Registry Transparency Policy
Canonical transparency policy for registry.attestlayer.com.
This is the canonical public registry policy for registry.attestlayer.com. Buyer and partner sites may summarize how their workflows rely on the registry, but the trust model, checkpoint model, and publication rules for the registry itself are stated here.
What the registry guarantees
- An append-only Merkle tree for published PASS attestations and related public commitments.
- Signed checkpoints that allow third parties to verify tree continuity over time.
- Public inclusion and consistency proof endpoints.
- Public issuer and registry JWKS endpoints for independent verification.
- Offline verification support through downloadable verification bundles.
What the registry contains
Registry entries are commitments, not evidence payloads. By design, the registry is not a customer document repository.
| Included | Not included |
|---|
| Leaf hashes, statement hashes, manifest roots, key identifiers, issuance timestamps, lane/profile identifiers, checkpoint data. | Customer names, email addresses, raw uploaded files, audit opinions, legal opinions, or secret materials. |
Current trust status
Checkpoint signatures are currently issued by AttestLayer's registry key. External witnessing, external anchoring, or other trust extensions should only be relied on when the Registry explicitly marks them active on the public surface.
The public registry proves publication, continuity, and cryptographic linkage. It does not by itself prove a broader compliance conclusion or business suitability for a relying party.
How to rely on the registry
- Verify the receipt or statement against the published issuer key.
- Check inclusion and checkpoint continuity using the public proof endpoints.
- Confirm the trust assumptions you rely on are actually active on the Registry surface.
- Use the offline verification kit when you need a self-contained verification path.
Questions about the registry trust model can be sent to security@attestlayer.com.
Registry is a public read-only transparency surface. It is not a checkout, subscription, or customer account portal.
