Set up Trust Chain

Set up your Decentralized Trust Chain (DTC) on cheqd.

Last updated 20 days ago

Overview

A Trust Chain is a hierarchical structure of Verifiable Accreditations (VAs) that connects a Trusted Issuer to a Root Trusted Accreditation Organisation (rTAO). This structure allows credentials to be verified as trustworthy using tools like TRAIN, by tracing authority through cryptographic delegation.

Each step in the chain is formalised using a Verifiable Accreditation, while the root is anchored using a Root Authorisation for Trust Chain, which establishes the governance framework of the ecosystem.

If you're ready to issue your first accreditation, skip ahead to use cheqd Studio:

Why Build a Trust Chain?

Trust Chains enable decentralized ecosystems to:

  • Delegate authority without centralized registries

  • Define and enforce governance frameworks

  • Enable TRAIN to validate credentials against trusted policies

  • Optionally anchor trust using DNS or X.509 proofs

This is especially useful in domains like education, health, supply chain, or finance where hierarchical authority is well established.


Key Roles in a Trust Chain

| Role | Description |
| --- | --- |
| rTAO (Root Trusted Accreditation Organisation) | The top-level, highly trusted entity (e.g. government agency or standards body). It defines the governance framework and issues the root authorisation. |
| TAO (Trusted Accreditation Organisation) | An intermediary entity that is accredited by the rTAO or another TAO. It may accredit further entities. |
| Trusted Issuer | An entity accredited by a TAO or rTAO to issue Verifiable Credentials to holders. |


Trust Chain Structure

Root Authorisation for Trust Chain (published by rTAO)
    ↓
Verifiable Accreditation from rTAO to TAO
    ↓
Verifiable Accreditation from TAO to Trusted Issuer
    ↓
Verifiable Credential (Attestation) issued to subject

Steps to Set Up a Trust Chain

1. Create an rTAO DID

Register a DID to represent your Root Trusted Accreditation Organisation (rTAO). This should be a recognised, high-trust entity.

Optionally, anchor this DID in DNS using a TXT or TLSA record for added assurance in tools like TRAIN.

2. Publish a Root Authorisation for Trust Chain

Before issuing any accreditations, the rTAO must publish a Root Authorisation for Trust Chain, which includes:

  • A URI for the governance framework

  • A human-readable trust framework ID

  • Supported credential schemas for the ecosystem

This authorisation forms the root of the trust graph and is referenced by all downstream Verifiable Accreditations.

3. Issue Verifiable Accreditations (VAs)

Use the rTAO to issue a Verifiable Accreditation to a TAO. This VA should:

  • Reference the Root Authorisation

  • Define the scope of trust (e.g. what credential types or domains the TAO can operate in)

  • Optionally include expiration or other constraints

4. Delegate Further to Trusted Issuers

Each TAO may issue Verifiable Accreditations to one or more Trusted Issuers, who are responsible for issuing actual Verifiable Credentials to end-users.


Example: Education Trust Chain

rTAO: did:cheqd:gov-edu                   ← Department of Education
    └── Root Authorisation → "cheqd Governance Framework"
    ↓
TAO:  did:cheqd:state-certifier            ← State Certification Body
    ↓
Trusted Issuer: did:cheqd:university-123   ← Accredited University
    ↓
Verifiable Credential: Bachelor of Science

Each entity is linked by a signed Verifiable Accreditation, and all references point back to the initial Root Authorisation for Trust Chain.
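
The structural checks a verifier would apply when walking the education chain above from the Trusted Issuer back to the Root Authorisation, as an added example that is not cheqd or TRAIN code. The object shapes, field names, `urn:example:root-auth-1`, the credential type names and the scope-narrowing rule are assumptions; signature verification of each accreditation is assumed to have been done beforehand by a VC library.

```javascript
// Added example with constructed data; these objects are NOT cheqd's credential format.
// Signature verification of each accreditation is assumed done by a VC library beforehand.
const root = {                       // Root Authorisation published by the rTAO
  id: "urn:example:root-auth-1",     // constructed identifier
  issuer: "did:cheqd:gov-edu",
  schemas: ["BachelorDegree", "Diploma"],
};
const accreditations = new Map([     // keyed by the accredited (subject) DID
  ["did:cheqd:state-certifier", { issuer: "did:cheqd:gov-edu", rootAuth: root.id,
    scope: ["BachelorDegree", "Diploma"], expires: "2030-01-01T00:00:00Z" }],
  ["did:cheqd:university-123", { issuer: "did:cheqd:state-certifier", rootAuth: root.id,
    scope: ["BachelorDegree"], expires: "2027-01-01T00:00:00Z" }],
]);

// Walk from the credential issuer up to the rTAO, failing closed on any gap.
function validateTrustChain(issuerDid, credentialType, ctx) {
  const { root, accreditations, trustedRootDid, now, maxDepth = 5 } = ctx;
  const path = [issuerDid];
  const fail = (reason) => ({ ok: false, reason, path });
  let did = issuerDid;
  let needed = [credentialType];     // what the level above must authorise
  for (let depth = 0; depth <= maxDepth; depth++) {
    if (did === root.issuer) {
      // The root must be one the verifier already trusts (e.g. a DNS-anchored DID).
      if (did !== trustedRootDid) return fail("root is not the trusted rTAO");
      if (!needed.every((t) => root.schemas.includes(t))) return fail("type not in root schemas");
      return { ok: true, path };
    }
    const va = accreditations.get(did);
    if (!va) return fail(`no accreditation for ${did}`);
    if (va.rootAuth !== root.id) return fail("accreditation references a different root");
    if (new Date(va.expires) <= now) return fail(`accreditation for ${did} expired`);
    if (!needed.every((t) => va.scope.includes(t))) return fail(`scope of ${did} exceeded`);
    needed = va.scope;               // a parent must hold everything it delegated
    did = va.issuer;
    path.push(did);
  }
  return fail("chain too deep or cyclic");
}

const ctx = { root, accreditations, trustedRootDid: "did:cheqd:gov-edu",
  now: new Date("2025-06-01T00:00:00Z") };
console.log(validateTrustChain("did:cheqd:university-123", "BachelorDegree", ctx));
```

The depth bound makes a circular set of accreditations fail instead of looping, and the scope check rejects a Trusted Issuer whose credential type was never delegated to it.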


Optional: DNS Anchoring for rTAOs

In decentralized ecosystems, trust can be strengthened by combining blockchain-based identity with traditional Web PKI. To support this, Root Trusted Accreditation Organisations (rTAOs) can anchor their DIDs in DNS records, enabling domain-level verification of the root of the trust chain.

Why Anchor Your rTAO in DNS?

Anchoring a DID in DNS provides:

  • Cryptographic proof of domain control

  • Public discoverability and auditability of the rTAO's identity

  • Higher assurance in trust chain validation, especially for public sector or federated environments

This optional step is highly recommended if your governance model involves domain ownership or if trust must be externally verifiable.


How It Works: TDZM (Trust-DNS Zone Manager)

TDZM is a component that manages DNS zones where rTAOs can publish their DIDs as TXT or TLSA records. It integrates with DNS infrastructure to serve trust metadata for automated validation.

TRAIN uses TDZM to verify that:

  • The rTAO controls the claimed domain

  • The DID used in the trust chain is anchored in DNS

  • The governance framework is consistently represented

Interoperability with tools like , which can validate trust chains using DNS lookups

Issue Verifiable Accreditation

Issue a type of Verifiable Accreditation, including authorisations for the trust chain, and subordinate accreditations

Deploy TRAIN and Anchor rTAO in DNS

Add high assurance to your root DID, anchoring it within a DNS record.