AttestLayer

Standards

FES-1.0 and the program lane catalogue.

AttestLayer publishes an evidence packet specification (FES-1.0-preview) and a catalogue of evidence profiles called program lanes. Specifications standardize the packet shape, not the underlying compliance outcome.

FES-1.0 and program lanes describe packet structure and verification expectations. They do not certify compliance, security, resilience, or legal sufficiency.

FES-1.0-preview

Packet structure

Binder PDF, manifest JSON, signed receipt, artifact hashes, JWKS reference, offline verification path.

Receipt rules

Canonical hashing and Ed25519 signature with a publishable key ID.

Verification rules

Fail-closed. Missing files, malformed receipts, mismatched hashes, or missing keys must return FAIL.

Public reference

OpenAPI snapshot and verifier sample kit available on api.attestlayer.com.

Open api.attestlayer.com

Program lanes catalogue

AGENT-01

AI agent authority and action evidence.

Open lane

PAY-01

High-value payment and funds-movement evidence.

Open lane

ID-01

Authority and identity evidence.

Open lane

HUMAN-01

Human approval and change evidence.

Open lane

VENDOR

Vendor diligence evidence.

Open lane

DORA/VENDOR

Operational resilience and third-party evidence (illustrative profile, not legal DORA certification).

Open lane

What standards do not do

  • do not certify customer compliance, security, or resilience
  • do not replace audits, regulators, lawyers, or insurers
  • do not guarantee buyer, regulator, insurer, or PSP acceptance
  • do not opine on the truthfulness of submitted records

The AttestLayer trust model

AttestLayer’s trust model is intentionally narrow. It records what was submitted, what was accepted into scope, what was issued, and how the issued kit can be checked.

The model uses

  • SHA-256 artifact hashing
  • manifest-based evidence inventory
  • canonical receipt hashing
  • Ed25519 receipt signatures
  • JWKS public-key discovery
  • offline verification
  • fail-closed verification behavior

What it proves

  • files match the manifest
  • manifest matches the receipt
  • receipt key ID matches a public key
  • receipt signature verifies
  • the kit has not been modified since issuance

What it does not prove

  • company compliance status
  • company security status
  • controls are operating effectively
  • a buyer, auditor, insurer, bank, regulator, or PSP has accepted the packet
  • the evidence content is legally sufficient

Integrity and issuance evidence only. Not audit, certification, or compliance guarantee.