Internet-Draft VAP-LAP February 2026
Yamakawa Expires 28 August 2026 [Page]
Workgroup:
Network Working Group
Internet-Draft:
draft-ailex-vap-legal-ai-provenance-02
Published:
Intended Status:
Experimental
Expires:
Author:
S. Yamakawa, Ed.
AILEX LLC / VeritasChain Standards Organization

Verifiable AI Provenance (VAP) Framework and Legal AI Profile (LAP)

Abstract

This document specifies the Verifiable AI Provenance (VAP) Framework, a cross-domain upper framework for cryptographically verifiable decision audit trails in high-risk AI systems, along with the Legal AI Profile (LAP), a domain-specific instantiation for legal AI and LegalTech systems.

VAP defines common infrastructure including hash chain integrity, digital signatures, unified conformance levels (Bronze/Silver/Gold), external anchoring via RFC 3161 Time-Stamp Protocol and compatible transparency services (including IETF SCITT), a Completeness Invariant pattern guaranteeing no selective logging, standardized Evidence Pack format for regulatory submission, and privacy-preserving verification protocols.

LAP extends VAP for the judicial AI domain, addressing unique requirements including attorney oversight verification (Human Override Coverage), three-pipeline completeness invariants for legal consultation, document generation, and fact-checking, tiered content retention with legal hold protocols for judicial discovery compliance, graduated override enforcement mechanisms, and privacy- preserving fields designed to maintain attorney-client privilege while enabling third-party auditability.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 28 August 2026.

Table of Contents

1. Introduction

The deployment of AI systems in high-risk domains -- including finance, healthcare, transportation, and the administration of justice -- creates a structural accountability gap. AI decisions that affect fundamental rights and societal infrastructure lack standardized, cryptographically verifiable audit trails that independent third parties can inspect.

Current approaches rely on trust-based governance: AI providers assert that their systems are safe and well-logged, but no independent party can cryptographically verify these claims. The Verifiable AI Provenance (VAP) Framework addresses this gap by defining a "Verify, Don't Trust" architecture for AI decision provenance.

This document defines two complementary specifications:

  1. VAP Framework (Part I): A cross-domain upper framework defining common infrastructure for verifiable AI provenance applicable to any high-risk AI domain.
  2. Legal AI Profile (LAP) (Part II): A domain-specific profile for legal AI systems, addressing requirements arising from professional regulation of attorneys and high-risk AI system governance.

1.1. Scope

VAP targets AI systems where "system failure could cause significant and irreversible harm to human life, societal infrastructure, or democratic institutions." This intentionally strict scope distinguishes VAP from general-purpose logging frameworks.

LAP specifically addresses legal AI systems that provide AI-powered legal consultation, document generation, and fact-checking services to licensed attorneys.

1.2. Design Philosophy

The core principle is "Verify, Don't Trust." Rather than relying on AI providers' claims about the safety and integrity of their systems, VAP enables independent, cryptographic verification of every AI decision's provenance, completeness, and human oversight.

NOTE: This Internet-Draft is the authoritative specification for the VAP Framework and LAP Profile. Where differences exist between this document and other published descriptions of the VAP Framework (e.g., companion white papers or implementation guides), this Internet-Draft takes precedence.

2. Conventions and Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

2.1. Terminology

VAP
Verifiable AI Provenance Framework - the cross-domain upper framework defined in this document.
Profile
A domain-specific instantiation of VAP (e.g., VCP for finance, CAP for content, LAP for legal).
LAP
Legal AI Profile - the judicial AI domain profile defined in this document.
Provenance
Cryptographically verifiable record of data origin, derivation, and history.
Completeness Invariant
A mathematical guarantee that every attempt event has exactly one corresponding outcome event.
Evidence Pack
A self-contained, signed package of provenance events suitable for regulatory submission and third-party audit.
External Anchor
Registration of a Merkle root hash with an external trusted timestamping service such as [RFC3161] or a compatible transparency log such as IETF SCITT [IETF-SCITT].
Human Override
An event recording a human professional's review, approval, modification, or rejection of an AI-generated output.
Override Coverage
The ratio of AI outputs reviewed by a human professional to total AI outputs, expressed as a percentage.
Causal Link
A reference from an outcome event to its originating attempt event, establishing referential integrity within a pipeline.
Content Retention Tier
One of three levels of content preservation (Full Content, Recoverable Hash, Hash-Only) defining the availability of original event content at a given point in the retention lifecycle.
Legal Hold
A directive freezing the current retention tier for events within scope, preventing content deletion or tier transition during litigation, investigation, or regulatory inquiry.
Override Enforcement Level
One of four graduated control levels (Metric Only, Warn, Gate, Strict) governing how the system responds when AI outputs lack corresponding HUMAN_OVERRIDE events.
Hash Input
The canonical byte sequence over which EventHash is computed, defined as the JCS-canonicalized event with the security.event_hash, security.signature, and security.sign_algo fields removed. See Section 4.2.

3. VAP Framework Architecture

3.1. Layer Model

VAP is organized into four core layers, a common infrastructure layer, and a domain profile layer:

Integrity Layer
Hash chain, digital signatures, timestamps (REQUIRED for all levels).
Provenance Layer
Actor, input, context, action, and outcome recording (REQUIRED).
Accountability Layer
Operator identification, approval chain, delegation records (REQUIRED for operator_id; RECOMMENDED for approval chain).
Traceability Layer
Trace IDs, causal links, cross-profile references (REQUIRED for trace_id; OPTIONAL for cross-references).
Common Infrastructure
Conformance levels, external anchoring, completeness invariant, evidence packs, privacy-preserving verification, retention framework (availability depends on conformance level).
Domain Profile Layer
Domain-specific event types, data model extensions, regulatory mappings (defined per profile).

3.2. Domain Profiles

VAP supports multiple domain profiles. Each profile MUST define:

  1. Event Types: Domain-specific event type taxonomy.
  2. Data Model Extensions: Additional fields beyond the VAP common event structure.
  3. Conformance Mapping: Mapping to VAP Bronze/Silver/Gold levels.
  4. Regulatory Alignment: Mapping to applicable regulations (informative).
  5. Completeness Invariant Application: How the completeness invariant applies to domain-specific event flows.

Registered profiles include VCP (Finance), CAP (Content/Creative AI), and LAP (Legal AI, defined in Part II of this document). Additional profiles for automotive (DVP), medical (MAP), and public administration (PAP) domains are under development.

4. Cryptographic Foundation

4.1. Algorithm Requirements

All VAP-conformant implementations MUST support the primary algorithms listed below. Implementations SHOULD support at least one alternative algorithm in each category for migration purposes. Post-quantum algorithms are listed for future migration readiness and are currently OPTIONAL.

Table 1: Required Cryptographic Algorithms
Category Primary (MTI) Alternative Post-Quantum (Future MTI)
Hash SHA-256 SHA-384, SHA-512 SHA3-256
Signature Ed25519 ([RFC8032]) ECDSA P-256 ([RFC6979]) ML-DSA-65 ([FIPS204])
Encryption AES-256-GCM ChaCha20-Poly1305 N/A (see KEM row)
KEM N/A (classical key exchange) N/A ML-KEM-1024 ([FIPS203])

Note: The Post-Quantum signature algorithm ML-DSA-65 (formerly known as CRYSTALS-Dilithium, renamed upon FIPS 204 standardization in August 2024) provides security equivalent to AES-192. This parameter set was selected as a balance between signature size (3,309 bytes) and security margin for legal audit trails requiring multi-decade retention. ML-DSA-44 (AES-128 equivalent) was considered insufficient for the intended retention periods; ML-DSA-87 (AES-256 equivalent) imposes significantly larger signatures (4,627 bytes) with marginal practical benefit for this use case.

Note: ML-KEM-1024 (formerly known as CRYSTALS-Kyber, renamed upon FIPS 203 standardization in August 2024) is a key encapsulation mechanism (KEM), not an encryption algorithm. It is listed separately from symmetric encryption because KEM and symmetric encryption serve different roles: KEM establishes shared secrets for key agreement, while AES-256-GCM provides authenticated encryption of content.

Implementations MUST include algorithm identifiers in all cryptographic fields. The following table defines the canonical algorithm identifiers used in field values and wire-format prefixes:

Table 2: Canonical Algorithm Identifiers
Algorithm Field Value (hash_algo / sign_algo) Wire Prefix (in encoded strings) Reference
SHA-256 "sha-256" "sha-256:" NIST FIPS 180-4
SHA-384 "sha-384" "sha-384:" NIST FIPS 180-4
SHA-512 "sha-512" "sha-512:" NIST FIPS 180-4
SHA3-256 "sha3-256" "sha3-256:" NIST FIPS 202
Ed25519 "ed25519" "ed25519:" [RFC8032]
ECDSA P-256 "ecdsa-p256" "ecdsa-p256:" [RFC6979]
ML-DSA-65 "ml-dsa-65" "ml-dsa-65:" [FIPS204]

All algorithm identifiers MUST be lowercase ASCII strings with hyphens as separators. The field value and wire prefix use the same string (the wire prefix appends a colon as delimiter). Implementations MUST perform case-insensitive comparison when validating algorithm identifiers but MUST produce lowercase output. These identifiers enable crypto agility and algorithm migration as specified in Section 4.4.

4.2. Hash Chain Specification

Events MUST be linked in a hash chain where each event's hash includes the hash of the preceding event.

The Hash Input is computed by removing the following fields from the event before canonicalization:

  • security.event_hash
  • security.signature

The remaining fields (including security.hash_algo, security.sign_algo, and security.signer_id) are retained in the hash input. This explicit exclusion list prevents circular references (event_hash cannot be included in its own computation) and ensures that implementations agree on the hash input.

The computation proceeds as follows:

  HashInput[n] = Event[n] with {security.event_hash,
                                security.signature} removed

  EventHash[n] = HashAlgo(JCS-Canonicalize(HashInput[n]))

  where:
    Event[n].header.prev_hash = EventHash[n-1]
    Event[0].header.prev_hash = null  (genesis event)
    HashAlgo is the algorithm specified in security.hash_algo
    JCS-Canonicalize follows RFC 8785

Canonicalization MUST follow [RFC8785] (JSON Canonicalization Scheme).

Chain integrity verification MUST confirm:

  1. Each event's EventHash matches the recomputed hash over the Hash Input.
  2. Each event's prev_hash matches the preceding event's EventHash.
  3. The genesis event has a null prev_hash.
  4. The hash_algo specified in each event is a supported algorithm.

4.3. Digital Signature Requirements

Every event MUST be signed. The signature MUST be computed over the EventHash bytes (not over the raw event):

  Signature = SignAlgo.Sign(PrivateKey, EventHash_bytes)

The signature MUST be encoded as follows:

  security.signature = sign_algo_id ":" Base64url(Signature_bytes)

where sign_algo_id is the canonical algorithm identifier from Table 2 matching the security.sign_algo field (e.g., "ed25519", "ecdsa-p256"), and Base64url encoding follows [RFC4648] Section 5 (URL-safe alphabet, no padding).

The primary mandatory-to-implement (MTI) signature algorithm is Ed25519 [RFC8032]. Implementations MUST support Ed25519 and SHOULD support at least one additional algorithm from Table 1 for migration purposes.

4.4. Algorithm Migration

VAP is designed for crypto agility per BCP 201 [RFC7696]. Algorithm migration proceeds as follows:

  1. A new algorithm is added to the supported set via a specification update.
  2. Implementations begin producing events with the new algorithm alongside the existing algorithm (dual-signing period, RECOMMENDED minimum 6 months).
  3. Once all verifiers support the new algorithm, the old algorithm is deprecated.
  4. After a deprecation notice period (RECOMMENDED minimum 12 months), implementations MAY stop producing events with the old algorithm.

During migration, the hash chain MAY contain events signed with different algorithms. Verifiers MUST support all algorithms that appear in the chain being verified.

4.4.1. Post-Quantum Readiness

Audit trails with multi-decade retention periods (up to 10 years at Gold level) face exposure to "harvest now, decrypt later" attacks. NIST has announced timelines for deprecating RSA and ECC algorithms (targeted deprecation by 2030, disallowance by 2035).

Implementations with Gold-level retention requirements SHOULD prepare for post-quantum transition by:

  • Tracking ML-DSA (FIPS 204) readiness in their cryptographic libraries.
  • Planning for hybrid classical+PQ signing approaches during the transition period, per the guidance in [RFC9794].
  • Ensuring that signed Evidence Packs can be re-signed with post-quantum algorithms when available, while preserving the original classical signature chain for historical verification.

5. Common Event Structure

All VAP-conformant events MUST include the following fields:

{
  "vap_version": "1.3",
  "profile": {
    "id": "string (VCP|CAP|LAP|DVP|MAP|PAP)",
    "version": "semver string"
  },
  "header": {
    "event_id": "UUIDv7 (RFC 9562)",
    "chain_id": "UUIDv7",
    "prev_hash": "sha-256:<64 lowercase hex chars> | null",
    "timestamp": "RFC 3339 datetime with timezone",
    "event_type": "string (profile-specific)",
    "causal_link": {
      "target_event_id": "UUIDv7 | null",
      "link_type": "string (OUTCOME_OF|OVERRIDE_OF|HOLD_ON|
                            RECOVERY_OF|TIER_CHANGE_OF|null)"
    }
  },
  "provenance": {
    "actor": {
      "actor_id": "string",
      "actor_hash": "sha-256:<64 lowercase hex chars>",
      "role": "string"
    },
    "input": { },
    "context": { },
    "action": { },
    "outcome": { }
  },
  "accountability": {
    "operator_id": "string",
    "last_approval_by": "string",
    "approval_timestamp": "RFC 3339"
  },
  "domain_payload": { },
  "security": {
    "event_hash": "sha-256:<64 lowercase hex chars>",
    "hash_algo": "sha-256",
    "signature": "ed25519:base64url...",
    "sign_algo": "ed25519",
    "signer_id": "string"
  }
}

Event identifiers MUST use UUIDv7 ([RFC9562]) to ensure time-ordered sortability. JSON canonicalization MUST follow [RFC8785].

The profile.id field MUST be 1-4 uppercase ASCII characters matching a registered profile identifier (see Section 21.2). Note that profile identifiers use uppercase (e.g., "LAP") while algorithm identifiers use lowercase (e.g., "sha-256") per Table 2; this distinction is intentional and reflects their different registries.

Timestamps MUST conform to [RFC3339] (a profile of ISO 8601) and MUST include a timezone offset or "Z" for UTC. Implementations SHOULD use UTC for all timestamps.

The header.causal_link field provides a standardized location for referential integrity across all profiles. Outcome events MUST set target_event_id to the originating attempt event's identifier and link_type to "OUTCOME_OF". HUMAN_OVERRIDE events MUST set target_event_id to the target output event and link_type to "OVERRIDE_OF". Events with no causal link MUST set both fields to null.

Hash values MUST be encoded as lowercase hexadecimal strings, prefixed with the canonical algorithm identifier (from Table 2) followed by a colon (e.g., "sha-256:a1b2c3..."). The hexadecimal string MUST be the exact length corresponding to the hash output (64 characters for sha-256, 96 for sha-384, 128 for sha-512).

All text fields MUST be encoded as UTF-8 ([RFC3629]).

5.1. Numeric Value Encoding

Fields representing monetary amounts, cryptographic values, or high-precision measurements SHOULD be encoded as JSON strings rather than JSON numbers. This recommendation is motivated by:

  • IEEE 754 double-precision floating-point, the only numeric type in JSON (per [RFC8259], Section 6), cannot exactly represent all decimal values. Financial and legal contexts require exact decimal representation.
  • JSON parsers across programming languages exhibit inconsistent behavior for large integers (exceeding 2^53) and high-precision decimals, leading to silent data corruption.
  • Canonicalization stability: [RFC8785] defines specific rules for numeric serialization, but string encoding avoids parser-dependent numeric reformatting entirely, ensuring consistent hash computation across implementations.

Fields where exact precision is not critical (e.g., event_count, token_count) MAY use JSON numbers. Implementations MUST document which fields use string encoding. Implementations that use JSON numbers for counters MUST ensure that any numeric-to-string conversion performed during canonicalization is deterministic and documented, to avoid signature verification ambiguity across languages and libraries.

6. Conformance Levels

VAP defines three conformance levels applicable to all domain profiles. Each level inherits all requirements of lower levels (Gold is a superset of Silver, which is a superset of Bronze).

6.1. Bronze Level

Target: SMEs, early adopters. Core capabilities:

  • Event logging for all AI decision points (REQUIRED)
  • Hash chain linking all events using a supported hash algorithm (REQUIRED)
  • Digital signature on every event using a supported signature algorithm (REQUIRED)
  • [RFC3339] timestamps with timezone (REQUIRED)
  • UUIDv7 event identifiers (REQUIRED)
  • Minimum 6-month retention (REQUIRED)
  • Event structure validation against the Common Event Structure (Section 5) with at minimum all REQUIRED fields present and correctly typed (REQUIRED)

Note: Formal JSON Schema definitions for validation are provided in Appendix "Appendix B. Validation Requirements". Bronze implementations MUST validate the presence and type of all REQUIRED fields defined in Section 5.

6.2. Silver Level

Target: Enterprise, regulated industries. Additional requirements beyond Bronze:

  • Daily external anchoring to a trusted timestamping service conforming to [RFC3161] (with [RFC5816] ESSCertIDv2 support) or an equivalent transparency log (REQUIRED)
  • Completeness Invariant verification (REQUIRED)
  • Evidence Pack generation capability (REQUIRED)
  • Sensitive data hashing for privacy preservation (REQUIRED)
  • Minimum 2-year retention (REQUIRED)
  • Merkle tree construction per Section 7.3 (REQUIRED)
  • Third-party verification endpoint conforming to Section 12 (REQUIRED)

6.3. Gold Level

Target: Highly regulated industries. Additional requirements beyond Silver:

  • Hourly external anchoring (REQUIRED)
  • HSM for signing key storage, [FIPS140-3] Level 2 or above (REQUIRED). Note: FIPS 140-2 validated modules MAY be used during the transition period ending September 2026, after which FIPS 140-3 is REQUIRED.
  • Integration with a transparency log service such as IETF SCITT [IETF-SCITT] or equivalent (REQUIRED)
  • Real-time audit API conforming to Section 12 (REQUIRED)
  • Minimum 5-year retention (REQUIRED)
  • 24-hour incident response and evidence preservation (REQUIRED)
  • Geographic redundancy, minimum 2 regions (REQUIRED)
  • Annual third-party audit (REQUIRED)
  • Crypto-shredding support (REQUIRED)

7. External Anchoring

External anchoring proves that events existed at a specific point in time, preventing backdating, forward-dating, and log forking.

7.1. Anchoring Service Types

VAP defines an abstract anchoring interface that can be realized by multiple service types. The baseline anchoring service is [RFC3161] Time-Stamp Authority (TSA), with [RFC5816] support for ESSCertIDv2 (enabling SHA-256 certificate identification instead of SHA-1). Additional service types include transparency logs and public blockchains.

RFC 3161 TSA (Baseline)
Traditional enterprise timestamping via X.509 PKI ([RFC3161]). This is the normative baseline. Trust model: CA trust hierarchy. Implementations MUST support [RFC5816] for SHA-256-based certificate identification.
Transparency Log (e.g., IETF SCITT)
Append-only transparency logs providing public verifiability. IETF SCITT ([IETF-SCITT]) is one such service; implementations MAY use any transparency log providing equivalent append-only and inclusion-proof guarantees. Registration via SCRAPI ([IETF-SCRAPI]) is RECOMMENDED for SCITT integration. Trust model: public append-only log with cryptographic inclusion proofs.
Blockchain
Bitcoin or Ethereum anchoring for maximum decentralization. Trust model: PoW/PoS consensus. This option is non-normative and provided for environments requiring decentralized trust.

Gold Level implementations MUST use at least one transparency log service (such as SCITT) or equivalent, in addition to or instead of RFC 3161 TSA. Implementations SHOULD use multiple independent anchoring services for critical deployments.

7.2. Anchor Record Format 

{
  "anchor_id": "UUIDv7",
  "anchor_type": "RFC3161 | TRANSPARENCY_LOG | BLOCKCHAIN",
  "merkle_root": "sha-256:<64 lowercase hex chars>",
  "event_count": 1000,
  "first_event_id": "UUIDv7",
  "last_event_id": "UUIDv7",
  "first_event_timestamp": "RFC 3339",
  "last_event_timestamp": "RFC 3339",
  "anchor_timestamp": "RFC 3339",
  "anchor_proof": { },
  "service_endpoint": "https://tsa.example.com"
}

The anchor_proof field is an object whose structure depends on the anchor_type:

RFC3161
anchor_proof MUST contain: "tst_token" (Base64url-encoded RFC 3161 TimeStampToken per [RFC4648] Section 5), "hash_algo" (algorithm used in TSA request), and "tsa_cert_hash" (SHA-256 hash of the TSA certificate). Verification: parse the TimeStampToken, confirm the imprint matches the merkle_root, and validate the TSA signature chain.
TRANSPARENCY_LOG
anchor_proof MUST contain: "inclusion_proof" (array of Base64url-encoded sibling hashes from leaf to root), "tree_size" (integer, total leaves at time of inclusion), "leaf_index" (integer, position of this entry), and "log_id" (identifier of the transparency log). Verification follows the Merkle audit path algorithm defined in [RFC9162] Section 2.1.3.
BLOCKCHAIN
anchor_proof MUST contain: "tx_id" (transaction identifier as hex string), "block_height" (integer), "chain" (e.g., "bitcoin", "ethereum"), and "confirmations" (integer, number of confirmations at recording time). This anchor type is non-normative.

7.3. Merkle Tree Construction

Events MUST be batched into a binary Merkle hash tree for efficient anchoring and selective disclosure. The tree construction follows [RFC9162] (Certificate Transparency Version 2.0) Section 2, which obsoletes [RFC6962]:

  MTH({})       = SHA-256()    (empty hash for zero inputs)
  MTH({d(0)})   = SHA-256(0x00 || d(0))
  MTH(D[n])     = SHA-256(0x01 || MTH(D[0:k]) || MTH(D[k:n]))

  where:
    D[n] is the list of n event hashes
    k is the largest power of 2 less than n
    0x00 is the leaf node prefix
    0x01 is the interior node prefix
    || denotes concatenation

This construction uses domain separation prefixes (0x00 for leaves, 0x01 for interior nodes) to prevent second-preimage attacks, and handles non-power-of-two leaf counts without duplicating leaves, consistent with [RFC9162].

The resulting Merkle root is submitted to the external anchoring service. Merkle inclusion proofs enable selective disclosure: a verifier can confirm that a specific event is included in an anchored batch without accessing other events in the batch.

8. Completeness Invariant

The Completeness Invariant is a mathematical guarantee that every "attempt" event has exactly one corresponding "outcome" event. This prevents selective logging -- the omission of inconvenient records.

General form:

  For each pipeline P:
    Count(P_ATTEMPT) = Count(P_SUCCESS)
                     + Count(P_DENY)
                     + Count(P_ERROR)

The invariant enforces three properties:

Completeness
Every ATTEMPT has an outcome. Violation indicates missing events.
Uniqueness
Each ATTEMPT has exactly one outcome. Violation indicates duplicate records.
Referential Integrity
Every outcome contains a causal link (via header.causal_link.target_event_id) to its originating ATTEMPT. Violation indicates orphan events.

Domain profiles MUST specify which event types constitute attempts and outcomes for the invariant. Each outcome event MUST set header.causal_link.target_event_id to the originating attempt event's event_id and header.causal_link.link_type to "OUTCOME_OF".

Verification SHOULD account for a configurable grace period for in-flight operations. The grace period MUST NOT exceed 300 seconds (RECOMMENDED default: 60 seconds). If an ATTEMPT event has no corresponding outcome event after the grace period has elapsed, a verification implementation SHOULD treat this as a completeness violation. Implementations MAY emit a synthetic TIMEOUT_ERROR outcome event when the grace period expires, to maintain the invariant.

9. Evidence Pack Specification

An Evidence Pack is a self-contained, signed package of provenance events suitable for regulatory submission and third-party audit.

9.1. Pack Structure

An Evidence Pack MUST contain:

  • manifest.json: Pack metadata and integrity information
  • events/: Event batches (max 10,000 events per file)
  • anchors/: External anchor records
  • merkle/: Merkle tree structure and selective disclosure proofs
  • keys/: Public keys for signature verification
  • signatures/: Pack-level signature

The Evidence Pack SHOULD be packaged as a ZIP archive with the media type application/vap-evidence-pack+zip (see Section 21.1). The manifest MUST use the media type application/vap-manifest+json.

9.2. Pack Manifest

The manifest MUST include the following fields:

pack_id (REQUIRED)
UUIDv7 uniquely identifying this Evidence Pack.
vap_version (REQUIRED)
VAP framework version (e.g., "1.3").
profile (REQUIRED)
Object containing profile id and version.
conformance_level (REQUIRED)
"Bronze", "Silver", or "Gold".
generated_at (REQUIRED)
[RFC3339] timestamp of pack generation.
time_range (REQUIRED)
Object with start and end [RFC3339] timestamps.
statistics (REQUIRED)
Object containing total_events and events_by_type breakdown.
completeness_verification (REQUIRED for Silver+)
Object containing invariant_type, invariant_valid boolean, grace_period_seconds, and per-pipeline results.
integrity (REQUIRED)
Object containing checksums (SHA-256 per file), merkle_root, and pack_hash.