Possession is the credential
Verified badges, JWTs and X.509 certificates resolve trust once and keep honoring the reference long after the reality behind it has moved.
A verified badge on a social platform authenticates a claim, not a person. On Mastodon, the software that runs infosec.exchange, profile verification works by checking a link. The account lists a URL, the linked page carries a link back to the profile with the rel=“me” attribute, and the system confirms the two references point at each other. When they do, the profile displays a verified marker. That marker asserts one thing and one thing only: at the moment the check ran, whoever controlled the profile also controlled the linked resource. It does not assert who that party is, and it does not assert that the relationship still holds an hour later.
The same shape governs the broader move toward client-side authentication that the platform, and the wider web, has been optimizing for. A JSON Web Token, defined in RFC 7519, is signed once at issuance and carries a set of claims about the bearer. The client holds it and presents it. The server reads the signature, checks the expiry, and admits whoever arrives holding a valid token. Under OAuth 2.0, the bearer token is the authorization: possession is the credential. The trust decision has been packaged into an artifact and handed to the edge, where it is read rather than re-derived. The system does not ask who is presenting the token. It asks whether the token is well formed.
This is what these systems are built to do. A verified badge, a rel=“me” match, a signed JWT, an OAuth bearer token are all the same class of object. Each is a reference to a decision made at a fixed point in time, retrieved and honored at a later one. The mechanism resolves the reference and returns a verdict. It is fast, it is deterministic, and it is exactly what the designers specified. The appearance of trust delegation is produced perfectly. Whether that appearance still corresponds to anything is a separate question the mechanism was never asked to answer.
The assumption underneath all of this is that a trust decision, once made, describes a stable fact. Verification was modeled as a property of the identity rather than a property of a moment. When Mastodon’s rel=“me” check succeeds, the result is stored and displayed as an attribute of the account, not as a timestamped observation that is already decaying. The badge does not say verified on the 3rd of a given month under these conditions. It says verified, present tense, indefinitely. Control of a domain was treated as durable, and the display of that control was treated as continuous.
The token model rests on the same premise. A JWT under RFC 7519 freezes its claims at the instant of issuance and asserts them for the full lifetime of the token. An OAuth 2.0 access token is honored on presentation regardless of what has happened to the underlying account, session, or relationship since the token was minted. Trust was treated as persistent, and it was treated as transferable across the states of the system. The conditions that justified the original decision are assumed to travel forward with the artifact, unchanged, because the artifact itself is unchanged. The signature still validates. Therefore the claim is still true. That inference is the entire foundation.
What this buys is scale. Re-deriving trust on every interaction is expensive, so the system substitutes a proxy: the presence of a valid reference stands in for the reality it was meant to describe. The proxy is cheaper to check, easier to cache, and simpler to distribute across clients. The design optimized for the cost of the check, and in doing so it fixed the answer in place. The reference persists. The reality it points at is free to move, and nothing in the mechanism is watching for it to do so.
What changed was not the mechanism and not the sophistication of anyone attacking it. What changed was the validity of the assumption. A platform that increasingly relies on client-side authentication is a platform in motion. Domains that passed a rel=“me” check expire and are re-registered by someone else. Accounts that earned a verified marker are sold, abandoned, or repurposed while the marker persists. A token issued under one set of conditions is presented under another. In each case the artifact is intact and the reality it references has quietly diverged. The signature still validates. The relationship it certified is gone.
The system did not re-evaluate any of this, because it was never built to. It inherited trust from a past state and carried it forward without asking whether that state still exists. A Mastodon instance does not re-run its verification on every render; it displays the stored result. An OAuth 2.0 resource server does not reconstruct the circumstances of issuance; it validates the token in front of it. The behavior is identical to the day the decision was made, which is precisely the problem. The world moved and the reference did not, so the reference now points somewhere the designers never intended.
That assumption, that a verified identity describes a stable and continuing fact, no longer holds. It did not hold gradually, and it did not announce that it had stopped holding. The badge still shows. The token still validates. The rel=“me” match, checked once, still returns true in the cache even after the domain on the other end has changed hands. The appearance of trust delegation is fully preserved. The validation that was supposed to sit behind it has expired without any signal, because the system measures the presence of the reference and has no channel through which reality can report that it has diverged from it.
The failure, when it arrives, is not a bypass. Nothing is broken into. When a client presents a JSON Web Token to an OAuth 2.0 resource server, the server reads the signature, confirms it was produced by the expected issuing key, checks that the expiry has not passed, and admits the request. Every one of those steps succeeds. The token is well formed, the signature is intact, the clock agrees. The server returns exactly the verdict it was built to return. What it validated was the reference: proof that some authority, at some earlier moment, signed this set of claims. What it did not validate, because it has no channel through which to validate it, is whether those claims still describe the relationship in front of it.
This is the substitution at the center of the model. Integrity of content was replaced by identity of source. Mastodon’s rel=“me” check does not establish whether the party behind the linked domain is the same party who set up the link; it establishes that the two references point at each other, and it establishes that once. The OAuth 2.0 server does not reconstruct why the token was issued; it confirms who signed it. In both cases the system verifies where the assertion came from and treats that provenance as a proxy for the assertion’s continued truth. The source is authenticated. The content is assumed. A signed artifact from a trusted issuer is honored on the strength of the signature, not on the strength of anything the signature certifies about the present.
From the outside, nothing distinguishes the sound case from the decayed one. A request carrying a valid JWT for an account that changed hands last week is byte-for-byte indistinguishable from one carrying a valid JWT for an account still under its original control. The badge renders identically whether the verified domain is still held by the same party or has been re-registered by a stranger. The resource server records a successful authorization in both cases, because in both cases the authorization succeeded. There is no error, no anomaly, no signal at the edge that reality has moved away from the reference. The system executed its expected behavior perfectly, and the expected behavior is the entire exposure.
The pattern is execution based on reference, not verification. A decision is made once and converted into a durable artifact. From that point forward the system acts on the presence of the artifact rather than re-deriving the decision. The reference is cheap to check and the decision is expensive to remake, so the reference wins, and the system’s behavior becomes a function of whether a token, a match, or a badge is present, never a function of whether the condition it stood for still holds.
The same mechanism runs underneath X.509 and the certificate validation that secures most of the web. A certificate is a signed assertion by a certificate authority that a given key belongs to a given name, valid until a stated expiry. A client presented with that certificate validates the signature chain up to a trusted root and checks the dates. That is a reference lookup: proof that a CA, at issuance, made a binding. The channel through which reality is supposed to report that the binding no longer holds, that the key was compromised and the certificate revoked, is revocation checking through a CRL or OCSP, and that channel is routinely cached, soft-failed, or skipped. So a revoked certificate keeps validating. The signature is still good. The CA already withdrew the trust, and the client, acting on the reference, never hears about it.
It is the same object as the verified badge and the bearer token, wearing different standards. In each case provenance is fixed in an artifact, the artifact is honored on presentation, and the mechanism that would report divergence is either absent or too slow to arrive in time. The domain changes hands, the account is repurposed, the key is compromised, and the reference sits unchanged, returning the verdict it was built to return. The universality is not a coincidence of these particular systems. It is what happens whenever a system resolves a reference instead of reverifying a condition, which is nearly everywhere trust has to scale.
The system resolves trust once. It does not revalidate, because revalidation was never the design. Resolution was.
The badge still shows. The token still validates. The certificate chain still checks. None of that describes the present. It describes a moment that has already passed.
The control exists. The outcome does not.
Keep Reading
systems driftCompiling Python to metal deletes your security boundary
Compiling Python 3.14 to native code removes the interpreter that revalidated logic on every run, collapsing continuous trust into a single build-time event.
security automationNot a pricing problem
Why security automation like Splunk SOAR and ML triage costs more than the engineer it replaced: systems execute on referenced trust, not verification.
OAuth 2.0Bearer tokens vouch for nobody
Alibaba's restriction of Claude Code exposes how OAuth 2.0 bearer tokens resolve a past verification instead of validating the entity acting now.
Stay in the loop
New writing delivered when it's ready. No schedule, no spam.