editorial: note durable-identifier hash permanence in Section 3

A rotation-surviving identifier is welded to its minting hash. State that
algorithm agility re-mints new identifiers and artifacts but cannot
re-hash a live identity, whose forgery resistance rests on second-preimage
resistance, and that re-anchoring under a stronger digest is a Q20
interlock not built now. Closes the honesty gap on the SHA-256 default
without reopening the agility mechanism.

Signed-off-by: Chris Raynor <chris@raynor.tech>

Author: cbraynor

spec.md

@@ -81,7 +81,7 @@ The contract model treats four properties as independent axes. Implementations M
 | **Role** | What part does it play here? | A role defined by a steward, carrying a required interface and a declared safe state. Filled by binding an identity into it. | Schema is discoverable; the binding is granted, not discovered |
 | **Edge direction** | Which way does this capability flow? | A per-capability edge label (produce, consume, request-response). Not a node property. | Declared per capability |
 
-An identifier is **self-certifying** when, given the identifier and a live peer, possession of the corresponding private key is verifiable locally, with no registry or naming authority consulted. Whoever proves possession is the identified node, and nothing else can be; spoofing a name requires breaking the key or the digest, never capturing a registry. The construction is defined at its general shape, and the familiar simple forms are recovered as its degenerate (the degenerate-case law, Section 1). The general identifier is **rotation-surviving**. An inception event binds the initial key and pre-commits a digest of its successor. The digest of that event is the stable identifier, and a signed, hash-linked key-event log carries each later rotation forward, so the identity outlives any single key. The pre-commitment is load-bearing. An attacker who captures the current key cannot rotate the identifier, because the successor key is revealed only at rotation. A compromised key therefore buys impersonation for a bounded, recoverable window, never permanent capture of the identity, the same bound as Section 4.6.2. The degenerate forms drop the history. A named cryptographic **digest of the key**, supplied alongside the key for verification, is the rotation-surviving identifier with an empty history, and a deployment that will never rotate MAY collapse its inception event to the bare digest. A **raw encoded key** is the same with the digest elided, self-contained but welded to one key algorithm. The normative commitment is to the property, not to a pinned encoding. The construction family is fixed here, and the wire encoding and reference signature algorithm are fixed in Section 7.1; what remains open is the concrete byte encoding of the identifier, chosen together with the substrate (open question 11). The witness runs a degenerate form and a durable principal the general one, with no new identity code between them (Section 9.3 and open question 20).
+An identifier is **self-certifying** when, given the identifier and a live peer, possession of the corresponding private key is verifiable locally, with no registry or naming authority consulted. Whoever proves possession is the identified node, and nothing else can be; spoofing a name requires breaking the key or the digest, never capturing a registry. The construction is defined at its general shape, and the familiar simple forms are recovered as its degenerate (the degenerate-case law, Section 1). The general identifier is **rotation-surviving**. An inception event binds the initial key and pre-commits a digest of its successor. The digest of that event is the stable identifier, and a signed, hash-linked key-event log carries each later rotation forward, so the identity outlives any single key. The pre-commitment is load-bearing. An attacker who captures the current key cannot rotate the identifier, because the successor key is revealed only at rotation. A compromised key therefore buys impersonation for a bounded, recoverable window, never permanent capture of the identity, the same bound as Section 4.6.2. The degenerate forms drop the history. A named cryptographic **digest of the key**, supplied alongside the key for verification, is the rotation-surviving identifier with an empty history, and a deployment that will never rotate MAY collapse its inception event to the bare digest. A **raw encoded key** is the same with the digest elided, self-contained but welded to one key algorithm. The normative commitment is to the property, not to a pinned encoding. The construction family is fixed here, and the wire encoding and reference signature algorithm are fixed in Section 7.1; what remains open is the concrete byte encoding of the identifier, chosen together with the substrate (open question 11). A durable identifier is welded to the hash that minted it. Algorithm agility (Section 7.1) re-mints new identifiers and artifacts under a stronger hash, but it cannot retroactively re-hash a live identity, whose forgery resistance rests instead on the second-preimage resistance of its minting hash, the robust property that outlives broken collision resistance. Re-anchoring a durable identity under a stronger digest, by pre-committing the new-algorithm digest in the key-event log as key pre-rotation pre-commits the successor key, is an interlock with open question 20 and is not built now. The witness runs a degenerate form and a durable principal the general one, with no new identity code between them (Section 9.3 and open question 20).
 
 ### 3.1 Producer and consumer are per-edge labels