Definition: The Attested AI Specification defines the normative rules for producing and verifying governance evidence. Mechanism: It mandates deterministic canonicalization, SHA-256 hashing, and Ed25519 signing. Value: Any third party can independently verify evidence without network access. Output: Conformant implementations produce interoperable, tamper-evident artifacts.

Specification v1.0

Normative Specification

This document defines the technical requirements for producing and verifying offline-verifiable governance evidence.

1. Canonicalization

What canonicalization rules MUST implementations follow?

All JSON objects MUST be canonicalized before hashing or signing using the following rules:

  • MUST use UTF-8 encoding
  • MUST sort object keys lexicographically (byte order)
  • MUST NOT include insignificant whitespace
  • MUST preserve array element order
  • MUST format timestamps as ISO 8601 UTC with "Z" suffix

Reference: Compatible with JCS (RFC 8785). Implementations MAY use JCS libraries directly.

2. Hashing

What hash algorithm MUST be used?

All cryptographic hashes MUST use SHA-256 computed over canonical bytes.

// Hash computation
hash = SHA-256(canonical_bytes)
// Output encoding
hash_hex = lowercase_hex(hash)
hash_b64url = base64url(hash)

How MUST key identifiers be computed?

key_id = lowercase_hex(SHA-256(raw_public_key_bytes))[0:16]

The key_id is the first 16 hex characters (8 bytes) of the SHA-256 hash of the raw public key bytes.

3. Signing

What signature algorithm MUST be used?

All signatures MUST use Ed25519 computed over canonical bytes with the signature field omitted.

// Signature computation
message = canonicalize(object WITHOUT signature field)
signature = Ed25519_Sign(private_key, message)
// Signature encoding
signature_b64 = base64(signature)

Normative: Implementations MUST omit the signature field before canonicalization. Including the signature field in the message will produce invalid signatures.

4. Policy Artifact Schema

What fields MUST a Policy Artifact contain?

{
  "policy_v": "1",
  "policy_id": "<hex: SHA-256 of canonical policy>",
  "policy_version": "<semver>",
  "created_at": "<ISO 8601 UTC>",
  "issuer": {
    "public_key": "<base64>",
    "key_id": "<16 hex chars>",
    "signature": "<base64>"
  },
  "subject": {
    "subject_type": "FILESYSTEM | CONTAINER | CUSTOM",
    "subject_manifest_ref": "<path to manifest>"
  },
  "measurement_set": [
    {
      "type": "FILE_DIGEST | CONFIG_DIGEST | SBOM_DIGEST",
      "path": "<relative POSIX path>",
      "normalize": { ... }
    }
  ],
  "drift_rules": {
    "mode": "STRICT_HASH_MATCH"
  },
  "enforcement_mapping": {
    "DRIFT_DETECTED": "CONTINUE | QUARANTINE | KILL",
    "SIGNATURE_INVALID": "QUARANTINE | KILL"
  },
  "ttl": {
    "enabled": true,
    "expires_at": "<ISO 8601 UTC>"
  }
}

How MUST policy_id be computed?

  1. Remove issuer.signature and policy_id fields from the artifact
  2. Canonicalize the remaining object
  3. Compute SHA-256 of canonical bytes
  4. Encode as lowercase hex
  5. Set policy_id to this value
  6. Sign the artifact (with policy_id present, signature absent)

5. Enforcement Receipt Schema

What fields MUST an Enforcement Receipt contain?

{
  "receipt_v": "1",
  "receipt_id": "<hex: computed from canonical receipt>",
  "run_id": "<hex: 16-64 chars>",
  "counter": <integer: starts at 1>,
  "timestamp": "<ISO 8601 UTC>",
  "event_type": "POLICY_LOADED | MEASUREMENT_OK | DRIFT_DETECTED | ENFORCED | BUNDLE_EXPORTED",
  "decision": {
    "action": "CONTINUE | QUARANTINE | KILL | NONE",
    "reason_code": "OK | HASH_MISMATCH | TTL_EXPIRED | SIGNATURE_INVALID",
    "details": "<string>"
  },
  "policy": {
    "policy_id": "<hex>"
  },
  "chain": {
    "prev_receipt_hash": "<hex: or 64 zeros for first>",
    "this_receipt_hash": "<hex>"
  },
  "signer": {
    "public_key": "<base64>",
    "key_id": "<16 hex chars>",
    "signature": "<base64>"
  }
}

How MUST receipts be chained?

  • prev_receipt_hash of receipt N MUST equal this_receipt_hash of receipt N-1
  • First receipt MUST have prev_receipt_hash = 64 zeros
  • counter MUST be monotonically increasing per run_id

6. Evidence Bundle Schema

What MUST an Evidence Bundle contain?

/bundle_manifest.json
/policy/policy_artifact.json
/subject/subject_manifest.json
/receipts/0001.json
/receipts/0002.json
...
/receipts/chain_head.json
/verifier/verify.js
/verifier/VERSION.txt
/README.txt

What determinism rules MUST bundles follow?

  • MUST sort ZIP entries lexicographically
  • SHOULD use STORE compression to avoid metadata variance
  • MUST include SHA-256 checksums for all files in manifest

7. Verifier Contract

What checks MUST a conformant verifier perform?

  1. Bundle integrity: Verify all file checksums match manifest
  2. Policy validity: Recompute policy_id, verify signature
  3. Receipt signatures: Verify each receipt signature
  4. Receipt hashes: Verify receipt_id and this_receipt_hash
  5. Chain continuity: Verify prev_receipt_hash chain, counter sequence
  6. Policy consistency: Verify all receipts reference same policy_id
  7. Required events: Verify all required event types present

What verdicts MUST a verifier output?

PASS

All checks passed. Evidence is cryptographically valid.

PASS_WITH_CAVEATS

Core checks passed. Some optional checks skipped or degraded.

FAIL

One or more checks failed. Evidence integrity compromised.

Determinism: Given identical bundle bytes, a conformant verifier MUST produce identical output. This enables independent verification by any third party.

NextConformance Tests →ReferenceGlossary →