Certificate Issuance
Certificate issuance is the mechanism that makes the phrase “AIEP Certified” truthful and machine-verifiable.
AIEP does not require certification. Certification exists to protect users from false claims. When a system claims to be certified, it should be able to point to a certificate artefact and the verification material required to validate it.
The issuance lifecycle
A practical issuance process has four stages:
- Application — the operator requests certification and supplies the required artefacts.
- Assessment — the issuer validates the implementation against a published policy and schema set.
- Issuance — a certificate artefact is created, signed, and published.
- Ongoing validity — revocation or expiry is recorded if required.
Where certificates live
Certificates can be published by:
- the certified system (recommended: stable URL under its own AIEP surface)
- the issuer registry (optional mirror record)
- both (best practice for resilience)
What a certificate contains
A minimal certificate includes:
- certificate id
- issuer identity
- issuance timestamp
- policy version
- subject (the certified domain/system)
- signature and public key reference
Verification
Verification should be deterministic:
- retrieve the certificate artefact
- retrieve issuer verification material from the registry
- validate structure via schema
- verify signature
- check revocation/expiry status
This repo ships the public interfaces and schemas for that flow. The operational issuance services are implemented via Worker/registry infrastructure when you are ready.
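The verification steps above, as an added example in Node.js that is not part of this repo's code: it checks structure, looks up the issuer key in the registry, verifies the signature, then checks revocation and expiry. Assumptions not taken from the page: the field names (including expires_at), Ed25519 signatures, sorted-key JSON as the signed bytes, the registry shape, and a required-field check standing in for schema validation.

```javascript
// Added example, not AIEP project code. Field names, Ed25519 and the
// sorted-key JSON signing input are assumptions; the page fixes none of them.
const nodeCrypto = require('node:crypto');

const REQUIRED = ['certificate_id', 'issuer', 'issued_at', 'expires_at',
  'policy_version', 'subject', 'public_key_ref', 'signature'];

// Bytes that are signed: every field except the signature, keys sorted.
function signingInput(cert) {
  const body = {};
  for (const k of Object.keys(cert).sort()) if (k !== 'signature') body[k] = cert[k];
  return Buffer.from(JSON.stringify(body));
}

// registry: { keys: { ref: { issuer, publicKey } }, revoked: Set of certificate ids }
function verifyCertificate(cert, registry, now) {
  // 1. Structure (stand-in for the schema check).
  for (const f of REQUIRED) {
    if (typeof cert[f] !== 'string' || cert[f] === '') return 'invalid-structure';
  }
  // 2. Issuer key comes from the registry, never from the certificate itself.
  const entry = registry.keys[cert.public_key_ref];
  if (!entry || entry.issuer !== cert.issuer) return 'unknown-issuer-key';
  // 3. Signature over the canonical bytes.
  const sig = Buffer.from(cert.signature, 'base64');
  if (!nodeCrypto.verify(null, signingInput(cert), entry.publicKey, sig)) return 'bad-signature';
  // 4. Revocation and expiry, against a caller-supplied clock (fails closed on bad dates).
  if (registry.revoked.has(cert.certificate_id)) return 'revoked';
  const t = now.getTime();
  if (!(Date.parse(cert.issued_at) <= t && t < Date.parse(cert.expires_at))) return 'outside-validity';
  return 'valid';
}

// Constructed sample data: a throwaway issuer key and one certificate.
function buildSample() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const cert = {
    certificate_id: 'cert-0001', issuer: 'issuer.example',
    issued_at: '2025-01-01T00:00:00Z', expires_at: '2026-01-01T00:00:00Z',
    policy_version: '1.0', subject: 'system.example',
    public_key_ref: 'issuer.example#key-1',
  };
  cert.signature = nodeCrypto.sign(null, signingInput(cert), privateKey).toString('base64');
  const registry = { keys: { 'issuer.example#key-1': { issuer: 'issuer.example', publicKey } },
    revoked: new Set() };
  return { cert, registry };
}
```

Passing the clock in as `now` keeps the result deterministic for a given certificate, registry snapshot and time.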