Introduction
OSAP is an experimental protocol for signed source and provenance attestations. An attestation associates claims with an issuer, a content fingerprint, and a time. A verifier can check that record without treating the claims as facts.
The protocol is intended for developers, publishers, journalists, fact-checkers, and standards contributors working on portable provenance records. Attestations are detached from the assets they describe — files, pages, or any other sequence of bytes — and can be distributed or discovered in several ways.
Verification and policy are separate. A verifier checks the attestation, signature, issuer key, exact-byte fingerprint, revocation information, and any available related records. A user-selected trust bundle then evaluates the issuer for a given scope and period. The result is a set of distinct findings, not a general judgment that the content is true or authentic. See Verification and UI Labeling Requirements.
OSAP v0.1 defines a few roles:
- Sources issue attestations that make claims about content fingerprints.
- Relays and publishers distribute attestations.
- Transparency logs can record when attestations were observed.
- Verifiers check evidence and apply a selected trust bundle.
OSAP remains at experimental draft v0.1. Its schemas, labels, CLI, examples, and demos are reference material for standards discussion and implementation work. They are not a production trust system.