X.509
Corporate CA chain
Certificate subject, issuer, serial, and fingerprint are accepted as-is, digested with SHA3-512, and recorded as the canonical identity state.
Adapters
Three enterprise identity pathways.
SPIFFE
Workload identity
SPIFFE ID, trust domain, and SVID digest are recorded. Short-lived workload credentials bind into a durable identity proof.
DID
Decentralized identifier
DID document, verification method, and controller are resolved through DIDKit and committed as an accepted state digest.
Proof packet
The record is the same shape for every adapter.
Procurement, audit, and compliance teams review a single packet schema. The adapter field identifies the upstream identity service; the rest of the record is uniform.
{
"type": "proofnet_attestobind_public_packet_v0",
"attesto_type": "identity_binding",
"adapter": "X.509 | SPIFFE | DID",
"identity_subject": "CN=... | spiffe://... | did:key:...",
"identity_state_digest": "sha3-512:...",
"binding_digest": "sha3-512:...",
"proofnet_pq_algorithm": "ML-DSA-87",
"canonical_digest": "SHA3-512",
"native_record": "proofnet_memory_block_first",
"public_safe": true
}
Why enterprises pick this path
Nothing in the stack has to change for day one.
01
Keep your CA
Existing PKI stays in place. Proofnet BTC accepts your chain as an adapter.
02
Keep SPIRE
Workload identity issuance continues under SPIRE. Proofnet records the verified SVID state.
03
Add PQ binding
The accepted identity state is digested and signed under ML-DSA-87, preparing for a post-quantum audit posture.
04
Audit one packet
Auditors review a single Proofnet record shape across all adapters instead of n+1 bespoke formats.