Trust Verification

DUADP implements a 5-tier trust model with automated cryptographic verification. Every agent published to the network is verified against its claimed trust tier.

🌐

Tier 1

community

Valid JSON schema — minimum bar for inclusion

•Valid apiVersion
•Valid kind (Skill/Agent/Tool)
•metadata.name present

✍️

Tier 2

signed

Ed25519/ES256 signature present and well-formed

•Signature field present
•Algorithm is Ed25519 or ES256
•Signature value + signer present

🔑

Tier 3

verified-signature

DID resolves and public key matches signature

•DID present in identity
•DID resolves (did:web or did:key)
•Verification methods found in DID Document

✅

Tier 4

verified

DID + domain ownership proof via DNS or .well-known

•did:web domain matches
•.well-known/duadp.json exists
•node_id in manifest matches domain

🏛️

Tier 5

official

Manual attestation by OSSA governance body

•Governance review completed
•Attestation signed by OSSA authority
•Cannot be auto-verified

Try It — Verify a Manifest

Paste an OSSA manifest below and verify its trust tier.

Verification Result

Paste a manifest and click Verify to see results

CLI Quick Start

# Scaffold a manifest

$ duadp init

# Verify trust tier

$ duadp verify ai.json

# Publish to a node

$ duadp publish --node https://discover.duadp.org

# Federated search

$ duadp search "code review" --federated

How Trust Verification Works

On Publish

When a resource is published via POST /api/v1/publish, the node runs all 5 trust checks automatically. If the verified tier is lower than the claimed tier, the resource is downgraded to the verified level.

DID Resolution

For did:web identifiers, the node fetches the DID Document from the domain's .well-known/did.json and verifies that verification methods exist. did:key is self-verifying.

Revocation

Revoked resources are propagated across the federation via gossip protocol. Once revoked, a GAID cannot be re-registered on any federated node. Revocation records include reason codes and origin node tracking.