Public key distribution is essential for independent verification of AI certificates. CertifiedData publishes its Ed25519 public key so any party can verify certificate authenticity without contacting the issuer, calling an API, or holding an account.
This is the same trust model used by TLS certificate authorities, software package signing, and code signing infrastructure — applied to AI artifact certification.
How public key verification works
CertifiedData signs each certificate payload with an Ed25519 private key. The corresponding public key is published at the well-known registry endpoint and stays the same until the key is rotated.
Any verifier can load the public key, reconstruct the certificate payload, and run Ed25519 verification against the signature field. A valid result confirms the certificate was issued by CertifiedData and has not been modified.
- Private key: used internally by CertifiedData to sign certificates — never distributed
- Public key: published openly — any party can use it to verify any certificate
- Verification: cryptographic check using the public key and certificate signature
- No trust dependency: verification works even if certifieddata.io is unavailable
Why public distribution matters for AI governance
A verification system that requires contacting the issuer creates a single point of failure and a trust dependency. If the issuer is unavailable, unresponsive, or compromised, verification fails or becomes unreliable.
Public key distribution removes this dependency. Once a public key is known, historical certificates can be verified indefinitely — regardless of the issuer's operational status. This is critical for long-term AI governance records where certificates may need to be verified years after issuance.
The CertifiedData trust model
CertifiedData's verification model requires only three things: the artifact, the certificate, and the public key. No API access is required. No account is required. No permission from CertifiedData is required.
The public key is the only trust anchor. Any party that holds the public key can independently verify any certificate issued by CertifiedData under that key, whether past, present, or future.
- No API required — verification is fully local
- No account required — anyone can verify
- No issuer contact required — verification is decentralized
- Historical certificates remain verifiable — indefinitely
Key rotation and certificate continuity
CertifiedData maintains a public key registry at /.well-known/certifieddata-registry.json. When key rotation occurs, older public keys remain in the registry alongside the current key, ensuring certificates signed under previous keys remain verifiable.
Each certificate carries a public_key_id field that links it to the specific signing key used at issuance.
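The verification and key-rotation steps described above, as an added Node.js example that is not CertifiedData's own code: it selects the key by public_key_id from a locally cached registry and verifies a certificate signed under a rotated-out key. The registry shape, the certificate field names other than public_key_id and signature, the signature encoding, and the sorted-key JSON payload format are assumptions, and the keys are generated on the spot as stand-ins.

```javascript
// Added example: offline verification against a locally cached key registry.
// ASSUMPTIONS (not from CertifiedData): registry shape {keys:[{id, x}]} with
// base64url raw keys, a base64 `signature` field, and a signed payload equal to
// the sorted-key JSON of every certificate field except `signature`.
const nodeCrypto = require('node:crypto');

// Deterministic serialization (flat fields only) so signer and verifier agree.
function canonicalPayload(cert) {
  const { signature, ...fields } = cert;
  const sorted = Object.keys(fields).sort().map((k) => [k, fields[k]]);
  return Buffer.from(JSON.stringify(Object.fromEntries(sorted)), 'utf8');
}

function verifyCertificate(cert, registry) {
  // The key comes from the pinned registry, looked up by public_key_id.
  // A key supplied inside the certificate itself would never be trusted.
  const entry = registry.keys.find((k) => k.id === cert.public_key_id);
  if (!entry) return { ok: false, reason: 'unknown public_key_id' };
  const sig = Buffer.from(String(cert.signature || ''), 'base64');
  if (sig.length !== 64) return { ok: false, reason: 'malformed signature' };
  const key = nodeCrypto.createPublicKey({
    key: { kty: 'OKP', crv: 'Ed25519', x: entry.x }, format: 'jwk' });
  const ok = nodeCrypto.verify(null, canonicalPayload(cert), key, sig);
  return ok ? { ok: true, keyId: entry.id } : { ok: false, reason: 'bad signature' };
}

// Constructed demo data: two generated keys stand in for a rotated-out key and
// the current key; neither is a real CertifiedData key.
function buildDemo() {
  const oldKey = nodeCrypto.generateKeyPairSync('ed25519');
  const newKey = nodeCrypto.generateKeyPairSync('ed25519');
  const registry = { keys: [
    { id: 'key-2023', x: oldKey.publicKey.export({ format: 'jwk' }).x },
    { id: 'key-2024', x: newKey.publicKey.export({ format: 'jwk' }).x } ] };
  const cert = { certificate_id: 'demo-001', artifact_sha256: 'ab'.repeat(32),
    issued_at: '2023-06-01T00:00:00Z', public_key_id: 'key-2023' };
  cert.signature = nodeCrypto
    .sign(null, canonicalPayload(cert), oldKey.privateKey).toString('base64');
  return { registry, cert };
}

const demo = buildDemo();
console.log(verifyCertificate(demo.cert, demo.registry));
console.log(verifyCertificate({ ...demo.cert, artifact_sha256: 'cd'.repeat(32) }, demo.registry));
```

Because public_key_id is part of the signed payload in this sketch, relabeling a certificate to point at a different registry key also invalidates the signature.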
Frequently asked questions
Where is the CertifiedData public key stored?
CertifiedData publishes its public key at certifieddata.io/.well-known/certifieddata-registry.json. This endpoint is always accessible and does not require authentication.
What happens if the public key changes?
Old keys remain in the registry alongside new keys. Certificates always record which key was used for signing, so historical certificates remain verifiable after key rotation.
Can I verify certificates without an internet connection?
Yes, if you have previously obtained the public key. The actual cryptographic verification is a local operation requiring only the certificate JSON and the public key.
Verify using the published public key
CertifiedData's public key is available at the well-known registry endpoint. Any party can verify any certificate independently.