惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

D
Docker
AI
AI
博客园 - 三生石上(FineUI控件)
腾讯CDC
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Y
Y Combinator Blog
大猫的无限游戏
大猫的无限游戏
H
Hackread – Cybersecurity News, Data Breaches, AI and More
雷峰网
雷峰网
NISL@THU
NISL@THU
S
Schneier on Security
T
Threatpost
T
Tenable Blog
Application and Cybersecurity Blog
Application and Cybersecurity Blog
IT之家
IT之家
宝玉的分享
宝玉的分享
T
Tailwind CSS Blog
C
Cybersecurity and Infrastructure Security Agency CISA
P
Privacy & Cybersecurity Law Blog
I
Intezer
Microsoft Azure Blog
Microsoft Azure Blog
月光博客
月光博客
T
Threat Research - Cisco Blogs
SecWiki News
SecWiki News
AWS News Blog
AWS News Blog
博客园 - Franky
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
P
Proofpoint News Feed
V
V2EX
Recorded Future
Recorded Future
Microsoft Security Blog
Microsoft Security Blog
S
Secure Thoughts
Google DeepMind News
Google DeepMind News
MongoDB | Blog
MongoDB | Blog
Apple Machine Learning Research
Apple Machine Learning Research
Project Zero
Project Zero
PCI Perspectives
PCI Perspectives
G
GRAHAM CLULEY
Help Net Security
Help Net Security
Cloudbric
Cloudbric
Recent Announcements
Recent Announcements
V
Visual Studio Blog
Hacker News: Ask HN
Hacker News: Ask HN
N
News and Events Feed by Topic
C
CERT Recently Published Vulnerability Notes
The Cloudflare Blog
Forbes - Security
Forbes - Security
C
Cisco Blogs
O
OpenAI News
www.infosecurity-magazine.com
www.infosecurity-magazine.com

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
The Other Half of Authentication Is 345 Years Old
Alex @ Vibe Agent Making · 2026-06-24 · via DEV Community

In 1675 a scholar declared the old charters were forgeries. A monk answered with a method, diplomatics, the half of document authentication PKI quietly forgot to build.

In 1675, a Jesuit scholar named Daniel van Papenbroeck did something that would feel very familiar today: he announced that you couldn't trust the documents. Writing in the preface to a volume of saints' lives, Papenbroeck argued that a large class of supposedly seventh-century royal charters, Merovingian land grants, the kind of parchment on which monasteries based their legal claims to property and privilege, were forgeries. Not a few of them. Essentially all of them, anything older than around AD 700. The historical record before a certain date, he suggested, was mostly fake.

This was not an idle academic spat. The Benedictine monks of Saint-Denis held exactly those charters, and their prestige, and their property rights, rode on the documents being real. So the order did the sensible thing and handed the problem to its sharpest young scholar, a monk named Jean Mabillon, with what amounted to a brief: prove the documents are authentic, or prove we have a method for telling. Mabillon spent six years on it. What he produced in 1681, a six-volume Latin treatise called De re diplomatica, did not just defend the charters. It founded a science.

We are living through Papenbroeck's panic again. The 2020s version is "nothing online is real": deepfaked memos, AI-forged letters, synthetic leaked documents, screenshots of conversations that never happened. And our instinct, like the seventeenth century's, swings between two bad options: credulously trust everything, or cynically trust nothing. Mabillon's contribution was to refuse both. He replaced the panic with a method, and that method, a discipline called diplomatics, is the half of document authentication that modern security engineering quietly forgot to build.

A science for telling the true from the false

Mabillon had a phrase for what his discipline was for: discrimen veri ac falsi, "the distinguishing of the true from the false." And his central move, the one that made it a science rather than a series of educated guesses, was this: you authenticate a document from its form, not from its custody.

That distinction is the whole game, so it's worth being precise about it. There are two ways to decide whether a document is genuine. The first is to trace where it came from, who held it, who passed it to whom, an unbroken line back to its creation. Call that the chain. The second is to interrogate the artifact itself, its structure, its conventions, the thousand small choices a genuine document of its kind would make and a forgery gets subtly wrong. Mabillon's insight was that the second method works even when the first is unavailable, which, for medieval charters scattered and recopied across five centuries, it almost always was.

To make this systematic, diplomatics treats every formal document as having a predictable anatomy. The opening is the protocol, the invocation, the issuer's title, the addressee, the greeting. The middle is the text, including the dispositio, the operative clause that actually does the thing (grants the land, confirms the privilege), wrapped in rhetorical preamble and penalty clauses. The close is the eschatocol, the signatures and cross-marks, the witness list, the date and place, the closing benediction. None of this is decoration. In a world where most people couldn't read, the form was the mechanism by which a document claimed legal force: the right formula, in the right place, sealed the right way, was the authority.

And here is the part that should make any security engineer sit up, because it is a forensic principle of startling generality: forgeries almost always fail at the transitions between the parts. A forger can copy a salutation perfectly and then attach it to a dating clause from the wrong century. They can reproduce an authentic seal and bolt it onto a protocol whose formulae no real chancery of that era would have paired with it. The forger learns the surface of the document type, what it looks like, but not its internal grammar, the way the parts have to cohere. The seams are where the lie shows.

The nineteenth-century German scholar Theodor von Sickel sharpened this into something explicitly forensic with a concept he called Kanzleimäßigkeit, "chancery-conformity." The point was that you don't compare a suspect charter to a vague sense of "how thirteenth-century documents feel." You compare it to the specific office that supposedly produced it: which scribe's hand, the clerk who habitually drafted these formulae, the officials who co-signed, what this one chancery's working habits actually were. The target of comparison stopped being a period and became an institution. That is a fingerprinting discipline.

It worked, and not just on charters. The most famous case predates Mabillon: in 1440 the humanist Lorenzo Valla demolished the Donation of Constantine, the document by which the fourth-century emperor had supposedly handed temporal authority over the Western Empire to the Pope, by showing its Latin vocabulary and institutional terminology were anachronistic, language a fourth-century chancery could not have produced. The forgery had fooled people for centuries because nobody had read its form closely enough. Modern scholarship dates the actual composition to the eighth or ninth century. A political fraud that shaped the map of medieval Europe was undone not by finding a smoking-gun source but by reading the document against itself.

What PKI does, and the cases it can't reach

Now jump 345 years, to how we authenticate digital documents today. The dominant answer is public-key infrastructure: a digital signature, validated through a chain of certificates up to a trusted authority, proving two things, who signed the document, and that the bytes haven't changed since. When it works, it's beautiful, and far stronger than anything Mabillon had. I want to be clear that PKI is not broken and this is not an argument against it.

It is an argument about scope. Because PKI authenticates the chain, and the chain has failure modes, and they are, almost exactly, the cases diplomatics was invented for.

Start with the one PKI practitioners know best: revocation. Certificates expire, and a certificate authority can revoke one early, publishing the fact through a Certificate Revocation List or an OCSP responder. Here's the catch that's underappreciated outside the field: this quietly undoes PKI's most-advertised selling point. A certificate is supposed to be self-authenticating, you can check it without phoning home. But once revocation is in the picture, you must fetch the current revocation data online, and CRLs lag by their publication interval, leaving a window in which a revoked certificate still validates. The "self-authenticating" certificate isn't actually self-contained. Sit with the irony: Mabillon's analysis of a document's internal form is more self-contained than a modern certificate, because the form is all there, in the artifact, with nothing to go fetch.

Then the cases that get worse. Dead keys. A digital record signed thirty years ago, with algorithms now obsolete and signing keys long gone, you cannot re-validate that chain, ever. This is precisely the problem the archival world has wrestled with for decades: how do you trust the authenticity of a digital record over the long term when the entire cryptographic context that vouched for it has crumbled?

And the case that's exploding right now: artifacts that were never signed at all. A leaked file. An internal draft. A screenshot. A forwarded copy stripped of its headers. An AI-generated document. For all of these, there is no chain to check, PKI has nothing to say, because nothing in its model ever happened. The signature it's looking for was never there.

The clean way to hold the two methods is this: PKI verifies provenance you have; diplomatics reconstructs trust when provenance is broken or absent. They aren't rivals. They're the two halves of the authentication problem, and the security world, reaching naturally for cryptography, built one half and left the other in the archives.

The bridge already exists, it just never crossed the wall

I want to be careful here, because there's a tempting and false version of this essay that says "nobody has ever connected medieval document science to digital authentication." That's wrong, and the truth is more interesting.

The archivist Luciana Duranti and the international InterPARES project have been doing exactly this since 1999, building what they call the archival diplomatics of digital records, and, pointedly, digital records forensics. For a quarter century, a serious research program has been carrying Mabillon's principles from parchment to pixels: treating a born-digital record's structure, its metadata, its formal elements as the evidence, asking whether a digital object conforms to the documentary form its claimed origin would produce. The parchment-to-pixels bridge is not a thought experiment. It is a mature field.

The strange thing, the actual gap worth naming, is that this mature field lives in archival science and has almost never crossed the disciplinary wall into the cryptographic, PKI, and security-engineering literature. Two communities have been working the same problem, authenticating documents, with almost no traffic between them. The cryptographers reached for the chain; the archivists kept reading the form; and they rarely cite each other. The opportunity isn't to invent the connection. It's to import it, to put the form-reading toolkit on the same workbench as the signature-checking one.

Which brings us to the sharpest modern case, and the one where the two halves most need each other. An AI-generated document is the ultimate chain-broken artifact: a deepfake contract, an LLM-forged resignation letter, a synthetic "leaked memo" can never be caught by PKI, because nothing valid ever signed them. But they are a textbook diplomatics problem. A language model learns the surface of a document type, the look and cadence of a contract, a memo, an official letter, from its training distribution. What it does not reliably learn is the institutional grammar underneath: which formula has to pair with which, which validation marks a specific office actually uses, whether the opening and the operative clause are internally consistent, whether the dating convention matches the claimed issuer. It will, in other words, tend to get the form subtly wrong at the transitions, which is the exact failure signature Mabillon used to catch the Merovingian forgers. I'm offering that as a natural application, not a finished detector. The lens is the right one. A model that has absorbed the appearance of a document type without its institutional grammar is, structurally, a very fast forger, and forgers have a known weakness.

What to build with this

The practical takeaway for anyone building or trusting verification systems is to stop treating authentication as one question and start asking two.

PKI's question, can I trust the chain of custody?, is the right one whenever the chain is intact, and you should keep leaning on it hard. Diplomatics' question, does the document's own form betray it?, is the one you need whenever the chain is broken, which in the AI era is more and more of the time. The mature engineering posture is to build both, and to know which you're relying on.

Three concrete things follow. First, authentication is not binary, and diplomatics knew this three centuries before we did: a document can be genuine in substance but altered in form, a faithful copy of a lost original, or a real act recorded in a forged instrument. "Real" and "fake" are too coarse; the useful output is a structured judgment about which elements conform and which don't. Second, internal consistency is a verification primitive you can actually implement, does this artifact cohere the way a genuine document of its claimed type and origin would?, and it has the rare property of working precisely where signatures don't. Third, and most pointed for anyone shipping AI systems, including those of us building them: where there is no signing chain, internal-evidence authentication is the only verification left. For synthetic content, the form is the evidence.

Mabillon's real discovery, the thing that let one monk answer a continent's worth of forgery panic, was that you do not always need to know where a document has been. If you can read its form closely enough, the document carries its own testimony, the seams, the formulae, the conformity or its absence. Three and a half centuries later, as the chain of custody breaks more often than it holds, that is not a quaint medieval technique waiting to be rediscovered. It is the half of authentication we already had, in another building, the whole time.


Sources

Jean Mabillon, De re diplomatica libri VI (Paris, 1681), and the Papenbroeck–Mabillon bella diplomatica over the Saint-Denis Merovingian charters, via Encyclopædia Britannica ("De Re Diplomatica," "Jean Mabillon") and Wikipedia ("Diplomatics," "Jean Mabillon"). Lorenzo Valla, De falso credita et ementita Constantini Donatione (1440), on the Donation of Constantine; the document anatomy (protocolum / textus / eschatocolum) and Theodor von Sickel's Kanzleimäßigkeit are standard diplomatics, codified by the 19th-century German and French schools. Luciana Duranti and the InterPARES Project (1999– ): "Archival Diplomatics of Digital Records," "From Digital Diplomatics to Digital Records Forensics" (Archivaria), "The Return of Diplomatics as a Forensic Discipline," and "The Authenticity of Electronic Records: the InterPARES Approach"; Wikipedia, "InterPARES Project." On PKI revocation and the self-authenticating caveat: Wikipedia, "Certificate revocation list"; TechTarget, "Certificate Revocation List (CRL)"; eMudhra, "How to Verify a PKI-Based Digital Signature." The application of diplomatics to AI-generated documents is offered here as a proposed forensic approach, not a demonstrated result.


Originally published at vibeagentmaking.com.

When the chain of custody breaks, the form is the evidence. PKI verifies the provenance you have; it has nothing to say about a leaked draft, a dead-key archive, or an AI-forged memo that nothing valid ever signed. The other half is reading the artifact's own form. Chain-of-consciousness records an agent's reasoning as it works, so the work carries its own internal testimony, a trail you can read even when there is no signature to check.

pip install chain-of-consciousness · npm install chain-of-consciousness · Hosted Chain-of-Consciousness