# Crypto profiles and trust

StellaOps supports regional crypto profiles and offline trust roots. Profiles
control signing algorithms, verification rules, and provider selection.

Crypto profiles
- Compliance profile id: world, fips, gost, sm, kcmvp, eidas.
- Provider registry selects preferred crypto implementations.
- Simulation mode provides a remote signer for pre-certification testing.

Trust and signing
- DSSE is the default for bundle manifests and attestations.
- Trust roots are distributed in RootPack snapshots for offline validation.
- Optional TUF metadata can be bundled in sealed environments.

Signed time anchors
- Offline time anchors include issuedAt, notAfter, and signature.
- Time anchors are verified locally against trust roots.

Rotation
- Rotate roots with overlapping validity windows.
- Ship new roots in the next offline bundle and re-sign manifests.
- Maintain audit logs for rotation events.

Evidence expectations
- JWKS exports for active providers.
- Fixed-message sign and verify logs for audit trails.

Related references
- docs/security/crypto-profile-configuration.md
- docs/security/trust-and-signing.md
- docs/security/crypto-simulation-services.md
- docs/security/crypto-compliance.md
- docs/airgap/staleness-and-time.md