The “Who” Problem
A blockchain timestamp proves that a specific file existed at a specific time. But it doesn’t inherently prove who created that timestamp. Any person with access to the file could have computed the hash.
For many use cases, this doesn’t matter. If you’re timestamping your photography portfolio, the combination of the timestamp + your portfolio website + your known identity as a photographer is sufficient.
But for some situations, you need to formally link the proof to the person:
- Legal proceedings: Courts want to know who created the evidence
- IP disputes: The claimant’s identity is essential to the claim
- Regulatory compliance: Compliance records must be attributed to specific individuals
- Business contracts: Evidence must be linkable to the signing parties
This is what identity attestation provides.
How It Works
Step 1: Identity Verification
When you create a TimeProof account, you verify your email address. For Legal-Grade timestamps, additional verification may apply (depending on the attestation level). This identity information is stored in TimeProof’s secure application database — never on the blockchain.
Step 2: JWS Creation
When you create a Legal-Grade timestamp, TimeProof generates a JSON Web Signature (JWS) that contains:
{
"sub": "user_id",
"iat": 1709316000,
"hash": "a3f2b8c1d4e5...",
"txHash": "0x7a8b9c...",
"attestation": "identity_verified"
}This payload is signed with TimeProof’s private key. The signature proves:
- TimeProof issued this attestation (verified via public key)
- The specified user initiated the timestamp
- The attestation was created for this specific file hash and transaction
Step 3: Bundle Delivery
The signed JWS is included in your Legal-Grade evidence bundle alongside the timestamp certificate, Merkle proof, and verification guide.
Step 4: Third-Party Verification
Anyone can verify the attestation:
- Fetch TimeProof’s public keys from
/.well-known/jwks.json - Verify the JWS signature against the public key
- Confirm the hash in the attestation matches the file hash
- Confirm the transaction hash matches the blockchain record
No TimeProof account, API key, or payment required. Fully independent verification.
Design Decisions
Why application-level attestation (not on-chain identity)?
Putting identity on the blockchain creates permanent, public, immutable records of personal information. This is:
- A privacy disaster — identity information visible to anyone scanning the blockchain
- GDPR non-compliant — the right to erasure is impossible on an immutable ledger
- Unnecessary — identity verification doesn’t need to be decentralized
Application-level attestation gives you the proof benefit (JWS-signed identity link) without the privacy cost. Your identity stays in a secure database. The cryptographic proof of attestation is what travels with the evidence.
Why JWS (not a proprietary format)?
JSON Web Signature is an open standard (RFC 7515) used across the internet for authentication tokens, API security, and identity verification. It’s:
- Widely supported — libraries exist in every programming language
- Well-understood — security researchers have extensively analyzed the format
- Self-verifying — anyone with the public key can verify the signature
- Extensible — additional claims can be added without breaking compatibility
Using an open standard means your evidence doesn’t depend on TimeProof’s proprietary tooling. Any cryptographer, security engineer, or court-appointed expert can verify the attestation using standard tools.
Why /.well-known/jwks.json?
The .well-known directory is an IANA-registered standard (RFC 8615) for hosting service-specific metadata at predictable URLs. The JWKS (JSON Web Key Set) endpoint is the standard way to distribute public keys for JWS verification.
This means verification follows a well-known pattern:
- The verifier knows the issuer (TimeProof)
- They fetch the public keys from the standard location
- They verify the signature using standard cryptographic operations
No API documentation, authentication tokens, or custom integrations needed.
Privacy Model
Identity attestation is designed with privacy as a primary constraint:
| Data | Location | Visibility |
|---|---|---|
| Your name/email | TimeProof database | Private (account only) |
| Identity verification status | TimeProof database | Private |
| JWS attestation | Your evidence bundle | Controlled by you |
| File hash | Polygon blockchain | Public |
| Merkle root | Polygon blockchain | Public |
You decide who sees the JWS. It’s a file in your evidence bundle that you share when needed (with a court, a client, a counterparty). It doesn’t broadcast your identity — it provides proof of identity when you choose to present it.
When You Need Identity Attestation
You need it when:
- Filing evidence in legal proceedings
- Sending cease-and-desist letters with evidence
- Providing proof to regulatory bodies
- Establishing that a specific person created the timestamp
- The counterparty might challenge who created the evidence
You don’t need it when:
- Timestamping for personal records
- Building a creative timeline for your portfolio
- Internal compliance documentation
- Archiving research data
- General IP protection where your identity is established by context
Standard timestamps handle the majority of use cases: scheduled timestamps use 1 credit per file and verified instant timestamps use 2 credits per file. Legal-Grade with identity attestation is the higher-trust option when you need the formal, court-ready link between person and proof. It costs Starter and Pro: 50 credits up to 25 files, then +2/file. Business: 25 credits up to 25 files, then +1/file. Enterprise: included.