![](data:image/svg+xml,%3Csvg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16"%3E%3Crect width="16" height="16" rx="4" fill="%23093bff"/%3E%3Ctext x="8" y="11" text-anchor="middle" font-size="9" font-family="Arial,Helvetica,sans-serif" fill="white"%3EO%3C/text%3E%3C/svg%3E)
Trust model
OpenAuthCert badges are designed to be portable proof objects. Vendors can embed them in documentation, customers can verify them offline, and the community can audit every change.
Signature model
- Badges are signed with Ed25519, providing strong security with a compact key size.
- The canonical payload excludes the
digital_signaturefield and is serialized with sorted keys. - The public key is published at
/public_key.pemfor anyone to use. - Signatures are verified using the same algorithm in browsers (Web Crypto) and in tooling.
- The signed payload includes
expires_at, so a badge is intrinsically time-bounded — like a TLS certificate, it lapses to expired on its own without any further action, and the verify tool reports that even when the signature is still valid.
Freshness, not just authenticity
A valid signature proves a badge is authentic and untampered, but not that it is still current. Always check the lifecycle status too:
- Expired — past
expires_at; the vendor must renew. - Revoked — explicitly withdrawn (see Governance).
The verify tool, the badge server's /verify endpoint, and the embeddable status SVG all surface this lifecycle status, not just signature validity.
Verifying badges on the command line
The repository includes the oac CLI (packages/cli) for signing and verification:
node packages/cli/dist/cli.js verify \
registry/badge-registry/acme-cloud/cloud-sso/1.0.0.json \
--pub specs/badge-spec/public.pemIt reads the badge, canonicalizes it with the shared @openauthcert/core algorithm, and verifies the signature against the PEM key — the exact same canonicalization the browser verifier uses. Use it as a reference for your own automation.
Embedding badges with JSON-LD
Vendors can publish a signed badge on their sites using JSON-LD:
{
"@context": "https://schema.org",
"@type": "CreativeWork",
"name": "OpenAuthCert badge",
"url": "https://vendor.example.com/security/badges/cloud-sso",
"identifier": {
"@type": "PropertyValue",
"name": "OpenAuthCert",
"value": "acme-cloud/cloud-sso/1.0.0"
},
"subjectOf": {
"@type": "Dataset",
"name": "Badge payload",
"distribution": {
"@type": "DataDownload",
"encodingFormat": "application/json",
"contentUrl": "https://openauthcert.org/registry/badge-registry/acme-cloud/cloud-sso/1.0.0.json"
}
}
}Publish the JSON-LD snippet on a page and link directly to the badge JSON in the registry. Encourage customers to use the verify tool before relying on any badge.