Today we're introducing Marque — Corsair's cryptographically signed attestation system that replaces self-attested questionnaires with verifiable proof.
The Problem with Questionnaires
Compliance questionnaires are built entirely on trust. Here's how it works today:
- Company A sends Company B a 300-question security questionnaire
- Company B's compliance team answers the questions
- Company A reviews the answers and assigns a risk rating
- Everyone moves on
The problem? Company B has every incentive to overstate their security posture. And Company A has no way to verify the answers.
This is questionnaire theater.
How Marque Works
A Marque is a W3C Verifiable Credential — a JWT signed with Ed25519 that contains the results of a compliance assessment:
eyJhbGciOiJFZERTQSIsInR5cCI6InZjK2p3dCIsImtpZCI6ImRpZDp3ZWI6ZXhhbXBsZS5jb20ja2V5LTEifQ...
The header above decodes to {"alg":"EdDSA","typ":"vc+jwt","kid":"did:web:example.com#key-1"}: the signature algorithm, the JWT-VC media type, and the key identifier a verifier uses to look up the issuer's public key. The JWT payload contains a CPOE credential subject with assessment scope, control test results, evidence chain metadata, and framework mappings. The credential type is ["VerifiableCredential", "CorsairCPOE"].
The vendor runs their security tools (scanners, CI checks, API exports) and feeds the structured output to Corsair. Corsair records provenance and signs the results as a JWT-VC with Ed25519. The resulting Marque can be verified by anyone — using Corsair tooling, any W3C VC verifier, or any JWT library with EdDSA support. No Corsair account needed, no server calls, no data sharing.
Client-Side Verification
Visit grcorsair.com/marque to verify any Marque document. The verification runs entirely in your browser using the Web Crypto API. Your data never leaves your machine.
This is a critical trust property: the verification infrastructure itself must be trustworthy.
Pieces of Eight for the Digital Age
We call our attestation units CPOEs — Certificates of Proof of Operational Effectiveness. The name comes from the historical Pieces of Eight, the Spanish silver coins that became the world's first global currency.
Pieces of Eight worked because anyone could verify them: cut them, weigh them, bite them. CPOEs work the same way: anyone can verify the Ed25519 signature using standard tooling.
Trust through verification, not through promises.