Today we're shipping Parley — Corsair's standards-based trust exchange protocol. CPOEs (Certificates of Proof of Operational Effectiveness) are W3C Verifiable Credentials, compliance changes are broadcast via OpenID SSF/CAEP, and transparency logging follows the IETF SCITT architecture. The pipeline is simple: accept tool evidence, sign a proof, and make it verifiable anywhere.
The Problem: Questionnaire Theater
Vendors self-attest to 300+ questions. Customers review the answers. Nobody actually tests whether controls work.
If the goal is to replace questionnaire theater with cryptographic proof, the proof format can't be a walled garden. A vendor shouldn't need to convince their customer to install specific tooling just to verify an attestation.
The entire point of Pieces of Eight was universal verifiability. Anyone could cut, weigh, and bite a silver coin. CPOEs need the same property.
Three Standards, One Protocol
Parley composes three open standards:
W3C Verifiable Credentials 2.0 — The credential envelope. A CPOE is a VC with type: ["VerifiableCredential", "CorsairCPOE"], encoded as a JWT with alg: EdDSA. Any VC verifier can validate it. Ed25519 signing — same algorithm, deterministic signatures. The container is standard.
OpenID SSF / CAEP — Real-time compliance signals. We call this module FLAGSHIP (the command ship that signals fleet-wide changes). When a vendor's compliance status changes — drift detected, credential revoked — subscribers get a standardized Security Event Token immediately. No more quarterly reviews to discover that MFA was disabled three months ago.
IETF SCITT — Transparency logging. When a CPOE is issued, it can be registered in a SCITT append-only log. This provides non-repudiation (the issuer can't deny the attestation) and discoverability (anyone can audit the history). SCITT interfaces are defined; full transparency service integration tracks the IETF draft.
The JWT-VC Envelope
A Corsair CPOE:
eyJhbGciOiJFZERTQSIsInR5cCI6InZjK2p3dCJ9.eyJpc3MiOiJkaWQ6d2ViOmV4YW1wbGUuY29tIi...
The JWT format is understood by every identity platform, security tool, and compliance system that supports VCs. Same Ed25519 key. Same signing. Universally verifiable.
DID Identity
Organizations identify themselves with did:web — a DID that resolves to a JSON document at their domain. The public key is published at example.com/.well-known/did.json. Verifiers can automatically discover the key from the kid (key ID) parameter in the JWT header, which names the issuer's DID and the verification method within that document.
FLAGSHIP Events
Three CAEP event types, with pirate names:
| Event | Meaning |
|---|---|
| FLEET_ALERT | Drift detected |
| PAPERS_CHANGED | CPOE lifecycle event |
| MARQUE_REVOKED | Emergency revocation |
Events are encoded as RFC 8417 Security Event Tokens and delivered via push or poll.
What Makes This Different
- Ed25519 signing — Deterministic signatures, 64-byte, fast verification
- Evidence chains — SHA-256 hash chains that make any tampering evident
- Pirate names — MARQUE and FLAGSHIP (for real-time signals)
- Client-side verification — The web verifier verifies entirely in-browser
- Zero external signing dependencies — Node.js crypto module for key generation and signing
- Universal verification — Any W3C VC 2.0 verifier, any JWT library with EdDSA support
The core thesis: verify trust, don't assume it. Your tools already have the evidence — Corsair wraps it in standards that anyone can verify.
Shipped
- SCITT transparency service — Production Postgres-backed append-only log with COSE_Sign1 receipts (Ed25519), SHA-256 Merkle tree inclusion proofs, and zero external crypto dependencies
- FLAGSHIP push/poll delivery — SSF stream management with Postgres persistence, event queue, exponential backoff retry, and circuit breaker fault tolerance
- Production backend — Railway Postgres with Bun.sql, 4 migrations (7 tables), API endpoints for SSF configuration, stream CRUD, and SCITT registration
What's Next
- Selective disclosure — SD-JWT support for sharing partial assessment results
- Credential exchange — Automated vendor-to-customer CPOE sharing workflows
The goal remains: replace the $8.57 billion questionnaire theater industry with cryptographic proof. Parley makes that proof interoperable.