Decentralized Trust Chains (DTCs)

Introduction​

Verifiable Credentials (VCs) are most commonly issued by legal entities to assert facts such as identity, qualifications, or authorisation. Their core purpose is to provide the Relying Party — the entity verifying the credential — with a Level of Assurance (LoA) that the claims within the credential are legitimate.

However, in practice, it’s often difficult for relying parties to determine whether a legal entity issuing a credential is authentic, or a fraudulent impersonation. There is no built-in mechanism in most credential ecosystems for verifying whether a DID-based issuer is recognised, authorised, or trustworthy.

To fully establish trust, relying parties must be able to:

• Identify who issued a credential

• Understand whether the issuer was authorised to issue it

• Trace who accredited the issuer, and under what governance framework

Introducing Decentralized Trust Chains (DTCs)

To solve this challenge, cheqd introduces a verifiable trust infrastructure called Decentralized Trust Chains (DTCs) — a model that complements and extends approaches like the EBSI Trust Chain Framework.

DTCs allow participants to create hierarchical chains of trust, where:

• A Root Trusted Accreditation Organisation (rTAO) defines the governance model

• Verifiable Accreditations delegate authority to other legal entities (e.g., TAOs, Trusted Issuers)

• Verifiable Credentials are issued by accredited issuers, with embedded metadata that references the trust chain

Together, these components form a decentralized trust registry for each ecosystem.

Publicly Verifiable, Policy-Governed Trust

cheqd’s DTC model introduces both permissions and policies:

• Permissions define what an entity is allowed to do (e.g. issue or accredit)

• Policies define who granted that permission, under what framework, and with what legal or operational requirements.

This infrastructure is made publicly resolvable by publishing all authorisations and accreditations as DID-Linked Resources on the cheqd ledger. This means:

• 🧩 Trust relationships are machine-verifiable

• 🔍 Verifiers do not need prior knowledge of each entity

• 🛠️ Resolution follows W3C standards like DID-Core, DID Resolution and DID-Linked Resources.

The result: A scalable, cryptographically verifiable way to determine whether an issuer — and the credential they issue — can be trusted.

Glossary​

There are many terms used within this guide, and as such, familiarise yourself or refer back to the concepts within the glossary below:

Establishing a Trust Hierarchy

Decentralized Trust Chains are based on the concept of a hierarchical trust model, conceptually similar to traditional Public Key Infrastructure (PKI). At the top sits a Root of Trust, from which trust is delegated through a verifiable chain of credentials.

In this model, each participant is identified by a Decentralized Identifier (DID) and may be granted permission — via a Verifiable Accreditation — to accredit others or issue credentials themselves.

How the Hierarchy Works

Trust is delegated top-down through Verifiable Accreditations:

The following diagram show how a Root TAO accredits two TAOs lower in the hierarchy:

Each role is cryptographically linked through issued Verifiable Credentials, creating a machine-verifiable trust path.

Verifiable Credentials & Policy Enforcement

• Credentials are issued with a termsOfUse section that references an Attestation Policy, linking them back to the issuer’s accreditation and the root of trust.

• Digital Wallets or agents can present these credentials for verification.

• Verifiers can then resolve and validate the entire trust chain — from the issuer to the rTAO — using DID resolution and optional DNS anchoring.

Trust Infrastructure Roles and their Permissions

As shown in the diagram above, legal entities can play the following roles:

• In a Decentralized Trust Chain, each legal entity assumes a defined role with clearly scoped permissions. While a single DID may represent multiple roles in simple ecosystems, every complete trust chain should include these three functional roles:

  • Root Trusted Accreditation Organisation (rTAO)

  • Trusted Accreditation Organisation (TAO)

  • Trusted Issuer (TI)

  Only the Trusted Issuer (TI) is permitted to issue domain-specific Verifiable Credentials (VCs).

Root Trusted Accreditation Organisation (rTAO)

The rTAO is the root of governance in a trust chain. It establishes the ecosystem’s rules and authorises who can issue or accredit within it.

Capabilities:

• Issue a Root Authorisation that defines the Trust Framework

• Self-accredit for governance or issuance

• Accredit TAOs and TIs to delegate responsibility

• Revoke accreditations from any participant in the trust chain

Credential Type:

• VerifiableAuthorisationForTrustChain

Policy Type:

• TrustFrameworkPolicy (included in termsOfUse)

Trusted Accreditation Organisation (TAO)​

A TAO manages a delegated segment of the trust chain under the rTAO. It may further accredit entities or take on the role of issuer if permitted.

Capabilities:

• Accredit itself to issue VCs

• Accredit other TAOs or Trusted Issuers

• Revoke accreditations issued within its scope

Credential Type:

• VerifiableAccreditationToAccredit

Policy Type:

• AccreditationPolicy (included in termsOfUse)

Trusted Issuer (TI)​

A Trusted Issuer is an entity that issues domain-specific Verifiable Credentials under the conditions granted by its accreditation.

Capabilities:

• Issue Verifiable Credentials to users or organisations

• Only within the types, schemas, and jurisdictions defined in their accreditation

Credential Type:

• VerifiableAccreditationToAttest

Policy Type:

• AccreditationPolicy (accreditation) + AttestationPolicy (included in the issued credential’s termsOfUse)

Policies Overview​

Policies define the rules, permissions, and governance bindings for each layer of the trust chain. They are embedded into credentials via the termsOfUse field and fall into three types:

How Policies are Linked

• Root Authorisation includes a TrustFrameworkPolicy

• Each Accreditation must reference:

  • A parent AccreditationPolicy, or

  • The original TrustFrameworkPolicy

• Each Credential (Attestation) must reference:

  • The AttestationPolicy pointing back to the issuer’s accreditation

This layered policy model enables verifiers to traverse and validate the entire trust chain — from a single credential back to a rTAO (optionally anchored in DNS) — while ensuring that all participants adhere to consistent governance and operational standards.

Trust Types in Decentralized Trust Chains

Trust Chains are constructed from three verifiable building blocks:

1. Authorisations

• Define the rules of the ecosystem

• Issued by the rTAO as a VerifiableAuthorisationForTrustChain

• Reference the root governance framework

2. Accreditations

• Grant permission to accredit or issue

• Are always domain-specific and non-transferable

• Must include an AccreditationPolicy in termsOfUse

• Allow entities to govern or issue only within the authorised scope

3. Credentials (Attestations)

• Assert facts (identity, qualifications, rights)

• Must include an AttestationPolicy that:

  • Links back to the issuer's accreditation

  • Establishes a trust path to the root authority

• Issuable only by accredited Trusted Issuers

In Summary:

Get Started

Get started

Use cheqd Studio APIs to define, issue, and publish trust registry entries:

• Create and manage Root Authorisations, Accreditations, and Attestations

• Resolve trust chains in real time using standard DID resolution

• Anchor trust registries on-chain while keeping business logic off-chain

For verification, use TRAIN to validate the trust registry to determine whether an issuer DID is accredited, and what they are accredited for — by traversing the full trust chain to its root.

Set up Trust Chain

Design and build a trust chain for establishing a trust hierarchy in your ecosystem.

Get started with TRAIN

Deploy TRAIN and start validating trust chains with DNS-anchored roots and cryptographic accreditations.