Open governance · neutral org

Governance.

SignedReceipts is maintained by an independent working group. No single vendor controls the specification, and no commercial entity owns the badge mark beyond its CC-BY-ND grant.

Structure

The SignedReceipts source archives hold every specification artefact and reference implementation. The current maintainer set is two engineers acting in their personal capacity, one external auditor from a GRC platform, and one external cryptographer. Maintainer status is merit-based, not vendor-based; merit is demonstrated through accepted contributions, not affiliation.

Licences

ArtefactLicenceWhy
SpecificationCC-BY-4.0Attribution required; no sharealike friction for adopters.
JSON SchemasCC0Maximum reuse without attribution overhead.
Reference implementationsApache-2.0Patent grant; permissive.
Conformance corpusApache-2.0 (code) + CC0 (vectors)Vectors must remain trivially redistributable.
Badge markCC-BY-NDPrevents modification that dilutes the conformance signal.

Contribution process

  1. Email the working group (badges@cloakapi.io) describing the proposed change before drafting a patch.
  2. Fork the repository, draft the change, and add or update conformance fixtures where applicable.
  3. Open the pull request. Normative changes require approval from two maintainers; one of those approvals must come from a maintainer not affiliated with the largest deployed implementation.
  4. Breaking format changes require a major version bump. Backward-compatible additions ride a minor version.

Badge revocation

Badges may be revoked when an implementation no longer passes the conformance suite, or when a vendor uses the mark to claim compatibility outside the conditions of /badge/. Revocations are tracked in signedreceipts/badges/REVOCATIONS.md. A revoked vendor receives 30 days' notice to remediate before public removal from /implementations/.

IETF Internet-Draft

Submitted as draft-cloakapi-signedreceipt-00 to SECDISPATCH. Mirrored at signedreceipts/draft-ietf. The working group's intent is to seek a chartered IETF working group during 2026 with the goal of progressing OpenReceipt along a Standards Track.

Roadmap

Q2 2026
Errata round
Schema clarifications, additional test vectors for edge cases discovered post-ratification.
Q3 2026
ML-DSA preview
Optional alg=ml-dsa-65 path. Conformance suite extension. PQC migration story.
Q4 2026
Chain anchoring
Optional Merkle anchoring of chain heads to public transparency logs.
2027
Next-generation spec draft
Hybrid classical+PQC signatures, post-quantum chain hashes, hardened cross-producer auditor flow.