| That’s exactly the right framing — those questions matter. In many cases, a secure hash alone is enough to prove integrity (“this file hasn’t changed”).
The gap usually appears around time and independence. A hash answers what, but not always: when the hash existed, who can verify that claim later, or whether the timestamp depends on the same system that controls the data. In practice, people handle this today with a mix of: hashes stored in internal systems, logs, emails, screenshots, or third-party platforms. These work operationally, but during disputes or audits they often collapse back to “trust the system that says so”. The approach I’m interested in is minimal: hash the data locally, bind that hash to a point in time via an external, neutral timestamp, keep verification possible long after the fact, without access to the original system or data. Not as a legal silver bullet, but as a technical primitive: integrity + existence at time T, independently verifiable. Curious to hear what you’ve seen work reliably when trust in the original system is no longer assumed. |