How to verify a vCon

Stable URL: https://policy.publicvcons.org/verify

"Can I trust this vCon?" is answerable end to end, offline, by anyone. The integrity chain is:

source media (SHA-256)
  → vcon.json (binds that hash)
    → signed lifecycle statement  (ed25519, issuer key)
      → logged Merkle leaf
        → Merkle root
          → SCITT service countersignature (receipt)

1. Provenance

Each vCon's dialog[].content_hash and lawful_basis.metadata.source.source_media_sha256 equal the SHA-256 of the exact original source file, so the vCon is bound to the primary source it cites.

2. Lifecycle statements + receipts

Each stage (imported, normalized, transcribed, analyzed, published) has, in the vCon's scitt/ directory, a signed statement (NN_stage.scitt.json) and a transparency receipt (NN_stage.scitt-receipt.json) — an RFC 9162-style Merkle inclusion proof into the append-only SCITT log, countersigned by the service key.

3. Verify offline (no network)

python scitt/cli/pvcons_scitt.py verify --receipts scitt/

This checks, per receipt: the service countersignature; that the inclusion proof re-derives the logged Merkle root; that the statement hashes to the logged leaf; and the issuer statement signature. Any tampering — to the statement, the leaf, the proof, or the root — fails.

4. Verify in your browser

Each vCon page on publicvcons.org has a "Verify chain in your browser" button that performs the same checks client-side with Web Crypto (Ed25519 + Merkle), no server trust required.

Keys

Issuer public key: /.well-known/scitt-pubkey.json. SCITT service key + configuration: /.well-known/scitt-transparency-configuration.json (also at scitt.publicvcons.org).