{ "$schema": "https://feedoracle.io/.well-known/academic-l1-signing-manifest.schema.json", "purpose": "Public-key infrastructure for FeedOracle Action Gate Academic Verification Layer (L1) receipts. Anyone can use these keys to verify the integrity and authenticity of academic-receipts produced by FeedOracle.", "current_key": { "key_id": "academic_l1_v2", "fingerprint": "SHA256:aab48e9380279fe498ee83580037a0c16bede6d789e471b5ba5924d74e7def82", "algorithm": "ECDSA-P256-SHA256", "curve": "secp256r1 (NIST P-256)", "format": "PEM (PKCS8 SubjectPublicKeyInfo)", "active_since": "2026-05-10", "url": "https://feedoracle.io/.well-known/academic-l1-signing-v2.pub.pem" }, "issuer": { "name": "FeedOracle Action Gate — Academic Verification Layer (L1)", "url": "https://feedoracle.io", "version": "phase-1b-f-v0.2-multikey", "contact": "support@feedoracle.io" }, "what_is_signed": { "description": "Each academic and curation receipt body (canonical JSON, including its own sha256 field) is signed. The signature commits to the entire receipt content including the audit-chain link.", "schema_versions_signed": ["0.3"], "schema_versions_unsigned": ["0.1", "0.2"], "unsigned_receipts_remain_valid_via": "sha256 + hash-chain integrity (Phase 1B-E)" }, "verification": { "example_script_url": "https://feedoracle.io/.well-known/verify-academic-receipt.py", "documentation_url": "https://feedoracle.io/.well-known/academic-l1-readme.md", "openssl_one_liner": "echo $signature_hex | xxd -r -p | openssl dgst -sha256 -verify .pub.pem -signature /dev/stdin canonical_body.json", "multi_key_note": "Each receipt declares the key_id used to sign it. Verifiers should fetch the matching public key — academic-l1-signing.pub.pem for v1 (legacy URL retained), academic-l1-signing-v2.pub.pem for v2." }, "rotation_policy": { "method": "manual operator-approved curation walkthrough with full test suite", "current_keys_retained_until": "until next rotation (v2 active since 2026-05-10)", "old_keys_retained_for": "historical receipt verification (forever — public keys remain published; private keys archived on Master with mode 400)", "first_rotation_evidence": { "walkthrough_id": "walk-rotate-20260510-075046", "curation_receipt_id": "rec-curation-d40730fe4294942a", "curation_chain_id": "0e78577f8e2f1d2876bcb092", "all_46_pre_rotation_receipts_still_verify": true, "rollback_exercised_during_attempt_1": "yes — a strict pre-rotation test assertion fired auto-rollback; v2 deleted and v1 restored before second attempt with corrected test" }, "history": [ { "key_id": "academic_l1_v1", "active_since": "2026-05-07", "active_until": "2026-05-10", "status": "retired", "fingerprint": "SHA256:b9910d8eb372d5f0a9d785e856b0a83524fef209a62cad13a1cea877b4076e0e", "url": "https://feedoracle.io/.well-known/academic-l1-signing.pub.pem", "private_key_archived_at": "/opt/action-gate/keys/academic_l1_signing.pem.retired.20260510-075046 (mode 400, root-only)", "purpose_after_retirement": "verification of historical receipts only — no new signing" }, { "key_id": "academic_l1_v2", "active_since": "2026-05-10", "active_until": null, "status": "active", "fingerprint": "SHA256:aab48e9380279fe498ee83580037a0c16bede6d789e471b5ba5924d74e7def82", "url": "https://feedoracle.io/.well-known/academic-l1-signing-v2.pub.pem" } ] }, "trust_model": { "description": "Self-signed public-key publication. Trust is established by: (a) trusting the TLS certificate of feedoracle.io, (b) trusting that keys were generated and stored securely on the FeedOracle Master server with file mode 600 (active private) / 400 (archived private). There is no CA chain. For high-stakes verification, pin the fingerprint above out-of-band.", "fingerprint_pinning_recommendation": "For long-term verification (e.g. audits years later), record the fingerprint of each key version. The key files at the per-version URLs may move; the fingerprints above are permanent for academic_l1_v1 and academic_l1_v2." }, "metadata": { "manifest_version": "2.0", "created_at": "2026-05-07", "last_updated": "2026-05-10", "last_updated_reason": "First key rotation v1 → v2 completed via curation walkthrough walk-rotate-20260510-075046" } }