Proof of Human

Why I started cryptographically signing my work — and why you might have to eventually

Content is infinite now. The proof that a person made it is not.

The Floor Drops Out

When I decided to start publishing again, I looked into the current landscape. I already had a rough sense of it — AI-generated content has been everywhere for years — but the actual scale still landed harder than expected.

Automated pipelines are producing text, images, audio, and video at a volume no human can match. Content itself has become a commodity — not because quality doesn't matter, but because existence no longer confers value. A carefully written essay is indistinguishable at a glance from a thousand machine-generated approximations of the same thing. Content farms have poisoned the well for everyone.

The practical consequence: what you made matters less than proving you made it.


The Authorship Layer

This isn't a new problem — plagiarism and misattribution have existed forever — but the current situation is different in kind, not degree. It's no longer about one person stealing another's work. It's about a general collapse of the link between content and any human being at all. When the default assumption becomes "this was probably generated," the burden of proof inverts. The question stops being "is this stolen?" and becomes "is this real?"

Cryptographic signing solves this. Not perfectly, not forever — but better than nothing, and better than what most people are doing.


An Accidental Advantage

Living in Spain turns out to be useful here. All residents — Spanish nationals and foreign residents alike, anyone with a DNI or NIE — can get a free digital certificate from the FNMT-RCM, Spain's national mint and stamp authority. This isn't a novelty item. It has the same legal standing as a wet signature for interacting with public institutions, filing taxes, signing contracts.

The certificate is tied to your verified identity through an in-person vetting process. When you sign something with it, you're producing a legally valid signature that links you — the physical person who showed up with their passport — to that document. Most people use it to file taxes. I use it to sign my articles.


What C2PA Actually Does

The provenance standard I'm using is C2PA — the Coalition for Content Provenance and Authenticity, developed jointly by Adobe, Microsoft, the BBC, and others. Its output is called a Content Credential.

When I finish an article, I compile a record of its creation: voice recordings, transcripts, edit history — every meaningful step from raw dictation to final draft. C2PA turns this into a manifest, a structured list of assertions about who made the content, when, and how. Each piece of data gets hashed — a short fingerprint derived mathematically from the content, such that changing even a single character produces a completely different fingerprint. The manifest is then signed with my FNMT certificate.

Signing is not encryption — worth being precise. Encryption hides content. Signing is the opposite: it makes something publicly readable but tamper-evident. Anyone can inspect the manifest; if someone alters it, the signature breaks. The FNMT certificate chain — back to the Spanish state — gives it legal weight on top of the cryptographic proof.

Result: a file that says, in a form any C2PA-compatible tool can verify — this content was made by the person who holds this certificate, through these steps, at this time.


Nailing It to the Blockchain

One weakness remains in a pure C2PA setup: the timestamp. The FNMT certificate proves who signed it, but if the timestamp only lives inside the manifest, a determined adversary could argue the clock was manipulated. For that, I use OpenTimestamps.

OpenTimestamps anchors a document's existence to the Bitcoin blockchain — permanently, without trusting anyone. It takes the hash of my signed manifest, combines it with hashes from other documents being submitted around the same time into a structure called a Merkle tree, and records a single hash — the root of that tree — in a Bitcoin transaction. Once confirmed, the moment is locked. Nobody can go back and alter it.

My document doesn't appear on the blockchain — only a fingerprint of it, buried in a tree of other fingerprints. But that's enough: I can prove mathematically that my manifest existed at or before the block it's anchored to, and Bitcoin's timestamps come from the network itself, not from any party I'd need to trust.
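The inclusion proof described above, as an added example in Python (not the author's tooling, and not the real OpenTimestamps proof format): a constructed manifest is hashed into a small Merkle tree with other constructed documents, and the sibling path alone is enough to recompute the root. The function names and sample documents are assumptions made for illustration.

```python
import hashlib

# Constructed sample data: a stand-in for a signed manifest plus unrelated documents.
MANIFEST = b'{"title": "Proof of Human", "signer": "constructed-example"}'
OTHERS = [b"other doc A", b"other doc B", b"other doc C", b"other doc D"]

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build_proof(leaves: list[bytes], index: int):
    """Return (root, path) for leaves[index]; a step says how the sibling is joined."""
    level, path = list(leaves), []
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level) - 1, 2):
            left, right = level[i], level[i + 1]
            if i == index:
                path.append(("append", right))    # we are the left child
            elif i + 1 == index:
                path.append(("prepend", left))    # we are the right child
            nxt.append(sha256(left + right))
        if len(level) % 2:                        # unpaired last node is promoted as-is
            nxt.append(level[-1])
        level, index = nxt, index // 2
    return level[0], path

def verify(document: bytes, path, root: bytes) -> bool:
    # Simplified: no leaf/node domain separation, which a production tree design needs.
    h = sha256(document)
    for op, sibling in path:
        h = sha256(h + sibling if op == "append" else sibling + h)
    return h == root

def demo():
    docs = OTHERS[:2] + [MANIFEST] + OTHERS[2:]
    root, path = build_proof([sha256(d) for d in docs], docs.index(MANIFEST))
    tampered = MANIFEST.replace(b"Human", b"Humam")   # a single character changed
    return verify(MANIFEST, path, root), verify(tampered, path, root), len(path)

if __name__ == "__main__":
    print(demo())
```

Only the root would be recorded on-chain; the verifier needs the document, the path, and the root, and never sees the other documents.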

C2PA plus OpenTimestamps: who and when, in a form that doesn't rely on my say-so.


Where This Goes

C2PA is gaining traction. The EU AI Act, coming into full effect this year, requires disclosure labeling for AI-generated content — C2PA's AI assertion field is the natural mechanism. Samsung started integrating it into camera hardware last year. Adobe has been building it into Creative Cloud for a while.

Whether C2PA becomes the permanent solution is a different question. It's built on existing public key infrastructure (PKI) — the same certificate authority system underlying HTTPS — which carries its own trust assumptions and failure modes. The underlying problem it solves, anchoring authorship to a verifiable identity at a specific moment in time, isn't going away. Better tools will come, or at least different ones.

For now, this is what exists, and it's more than most people are using. The bar for proving human provenance isn't high yet. That's exactly why it's worth clearing early.