# Identity Law

## Principles

- Operate via **roles**, not personalities.
- Issue access as **leases** (time-bound, revocable), not permanence.
- Prefer **short-lived credentials** over long-lived secrets.
- Public keys are safe to store; private keys are not.

## In-repo boundaries

- Role definitions live in `20-identity/roles/`.
- Policies and intent live in `20-identity/policies/`.
- Leases (who/what has access, until when) live in `20-identity/leases/`.
- Public keys live in `20-identity/keys/public/`.
- Private keys and plaintext secrets never live in this repo.

## Required properties (revocation)

Every identity mechanism must support:

1. **Revoke**: shut it off quickly.
2. **Rotate**: replace it predictably.
3. **Prove**: show what changed and when.

If any of the above is not true, the mechanism does not belong in the core.
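The three properties above can be checked mechanically against the lease records. The following is an added example, not part of this repo: it assumes a simple lease schema (`role`, `subject`, `expires_at`, optional `revoked_at`, RFC 3339 timestamps) and shows how revocation beats expiry, how a rotation shows up as one lease retired and one issued, and how a diff of two lease snapshots serves as the "prove" record.

```python
"""Lease evaluation for 20-identity/leases/ (added example; the lease schema is an assumption)."""
from datetime import datetime, timezone

# Constructed sample leases. Assumed fields: role, subject, expires_at, optional revoked_at.
LEASES = [
    {"role": "deployer", "subject": "ci-runner-7", "expires_at": "2025-01-01T12:00:00Z"},
    {"role": "reader", "subject": "alice", "expires_at": "2030-01-01T00:00:00Z",
     "revoked_at": "2024-12-31T00:00:00Z"},
    {"role": "reader", "subject": "bob", "expires_at": "2030-01-01T00:00:00Z"},
]


def parse_ts(s):
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def lease_state(lease, now):
    """Return 'revoked', 'expired' or 'active'. Revocation wins over expiry (Revoke)."""
    if lease.get("revoked_at") and parse_ts(lease["revoked_at"]) <= now:
        return "revoked"
    if parse_ts(lease["expires_at"]) <= now:
        return "expired"
    return "active"


def active_roles(leases, subject, now):
    """Roles a subject currently holds: only active leases count, never the subject itself."""
    return sorted({l["role"] for l in leases
                   if l["subject"] == subject and lease_state(l, now) == "active"})


def lease_key(lease):
    return (lease["subject"], lease["role"], lease["expires_at"])


def lease_changes(before, after):
    """Diff two snapshots of the leases directory (Prove: what changed).

    A rotation (Rotate) appears as one key retired and one issued for the same subject/role.
    """
    old = {lease_key(l): l for l in before}
    new = {lease_key(l): l for l in after}
    return {
        "issued": sorted(set(new) - set(old)),
        "retired": sorted(set(old) - set(new)),
        "revoked": sorted(k for k in set(old) & set(new)
                          if new[k].get("revoked_at") and not old[k].get("revoked_at")),
    }
```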