Attestation

Attestation is a signed statement that some fact is true, made by an issuer that a verifier is willing to trust. In plain terms, it is “someone credible vouching for something,” but with cryptography and rules so that the vouching can be checked rather than merely believed.

In modern digital systems, attestation usually means a package of claims plus proof of who issued them and that the claims have not been altered.

This is the shared spine behind things like device integrity checks, membership proofs, and identity attributes. The verifier checks signatures and validity, rather than relying on screenshots, emails, or phone calls.

In the Verifiable Credential world, a credential is essentially a standardised form of attestation: an issuer makes claims about a subject, the holder keeps it (often in a wallet), and a verifier can validate it cryptographically.

This is the “people and organisations” flavour of attestation, formalised in the W3C Verifiable Credentials model of issuer–holder–verifier.

A concrete example is an educational credential. A university can issue an attestation that you earned a degree, and an employer can verify the issuer’s signature and the integrity of the credential without needing direct access to the university’s internal database each time.

A second example is age or eligibility checks. Instead of revealing your full date of birth, you can present a proof derived from an attested attribute that answers only the policy question, such as “over 18.” This keeps the verification goal while reducing unnecessary disclosure, which matters in democratic participation where people should not have to over-share to be included.

There is also a “machines and software” flavour of attestation, often called remote attestation. Here, a device (or secure hardware such as a TPM, or a trusted execution environment) produces signed evidence about its software/hardware state, and a relying party decides whether to trust it. For example, remote attestation can be used to verify a boot chain or measured values before allowing access to a sensitive service.
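As an added illustration (not code from this page or from any TPM or attestation library), the sketch below shows how a relying party might appraise measured-boot evidence: it replays an event log with the TPM-style extend operation, checks that the result matches the quoted register, and compares each measurement with reference values. It assumes the signature on the quote has already been verified; the component names, images and function names are constructed for the example.

```python
import hashlib

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def extend(register: bytes, measurement: bytes) -> bytes:
    # TPM-style extend: new value = H(old value || measurement).
    return sha256(register + measurement)

def replay(event_log) -> bytes:
    # Recompute the register from an ordered log of (component, digest).
    register = bytes(32)  # register is all zeros after reset
    for _component, digest in event_log:
        register = extend(register, digest)
    return register

def appraise(quoted_register: bytes, event_log, reference) -> tuple:
    # Step 1: the log must reproduce the value the hardware signed.
    if replay(event_log) != quoted_register:
        return (False, "event log does not reproduce quoted register")
    # Step 2: the boot chain must be exactly the expected stages, in order.
    if [c for c, _ in event_log] != list(reference):
        return (False, "unexpected boot chain")
    # Step 3: each stage's measurement must be a known-good value.
    for component, digest in event_log:
        if digest != reference[component]:
            return (False, "unapproved measurement: " + component)
    return (True, "ok")

# Constructed sample data (not real firmware).
GOOD = [("bootloader", b"bootloader v1"), ("kernel", b"kernel v1"),
        ("initrd", b"initrd v1")]
REFERENCE = {name: sha256(image) for name, image in GOOD}

def measure(images):
    return [(name, sha256(image)) for name, image in images]

def demo():
    good_log = measure(GOOD)
    bad_log = measure([GOOD[0], ("kernel", b"kernel modified"), GOOD[2]])
    return {
        "clean boot": appraise(replay(good_log), good_log, REFERENCE),
        "modified kernel, honest log": appraise(replay(bad_log), bad_log, REFERENCE),
        "modified kernel, forged log": appraise(replay(bad_log), good_log, REFERENCE),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, "->", verdict)
```

The third case shows why the log is checked against the quoted register: a log that lists only approved measurements is rejected when it does not reproduce the value the hardware reported.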

In the IETF Remote Attestation Procedures ecosystem, an Entity Attestation Token (EAT) is a standard way to express claims about an entity (device, hardware, or software) so that a relying party can make a trust decision based on those claims.

Attestation becomes politically interesting when combined with Selective Disclosure and Zero-Knowledge Proof. It lets a system demand “prove the constraint” rather than “reveal the person.” That is the basic move that makes privacy-first governance, stratified participation, and anti-corruption auditing feel possible on ordinary smartphones, without turning civic life into a permanent data-collection ritual.