Vouchsafe: A Zero-Infrastructure Capability Graph Model for Offline Identity and Trust
Jay Kuri
TL;DR
The paper tackles the problem that traditional identity and trust systems depend on fragile online infrastructure, which fails in disaster, disconnected, or adversarial settings. It introduces the Zero-Infrastructure Capability Graph (ZI-CG), a formal model in which identity, delegation, revocation, and termination are encoded as self-verifying, content-addressed tokens whose validity is determined entirely by local evaluation. The authors instantiate this model with Vouchsafe, a complete offline implementation using standard primitives (Ed25519, SHA-256, JWTs) that requires no new cryptography or online services. They provide a rigorous formalization of tokens, state resolution, capability graphs, and deterministic evaluation, along with a security analysis and discussion of practical applications, limitations, and future directions. The work demonstrates that a practical, offline-verifiable trust substrate can be built today, enabling resilient trust for workflows in infrastructure-poor environments and decentralized, arena-ready deployments.
Abstract
Modern identity and trust systems collapse in the environments where they are needed most: disaster zones, disconnected or damaged networks, and adversarial conditions such as censorship or infrastructure interference. These systems depend on functioning networks to reach online authorities, resolvers, directories, and revocation services, leaving trust unverifiable whenever communication is unavailable or untrusted. This work demonstrates that secure identity and trust are possible without such infrastructure. We introduce the Zero-Infrastructure Capability Graph (ZI-CG), a model showing that identity, delegation, and revocation can be represented as self-contained, signed statements whose validity is determined entirely by local, deterministic evaluation. We further present Vouchsafe, a complete working instantiation of this model built using widely deployed primitives including Ed25519, SHA-256, and structured JSON Web Tokens, requiring no new cryptography or online services. The results show that a practical, offline-verifiable trust substrate can be constructed today using only the cryptographic data presented at evaluation time.
