The Corsair Philosophy
Corsair is built on a single insight: security tools already generate the evidence, but nobody can cryptographically verify it.
Traditional GRC tools ask: "Did you document your controls?" Corsair asks: "Can you prove your controls are effective with a signed, verifiable credential?"
The proof that emerges from tool-generated evidence and cryptographic signing is fundamentally different from self-reported questionnaires.
Six Primitives. One Protocol.
Corsair operates like git for compliance. Six core primitives handle signing, transparency, discovery, verification, regression tracking, and real-time signals.
SIGN → LOG → PUBLISH → VERIFY → DIFF → SIGNAL
The Six Primitives (Default Path)
Every corsair sign invocation flows through the core primitives. No flags required.
| Primitive | Git Analogy | What It Does |
|---|---|---|
| SIGN | git commit | Parse tool output, record provenance, sign as JWT-VC (Ed25519) |
| LOG | git log | Register in SCITT transparency log (append-only) |
| PUBLISH | git push | Generate trust.txt (via corsair trust-txt generate) that points to SCITT + catalog |
| VERIFY | git verify-commit | Verify Ed25519 signature via DID:web resolution |
| DIFF | git diff | Compare two CPOEs, detect compliance regressions |
| SIGNAL | git webhooks | Real-time compliance change notifications via FLAGSHIP (SSF/CAEP) |
Tool Adapters (Mapping-First)
Corsair accepts structured output from security scanning tools and compliance platforms via mapping packs. Each mapping translates tool-native formats into the canonical evidence format for signing. You can still force the generic parser with --format generic, which bypasses mapping detection.
Mappings are JSON files loaded via CORSAIR_MAPPING_DIR, CORSAIR_MAPPING_FILE, the CLI --mapping flag, or corsair mappings add. Evidence-only mappings still produce a valid CPOE and surface their data in credentialSubject.extensions. Use corsair mappings list to see what is loaded and corsair mappings validate to check mapping files. Build packs with corsair mappings pack and sign them with corsair mappings sign. When several mappings match, they are evaluated by priority (higher wins), then by filename order. Signed packs are verified only when CORSAIR_MAPPING_PACK_PUBKEY is set, so set it wherever packs from outside your own repository are loaded.
| Input | How It Works |
|---|---|
| mapping-pack | Auto-detected via mapping registry (tool-specific) |
| generic | Any JSON with { metadata, controls[] } |
Provenance Model
Every CPOE records provenance — where the evidence came from. Corsair does not judge evidence quality. It records provenance, signs the result, and lets buyers decide what's sufficient.
| Source | Name | What It Means |
|---|---|---|
| self | Self-Assessed | Organization self-attests without automated evidence |
| tool | Tool-Generated | Security tool output produced the evidence |
| auditor | Auditor-Verified | Independent third party reviewed and verified the assessment |
Policy Artifacts
Policies let the relying party encode acceptance criteria without adding judgment:
- Require a specific issuer
- Require receipts + SCITT anchors
- Require evidence chain or input binding
They’re portable JSON files, consumed by corsair verify --policy <file>.
Evidence Chain
Every finding in Corsair is backed by a cryptographic evidence chain:
- Each evidence record is hashed with SHA-256
- Each hash includes the previous record's hash (chain)
- The chain digest is included in the Marque signature
- Tampering with any record breaks the chain
This ensures evidence integrity without trusting any central authority. The chain alone only detects edits made without recomputing the hashes; an attacker who rewrites a record and rebuilds every downstream hash produces a chain that is internally consistent, so the signed chain digest in the Marque (and the SCITT receipt for it) is what actually pins the evidence.
Marque Signing
A Marque is signed with Ed25519 (EdDSA over Curve25519):
- Private key: Used by the corsair sign CLI to sign attestations
- Public key: Shared with anyone who needs to verify
- Verification: Runs client-side via Web Crypto API at grcorsair.com/marque
No server, no account, no data sharing required for verification.
Parley Protocol
Parley is the trust exchange protocol that composes three open standards:
| Standard | Role | What It Provides |
|---|---|---|
| JWT-VC (W3C) | Proof | CPOE as a Verifiable Credential, Ed25519-signed |
| SCITT (IETF) | Audit trail | Append-only transparency log with COSE receipts and Merkle proofs |
| SSF/CAEP (OpenID) | Signals | Real-time compliance change notifications via FLAGSHIP |
Together, these ensure that compliance proofs are verifiable, auditable, and communicated in real time. Any JWT library that supports the EdDSA algorithm can verify a CPOE once it has the issuer's public key from the DID:web document. Zero vendor lock-in.