a walk-through, in plain language
How a verum is made.
Six steps. About thirty seconds. The cryptography is real; the witnesses are real; the artifact is downloadable, portable, and verifiable by anyone without contacting V3RUM.
You give it something to seal.
A document, a contract, a photograph, a TSL8 cargo, a pasted block of text — anything. Your browser computes a SHA-256 hash of it, locally. The original content never leaves your machine. Only the hash participates in the seal.
The hash is a fingerprint. Two different documents have astronomically different hashes. Verifying later that "this hash matches that document" is trivial; reversing a hash to figure out the document is computationally impossible.
Your device proves it's you.
A WebAuthn passkey ceremony — Touch ID, Face ID, Windows Hello, or a hardware security key — produces a cryptographic signature over the hash. The signature is hardware-attested: it can only have come from a genuine secure-enclave chip, authorized by your biometric or PIN.
Your fingerprint or face never leaves your device. The biometric is the gate that authorizes the chip to sign; the chip is what's actually attested to.
Public randomness gets pulled in.
Your browser fetches the current value from the drand League of Entropy beacon — a public randomness source generated by a global consortium, signed with threshold cryptography, published every three seconds. The value cannot be predicted before it's published. Including it in your seal proves the seal couldn't have been made before that moment.
drand is run by the Cloudflare, EPFL, Protocol Labs, and a dozen other organizations. To compromise it, you'd need to compromise more than half the consortium simultaneously. As public randomness sources go, it's about as trustworthy as the internet currently produces.
A Bitcoin block hash anchors the time.
The latest block hash from the Bitcoin chain is fetched and embedded. This is another "this couldn't have existed before" proof — the block hash is the result of the network's collective proof-of-work, and a specific block hash didn't exist before that block was mined.
To forge this, you'd need to either go back in time or mount a 51% attack on the Bitcoin network. The economic cost of the latter is roughly the price of every ASIC mining rig on Earth, plus the energy to run them long enough to fork.
More witnesses arrive (in v1.0).
The v0.1 preview includes the four witnesses above. The v1.0 spec extends this to a full constellation: paired GPS fixes from phone and watch, BLE proximity between your devices, an RFC 3161 timestamp from an independent authority, market state from major exchanges, news headline hashes, atmospheric observation from the nearest weather station, an AI-gate acknowledgment if you're using one, and any decorative witnesses you choose to include.
Each witness adds to the score. None is required. The constellation gets stronger monotonically as more witnesses arrive — and a single bad sensor, vendor outage, or spoofing attempt can't take down the seal.
The verum is assembled.
All the witnesses, your hash, your signature, the timestamps, and your declared
identity claim are packed into a single JSON document. The document is hashed.
The result is downloadable as .verum.json — a portable, verifiable
artifact you can attach to anything.
Anyone can verify it. They read the spec, fetch the public witness values from their original sources, check the math, and confirm the signature. V3RUM the organization is not in the loop. The format is the trust anchor.
That's it.
The whole ceremony takes about thirty seconds in the browser. The artifact lives forever, or as long as the witness sources remain individually verifiable — and where any one source fails, the substitutability rules in the spec let a successor witness take its place without invalidating existing verums.