Why This Matters
Corsair proofs are verified against a domain-controlled DID and a trust.txt file. In most companies, GRC teams don’t control the root domain, so the safest, standard approach is a delegated subdomain (for example, trust.example.com). IT keeps control of the root domain, and GRC gets a narrow, auditable surface for compliance proofs. If that’s still too heavy, a delegated DNS TXT record can point to a hosted trust.txt.
What IT Is Being Asked To Do
Create a subdomain that GRC can control and host static files on, or add a single DNS TXT record to delegate trust.txt hosting.
Self-hosted option: GRC publishes these three static files on the subdomain:
https://trust.example.com/.well-known/trust.txt
https://trust.example.com/.well-known/did.json
https://trust.example.com/.well-known/jwks.json
This is a small, one-time change and can be implemented with a CNAME, an NS delegation, or a single TXT record, as described below.
Option A — CNAME (Simplest self-hosted)
IT adds a CNAME record:
trust.example.com CNAME grcorsair-trust.hosting-provider.com
GRC then hosts static files on that subdomain. IT retains control of the root domain.
Option B — Delegated trust.txt via DNS TXT (Lowest touch)
IT adds a TXT record under the root domain that points to a hosted trust.txt (IT does no web hosting; GRC hosts the file wherever it likes):
_corsair.example.com TXT "corsair-trusttxt=https://trust.example.com/trust.txt"
Optional integrity pinning (recommended): a second TXT record carrying the SHA-256 of the exact bytes of the published trust.txt, so a verifier can detect a file that was changed on the host without a matching DNS change:
_corsair.example.com TXT "corsair-trusttxt-sha256=<sha256>"
The pin must be updated in DNS every time trust.txt is regenerated, otherwise verification of the new file fails.
GRC can host the trust.txt anywhere (or use a managed host), and discovery stays anchored to the company's DNS.
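To make the Option B flow concrete, here is an offline model of what a verifier has to do with the _corsair records. This is an added example and not Corsair's own verifier: the record name and the corsair-trusttxt / corsair-trusttxt-sha256 keys are the ones on this page, while the sample DNS answers, the sample trust.txt bytes, and the function names are constructed here. The resolver and fetcher are passed in as callables so the same logic runs against dictionaries offline or against dig and curl in production. It also shows the failure modes a practitioner should expect: no record, duplicate records, a non-https URL, and a trust.txt whose hash no longer matches the pin.

```python
"""Offline model of delegated trust.txt discovery via _corsair.<domain> TXT.
Added example, not Corsair's code. Sample data below is constructed."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample trust.txt; the real file is produced by the corsair CLI.
TRUST_TXT = b"# constructed sample trust.txt; real content comes from corsair trust-txt generate\n"
PIN = hashlib.sha256(TRUST_TXT).hexdigest()

# Constructed stand-in for the TXT answers of _corsair.example.com.
SAMPLE_TXT_RECORDS: Dict[str, List[str]] = {
    "_corsair.example.com": [
        "corsair-trusttxt=https://trust.example.com/trust.txt",
        "corsair-trusttxt-sha256=" + PIN,
        "unrelated-record=ignore-me",  # other TXT data on the same name is skipped
    ],
}
# Constructed stand-in for HTTPS fetches.
SAMPLE_HOSTED_FILES: Dict[str, bytes] = {
    "https://trust.example.com/trust.txt": TRUST_TXT,
}


@dataclass
class DiscoveryResult:
    ok: bool
    body: Optional[bytes] = None
    error: str = ""


def parse_corsair_records(values: List[str]) -> Tuple[Optional[str], Optional[str], str]:
    """Extract (url, pin, error) from the TXT values of _corsair.<domain>.
    Two URL records or two pin records are rejected instead of picking one:
    anyone able to add a record could otherwise redirect discovery."""
    url = pin = None
    for value in values:
        value = value.strip()
        if value.startswith("corsair-trusttxt="):
            if url is not None:
                return None, None, "multiple corsair-trusttxt records"
            url = value[len("corsair-trusttxt="):]
        elif value.startswith("corsair-trusttxt-sha256="):
            if pin is not None:
                return None, None, "multiple corsair-trusttxt-sha256 records"
            pin = value[len("corsair-trusttxt-sha256="):].lower()
    if url is None:
        return None, None, "no corsair-trusttxt record found"
    if pin is not None and (len(pin) != 64 or set(pin) - set("0123456789abcdef")):
        return None, None, "corsair-trusttxt-sha256 is not a hex SHA-256 digest"
    return url, pin, ""


def discover_trust_txt(domain: str, resolve_txt, fetch) -> DiscoveryResult:
    """resolve_txt(name) -> list of TXT strings; fetch(url) -> bytes.
    Both raise KeyError when nothing is found (dict.__getitem__ semantics)."""
    name = f"_corsair.{domain}"
    try:
        values = resolve_txt(name)
    except KeyError:
        return DiscoveryResult(False, error=f"no TXT records at {name}")
    url, pin, err = parse_corsair_records(values)
    if err:
        return DiscoveryResult(False, error=err)
    if urlparse(url).scheme != "https":
        return DiscoveryResult(False, error=f"trust.txt URL must use https: {url}")
    try:
        body = fetch(url)
    except KeyError:
        return DiscoveryResult(False, error=f"could not fetch {url}")
    if pin is not None:
        digest = hashlib.sha256(body).hexdigest()
        if digest != pin:
            return DiscoveryResult(False, error=f"sha256 mismatch: DNS pin {pin}, fetched {digest}")
    return DiscoveryResult(True, body=body)


def pin_record(domain: str, trust_txt: bytes) -> str:
    """The pin record GRC hands to IT for the exact bytes it will publish."""
    digest = hashlib.sha256(trust_txt).hexdigest()
    return f'_corsair.{domain} TXT "corsair-trusttxt-sha256={digest}"'


if __name__ == "__main__":
    good = discover_trust_txt("example.com", SAMPLE_TXT_RECORDS.__getitem__, SAMPLE_HOSTED_FILES.__getitem__)
    print("intact file:", good.ok, good.error)
    bad = discover_trust_txt("example.com", SAMPLE_TXT_RECORDS.__getitem__, lambda url: b"tampered")
    print("tampered file:", bad.ok, bad.error)
    print(pin_record("example.com", TRUST_TXT))
```

In production the two callables would wrap a DNS lookup (ideally a validating resolver) and an HTTPS GET; the rest of the logic, including the pin comparison on the raw bytes, stays the same. pin_record is the piece GRC runs after every regeneration to produce the updated TXT value for IT.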
Option C — NS Delegation (Most Robust)
IT delegates a subdomain to GRC-controlled nameservers:
trust.example.com NS ns1.corsair-trust.net
trust.example.com NS ns2.corsair-trust.net
GRC then runs authoritative DNS for trust.example.com and everything beneath it (the A/AAAA records of the static host, and nothing else); the root zone stays with IT.
Security Notes (For IT)
- The subdomain hosts static files only, under /.well-known/
- No login, no app, no email, no cookies
- Can be served from a locked-down static host with strict headers (HTTPS only, HSTS, correct Content-Type, no scripts)
- Scope is limited to trust and verification artifacts
- If the CNAME target or the delegated nameservers are ever decommissioned, remove the DNS record at the same time: a dangling CNAME or NS delegation can be claimed by a third party (subdomain takeover), who could then publish their own did.json and trust.txt under the company's name
Copy-Paste Request Email
Subject: Request to delegate trust subdomain for compliance proofs
Hi IT team,
We need a dedicated subdomain to publish compliance proof metadata (trust.txt + DID) for customer verification. This is a standard, low-risk setup similar to status.example.com or security.example.com.
Requested subdomain:
trust.example.com
Preferred DNS option (simple):
trust.example.com CNAME <our-static-host>
Low-touch alternative (delegated trust.txt):
_corsair.example.com TXT "corsair-trusttxt=https://trust.example.com/trust.txt"
_corsair.example.com TXT "corsair-trusttxt-sha256=<sha256>"
Files we will host (self-hosted option):
https://trust.example.com/.well-known/trust.txt
https://trust.example.com/.well-known/did.json
https://trust.example.com/.well-known/jwks.json
If using delegated trust.txt via TXT, we will only host:
https://trust.example.com/trust.txt
This is static content only and does not grant access to the root domain.
Thanks,
<Your Name>
GRC / Security
Next Step
Once the subdomain is live, generate DID + JWKS + trust.txt:
corsair did generate --domain trust.example.com --output did.json
corsair did jwks --domain trust.example.com --output jwks.json
corsair trust-txt generate --did did:web:trust.example.com
If you use delegated TXT instead of self-hosting, generate trust.txt the same way and host it at the delegated URL (for example https://trust.example.com/trust.txt). Discovery will follow the DNS record.
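Once did.json is live, a verifier resolves did:web:trust.example.com to the file and sanity-checks it before trusting any key in it. The block below is an added example, not the corsair CLI or its verifier. The DID-to-URL mapping follows the W3C did:web method (did:web:<host> resolves to https://<host>/.well-known/did.json, further colon-separated segments become path components ending in /did.json, and a port is written as %3A). The sample DID document is constructed here; its public key is the Ed25519 test vector from RFC 8037, not a real Corsair key.

```python
"""did:web resolution and DID document sanity checks for the delegated
subdomain. Added example, not Corsair's code. SAMPLE_DID_JSON is constructed."""
import json
from typing import List
from urllib.parse import unquote


def did_web_to_url(did: str) -> str:
    """Map a did:web DID to the HTTPS URL of its DID document.
    did:web:trust.example.com      -> https://trust.example.com/.well-known/did.json
    did:web:example.com:trust      -> https://example.com/trust/did.json
    did:web:localhost%3A8443       -> https://localhost:8443/.well-known/did.json"""
    prefix = "did:web:"
    if not did.startswith(prefix):
        raise ValueError(f"not a did:web DID: {did}")
    parts = did[len(prefix):].split(":")
    host = unquote(parts[0])  # %3A is the encoded port separator
    if not host or any(p == "" for p in parts[1:]):
        raise ValueError(f"malformed did:web DID: {did}")
    if len(parts) == 1:
        return f"https://{host}/.well-known/did.json"
    return f"https://{host}/" + "/".join(parts[1:]) + "/did.json"


# Constructed DID document for the delegated subdomain. The key is the
# Ed25519 public key from RFC 8037 Appendix A.1, used here as a placeholder.
SAMPLE_DID_JSON = json.dumps({
    "@context": ["https://www.w3.org/ns/did/v1", "https://w3id.org/security/suites/jws-2020/v1"],
    "id": "did:web:trust.example.com",
    "verificationMethod": [{
        "id": "did:web:trust.example.com#key-1",
        "type": "JsonWebKey2020",
        "controller": "did:web:trust.example.com",
        "publicKeyJwk": {"kty": "OKP", "crv": "Ed25519",
                         "x": "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo"},
    }],
    "assertionMethod": ["did:web:trust.example.com#key-1"],
})


def check_did_document(did: str, body: str) -> List[str]:
    """Return the problems found in a DID document fetched for `did`.
    An empty list means the document is acceptable to proceed with.
    The checks bind the document to the DID that was resolved, so a file
    served from the wrong host, or copied from another domain, is rejected."""
    problems: List[str] = []
    try:
        doc = json.loads(body)
    except ValueError as exc:
        return [f"did.json is not valid JSON: {exc}"]
    if doc.get("id") != did:
        problems.append(f"document id {doc.get('id')!r} does not match resolved DID {did!r}")
    methods = doc.get("verificationMethod") or []
    if not methods:
        problems.append("no verificationMethod entries, nothing to verify proofs with")
    known_keys = set()
    for vm in methods:
        vm_id = vm.get("id", "")
        known_keys.add(vm_id)
        if not vm_id.startswith(did + "#"):
            problems.append(f"verificationMethod {vm_id!r} is not a fragment of {did!r}")
        if vm.get("controller") != did:
            problems.append(f"verificationMethod {vm_id!r} is controlled by {vm.get('controller')!r}, not {did!r}")
        if "publicKeyJwk" not in vm and "publicKeyMultibase" not in vm:
            problems.append(f"verificationMethod {vm_id!r} carries no public key material")
    for ref in doc.get("assertionMethod") or []:
        if isinstance(ref, str) and ref not in known_keys:
            problems.append(f"assertionMethod references unknown key {ref!r}")
    return problems


if __name__ == "__main__":
    did = "did:web:trust.example.com"
    print(did, "->", did_web_to_url(did))
    print("problems with sample document:", check_did_document(did, SAMPLE_DID_JSON))
    print("same document resolved for the root DID:", check_did_document("did:web:example.com", SAMPLE_DID_JSON))
```

The second call in the demo shows why the id check matters: the same did.json copied to the root domain, or served from a subdomain that was taken over, is refused because its id and key controllers name trust.example.com rather than the DID actually resolved.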