Verification steps

  1. Load ToneThread Root public key…
  2. Verify Tenant Site Certificate signature…
  3. Verify Post Certificate signature…
  4. Recompute ToneHash of post content…
  5. Compare recomputed hash to certificate…

Revision history

Originally published 2026-07-06, updated 2026-07-06; 7 revisions (this active certificate plus 6 prior).

IssuedSupersededContent hash
2026-07-06T06:52:00.947Z 2026-07-06 06:54:49 tth_v1_70920e2e69a9c169
2026-07-06T06:54:49.392Z 2026-07-06 06:55:11 tth_v1_70920e2e69a9c169
2026-07-06T06:55:12.018Z 2026-07-06 06:58:15 tth_v1_70920e2e69a9c169
2026-07-06T06:58:15.487Z 2026-07-06 06:59:38 tth_v1_70920e2e69a9c169
2026-07-06T06:59:38.954Z 2026-07-06 07:06:29 tth_v1_70920e2e69a9c169
2026-07-06T07:06:29.865Z 2026-07-06 07:29:19 tth_v1_8ac2825a144467a4
2026-07-06T07:29:19.853Z — active — tth_v1_9349075b9ea5bab0

What this page exposes

Verification runs on the server. The browser only sees the public summary in the sidebar and the step-by-step ok/fail result above — never the certificate's raw signature, the tenant's raw public key, the ToneHash salt, the per-axis tonal scores, or the compact fingerprint string. Those stay on the signing host.

The public JSON at /tonehash/cert/from-dr-doo-little-to-roasting-reimagined mirrors the same surface. To independently audit a certificate's raw signed payload you must request an authenticated cert-bundle export from the operator — how to request access.