What is a Marque?
A Marque is a cryptographically signed document that attests to the results of a Corsair compliance assessment. Named after the historical Letter of Marque that authorized privateers, it serves as a Certificate of Proof of Operational Effectiveness (CPOE).
JWT-VC Format
Corsair packages CPOEs as W3C Verifiable Credentials encoded as JWTs:
eyJhbGciOiJFZERTQSIsInR5cCI6InZjK2p3dCIsImtpZCI6ImRpZDp3ZWI6ZXhhbXBsZS5jb20ja2V5LTEifQ...
The JWT contains:
- Header: { alg: "EdDSA", typ: "vc+jwt", kid: "did:web:domain#key-1" }
- Payload: W3C VC 2.0 claims with the CPOE credential subject and parley: "2.0"
- Signature: Ed25519 over header.payload (the JWT itself is the proof; no separate proof property is embedded)
The CPOE credential subject maps directly to the assessment results:
{
"type": "CorsairCPOE",
"schemaVersion": "1.0",
"scope": "SOC 2 Type II — Cloud Infrastructure Controls",
"provenance": {
"source": "tool",
"sourceIdentity": "Scanner v1.2",
"sourceDate": "2026-01-15T00:00:00Z"
},
"summary": { "controlsTested": 24, "controlsPassed": 22, "overallScore": 92 },
"extensions": {
"mapping": { "id": "toolx-evidence-only", "evidenceOnly": true },
"passthrough": { "summary": { "passed": 12, "failed": 2 } }
},
"dependencies": [
{
"issuer": "did:web:vendor.com",
"scope": "SOC 2 Type II — Infrastructure",
"cpoe": "https://vendor.com/cpoe.jwt",
"digest": "sha256:4b2c...d91"
}
]
}
The provenance field records where the evidence came from.
The extensions field is optional and carries passthrough data or mapping metadata (the latter for evidence-only CPOEs).
The dependencies field is optional and links to upstream CPOEs, each pinned by a digest, so that trust can be composed into a graph.
Keys under extensions must be namespaced: mapping, passthrough, or a name carrying the x- or ext. prefix. ext.oidc is reserved for keyless signing delegation metadata and may include mapped identity claims when configured.
Any W3C VC 2.0 verifier can validate a Corsair credential — verification is not locked to Corsair tooling.
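The rules above (provenance sources, namespaced extensions, digest-pinned dependencies) are easy to get wrong when a CPOE is assembled from tool output. The following validator is an added example, not Corsair's own code: it checks a credential subject against exactly the constraints this page states before the subject is put into a Marque. Field types (strings, integers, https URLs, a sha256: hex digest) are assumptions modelled on the sample; the fixture subject is constructed, and its digest is a full placeholder rather than the abbreviated one in the sample.

```javascript
// Added example (not Corsair's own code): structural checks on a CPOE
// credentialSubject before it goes into a Marque. Rules are the ones the page
// states; exact field types are assumed from the sample.
const PROVENANCE_SOURCES = new Set(['self', 'tool', 'auditor']);
const DIGEST_RE = /^sha256:[0-9a-f]{64}$/;

// extensions keys must be mapping, passthrough, x-* or ext.* (ext.oidc is reserved).
function isNamespacedExtension(key) {
  return key === 'mapping' || key === 'passthrough' || key.startsWith('x-') || key.startsWith('ext.');
}

function isHttpsUrl(s) {
  try { return new URL(s).protocol === 'https:'; } catch { return false; }
}

// Returns a list of violations; an empty list means the subject is well-formed.
function validateCpoeSubject(subject) {
  if (!subject || typeof subject !== 'object') return ['credentialSubject must be an object'];
  const errors = [];
  if (subject.type !== 'CorsairCPOE') errors.push('type must be "CorsairCPOE"');
  if (typeof subject.schemaVersion !== 'string') errors.push('schemaVersion must be a string');
  if (typeof subject.scope !== 'string' || !subject.scope.trim()) errors.push('scope must be a non-empty string');

  const prov = subject.provenance ?? {};
  if (!PROVENANCE_SOURCES.has(prov.source)) errors.push('provenance.source must be self, tool or auditor');
  if (typeof prov.sourceIdentity !== 'string') errors.push('provenance.sourceIdentity must be a string');
  if (Number.isNaN(Date.parse(prov.sourceDate))) errors.push('provenance.sourceDate must be an ISO 8601 date');

  const sum = subject.summary ?? {};
  if (!Number.isInteger(sum.controlsTested) || !Number.isInteger(sum.controlsPassed) ||
      sum.controlsPassed > sum.controlsTested) {
    errors.push('summary.controlsPassed must be an integer no greater than controlsTested');
  }

  for (const key of Object.keys(subject.extensions ?? {})) {
    if (!isNamespacedExtension(key)) errors.push(`extensions.${key} is not namespaced (mapping, passthrough, x-*, ext.*)`);
  }

  const deps = subject.dependencies ?? [];
  if (!Array.isArray(deps)) return [...errors, 'dependencies must be an array'];
  deps.forEach((dep, i) => {
    if (typeof dep.issuer !== 'string' || !dep.issuer.startsWith('did:')) errors.push(`dependencies[${i}].issuer must be a DID`);
    if (typeof dep.scope !== 'string') errors.push(`dependencies[${i}].scope must be a string`);
    if (!isHttpsUrl(dep.cpoe)) errors.push(`dependencies[${i}].cpoe must be an https URL`);
    if (!DIGEST_RE.test(dep.digest ?? '')) errors.push(`dependencies[${i}].digest must be sha256:<64 hex chars>`);
  });
  return errors;
}

// Constructed fixture modelled on the page's sample (placeholder digest).
const SAMPLE_SUBJECT = {
  type: 'CorsairCPOE', schemaVersion: '1.0', scope: 'SOC 2 Type II',
  provenance: { source: 'tool', sourceIdentity: 'Scanner v1.2', sourceDate: '2026-01-15T00:00:00Z' },
  summary: { controlsTested: 24, controlsPassed: 22, overallScore: 92 },
  extensions: { mapping: { id: 'toolx-evidence-only', evidenceOnly: true },
                passthrough: { summary: { passed: 12, failed: 2 } } },
  dependencies: [{ issuer: 'did:web:vendor.com', scope: 'SOC 2 Type II',
                   cpoe: 'https://vendor.com/cpoe.jwt', digest: 'sha256:' + 'ab'.repeat(32) }],
};

// Same subject with three violations: unknown provenance source, an
// un-namespaced extension key, and a non-sha256 dependency digest.
const BAD_SUBJECT = {
  ...SAMPLE_SUBJECT,
  provenance: { ...SAMPLE_SUBJECT.provenance, source: 'vendor' },
  extensions: { ...SAMPLE_SUBJECT.extensions, custom: { note: 'not namespaced' } },
  dependencies: [{ ...SAMPLE_SUBJECT.dependencies[0], digest: 'md5:d41d8cd98f00b204e9800998ecf8427e' }],
};

console.log(validateCpoeSubject(SAMPLE_SUBJECT)); // []
console.log(validateCpoeSubject(BAD_SUBJECT));    // three violations
```

Run it with node; a non-empty list from validateCpoeSubject is the signal to stop before signing, since a Marque signed over a malformed subject is still a valid signature over bad data.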
Signing
Corsair signs with Ed25519 (the EdDSA signature scheme instantiated over Curve25519):
- Zero external dependencies: uses the Node.js built-in crypto module
- 64-byte signatures, 32-byte keys
- Deterministic: the same key and input always produce the same signature, so there is no per-signature nonce to mismanage
- Fast verification (important for client-side use)
DID Identity
Corsair uses did:web for issuer identity. Organizations publish a DID document at:
https://example.com/.well-known/did.json
The DID document contains the Ed25519 public key. During verification, the kid in the JWT header is a DID URL (the issuer's DID plus a key fragment): the verifier resolves it to the DID document, selects the verification method whose id matches kid, and uses that key, so key discovery is automatic. The verifier must also confirm that the DID in kid is the credential's issuer; a signature that checks out against some other did:web key proves nothing about the claimed issuer.
Provenance
Every CPOE records provenance — who produced the underlying evidence:
| Source | Meaning |
|---|---|
| self | Organization self-attests without automated evidence |
| tool | Security tooling (scanner output, API export) produced the evidence |
| auditor | Independent third party reviewed and verified |
Corsair does not judge evidence quality. It records provenance and lets buyers decide what's sufficient.
Verification
Marque verification is fully client-side at grcorsair.com/marque:
- Paste the Marque JWT and the issuer's public key
- Web Crypto API verifies the Ed25519 signature
- Evidence chain integrity is validated
- Expiry date is checked
No data leaves the browser. No server calls. No Corsair account needed.
Cross-platform verification is also supported:
- Corsair CLI: bun bin/corsair-verify.ts
- Any JWT library with EdDSA support: jose, jsonwebtoken, etc.
- W3C VC verifiers: any spec-compliant implementation
Sanitization
Before signing, Corsair sanitizes sensitive data:
- AWS Account IDs -> redacted
- ARNs -> redacted
- IP addresses -> redacted
- File paths -> redacted
- API keys -> redacted
The Marque contains assessment results, not raw infrastructure details. Sanitization runs before signing, so the signature covers the redacted content; redacting after signing would invalidate it.
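A pre-signing sanitizer for the categories listed above, as an added example that is not Corsair's own implementation: it walks the credential subject recursively and rewrites string values in place, leaving numbers and booleans untouched. The patterns are assumptions (a 12-digit account ID, an arn:aws prefix, dotted IPv4, absolute POSIX and Windows paths, AWS access key IDs) and are ordered so the broader ARN match runs before the narrower account-ID match; the findings used as input are constructed, and the access key is the AWS documentation placeholder.

```javascript
// Added example (not Corsair's own sanitizer). Patterns are assumptions;
// the RAW_FINDINGS input is constructed for the demonstration.
const RULES = [
  ['arn',            /\barn:aws[a-z-]*:[^\s"']+/g,        '[ARN REDACTED]'],
  ['aws-access-key', /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g,    '[API KEY REDACTED]'],
  ['aws-account-id', /\b\d{12}\b/g,                       '[ACCOUNT REDACTED]'],
  ['ipv4',           /\b(?:\d{1,3}\.){3}\d{1,3}\b/g,      '[IP REDACTED]'],
  ['windows-path',   /\b[A-Za-z]:\\[^\s"']+/g,            '[PATH REDACTED]'],
  // Two or more '/segment' parts, not preceded by a word char, ':' or '/'
  // so that the path portion of an https URL (e.g. a dependency's cpoe) survives.
  ['posix-path',     /(?<![\w:/])(?:\/[\w.-]+){2,}/g,     '[PATH REDACTED]'],
];

function sanitizeString(s, hits) {
  let out = s;
  for (const [name, re, replacement] of RULES) {
    out = out.replace(re, () => { hits[name] = (hits[name] || 0) + 1; return replacement; });
  }
  return out;
}

// Recursively sanitize strings inside objects and arrays; other scalars pass through.
function sanitize(value, hits) {
  if (typeof value === 'string') return sanitizeString(value, hits);
  if (Array.isArray(value)) return value.map((v) => sanitize(v, hits));
  if (value && typeof value === 'object') {
    return Object.fromEntries(Object.entries(value).map(([k, v]) => [k, sanitize(v, hits)]));
  }
  return value;
}

// Returns the redacted copy plus a per-rule hit count for the audit log.
function sanitizeForSigning(subject) {
  const hits = {};
  return { clean: sanitize(subject, hits), hits };
}

// Constructed tool output as it might sit in a passthrough extension before signing.
const RAW_FINDINGS = {
  type: 'CorsairCPOE', scope: 'SOC 2 Type II',
  summary: { controlsTested: 24, controlsPassed: 22, overallScore: 92 },
  dependencies: [{ cpoe: 'https://vendor.com/cpoe.jwt' }],
  extensions: { passthrough: { findings: [
    'S3 bucket arn:aws:s3:::acme-prod-logs is public (account 123456789012)',
    'Instance 10.0.12.7 exposes SSH; key file /home/ec2-user/.ssh/id_rsa world-readable',
    'Leaked credential AKIAIOSFODNN7EXAMPLE found in C:\\Users\\bob\\creds.txt',
  ] } },
};

const { clean: CLEAN, hits: HITS } = sanitizeForSigning(RAW_FINDINGS);
console.log(CLEAN.extensions.passthrough.findings, HITS);
```

This is a denylist, so treat the hit counts as a review aid rather than a guarantee: anything shaped like a version string "1.2.3.4" will be redacted as an IP, and a secret in a format the rules do not know will pass through. Reviewing the passthrough section of the sanitized subject before it is signed is still the operative control.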