Explainer

DSSE in 60 seconds

DSSE (Dead Simple Signing Envelope) is a signed envelope format. MVG uses DSSE statements as procurement‑friendly pointers to evidence: what to attach, what to verify, and what outputs to expect.

Why DSSE (audit-friendly)

What it buys you

  • One URL a reviewer can open and understand.
  • Deterministic outputs: PASS / FAIL / HOLD, with stable reasons.
  • Replayable: verification can be re-run offline under pinned versions.
  • Discoverable pointers: packet, proofs, security review, governance receipts.
How to use (2 minutes)

What procurement attaches

Attach the DSSE URL to the ticket. The DSSE viewer can generate a Jira/ServiceNow snippet automatically.

Ticket-pack DSSE pointer
/.well-known/mvg-procurement-ticket-pack.dsse.json

If signatures are missing or evidence cannot be verified, the correct outcome is HOLD (fail‑closed).
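As an added example (not MVG's viewer or verifier code), a minimal DSSE verifier in Go that applies the fail-closed rule above: it rebuilds DSSE's Pre-Authentication Encoding (PAE), checks each signature against a set of pinned ed25519 keys, and returns PASS / FAIL / HOLD with a stable reason code. The key identifiers, the reason-code names and the strict rule that every signature must come from a pinned key are assumptions of this example, not MVG's.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Envelope is the DSSE JSON envelope; encoding/json base64-encodes the []byte fields, as DSSE requires.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     []byte      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   []byte `json:"sig"`
}

// PAE is DSSE's Pre-Authentication Encoding: the signature covers these bytes, not the raw payload.
func PAE(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// Sign wraps payload in an envelope carrying one ed25519 signature over its PAE.
func Sign(payloadType string, payload []byte, keyID string, priv ed25519.PrivateKey) ([]byte, error) {
	sig := ed25519.Sign(priv, PAE(payloadType, payload))
	return json.Marshal(Envelope{payloadType, payload, []Signature{{keyID, sig}}})
}

// Verify returns PASS / FAIL / HOLD plus a stable reason code. Whatever cannot be checked (malformed
// envelope, no signatures, unpinned keyid) is HOLD, i.e. fail-closed; a bad signature from a pinned key is FAIL.
func Verify(envJSON []byte, pinned map[string]ed25519.PublicKey) (string, string) {
	var env Envelope
	if json.Unmarshal(envJSON, &env) != nil {
		return "HOLD", "ENVELOPE_UNPARSEABLE"
	}
	if len(env.Signatures) == 0 {
		return "HOLD", "NO_SIGNATURES"
	}
	pae := PAE(env.PayloadType, env.Payload)
	for _, s := range env.Signatures {
		pub, ok := pinned[s.KeyID]
		if !ok {
			return "HOLD", "UNKNOWN_KEYID" // cannot be checked: hold, do not fail
		}
		if !ed25519.Verify(pub, pae, s.Sig) {
			return "FAIL", "BAD_SIGNATURE"
		}
	}
	return "PASS", "OK"
}
```

Because the PAE binds the payload type as well as the payload, changing either one after signing turns a PASS into a FAIL; an envelope with no signatures or an unknown keyid is a HOLD rather than a FAIL.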

No surprises (human-readable)

DSSE is the pointer — not the whole story

DSSE keeps the high‑signal summary small, then points to receipts (signed artifacts) for the details. This avoids “long PDF drift” while keeping audits reproducible.

FAQ

Do I need to trust MVG servers to verify a DSSE?
No. The DSSE is a pointer. Verification happens offline from the downloaded evidence pack and proofs.

Why DSSE instead of a PDF “certificate”?
DSSE is machine‑readable and deterministic. It can point to exact evidence, and verifiers output PASS / FAIL / HOLD with reason codes.

What should a procurement ticket attach?
Attach one URL: the Ticket Pack DSSE. Reviewers can open it in the DSSE viewer and run offline verification.