Verification Guide

Verifying a Horizon Proof Bundle

Canonical · Public · Reference

Audience: Auditors · External reviewers · Security teams · Legal experts

Applies to: All Horizon deployments

1. Purpose of This Document

This document explains how Horizon evidence can be verified and what such verification guarantees.

It defines:

  • what a Horizon proof bundle contains,
  • what is cryptographically verifiable,
  • how tampering is detected,
  • and the limits of verification.

This guide does not explain how Horizon is implemented internally. It explains what can be independently checked.


2. What Is a Horizon Proof Bundle

A proof bundle is a verifiable artifact produced by Horizon that packages:

  • a set of sealed facts,
  • their cryptographic hashes,
  • their chaining information,
  • and a Horizon signature.

A bundle represents the state of a stream at a given point in time. Bundles are immutable once issued.


3. Contents of a Proof Bundle

A Horizon proof bundle includes, at minimum:

  • bundle_id
  • bundle_version
  • a list or manifest of facts
  • the head_hash of the stream at bundle time
  • a cryptographic signature
  • a reference to the signing key (key_id or equivalent)

Optionally, a bundle may reference:

  • attachments manifests,
  • external evidence objects.

4. What Verification Checks

Verification of a Horizon proof bundle consists of four independent checks.

4.1 Signature Verification

The bundle signature is verified using the public key corresponding to the declared signing key.

This establishes that:

  • the bundle was produced by Horizon,
  • the bundle content has not been altered since signing.

4.2 Fact Hash Verification

For each fact in the bundle:

  • the fact payload is hashed,
  • the computed hash is compared to the stored fact_hash.

This establishes that each fact has not been modified after sealing.

4.3 Hash Chain Verification

Facts are linked using a hash chain (prev_hash → fact_hash).

This establishes:

  • append-only ordering,
  • tamper evidence across the entire stream segment.

Verification recomputes the chain and confirms that:

  • each fact correctly references the previous one,
  • the final computed hash matches the bundle head_hash.

4.4 Bundle Consistency Verification

The verifier checks that:

  • the bundle references the correct stream,
  • the set of facts is complete up to head_hash,
  • no fact is missing, reordered, or duplicated.
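
Checks 4.2 to 4.4 as an added example (not Horizon's code or bundle format): it assumes SHA-256, a fact_hash computed over the prev_hash bytes followed by the payload, and an all-zero prev_hash for the first fact; the field layout and the sample bundle are constructed for illustration. It is meant to run only after the signature check in 4.1 has passed.

```python
import hashlib

GENESIS = "00" * 32  # assumption: prev_hash of the first fact in a stream


def seal(prev_hash: str, payload: bytes) -> str:
    """Assumed sealing rule: fact_hash = SHA-256(prev_hash bytes || payload)."""
    return hashlib.sha256(bytes.fromhex(prev_hash) + payload).hexdigest()


def verify_chain(bundle: dict, start_hash: str = GENESIS) -> list:
    """Return a list of findings; an empty list means checks 4.2-4.4 passed."""
    findings, seen, expected_prev = [], set(), start_hash
    for i, fact in enumerate(bundle["facts"]):
        if fact["fact_hash"] in seen:                        # 4.4: duplicate
            findings.append(f"fact {i}: duplicate fact_hash")
        seen.add(fact["fact_hash"])
        if fact["prev_hash"] != expected_prev:               # 4.3: chain link
            findings.append(f"fact {i}: prev_hash does not match previous fact")
        if seal(fact["prev_hash"], fact["payload"]) != fact["fact_hash"]:  # 4.2
            findings.append(f"fact {i}: payload does not match fact_hash")
        expected_prev = fact["fact_hash"]
    if expected_prev != bundle["head_hash"]:                 # 4.3: head
        findings.append("head_hash does not match last fact")
    return findings


def build_sample(payloads):
    """Constructed sample bundle, for demonstration only."""
    facts, prev = [], GENESIS
    for p in payloads:
        h = seal(prev, p)
        facts.append({"prev_hash": prev, "payload": p, "fact_hash": h})
        prev = h
    return {"bundle_id": "sample-1", "facts": facts, "head_hash": prev}


if __name__ == "__main__":
    payloads = [b"fact-a", b"fact-b", b"fact-c"]
    print("intact:", verify_chain(build_sample(payloads)))
    edited = build_sample(payloads)
    edited["facts"][1]["payload"] = b"fact-B"   # modify a sealed payload
    print("payload edited:", verify_chain(edited))
    dropped = build_sample(payloads)
    del dropped["facts"][1]                     # remove a fact mid-chain
    print("fact removed:", verify_chain(dropped))
```

A bundle that covers a later segment of a stream would pass the hash preceding its first fact as start_hash; how Horizon conveys that value is not specified in this guide.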

5. What Verification Proves

Successful verification proves that:

  • the bundle was produced by Horizon,
  • the included facts were sealed by Horizon,
  • the facts have not been altered since sealing,
  • the ordering of facts is append-only and intact.

Verification establishes integrity and authenticity of the evidence.


6. What Verification Does NOT Prove

Verification does not prove:

  • that the declared facts are true,
  • that the declared actors are legitimate,
  • that actions occurred as described,
  • that timestamps reflect real-world occurrence,
  • that the stream is complete,
  • that no other facts exist outside the bundle.

Verification validates evidence integrity, not evidence meaning.


7. Verification Scope and Independence

Verification can be performed:

  • by Horizon systems,
  • by client systems,
  • by third-party auditors,
  • by regulators or courts.

No access to Horizon internal systems is required, provided that:

  • the proof bundle,
  • and the corresponding public verification material are available.

8. Handling of Incomplete or Partial Bundles

A proof bundle reflects the stream up to a specific point in time.

The absence of later facts:

  • does not indicate failure,
  • does not indicate success,
  • does not indicate abandonment.

Verification does not infer completeness.


9. Key Management and Trust Assumptions

Verification assumes:

  • the authenticity of the Horizon public signing key,
  • correct key distribution or trust anchoring.

Verification does not:

  • assess key governance,
  • assess Horizon operational security,
  • assess client security posture.

10. Legal Interpretation Boundary

Verification establishes technical integrity, not legal qualification.

A verified bundle:

  • is not a decision,
  • is not an authorization,
  • is not a compliance assertion,
  • is not a determination of responsibility.

Interpretation remains the responsibility of organizations, auditors, courts, or regulators.


11. Canonical Summary

Verification confirms that Horizon evidence is intact and authentic. It does not confirm what the evidence means.


12. Status and Stability

This document defines the stable verification semantics of Horizon. Any future evolution of Horizon must remain consistent with the guarantees described here.