Overview
Parley is Corsair's trust exchange protocol — the mechanism by which organizations share and verify compliance attestations. Named after the pirate parley (a negotiation between parties under a flag of truce), the protocol enables trustless verification of operational effectiveness.
Parley composes three open standards into a single coherent protocol:
JWT-VC (proof) + SCITT (log) + SSF/CAEP (signal)
Each standard handles a different aspect of the trust lifecycle:
- JWT-VC — The attestation itself (what happened)
- SCITT — The public record (that it happened)
- SSF/CAEP — The notification (when things change)
Parley also supports dependency proofs that link upstream CPOEs, enabling a composable trust graph.
Three-Standard Composition
1. JWT-VC (The Proof)
W3C Verifiable Credentials 2.0 provides the credential data model. A CPOE becomes a VC with:
- @context: W3C VC 2.0 context plus the Corsair credential context
- type: ["VerifiableCredential", "CorsairCPOE"]
- issuer: DID of the assessing organization
- credentialSubject: Assessment scope, summary, evidence chain (chainDigest), frameworks
The JWT encoding (vc+jwt) means the JWT signature itself is the credential's proof; no separate proof object is needed.
2. SCITT (The Log)
IETF Supply Chain Integrity, Transparency, and Trust provides the transparency log. When a CPOE is issued, it can be registered with a SCITT transparency service:
- Registration: Submit the JWT-VC as a SCITT statement
- Receipt: Get back a COSE receipt proving inclusion in the log
- Verification: Anyone can verify the CPOE was registered at a specific time
SCITT ensures that CPOEs are auditable and that issuers cannot silently revoke or modify attestations without detection.
Proof-only mode lets issuers register only a hash commitment to the CPOE (the statement itself is not stored by the log) while still receiving a COSE receipt.
3. SSF/CAEP (The Signal)
OpenID Shared Signals Framework and Continuous Access Evaluation Protocol provide real-time notifications. When compliance status changes, subscribers are notified immediately:
- COLORS_CHANGED: Trust tier changed (e.g., self-assessed to ai-verified)
- FLEET_ALERT: Drift detected, controls degraded
- PAPERS_CHANGED: CPOE issued, renewed, or revoked
- MARQUE_REVOKED: Emergency revocation
See the FLAGSHIP Events page for details.
End-to-End Flow
1. EVIDENCE: Corsair accepts structured output from security tools (scanners, CI checks, API exports)
2. SIGN: Provenance is recorded and the CPOE is signed as a JWT-VC with Ed25519
3. LOG (optional): The JWT-VC is registered in a SCITT transparency log
4. PUBLISH (optional): The vendor publishes trust.txt for discovery
5. VERIFY: The requestor verifies locally (via trust.txt discovery or direct share)
6. DIFF: CPOEs are compared over time to track compliance changes
7. SIGNAL (optional): An SSF/CAEP stream delivers real-time compliance signals
8. RENEW: Periodic re-assessment produces a new JWT-VC; the old one expires
DID Identity
Parley uses did:web for issuer identity. Organizations publish a DID document at their domain:
https://example.com/.well-known/did.json
This document contains the Ed25519 public key used for verification. The DID is embedded in the JWT-VC as the issuer claim, enabling automatic key discovery during verification.
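The JWT-VC proof described in the first section and the did:web key binding described here, as an added example that is not Corsair's code: it signs a CPOE as a compact vc+jwt with Ed25519 and verifies it with a key assumed to have been fetched from the issuer's DID document. The Corsair context URL is a placeholder and the credentialSubject shape is an assumption; the verifier pins alg/typ before checking the signature and then requires the embedded issuer to be the DID the key was resolved from.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding

// SignCPOE emits a compact JWT: header {alg:EdDSA, typ:vc+jwt}, the credential as the
// claims set, Ed25519 signature over the encoded "header.payload"; no separate proof object.
func SignCPOE(priv ed25519.PrivateKey, issuerDID, chainDigest string) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "vc+jwt"})
	claims, _ := json.Marshal(map[string]any{
		"@context": []string{"https://www.w3.org/ns/credentials/v2", "<CORSAIR_CONTEXT_URL>"},
		"type":     []string{"VerifiableCredential", "CorsairCPOE"}, "issuer": issuerDID,
		"credentialSubject": map[string]string{"chainDigest": chainDigest}, // assumed shape
	})
	in := b64.EncodeToString(hdr) + "." + b64.EncodeToString(claims)
	return in + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(in)))
}

// VerifyCPOE takes the Ed25519 key fetched from the issuer's did:web document
// (did:web:example.com -> https://example.com/.well-known/did.json) and returns the claims.
func VerifyCPOE(token, issuerDID string, pub ed25519.PublicKey) (map[string]any, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed compact JWT")
	}
	hdrRaw, e1 := b64.DecodeString(p[0])
	body, e2 := b64.DecodeString(p[1])
	sig, e3 := b64.DecodeString(p[2])
	var hdr struct{ Alg, Typ string }
	var claims map[string]any
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hdrRaw, &hdr) != nil || json.Unmarshal(body, &claims) != nil {
		return nil, errors.New("undecodable JWT segment")
	}
	// Pin alg/typ before trusting anything (no alg confusion); verify over the exact encoded segments.
	if hdr.Alg != "EdDSA" || hdr.Typ != "vc+jwt" || !ed25519.Verify(pub, []byte(p[0]+"."+p[1]), sig) {
		return nil, errors.New("header not EdDSA/vc+jwt or signature invalid")
	}
	// The key was resolved from issuerDID's DID document, so the embedded issuer must be that DID.
	if claims["issuer"] != issuerDID {
		return nil, errors.New("issuer claim does not match the resolved DID")
	}
	return claims, nil
}
```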