# VEX Issuer Directory and Trust

Issuer trust is a first-class input to VEX decisioning. The issuer directory defines *who* a statement is from, *how* it is verified, and *how* policy should weigh it.

## Issuer Identity

An issuer can be identified by:

- Stable provider IDs (connector/provider identifiers)
- Cryptographic identity (certificate chain, key identifiers, transparency inclusion proof) when available

Tenants may define allowlists for acceptable issuer identities and/or map issuers into trust tiers.

## Trust Tiers and Weights

Trust is commonly expressed as:

- **Tier label** (e.g., vendor, distro, internal, untrusted)
- **Weight/confidence** used by consensus/policy to break ties and set posture
- **Verification requirements** (e.g., signature required for `not_affected` gating)

## Offline Trust

Offline deployments must be able to verify issuer identity without network access:

- Trust roots and allowlists are bundled in the Offline Kit
- Signature verification and transparency proofs are evaluated against bundled material

## References

- `docs/16_VEX_CONSENSUS_GUIDE.md`
- `docs/modules/excititor/architecture.md`
- `docs/modules/vex-lens/architecture.md`