Security posture for the public transparency log at registry.attestlayer.com.
The Registry is built as a public append-only transparency surface. Trust comes from published public keys, signed checkpoints, Merkle proofs, and public continuity material rather than from a private account session.
Security reports should be sent through the Registry-specific disclosure page at /vulnerability-disclosure.
Warranty disclaimer. To the maximum extent permitted by law, the registry.attestlayer.com surface, its public registry workflows, manifests, receipts, signed material, and related public material are provided on an as-is and as-available basis. AttestLayer disclaims all warranties, express or implied, including merchantability, fitness for a particular purpose, non-infringement, accuracy, completeness, uninterrupted availability, and any warranty that the service or its output will satisfy a specific buyer, procurement, security, audit, certification, insurance, regulator, payment, or legal outcome. AttestLayer outputs are evidence packages, not audit opinions, certifications, legal conclusions, or approval decisions.
No emergency reliance. The registry.attestlayer.com surface is not designed for, and must not be relied on as, an emergency, life-safety, medical, fraud-prevention, regulatory-filing, or time-critical compliance system. Counterparties and downstream parties must use appropriate emergency, regulatory, legal, financial, medical, or security channels for time-critical or safety-critical matters.
Registry signing keys follow a documented rotation policy. Active signing keys are rotated on a scheduled cadence and additionally on credible compromise indicators. Rotated keys remain published in the JWKS as historical entries for verification of previously signed material; only the current key may sign new material. Rotation events are reflected in the JWKS and in checkpoint metadata.
Private signing keys for Registry checkpoints are held in restricted custody. Key material is generated, stored, and used inside controlled environments; private keys are not exported in clear, are not shared with customers, and are not embedded in client code or downloadable kits. The public verification material (JWKS) is the only key surface intentionally exposed to the public Registry.
Registry state is anchored by an append-only checkpoint chain. Each checkpoint references the previous checkpoint hash, the current tree size, and a signature over that state. Relying parties can verify continuity by walking the checkpoint history and validating signatures against the published JWKS. Any break in continuity is detectable from public material alone.
AttestLayer maintains an incident response process covering detection, triage, containment, recovery, and post-incident review for Registry availability, integrity, and key compromise events. Where an incident affects the public Registry surface in a way that may impact reliance, AttestLayer aims to publish a notice on the Registry and, for known counterparties, a direct communication. Internal post-incident reviews are not published in full.
The public Registry surface is designed to expose only material intended to be public: packet identifiers, checkpoint hashes, signatures, JWKS, public metadata, and reference samples. Private customer payloads, personal data, and confidential business material are not intended to be present in public Registry entries. If private material is identified in a public entry, contact AttestLayer immediately so the entry can be reviewed.
