Referencing Trust Registry within a Verifiable Credential

Learn how to include or reference Trust Registries and Verifiable Accreditations within the body of W3C Verifiable Credentials.

To ensure a Verifiable Credential (VC) is not only technically valid but also issued by an authorised and trusted party, it must include metadata that links back to its origin in a trust registry.

This is done using the termsOfUse property, where the Trusted Issuer includes an AttestationPolicy referencing:

  • The Verifiable Accreditation that granted them permission

  • The Root Authorisation that anchors the governance framework

Why reference a trust registry?

Including a reference to a trust registry enables verifiers to:

  • Validate that the issuer is accredited to issue this type of credential.

  • Trace the credential’s trust lineage back to a Root Trusted Accreditation Organisation (rTAO).

  • Enforce domain-specific governance or regulatory policies.

Structure of termsOfUse

The termsOfUse field uses the AttestationPolicy type and typically includes:

Field
Description

type

Must be "AttestationPolicy"

parentAccreditation

DID URL pointing to the Verifiable Accreditation that granted authority to the issuer

rootAuthorisation

DID URL referencing the original Root Authorisation for the trust chain

Example: Credential referencing its trust registry via AttestationPolicy

{
  "@context": [
    "https://www.w3.org/ns/credentials/v2",
    "https://www.w3.org/ns/credentials/examples/v2"
  ],
  "id": "http://university.example/credentials/3732",
  "type": ["VerifiableCredential", "ExampleDegreeCredential"],
  "issuer": "did:cheqd:testnet:c2f18b6b-32e2-48d1-a5a8-5f5d2d9798f0",
  "validFrom": "2010-01-01T00:00:00Z",
  "credentialSubject": {
    "id": "did:cheqd:testnet:b4902745-5b5b-423e-820a-0773b033f2b9",
    "degree": {
      "type": "ExampleBachelorDegree",
      "name": "Bachelor of Science and Arts"
    }
  },
  "termsOfUse": {
    "type": "AttestationPolicy",
    "parentAccreditation": "did:cheqd:testnet:c2f18b6b-32e2-48d1-a5a8-5f5d2d9798f0/resources/58c01595-f884-4a3b-add4-8c691e16b8ee",
    "rootAuthorisation": "did:cheqd:testnet:c2f18b6b-32e2-48d1-a5a8-5f5d2d9798f0/resources/58c01595-f884-4a3b-add4-8c691e16b8ee"
  }
}

What this enables

This embedded trust policy allows verifiers to:

  • Look up the parent accreditation and root authorisation.

  • Confirm that the issuer was permitted to issue the attestation type.

  • Automate or enforce policy-based trust decisions.

Validating Trust Chains Using TRAIN

Once a Verifiable Credential includes an AttestationPolicy referencing the trust registry, TRAIN (TRust mAnagement INfrastructure) can be used to automatically validate the issuer’s authority against a decentralized trust chain.

What does TRAIN do?

TRAIN is a trust validator that:

  • Accepts a credential (or its metadata) as input.

  • Resolves the issuer’s accreditation.

  • Traverses the trust chain to the root authorisation.

  • Optionally checks DNS anchoring of the root DID for higher assurance.

  • Returns a result that confirms if the issuer is trusted under the specified framework.


TRAIN Validation Input

Here’s a simplified example of the request body TRAIN accepts:

{
  "issuer": "did:cheqd:testnet:c2f18b6b-32e2-48d1-a5a8-5f5d2d9798f0",
  "type": ["VerifiableCredential", "ExampleDegreeCredential"],
  "termsofuse": "AttestationPolicy",
  "parentAccreditation": "did:cheqd:testnet:c2f18b6b-32e2-48d1-a5a8-5f5d2d9798f0/resources/58c01595-f884-4a3b-add4-8c691e16b8ee",
  "DNSTrustFrameworkPointers": ["example.trust-scheme.org"]
}

Note: DNSTrustFrameworkPointers is optional. If omitted, TRAIN will still validate trust up to the root authorisation.


TRAIN Validation Output

TRAIN returns a response like this:

{
  "VerificationStatus": true,
  "VerificationResult": {
    "AccreditorDIDs": [
      "did:cheqd:testnet:c2f18b6b-32e2-48d1-a5a8-5f5d2d9798f0",
      "did:cheqd:testnet:8ea036da-f340-480d-8952-f5561ea1763c"
    ],
    "FoundRootIssuerDID": "did:cheqd:testnet:8ea036da-f340-480d-8952-f5561ea1763c",
    "TrustFramework": "Example Trust Framework",
    "TrustFrameworkId": "https://example.com/governance-framework/124",
    "VerifyRootIssuerDIDinDNS": true
  }
}

βœ… VerificationStatus: true indicates that the issuer is properly accredited and the trust chain is intact. Although this will only be true if the root DID is also included in a DNS record.


Why use TRAIN?

  • Automates trust validation using standardized credential metadata.

  • Provides clear trust decisions for wallets, agents, and verifiers.

  • Enables integration with public DNS for added assurance of root DIDs.

  • Compatible with all credentials that follow cheqd’s trust chain model.

Last updated

Was this helpful?