BitSeal
Effective June 4, 2026

Authority key ceremony.

A public attestation of the cryptographic key that signs BitSeal seal manifests. Includes generation facts, storage, access controls, and instructions for any third party to reproduce the fingerprint offline.

Plain-English summary

Every BitSeal web seal is signed with a single Ed25519 private key held by Orygn LLC. The matching public key is published below and at /.well-known/bitseal-authority-key.json. Anyone who holds the public key, a manifest, and the signature can verify a seal independently of BitSeal's hosted infrastructure using any standard Ed25519 verifier. This document records who generated the key, how it is stored, and who may access it.

1. Purpose

This Key Ceremony document exists so that any third party relying on a BitSeal seal, whether to audit a file, defend a legal position, or evaluate the credibility of BitSeal as a provenance service, can answer three questions without having to rely on Orygn's public statements alone.

  • Which exact public key is the canonical BitSeal Authority key today.
  • Under what conditions the matching private key was generated and is held.
  • What we can and cannot attest to about its history.

Where we do not have a formal attestation of a historical fact, this document says so plainly. A ceremony document that invents details is worth less than one that is honest about gaps.

2. Current Authority key

The values below are derived at page request time from the Authority public key published as BITSEAL_AUTHORITY_PUBLIC_KEY_PEM, which is set to the public half of the KMS-resident signing key at provisioning time. They update immediately on key rotation and always match the value served at the well-known endpoint.

Algorithm
Ed25519 over edwards25519
Fingerprint (SHA-256, colon-hex)
86:6C:6F:8C:1A:D2:A9:98:AF:21:5B:10:62:41:21:20:35:92:D0:34:3B:DE:B5:01:A9:E5:E1:DA:04:CD:3C:48
Fingerprint (SHA-256, base64)
hmxvjBrSqZivIVsQYkEhIDWS0DQ73rUBqeXh2gTNPEg=
Raw public-key bytes (hex, 32 bytes)
cf9f8ccef179d0f43b1bccdc2c20cdd916cd09a15ac32017bfd9865fcf16de4f
Public key (PEM, SubjectPublicKeyInfo)
-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEAz5+MzvF50PQ7G8zcLCDN2RbNCaFawyAXv9mGX88W3k8=
-----END PUBLIC KEY-----

Manifest specifications signed by this key

The Authority key signs two manifest formats. Both share the same BLAKE3 Merkle construction; they differ only in the bytes the Ed25519 signature covers. Every seal carries an explicitseal_mode field so verifiers can dispatch unambiguously.

v1Original layout
seal_mode = merkle-blake3-64k-v1
Signed message: 32-byte root_hash || 8-byte little-endian double timestamp_utc (40 bytes total)
Status: Active for all seals issued before 2026-05-29 (or with BITSEAL_SEAL_FORMAT=v1 set).
v2Post-audit layout
seal_mode = merkle-blake3-64k-v2
Signed message: SHA3-512 (FIPS 202) of the canonical UTF-8 bytes of the manifest with the signature field removed
Status: Default for all seals issued on or after 2026-05-29. Closes audit findings H2, M4, L4.

3. Generation record

The current Authority key was generated under the ceremony procedure published in our Rotation Policy. The facts below are the contemporaneous record of that generation event. A second, retired record follows below for the original Authority key (in service 2026-04-19 through 2026-05-29), which is preserved here in full so any seal issued under it remains independently auditable. Any relying party can recompute the current public-key fingerprint in Section 2 from the same PEM using the steps in Section 6, a mismatch between what this page claims and what the well-known endpoint serves is the strongest signal that something is wrong.

Current key (in service from 2026-05-29, AWS KMS hardware custody)

Generated at (UTC)
2026-05-29 (UTC date; the precise CreateKey instant is preserved in CloudTrail under Orygn's control and is available on operator request)
Algorithm
Ed25519 (RFC 8032, curve edwards25519)
Generator
aws kms create-key --key-spec ECC_NIST_EDWARDS25519 --key-usage SIGN_VERIFY
AWS region
us-east-1
KMS key ID
c74ed76f-615f-49dd-b9cb-994266554479
KMS key alias
alias/bitseal-authority-key
Key custody
AWS KMS HSM, single-region, FIPS 140-3 Security Level 3 validated module (CMVP Cert #4884, effective 2025-02-20, covering all AWS commercial and GovCloud regions including us-east-1). The private key was generated inside the HSM and AWS KMS does not permit export of asymmetric key material once it has been generated inside a CMK with origin AWS_KMS. The plaintext private key has never existed outside the HSM, including for AWS personnel.
Entropy source
AWS KMS hardware random number generator inside the HSM (NIST SP 800-90A compliant DRBG, seeded from on-board hardware entropy under the FIPS 140-3 Level 3 validation cited above).
Operator
Daniel Okwor, Orygn LLC.
Post-generation handling
Public key retrieved via aws kms get-public-key, the returned DER converted to PEM, then pinned into the Vercel production environment as BITSEAL_AUTHORITY_PUBLIC_KEY_PEM alongside BITSEAL_KMS_KEY_ID (the key ARN) and BITSEAL_SIGNING_BACKEND=kms. The private key was never seen, never exported, never transmitted by any party. Production signing is performed by a single narrow IAM principal, bitseal-kms-vercel-runtime, whose inline policy BitSealRuntimeKmsAccess grants only kms:Sign, kms:GetPublicKey, and kms:DescribeKey on this specific key ARN.

Previous key (in service 2026-04-19 through 2026-05-29, software custody, now retired)

The original Authority key was a software-generated Ed25519 key held as a Vercel environment variable. It was retired on 2026-05-29 when the AWS KMS key above took over signing, and its public half was moved into the historical-keys list under key_id = pre-kms-2026-04-19 with effective_from = 2026-04-19 and effective_until = 2026-05-29. The retired public key appears in Section 5 below and in the historical_keys array at the well-known endpoint. Seals issued during its effective window remain independently verifiable forever; BitSeal's verifier dispatches to it automatically by timestamp. The retired private key bytes were deleted from every Vercel environment at the time of cutover; there is no surviving copy in any other system held by Orygn.

Generated at (UTC)
2026-04-19T18:21:33Z
Retired at
2026-05-29 (UTC)
Algorithm
Ed25519 (RFC 8032, curve edwards25519)
Generator
node:crypto generateKeyPairSync('ed25519')
Node.js version
v24.12.0
Platform
Windows 11 (build 10.0.26200)
Entropy source
Operating-system CSPRNG reached through Node's bundled OpenSSL (BCryptGenRandom on Windows).
Operator
Daniel Okwor, Orygn LLC.
Post-generation handling
PKCS#8-PEM private key written to a file outside the Git working tree, then uploaded as the BITSEAL_PRIVATE_KEY environment variable for the Production, Preview, and Development environments of the hosting project, over an authenticated CLI session. The private key was never committed to source control. On 2026-05-29 it was removed from every Vercel environment in the same authenticated CLI session used to install it.

Why a clean first-generation ceremony

Before the original Authority key recorded above, a pre-launch Ed25519 key had existed in the hosting environment variables since early development so that the signing code path could be exercised in staging. That key was never used to sign any externally-published seal and is not honored as a historical Authority key. Rather than publish a ceremony document with gaps around its generation, we rotated to the new key recorded under the full procedure. The pre-launch key is discarded and does not appear in Section 5.

What this record does and does not prove

  • It establishes a self-consistent, timestamped statement of how each key was generated, under what procedure, on what platform.
  • For the current KMS key, it commits the operator to a specific KMS key ID, region, and IAM-policy shape. The corresponding CloudTrail CreateKey and IAM events are preserved under Orygn's control and a redacted extract is available on operator request to an auditor with a legitimate need.
  • It is signed by the current Authority key itself via the Self-Attestation Signature in Section 7, which proves that whoever holds the current signing capability is willing to bind themselves to the text of this document.

4. Storage and access controls

The Authority private key is held inside AWS KMS in the AWS account and region recorded in Section 3. It was generated inside an AWS KMS HSM and cannot be exported. The only operation any caller can perform with this key is the AWS KMS Sign API. The full list of named subprocessors is at /legal/subprocessors.

At rest
Inside an AWS KMS HSM in the region recorded in Section 3. AWS KMS does not permit export of asymmetric key material once it has been generated inside a CMK with origin AWS_KMS. The plaintext private key bytes are not visible to any human, any software outside the HSM, or any AWS employee.
In use
For each new seal, the BitSeal runtime sends a 64-byte SHA3-512 digest (v2) or a 40-byte root_hash plus timestamp message (v1) over TLS to the AWS KMS Sign API. The HSM signs inside its boundary and returns the 64-byte Ed25519 signature. The signed message and the signature traverse the wire, the private key does not.
In transit
The private key is never in transit, full stop. Only the message being signed and the resulting signature traverse the wire, both over TLS between the BitSeal runtime and the regional KMS endpoint.
Access
One IAM principal can call kms:Sign against this key:bitseal-kms-vercel-runtime, with an inline policy (BitSealRuntimeKmsAccess) granting only kms:Sign, kms:GetPublicKey, and kms:DescribeKey on this specific key ARN. No other principal, including Orygn personnel, has signing permission on this key. The runtime principal's access keys are stored in the Vercel production environment as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

Residual attack surface: an attacker who exfiltrates the runtime IAM access key from the Vercel environment can produce valid Authority signatures against the current key for as long as they hold the credential, but cannot extract the private key, cannot list other AWS resources, cannot delete the key, and cannot escalate to other AWS principals. The recovery path under that scenario is documented in the Rotation Policy as an emergency rotation trigger.

This represents the conclusion of the HSM-migration roadmap item previously listed in this section and in the BitSeal Security threat model. The current state is FIPS 140-3 Security Level 3 HSM-backed Ed25519 signing, by inheritance from the AWS KMS HSM module validated under CMVP Cert #4884.

5. Historical keys

When the current Authority key is rotated, its public key is moved into the historical list so that seals signed under the retired key remain independently verifiable forever. Historical keys are never deleted.

pre-kms-2026-04-19
from 2026-04-19 to 2026-05-29
18:40:5A:9B:9A:5A:61:95:E5:E7:A4:32:B9:20:BB:24:C0:BC:00:04:1D:9D:25:EB:0A:24:0B:32:BE:0E:C7:C8

6. Independent verification

There are two things you may want to reproduce offline: the public-key fingerprint above (proves the key shown here is the key being used), and the signature on any specific seal (proves a given manifest was actually signed by that key). Both are documented below.

Reproducing the fingerprint with OpenSSL

curl -s https://bitseal.orygn.tech/.well-known/bitseal-authority-key.json \
  | jq -r .current_key.public_key_pem \
  | openssl pkey -pubin -pubout -outform der \
  | openssl dgst -sha256

Reproducing the fingerprint with the BitSeal SDK

pip install bitseal
python -m bitseal.verify --fingerprint

If the fingerprint you compute does not match Section 2, stop trusting the page you are reading and email [email protected]. Mismatch is the single strongest signal that the hosted ledger or CDN has been tampered with.

Verifying a seal signature

Every seal manifest carries a seal_mode field telling a verifier which signature layout to use. The SDK does this automatically; python -m bitseal.verify --root <hex> fetches the seal, reads seal_mode, and dispatches to the matching path. The manual recipes for each layout are:

v1Legacy 40-byte layout
seal_mode = merkle-blake3-64k-v1
Signed message: hex-decode root_hash (32 bytes), then append the IEEE 754 little-endian double of timestamp_utc (8 bytes); Ed25519-verify those 40 bytes against current_key.public_key_pem
Status: Use this path for any seal with seal_mode = merkle-blake3-64k-v1 (all seals issued before 2026-05-29).
v2Canonical SHA3-512 layout
seal_mode = merkle-blake3-64k-v2
Signed message: recursively sort the manifest's JSON keys lexicographically, drop the signature field, emit with no whitespace and no JSON floats, UTF-8 encode, SHA3-512 those bytes to a 64-byte digest, then Ed25519-verify against current_key.public_key_pem
Status: Use this path for any seal with seal_mode = merkle-blake3-64k-v2. Test vectors below let third parties validate their implementation byte-for-byte.

Verifying both layouts requires no BitSeal code. Any conforming Ed25519 implementation plus the public key from Section 2 is sufficient. The SDK source is open at OrygnsCode/BitSeal-SDK for reference.

7. Self-attestation signature

A detached Ed25519 signature over the canonical text of this document, signed by the Authority key itself, is available at /api/legal/ceremony-attestation. The endpoint returns a JSON bundle containing the canonical text that was signed, the Ed25519 signature, the public-key fingerprint, the canonical content fact-sheet, and a server-side timestamp.

Signing a document about the Authority key with the Authority key is deliberately recursive and has one narrow property: it proves that whoever held the Authority key at the moment the endpoint was called was willing to bind themselves to the text of this document at that time. It does not prove that the signer is Orygn, that binding comes from the domain, TLS certificate, and corporate records.

What the V2 attestation binds to

The canonical text is six lines, UTF-8, LF-only, with a trailing newline on the last line. The signature covers exactly those bytes:

BITSEAL_CEREMONY_ATTESTATION_V2
content_sha256: <64-char hex>
document: /legal/key-ceremony
effective_date: 2026-06-04
key_fingerprint_sha256: <colon-hex>
signed_at_utc: <ISO 8601>

The content_sha256 line binds the signature to the structured facts of this ceremony: the authority identity, key fingerprint, raw public key, the v1 + v2 manifest specs the key signs, and the canonical service URLs. The exact bytes that hash to content_sha256 are shown below.

Canonical content (hashed by content_sha256)

BITSEAL_KEY_CEREMONY_CONTENT_V1
authority_ceremony_url: https://bitseal.orygn.tech/legal/key-ceremony
authority_organization: Orygn LLC
authority_service_url: https://bitseal.orygn.tech
effective_date: 2026-04-19
key_algorithm: Ed25519
key_curve: edwards25519
key_fingerprint_sha256_colon: 86:6C:6F:8C:1A:D2:A9:98:AF:21:5B:10:62:41:21:20:35:92:D0:34:3B:DE:B5:01:A9:E5:E1:DA:04:CD:3C:48
key_fingerprint_sha256_hex: 866c6f8c1ad2a998af215b10624121203592d0343bdeb501a9e5e1da04cd3c48
key_public_raw_hex: cf9f8ccef179d0f43b1bccdc2c20cdd916cd09a15ac32017bfd9865fcf16de4f
manifest_spec_url: https://github.com/OrygnsCode/BitSeal/blob/main/spec/v2-manifest.md
manifest_spec_v1: merkle-blake3-64k-v1
manifest_spec_v2: merkle-blake3-64k-v2
SHA-256(canonical_content) = a58176813d9dc270e93b5e9c1e5adc103cf7b8793f7211d064e22447762f2f40

Reproduce the binding by running sha256sum over those exact bytes (no trailing whitespace beyond the single final newline) and checking the result against the canonical_content_sha256 field on the attestation endpoint. If the two differ, the attestation does not correspond to the facts shown here.

A future revision will add a secondary, off-key signature from a personal signing identity held by the Orygn operator so that the self-reference is broken. Until that is in place, treat the self-attestation as a consistency check, not an independent identity check.

8. Changes and amendments

This document is versioned. Every substantive change bumps the effective date at the top of this page. Prior versions are available on request at [email protected].

Contact

Key-ceremony inquiries and fingerprint disputes
[email protected]
Orygn LLC, a Texas limited liability company.