Registry Transparency Policy
Every PASS attestation issued by AttestLayer is recorded in a public, append-only transparency registry at registry.attestlayer.com. This policy explains what the registry guarantees, what it contains, and how anyone can verify it independently.
What Is the Registry?
The AttestLayer Registry is a CT-style transparency log (inspired by Certificate Transparency, RFC 6962). It provides:
- Append-only Merkle tree — entries can never be modified or deleted
- Signed Tree Heads (checkpoints) — every 60 seconds, the registry publishes a signed checkpoint containing the current Merkle root
- Inclusion proofs — any client can verify that a specific attestation is included in the tree
- Consistency proofs — any monitor can verify that the tree only grows (no rollbacks)
- Offline verification — kits ship with a registry receipt that can be verified without contacting AttestLayer servers
What Does Each Leaf Contain?
Every leaf in the registry is a commitment — it contains cryptographic hashes and minimal metadata, never customer data or artifacts. Specifically:
| Field | Description |
|---|---|
| leaf_hash | SHA-256 of the leaf payload (base64url) |
| statement_hash | SHA-256 of the signed receipt JSON |
| manifest_root | SHA-256 root of the issued kit manifest |
| lane_id | Attestation lane (e.g. PAY-01, AGENT-01) |
| profile_id | Stable profile identifier |
| issuer_kid | Key ID of the issuer signing key |
| issued_at | RFC 3339 timestamp of issuance |
| outcome | Always PASS (only PASS entries are logged) |
| client_nonce_hash | SHA-256 of client-supplied anti-fabrication nonce |
| intake_policy_hash | SHA-256 of the intake policy version |
| kit_digest | SHA-256 of the final kit ZIP |
Cryptographic Properties
- Hash algorithm: SHA-256 only (no algorithm agility)
- Signature algorithm: Ed25519 only
- Canonicalization: RFC 8785 JSON Canonicalization Scheme (JCS)
- Domain separation: CT-style —
0x00prefix for leaves,0x01for internal nodes - Binary encoding: base64url without padding
- Timestamps: RFC 3339 UTC (trailing "Z")
Checkpoint Cadence
The registry mints a new signed checkpoint (Signed Tree Head) every 60 seconds. The maximum merge delay is 10 minutes — any accepted leaf will appear in a signed checkpoint within 10 minutes of acceptance.
Each checkpoint chains to its predecessor via prev_checkpoint_hash, forming an immutable sequence. Checkpoint signatures use the registry's Ed25519 key, published at /v1/jwks/registry.jwks.json.
Anti-Fabrication (Client Nonce)
Every attestation includes a client nonce — a random value generated by the client before submission. The registry stores only the hash (client_nonce_hash); the raw nonce is shipped in the kit as registry/client_nonce.txt.
This proves the attestation was created after the nonce was generated andbefore the checkpoint was signed — preventing both backdating and forward-dating.
Zero PII Guarantee
The registry contains zero personally identifiable information. No customer names, company names, email addresses, or file contents are ever stored. All records are cryptographic commitments (hashes) and minimal metadata.
How to Verify
- Online: Query
GET /v1/proofs/inclusion?leaf_hash=YOUR_LEAF_HASHat registry.attestlayer.com - Offline: Use the
registry/registry_receipt.jsonshipped in every PASS kit. It contains the leaf, checkpoint, and Merkle inclusion proof — all verifiable with the registry's public key alone. - Verify Kit: Download the standalone verification kit from /v1/verify-kit.zip
Registry API Endpoints
| Endpoint | Description |
|---|---|
| GET /v1/entries/{leaf_hash}.json | Leaf record |
| GET /v1/proofs/inclusion?leaf_hash=X | Inclusion proof |
| GET /v1/proofs/consistency?from_size=A&to_size=B | Consistency proof |
| GET /v1/checkpoints/latest.json | Latest Signed Tree Head |
| GET /v1/checkpoints/{hash}.json | Specific checkpoint |
| GET /v1/jwks/registry.jwks.json | Registry public keys |
| GET /v1/verify-kit.zip | Offline verification kit |
| GET /v1/stats | Registry statistics |
Specification
The registry implements REG-1.0, a transparency log specification designed for attestation registries. The full specification is available at registry.attestlayer.com/v1/spec/REG-1.0.md.