Verifiable Accreditations are credentials that are issued from one organisation to another organisation to "accredit" that organisation to perform a particular action. These types of credentials are stored directly on-ledger as DID-Linked Resources, meaning that they are persistent, sequentially versioned and highly available.
There are two types of Verifiable Accreditation:
For a trusted ecosystem, these attestations are required to trace the legitimacy of a credential issuer to a root-of-trust.
In order to ensure consistency and interoperability within a trusted ecosystem, Trusted Accreditation Organisations (TAOs) should define schemas for the Verifiable Accreditations for their particular ecosystem. They may also reuse existing schemas that have been created for equivalent ecosystems.
Notably, Verifiable Accreditations are credentials that are issued to organisational DIDs on cheqd. In each Verifiable Accreditation, there is also a reservedAttributeId
that corresponds to the resourceId
of the Accreditation as a DID-Linked Resource.
Storing Verifiable Accreditations as DID-Linked Resources enables each accreditation to be individually resolvable using a DID URL. It also enables Accreditations to be "chained" to a DID, allowing the traversal of the Accreditation to the root of trust.
The diagram below shows how DID-Linked Resources can be applied to the trust hierarchy to enable DID resolvable Verifiable Accreditations:
Type | Description |
---|---|
Verifiable Accreditation to Accredit
This Credential verifies that an organisation has the permissions needed to accredit other organisations for issuing a particular type of Verifiable Accredittion.
Verifiable Accreditation to Attest
This Credential verifies that an organisation has the permissions needed to issue Verifiable Credentials, defined by a particular schema.
For existing trust frameworks such as eIDAS, organisations need to establish a root of trust using X.509 certificates in traditional "Trusted List" infrastructure. These certificates establish that an organisation is authorised to provide a service under a particular jurisdiction.
Article 22 of the eIDAS Regulation obliges Member States to establish, maintain and publish trusted lists. These lists should include information related to the qualified trust service providers for which they are responsible, and information related to the qualified trust services provided by them. The lists are to be published in a secured manner, electronically signed or sealed in a format suitable for automated processing.
Standard information in an X509 certificate includes:
Version — The version of X.509 that applies to the certificate.
Serial number — Serial number assigned by certificate authority to distinguish one certificate from other certificates.
Algorithm information — The hashing algorithm used by the CA to sign the certificate (SHA-2 in almost all cases).
Issuer distinguished name — The name of the entity issuing the certificate (usually a certificate authority)
Validity period of the certificate — The period during which certificate is valid to use.
Subject distinguished name — The name of the identity the certificate is issued to (individual, organization, domain name, etc.)
Subject public key information — The public key of the certificate
As such, one method of establishing a root of trust is associating a DID on cheqd with an existing X.509 certificate. This concept has been written on recently, with there being various approaches to achieving this.
As a first iteration of trust infrastructure on cheqd, we suggest that:
did:cheqd
DIDs can be derived from the same public/private key pair as existing X.509 certificates
did:cheqd
DIDs can reference X.509 certificates using a serviceEndpoint
X.509 certificates can reference did:cheqd
DIDs using the "Subject Alternative Name" field within the X.509 certificate.
This will enable Root TAOs to create a reciprocal root of trust across European Trusted Lists for eIDAS compliance, and equally on cheqd.
For ecosystems that do not require a "traditional" root of trust, we can leverage the cheqd network itself to create reputable, "weighted" roots of trust.
For this model, we suggest that "Root TAOs" set up a cheqd Validator on the cheqd Network and include their DID in the "description" field of their Validator. This will tie the reputation and weight of the Validator with the DID itself.
Then, when traversing the trust chain and resolving to the Root of Trust, the validating application can apply logic to validate the "reputation" of the Root TAO, based on the voting power of the Validator within the active set.
Note that this work on Trust Infrastructure is in a draft stage, and will change as it is improved and iterated over the coming months.
Verifiable Credentials (VCs) are, in most cases, issued by legal entities. Verifiers need to know who issued the VCs, whether the issuer is recognised as trusted within the domain, and who made the recognition. By default, legal entities have no accreditations; thus, verifiers may not recognise the Verifiable Credentials they issued.
cheqd introduces a Verifiable Trust Model, that directly mirrors the model created by EBSI, that contains permissions and policies. Permissions allow governance or issuance in the Trust Model, while policies are used to define who made the accreditation, which Trust Framework is followed, and the legal basis of it. Trust Model participants make the whole Verifiable Trust Model publicly available by registering it as DID-Linked Resources on cheqd.
The Trust Model enables verifiers to trust roots of hierarchies without needing to know each issuer directly. All permissions and policies are verifiable by verifiers, which allows building greater trust towards issuers.
Depending on their accreditations and authorisations, legal entities can play the following roles:
Root Trusted Accreditation Organisation (Root TAO)
Trusted Accreditation Organisation (TAO)
Trusted Issuer (TI)
A trust chain creates a common and highly accessible point of trust for the given trust domain. Each Verifier can choose to trust the Root TAO and verify the accreditation chain that is referenced from the issued Verifiable Credential. All Verifiable Accreditations are public information and stored as DID-Linked Resources on the cheqd network.
Root TAO is the owner of the chain, responsible for the governance of the whole trust chain. Root TAOs may accredit TAOs to govern a segment of the chain. Root TAO and TAOs may also accredit Trusted Issuers to issue specific Verifiable Credentials. The Verifiable Accreditation defines permissions with policies that the accreditation holder must follow. Accreditation holders (legal entities) can have multiple accreditations from single or numerous trust chains, where each accreditation belongs to a one trust chain that gives them issuing or governance capabilities.
A Trust Chain should contain all three roles, even if one single DID would represent all three roles. The roles must be RTAO, TAO, and TI, where only TI may issue domain-specific Verifiable Credentials.
A Root TAO represents a Trust Model and has full control of the Trust Chain. It may:
accredit itself to govern or issue domain-specific Verifiable Credentials
accredit any legal entity to govern or issue domain-specific Verifiable Credentials
revoke an accreditation from a legal entity that is participating in the trust chain
The RTAO permission is defined by VerifiableAuthorisationForTrustChain
, and the policies are contained in termsOfUse
as TrustFrameworkPolicy
.
A TAO governs an accredited segment on behalf of the RTAO. It may:
accredit itself to issue domain-specific Verifiable Credentials
accredit any legal entity to govern or issue domain-specific Verifiable Credentials
revoke accreditation from a legal entity that was accredited by the TAO
The TAO permission is defined by VerifiableAccreditationToAccredit
, and the policies are contained in termsOfUse
as AccreditationPolicy
.
A Trusted Issuer represents the Issuer in a trust chain. It may issue domain-specific Verifiable Credential types defined by the received accreditation. Issuers may issue Verifiable Credentials outside the trust chain, but these are not associated with a Root TAO and contain no reference to an accreditation.
The TI permission is defined by VerifiableAccreditationToAttest
, and the policies are contained in termsOfUse
as AccreditationPolicy
. When the Trusted Issuer is using their accreditation to issue a domain-specific VC, the issued domain VC must contain a termsOfUse
property with AttestationPolicy
type, which links to the Trusted Issuer's accreditation and into Root TAO's accreditation, where both are located in TIR.
Accreditations are certifications of being qualified to accredit or attest. Accreditations are attribute-driven and are always restricted to domain-specific credential types. These restrictions cannot be extended. For example, if a legal entity is accredited to accredit Issuers of diploma VCs, they may only pass this or a subset downstream of the hierarchy. Depending on the accreditation, the accredited legal entity may govern (accredit) or issue (attest), but always within the Trust Model and the accredited boundaries.
All Verifiable Credentials are attestations of something. Any issuer may issue non-accredited attestation (default), while accredited Trusted Issuers may issue domain-specific VCs with the accreditation, by attaching the AttestationPolicy
into termsOfUse
.
End Users (legal entities or natural persons) can accumulate multiple Verifiable Credentials from one or many Trust Models.
The following diagram show how a Root TAO accredits two TAOs lower in the hierarchy
<todo>
The Trust Framework Policy is a document that links to a regulation, directive, national policy, or similar document that may define requirements that must be met. These requirements may include security, legal, operational, or functional requirements.
All Trust Model policies are located in the termsOfUse
property of the corresponding VerifiableTrustModel
credential that contains the permissions related to the policy.
Unlike the EBSI Verifiable Trust Model which requires Root TAOs to obtain authorisation from the EBSI office to write to the Trust Registry, cheqd employs a permisionless model, allowing any organisation to set-up a Root TAO DID and accredit other organisations.
Create did:cheqd
DID for Root TAO
Establish root of trust, by:
Associating Root TAO DID with X.509 certificate; or
Associating Root TAO DID with cheqd Validator
Create did:cheqd
DIDs for TAOs or TIs within the ecosystem
Create body of Verifiable Accreditation, specifying:
The did:cheqd
DID of the subject organisation that the Accreditation is being issued to
A UUID as a reservedAttributeId which aligns with the resourceId of the DID-Linked Resource
Encode Verifiable Accreditation as a hexidecimal and as a base64 encoded value
Compile payload file for writing Verifiable Accreditation as a DID-Linked Resource
Publish transaction as a DID-Linked Resource, using the same UUID for the resourceId
as the value specified in the reservedAttributeId
Abbreviation | Term | Description |
---|---|---|
Field | Description | Required |
---|---|---|
-
Trust Chain
Implementation of a Trust Model
DID
Decentralised Identifier
Legal entity identifier for Trust Model, cannot be natural person in context of Trust Model
RTAO
Root Trusted Accreditation Organization
Legal entity governing the whole trust chain
TAO
Trusted Accreditation Organization
Legal entity governing a trust chain segment
TI
Trusted Issuer
Legal entity participating in a trust chain as an issuer
VC
Verifiable Credential
Base type for Verifiable Attestation, Accreditation and Authorisation
-
Verifiable Trust Model
Permissions with policies to either accredit, or to attest
did
DID of the DID Controller publishing the DID-Linked Resource
Yes
hash
Hash of the Verifiable Accreditation as a Base64 encoded value
Yes
body
Body of the Verifiable Accreditation as a hexidecimal string
Yes
type
Type of Resource being created, defaults to VerifiableAccreditation
Yes
issuerType
Type of Issuer that is issuing this Verifiable Accreditation, can be: "RootTAO", "TAO" or "SubTAO"
Yes
tao
DID of the TAO that accredited the Issuer
Yes
rootTao
DID of the root of trust that accredited the TAO and the issuer
Yes
revoked
Boolean value indicating whether the Verifiable Accreditation is revoked or not
Yes
Encrypted
Boolean value indicating whether the Verifiable Accreditation is encrypted or not
No
Combination of x509 and DID/VC for inheritance properties of trust in digital identities
Paper written by Carsten Stocker, Paul Bastian and Steffen Schwalm on the different methods for associating DIDs with X.509 certificates