Verified trust is cryptographic, not a button

3 min read By NT²

If the app will not let you tap Mark verified, that is intentional. Trust in NT² is tied to events that can be checked, not moods that cannot.

The button you will not find

Some security products let you flag a contact as trusted because it feels good in the moment.

NT² does not offer Mark verified on the contact detail screen.

That surprises people who expect trust to work like a star rating or a blocked-list toggle you flip whenever you change your mind about someone.

The design choice is narrower: verified means the software has recorded a cryptographic proof event, not that you have decided someone is nice.

Human judgment still matters — enormously. The app just refuses to pretend your judgment is the same thing as a verified signing key relationship.

Three trust states, three different jobs

Each secure contact carries a trustState you can read but not manually promote:

| State | What it means in practice |
| --- | --- |
| Invite pending | You started an outbound invite; waiting for their side of the exchange. |
| Unverified | Their vault identity is on file, but the relationship has not yet earned a proof event NT² treats as verified. Review carefully before high-sensitivity shares. |
| Verified | A proof path completed — see below. Preferred for mnemonics, production keys, ID scans. |
| Blocked | New inbound from this contact stops; history you already accepted stays unless you remove it separately. |

Unverified is not an insult. It is honesty. "I know which vault this is" is not the same as "I have completed the checks I want before sending a seed phrase."

When verified actually happens

NT² sets verified only after one of these paths:

  1. Inbound invite accept — you confirm the fingerprint in the accept sheet and the invite carries a valid signature.
  2. Reciprocal completion — your pending outbound contact is completed by the counterparty's signed invite.
  3. Successful vault-to-vault share accept — you decrypt and import an encrypted share from a known contact through Inbox.

Notice what is missing: a settings switch, a long-press menu, or a "we've known each other for years" override.

That keeps the badge meaningful. Verified tells you a check happened that ties this contact row to a verified vault identity event — not that you should stop thinking.
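
The three proof paths above, modelled as a small state machine in Python; this is an added example, not NT²'s code. The `Proof` names, the allowed starting states, the fingerprint format and the `crypto_ok` flag (standing for the result of signature verification or share decryption performed by a crypto layer outside this sketch) are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum

class TrustState(Enum):
    INVITE_PENDING = "invite_pending"
    UNVERIFIED = "unverified"
    VERIFIED = "verified"
    BLOCKED = "blocked"

class Proof(Enum):  # the three paths listed above
    INBOUND_INVITE_ACCEPT = 1
    RECIPROCAL_COMPLETION = 2
    SHARE_ACCEPT = 3

# Assumption: the state each proof path is allowed to start from.
ALLOWED_FROM = {
    Proof.INBOUND_INVITE_ACCEPT: {TrustState.UNVERIFIED},
    Proof.RECIPROCAL_COMPLETION: {TrustState.INVITE_PENDING},
    Proof.SHARE_ACCEPT: {TrustState.UNVERIFIED},
}

def fingerprint(signing_key: bytes) -> str:
    # Assumed format: first 32 hex chars of SHA-256 over the public key bytes.
    return hashlib.sha256(signing_key).hexdigest()[:32]

def _normalize(fp: str) -> bytes:
    # Accept "AB12 CD34 ..." or "ab12:cd34:..." as typed or read aloud.
    return "".join(fp.replace(":", " ").split()).lower().encode()

@dataclass
class Contact:
    name: str
    signing_key: bytes
    _state: TrustState = TrustState.UNVERIFIED

    @property
    def trust_state(self) -> TrustState:  # readable; no setter exists
        return self._state

    def apply_proof(self, proof: Proof, crypto_ok: bool, confirmed_fp: str = "") -> bool:
        # Promote to VERIFIED only if every check for this path passes.
        if self._state not in ALLOWED_FROM[proof] or not crypto_ok:
            return False  # blocked, wrong starting state, or failed signature/decrypt
        expected = fingerprint(self.signing_key).encode()
        if proof is Proof.INBOUND_INVITE_ACCEPT and not hmac.compare_digest(
                _normalize(confirmed_fp), expected):
            return False  # the fingerprint the user confirmed does not match the key
        self._state = TrustState.VERIFIED
        return True
```

Because `trust_state` is a read-only property, the only route to `VERIFIED` is `apply_proof`, which mirrors the missing button.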

Why vibes are a weak trust layer

Display names are user-chosen. Chat headers are spoofable. Email addresses get compromised.

A signing key fingerprint confirmed out-of-band is a different kind of anchor. It connects "the person I mean" to "the vault that signed this package" in a way NT² can re-check on every inbound message.

This is where Vault Key DID identity meets interpersonal trust. The DID article explains the infrastructure; this post is about the social habit on top:

  • Confirm fingerprints on a call or in person before high-stakes shares.
  • Treat unverified contacts as "identity saved, proof incomplete."
  • Do not ask software to replace a conversation you were going to have anyway.

Verified is not permanent trust

Even a verified contact does not auto-accept future shares. Inbox still asks accept or decline. Share still selects fields. Block still exists when a relationship ends.

Verified means the relationship crossed a proof threshold NT² can record. It does not mean "trust forever" or "send everything."

For ending trust deliberately, read When trust should end.

How this fits the series

Contacts name the relationship (Secure contacts are trust relationships). Reciprocal invites make it two-way (One-way invite, mutual trust). Verified states record proof without a fake button — this post.

Next: three sharing modes and three trust models in Three ways to share, three kinds of trust.

For identity under the hood, see Threshold Vault and Key DID. Follow the RSS feed.

Last updated 2026-10-31
