Life is hard, have a token.
By Jay Kuri
2025-10-08
OR - Tokens, Not Keys: A Better Way to Think About Digital Trust
When people first see Vouchsafe, it’s natural to compare it to familiar systems like PGP, PKI, or even DIDs; after all, they use the same terms: keys, signatures, identity.
Unfortunately, while the comparison is natural, it is also misleading. Vouchsafe’s model of trust is different, and today I’ll show you how.
How Traditional Systems Think About Trust
In PKI or GPG, trust is bound to a key. If you trust the key, you’re essentially saying:
- “I trust this person, for anything, indefinitely - unless I explicitly revoke it.”
This is almost never what we actually want, so to be useful, two things happen:
1) Every ecosystem must bolt on its own special rules to limit the scope of trust. The Arch User Repository trusts keys only for publishing. Debian maintainers have their own policies. Email encryption invents its own webs of trust.
2) Revocation of trust becomes central. You have to be able to cancel the trust… which is why PKI needs global CRLs and responders.
In other words, the primitives (keys, identities) are the same everywhere, but the way trust is applied is different every time.
How We Actually Trust
In everyday life, we rarely trust people “for everything, forever.”
Instead, we trust people in specific situations:
- A valet can park your car at the hotel right now.
- A babysitter can watch your kids tonight.
- A contractor can remodel your kitchen, not walk in anytime.
In other words, trust is scoped, temporary, and renewable.
Vouchsafe: Trust Lives in Tokens
Vouchsafe’s model maps more closely to the model we use in real life.
Instead of keys being the basic unit of trust, tokens are.
What that means is that with Vouchsafe you don’t say “I trust this person forever”; you say “I trust this token, for this purpose, for this precise period of time.”
To continue our earlier valet example, the valet issues a “park Alice’s car” token and Alice vouches for it for 5 minutes. This means the valet is trusted to drive the car for that precise period of time and no longer. Alice doesn’t have to revoke the trust, because it expires automatically and relatively quickly.
This works because:
- A token says: who issued it, what it’s for, and how long it lasts.
- Identities are URNs, cryptographically bound to keys.
- Tokens can be vouched for, delegated, or revoked - all explicitly, all cryptographically.
- And when the time’s up, the token naturally expires.
Built-In, Not Bolted-On
In PKI and GPG, scoped trust isn’t part of the design; it’s something every ecosystem has to invent for itself.
- The Arch User Repository limits keys to package publishing.
- Debian maintainers have their own signing rules.
- Email tools bolt on webs of trust.
Each solution is different because the primitive (a forever-valid key) doesn’t provide scope by itself.
With Vouchsafe, scoped trust is built in.
- A token already says who issued it, what it’s for, and when it expires.
- Delegation and revocation are explicit and standardized.
That means trust isn’t an ad-hoc policy anymore; it’s part of the token. Every system can express trust in the same, portable language, instead of reinventing the rules.
Why It Matters
By centering trust in tokens, Vouchsafe makes digital trust behave more like real trust:
- Scoped: meaningful for a specific purpose.
- Temporary: naturally expires, no global revocation needed.
- Portable: tokens move across systems as self-contained bundles.
- Offline: everything you need to verify is in the token itself.
A Better Mental Model: SSH Keys++
We’ve talked about what doesn’t match the Vouchsafe model, but there is a better match that you are already familiar with: SSH keys.
With SSH keys:
- You generate multiple keys, each for different contexts (work, GitHub, personal).
- You decide which keys to trust for which servers.
- There’s no central authority; trust is configured locally.
- Keys can be rotated or dropped without breaking your entire identity.
That’s already much closer to Vouchsafe than PKI is.
But Vouchsafe is SSH keys++:
- General-purpose trust. Not just for logging into machines, but for any context where scoped trust matters.
- Tokens, not just keys. Each signed token says who issued it, what it’s for, and when it expires.
- Built-in delegation. Alice can vouch for Bob’s token; Bob can vouch for Carol’s.
- Expiration by default. Trust ends naturally, no manual cleanup.
- Self-contained verification. Everything you need is in the token itself - even offline.
If SSH was the leap from passwords to per-context keys, Vouchsafe is the leap from raw keys to portable, renewable trust tokens.
There is too much, let me sum up.
What Vouchsafe does is shift the primitive of trust from keys to tokens. That one change makes digital trust line up with how real trust works: scoped, temporary, renewable, and easy to communicate. Instead of every ecosystem reinventing its own way to express limited trust, Vouchsafe provides a simple, standardized envelope. You still decide who you trust and what you trust them for, but now you can say it in a way that anyone can verify, anywhere, even offline.