Skip to content

Introduction

OSAP is an experimental protocol for signed source and provenance attestations. An attestation associates claims with an issuer, a content fingerprint, and a time. A verifier can check that record without treating the claims as facts.

The protocol is intended for developers, publishers, journalists, fact-checkers, and standards contributors working on portable provenance records. Attestations are detached from the assets they describe — files, pages, or any other sequence of bytes — and can be distributed or discovered in several ways.

Verification and policy are separate. A verifier checks the attestation, signature, issuer key, exact-byte fingerprint, revocation information, and any available related records. A user-selected trust bundle then evaluates the issuer for a given scope and period. The result is a set of distinct findings, not a general judgment that the content is true or authentic. See Verification and UI Labeling Requirements.

OSAP v0.1 defines a few roles:

  • Sources issue attestations that make claims about content fingerprints.
  • Relays and publishers distribute attestations.
  • Transparency logs can record when attestations were observed.
  • Verifiers check evidence and apply a selected trust bundle.

OSAP remains at experimental draft v0.1. Its schemas, labels, CLI, examples, and demos are reference material for standards discussion and implementation work. They are not a production trust system.