AttestLayer

Writing

Writing on record-only evidence, verifier ergonomics, and partner delivery.

Short notes from the AttestLayer team on how record-only evidence rails work in real partner, reviewer, insurer, banking, and platform-API workflows.

Writing here is informational. It is not legal, audit, security, insurance, or investment advice.

Selected notes

Why record-only matters

Reviewers, buyers, and partners need to know exactly what was submitted and what was issued. Record-only packets keep the boundary explicit.

Coming soon.

What an evidence packet contains

Binder, manifest, signed receipt, hash trail, JWKS reference, offline verification path.

Coming soon.

FAIL burns 0

Why packageability review must fail closed and never consume credits.

Coming soon.

Partner-first delivery

Why service providers should keep their client relationship while AttestLayer runs the record-only rail.

Coming soon.

Verifier ergonomics

What reviewers actually need: predictable structure, signed receipts, JWKS, offline verification.

Coming soon.

Program lanes vs. certifications

Why an evidence profile is not a certification, and why that distinction protects the rail.

Coming soon.

Subscribe

Email writing@attestlayer.com if you would like to be notified when notes are published.

The AttestLayer trust model

AttestLayer’s trust model is intentionally narrow. It records what was submitted, what was accepted into scope, what was issued, and how the issued kit can be checked.

The model uses

  • SHA-256 artifact hashing
  • manifest-based evidence inventory
  • canonical receipt hashing
  • Ed25519 receipt signatures
  • JWKS public-key discovery
  • offline verification
  • fail-closed verification behavior

What it proves

  • files match the manifest
  • manifest matches the receipt
  • receipt key ID matches a public key
  • receipt signature verifies
  • the kit has not been modified since issuance

What it does not prove

  • company compliance status
  • company security status
  • controls are operating effectively
  • a buyer, auditor, insurer, bank, regulator, or PSP has accepted the packet
  • the evidence content is legally sufficient

Integrity and issuance evidence only. Not audit, certification, or compliance guarantee.