What it is
VERACCORD is an à-la-carte, open-core framework: FIPS-routable cryptography, PKI and CA, ACME, OIDC with passkeys, secure DNS, authenticated time, signed updates, and tamper-evident audit with SIEM export — secure by default, with fail-loud startup guards that turn an insecure setup into a build-time error. On top of that foundation sits an AI-provenance tier: attested memory, training-time governance, and signed attribution. Take one crate or the whole suite; every capability is optional and reachable through a one-line Easy Button.
Who it's for
Anyone shipping software that has to be trustworthy on the wire and provable after the fact:
- cloud-native and internet-facing services
- standalone desktop and PC apps, and local web servers
- airgapped systems that must provide their own DNS, time, CA, ACME, TSA, and OIDC
- trustworthy AI-training provenance, and AI-agent / MCP authentication
- identity infrastructure — OpenID Provider, passkeys, MFA
- software publishers shipping signed and OTA updates
- organizations running internal PKI/CA, SOC/SIEM audit forwarding, secure time (NTS), and timestamping (TSA)
- regulated teams needing a documented, self-audited SSDL
- IoT and embedded device makers — one audience among many
Our commitment to open source
- Apache-2.0, permanently. The umbrella crate and CLI (
veraccord), the entire security tier (veraccord-sec), and the SSDL tooling (veraccord-ssdl) are Apache-2.0 — and will remain so. - Source-available AI tier.
veraccord-ai(AI provenance) is published under the Business Source License 1.1: the source is public and auditable, with commercial-use terms that fund the open tiers. - Everything ships to crates.io. Every tier — including the BUSL tier — is distributed through the public registry, not behind a portal.
- The evidence ships with the source. Threat models, compliance records, requirements-to-code traceability, and SBOMs live in the repositories, self-audited in the open under an SSDL based on IEC 62443-4-1 and targeting the technical requirements of IEC 62443-3-3 and -4-2 Security Level 4 — engineering baselines we self-assess against, not third-party certifications.
Source & releases
VERACCORD is in pre-release development; repositories and crates go public as each tier reaches release. When they do, this is where they will live:
- GitHub —
github.com/dhadner/veraccord,veraccord-sec,veraccord-ai,veraccord-ssdl - crates.io —
veraccord,veraccord-sec-*,veraccord-ai-*,veraccord-ssdl
Until then, veraccord.com is the front door for Veraccord Labs, the company behind the project.