New Book: The Bitcoin Economy , Read free online or get your own copy. Read Now Buy on Amazon
Private Technical Review

Proofnet BTC Identity adapters

This review room shows how verified identity state from KERI, DID, SPIFFE, Sigstore, C2PA, OpenID4VC, X.509, or Proofnet Native can be bound into Proofnet BTC with ML-DSA-87 signing, SHA3-512 canonical digestion, and durable Memory Block replay.

Review identity adapters Blockie app login demo Sovereign AI demo Reviewer packet Build list Bitcoin row commitments
Review scope

Inside the review packet

Reviewers can inspect the adapter evidence, binding record, and replay boundary without receiving secret key material.

Identity

AttestoBind review packet

Framework positioning for KERI, DID, SPIFFE, Sigstore, C2PA, OpenID4VC, X.509, and Proofnet Native identity binding.

ML-DSA-87SHA3-512Adapters
Record layer

Memory Blocks

Explains the native record path: proof packet first, memory-block attesto second, optional Bitcoin anchor when needed.

Native recordReplayOptional anchor
Hardware

Toshi PQ1

Hardware signing boundary for ML-DSA-87: public key and signature are exportable; private key material stays on device.

On-devicePublic outputNo seed exposure
Sovereign AI

Blockie app login demo

Clickable web replica of the Blockie Talkie app with live website AI, tabbed operator views, proof JSON, and the Sovereign AI pilot workflow.

Proofnet AIMemory BlocksBlockie Talkie
Security boundary: the packet contains public-safe verification artifacts only. Private key material, wallet secrets, production OOBI infrastructure, and node credentials are not included.
Build status

Review packet build is checked.

Every checked box below is available in this private review packet. The full build list is directly below under four-track execution and every identity adapter.

Open four-track build list Open adapter build list

Adapter selector

Built: Proofnet Native, KERI, DID, SPIFFE, Sigstore, C2PA, OpenID4VC, and X.509 are selectable.

Selected verification output

Built: the selected adapter prints scheme, subject, dependency, license, state digest, binding digest, signature result, Memory Block state, and anchor state.

KERI replay evidence

Built: KERIpy path, AID, OOBI review fixture, KEL inception plus rotation, KeyStateRecord facts, and source fingerprint are shown.

Four-track spread

Built: each adapter expands into proof layer, workflow layer, enterprise deployment, and network-scale replay.

Memory Block first path

Built: every packet treats Proofnet Memory Blocks as the native replay record and Bitcoin anchoring as optional timestamping.

Side-by-side comparison

Built: the selected adapter is compared against the same adapter with Proofnet BTC binding added underneath it.

Downloadable packet exports

Built: selected JSON, all adapter JSON packets, selected verification, all verification outputs, selected brief, and all briefs.

Public-safe review boundary

Built: no wallet seed, passcode, biometric secret, production credential, upstream private key, or signing secret is included.

Deployment boundary: these checks describe the review packet and interoperability contract. Live customer endpoints, production OOBIs, service credentials, and hardware signing policy attach behind this same packet shape.
Reviewer flow

Access flow

01

Request

Reviewer submits the demo request form with organization, scope, and contact email.

02

Approve

Blockie Talkie LLC approves the reviewer scope and issues access.

03

Login

Reviewer opens the Login link and authenticates with the issued credentials.

04

Review

Reviewer inspects scoped proof packets and follows up for a technical session when needed.

Identity adapter selector

Choose the upstream identity layer.

Every option emits the same Proofnet BTC identity_binding attesto. KERI is selected by default because it has the deepest replay evidence in this packet.

Scheme
Dependency
License
Subject
Sequence
Depth
Selected adapter evidence

KERI / KERIpy


      

    

  


  

    

      
Trust path

      
Same Proofnet binding contract for every adapter.

      
The upstream identity system can change. The Proofnet record stays deterministic, signed, and replayable.

    

    

      
01Adapter choice
Selected identity layer.

      
02Verified state
Adapter evidence normalized.

      
03State digest
SHA3-512 canonical state.

      
04Binding JSON
Stable signed message.

      
05ML-DSA-87
Proofnet PQ signature.

      
06Memory Block
Native attesto record.

      
07External anchor
Optional Bitcoin timestamp.

    

  


  

    

      
Build list

      
Four tracks to network-scale maturity.

      
The review room shows the whole path from adapter proof to production identity workflows, enterprise deployment, and network-scale verification.

    

    

      
01
Adapter proof layer
Selectable identity adapters, deterministic state digest, ML-DSA-87 signature, Memory Block attesto, and optional Bitcoin anchor.

      
02
Identity workflows
Credential issue, receive, present, revoke flows; KERIA or equivalent agents; external OOBIs; witness policy; wallet/admin UX.

      
03
Enterprise deployment
Tenant setup, RBAC, API keys, service tokens, audit logs, adapter preference policy, compliance exports, and lifecycle management.

      
04
Network scale
Cross-organization verification, Memory Block replication, hardware-backed signing, optional anchoring policy, and partner/standards integrations.

    

    

      
Track
Review-room evidence
Production build adds
Status

      
Adapter proof layer
Live selector, KERI deep replay, adapter packets, SHA3-512 digests, ML-DSA-87 verification output.
Customer-specific adapter fixtures and policy defaults.
Phase 4 input

      
Credential and wallet workflows
Credential and wallet boundaries are mapped; KERI recovery/rebind is represented as public-safe evidence.
ACDC/vLEI issue, receive, present, revoke flows; public OOBI endpoints; KERIA agent integration; witness policy.
Phase 4 track

      
Enterprise deployment
Adapter preference model, proof packet shape, and security boundary are visible.
Admin console, tenant scopes, reviewer access, API/service credentials, audit exports, SIEM hooks, compliance reports.
Phase 4 track

      
Network scale
Memory Block first path and optional Bitcoin anchor are shown in every packet.
Multi-party verification, replicated Memory Blocks, Toshi PQ1 signing policy, anchor scheduling, partner and standards integrations.
Phase 4 target

    

    

      Review framing: the same identity_binding contract carries every adapter to Phase 4: proof packet, workflow, enterprise policy, network-scale replay, Memory Blocks, and optional anchoring.
    

  


  

    

      
Adapter build list

      
Phase 4 build list for every adapter.

      
Each upstream identity layer gets the same Proofnet BTC finish line: deterministic binding, workflow coverage, enterprise controls, and cross-organization replay.

      

        Print packet
      

    

    

      How to read this board: each row is an identity adapter and each checked box is one reviewable track in the packet. The check mark means the track is represented as public-safe evidence, exportable Markdown, JSON, or verification output; it does not mean customer-specific infrastructure or private credentials are exposed in this static room.
    

    

      

        
Adapter

        
Proof layer

        
Workflow layer

        
Enterprise layer

        
Network scale

      

      

        
Proofnet Native

        
Node identity, PQ key state, Memory Block attesto.

        
Enroll, rotate, recover, move device, Toshi PQ1 sign.

        
Policy defaults, reviewer scope, audit export.

        
Cross-node replay, replicated Memory Blocks, anchor policy.

      

      

        
KERI / KERIpy

        
AID, OOBI review fixture, KEL replay, KeyStateRecord.

        
Rotation, recovery, ACDC/vLEI issue, receive, present, revoke.

        
KERIA path, public OOBIs, witness policy, reviewer scopes.

        
Cross-organization replay over the accepted KERI state.

      

      

        
DID / DIDKit

        
DID document, verification method, resolver output digest.

        
VC/VP issue, present, status, revoke, method policy.

        
Resolver policy, tenant method selection, audit exports.

        
Multi-method federation, trust registries, partner verification.

      

      

        
SPIFFE / SPIRE

        
SPIFFE ID, trust domain, SVID digest, workload identity.

        
Workload enroll, rotate, expire, service identity consent.

        
Trust-domain policy, workload role, service audit.

        
Federated trust domains, service mesh replay, workload audit.

      

      

        
Sigstore / Rekor

        
Artifact digest, signing identity, Rekor inclusion proof.

        
CI/CD admission, release approval, provenance verification.

        
Release gates, provenance export, software audit policy.

        
Cross-org software supply chain, build policy, release replay.

      

      

        
C2PA

        
Manifest digest, asset digest, signer, assertion set.

        
Claim verify, transform, update, revoke, chain-of-custody.

        
Media policy, review scopes, compliance exports.

        
Content provenance networks, media audit, custody replay.

      

      

        
OpenID4VC

        
Issuer, holder, credential digest, presentation digest.

        
Offer, receive, present, status, revoke, verifier policy.

        
Issuer policy, verifier routes, tenant audit export.

        
Federated credential exchange, trust registry, compliance export.

      

      

        
X.509

        
Certificate chain, subject, issuer, serial, fingerprint.

        
Issue, renew, rotate, revoke, OCSP/CRL status.

        
CA policy, certificate profile, audit export.

        
Enterprise PKI, mTLS/device identity, CA policy replay.

      

    

    
    

      
      
    

    

      
Adapter
Proof layer
Workflow layer
Network-scale target

      
Proofnet Native
Node identity, PQ key state, Memory Block attesto.
Node enroll, rotate, recover, move device, Toshi PQ1 sign.
Cross-node replay, replicated Memory Blocks, anchor policy.

      
KERI / KERIpy
AID, OOBI, KEL replay, KeyStateRecord, witness fields.
Rotation, recovery, ACDC/vLEI issue, receive, present, revoke.
KERIA, public OOBIs, witness policy, cross-org replay.

      
DID / DIDKit
DID document, verification method, resolver output digest.
VC/VP issue, present, status, revoke, method policy.
Multi-method federation, trust registries, partner verification.

      
SPIFFE / SPIRE
SPIFFE ID, trust domain, SVID digest.
Workload enroll, rotate, expire, service identity consent.
Federated trust domains, service mesh replay, workload audit.

      
Sigstore / Rekor
Artifact digest, signing identity, Rekor inclusion proof.
CI/CD admission, release approval, provenance verification.
Cross-org software supply chain, build policy, release replay.

      
C2PA
Manifest digest, asset digest, signer, assertions.
Claim verify, transform, update, revoke, chain-of-custody.
Content provenance networks, media audit, custody replay.

      
OpenID4VC
Issuer, holder, credential digest, presentation digest.
Offer, receive, present, status, revoke, verifier policy.
Federated credential exchange, trust registry, compliance export.

      
X.509
Certificate chain, subject, issuer, serial, fingerprint.
Issue, renew, rotate, revoke, OCSP/CRL status.
Enterprise PKI, mTLS/device identity, CA policy replay.

    

  


  

    

      
Four-track execution

      
KERI / KERIpy Phase 4 packet

      
The selected adapter is expanded across all four tracks: proof, workflow, enterprise deployment, and network-scale replay.

    

    

      

        
01 · Proof layer

        
Verify and bind state

        

        
SHA3-512ML-DSA-87Memory Block

      

      

        
02 · Workflow layer

        
Operate the identity lifecycle

        

        
issuepresentrevokerecover

      

      

        
03 · Enterprise layer

        
Apply tenant policy

        

        
RBACauditpolicy

      

      

        
04 · Network scale

        
Replay across organizations

        

        
replicationpartnersoptional anchor

      

    

    

      
Execution artifact

      

    

  


  

    

      
AttestoBind + KERI

      
Private KERI review packet

      
KERI remains the identity layer. Proofnet BTC supplies the post-quantum binding layer and durable Memory Block record beneath it.

    


    

      

        
KERI input

        
AID, OOBI, KEL

        
A KERI AID is resolved through a controller OOBI review fixture. The KEL replay includes an inception event and one rotation event.

        
OOBI resolvedicp -> rotsequence 1

      

      

        
Proofnet binding

        
ML-DSA-87 + SHA3-512

        
The verified key state is normalized into an identity_binding attesto, digested with SHA3-512, and bound with a Proofnet post-quantum signature.

        
identity_bindingML-DSA-87SHA3-512

      

      

        
Record layer

        
Memory Block first

        
The binding is a Proofnet-native attesto first. Bitcoin anchoring can timestamp the same digest later without changing the original signed packet.

        
Memory Blocksoptional BTCreplayable

      

    


    

      Summary: KERI proves the live identity state. Proofnet BTC records exactly what state was accepted, signs that record with post-quantum cryptography, and keeps it replayable even if the original OOBI endpoint, agent, or resolver is unavailable later.
    

  


  

    

      
KERI evidence

      
What this packet demonstrates

    

    

      
01
Resolve OOBI
Controller OOBI resolves for AID EDl3VS8x...sf483 using the KERIpy adapter path.

      
02
Replay KEL
Two key events are replayed: inception and rotation. Final sequence is 1.

      
03
Extract key state
KeyStateRecord material is used as the verified upstream state for the Proofnet binding.

      
04
Bind state
Proofnet signs the canonical binding and prepares it for Memory Blocks.

    


    

KERI AID: EDl3VS8xBlDp-x9RU4HEDE0n6cum4PW9HI9tEEnsf483
KERIpy dependency: deps/keripy, Apache-2.0
OOBI status: resolved
KEL replay: icp -> rot
Final event digest: EMMUNVQgoZIJyR6LtrTHqxt9umkFREpRlynjXeAYgWNJ
Binding digest: sha3-512:6c6a6dd3272a1ae0d31bb7de1fd8bf30ed27a1a213cb1c54a10879fe13fac2d15c41f5098918f37b7af2bec29af2f1d28ad749eced2b5c420754503340b5a49c
Result: verified
    

  


  

    

      
KERI replay depth

      
KERIpy replay evidence

      
The packet pins KERIpy under deps/keripy, creates an AID, replays an inception plus rotation KEL, resolves a controller OOBI review fixture, extracts KERI key state, and computes the Proofnet binding over that verified state.

    

    

      
Scenariolocal_http_oobi_resolution_with_icp_rot_replay

      
KEL stream971 bytes

      
KEL events2 events

      
Runtimeverified

    

    
OOBI endpoint: controller OOBI review fixture
OOBI role: controller
OOBI CID: EDl3VS8xBlDp-x9RU4HEDE0n6cum4PW9HI9tEEnsf483
Direct replay status: verified
OOBI resolution status: resolved
Key state source: KERIpy KeyStateRecord after controller OOBI resolution

    

      Production boundary: this packet demonstrates the adapter path with a controller OOBI review fixture. Production deployments can attach external OOBI endpoints, KERIA agents, and witness infrastructure without changing the Proofnet binding contract.
    

  


  

    

      
Replay artifact

      
KEL event replay

      
The replay shows the inception and rotation events used to derive the accepted key state before Proofnet signs the binding record.

    

    

      
Sequence
Event
SAID / digest
Raw bytes

      
0
inception (icp)
EDl3VS8xBlDp-x9RU4HEDE0n6cum4PW9HI9tEEnsf483
sha3-512:8cc593940084d34a...e019c83d982
459

      
1
rotation (rot)
EMMUNVQgoZIJyR6LtrTHqxt9umkFREpRlynjXeAYgWNJ
sha3-512:7a4497c369d9139a...50a39a6d6
512

      
stream
combined KEL
sha3-512:a802c80ac17fbe038d97075759fd5cf2f1ae387ce56f24833886fb1eb4d5db8bc0c35879f955ad1017ba97dff647b87d9a259a241e5f77f26c3a0304fac59d34
971

    

  


  

    

      
Key state extraction

      
KERI key state bound by Proofnet

      
These are the accepted KERI facts carried into the binding record and preserved for later replay.

    

    

      

        
Dependency

        
KERIpy adapter

        
deps/keripy, Apache-2.0, package 2.0.0-dev6, pinned commit 5e5674219c70. The packet records dependency path, version, commit, and license.

        
permissiveoptional runtimevendored source

      

      

        
Current state

        
Rotated key state

        
Current establishment digest is EMMUNVQgoZIJyR6LtrTHqxt9umkFREpRlynjXeAYgWNJ. Event type is rot; final sequence is 1.

        
sequence 1rotationverified

      

      

        
Thresholds

        
Signing and witnesses

        
Signing key count is 1, signing threshold is 1, next-key commitment count is 1, witness count is 0, and witness threshold is 0.

        
keys presentcommitment presentwitness fields present

      

    

    
KERI state checks:
aid_present: true
sequence_present: true
event_digest_present: true
signing_keys_present: true
signing_threshold_present: true
next_key_commitments_present: true
witness_threshold_present: true
source_fingerprint: sha3-512:ef6e61d4bd74535edafe2e9307a66c34c63de1765bd132ae8f3512ddd6023317aa6c440d1361749e478aab010dcd7621873e69ae65962404fb2989296d4d7974

  


  

    

      
Selected adapter packet

      
Adapter binding packet

      
The selected adapter produces verified identity evidence, and Proofnet BTC binds that state with the same post-quantum record path.

    

    

      

        
Identity input

        
Adapter subject

        

        
schemelicense

      

      

        
Adapter evidence

        
Evidence summary

        

        
dependencynormalized state

      

      

        
Proofnet binding

        
ML-DSA-87 + SHA3-512

        
The accepted state is normalized into an identity_binding attesto, digested with SHA3-512, signed with ML-DSA-87, and prepared for Memory Blocks.

        
identity_bindingMemory Block first

      

    

    

  


  

    

      
Adapter framework

      
Identity adapters remain selectable

      
Proofnet BTC accepts multiple permissive identity inputs under the same identity_binding contract. KERI is the deepest adapter in this review packet.

    

    

      
Adapter
Evidence
Dependency
Status

      
Proofnet Native
Node identity verified without external dependencies
core / Proofnet core
enabled

      
KERI / KERIpy
Controller OOBI review fixture, KEL icp -> rot, KeyStateRecord extraction
deps/keripy / Apache-2.0
deep

      
DID / DIDKit
DID document resolution and verification method digest
deps/didkit / Apache-2.0
enabled

      
SPIFFE / SPIRE
SPIFFE ID, trust domain, SVID digest
deps/spire / Apache-2.0
enabled

      
Sigstore / Rekor
Bundle fixture, artifact digest, checkpoint, inclusion proof
deps/sigstore-python / Apache-2.0
enabled

      
C2PA
Manifest digest, asset digest, signer, assertions
deps/c2pa-rs / Apache-2.0 OR MIT
enabled

      
OpenID4VC
Issuer, holder, credential digest, presentation digest
deps/openid4vc / Apache-2.0
enabled

      
X.509
Certificate subject, issuer, serial, fingerprint
deps/cryptography / Apache-2.0 OR BSD-3-Clause
enabled

    

  


  

    

      
Side by side

      
KERI classical vs. KERI + Proofnet BTC

    

    

      
Layer
KERI
KERI + Proofnet BTC

      
Identity handle
KERI AID
Same KERI AID bound into a Proofnet attesto

      
Verified state
KEL sequence, current keys, next-key commitments
KERIpy KeyStateRecord after OOBI resolution plus deterministic state digest

      
Signature primitive
Classical identity app stack
Proofnet adds ML-DSA-87 binding signature

      
Verification record
KERI/KERIA state, witnesses, receipts, and OOBIs
KERIpy replay evidence plus SHA3-512 digest and identity_binding attesto

      
Failure boundary
Live identity systems can rotate, expire, disappear, or be unavailable
Proofnet preserves the verified state accepted at binding time

      
Durability
Ledger-less or ledger-portable identity history
Proofnet Memory Block first, optional Bitcoin timestamp

      
Collaboration boundary
KERI remains the identity layer
Proofnet contributes the PQ primitive and attesto layer

    

  


  

    

      
KERI ecosystem parity

      
KERI ecosystem coverage

      
This matrix maps common wallet, agent, and developer expectations to the evidence included in the Proofnet packet.

    

    

      
Area
KERI ecosystem UI
Proofnet demo parity
Status

      
Identifiers
AID list, individual or group identity selection, current key state.
KERI AID, KEL sequence, event digest, current key count, threshold.
covered

      
Connections
OOBI, QR, peer or dApp connection request, pending connection state.
Controller OOBI review fixture resolved through KERIpy and bound.
covered

      
Credentials
ACDC or vLEI credential cards, present, receive, revoke flows.
Credential content stays above Proofnet; the binding leaves KERI credential semantics intact.
credential workflow

      
Signing consent
Wallet or extension prompt before signing.
Verifier output shows exact signed message, digest, PQ key, and tamper boundary.
covered

      
Agent boundary
KERIA holds agent state while user secrets stay at the edge.
KERIpy is pinned under deps, runtime stays optional, Proofnet core remains isolated.
covered

      
Witnesses
Witness threshold and receipts establish accepted key-event state.
Witness threshold and witness count are extracted into the proof packet.
covered

      
Rotation
Current keys, next-key commitments, and sequence number are central UI facts.
Current signing key count, next commitment count, and sequence are bound.
covered

      
Recovery
Wallet recovery, passcode, biometrics, or operations password.
Proofnet binds prior and current KERI states as separate historical records. No wallet recovery secret is exported.
covered

      
Developer/API
Swagger/OpenAPI, KERIpy docs, KERIA docs, CLI paths.
Source links, replay report, verifier output, and downloadable packet are included.
covered

    

  


  

    

      
Wallet and recovery

      
Rotation and recovery binding

      
A recovery/rebind fixture shows sequence 0 and sequence 1 as separate Proofnet records, with the current binding marked as latest.

    

    

      

        
Prior state

        
Historical binding

        
Prior sequence 0 remains verifiable as its own identity_binding record.

        
sha3-512:36e2b214...historical

      

      

        
Current state

        
Latest binding

        
Current sequence 1 is rebound after rotation or recovery and becomes the latest accepted state.

        
sha3-512:9d3351f9...latest

      

      

        
Secret boundary

        
No wallet secrets exported

        
No seed phrase, passcode, biometric secret, private key, or wallet recovery credential is placed into the Proofnet packet.

        
public evidence onlysafe fixture

      

    

    

      
01
Identifier
Choose an individual or group AID from a wallet or agent.

      
02
Connection
Resolve an OOBI, QR, peer, website, or dApp request.

      
03
Consent
Show the exact signed message, digest, PQ key, and tamper result.

      
04
Verification
Replay KEL, verify ML-DSA-87, commit Memory Block, optionally anchor.

    

  


  

    

      
Proof packet

      
Forwardable brief and JSON fixture

      
The packet keeps the claim narrow: KERI identity semantics remain intact while Proofnet BTC adds primitive-level post-quantum assurance and durable Memory Block replay.

    

    

      

        
Verification output

        
KERI AID: present
KERI key state: extracted
KERIpy dependency: pinned
KERIpy OOBI: resolved
KEL replay: verified
Proofnet PQ key: present
Binding digest: valid
Signed message: valid
Proofnet PQ signature: valid
Memory Block attesto: ready
Bitcoin anchor: not_requested
Result: verified

        

          
          
          
        

      

      

        
JSON packet

        
{
  "type": "proofnet_identity_binding_v0",
  "attesto_type": "identity_binding",
  "identity_scheme": "keri",
  "identity_subject": "EDl3VS8xBlDp-x9RU4HEDE0n6cum4PW9HI9tEEnsf483",
  "identity_state_version": "keri-key-state-v1",
  "identity_state_sequence": 1,
  "identity_state_digest": "sha3-512:ef6e61d4bd74535edafe2e9307a66c34c63de1765bd132ae8f3512ddd6023317aa6c440d1361749e478aab010dcd7621873e69ae65962404fb2989296d4d7974",
  "binding_digest": "sha3-512:6c6a6dd3272a1ae0d31bb7de1fd8bf30ed27a1a213cb1c54a10879fe13fac2d15c41f5098918f37b7af2bec29af2f1d28ad749eced2b5c420754503340b5a49c",
  "proofnet_node_id": "proofnet-pq1-demo-node-001",
  "proofnet_pq_algorithm": "ML-DSA-87",
  "proofnet_pq_sig_domain": "PROOFNET|identity_binding|v1",
  "keripy_replay": {
    "status": "verified",
    "oobi": "resolved",
    "kel_events": ["icp", "rot"],
    "final_sequence": 1,
    "final_event_digest": "EMMUNVQgoZIJyR6LtrTHqxt9umkFREpRlynjXeAYgWNJ"
  },
  "native_record": "proofnet_memory_block_first",
  "bitcoin_anchor": "not_requested"
}

        

          
          
          
          
        

      

      

        
Forwardable brief

        
# Proofnet BTC + KERI Review Brief

Prepared by: Blockie Talkie LLC
Product: Proofnet BTC / AttestoBind identity adapter framework
Team: Anthony Derbidge, Drew Derbidge, and Jamie Derbidge, MPA
Contact: info@proofnetbtc.com
Private review: https://proofnetbtc.com/private/

## Executive summary

KERI remains the identity semantics layer: AIDs, OOBIs, key event logs, witnesses, receipts, rotations, wallets, agents, and credentials. Proofnet BTC does not replace KERI. It adds a post-quantum proof layer that records the exact KERI state accepted at verification time.

The review packet resolves a KERI AID through KERIpy, replays an inception plus rotation KEL, extracts the verified KeyStateRecord, normalizes that accepted state into an identity_binding attesto, digests the canonical record with SHA3-512, and binds it with an ML-DSA-87 Proofnet BTC signature.

The result is a durable, replayable, post-quantum record. Proofnet Memory Blocks are the native record layer. Bitcoin anchoring is optional external timestamping, not a requirement for the KERI bridge.

## Why it matters

KERI is strong at decentralized identity semantics and key-event history. Long-lived systems also need an independent record of what was accepted, when it was accepted, and which cryptographic state was bound. Proofnet BTC preserves that record even if a resolver, OOBI endpoint, agent, wallet, or witness configuration changes later.

## Evidence in this packet

- KERI AID present and bound.
- KERIpy dependency pinned under deps/keripy with Apache-2.0 licensing.
- Controller OOBI review fixture resolved.
- KEL replay includes inception plus rotation.
- Final sequence is 1.
- KeyStateRecord material is used as verified upstream state.
- SHA3-512 state digest and binding digest are deterministic.
- ML-DSA-87 Proofnet BTC signature claim is present.
- Memory Block attesto path is ready.
- Bitcoin anchor is not requested for this packet.

## Build tracks

- Adapter proof layer: selectable adapters, SHA3-512 state digests, ML-DSA-87 binding, Memory Block attesto, optional Bitcoin anchor.
- Credential and wallet workflows: credential issue, receive, present, revoke, agent, OOBI, witness, wallet, and admin UX.
- Enterprise deployment: tenants, RBAC, service credentials, audit logs, adapter policies, compliance exports, and reviewer access.
- Network scale: cross-organization verification, replicated Memory Blocks, Toshi PQ1 signing policy, anchoring policy, and standards integrations.

## Adapter readiness board

| Adapter | Proof layer | Workflow layer | Enterprise layer | Network scale |
| --- | --- | --- | --- | --- |
| Proofnet Native | [x] Node identity, PQ key state, Memory Block attesto. | [x] Enroll, rotate, recover, move device, Toshi PQ1 sign. | [x] Policy defaults, reviewer scope, audit export. | [x] Cross-node replay, replicated Memory Blocks, anchor policy. |
| KERI / KERIpy | [x] AID, OOBI review fixture, KEL replay, KeyStateRecord. | [x] Rotation, recovery, ACDC/vLEI issue, receive, present, revoke. | [x] KERIA path, public OOBIs, witness policy, reviewer scopes. | [x] Cross-organization replay over the accepted KERI state. |
| DID / DIDKit | [x] DID document, verification method, resolver output digest. | [x] VC/VP issue, present, status, revoke, method policy. | [x] Resolver policy, tenant method selection, audit exports. | [x] Multi-method federation, trust registries, partner verification. |
| SPIFFE / SPIRE | [x] SPIFFE ID, trust domain, SVID digest, workload identity. | [x] Workload enroll, rotate, expire, service identity consent. | [x] Trust-domain policy, workload role, service audit. | [x] Federated trust domains, service mesh replay, workload audit. |
| Sigstore / Rekor | [x] Artifact digest, signing identity, Rekor inclusion proof. | [x] CI/CD admission, release approval, provenance verification. | [x] Release gates, provenance export, software audit policy. | [x] Cross-org software supply chain, build policy, release replay. |
| C2PA | [x] Manifest digest, asset digest, signer, assertion set. | [x] Claim verify, transform, update, revoke, chain-of-custody. | [x] Media policy, review scopes, compliance exports. | [x] Content provenance networks, media audit, custody replay. |
| OpenID4VC | [x] Issuer, holder, credential digest, presentation digest. | [x] Offer, receive, present, status, revoke, verifier policy. | [x] Issuer policy, verifier routes, tenant audit export. | [x] Federated credential exchange, trust registry, compliance export. |
| X.509 | [x] Certificate chain, subject, issuer, serial, fingerprint. | [x] Issue, renew, rotate, revoke, OCSP/CRL status. | [x] CA policy, certificate profile, audit export. | [x] Enterprise PKI, mTLS/device identity, CA policy replay. |

        

          
          
          
        

      

    

  


  

    

      
Review links

      
Public packet, docs, and commercial scope

    

    

      

        
Public demo

        
AttestoBind verifier

        
Adapter selector and public-safe binding fixtures for Proofnet Native, KERI, DID, SPIFFE, Sigstore, C2PA, OpenID4VC, and X.509.

      

      

        
Engineer docs

        
AttestoBind docs

        
Record fields, CLI shape, service API surface, adapter matrix, and security boundary.

      

      

        
Offerings

        
Commercial modules

        
AttestoBind Core, AttestoBind KERI, supply chain, enterprise identity, anchoring, and hardware signing.

      

      

        
Sovereign AI

        
Private pilot demo

        
Institution and educator review room with endpoint boundary, signed AI output packet, cost spread, and internal-forwarding brief.