The sealed cert
What the PDF holds, what the QR proves, how a lawyer uses it.
When you click Seal on a completed vetting, the workbench generates a one-page PDF certificate. It is the artifact you keep on file, and the artifact your lawyer hands the other side three years later. This page explains what's in it, what it proves, and how someone else verifies it.
What the cert contains
- A QR code, large enough to scan from a phone three feet away.
- The signer's name — your account's legal entity name, prominently placed. This is the broker or shipper who ran the vetting.
- The carrier vetted — MC number and legal name as it stood at vetting time.
- The sealed-at timestamp — the moment the proof chain recorded the record.
- The verify URL in plain text, printed below the QR. So even if the QR can't be scanned, the URL still works.
- A small-print disclosure stating that the signer is solely responsible for the carrier-selection decision and that TDPort makes no representation about carrier safety.
That's it. The cert PDF is deliberately spare. The data isn't on the cert — the data is in the encrypted bundle the QR points to.
What the QR encodes
Two things:
- The record ID — the unique identifier the proof chain assigned when you sealed.
- The decryption key — the symmetric key that unlocks the bundle.
Scanning the QR opens a verify URL on tdport.io that already contains both. The verifier doesn't need an account, doesn't need to log in, and doesn't need to know who you are. They just need the cert.
What the proof chain actually proves
Three precise claims:
- The encrypted bundle existed at the sealed-at timestamp. The chain's block hash, witness co-signatures, and merkle inclusion proof attest to this. No party — including TDPort — can back-date a record.
- The bundle was signed by the named producer's key. The Ed25519 signature over the canonical seal envelope is part of the chain record. Anyone holding the cert can verify the signature against the producer's published public key.
- The bundle has not been altered since the seal. The bundle hash is part of the proof envelope. If a single byte in the bundle changes, the hash no longer matches, and the verify page reports it.
The chain does not prove the carrier is safe, that the FMCSA data is accurate, or that your vetting was reasonable. It proves what happened and when. The reasonableness argument is the one you make from the documented record.
How verification works
Anyone with the cert PDF can verify it. The flow:
- Scan the QR on the cert (or open the printed URL).
- The tdport.io verify page fetches the encrypted bundle and the public proof envelope from the chain.
- The page uses the decryption key from the URL to open the bundle locally in the browser. The decryption key is never sent back to our servers.
- The page displays:
- The full vetting data exactly as it was at sealed-at time.
- The signer's name and account.
- The chain proof — block hash, timestamp, signatures, and a verdict (verified / not verified).
No login. No account. No tracking of who verified what.
How this holds up in discovery
A plausible discovery scenario, three years after a vetting:
A negligent-hiring suit names your brokerage. The plaintiff's attorney demands documents showing what you knew about the carrier at the time you tendered the load. You hand over the cert PDF — one page, with a QR.
The attorney scans the QR. The verify page returns the encrypted bundle plus the chain's proof envelope. The attorney now has, in their hands, the exact FMCSA data you saw at vetting time, a cryptographic timestamp proving the data existed before the accident, and a signature proving you ran the vetting.
What the attorney does with that is up to them. What you can show is that you did the work and kept a contemporaneous record. That is what Montgomery's ordinary-care standard, as elaborated in the Kavanaugh concurrence, is asking for.
What happens if you lose the cert
Two paths to recovery:
- Your vault. If you sealed under a free account, the record appears in your vault and you can re-download the cert any time.
- The auto-saved
.txt. Every seal also auto-saves a plain text copy of the record to your machine at seal time. The.txtis not court-grade evidence on its own — the chain proof lives in the PDF — but it preserves the data.
If you lose both the cert and the auto-saved text and your account is gone, the record is still on the chain — but without the decryption key from the QR, no one can open the bundle. The encryption is real; we can't recover it for you.