Independent, on-chain proof that plc.directory serves a DID's
complete, current, and non-equivocated history — exposed as a graduated status any
resolver or PDS can enforce unilaterally, with no network coordination and no
protocol change.
atproto identities are a signed, hash-linked log of operations served from one directory. Every op is self-certifying — but a single signature can't tell you whether you were shown the whole history. Email solved the same gap with a layered stack:
Each operation is signed by a then-valid rotation key. Per-op authenticity — already there.
The layer a signature structurally can't provide: was I shown the complete, current, non-equivocated history? Verified on-chain.
Each opted-in DID's full operation log is re-verified from genesis inside a Starknet
contract — the network proves the computation and settles to Ethereum; there is no bespoke
prover and no trusted snapshot. The contract commits a proven DID→document root. A resolver
fetches a document from the directory and checks it against that root, getting back a
status. plc.directory stays canonical; DIDMARC is a read-side witness that
anyone turns on alone — the way an email receiver enables DMARC.
p=none). Adoption is the DMARC ramp:
start by logging the status, then quarantine on diverged, then refuse to relay
— each resolver decides on its own.
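
The read-side check and the adoption ramp described above, as an added example that is not DIDMARC's own code. It assumes the committed root is a SHA-256 Merkle root over (DID, document) leaves and that the resolver is handed an inclusion proof; the status names "verified" and "unproven", the policy names, and every function name are hypothetical (only "diverged" and p=none appear on the page).

```python
import hashlib, hmac, json

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()  # assumption: the real contract's hash may differ

def leaf(did: str, doc: dict) -> bytes:
    # Canonical JSON; the 0x00/0x01 prefixes keep leaves and inner nodes distinct.
    body = json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()
    return _h(b"\x00" + did.encode() + b"\x00" + body)

def node(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)

def build(leaves):
    """Stand-in for the proven commitment: returns (root, proofs per leaf)."""
    proofs = [[] for _ in leaves]
    level = [(x, [i]) for i, x in enumerate(leaves)]
    while len(level) > 1:
        nxt = []
        for j in range(0, len(level) - 1, 2):
            (a, ia), (b, ib) = level[j], level[j + 1]
            for i in ia:
                proofs[i].append((b, False))   # sibling sits on the right
            for i in ib:
                proofs[i].append((a, True))    # sibling sits on the left
            nxt.append((node(a, b), ia + ib))
        if len(level) % 2:
            nxt.append(level[-1])              # odd node is promoted unchanged
        level = nxt
    return level[0][0], proofs

def status(did, doc, proof, root):
    if proof is None:
        return "unproven"                      # hypothetical: DID has not opted in
    acc = leaf(did, doc)
    for sibling, sibling_is_left in proof:
        acc = node(sibling, acc) if sibling_is_left else node(acc, sibling)
    return "verified" if hmac.compare_digest(acc, root) else "diverged"

def enforce(policy, st):
    """policy is this resolver's own setting: 'none', 'quarantine' or 'reject'."""
    if st != "diverged":
        return "accept"
    return {"none": "log", "quarantine": "quarantine", "reject": "refuse"}[policy]

# Constructed sample data, not real DIDs or documents.
DOCS = {f"did:plc:example{n}": {"rotationKeys": [f"did:key:zExample{n}"]} for n in "abc"}
DIDS = sorted(DOCS)
ROOT, PROOFS = build([leaf(d, DOCS[d]) for d in DIDS])
```

A document the directory serves that differs in any field from the committed one hashes to a different leaf, so the recomputed root no longer matches and the resolver's local policy decides what happens next.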