Trust · Integrity · Independent verification

What can be independently proven.

CEYO verification confirms integrity and provenance under declared policy scope.

It does not confirm correctness, fairness, legality, or compliance conclusions. The trust model is intentionally narrow: prove what was sealed, who can verify it, and which policy boundary governed capture.

Trust summary: Integrity · Provenance · Scope
  • Artifacts are deterministically canonicalized before sealing.
  • Sealing produces tamper-evident records that third parties can validate.
  • Key custody remains with the operator in a non-custodial model.

Guarantees

Guarantees vs. non-guarantees.

Institutional review depends on clear boundaries. This page separates what CEYO can actually prove from what it deliberately does not claim.

What CEYO can prove

Integrity

The artifact has not been modified since sealing if digest and signature validation still succeed.

Provenance

The signature validates against the declared public key reference or trusted verification chain.

Policy boundary

Policy ID, version, and (where used) policy hash identify the scope that governed artifact generation.

Deterministic path

Canonicalization produces reproducible bytes so independent verifiers can recompute the same input to hashing.

What CEYO does not claim

Decision correctness: No

Record integrity is not the same as correctness of model output or human judgment.

Compliance certification: No

CEYO does not certify regulatory compliance or provide legal conclusions.

Universal reproducibility: No

Verification confirms the declared artifact path, not replay of every inference condition beyond scope.

Threat model

Common integrity risks.

Trust is not just what CEYO proves when things go right. It is also about what kinds of integrity failures can be detected, bounded, or delegated to operator controls.

Tampering after capture (Integrity)

Modification of an artifact after it is generated.

Canonicalization, hashing, and signature validation create tamper-evidence. Any post-seal modification breaks digest or signature verification.

Replay outside context (Context)

Reuse of a valid artifact outside its intended operational setting.

Artifacts can include timestamps, request identifiers, environment markers, and policy references within scope so replay outside expected context is detectable.

Selective omission (Coverage)

Failure to generate artifacts for some events.

Operators can correlate artifact identifiers against upstream request logs, audit logs, or retention controls to detect gaps in coverage.

Key compromise (Custody)

Signing key compromise in the operator environment.

CEYO is non-custodial. Mitigation depends on operator-side governance: protected storage, rotation, revocation, and incident response procedures.

Verification spec

Deterministic review procedure.

Independent verification is mechanical. It does not depend on trusting the producer’s description of what happened.

Verification steps (deterministic procedure)
  1. Canonicalize the artifact payload using the recorded scheme, such as RFC 8785.
  2. Recompute the SHA-256 digest over the canonical bytes.
  3. Validate the digital signature using the referenced public key or trusted verification chain.
  4. Confirm policy ID, version, disclosure tier, and policy hash alignment where applicable.
Output states may include PASS, FAIL, and POLICY_MISMATCH. Successful verification confirms integrity and provenance under policy scope, not correctness of model output.
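
The four steps above as a small Node.js verifier, added here as an illustration; it is not CEYO's own code or artifact schema. The record layout (`sealed.payload`, `sealed.policy`, `digest`, `signature`), the Ed25519 key type, the policy field names, and all sample values are assumptions constructed for the example.

```javascript
const crypto = require("crypto");

// Step 1: RFC 8785 (JCS) style form: keys sorted by UTF-16 code unit, ECMAScript
// number and string serialization, no insignificant whitespace.
function canonicalize(v) {
  if (typeof v === "number" && !Number.isFinite(v)) throw new Error("NaN/Infinity not allowed");
  if (v === null || typeof v !== "object") return JSON.stringify(v);
  if (Array.isArray(v)) return "[" + v.map(canonicalize).join(",") + "]";
  const keys = Object.keys(v).sort();
  return "{" + keys.map((k) => JSON.stringify(k) + ":" + canonicalize(v[k])).join(",") + "}";
}

const sha256Hex = (bytes) => crypto.createHash("sha256").update(bytes).digest("hex");

// Hypothetical record layout: { sealed: { payload, policy }, digest, signature }.
function verify(record, publicKey, expectedPolicy) {
  const bytes = Buffer.from(canonicalize(record.sealed), "utf8");
  // Step 2: recompute the digest over the canonical bytes.
  if (sha256Hex(bytes) !== record.digest) return "FAIL";
  // Step 3: the signature must cover the same bytes (Ed25519 assumed here).
  const sig = Buffer.from(record.signature, "base64");
  if (!crypto.verify(null, bytes, publicKey, sig)) return "FAIL";
  // Step 4: the sealed policy reference must match what the reviewer expects.
  const policy = record.sealed.policy || {};
  const aligned = ["id", "version", "tier", "hash"].every((k) => policy[k] === expectedPolicy[k]);
  return aligned ? "PASS" : "POLICY_MISMATCH";
}

// Producer side, present only to build constructed sample data.
function seal(sealed, privateKey) {
  const bytes = Buffer.from(canonicalize(sealed), "utf8");
  const signature = crypto.sign(null, bytes, privateKey).toString("base64");
  return { sealed, digest: sha256Hex(bytes), signature };
}

const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
const POLICY = { id: "pol-example", version: "1.0", tier: "internal", hash: "sha256:placeholder" };
const RECORD = seal({ payload: { request_id: "req-001", output: "ok", score: 0.5 }, policy: POLICY }, privateKey);

// A post-seal edit whose digest was recomputed to match: only step 3 catches it.
function tampered(record) {
  const copy = JSON.parse(JSON.stringify(record));
  copy.sealed.payload.output = "edited";
  copy.digest = sha256Hex(Buffer.from(canonicalize(copy.sealed), "utf8"));
  return copy;
}

console.log(verify(RECORD, publicKey, POLICY));
console.log(verify(tampered(RECORD), publicKey, POLICY));
console.log(verify(RECORD, publicKey, { ...POLICY, version: "2.0" }));
```

Because the policy reference sits inside the signed bytes in this layout, a changed policy field fails at the signature step, while a validly sealed record presented under a different expected policy returns POLICY_MISMATCH.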