Certificate Issuance

Certificate issuance is the mechanism that makes the phrase “AIEP Certified” truthful and machine-verifiable.

AIEP does not require certification. Certification exists to protect users from false claims. When a system claims to be certified, it should be able to point to a certificate artefact and the verification material required to validate it.

The issuance lifecycle

A practical issuance process has four stages:

1. Application — the operator requests certification and supplies the required artefacts.
2. Assessment — the issuer validates the implementation against a published policy and schema set.
3. Issuance — a certificate artefact is created, signed, and published.
4. Ongoing validity — revocation or expiry is recorded if required.

Where certificates live

Certificates can be published by:

• the certified system (recommended: stable URL under its own AIEP surface)
• the issuer registry (optional mirror record)
• both (best practice for resilience)

What a certificate contains

A minimal certificate includes:

• certificate id
• issuer identity
• issuance timestamp
• policy version
• subject (the certified domain/system)
• signature and public key reference

Verification

Verification should be deterministic:

• retrieve the certificate artefact
• retrieve issuer verification material from the registry
• validate structure via schema
• verify signature
• check revocation/expiry status

This repo ships the public interfaces and schemas for that flow. The operational issuance services are implemented via Worker/registry infrastructure when you are ready.