Decentralized Trust Chains (DTCs)

Introduction

Verifiable Credentials (VCs) are, in most cases, issued by legal entities. The purpose of Verifiable Credentials is to provide the Relying Party that receives the credentials a Level of Assurance (LoA) that the attributes and claims within the credential are legitimate. However, it is not currently easy to determine whether a legal entity issuing a credential is in fact the entity they claim to be, and not, a fraudulent misrepresentation of that legal entity. This is the challenge that Trust Infrastructure and Trust Registries are positioned to solve.

At present, legal entities that issue credentials have no mechanism to establish that they are trustworthy; thus, Relying Parties may not recognise the DIDs signing the Verifiable Credentials they receive. To fully establish trust, Relying Parties need to know who issued the VCs, whether the issuer is recognised as trusted within a particular governance framework, and who accredited the issuer for the purpose of issuing the credential.

To solve this industry-wide challenge, cheqd introduces a Verifiable Trust Infrastructure "Decentralzied Trust Chains (DTCs)", that directly complements the model . Within Decentralized Trust Chains, users can create hierarchical chains of trust "Trust Chains" that together encapsulate a "Trust Registry" for a given ecosystem.

The Trust Infrastructure Model also includes permissions and policies set via "Verifiable Accreditations" and an overall "Governance Framework". Herein, permissions govern the scope of , while policies are used to define who made the accreditation; which Trust Framework is followed; and, the legal basis of the credential.

cheqd Trust Infrastructure users make the whole Verifiable Trust Model publicly available by registering it as a collection of on cheqd. cheqd's Trust Infrastructure therefore enables verifiers to automatically resolve and establish trust in hierarchies of trust without needing to know each organisation directly, using industry-standard resolution mechanisms defined in the W3C DID-Core and the DID Resolution Spec.

Glossary

There are many terms used within this guide, and as such, familiarise yourself or refer back to the concepts within the glossary below:

Establishing a Trust Hierarchy

The Decentralized Trust Chain model is predicated on the notion of a trust hierarchy, which is conceptually very similar to traditional Public Key Infrastructure (PKI). Specifically, the model relies on a Root of Trust from which trusted relationships can be established.

In our model, each organisation in the trust hierarchy possesses a Decentralized Identifier (DID) and is able to issue Verifiable Accreditations to other entities, conveying a set of permissions or scopes that determine what the recipient entity is permitted to do.

The following diagram show how a Root TAO accredits two TAOs lower in the hierarchy:

where:

• Root of Trust (rTAO) DID:

  • Controls Verifiable Accreditations (VAs) issued from rTAO to TAOs.

• Trusted Accreditation Organisation (TAO) DID:

  • Controls Verifiable Accreditations (VAs) issued from TAOs to Trusted Issuers or subTAOs.

• Trusted Issuer DID:

  • Issues Verifiable Credentials with Issuance Policies

• Verifiable Credentials

  • Issued including the Issuance Policies in the TermsOfUse section of the data model.

  • Issued to Digital Identity Wallet of user or organisation, which can be later verified up the entire trust chain.

Trust Infrastructure Roles and their Permissions

As shown in the diagram above, legal entities can play the following roles:

• Root Trusted Accreditation Organisation (Root TAO)

• Trusted Accreditation Organisation (TAO)

• Trusted Issuer (TI)

A Trust Chain should contain all three roles, even if one single DID would represent all three roles. The roles must be RTAO, TAO, and TI, where only TI may issue domain-specific Verifiable Credentials.

Root Trusted Accreditation Organisation (RTAO)

The Root TAO is the owner of a Trust Chain, responsible for the governance of the whole Trust Chain. Root TAOs may:

• accredit itself to govern or issue domain-specific Verifiable Credentials

• accredit TAOs to govern a segment of the Trust Chain

• accredit a Trusted Issuer to issue domain-specific Verifiable Credentials

• revoke an accreditation from a legal entity that is participating in the Trust Chain

The RTAO permission is defined by VerifiableAuthorisationForTrustChain, and the policies are contained in termsOfUse as TrustFrameworkPolicy.

A TAO governs an accredited segment on behalf of the RTAO. It may:

• accredit itself to issue domain-specific Verifiable Credentials

• accredit another TAO to govern a segment of the Trust Chain

• accredit a Trusted Issuer to issue domain-specific Verifiable Credentials

• revoke accreditation from a legal entity that was accredited by the TAO

The TAO permission is defined by VerifiableAccreditationToAccredit, and the policies are contained in termsOfUse as AccreditationPolicy.

A Trusted Issuer represents the Issuer in a Trust Chain. It may issue domain-specific Verifiable Credential types defined by the received accreditation.

The TI permission is defined by VerifiableAccreditationToAttest, and the policies are contained in termsOfUse as AccreditationPolicy. When the Trusted Issuer is using their accreditation to issue a domain-specific VC, the issued domain VC must contain a termsOfUse property with AttestationPolicy type, which links to the Trusted Issuer's accreditation and into Root TAO's accreditation, where both are located in TIR.

Policies define the rules and requirements that govern the trustworthiness of each entity or credential in the ecosystem. They ensure that every actor — from the root authority to the credential issuer — complies with defined standards for security, legal compliance, operational processes, and domain-specific functions.

Policies are embedded into the trust structure through the termsOfUse field of each Verifiable Accreditation or Credential.

There are three key types of policies:

How Policies are Linked

• The Trust Framework Policy is referenced in the Root Authorisation for Trust Chain issued by the rTAO.

• Each Accreditation Policy references either the Trust Framework Policy or a parent Accreditation Policy through its termsOfUse.

• Each Attestation Policy ensures that issued credentials align with the specific permissions granted by the issuer’s accreditation.

This layered policy model enables verifiers to traverse and validate the entire trust chain — from a single credential back to a rTAO (optionally anchored in DNS) — while ensuring that all participants adhere to consistent governance and operational standards.

Trust Types

Decentralized Trust Chains (DTCs) organize trust relationships into three core building blocks: Authorisations, Accreditations and Credentials (Attestations). Each type plays a distinct role in constructing verifiable, governance-aligned trust chains across ecosystems.

Authorisations

Authorisations form the foundation of a Decentralized Trust Chain by setting the rules, governance model, and trust framework that underpin the ecosystem.

At the root of every trust chain is a Root Authorisation, issued by a Root Trusted Accreditation Organisation (rTAO). This Root Authorisation:

• Defines the governance framework governing the trust chain

• Provides a machine-readable reference to a Trust Framework Policy (e.g., URL and trust framework ID)

• (Optionally) restricts permissible credential types or schemas

Every Verifiable Accreditation must reference the Root Authorisation, either directly or through intermediate accreditations. This structure ensures a policy-governed, cryptographically verifiable path from any issued credential back to the root of trust.

Root Authorisations may also be referenced within DNS records to establish stronger assurance in the identity of the legal entity.

Accreditations

Accreditations are Verifiable Credentials that grant legal entities the authority to either accredit others or issue attestations. Accreditations are always attribute-driven and domain-specific, meaning they are restricted to particular credential types or fields of trust.

These boundaries cannot be arbitrarily expanded. For example, an organisation accredited to accredit issuers of diploma attestations may only delegate that specific authority — or a narrower subset — to others downstream in the trust hierarchy.

Each Verifiable Accreditation includes an Accreditation Policy embedded in its termsOfUse field. This policy:

• Defines the permissions and conditions attached to the accreditation

• References a parent accreditation

• Enables verifiers to trace the full accreditation path back to the original root authority

Depending on the nature of the accreditation, an entity may be authorised to:

• Govern: Accrediting other entities further down the trust chain

• Issue: Attesting to facts through domain-specific Verifiable Credentials

Accredited entities must operate strictly within the boundaries defined by their accreditation and the overarching trust framework.

Credentials (Attestations)

Credentials (Attestations) are Verifiable Credentials that assert facts about an entity, such as identity, qualifications, certifications, or affiliations.

Issuance rules differ depending on the entity:

• Generic credentials may be issued by any DID-based entity without accreditation.

• Domain-specific attestations must be issued by accredited Trusted Issuers, operating within an authorized scope defined by the trust chain.

Each attestation issued under an accreditation must include an Attestation Policy in its termsOfUse field. This policy:

• Links the credential back to the issuer’s accreditation

• Establishes a cryptographic and policy-aligned trust path to the root authority

End users — whether individuals or organisations — can collect multiple attestations across one or more decentralized trust ecosystems, building portable, interoperable trust profiles.

In Summary: