Design principles
openclearance introduces no new cryptography and no new rights vocabulary. It is a thin layer that makes standards which already work answer one question together. The original contribution is small and deliberate: a clearance layer that translates "what the rights say" into "what you may do," carried in an integrity envelope built from primitives the industry already trusts.
The Tier-0 envelope protects the producer’s exact serialized bytes. The integrity hash is the SHA-256 of the UTF-8 bytes of the payload string, as lowercase hex. A consumer hashes those bytes verbatim, compares, and only then parses. No canonicalization step, so no canonicalization attack surface.
Signed tiers carry the same payload as a C2PA assertion and sign the claim. openclearance aligns with C2PA rather than competing with it, so content-authenticity tooling that already understands C2PA can understand a signed manifest.
Descriptive metadata, provenance, and the determination event are expressed in vocabularies that already exist and are widely understood. One JSON-LD context aliases the engine’s plain field names to those IRIs, so consumers that read JSON need no IRI awareness while strict JSON-LD processors get fully resolved terms.
Rights status references the existing public rights vocabularies by URI. v0.1 emits the CC0 and Public Domain Mark URIs; the model accommodates RightsStatements.org URIs for vocabularies a future version may admit.
The discipline of the format is in what it refuses to hold. The payload never contains its own hash, its signature, or any commercial data: integrity and attestation live in the transport envelope, and commerce lives in a separate sibling assertion that references the manifest by its content hash. The dependency runs one direction only, commerce toward clearance, never the reverse, so the neutral manifest stays byte-identical to what the engine emitted and remains independently verifiable on its own.
Transport over adjudication. This standard defines the shape and transport of a rights assertion so it flows between systems. It does not adjudicate jurisdiction-specific copyright law; an external authority decides, and the manifest carries that decision.
A determination is only as trustworthy as its default. openclearance is fail-closed: any rights signal that is missing, ambiguous, or not affirmatively permissive resolves to a deny, with every clearance answer false and a basis recording the exact failing value. This supports a conservative posture by construction. A record that should not clear does not quietly present as cleared; a false deny is the tolerable error, not a false clear.