The information contained in this page will be applicable to future versions. Currently, the implemented Issuer Trust model is defined here.
Introduction
Verifiable Credentials (VCs) are typically issued by legal entities. Verifiers need to know the issuer of the VCs, whether the issuer is recognised as trusted within the domain and who provided this recognition. By default, legal entities have no accreditations, meaning verifiers may not recognise the VCs they issue.
EBSI introduces a Verifiable Trust Model that contains permissions and policies. Permissions allow for governance or issuance within the Trust Model, while policies define who made the accreditation, which trust framework is followed and its legal basis. Trust Model participants make the entire verifiable Trust Model publicly available by registering it in the EBSI Trusted Issuers Registry.
The Trust Model allows verifiers to trust the roots of hierarchies without needing to know each issuer directly. All permissions and policies are verifiable by verifiers, building greater trust towards issuers.
Verifiable Authorisations model the Decentralised Access Management (DAM) consumed by the EBSI Platform Identity and Access Management (IAM). DAM can be used to onboard new legal entities or create new trust chains.
Depending on their accreditations and authorisations, legal entities can play the following roles:
- Root Trusted Accreditation Organisation (Root TAO)
- Trusted Accreditation Organisation (TAO)
- Trusted Issuer (TI)
Glossary
Abbreviation | Term | Description |
---|---|---|
- | Trust chain | Implementation of a Trust Model |
DID | Decentralised Identifier | Legal entity identifier for Trust Model; cannot be natural person in context of Trust Model |
RTAO | Root Trusted Accreditation Organization | Legal entity governing the whole trust chain |
TAO | Trusted Accreditation Organization | Legal entity governing a trust chain segment |
TI | Trusted Issuer | Legal entity participating in a trust chain as an issuer |
TIR | Trusted Issuers Registry | Registry for Issuers to register their accreditations |
VC | Verifiable Credential | Base type for Verifiable Attestation, Accreditation and Authorisation |
- | Verifiable Trust Model | Permissions with policies to either accredit, or to attest |
Concepts
The Trust Chain enables a single point of trust for the given Trust Model. The verifier can choose to trust the Root TAO and verify the accreditation chain that is referenced from the issued VC. Verifiable Trust Models contain permissions with policies and are public information stored in the Trusted Issuers Registry.
Trust Model Roles and their Permissions
A Root TAO is the owner of the chain, responsible for the governance of the entire trust chain. Root TAOs may accredit TAOs to govern a segment of the chain. Root TAO and TAOs may also accredit TIs to issue specific VCs. The Verifiable Accreditation defines permissions with policies that the accreditation holder must follow. Accreditation holders (legal entities) can have multiple accreditations from single or numerous trust chains, with each accreditation belonging to one trust chain that grants issuing or governance capabilities.
A trust chain should contain all three roles, even if a single DID represents all three roles. The roles must be Root TAO, TAO and TI, where only TI may issue domain-specific Verifiable Credentials.
Root Trusted Accreditation Organisation (Root TAO)
A Root TAO represents a trust model and has full control of the trust chain. It may:
- accredit itself to govern or issue domain-specific VCs
- accredit any legal entity to govern or issue domain-specific VCs
- revoke an accreditation from a legal entity participating in the trust chain
The Root TAO permission is defined by VerifiableAuthorisationForTrustChain
, and the policies are contained in termsOfUse
as TrustFrameworkPolicy
. The VerifiableAuthorisationForTrustChain
is always issued by the EBSI Support Office.
Trusted Accreditation Organisation (TAO)
A TAO governs an accredited segment on behalf of the Root TAO. It may:
- accredit itself to issue domain-specific VCs
- accredit any legal entity to govern or issue domain-specific VCs
- revoke accreditation from a legal entity that was accredited by the TAO
The TAO permission is defined by VerifiableAccreditationToAccredit
, and the policies are contained in termsOfUse
as AccreditationPolicy
.
Trusted Issuer (TI)
A TI represents the issuer in a trust chain. It may issue domain-specific VC types defined by the received accreditation. Issuers may issue VCs outside the trust chain, but these are not associated with a Root TAO and contain no reference to an accreditation.
The TI permission is defined by VerifiableAccreditationToAttest
, and the policies are contained in termsOfUse
as AccreditationPolicy
. When the TI uses their accreditation to issue a domain-specific VC, the issued VC must contain a termsOfUse
property with AttestationPolicy
type, which links to the TI's accreditation Root TAO's accreditation. Both accreditations are located in the TIR.
Accreditations
Accreditations certify that an entity is qualified to accredit or attest. Accreditations are attribute-driven and are always restricted to domain-specific credential types. These restrictions cannot be extended. For example, if a legal entity is accredited to accredit issuers of diploma VCs, they may only pass this or a subset downstream of the hierarchy. Depending on the accreditation, the accredited legal entity may govern (accredit) or issue (attest), but always within the trust model and the accredited boundaries.
Authorisations
Authorisations are rights to use EBSI services.
The VerifiableAuthorisationToOnboard
is used to anchor the DID document into the DID Registry. This is a mandatory step for all legal entities and is required before any accreditations can be done, as the subject must be able to prove the ownership of the DID. Onboarding guarantees safe entry for the DID and DID document. TAOs can issue VerifiableAuthorisationToOnboard
credentials to legal entities. Onboarding alone will not provided any access rights or onboarding capabilities, as it is just a means to anchor the DID document.
Attestations
All Verifiable Credentials are attestations of something. Any issuer may issue non-accredited attestations (default), while accredited TIs may issue domain-specific VCs with the accreditation by attaching the AttestationPolicy
into termsOfUse
.
End Users (legal entities or natural persons) can accumulate multiple VCs from one or many trust models.
Hierarchy examples
The following diagram shows multiple top-level Root TAOs, where a single legal entity is accredited by two individual trust chains. One of the Root TAOs is stand-alone and has no hierarchy.
Policies Overview
The Trust Framework Policy is a document that links to a regulation, directive, national policy or similar document that may define requirements that must be met. These requirements may include security, legal, operational or functional requirements.
All trust model policies are located in the termsOfUse
property of the corresponding VerifiableTrustModel
credential that contains the permissions related to the policy.
Validating the Trust Model's data model
Every accredited domain-specific VC must include the AttestationPolicy
in termsOfUse
. The policy refers to a Root TAO's VerifiableAuthorisationForTrustChain
and Trusted Issuer's VerifiableAccreditationToAttest
. VerifiableAuthorisationForTrustChain
contains policies related to the Trust Framework, while VerifiableAccreditationToAttest
has policies regarding accreditation. Policies in VerifiableAccreditationToAttest
refer to VerifiableAccreditationToAccredit
, which also contains policies.
Here is one process to validate the Trust Chain. The process below does not indicate how to verify signatures or schemas; it only describes data model validation. The credential schema identifier may be hex
or base58btc
encoded, and the equality check must be encoding agnostic. It is advisable to cache the results and have evictions based on the TIRData /attribute/hash
(updates) and TIRData /attribute/issuerType
(revocations). Caches come with data staleness, which the use case must define. It is also possible to listen for TIR events to manage the caches.
EBSI Support Office
- DID
did:ebsi:zZeKyEJfUTGwajhNyNX928z
Process: TIR dereference
- Dereference the TIR link and let it be
TIRData
TIRData /attribute/issuerType
must not beUndefined
orRevoked
- Let
TIRData /attribute/body
be a subtype ofVerifiableTrustModel
VerifiableTrustModel /credentialSubject/id
must equal withTIRData /did
- If
TIRData /attribute/issuerType
isRootTAO
- Then
VerifiableTrustModel /type
must containVerifiableAuthorisationForTrustChain
- Then
VerifiableTrustModel /termsOfUse/type
must beTrustFrameworkPolicy
- Then
VerifiableTrustModel /credentialSubject/issuer
must be EBSI Support Office
- Then
- If
TIRData /attribute/issuerType
isTAO
thenVerifiableTrustModel /type
must containVerifiableAccreditationToAccredit
- If
TIRData /attribute/issuerType
isTI
thenVerifiableTrustModel /type
must containVerifiableAccreditationToAttest
- If
TIRData /attribute/issuerType
isTAO
orTI
- then
VerifiableTrustModel /termsOfUse/type
must beAccreditationPolicy
- then
VerifiableTrustModel /credentialSubject/issuer
must equal withTIRData /attribute/tao
- then
- return
VerifiableTrustModel
for use case validation
Validate Domain VC's AttestationPolicy
- Apply Process: TIR dereference for
/termsOfUse/rootAuthorisation
- Resulting VerifiableTrustModel
/credentialSubject/permissionFor[x]/types
must equal withDomain VC /type
/credentialSubject/permissionFor[x]/schemaId
must equal withDomain VC /credentialSchema
/credentialSubject/permissionFor[x]/jurisdiction
must be acceptable for the use case/termsOfUse/trustFramework
must be acceptable for the use case/termsOfUse/policyId
must be acceptable for the use case/termsOfUse/legalBasis
must be acceptable for the use case/credentialSubject/id
must be allowed for the use case
- Apply Process: TIR dereference for
/termsOfUse/parentAccreditation
- Resulting
VerifiableTrustModel
/type
must beVerifiableAccreditationToAttest
/credentialSubject/permissionFor[x]/types
must equal withDomain VC /type
/credentialSubject/permissionFor[x]/schemaId
must equal withDomain VC /credentialSchema
/credentialSubject/permissionFor[x]/jurisdiction
must be acceptable for the use case- Recursively the
step 2.
until equivalent link ofAttestationPolicy rootAuthorisation
has been found./type
must beVerifiableAccreditationToAccredit
/credentialSubject/permissionFor[x]/types
must equal withDomain VC /type
/credentialSubject/permissionFor[x]/schemaId
must equal withDomain VC /credentialSchema
/credentialSubject/permissionFor[x]/jurisdiction
must be equal or greater than lastVerifiableTrustModel
Trusted Policies Registry (TPR) validation exceptions
When validating a Verifiable Credential (VC), it is typically unnecessary to check the Trusted Policy Registry (TPR), with one specific exception: Self-Accreditation to Attest.
The conditions that require a TPR check include:
- The VC's type property includes
VerifiableAccreditationToAttest
. - The VC subject is also the VC issuer
- The VC subject is authorised to issue
VerifiableAuthorisationForTrustChain
credentials.
In this case, the TPR must be checked to determine if the VC issuer has one of the following policies:
- TIR:insertIssuer
- TIR:updateIssuer
- TIR:setAttributeMetadata
The extra validation is done on the VerifiableAccreditationToAttest
VC containing:
credentialSubject.accreditedFor[x].types = [ ..., "VerifiableAuthorisationForTrustChain" ]
This process is automatically handled by our EBSI VC library when the user invokes the verifyCredentialJwt function. However, users not utilising EBSI's VC library will need to implement this check and perform the verification manually.