Yes. There is no putting the genie back in the bottle.
> Then anyone can verify the provenance chain: Was this made by a human? Which AI created it? Has it been altered since creation? Who owns the rights to it?
Oops, seems like you are trying to put the genie back in the bottle.
---
What is the genie that got out?
*Trust*
What if someone tempered with the crypto? What if quantum starts breaking cryptography?
We will never, ever acquire trust in digital platforms again. It is bound to be ephemeral. That ephemeral part of it is what deus-ex-cryptos supporters don't understand. Maybe you can in fact fix the tech, but fixing the human minds is not going to work.
Consider me, for example. I'm an idiot in crypto. For me to trust it, I need to understand it completely. There is no way in hell I'm going to be able to learn all those algorithms, and no way in hell I'm going to inspect their implementations (it's too much work for a single person), and not doing that is not good enough for me anymore.
This brings back all the same cans of worms. Infiltrators in crypto implementations, bad actors, state influence.
So it's conceivable a non-currency blockchain could be a path forward.
In the old days, we had "signing parties" where your friends in meatspace would sign your key and that was robust. At least you know by N degrees of separation, if your friend had signed someone's key, then that someone was probably OK trust wise. Repeat for N degrees of separation on your keychain. That's "pretty good" trust with poor scalability.
We also had public key servers which would somehow link an email to a public key. I guess a key server could validate the email, so at least you know that email went with that key. And by reputation on the intertubes, you might infer a frequent committer (email) to some project seemed ok, so maybe you could trust them. Less trust with better scalability: keyservers and emails can always be pwned.
A blockchain is an immutable, global, ledger. Everyone knows what old entries were added by what key signing whatever payload; they're all cemented in there for the world to read. There's no way to un-publish an old entry. So I can put my pub key on there, then sign commits in my project with it. Now, you don't have to trust any email server or any keyserver: you can look at a new commit in that project, see who signed it, and then go find my key and earlier commits on that blockchain. You still don't know if I'm evil or not, but at least you know I'm the same signer of all the other commits.
