§ 05 of 05 — Stage Five · Maintain
The four rooms before this taught how an identity is named, told apart from its namesakes, classified, and connected. This room is about what happens after — for decades — to keep that identity true. Names change. Records get corrected. Entities get merged, split, transliterated, and re-transliterated. Cataloging is not clerical work; it is the ongoing care of identity, meaning, relationships, and trust. Stage 5 walks one record's ledger of changes, then asks the harder question: what would it take to verify all this against something stronger than institutional reputation?
Each entry below is a real type of change a real authority record undergoes over its lifetime. The dates are anchored to public events where they are documented and are representative otherwise — what matters here is the shape of the stewardship work: who acts, what gets recorded, and why each kind of edit matters. Click any row to read the editorial note.
VIAF 27066711 · LC n79018049
Every entry below carries the sibling hashes needed to prove it is a member of this root. Expand any entry and click verify — the browser recomputes the root from the entry up the tree and confirms the match.
Curated · entries are real change-types; specific dates are anchored where public and representative otherwise
Live · Merkle root computed at build, verified in browser via SubtleCrypto
Each entry above is a piece of institutional labor performed for free, by people whose job titles do not say 'identity engineer'. The maintenance is what makes the identifier worth pointing at decades later. Without it, every persistent identifier is just a string that used to resolve.
Stage 1 introduced an entityMd5 — a content fingerprint OCLC publishes alongside each WorldCat entity, used by downstream consumers to detect when a record has changed. The fingerprint is a useful primitive but it is change-detection, not tamper-evidence — and it is computed by the same institution whose record it attests to. A verifiable trust layer would have to do three things the current architecture does not.
Every committed change to an authority record is signed by the cataloger's institution. The signature attests not just that the record changed but that a specific actor — LC, DNB, VIAF — endorsed the change. Verification no longer requires trusting the host. The signature is checkable against the institution's published key.
The ledger of changes is committed to a Merkle tree, with each new entry chained to the previous root hash. A consumer holding a recent root can prove that any earlier entry has not been silently rewritten — and the cluster's history becomes auditable end-to-end with the storage cost of a single hash.
Demonstrated above on Authority Arc's own ledger — try the verify button on any entry.
The Merkle roots are co-signed and replicated across multiple authorities — LC, DNB, VIAF, and any peer that wants to participate — so no single host can revise the past unilaterally. Stewardship becomes verifiable in the cryptographic sense, not just the reputational one.
None of this is exotic. The primitives are forty years old. What is missing is a deployment that takes institutional stewardship seriously enough to commit to it cryptographically — to say, here is what we changed, here is who changed it, here is the chain that proves we did not rewrite the past. The catalog is already keeping the records. The next layer is keeping the records keepable.
Amodern technology stack maintains its identifiers for as long as the company that owns them remains solvent. A library catalog maintains its identifiers for as long as the institution remains. The difference matters because the time horizons are different by orders of magnitude — and because the work to bridge that gap is done in public, by people who are usually not paid commensurate with the responsibility.
The premise of this arc has been that the discipline of cataloging is a kind of identity engineering — older than the web, broader in scope than most modern entity-resolution systems, and conducted under a much harder constraint: the answers have to stay true, not just locally correct. Stewardship is the part that does not show up on the page. The identifier on top of every record is the visible end of a promise that thousands of people, over decades, have agreed to keep.
If the modern era brings any improvement to this picture, it is not algorithmic. The cataloging work itself will not be automated; it requires judgment about evidence, and the evidence itself is unstructured human testimony. What modern primitives can offer is the layer beneath the work — a way to make the stewardship checkable, to chain the changes to a public log, to let a consumer in 2080 verify that a record they see today is the record their predecessor wrote, signed by the institution that wrote it.
The five rooms of this museum end here. What it is meant to leave you with is not a feeling that any of this is solved — none of it is — but a better sense of which problems are old, which are new, and which ones the field has been quietly thinking about longer than any of the names you would normally associate with them. The catalog is one of the longest-running working identity systems on the planet. It is worth knowing what shape it has.