Decentralized Trust Chains (DTCs)
Learn about Decentralized Trust Chains (DTCs) on cheqd.
Verifiable Credentials (VCs) are, in most cases, issued by legal entities. The purpose of Verifiable Credentials is to provide the Relying Party that receives the credentials a Level of Assurance (LoA) that the attributes and claims within the credential are legitimate. However, it is not currently easy to determine whether a legal entity issuing a credential is in fact the entity it claims to be, and not a fraudulent misrepresentation of that legal entity. This is the challenge that Trust Infrastructure and Trust Registries are positioned to solve.
At present, legal entities that issue credentials have no mechanism to establish that they are trustworthy; thus, Relying Parties may not recognise the DIDs signing the Verifiable Credentials they receive. To fully establish trust, Relying Parties need to know who issued the VCs, whether the issuer is recognised as trusted within a particular governance framework, and who accredited the issuer for the purpose of issuing the credential.
To solve this industry-wide challenge, cheqd introduces a Verifiable Trust Infrastructure, "Decentralized Trust Chains (DTCs)", that directly complements the model . Within Decentralized Trust Chains, users can create hierarchical chains of trust ("Trust Chains") that together encapsulate a "Trust Registry" for a given ecosystem.
The Trust Infrastructure Model also includes permissions and policies set via "Verifiable Accreditations" and an overall "Governance Framework". Herein, permissions govern the scope of , while policies are used to define who made the accreditation; which Trust Framework is followed; and, the legal basis of the credential.
cheqd Trust Infrastructure users make the whole Verifiable Trust Model publicly available by registering it as a collection of on cheqd. cheqd's Trust Infrastructure therefore enables verifiers to automatically resolve and establish trust in hierarchies of trust without needing to know each organisation directly, using industry-standard resolution mechanisms defined in the W3C DID-Core and the DID Resolution Spec.
There are many terms used within this guide, and as such, familiarise yourself or refer back to the concepts within the glossary below:
| Abbreviation | Term | Definition |
| --- | --- | --- |
| - | Accreditation Policy | Part of a Verifiable Credential, using the termsOfUse section to reference the parentAccreditation in the Trust Chain |
| DID | Decentralized Identifier | Legal entity identifier for Trust Registry, cannot be natural person in context of Trust Infrastructure |
| GA | Governance Authority | The legal entity or consortia responsible for writing the Governance Framework. In many instances the Governance Authority is also a Root TAO |
| GF | Governance Framework | A policy document outlining the purpose, roles, scopes and permissions for a given ecosystem using the Trust Infrastructure. |
| Root TAO | Root Trusted Accreditation Organization | Legal entity governing the whole trust chain |
| TAO | Trusted Accreditation Organization | Legal entity governing a trust chain segment |
| - | Trust Chain | Hierarchy of Verifiable Accreditations. Multiple Trust Chains may comprise a Trust Registry. |
| TI | Trusted Issuer | Legal entity participating in a trust chain as an issuer |
| - | Trust Infrastructure | The overall set of technical and governance components to establish end-to-end trust. |
| - | Verifiable Accreditation | Type of on-ledger Verifiable Credential that is specifically used for establishing governance permissions and policies |
| - | Verifiable Trust Model | Permissions with policies to either accredit, or to attest |
The Decentralized Trust Chain model is predicated on the notion of a trust hierarchy, which is conceptually very similar to traditional Public Key Infrastructure (PKI). Specifically, the model relies on a Root of Trust from which trusted relationships can be established.
In our model, each organisation in the trust hierarchy possesses a Decentralized Identifier (DID) and is able to issue Verifiable Accreditations to other entities, conveying a set of permissions or scopes that determine what the recipient entity is permitted to do.
The following diagram shows how a Root TAO accredits two TAOs lower in the hierarchy:
where:
Root of Trust (rTAO) DID: Controls Verifiable Accreditations (VAs) issued from rTAO to TAOs.
Trusted Accreditation Organisation (TAO) DID: Controls Verifiable Accreditations (VAs) issued from TAOs to Trusted Issuers or subTAOs.
Trusted Issuer DID: Issues Verifiable Credentials with Issuance Policies.
Verifiable Credentials: Issued including the Issuance Policies in the TermsOfUse section of the data model. Issued to the Digital Identity Wallet of a user or organisation, and can later be verified up the entire trust chain.
As shown in the diagram above, legal entities can play the following roles:
Root Trusted Accreditation Organisation (Root TAO)
Trusted Accreditation Organisation (TAO)
Trusted Issuer (TI)
A Trust Chain should contain all three roles, even if one single DID would represent all three roles. The roles must be RTAO, TAO, and TI, where only TI may issue domain-specific Verifiable Credentials.
The Root TAO is the owner of a Trust Chain, responsible for the governance of the whole Trust Chain. A Root TAO may:
accredit itself to govern or issue domain-specific Verifiable Credentials
accredit TAOs to govern a segment of the Trust Chain
accredit a Trusted Issuer to issue domain-specific Verifiable Credentials
revoke an accreditation from a legal entity that is participating in the Trust Chain
The RTAO permission is defined by VerifiableAuthorisationForTrustChain, and the policies are contained in termsOfUse as TrustFrameworkPolicy.
A TAO governs an accredited segment on behalf of the RTAO. It may:
accredit itself to issue domain-specific Verifiable Credentials
accredit another TAO to govern a segment of the Trust Chain
accredit a Trusted Issuer to issue domain-specific Verifiable Credentials
revoke accreditation from a legal entity that was accredited by the TAO
The TAO permission is defined by VerifiableAccreditationToAccredit, and the policies are contained in termsOfUse as AccreditationPolicy.
A Trusted Issuer represents the Issuer in a Trust Chain. It may issue domain-specific Verifiable Credential types defined by the received accreditation.
The TI permission is defined by VerifiableAccreditationToAttest, and the policies are contained in termsOfUse as AccreditationPolicy. When the Trusted Issuer uses its accreditation to issue a domain-specific VC, the issued domain VC must contain a termsOfUse property with AttestationPolicy type, which links to the Trusted Issuer's accreditation and to the Root TAO's accreditation, where both are located in TIR.
Policies define the rules and requirements that govern the trustworthiness of each entity or credential in the ecosystem. They ensure that every actor, from the root authority to the credential issuer, complies with defined standards for security, legal compliance, operational processes, and domain-specific functions.
Policies are embedded into the trust structure through the termsOfUse field of each Verifiable Accreditation or Credential.
There are three key types of policies:
| Policy Type | Applies To | Purpose |
| --- | --- | --- |
| Trust Framework Policy | Root Authorisation (rTAO) | Defines the overarching governance framework for the entire trust model. Sets baseline security, operational, legal, and regulatory requirements. |
| Accreditation Policy | Verifiable Accreditation (TAO) | Defines the scope and conditions under which an accredited TAO can accredit others or issue domain-specific attestations, always within the bounds of the root framework. |
| Attestation Policy | Verifiable Credential (Trusted Issuer) | Defines the terms under which an attestation (credential) is issued, linking it back to the accreditation and ensuring compliance with the trust framework. |
The Trust Framework Policy is referenced in the Root Authorisation for Trust Chain issued by the rTAO.
Each Accreditation Policy references either the Trust Framework Policy or a parent Accreditation Policy through its termsOfUse.
Each Attestation Policy ensures that issued credentials align with the specific permissions granted by the issuer's accreditation.
This layered policy model enables verifiers to traverse and validate the entire trust chain, from a single credential back to a rTAO (optionally anchored in DNS), while ensuring that all participants adhere to consistent governance and operational standards.
Decentralized Trust Chains (DTCs) organize trust relationships into three core building blocks: Authorisations, Accreditations and Credentials (Attestations). Each type plays a distinct role in constructing verifiable, governance-aligned trust chains across ecosystems.
Authorisations form the foundation of a Decentralized Trust Chain by setting the rules, governance model, and trust framework that underpin the ecosystem.
At the root of every trust chain is a Root Authorisation, issued by a Root Trusted Accreditation Organisation (rTAO). This Root Authorisation:
Defines the governance framework governing the trust chain
Provides a machine-readable reference to a Trust Framework Policy (e.g., URL and trust framework ID)
(Optionally) restricts permissible credential types or schemas
Every Verifiable Accreditation must reference the Root Authorisation, either directly or through intermediate accreditations. This structure ensures a policy-governed, cryptographically verifiable path from any issued credential back to the root of trust.
Root Authorisations may also be referenced within DNS records to establish stronger assurance in the identity of the legal entity.
Accreditations are Verifiable Credentials that grant legal entities the authority to either accredit others or issue attestations. Accreditations are always attribute-driven and domain-specific, meaning they are restricted to particular credential types or fields of trust.
These boundaries cannot be arbitrarily expanded. For example, an organisation accredited to accredit issuers of diploma attestations may only delegate that specific authority, or a narrower subset, to others downstream in the trust hierarchy.
Each Verifiable Accreditation includes an Accreditation Policy embedded in its termsOfUse field. This policy:
Defines the permissions and conditions attached to the accreditation
References a parent accreditation
Enables verifiers to trace the full accreditation path back to the original root authority
Depending on the nature of the accreditation, an entity may be authorised to:
Govern: Accrediting other entities further down the trust chain
Issue: Attesting to facts through domain-specific Verifiable Credentials
Accredited entities must operate strictly within the boundaries defined by their accreditation and the overarching trust framework.
Credentials (Attestations) are Verifiable Credentials that assert facts about an entity, such as identity, qualifications, certifications, or affiliations.
Issuance rules differ depending on the entity:
Generic credentials may be issued by any DID-based entity without accreditation.
Domain-specific attestations must be issued by accredited Trusted Issuers, operating within an authorized scope defined by the trust chain.
Each attestation issued under an accreditation must include an Attestation Policy in its termsOfUse field. This policy:
Links the credential back to the issuer's accreditation
Establishes a cryptographic and policy-aligned trust path to the root authority
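The chain walk a relying party performs over these policies, as an added example (not cheqd's code or on-ledger schema): it follows termsOfUse links from a credential up to the Root Authorisation and rejects any hop that widens scope. The in-memory registry, the `subject` and `scope` fields, the `va:` identifiers, the `did:example` DIDs and the use of `parentAccreditation` on the credential itself are assumptions; signature, resolution and revocation checks are out of scope.

```python
# Added illustration on constructed data; not cheqd's SDK or on-ledger schema.
# Assumes signatures, DID resolution and revocation status are checked elsewhere.
ATTEST = "VerifiableAccreditationToAttest"
ACCREDIT = "VerifiableAccreditationToAccredit"
ROOT_AUTH = "VerifiableAuthorisationForTrustChain"
POLICY = {ATTEST: "AccreditationPolicy", ACCREDIT: "AccreditationPolicy",
          ROOT_AUTH: "TrustFrameworkPolicy"}

def doc(vtype, issuer, subject, scope, parent=None):
    """Build a simplified accreditation; 'scope' and 'subject' are hypothetical fields."""
    return {"type": vtype, "issuer": issuer, "subject": subject, "scope": set(scope),
            "termsOfUse": {"type": POLICY[vtype], "parentAccreditation": parent}}
RTAO, TAO, TI = "did:example:rtao", "did:example:tao", "did:example:ti"  # constructed
REGISTRY = {  # constructed chain: rTAO -> TAO -> Trusted Issuer
    "va:root": doc(ROOT_AUTH, RTAO, RTAO, ["Diploma", "Transcript"]),
    "va:tao": doc(ACCREDIT, RTAO, TAO, ["Diploma"], "va:root"),
    "va:ti": doc(ATTEST, TAO, TI, ["Diploma"], "va:tao"),
    # Deliberately over-broad: the TAO tries to delegate more than it holds.
    "va:ti-wide": doc(ATTEST, TAO, TI, ["Diploma", "Transcript"], "va:tao"),
}

def credential(vc_type, issuer, accreditation):
    """Build a simplified domain credential carrying an AttestationPolicy."""
    return {"type": vc_type, "issuer": issuer,
            "termsOfUse": {"type": "AttestationPolicy", "parentAccreditation": accreditation}}

def verify_chain(cred, registry, trusted_roots, max_depth=8):
    """Walk termsOfUse links from a credential up to a trusted Root Authorisation."""
    tou = cred.get("termsOfUse", {})
    if tou.get("type") != "AttestationPolicy":
        return False, "credential has no AttestationPolicy"
    holder, scope, allowed = cred["issuer"], {cred["type"]}, {ATTEST}
    link = tou.get("parentAccreditation")
    for _ in range(max_depth):  # bounded walk, so cyclic links cannot loop forever
        va = registry.get(link)
        if va is None:
            return False, f"cannot resolve {link}"
        if va["type"] not in allowed or va["termsOfUse"]["type"] != POLICY[va["type"]]:
            return False, f"{link}: wrong permission or policy type"
        if va["subject"] != holder:
            return False, f"{link}: not issued to {holder}"
        if not scope <= va["scope"]:  # delegated scope may only stay equal or narrow
            return False, f"{link}: does not cover {sorted(scope - va['scope'])}"
        if va["type"] == ROOT_AUTH:
            ok = va["issuer"] in trusted_roots
            return ok, "trusted" if ok else "root is not a trusted rTAO"
        holder, scope, allowed = va["issuer"], va["scope"], {ACCREDIT, ROOT_AUTH}
        link = va["termsOfUse"]["parentAccreditation"]
    return False, "chain too deep or cyclic"
```

A credential issued under `va:ti-wide` passes the first hop but fails at `va:tao`, because each hop is checked against the scope its parent actually holds rather than against the credential type alone.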
End users, whether individuals or organisations, can collect multiple attestations across one or more decentralized trust ecosystems, building portable, interoperable trust profiles.
| Element | Purpose |
| --- | --- |
| Authorisations | Define the governance and policy rules at the root of the trust chain |
| Accreditations | Delegate trust authority for accreditation or credential issuance |
| Credentials (Attestations) | Assert verifiable facts within the scope of a governed trust framework |
RTAO -> TAO
Learn about how Root TAOs can accredit other TAOs in the trust ecosystem with permissions and Trust Framework Policies.
TAO -> SubTAO
Learn about how TAOs can accredit other SubTAOs in the trust ecosystem with permissions and Accreditation Policies.
TAO - TI
Learn about how TAOs can accredit Trusted Issuers to issue credentials within the trust ecosystem, using permissions and Accreditation Policies.
Referencing Trust Registry within a Verifiable Credential
Learn how a Trusted Issuer can reference a Trust Registry in an issued credential, enabling a relying party to traverse the Trust Chain.