Verification Is Not Trust
Non-normative overview. Normative verification and trust-evaluation requirements are defined in Verification and Trust Bundles.
OSAP separates evidence checks from policy decisions.
A verifier reports whether:
- the document has the expected OSAP v0.1 structure;
- the available asset bytes match a signed fingerprint;
- the issuer key can be resolved and was valid at issuance;
- the signature is valid;
- the attestation has been revoked or corrected.
When optional transparency-log data is available, a verifier can also report an earlier attestation for the same exact-byte fingerprint.
These findings do not establish whether the issuer's claims are true. If the user selects a trust bundle, the verifier also applies that policy to the issuer. Evaluation is scoped and time-aware, so different bundles can produce different assessments of the same signed claim. With no selected bundle, the issuer is not evaluated.
For a valid signature from an issuer absent from the selected bundle, the result can include:
- ✓ Signature valid: signed by
trustme.example - ⚠ Issuer outside selected trust bundle
- ⚠ Claim is made by issuer, not proven as true
If an issuer was trusted at issuance but has a more cautious current status, the verifier reports both periods:
- ✓ Signature valid: signed by
example-news.org - ⓘ Published during previously trusted period
- ⚠ Source currently marked high caution by selected trust bundle
The complete result keeps these labels separate. It does not reduce them to an overall pass, score, or “verified” badge. See UI Labeling Requirements.