Who, and with what key
Two layers underpin everything above them and tend to be discussed least, because neither produces anything a reader can point at. One governs people. The other governs systems. Between them they decide who the whole estate actually answers to, which is why this is where power quietly settles.
Identity
Many people assume an intelligence estate revolves around its databases. It revolves around identity. The store holds the material; the identity layer decides who is allowed to reach into it, and that second question turns out to be the one that confers power.
The questions the layer exists to answer are mundane to state and expensive to enforce. Who are you. What role do you hold. Which compartments are you cleared for. Which operations are you attached to. What may you search, and what may you take away. A service of any size runs substantial machinery to answer these: certificate authorities and a PKI, smart cards and hardware tokens, privileged access management, and access control that is either role-based or, increasingly, attribute-based, so that reach can be narrowed by clearance, compartment, and posting at once.
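The difference between the two access-control styles named above, as an added example that is not part of the original page: a role-only check beside an attribute-based decision that narrows by clearance, compartment, and posting at once. The level names, the HARBOUR compartment, the postings, and all subjects and records are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed clearance ladder; the level names are assumptions for this example.
LEVELS = {"UNCLASSIFIED": 0, "RESTRICTED": 1, "SECRET": 2, "TOP_SECRET": 3}

@dataclass(frozen=True)
class Subject:
    name: str
    role: str
    clearance: str
    compartments: frozenset   # compartments the person is read into
    posting: str

@dataclass(frozen=True)
class Record:
    ident: str
    classification: str
    compartments: frozenset   # every one of these is required
    releasable_to: frozenset  # postings allowed to read the record

def rbac_allows(subject, record):
    """Role-only check: any analyst may read any record."""
    return subject.role == "analyst"

def abac_decide(subject, record):
    """Return (allowed, reasons). Every attribute must pass; unknown values deny."""
    reasons = []
    s_level = LEVELS.get(subject.clearance)
    r_level = LEVELS.get(record.classification)
    if s_level is None or r_level is None:
        reasons.append("unknown clearance or classification")
    elif s_level < r_level:
        reasons.append("clearance below classification")
    missing = record.compartments - subject.compartments
    if missing:
        reasons.append("not read into: " + ", ".join(sorted(missing)))
    if subject.posting not in record.releasable_to:
        reasons.append("posting not on release list")
    return (not reasons, reasons)

# Constructed sample data: three analysts who hold the same role.
ANALYST_A = Subject("a", "analyst", "SECRET", frozenset({"HARBOUR"}), "city")
ANALYST_B = Subject("b", "analyst", "TOP_SECRET", frozenset(), "city")
ANALYST_C = Subject("c", "analyst", "SECRET", frozenset({"HARBOUR"}), "outstation")
REPORT = Record("r-001", "SECRET", frozenset({"HARBOUR"}), frozenset({"city"}))

if __name__ == "__main__":
    for s in (ANALYST_A, ANALYST_B, ANALYST_C):
        print(s.name, rbac_allows(s, REPORT), abac_decide(s, REPORT))
```

All three analysts pass the role check, but only the first passes the attribute check; the returned reasons are what an audit log would record for each denial.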
For the city, the identity layer has a civic face. The Office’s vetting record is the disclosure boundary made administrative: before it, a person is a private citizen with a hobby; after it, the same person is a cleared source with a formal relationship and a compartment they may read. The record is the token. The clearance is the attribute. The capacity to decide who may do what can be worth more than the storage it governs.
Key management
If identity governs people, cryptography governs systems, and the two questions rhyme. The ordinary components are hardware security modules, a national cryptographic authority, key escrow, certificate infrastructure, and the distribution arrangements that get keys to where they are needed without losing custody of them on the way.
The reason sovereignty arguments keep circling back to keys is that control of the keys can decide who ultimately controls access, regardless of who owns the hardware. The city states this more plainly than most, because its rented compute comes as golems, and a golem works because of the word in its head. Whoever holds the word holds the golem. Location is not control: a golem standing in a yard inside the walls is still a Trust golem if the word was written under the Trust’s arrangements and the Trust can, in principle, read it.
This is why the periodic announcements of a sovereign arrangement are rarely about moving work off Golem Trust Computing and almost always about who gets to hold the word once it is there: the keys kept locally, the logs kept locally, the right to speak to the golem narrowed to people the city has chosen. The compute barely moves. The custody does, and the custody is the part that was ever sovereign.