Skip to content

Trust Bundles

Non-normative summary. The canonical requirements are in the Trust Bundles specification.

A trust bundle is a signed policy published by a maintainer. It records how that maintainer assesses an issuer for particular claim categories and time periods. It does not change signature validity or determine whether a claim is true.

Each trust period assigns one of four statuses:

  • trusted
  • limited_trust
  • high_caution
  • untrusted

A period has a start time, may have an end time, and may be limited to named scopes. Reasons and supporting evidence can make the assessment inspectable. In v0.1, scope names are an open vocabulary documented by the maintainer.

When applying a selected trust bundle, a verifier:

  1. validates the trust bundle and its maintainer's signature;
  2. finds the entry for the issuer;
  3. selects periods that apply to the claim scope;
  4. evaluates the status at issuance time and at verification time; and
  5. reports the trust result separately from signature, identity, and asset-integrity checks.

If the issuer has no entry, the result is outside_bundle. If the user selects no trust bundle, it is no_bundle. These are verification-result states, not statuses stored in a trust bundle.

Users choose which trust bundle, if any, a verifier applies. The selected trust bundle remains visible and replaceable. Different maintainers can publish different policies, and communities can fork a bundle under a new maintainer identity.