DSSE / in-toto attestation signing story of the
SZLHOLDINGS/szl-govsign kernel
· PAE + ECDSA P-256 signed and verified in YOUR browser via WebCrypto
initialising…
HONESTY: the keypair below is a DEMO keypair generated locally in your browser at this page-load.
It is NOT an SZL production signing key, and the envelope it signs is NOT an official SZL attestation.
What IS real: the kernel source fetched live below (REPORTED, keyless), the PAE spec test vector,
and every hash/signature operation executed here (MEASURED-in-your-browser).
If any fetch or crypto step fails, this page says UNAVAILABLE — it fabricates nothing.
1 · The kernel's PAE, cross-checked against the DSSE spec vector
The kernel's pae.py implements PAE(type, body) = "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body.
This page re-implements that encoding in JS and checks it against the canonical DSSE spec test vector
(PAE("http://example.com/HelloWorld", "hello world")). checking…
2 · Live in-browser DSSE sign & verify DEMO KEY
Subject digest = SHA-256 of the actually fetchedpae.py bytes (computed here, now).
The in-toto Statement v1 is PAE-encoded exactly as the kernel does, signed with the browser-generated ECDSA P-256 key, then verified.
DSSE envelope (generated here)
signature format: raw IEEE P1363 (r||s) as produced by WebCrypto · keyid demo-p256-inbrowser
…
demo public key (JWK, generated this page-load)
3 · The real kernel source REPORTED
Fetched keyless from huggingface.co/SZLHOLDINGS/szl-govsign (branch main) when you loaded this page — passed through verbatim.
Doctrine: Λ = Conjecture 1 (advisory, never proven) · no fabricated numbers · honest UNAVAILABLE on any failure ·
0 runtime CDN (WebCrypto + inline JS only) ·
SZL Holdings estate ·
kernel suite hub