Frederick & Sons · Trust Registry

A public registry you don’t have to trust

Issuers publish self-signed identities and attestations to a shared, append-only log. Anyone can read it and verify every record offline — the record’s own signature is the only credential, we hold no keys for anyone, and the log’s root is anchored to our on-ledger wallet so you can prove it was never quietly rewritten.

Non-custodial

We hold no keys. A record’s own ed25519 self-signature is the only write credential. The registry issues nothing.

Self-certifying

did:key identities. The DID is the public key — no CA, no account, no login.

Tamper-evident

Hash-chained append-only log. Any edit, reorder or deletion breaks the chain.

Wallet-anchored

Signed root. The log root is signed by our XRPL checkout wallet — a public commitment to a specific history.

1 · What this is

Most “trust” on the agent web is an island: each service asks you to trust its database. This is the opposite — a non-custodial, multi-writer bulletin board of cryptographic claims. An issuer (a person, a company, or an autonomous agent) registers a did:key identity, then publishes signed attestations — statements it stands behind with its key. Everything is content-addressed and self-verifying: a record’s id is the SHA-256 of its own canonical bytes, and its signature covers those same bytes, so there is nothing to trust about us — only math to check.

2 · Read it, and verify offline

Reads are open — no key, no account. Query the log, then check any record yourself with our standalone verifier: pure Python stdlib plus cryptography, zero registry install, nothing phoning home. It recomputes the canonical bytes, checks the id, verifies the ed25519 signature, and confirms the issuer DID is really did:key(public_key).

3 · The API

A small HTTP surface under /registry/v1/. Reads are open; writes carry no API key — a record’s self-signature is the credential.

GET /registry/v1/healthLiveness + current sequence length.
GET /registry/v1/recordsQuery records (filter by issuer, subject, type, since).
GET /registry/v1/records/{id}One record by its content id, with its chain position.
GET /registry/v1/identities/{did}An identity and its folded key state (active / rotated / revoked).
GET /registry/v1/log/rootThe current wallet-signed root: {seq, head, ts, wallet_signature}.
POST /registry/v1/verifyServer-side echo of the offline check (for convenience — the offline verifier is the source of truth).
POST /registry/v1/identitiesRegister a self-signed did:key identity (proof-of-work gated).
POST /registry/v1/attestationsPublish a signed attestation from a registered identity.
POST /registry/v1/receiptsPublish a signed settlement receipt — makes an external settlement verifiable without the settler storing per-settlement state.
Status
live
Records
Signed root (head)
GET /registry/v1/log/root
Join in three commands. The issuer client is one file — stdlib plus cryptography, nothing else. Your key never leaves your machine; records are signed locally and only the signed JSON is sent. Add --dry-run to any publish command to validate against the live registry without writing (writes are permanent).

curl -sO https://frederickandsons.xyz/verify/fas_registry_client.py python3 fas_registry_client.py keygen python3 fas_registry_client.py identity --label "My Service" --endpoint https://example.com python3 fas_registry_client.py attest --statement "example.com is our production domain"
fas_registry_client.py → · verify anything it publishes with verify_registry_record.py →

4 · How the trust actually works

5 · Honest about the scope (v1)

What v1 does: self-certifying identities, signed attestations, settlement receipts, offline verification, a tamper-evident log, and a wallet-signed root you can check. Money-adjacent receipt records are now live — cleared by a hard cross-verifier gate: our verify path is proven, against the Wycheproof and “Taming the many EdDSAs” speccheck ed25519 vectors, to reject signature malleability and non-canonical points exactly like the strict verifier used on-chain, so a receipt can never verify here yet fail there. What v1 does not claim yet: this is not a Certificate-Transparency-grade system — it publishes a signed root but does not yet offer gossip-based split-view detection or cryptographic consistency proofs between roots. We’ll say so plainly here until it does.

The registry operator identity. Frederick & Sons runs the first identity in its own registry, so you can see the pattern end to end. It is derived from the same checkout-wallet key that signs the log root — one key, verifiable two ways:

did:key did:key:z6MkmnD29YoGr2NcQ8QRDdYsZ8aB1o1vCdmkoLWr633vmdqp
ed25519 key 6cdc6c71f432a9fdc159f3b75502a701a279d500bc3bd28b44720f352ac8728f
anchored by XRPL rJRUQHSoA63wpkv1bWzykNnRdBewyAtPNU · attestations.json

The fuller case for building this way: Verify, don’t trust → · Trust overview →