Two-Axis Trust Model¶
"Verified" does not mean verified¶
The word "verified" carries a precise meaning in the cryptographic identity world — it means a claim has been bound to a provable identity and attested by a trusted party through a mechanism that a third party can reproduce. It does not mean "has a high numerical score."
A single tier called "verified" gated only on a weighted evidence score is wrong: a high score derived from a few GitHub repositories and a resume self-description has not been verified in any meaningful sense. That framing does legal work it cannot support.
Bukti separates identity integrity and substantive credibility into the two distinct epistemic objects they are. They are never collapsed into a single number before the tier label is assigned.
Two orthogonal axes¶
Axis 1 — identity grade (I0 to I4)¶
What do we know about who this entity is, cryptographically?
Identity grade is a categorical ladder. Higher grades require progressively stronger cryptographic binding. The grade is independent of how much capability evidence exists.
See identity-grades.md for the full ladder definition.
Axis 2 — substantive grade (Beta posterior on [0, 1])¶
What does the evidence say about capability?
Substantive grade is a probability distribution, not a point estimate. It is computed as the posterior of a Beta-Binomial model over all VOIs for an entity-capability pair. The system reports the posterior median plus 80% and 95% credible intervals.
See scoring-formula.md for the full derivation.
The joint matrix¶
The categorical tier label (Verified / Attested / Self-declared) is a function of both axes together. Neither axis alone determines the tier.
| high substantive (median + CI-low both clear thresholds) | mid substantive | low substantive | |
|---|---|---|---|
| I3+ (cryptographically bound) | Verified | Attested | Self-declared |
| I2 (single OIDC) | Attested | Attested | Self-declared |
| I0–I1 (self-asserted or email only) | Self-declared | Self-declared | Self-declared |
The tier values are as shipped. The specific substantive thresholds are tunable parameters held in private config until calibration data from the first pilot cohort exists. See calibration-status.md.
Why "Verified" requires I3+¶
The I3+ requirement for the "Verified" tier is the key safeguard. It means that the "Verified" label is reserved for entities who have:
- Either connected two independent OIDC-bound accounts (for example, GitHub and Google Workspace), or
- Provided an institutional Verifiable Credential (Open Badges 3.0 with a valid issuer)
and whose substantive evidence also clears the high-substantive thresholds.
Without I3+, even extremely high substantive scores yield "Attested" at best. This is intentional. Substantive evidence alone — however voluminous — cannot substitute for a cryptographic identity anchor.
What this means in practice¶
A person with only GitHub OIDC (I2) and excellent evidence will be labeled Attested, not Verified. Adding a verified institutional badge or a second independent OIDC binding elevates to I3, at which point the substantive score determines whether they cross into Verified.
A person with a strong GitHub + Credly portfolio but no OIDC binding (I0 or I1) will be labeled Self-declared regardless of evidence volume. The system cannot know whether the entity presenting the evidence is the entity named in it.
An entity with I3+ identity but thin evidence will be Self-declared or Attested depending on the substantive score. Identity binding is not a shortcut around evidence.
Tier rationale¶
Every entity-capability pair returned by the API includes a structured human-readable rationale string explaining exactly which cell of the joint matrix was applied and why. This is the adverse-action disclosure mechanism required by regulatory frameworks (see regulatory.md).
Related pages¶
- scoring-formula.md — Beta-Binomial math
- identity-grades.md — I0–I4 ladder with OIDC providers
- calibration-status.md — current calibration state
Methodology v0 — dated 2026-04-28. Uncalibrated; see calibration status.