Overview
Parley is Corsair's trust exchange protocol — the mechanism by which organizations share and verify compliance attestations. Named after the pirate parley (a negotiation between parties under a flag of truce), the protocol enables trustless verification of operational effectiveness.
Parley composes three open standards into a single coherent protocol:
JWT-VC (proof) + SCITT (log) + SSF/CAEP (signal)
Each standard handles a different aspect of the trust lifecycle:
- JWT-VC — The attestation itself (what happened)
- SCITT — The public record (that it happened)
- SSF/CAEP — The notification (when things change)
Parley also supports dependency proofs that link upstream CPOEs, enabling a composable trust graph.
Three-Standard Composition
1. JWT-VC (The Proof)
W3C Verifiable Credentials 2.0 provides the credential data model. A CPOE becomes a VC with:
- @context: W3C VC 2.0 + Corsair credential context
- type: ["VerifiableCredential", "CorsairCPOE"]
- issuer: DID of the assessing organization
- credentialSubject: Assessment scope, summary, evidence chain (chainDigest), frameworks
The JWT encoding (vc+jwt) means the signature IS the JWT — no separate proof object needed.
2. SCITT (The Log)
IETF Supply Chain Integrity, Transparency, and Trust provides the transparency log. When a CPOE is issued, it can be registered with a SCITT transparency service:
- Registration: Submit the JWT-VC as a SCITT statement
- Receipt: Get back a COSE receipt proving inclusion in the log
- Verification: Anyone can verify the CPOE was registered at a specific time
SCITT ensures that CPOEs are auditable and that issuers cannot silently revoke or modify attestations without detection.
Proof-only mode lets issuers register only a hash commitment (no statement stored) while still receiving a COSE receipt.
3. SSF/CAEP (The Signal)
OpenID Shared Signals Framework and Continuous Access Evaluation Protocol provide real-time notifications. When compliance status changes, subscribers are notified immediately:
- COLORS_CHANGED: Trust tier changed (e.g., self-assessed to ai-verified)
- FLEET_ALERT: Drift detected, controls degraded
- PAPERS_CHANGED: CPOE issued, renewed, or revoked
- MARQUE_REVOKED: Emergency revocation
See the FLAGSHIP Events page for details.
End-to-End Flow
1. EVIDENCE Corsair accepts structured output from security tools (scanners, CI checks, API exports)
2. SIGN Provenance recorded, CPOE signed as JWT-VC with Ed25519
3. LOG (Optional) JWT-VC registered in SCITT transparency log
4. PUBLISH (Optional) Vendor publishes trust.txt for discovery (/.well-known or delegated DNS)
5. VERIFY Requestor verifies locally (via trust.txt discovery or direct share)
6. DIFF Compare CPOEs over time to track compliance changes
7. SIGNAL (Optional) SSF/CAEP stream delivers real-time compliance signals
8. RENEW Periodic re-assessment produces new JWT-VC, old one expires
DID Identity
Parley uses did:web for issuer identity. Organizations publish a DID document at their domain:
https://example.com/.well-known/did.json
This document contains the Ed25519 public key used for verification. The DID is embedded in the JWT-VC as the issuer claim, enabling automatic key discovery during verification.
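As an added example (not Corsair's own code), this Go program issues a CPOE as a vc+jwt with the fields listed under JWT-VC (The Proof) and verifies it the way the DID Identity section describes: the issuer's did:web identifier is mapped to its did.json URL, the Ed25519 key is read from that document's publicKeyJwk, and the signature is checked. The DID document fetch is injected so the code runs offline; the Corsair @context URL and the `#key-1` key id are constructed placeholders, and the verifier also pins the header alg to EdDSA, which the page does not spell out.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding // compact JWS uses unpadded base64url

// didWebToURL maps the bare-host did:web form used by Parley to its DID document URL.
func didWebToURL(did string) string {
	return "https://" + strings.TrimPrefix(did, "did:web:") + "/.well-known/did.json"
}

// signCPOE encodes a CPOE as vc+jwt: the EdDSA signature over header.payload IS the proof.
func signCPOE(priv ed25519.PrivateKey, issuer string, subject map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "vc+jwt", "kid": issuer + "#key-1"})
	pl, _ := json.Marshal(map[string]any{ // second @context URL below is a constructed placeholder
		"@context": []string{"https://www.w3.org/ns/credentials/v2", "https://corsair.example/credentials/v1"},
		"type":     []string{"VerifiableCredential", "CorsairCPOE"}, "issuer": issuer, "credentialSubject": subject})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// verifyCPOE pins alg to EdDSA, resolves the issuer's did.json via the injected fetch (offline here), and checks the signature with its Ed25519 publicKeyJwk.
func verifyCPOE(token string, fetch func(url string) []byte) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed compact JWS")
	}
	dec := func(i int) []byte { b, _ := b64.DecodeString(parts[i]); return b }
	var hdr, payload map[string]any
	if json.Unmarshal(dec(0), &hdr) != nil || hdr["alg"] != "EdDSA" || json.Unmarshal(dec(1), &payload) != nil {
		return nil, errors.New("header alg must be EdDSA and payload must be JSON")
	}
	issuer, _ := payload["issuer"].(string)
	var doc struct{ VerificationMethod []struct{ PublicKeyJwk struct{ Crv, X string } `json:"publicKeyJwk"` } `json:"verificationMethod"` }
	if !strings.HasPrefix(issuer, "did:web:") || json.Unmarshal(fetch(didWebToURL(issuer)), &doc) != nil || len(doc.VerificationMethod) == 0 {
		return nil, errors.New("issuer must be did:web and its DID document must carry a verificationMethod")
	}
	pub, _ := b64.DecodeString(doc.VerificationMethod[0].PublicKeyJwk.X)
	if doc.VerificationMethod[0].PublicKeyJwk.Crv != "Ed25519" || len(pub) != ed25519.PublicKeySize ||
		!ed25519.Verify(ed25519.PublicKey(pub), []byte(parts[0]+"."+parts[1]), dec(2)) {
		return nil, errors.New("signature does not verify against the issuer's Ed25519 key")
	}
	return payload, nil
}
```

A real verifier would pass an HTTPS client as `fetch` and additionally check `kid` against the verificationMethod id and the credential's validity period before trusting the payload.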