--- title: "Core Concepts" description: "Understand the foundational concepts behind XI Objects: provenance, trust chains, the XIO protocol, and content fingerprinting." published: 2026-02-18T18:06:35.020688+00:00 updated: 2026-02-18T18:06:35.020688+00:00 url: https://xiobjects.com/docs/xio/concepts source: XI Objects --- # Core Concepts This section introduces the key ideas that underpin XI Objects. Understanding these concepts will help you make the most of the platform. ## Provenance **Provenance** is the record of origin and history of a piece of content. In the digital world, provenance answers fundamental questions: - *Who created this content?* - *When was it created?* - *Has it been modified since creation?* - *Can authorship be independently verified?* XI Objects implements provenance through **trust blocks**, cryptographically signed metadata embedded directly in content. Trust blocks are tamper-evident: any modification to the content invalidates the Ed25519 signature. ## Trust Blocks The trust block is at the heart of how XI Objects proves provenance. When content is signed, a JSON trust header is embedded containing: - A **BLAKE3 hash** of the canonicalized content - An **Ed25519 signature** over the canonical bytes - The signer's **public key** and **key ID** - The **X.509 certificate chain** (leaf → intermediate → root) - A **timestamp** and **context string** identifying the signing purpose This makes every signed artifact self-contained. A verifier can check the signature, hash, and certificate chain without contacting the original signer. ## Trust Chains XI Objects uses a hierarchical certificate model rooted in the **Institute of Provenance Root CA**: ```mermaid graph TD A[Institute of Provenance Root CA] --> B[Control Intermediate CA] B --> C[Leaf Certificate] C --> D[Signed Content] style A fill:#582c7e,stroke:#7a4a9e,color:#fff style B fill:#1a1a2e,stroke:#7a4a9e,color:#e1d5b9 style C fill:#1a1a2e,stroke:#7a4a9e,color:#e1d5b9 style D fill:#0a0e1a,stroke:#ff3a00,color:#e1d5b9 ``` - **Institute of Provenance Root CA**: The root certificate authority and ultimate trust anchor (Ed25519, long-lived) - **Control Intermediate CA**: Intermediate certificates held by certified Orbital operators (Ed25519, multi-year validity) - **Leaf Certificate**: Short-lived certificates issued to content creators and services (hours to days lifespan) - **Signed Content**: Content with an embedded trust block carrying the full certificate chain ## The XIO Protocol XI Objects operates using a custom **DNS-like binary wire protocol**, not a traditional REST API. The protocol defines: - **Message format**: Header with transaction ID, flags, opcodes, and question/answer/authority/additional sections (structurally similar to DNS) - **Record types**: Standard types (A, AAAA, CNAME, TXT) plus XI Objects extensions: - `XIO` (65001): Signed data records - `Proof` (65002): Sparse Merkle Tree inclusion/exclusion proofs - `XSIGN` (65003): Signing metadata with certificate chains and attribution - `XFPR` (65004): Fingerprint records for content identity verification - **Opcodes**: `Query`, `Issue`, `Revoke`, `Proof`, `Head`, `Meta` - **Domain names**: Content and identities are addressed using `.xio` domain names with label-based hierarchical naming This protocol is transported over HTTP. Clients POST binary messages to Orbital nodes at the `/query` endpoint. ## Waveform-Based Fingerprinting Traditional cryptographic hashes (SHA-256, BLAKE3) change completely if even a single pixel is altered. XI Objects uses **waveform-based fingerprinting**, a dual-pipeline approach that produces transformation-resistant identifiers: | Operation | Cryptographic Hash Match | Spectral Fingerprint Match | |-----------|:---:|:---:| | Original image | ✅ | ✅ | | Resized to 50% | ❌ | ✅ | | JPEG compressed | ❌ | ✅ | | Screenshot | ❌ | ✅ | | Color-adjusted | ❌ | ✅ | | Cropped significantly | ❌ | ⚠️ Partial | | Completely different image | ❌ | ❌ | The fingerprint pipeline uses Luminance Waveform Analysis (LWA) for forensic manipulation detection and a discriminative pipeline for content identity matching, producing compact vectors that can be compared via cosine similarity. This allows XI Objects to identify content even after common transformations like compression, resizing, and format conversion. ## Cryptographic Primitives XI Objects uses a focused set of modern cryptographic primitives: | Purpose | Algorithm | Details | |---------|-----------|---------| | Digital signatures | **Ed25519** | High-performance elliptic curve signatures | | Content hashing | **BLAKE3** | Primary hash for trust blocks and content addressing | | Interop hashing | **SHA-256** | Optional, for compatibility with external systems | | Verifiable data | **Sparse Merkle Trees** | Proofs of inclusion/exclusion for certificate and record state | ## Verification When verifying signed content, XI Objects checks the full trust chain: 1. **Hash validity**: Recompute the BLAKE3 hash of the canonicalized content and compare to the trust block 2. **Signature validity**: Verify the Ed25519 signature against the public key 3. **Chain integrity**: Walk the X.509 certificate chain from leaf to the Institute of Provenance Root CA 4. **Revocation status**: Check that no certificate in the chain has been revoked 5. **Temporal validity**: Confirm the certificate was valid at the time of signing