- Implemented comprehensive tests for verdict artifact generation to ensure deterministic outputs across various scenarios, including identical inputs, parallel execution, and change ordering.
- Created helper methods for generating sample verdict inputs and computing canonical hashes.
- Added tests to validate the stability of canonical hashes, proof spine ordering, and summary statistics.
- Introduced a new PowerShell script to update SHA256 sums for files, ensuring accurate hash generation and file integrity checks.
VEX Issuer Directory and Trust
Issuer trust is a first-class input to VEX decisioning. The issuer directory defines who a statement is from, how it is verified, and how policy should weigh it.
Issuer Identity
An issuer can be identified by:
- Stable provider IDs (connector/provider identifiers)
- Cryptographic identity (certificate chain, key identifiers, transparency inclusion proof) when available
Tenants may define allowlists for acceptable issuer identities and/or map issuers into trust tiers.
Trust Tiers and Weights
Trust is commonly expressed as:
- Tier label (e.g., vendor, distro, internal, untrusted)
- Weight/confidence used by consensus/policy to break ties and set posture
- Verification requirements (e.g., a valid signature required before a `not_affected` statement is allowed to gate a finding; an unsigned or unverifiable `not_affected` is excluded from consensus rather than trusted)
Offline Trust
Offline deployments must be able to verify issuer identity without network access:
- Trust roots and allowlists are bundled in the Offline Kit
- Signature verification and transparency proofs are evaluated against bundled material
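The following is an added, stdlib-only illustration of how the pieces above fit together: a directory that doubles as the issuer allowlist, tier labels and weights, `not_affected` gating on a valid signature, key ids bound to issuers, and verification against bundled trust-root material with no network lookup. It is not code from the Excititor or Vex Lens modules. The directory entries, key ids, weights, vulnerability id and sample statements are constructed, and an HMAC over the canonical statement stands in for the real signature scheme (certificate chains, transparency inclusion proofs) so that the block runs offline without extra dependencies.

```python
"""Trust-tier evaluation of VEX statements against an issuer directory.

Illustration only (not Excititor/Vex Lens code). An HMAC keyed with bundled
"Offline Kit" material stands in for real signature verification; the
directory, key ids, weights and sample statements are constructed.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class IssuerEntry:
    tier: str                           # vendor | distro | internal | untrusted
    weight: float                       # confidence used by consensus to rank statements
    key_ids: frozenset                  # cryptographic identities bound to this issuer
    signature_required_for: frozenset   # statuses ignored unless carrying a valid signature


# Bundled Offline Kit material (constructed): key id -> verification key material.
TRUST_ROOTS = {
    "vendor-key-1": b"vendor-key-material-from-offline-kit",
    "distro-key-1": b"distro-key-material-from-offline-kit",
}

# Issuer directory (constructed): stable provider id -> trust entry. Also the allowlist.
DIRECTORY = {
    "vendor:acme": IssuerEntry("vendor", 0.9, frozenset({"vendor-key-1"}),
                               frozenset({"not_affected", "fixed"})),
    "distro:example-linux": IssuerEntry("distro", 0.6, frozenset({"distro-key-1"}),
                                        frozenset({"not_affected"})),
    "internal:appsec": IssuerEntry("internal", 0.4, frozenset(), frozenset()),
}

TIER_RANK = {"vendor": 3, "distro": 2, "internal": 1, "untrusted": 0}


def canonical_bytes(stmt: dict) -> bytes:
    """Canonical JSON of the statement with the signature envelope fields removed."""
    body = {k: v for k, v in stmt.items() if k not in ("signature", "key_id")}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(stmt: dict, key_id: str) -> dict:
    """Issuer side: attach the stand-in signature computed with the bundled key."""
    mac = hmac.new(TRUST_ROOTS[key_id], canonical_bytes(stmt), hashlib.sha256).hexdigest()
    return {**stmt, "key_id": key_id, "signature": mac}


def verify_offline(stmt: dict) -> bool:
    """Verify only against bundled trust roots; nothing is fetched."""
    key = TRUST_ROOTS.get(stmt.get("key_id", ""))
    if key is None or "signature" not in stmt:
        return False
    expected = hmac.new(key, canonical_bytes(stmt), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, stmt["signature"])


def evaluate(stmt: dict) -> dict:
    """Decide whether a statement may enter consensus and with what tier/weight."""
    entry = DIRECTORY.get(stmt["issuer"])
    if entry is None:
        return {"eligible": False, "reason": "issuer not in allowlist"}
    key_id = stmt.get("key_id")
    if key_id is not None and key_id not in entry.key_ids:
        return {"eligible": False, "reason": "key id not bound to issuer"}
    verified = verify_offline(stmt)
    if "signature" in stmt and not verified:
        return {"eligible": False, "reason": "signature invalid"}
    if stmt["status"] in entry.signature_required_for and not verified:
        return {"eligible": False, "reason": f"{stmt['status']} requires a valid signature"}
    return {"eligible": True, "reason": "ok", "tier": entry.tier,
            "weight": entry.weight, "verified": verified}


def consensus(statements: list) -> dict:
    """Highest weight wins; ties broken by tier rank, then verified over unverified."""
    best = None
    for stmt in statements:
        v = evaluate(stmt)
        if not v["eligible"]:
            continue
        rank = (v["weight"], TIER_RANK[v["tier"]], v["verified"])
        if best is None or rank > best[0]:
            best = (rank, stmt["status"], stmt["issuer"])
    if best is None:
        return {"status": "unknown", "issuer": None}
    return {"status": best[1], "issuer": best[2]}


# Constructed sample statements for one (fictional) vulnerability/product pair.
_BASE = {"vuln": "VULN-EXAMPLE-1", "product": "pkg:generic/widget@1.2.3"}
SAMPLE = [
    sign({**_BASE, "issuer": "vendor:acme", "status": "not_affected",
          "justification": "vulnerable_code_not_present"}, "vendor-key-1"),
    {**_BASE, "issuer": "distro:example-linux", "status": "affected"},   # unsigned, allowed
    {**_BASE, "issuer": "feed:unknown", "status": "not_affected"},       # not in allowlist
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(s["issuer"], s["status"], evaluate(s))
    print("consensus:", consensus(SAMPLE))
```

Two behaviours are worth checking on a real deployment. First, a statement carrying another issuer's key id is rejected on the key binding, before any signature math runs, so a compromised or mis-attributed key cannot borrow a higher tier. Second, an unsigned `not_affected` from an issuer whose tier requires signatures is not downgraded to a lower weight but excluded entirely, so the distro's unsigned `affected` wins consensus until the vendor statement is properly signed.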
References
- docs/16_VEX_CONSENSUS_GUIDE.md
- docs/modules/excititor/architecture.md
- docs/modules/vex-lens/architecture.md