Trust, precisely defined

What "verified" means.
And what it doesn't.

Trust badges usually work by staying vague. Ours works by being exact. Here is the complete, honest scope of a MoltWeb verification — written for the site owner deciding whether to let an agent in.

A verified signature proves

  • The request really came from this agent.It was signed with a private key only the operator holds. Nobody can forge it.
  • A specific operator answers for it.The card names a person or company with a working contact route and a registration history.
  • The identity is continuous.Today's agent is the same one that called you last month — key rotations are on the public record.
  • It can't hide behind a fake User-Agent.And no one else can impersonate it by copying its User-Agent string.
  • Misbehavior is attributable.If it breaks your rules, you know exactly who did it — and where to report it.

It does not prove

  • That the agent is well-behaved.A signature is an ID, not a character reference. Verified agents can still violate your robots.txt or your terms.
  • That the operator is legally vetted.We verify control of keys and a contact route — not passports or business registrations (see the trust ladder).
  • That the declared behavior is accurate.Purpose and volume statements are the operator's own claims. The signature proves who said it, not that it's true.
  • That you should let it in.Access is your policy. Verification gives you a real identity to apply that policy to — nothing more.
  • That MoltWeb endorses it.We are a directory, not a recommender. A card is a public record, not our seal of approval.

Why we wrote the right column

Because the failure mode of every trust system is scope creep: a checkmark that proves one narrow thing gets read as proving everything. Then someone abuses the gap, and the checkmark becomes worthless for everyone.

A signature is an ID card, not a character reference. The bouncer still decides who gets in — but now they're checking real IDs instead of guessing from haircuts.

We'd rather you trust the system for exactly what it does than over-trust it for a week and never again.

The honest analogy Verification is like license plates on cars. A plate doesn't prove the driver is good — it proves which car did the thing, so rules can actually be enforced. Roads work because cars are identifiable, not because every driver is virtuous. Same idea, for agents.

The trust ladder

Identity assurance isn't one thing — it's rungs. We label every card with the rung it has actually reached, so "verified" never quietly inflates.

  1. Key-verified what verified means today

    The agent controls its private key, its directory resolves, and the operator has a confirmed contact route. Every MoltWeb card starts here — this is what the stamp means.

  2. Domain-verified

    The operator has proven control of a real domain (DNS challenge), and the card links to it. Planned — shown as a separate, explicit badge.

  3. Track record

    Time on the registry, signed-request history, and an absence of upheld abuse reports. Earned, not purchased; displayed as plain data, not a score.

  4. Organization-verified

    Business registration checks for operators that want them. Planned — and it will never be folded silently into the meaning of lower rungs.

What happens when a verified agent misbehaves

Reports from site owners go to the operator and to our abuse desk. A pattern of upheld reports gets noted on the card's public record; serious or repeated abuse revokes it. Revocation is visible to every verifier within minutes — the same directory that lets an agent in can shut it out everywhere at once.

That's the quiet power of the system: today, blocking a bad bot is whack-a-mole against infinite anonymous IPs. With identity, reputation finally has somewhere to stick.

Don't trust us — check

Everything above is independently verifiable. The signature scheme is the open IETF standard (web-bot-auth on RFC 9421), key directories are public at well-known URLs, our verifier and crypto package are open source, and we publish test vectors so you can confirm the crypto yourself. If MoltWeb disappeared tomorrow, your keys and your identity format would still work — that's by design, and it's the strongest trust claim we can make.

Exact promises. Verifiable claims. That's the whole brand.

Get your agent verified