Entropy Attestation — at1 entropy-attest
AT-1 does not replace SSL or x509 — the PKI stack already owns signed identity. What it adds is the one trust artifact it is uniquely positioned to issue: a verifiable certificate that a key/token-generation source passed the weak-RNG audit. It composes three things AT-1 already ships — the audit, an Ed25519 signature, and a hash-chained ledger (a Certificate-Transparency-style, append-only log of who attested what, when) — so the badge is re-checkable, not self-asserted.
Use it
# 1) a signer keypair (the entity vouching for the audit)
at1 entropy-attest keygen --out-key signer.key --out-pub signer.pub
# 2) audit a token/key source and issue a SIGNED attestation, logged to a transparency ledger
at1 entropy-attest issue tokens.txt --signing-key signer.key \
--out attestation.json --ledger attestations.at1
# 3) anyone with the public key + the source can RE-CHECK it
at1 entropy-attest verify attestation.json --pubkey signer.pub --target tokens.txt
# -> verified: true (forged verdict / swapped source / wrong key -> false)
at1 entropy-attest verify-ledger attestations.at1 # the hash chain holds
What an attestation binds
- The SHA-256 of the exact audited source (so the source can’t be swapped).
- The audit verdict (BROKEN / WEAK / PASS) and the recovered generator, if any.
- An Ed25519 signature over all of the above; optionally logged to a tamper-evident ledger.
Verification re-runs the audit on the same source and checks the signature and the source hash. Forge the verdict, swap the source, or present a different signer and it fails.
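To make the three steps above and the bindings concrete, here is an added Go example that is not at1's own code (at1's audit logic and file formats are not shown on this page). It implements the same mechanics with the standard library: a SHA-256 of the audited source, a verdict, an Ed25519 signature over those fields, a verifier that re-runs the audit, and a hash-chained ledger. The audit function is a deliberately simple stand-in (repeated token = BROKEN, short token = WEAK), and the function names, JSON field names and sample token files are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Attestation binds what the page lists: source hash, verdict, recovered generator
// (if any), and an Ed25519 signature by a named signer over all of those fields.
type Attestation struct {
	SourceSHA256 string `json:"source_sha256"`
	Verdict      string `json:"verdict"`             // BROKEN / WEAK / PASS
	Generator    string `json:"generator,omitempty"` // recovered generator, if any
	SignerPub    string `json:"signer_pub"`          // hex Ed25519 public key
	Signature    string `json:"signature"`           // hex signature over the fields above
}

// signingPayload is the canonical byte string the signature covers.
func signingPayload(a Attestation) []byte {
	return []byte(strings.Join([]string{a.SourceSHA256, a.Verdict, a.Generator, a.SignerPub}, "\n"))
}

// auditTokens is a stand-in for the weak-RNG audit (assumption: the real audit is far
// richer and may recover a generator; this one never does). Any repeated token is
// BROKEN, any token shorter than 16 characters makes the source WEAK, else PASS.
func auditTokens(source []byte) (verdict, generator string) {
	seen := map[string]bool{}
	for _, tok := range strings.Fields(string(source)) {
		if seen[tok] {
			return "BROKEN", ""
		}
		seen[tok] = true
		if len(tok) < 16 {
			verdict = "WEAK"
		}
	}
	if verdict == "" {
		verdict = "PASS"
	}
	return verdict, ""
}

// GenerateSigner is the keygen step: a fresh Ed25519 keypair from crypto/rand.
func GenerateSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Issue is the issue step: hash the exact source, audit it, sign the result.
func Issue(source []byte, priv ed25519.PrivateKey) Attestation {
	sum := sha256.Sum256(source)
	verdict, gen := auditTokens(source)
	a := Attestation{
		SourceSHA256: hex.EncodeToString(sum[:]),
		Verdict:      verdict,
		Generator:    gen,
		SignerPub:    hex.EncodeToString(priv.Public().(ed25519.PublicKey)),
	}
	a.Signature = hex.EncodeToString(ed25519.Sign(priv, signingPayload(a)))
	return a
}

// Verify is the verify step: the target must hash to the attested source, the signature
// must be by the expected key, and re-running the audit must reproduce the verdict.
func Verify(a Attestation, pub ed25519.PublicKey, target []byte) error {
	sum := sha256.Sum256(target)
	if hex.EncodeToString(sum[:]) != a.SourceSHA256 {
		return errors.New("source hash mismatch: audited source was swapped")
	}
	if a.SignerPub != hex.EncodeToString(pub) {
		return errors.New("attestation names a different signer")
	}
	sig, err := hex.DecodeString(a.Signature)
	if err != nil || !ed25519.Verify(pub, signingPayload(a), sig) {
		return errors.New("bad signature: forged fields or wrong key")
	}
	if v, g := auditTokens(target); v != a.Verdict || g != a.Generator {
		return errors.New("audit re-run disagrees with the attested verdict")
	}
	return nil
}

// LedgerEntry is one link of the append-only chain: each entry commits to the previous
// entry's hash, so editing or dropping an earlier entry breaks every later link.
type LedgerEntry struct {
	Prev        string      `json:"prev"` // previous entry hash; "" for the first entry
	Attestation Attestation `json:"attestation"`
	Hash        string      `json:"hash"` // SHA-256(prev || attestation JSON)
}

func entryHash(prev string, a Attestation) string {
	body, _ := json.Marshal(a) // string fields only; cannot fail
	sum := sha256.Sum256(append([]byte(prev), body...))
	return hex.EncodeToString(sum[:])
}

// AppendLedger logs an attestation (the --ledger step).
func AppendLedger(ledger []LedgerEntry, a Attestation) []LedgerEntry {
	prev := ""
	if n := len(ledger); n > 0 {
		prev = ledger[n-1].Hash
	}
	return append(ledger, LedgerEntry{Prev: prev, Attestation: a, Hash: entryHash(prev, a)})
}

// VerifyLedger is the verify-ledger step: recompute and re-link every entry.
func VerifyLedger(ledger []LedgerEntry) bool {
	prev := ""
	for _, e := range ledger {
		if e.Prev != prev || e.Hash != entryHash(e.Prev, e.Attestation) {
			return false
		}
		prev = e.Hash
	}
	return true
}

// Constructed sample token files: one repeats a token, one looks healthy.
const BrokenSample = "3f9a1c77b2e4d0aa\n5c0b2e91a7d3f644\n3f9a1c77b2e4d0aa\n"
const GoodSample = "3f9a1c77b2e4d0aa5c0b2e91a7d3f644\n91be4d2a0c7f3e55d8a1b6c2e9f04a73\n"

func main() {
	pub, priv := GenerateSigner()
	att := Issue([]byte(BrokenSample), priv)
	ledger := AppendLedger(nil, att)
	fmt.Println("verdict:", att.Verdict, "verified:", Verify(att, pub, []byte(BrokenSample)) == nil)
	forged := att
	forged.Verdict = "PASS" // the signature no longer covers these fields
	fmt.Println("forged verdict verifies:", Verify(forged, pub, []byte(BrokenSample)) == nil)
	fmt.Println("ledger chain holds:", VerifyLedger(ledger))
}
```

The verifier deliberately checks more than the signature: a valid signature over a PASS verdict is worthless if the presented source no longer hashes to what was audited, and a matching hash is worthless if the verdict was edited after signing, which is why all three checks (hash, signature, audit re-run) must pass together.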
Who it’s for
A CA or HSM proving its RNG is sound; an IoT vendor attesting per-device key entropy at provisioning (supply-chain trust); a “keys audited” badge that survives an auditor’s re-check. Run it in CI or via the self-hostable at1 audit-service HTTP endpoint. Billed on the same RNG-audit subscription; see pricing.