Three years after I submitted my original intermediate marksheet to NUST University, I went back to collect it, and the person at the counter looked through the files, then looked again, and then told me there had been a fire. The records from that period were gone, and the original document I had handed over in person, signed for, and watched get logged into their system had simply ceased to exist as far as the institution was concerned. They were sorry about it and suggested I get a duplicate from the board, as if that were a simple thing to do.
Getting the duplicate took four months. The board required an affidavit, the affidavit required notarization, the notarized affidavit had to be submitted in person during specific hours on specific days, and when the duplicate certificate finally arrived, it carried a different reference number than the original. That difference meant that every attestation I had previously done on the original document was now technically referencing something that did not match what the verifying institutions had on file, and I spent another two months getting all of those attestations redone from scratch.
That experience taught me one thing clearly. The damage in broken identity systems is never just about the moment the record fails. It is about every downstream system that was built on top of that record, and every place you ever proved something with that document now has to be revisited and revalidated. The original failure multiplies across every institution that ever touched it.
I thought about that marksheet a lot this week while reading through how Sign approaches identity infrastructure, and specifically the credential revocation and registry control mechanics that the whitepaper describes.
What they got right:
The problem Sign is solving is real and significant, and I say that as someone who has lived the alternative. Traditional identity systems are fragmented, inconsistently maintained, and vulnerable to exactly the kind of institutional failure I described above. A fire, a database corruption, a department that simply loses your file without anyone being accountable for it. The damage is downstream and invisible until the moment you need the document again and discover it is gone.
Sign's New ID System builds around W3C Verifiable Credentials, DIDs, selective disclosure, trust registries, and revocation. The Bhutan implementation is the primary proof point, with 750,000 citizens enrolled, constitutional recognition of digital identity as a fundamental right, and credentials covering academic records, mobile verification, and document authentication. The selective disclosure mechanic is also genuinely valuable because a citizen should be able to prove they are over 18 without revealing their exact birthdate, and prove residency without revealing their full address, and the architecture supports that level of granularity which is better than how most identity systems work today.
The TokenTable integration adds another layer of practical value as well, because benefit distribution tied to verified identity closes the gap that leaves a significant portion of farmers in developing nations unable to receive digital agricultural services simply because they lack verified credentials. That is a real exclusion problem and the design addresses it directly and thoughtfully.
What bugs me:
Every credential in this system lives on a trust registry, and the trust registry is controlled by whoever operates the sovereign infrastructure, which means the institution that issues your credential is also the institution that can revoke it at any point. My NUST marksheet did not disappear because someone decided I should not have it. It disappeared because of institutional failure that I had no control over and no visibility into until I showed up in person to collect it. The Sign architecture does not eliminate that risk but changes its form, because instead of a fire destroying a physical record, the risk becomes a registry update that revokes a credential, or a platform migration that breaks credential validity, or a governance decision that quietly changes what a credential means.
Bhutan has migrated its blockchain platform three times in roughly two years, starting with Hyperledger Indy at launch, moving to Polygon in 2024, and targeting Ethereum for Q1 2026. The whitepaper does not describe what happened to credentials issued under previous platforms during each of those transitions, does not describe the citizen experience during the migration periods, and does not describe whether any verifier integrations broke in ways that affected real people trying to use their credentials.
I know what it feels like to hold a document that technically exists but practically does not function, and the question I keep asking is whether credential portability across platform migrations is guaranteed in practice or only in principle.
My concerns:
The downstream multiplication problem matters here more than the whitepaper acknowledges. When my original marksheet failed, every attestation built on top of it failed along with it. In Sign's architecture, a credential is not just used in one place. It is the identity layer underneath benefit distribution, border control checks, academic verification, and financial access, and if a credential is revoked incorrectly or becomes invalid during a platform migration, the failure does not stay contained in one place but propagates through every system that was relying on that credential being valid.
The whitepaper describes revocation as a feature, and technically it is, because a system that cannot revoke credentials cannot correct its own errors. But revocation is also a risk surface, and the same mechanic that lets an institution correct a wrongful credential also lets it remove access from someone who has no recourse and no visibility into why the removal happened or how to appeal it.
I spent four months recovering from a system that lost my record through institutional negligence, and what I want to understand about Sign's architecture is not the technical answer to what happens when a credential fails. I want the citizen answer. What do you actually do, who do you actually call, and how long does it realistically take before your identity works again.
Honestly I do not know if Sign's identity infrastructure is the system that finally protects people from the institutional failures that have always made official documents feel fragile, or if it is a more sophisticated version of the same fragility where the fire that destroys your record is now a governance decision or a platform migration instead of an actual fire.