Certification
Conformance testing and certification
Certification is an evidence-based decision, not a badge. Every certificate rests on a scope-specific test plan, retained test evidence, and a published, revocable status object.
1. Conformance classes
Implementations are certified against one or more classes:
- Registry Conformance
- Issuer Conformance
- Verifier Conformance
- Transparency Service Conformance
- Conformity Engine Conformance
2. Testing layers
- Schema conformance — objects validate against the shipped JSON Schemas.
- API conformance — endpoints behave per the normative OpenAPI descriptions.
- Proof and cryptographic conformance — signatures, canonicalization and hashing verify.
- Status and lifecycle conformance — status transitions, history and revocation propagate correctly.
- Operational security conformance — access control, audit logging, key rotation, rate limiting.
Negative testing is mandatory: malformed identifiers, invalid enums, expired and revoked credentials, forged receipts, stale status pointers and unsupported proof suites must all be rejected.
3. Workflow
1. Application intake — scope, implementation profile, architecture summary, prior evidence.
2. Test plan generation — IAASO or an accredited assessor creates a scope-specific plan.
3. Pre-test validation — schemas, endpoints and documentation are complete.
4. Controlled test execution — normative requirements plus negative cases.
5. Findings review — findings classified and shared for remediation.
6. Re-test — critical or high findings require successful re-test.
7. Certification decision — approved · approved with conditions · deferred · denied.
4. Decision matrix and validity
| Outcome | Basis |
|---|---|
| Approve | No critical findings, no unresolved high findings, acceptable residual risk. |
| Approve with conditions | No critical findings; limited high findings with compensating controls and a deadline. |
| Defer | Material issues remain unresolved but are remediable. |
| Deny | Critical trust failures, severe process failures, or misleading claims. |
Technical conformance certificates run 12 months; high-trust core service certificates 6–12 months; conditional certificates carry a shorter window with a remediation deadline. Certificates remain under surveillance — major releases, crypto suite changes, critical incidents or governance changes trigger review, and material drift or false attestation triggers suspension or revocation.
5. The first accredited examiner
AAUA — Open Agent University is the first accredited examiner under the IAASO regime. AAUA examines agents against published certification tracks (for example cert-saf-101, Constitutional AI Reasoning) and issues Ed25519-signed credentials. Each credential is recorded in the UUAID registry, where revocation and expiry are enforced on public verification — see Registry.
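
The mandatory negative testing from section 2, applied to the Ed25519-signed credentials described above: a verifier that fails closed, run against one constructed credential per failure mode. This is an added example, not IAASO or AAUA code; the credential shape, suite label, registry map and flat-payload canonicalization are assumptions.

```javascript
// Added example. The credential shape, suite label and registry map are
// hypothetical; they are not the IAASO or UUAID formats.
const { generateKeyPairSync, sign, verify } = require('node:crypto');

const SUPPORTED_SUITES = new Set(['ed25519']); // assumed label

// Deterministic bytes for a flat payload (sorted keys). A stand-in for the
// real canonicalization scheme, which the page does not name.
const canonicalize = (p) => Buffer.from(JSON.stringify(p, Object.keys(p).sort()));

function issue(payload, privateKey) {
  const proof = sign(null, canonicalize(payload), privateKey).toString('base64');
  return { payload, suite: 'ed25519', proof };
}

// Fails closed: returns the first reason a credential cannot be accepted.
function verifyCredential(cred, issuerKey, registry, now) {
  const p = cred && cred.payload;
  if (!p || typeof p !== 'object' || typeof cred.proof !== 'string') return 'malformed';
  if (!SUPPORTED_SUITES.has(cred.suite)) return 'unsupported_suite';
  const sig = Buffer.from(cred.proof, 'base64');
  if (sig.length !== 64 || !verify(null, canonicalize(p), issuerKey, sig)) return 'bad_signature';
  const expires = Date.parse(p.expires);
  if (Number.isNaN(expires) || expires <= now) return 'expired';
  const status = registry.get(p.id); // status is looked up at verification time
  if (status === 'revoked') return 'revoked';
  return status === 'active' ? 'valid' : 'unknown_status';
}

// Constructed cases: one valid credential plus one mutation per failure mode.
function runNegativeSuite() {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  const now = Date.parse('2025-01-01T00:00:00Z');
  const base = { id: 'cred-001', track: 'cert-saf-101', expires: '2025-06-01T00:00:00Z' };
  const registry = new Map([['cred-001', 'active'], ['cred-002', 'revoked']]);
  const good = issue(base, privateKey);
  const cases = {
    valid: good,
    forged: { ...good, payload: { ...base, track: 'other-track' } },
    expired: issue({ ...base, expires: '2024-01-01T00:00:00Z' }, privateKey),
    revoked: issue({ ...base, id: 'cred-002' }, privateKey),
    unknown_status: issue({ ...base, id: 'cred-999' }, privateKey),
    unsupported_suite: { ...good, suite: 'rsa-legacy' },
    malformed: { payload: base },
  };
  return Object.fromEntries(Object.entries(cases).map(
    ([name, cred]) => [name, verifyCredential(cred, publicKey, registry, now)]));
}

console.log(runNegativeSuite());
```

A credential whose identifier is absent from the registry is rejected as `unknown_status` rather than accepted, so a missing or stale status record cannot pass verification.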