been allowlisted in November 2021 to sign for a fifth. When attackers breached Sky Mavis in March 2022, all five required signatures were reachable and so was $625 million.21 Decentralized on the label; janitor behind the curtain; the worst of both worlds.
Axiom Eight: Zooko’s Trilemma and Its Resolution
Human-meaningful, decentralized, and secure – choose any two. Until recently.
Zooko Wilcox-O’Hearn described the constraint in 2001: any naming system delivers at most two of three properties – names that are human-meaningful, decentralized, and secure.22 Domain names are meaningful and secure, but a central registrar hands them out. Bitcoin addresses are decentralized and secure, but no human reads 1A1zP1eP… Nicknames are meaningful and decentralized, but nothing stops two people from claiming “Dr. Smith,” or an impostor from claiming it first. For decades you genuinely had to choose. The trilemma is the axiom; what follows is the construction it forces.
The resolution is to stop demanding one name do all three jobs, and split the work across two layers. A W3C Decentralized Identifier anchored in a microledger supplies the decentralized, secure half: a machine-readable identifier no registrar controls and no impostor can forge. A verifiable credential supplies the human-meaningful half: a signed, checkable claim pinning a readable label – “Dr. Jane Smith, licensed dispensing pharmacist” – onto that identifier. A contact card that can prove itself. Neither layer satisfies all three properties alone; stacked, they do. And note what the stack does not require: the credential verifies by signature, not by calling anyone – it passes the phone-home test. This is also why passkeys work: device-bound key below, human-facing login above.
Axiom Nine: The Perimeter Fallacy
Security models assume the threat is outside. With AI agents, the caller is in the house.
The castle, with its walls, moat and gate, is the oldest security metaphor and enterprise networking inherits it directly. Zero Trust, Kindervag’s 2010 framework, stipulated what we already know: the caller is in the house.23 AI agents are the new “caller in the house”. Your agent is now authorized to read email, write code, query databases, call APIs, and execute transactions, all from inside the perimeter that was designed to exclude such threats. The attack surface is a continuously changing map of what each agent can reach. Securing it requires not a moat but an immutable audit log: a cryptographically verifiable record of what each agent can reach, has reached, and has done.
Axiom Ten: The Dead Key Problem
Identity systems that don’t maintain historical state are doomed to forget.
All keys die – expired, revoked, rotated. Key mortality is how security renews itself. But dead keys leave living records: every signature made by a dead key was real when it was made. If the key that signed a clinical-trial record in 2020 has rotated forty times by 2035, verifying that record requires an unbroken chain of certificate archives through every migration and acquisition in between. In practice the chain breaks, the record becomes unverifiable, and an unverifiable record is worthless to a regulator, a court, or an auditor. The signature industry’s own patch concedes the point twice over: the PAdES long-term-validation standard exists because default signatures stop verifying – and it works precisely by embedding the validation evidence in the document itself, removing the phone-home, so the record can be verified offline, decades later, by anyone.24
The Inca understood the problem centuries before silicon. Their empire administered twelve million people across two and a half million square miles largely through the quipu – knotted-string records of census, tribute, and stores – verifiable by any trained reader, anywhere, at any time.25 The specialists who kept them, the quipucamayoc, were marked in the body: stretched earlobes weighted with gold earspools, the orejones, “the big-eared ones.” One distinction is worth drawing precisely: the quipu is the audit log – what happened, when, in what quantity – while the quipucamayoc embodied the key log, the trusted identity layer authorizing the reading and writing of records.26 Two layers, solved without electronics. The Spanish Conquest, of course, was the wrench attack of that era.
The microledger architecture of did:webplus addresses this directly: every DID document contains a cryptographic hash of its predecessor, anchoring each version of an identity’s key state permanently to its history. A dead key lives in the chain. The chain is the institutional memory the quipu was built to provide. No quipucamayoc dies without leaving the record of every key they ever held.27
Coda: The Architecture We Can Finally Build
The Hixon Symposium produced no security framework. It produced something more durable: axioms about information, control, memory, and trust that were correct in 1948 and remain correct now. Our ten axioms are not new – many predate the Inca. What is new is the urgency, and it comes from the character of the adversary: an AI that never blinks, never tires, and never stops correlating has dissolved the protections that obscurity and inconvenience once provided. The wrench epidemic is the physical expression of the same surveillance infrastructure that serves nation-state espionage – the same tools, now available by subscription. With AI, the bad actors have the upper hand.
TL;DR: We’re only human. It’s easy to let our guard down, to let someone else generate our key for us, and to leave a copy under the mat in case we lock ourselves out. Paraphrasing Franklin, those who would give up a little Liberty to get a little temporary Convenience will find themselves with neither Liberty nor Convenience – so we must persuade ourselves that from today forward, someone is always looking over our shoulders, and they never get tired. So let’s resolve to generate our own keys, and not make copies. And to split those keys amongst our trusted friends – not somebody who makes more money selling our secrets than protecting them. And then log in yearly on our own country’s independence day to upgrade our security, so we stay ahead of the bad guys.
Why exactly ten, and why these? Because every identity system, whatever its implementation, is the same five things: secrets, held by humans, arranged in structures, evolving through time, bound to meaning – under an adversary with exactly three channels of attack. Each axiom is the irreducible constraint on one part of that anatomy: two for the adversary, two for the human, three for structure, two for time, one for meaning.
The systems that answer the adversary simultaneously – distributed, verifiable, historically durable, multi-party, with no single point of omnipotent access, no phone-home in the verification path, and no single human body as a required and sufficient condition for any significant action – can be built today. What is required is the commitment to a clean break: to stop building janitors’ key rings, to stop delegating secrets to human memory, to stop accepting phone-home architectures that double as surveillance infrastructure – and to build, finally, the identity architecture that earns the trust we are asked to place in it.
See the architecture in production
did:webplus adds a verifiable, append-only history to did:web using ordinary web infrastructure: the microledger behind Axiom Ten. It is open source and running across the U.S. pharmaceutical supply chain today.
Credits
Our thanks to the Decentralized Identity Foundation for providing a forum for this work, and to Grace Rachmany, Kim Hamilton Duffy, Dr. Juan Caballero, Dr. Victor Dods, and Alexander Colgan for their engagement. Kim Cameron’s “Laws of Identity” (2005) taught that identity systems obey discoverable principles and that the repeated failures of identity schemes were the predictable consequence of violating those principles.28 Christopher Allen’s “The Path to Self-Sovereign Identity” (2016) animated the decentralized identity movement.29 Anyone building in this field builds on both. So do we.
Sources and Notes
- Balland kidnapping and rescue: “French Police Rescue Co-Founder of Ledger After Kidnapping,” Fortune, January 24, 2025; “Ledger Co-Founder’s Kidnapping Sheds Light on Soaring Crypto Robberies,” CoinDesk, January 24, 2025. Balland’s wife was not publicly identified; she was found unharmed following the GIGN operation. ↩
- Schneier, Bruce. Beyond Fear: Thinking Sensibly About Security in an Uncertain World. New York: Copernicus Books, 2003. ↩
- CertiK, Hack3d: Annual Web3 Security Report, 2025, as cited in “Crypto Crime Is Getting Violent: Wrench Attacks Jumped 75% in 2026,” CoinDesk, February 2, 2026. Incident counts are aggregator-derived, not primary law-enforcement statistics. ↩
- Jeffress, Lloyd A., ed. Cerebral Mechanisms in Behavior: The Hixon Symposium. New York: Wiley, 1951; “First Hixon Symposium,” Engineering and Science 12, no. 1 (October 1948), Caltech Archives. The primary source lists twelve scientists; Norbert Wiener, a Macy Conferences colleague, was not among the Hixon speakers. ↩
- Saltzer, Jerome H., and Michael D. Schroeder. “The Protection of Information in Computer Systems.” Proceedings of the IEEE 63, no. 9 (1975): 1278–1308. ↩
- ICANN/IANA Root Zone DNSSEC KSK ceremony documentation (primary); Internet Society and APNIC explainers, 2015–2021 (secondary). Seven Recovery Key Share Holders, five required for disaster recovery; a separate group of seven Crypto Officers (three required) operates routine ceremonies. The claim that the disaster-recovery path has never been operationally invoked is accurate to public knowledge and should be caveated as such. ↩
- Anderson, Ross J. “Why Cryptosystems Fail.” Proceedings of the 1st ACM CCS (1993); revised in Communications of the ACM 37, no. 11 (1994): 32–40. Adjacent classic: Adams, Anne, and M. Angela Sasse, “Users Are Not the Enemy,” CACM 42, no. 12 (1999): 40–46. ↩
- Shannon, Claude E. “Communication Theory of Secrecy Systems.” Bell System Technical Journal 28, no. 4 (1949): 656–715. ↩
- Federal Reserve Board. “‘Harvest Now, Decrypt Later’: Examining Post-Quantum Cryptography and the Data Privacy Risks for Distributed Ledger Networks.” Finance and Economics Discussion Series 2025-093, Washington, DC, 2025. ↩
- Welchman, Gordon. The Hut Six Story (1982); Hinsley and Stripp, eds., Codebreakers (1993) – primary historical sources. The centuries-to-minutes reconstruction: Tang, Lee, and Russo, “Breaking Enigma” (MIT 6.857 course project, 2018) – an illustrative engineering estimate, not a historical measurement, and flagged as such in the text. ↩
- SolarWinds/Sunburst: FireEye disclosure, December 2020; “SolarWinds Hack Explained,” TechTarget, 2021; Cryptomathic, “Misuse of X.509 Certificates in the SolarWinds Attack,” 2021. For the post-compromise identity-forging phase, see the primary CISA guidance on the Golden SAML technique. ↩
- Benson, Robert Louis, and Michael Warner, eds. Venona: Soviet Espionage and the American Response, 1939–1957. Washington, DC: NSA/CIA, 1996. ↩
- Keteyian, Armen. “Digital Photocopiers Loaded With Secrets.” CBS News, April 2010. Nearly every digital copier built since 2002 contains a hard drive storing an image of every document processed; CBS bought four used machines for ~$300 each and recovered tens of thousands of documents in under twelve hours, including Buffalo PD Sex Crimes Division files and 300 pages of individual medical records; the investigation prompted a congressional referral to the FTC (Markey letter, April 29, 2010). ↩
- Harrison, Joshua, Ehsan Toreini, and Maryam Mehrnezhad. “A Practical Deep Learning-Based Acoustic Side Channel Attack on Keyboards.” 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW); arXiv:2308.01074. 95% keystroke classification accuracy from a nearby phone’s microphone; 93% from Zoom call audio. ↩
- Miller, George A. “The Magical Number Seven, Plus or Minus Two.” Psychological Review 63, no. 2 (1956): 81–97. See also Baddeley and Hitch, “Working Memory” (1974). ↩
- FIDO Alliance. FIDO2: Web Authentication (WebAuthn), Level 2, W3C Recommendation, April 2021. ↩
- Foot, M. R. D. SOE: The Special Operations Executive, 1940–1946 (1984); Marks, Leo. Between Silk and Cyanide (1998). ↩
- Edge Wallet, “Duress Mode,” edge.app. Vendor documentation; verify current feature status before publication. ↩
- Kerckhoffs, Auguste. “La cryptographie militaire.” Journal des sciences militaires 9 (1883): 5–38. ↩
- Fox-IT. Black Tulip: Report of the Investigation into the DigiNotar Certificate Authority Breach. Interim report September 5, 2011 (J.R. Prins); final report published 2012. DigiNotar was breached June–July 2011; a rogue wildcard *.google.com certificate was abused in a man-in-the-middle attack on approximately 300,000 users, almost exclusively in Iran; Fox-IT identified the victim population from DigiNotar’s OCSP responder logs. More than 500 rogue certificates were issued; browser vendors revoked all DigiNotar roots and the company was declared bankrupt in September 2011. See also ENISA, “Operation Black Tulip: Certificate Authorities Lose Authority” (2011), which notes the OCSP-based victim count and the structural weakness that any one of ~600 default-trusted CAs can forge a certificate for any site. ↩
- Ronin Network exploit, March 23, 2022 (disclosed March 29): 173,600 ETH and 25.5M USDC, ≈$625M at disclosure. Five-of-nine validator threshold; Sky Mavis operated four validators and held a never-revoked November 2021 Axie DAO signing allowlist supplying the fifth. FBI attribution to Lazarus Group; OFAC designation April 2022. Sources: Sky Mavis/Ronin community disclosure (primary); CoinDesk, March 29, 2022; Halborn and SlowMist post-mortems (secondary). ↩
- Wilcox-O’Hearn, Zooko. “Names: Decentralized, Secure, Human-Meaningful: Choose Two.” Cryptography Mailing List, 2001. ↩
- Kindervag, John. “No More Chewy Centers: Introducing the Zero Trust Model of Information Security.” Forrester Research, 2010. ↩
- ETSI TS 102 778-4, “PDF Advanced Electronic Signature Profiles; Part 4: PAdES Long Term – PAdES-LTV Profile” (2009), superseded by ETSI EN 319 142 (2016) under the eIDAS Regulation (EU) No 910/2014. The LTV mechanism embeds validation-related information – OCSP responses and CRLs – in the document’s security store so signatures verify offline long after signing; ETSI’s stated purpose is signatures that remain verifiable for years or decades, including after underlying algorithms are superseded. ↩
- Urton, Gary. Signs of the Inka Khipu (2003); Rowe, John H., “Inca Culture at the Time of the Spanish Conquest,” in Handbook of South American Indians, vol. 2 (1946). Metropolitan Museum of Art Inca ear ornaments, accession no. 313272. Spanish destruction of Inca goldwork is documented extensively in the archaeological literature on the conquest. ↩
- The framing of the orejones’ gold earspools as an embodied authentication layer for the quipu audit-log system – and of the conquest as destroying the identity-credential layer while leaving audit data partially intact – does not appear to have been previously articulated in the cryptographic-identity or information-systems literature. Offered as an original analytical observation arising from this framework. ↩
- Dods, Victor, and Alex Colgan. “did:webplus DID Method Specification.” LedgerDomain Inc., Draft v0.4, 2024. ledgerdomain.github.io/did-webplus-spec. MIT licensed; maintained through the Decentralized Identity Foundation. Production deployments across the U.S. pharmaceutical supply chain demonstrate historical-signature verification at enterprise scale with sub-3-second latency and five-nines availability. ↩
- Cameron, Kim. “The Laws of Identity.” Microsoft Corporation, May 2005. The paper (dated May 11, 2005) is hosted at identityblog.com. Seven laws: user control and consent; minimal disclosure for a constrained use; justifiable parties; directed identity; pluralism of operators and technologies; human integration; consistent experience across contexts. Cameron’s laws remain the most widely used evaluation framework for identity systems in the academic literature. ↩
- Allen, Christopher. “The Path to Self-Sovereign Identity.” Life With Alacrity, April 2016. Ten principles: existence, control, access, transparency, persistence, portability, interoperability, consent, minimization, protection. For the ten-year-anniversary revision: Revisiting Self-Sovereign Identity, first community draft released April 26, 2026 – ten years to the day after the original – revising the original ten and introducing six new principles (Inalienability, Cognitive Liberty, Relational Autonomy, Stewardship, Equity, Anti-Coercive Design), organized into four layers (foundational, relational, technical, political). Published as a deliberately unfinished redline under CC-BY 4.0 at revisitingssi.com. ↩

