7503c19b8f
- Implemented comprehensive tests for verdict artifact generation to ensure deterministic outputs across various scenarios, including identical inputs, parallel execution, and change ordering. - Created helper methods for generating sample verdict inputs and computing canonical hashes. - Added tests to validate the stability of canonical hashes, proof spine ordering, and summary statistics. - Introduced a new PowerShell script to update SHA256 sums for files, ensuring accurate hash generation and file integrity checks.
34 lines
1.2 KiB
Markdown
34 lines
1.2 KiB
Markdown
# VEX Issuer Directory and Trust
|
|
|
|
Issuer trust is a first-class input to VEX decisioning. The issuer directory defines *who* a statement is from, *how* it is verified, and *how* policy should weigh it.
|
|
|
|
## Issuer Identity
|
|
|
|
An issuer can be identified by:
|
|
|
|
- Stable provider IDs (connector/provider identifiers)
|
|
- Cryptographic identity (certificate chain, key identifiers, transparency inclusion proof) when available
|
|
|
|
Tenants may define allowlists for acceptable issuer identities and/or map issuers into trust tiers.
|
|
|
|
## Trust Tiers and Weights
|
|
|
|
Trust is commonly expressed as:
|
|
|
|
- **Tier label** (e.g., vendor, distro, internal, untrusted)
|
|
- **Weight/confidence** used by consensus/policy to break ties and set posture
|
|
- **Verification requirements** (e.g., signature required for `not_affected` gating)
|
|
|
|
## Offline Trust
|
|
|
|
Offline deployments must be able to verify issuer identity without network access:
|
|
|
|
- Trust roots and allowlists are bundled in the Offline Kit
|
|
- Signature verification and transparency proofs are evaluated against bundled material
|
|
|
|
## References
|
|
|
|
- `docs/16_VEX_CONSENSUS_GUIDE.md`
|
|
- `docs/modules/excititor/architecture.md`
|
|
- `docs/modules/vex-lens/architecture.md`
|