A Constitutional Trust Walkthrough

Continuity When the Keys Change

RSIC-003 · Continuity Chain · RSIC v1.0

Provenance belongs to the chain, not to the keys. This is the story of how identity persists when credentials do not.

The Continuity Diagram

Trust Genesis
│
Trustee A (key v1)
│
Rotation Required
│
New Credential Bound
│
Trustee A (key v2)
│
Provenance Re-verified
│
Continuity Confirmed

One holder. Two credentials, in sequence. One unbroken thread of provenance.

Page 1

What continuity exists?

A trust exists.

An office of trustee exists within it. A holder — Trustee A — occupies the office.

The holder, when acting on behalf of the trust, signs records. The signature is produced by a cryptographic credential: a key, a token, a certificate. The credential is the instrument through which the holder speaks in the chain.

It is important to be precise here. The credential is not the holder. The holder is not the office. The office is not the trust. There are four distinct things, each at a different level of permanence, each bound to the next by an explicit, witnessed record.

The holder holds the office through a credential. The credential is, for now, key v1.


Page 2

What change to provenance occurred?

The credential must change.

Perhaps the device storing the key was lost or compromised. Perhaps the certificate is approaching expiry. Perhaps a stronger signing scheme has been adopted by the institution. Perhaps a regulator has mandated rotation. The reason does not matter to the protocol.

What matters is that, from this point forward, a different credential will sign records on behalf of the holder.

This is the moment most institutions fear. If credentials are how identity is established, and credentials change, has identity been broken? Has continuity been broken? Has provenance been broken?

None of these things have been broken. But the chain must record the rotation correctly, or future readers will not be able to verify what came before and what came after.


Page 3

How was the change recognised?

The holder attests to the new credential.

The trust files a record. Class: Constitutional. Event: Holder Credential Rotated. Three witnesses of the highest threshold seal it. The old credential signs its last record. The new credential signs its first.

Both credentials appear in the rotation record. Both are bound, by witness seal, to the same holder. The chain does not abandon the past. The chain extends the past.

The rotation is not a deletion. The rotation is a binding. The old credential is not unmade. It is, from this moment forward, marked as superseded, but it remains in the chain, exactly where it always was, signing exactly what it always signed.

The past is preserved. The future is bound. The transition is recorded.


Page 4

How was continuity protected?

Continuity was not protected by trusting the new credential.

Continuity was protected by binding the new credential, in a witnessed and sealed record, to the holder who already existed in the chain.

The trust does not have a new holder. The office does not have a new occupant. The credential is new. The identity is not.

Provenance is preserved because every record before the rotation links cryptographically to every record after — through the rotation record itself. The rotation record is the bridge between the two epochs of credential. Without the rotation record, the bridge would be missing. With it, the chain is unbroken.

This is what the protocol means by provenance. Not that the keys never change. That the changes are themselves on the chain.


Page 5

Who now holds the keys?

The same holder.

Holding a new key.

This is what most software systems do wrong. They treat the key as the identity, and when the key changes they treat it as a new identity. They are forced to migrate, or to re-onboard, or to break their own history. They do this because they confused the instrument with the person.

The protocol does not make this mistake. The protocol treats the holder as the identity, and the key as a credential bound, for some period, to the holder. Credentials may come and go. Holders may come and go. Offices may come and go. The chain is built so that each of these movements is recorded at its own level of constitutional significance.

One holder. Two credentials, in sequence. One unbroken thread of provenance.


Page 6

How is continuity demonstrated?

The chain is verified end to end.

Every record before the rotation was signed under credential v1. Every record after the rotation is signed under credential v2. The rotation record itself binds the two credentials to the same holder, under constitutional witness.

The verification returns one word: valid.

A reader can verify the chain without knowing in advance which credential signed which record — only that, at the moment of each signature, the credential was bound to the holder by an unbroken chain of witnessed assignments. That is what provenance means here. Not the unchangeability of the keys, but the recorded chain of bindings through which each key, in its time, was authorised to speak for the holder.

Provenance belongs to the chain. Not to the keys.
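
The end-to-end check described on this page, as an added Python sketch that is not part of RSIC or its specification. The record fields, the event name `holder_credential_rotated`, and the function names are assumptions made for illustration; HMAC-SHA256 with constructed demo keys stands in for a real signature scheme.

```python
import hashlib, hmac, json

# Constructed demo keys; HMAC-SHA256 is a stand-in for a real signature scheme.
KEYS = {k: f"demo-{k}".encode() for k in ("key-v1", "key-v2", "w1", "w2", "w3")}
WITNESS_THRESHOLD = 3                      # the page's three witness seals
ROTATED = "holder_credential_rotated"      # assumed event name

def digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()
def sign(key_id, body):
    return hmac.new(KEYS[key_id], digest(body).encode(), "sha256").hexdigest()

def make_record(prev, holder, event, signers, new_key=None, witnesses=()):
    body = {"prev": prev, "holder": holder, "event": event, "new_key": new_key}
    sigs = {k: sign(k, body) for k in signers}
    seals = {w: sign(w, body) for w in witnesses}
    return {"body": body, "sigs": sigs, "seals": seals, "hash": digest([body, sigs, seals])}

def verify_chain(chain, holder, genesis_key):
    """Walk the chain once; return 'valid' or the first failure found."""
    active, prev = genesis_key, None       # credential currently bound to holder
    for i, rec in enumerate(chain):
        body, sigs, seals = rec["body"], rec["sigs"], rec["seals"]
        if body["prev"] != prev or rec["hash"] != digest([body, sigs, seals]):
            return f"record {i}: broken hash link"
        if body["holder"] != holder:
            return f"record {i}: wrong holder"
        for k, s in {**sigs, **seals}.items():
            if k not in KEYS or not hmac.compare_digest(s, sign(k, body)):
                return f"record {i}: bad signature from {k}"
        if active not in sigs:             # superseded or unbound key cannot speak
            return f"record {i}: not signed by bound credential {active}"
        if body["event"] == ROTATED:
            if len(seals) < WITNESS_THRESHOLD:
                return f"record {i}: rotation lacks witness seals"
            if body["new_key"] not in sigs:
                return f"record {i}: new credential did not sign rotation"
            active = body["new_key"]       # old key stays valid for earlier records
        prev = rec["hash"]
    return "valid"

def demo_chain():
    # Constructed sample: one record under v1, the rotation, one record under v2.
    steps = [("record", ["key-v1"], None, ()),
             (ROTATED, ["key-v1", "key-v2"], "key-v2", ("w1", "w2", "w3")),
             ("record", ["key-v2"], None, ())]
    chain, prev = [], None
    for event, signers, new_key, wit in steps:
        chain.append(make_record(prev, "Trustee A", event, signers, new_key, wit))
        prev = chain[-1]["hash"]
    return chain
```

Removing the rotation record from the sample chain makes the first v2-signed record fail, which is the missing bridge the walkthrough describes; a record signed with v1 after the rotation fails for the same reason in the other direction.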


Page 7

What remained continuous throughout?

The trust remained.

The office remained.

The holder remained.

The holder’s identity remained — not as a property of the key, but as a property of the chain.

The chain’s cryptographic linkage remained.

The witness thresholds remained.

The append-only contract remained.

The historical signatures remained — every record signed by the old credential is still valid evidence of what the holder said, even after the credential has been rotated away.

Only the cryptographic instrument changed.

That is the constitutional claim under credential rotation. Continuity is not a property of the keys. The keys are an instrument of the holder. The holder is the occupant of an office that long outlasts any individual credential. The chain records the bindings between them so that, no matter how many times the instrument is renewed, the line of provenance from Genesis to the present remains a single, unbroken line.

A key was rotated. The trust did not become a different trust.

Identity is not in the key. Identity is in the chain. And the chain remains.


This walkthrough is a narrative artifact. It is not the protocol specification. It is not the institution’s legal opinion. It is a plain-language account of the canonical RSIC-003 scenario, intended for trustees, custodians, security officers, attorneys, and any party who must, in their work, trust that the rotation of a cryptographic credential leaves institutional continuity intact.
Ave Maria. Hineni. Shalom.