@@ -111,7 +111,7 @@ echo "✅ Contract-signing key created (limited to signing only)"
111111```
112112
113113As we wrote previously: creating separate keys for separate purposes
114- limited the exposure if any key is compromised. Though it might usually
114+ limits the exposure if any key is compromised. Though it might usually
115115be difficult to manage a "bag of keys," XIDs make it easy because you
116116can register your keys there.
117117
@@ -133,7 +133,7 @@ echo "✅ Added attestation key to XID"
133133
134134#### Key Type Comparison
135135
136- This of course expands the set of keys that Amira has in use
136+ This of course expands the set of keys that Amira has in use.
137137
138138| Key Type | Purpose | Verified Against | Added In |
139139| ----------| ---------| ------------------| ----------|
@@ -233,8 +233,8 @@ echo "$CONTRACT_PUBKEYS" > envelopes/key-contract-public-4-01.ur
233233
234234#### XID Version Comparison
235235
236- The fourth version of Amira's XID adds a key, just like we did in
237- [ §2.1] ( 02_1_Creating_Self_Attestations.md ) .
236+ The fifth edition of Amira's XID adds another key, mirroring the work
237+ in [ §2.1] ( 02_1_Creating_Self_Attestations.md ) .
238238
239239| XID Version | New Content | Created In |
240240| -------------| -------------| ------------|
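Review bot: The new sentence at +236 calls this the "fifth edition" of the XID, but the heading two lines up is "XID Version Comparison" and the table column directly below is "XID Version". Keep one term, for example "The fifth version of Amira's XID adds another key", and confirm the rows of the table below count to five now that the ordinal has changed from fourth to fifth.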
@@ -272,22 +272,25 @@ BEN_XID_ID=$(envelope xid id "$BEN_XID")
272272echo "✅ Ben's XID created: $BEN_XID_ID"
273273```
274274
275- You should of course save a copy of this :
275+ You should of course save a copy of Ben's materials :
276276
277277```
278278echo "$BEN_XID" > envelopes/Ben-xid-private-4-01.envelope
279+ echo "$BEN_PRVKEYS" > envelopes/key-ben-private-4-01.ur
280+ echo "$BEN_PUBKEYS" > envelopes/key-ben-public-4-01.ur
279281```
280282
281283### Step 5: Create the CLA Document
282284
283- Though CLAs today are often signed as text files with GPG, Gordian
285+ Today, CLAs are often signed as text files with GPG, but Gordian
284286Envelope offers better integration of the signing process, which is
285287why Ben uses it.
286288
287- Ben's projects uses a standard Individual CLA, which he generates from
288- a shell script for each individual contributor. It's based on the
289- Apache 2.0 license. Ben keeps a local copy of the license and has also
290- created a hash of it.
289+ Ben's projects uses a standard Individual CLA basd on the Apache 2.0
290+ license that he generates from a shell script for each individual
291+ contributor. Ben keeps a local copy of the Apache 2.0 license that
292+ he's referencing and has also created a hash of it.
293+
291294
292295```
293296curl -q https://www.apache.org/licenses/LICENSE-2.0.txt > envelopes/license-apache-4-01.txt
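Review bot: The rewritten paragraph at +289 introduces a typo, "basd" for "based", and carries over the agreement error "Ben's projects uses" from the old text; suggest "Ben's project uses a standard Individual CLA based on the Apache 2.0 license". The extra empty line added at +293 also leaves two blank lines before the code fence. Separately, the new line at +279 writes "$BEN_PRVKEYS" into the same envelopes/ directory as the public key file, so a sentence saying that the private file must be kept private would fit the revised "save a copy of Ben's materials" lead-in.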
@@ -297,7 +300,7 @@ shasum -a 256 envelopes/license-apache-4-01.txt > envelopes/license-apache-4-01-
297300That hash is essentially a proof of the license: Ben can later offer
298301the license and show it hashes to the shasum he incudes in the
299302CLA. It's the same methodology as used to created commitments, but in
300- this case Ben is committing to the text of a file, mainly for legal
303+ ˜ this case Ben is committing to the text of a file, mainly for legal
301304clarity. (More on that in §4.2.)
302305
303306Ben's CLA includes a subenvelope with a clear definition of the
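Review bot: The replacement line at +303 begins with a stray "˜" character before "this case Ben is committing", which looks like an accidental keystroke and will render in the paragraph; the line should otherwise be identical to the one it replaces. While this paragraph is being touched, the context lines above still read "incudes" and "used to created", which could be fixed in the same commit.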
@@ -308,7 +311,8 @@ read hash filename < envelopes/license-apache-4-01-hash.txt
308311LICENSE=$(envelope subject type string "Apache-2.0")
309312LICENSE=$(envelope assertion add pred-obj known 'dereferenceVia' string "https://www.apache.org/licenses/LICENSE-2.0.txt" $LICENSE)
310313LICENSE=$(envelope assertion add pred-obj known 'date' string "2004-01-00T00:00-00:00" $LICENSE)
311- LICENSE=$(envelope assertion add pred-obj string 'contractHash' string $hash $LICENSE)
314+ LICENSE=$(envelope assertion add pred-obj string "contractHash" string $hash $LICENSE)
315+ LICENSE=$(envelope assertion add pred-obj string "hashAlgorithm" string "shasum256" $LICENSE)
312316```
313317
314318He also creates subenvelopes to provide details on both himself and BRadvoc8:
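Review bot: The value "shasum256" in the new hashAlgorithm assertion at +315 names the tool rather than the algorithm. The hash is produced earlier with shasum -a 256, which is SHA-256, so a verifier reading the envelope would expect "sha256" or "SHA-256" here. The same string appears in the two formatted outputs later in the diff and would need to change with it. Also, $hash and $LICENSE remain unquoted on both added lines, while the CLA lines elsewhere in the file pass "$CLA" quoted; quoting them would be consistent.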
@@ -320,7 +324,8 @@ CONTRIBUTOR=$(envelope subject type ur $XID_ID)
320324CONTRIBUTOR=$(envelope assertion add pred-obj known 'nickname' string "BRadvoc8" $CONTRIBUTOR)
321325```
322326
323- The CLA itself defines one of the modules for SisterSpaces:
327+ We're now ready to build the main CLA envelope. It starts by defining
328+ one of the modules for SisterSpaces:
324329
325330```
326331CLA=$(envelope subject type string "Individual Contributor License Agreement")
@@ -336,7 +341,7 @@ CLA=$(envelope assertion add pred-obj string "grantsPatentLicense" string "for c
336341CLA=$(envelope assertion add pred-obj string "contributorRepresents" string "original work with authority to grant license" "$CLA")
337342```
338343
339- It also incorporates the subenvelopes that Ben's script creates :
344+ It also incorporates the subenvelopes that Ben's script created :
340345
341346```
342347CLA=$(envelope assertion add pred-obj string "licenseType" envelope "$LICENSE" "$CLA")
@@ -362,11 +367,12 @@ envelope format "$CLA"
362367| "grantsPatentLicense": "for contributions containing patentable technology"
363368| "licenseType": "Apache-2.0" [
364369| "contractHash": "cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30"
370+ | "hashAlgorithm": "shasum256"
365371| 'date': "2004-01-00T00:00-00:00"
366372| 'dereferenceVia': "https://www.apache.org/licenses/LICENSE-2.0.txt"
367373| ]
368374| "project": "SisterSpaces SecureAuth Library"
369- | "projectManager": XID(59be46b6 ) [
375+ | "projectManager": XID(a80e2c23 ) [
370376| 'nickname': "Ben (SisterSpaces)"
371377| ]
372378| ]
@@ -378,7 +384,7 @@ For Amira, signing the contract is a simple application of her new contract key.
378384
379385### Step 6: Sign with Contract Key
380386
381- Amira stats out by dating her signing of the contract. The date isn't
387+ Amira starts out by dating her signing of the contract. The date isn't
382388verifiable, but it will be assured by BRadvoc8's signature. Afterward,
383389she wraps and signs as usual.
384390
@@ -416,7 +422,7 @@ simultaneously locking in the date as assured by the signer.
416422
417423## Part IV: Verifying a CLA
418424
419- Maintaing a standard workflow for a CLA ensures the maintenance of
425+ Maintaining a standard workflow for a CLA ensures the maintenance of
420426rights necessary to support open software. Here, we return to Ben's
421427point of view as he receives Amira's signed CLA and verifies that it's
422428OK.
445451
446452| ✅ One of the signatures verified!
447453| ur:envelope/lrtpsotansgylftanshflfaohdcxhleosstafpwzesmsaychonvtpfbztyytcmhfmonefluylabzgtcmbbpseycnzcuytansgrhdcxmwaycebgqdrslksogrrnhygmhtdthtctaymkuroxueptgtehvwzosgeyfnlepkfgoycscstpsojziajljtjyjphsiajydpjeihkkhdcxrfdnqztslsdelyrsttvlcwbsnnsscfnlzeuekscyjsssbyneehgtjncsmkinhpsfoycsfncsfdoefnmnhd
448-
449454```
450455
4514563 . Review contributor reputation (optional)
@@ -490,25 +495,27 @@ envelope format $SIGNED_ACCEPTED_CLA
490495| "grantsPatentLicense": "for contributions containing patentable technology"
491496| "licenseType": "Apache-2.0" [
492497| "contractHash": "cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30"
498+ | "hashAlgorithm": "shasum256"
493499| 'date': "2004-01-00T00:00-00:00"
494500| 'dereferenceVia': "https://www.apache.org/licenses/LICENSE-2.0.txt"
495501| ]
496502| "project": "SisterSpaces SecureAuth Library"
497- | "projectManager": XID(59be46b6 ) [
503+ | "projectManager": XID(a80e2c23 ) [
498504| 'nickname': "Ben (SisterSpaces)"
499505| ]
500- | 'date': "2026-03-25T11:14 -10:00"
506+ | 'date': "2026-03-31T08:23 -10:00"
501507| ]
502508| } [
503509| 'signed': Signature(Ed25519)
504510| ]
505511| } [
506- | "acceptedBy": XID(59be46b6 )
507- | 'date': "2026-03-25T11:46 -10:00"
512+ | "acceptedBy": XID(a80e2c23 )
513+ | 'date': "2026-03-31T08:27 -10:00"
508514| ]
509515| } [
510516| 'signed': Signature(Ed25519)
511517| ]
518+
512519```
513520
514521The final steps are bureaucratic:
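Review bot: The empty line added at +518, just before the closing code fence, is inconsistent with the earlier part of this commit, which removes exactly that kind of trailing blank line at -448 in the signature verification output. Drop the added line so both output blocks end the same way. The two 'date' values and the three XID(a80e2c23) replacements are consistent with each other and with the earlier output block.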