1 of 11

Design your Solution

Establish Parties in Trust Ecosystem

Overview - Trust Chain definition

By completing this subsection, you will:

Identify all actors and map out their roles and relationships.
Define the rules and policies of your use case.
Define the legal identities involved.
Understand how to set up DIDs for your entities
Define accreditations issued by the Trusted Accreditation Organisation.

<todo>

Design your Trust Infrastructure

<todo>

Roots of Trust

Supported Roots of Trust

cheqd supports two predominant Root of Trust Models.

Well-Known DIDs

X.509 Certificates linked to DIDs

For existing trust frameworks such as eIDAS, organisations need to establish a root of trust using in traditional "" infrastructure. These certificates establish that an organisation is authorised to provide a service under a particular jurisdiction.

Article 22 of the eIDAS Regulation obliges Member States to establish, maintain and publish trusted lists. These lists should include information related to the qualified trust service providers for which they are responsible, and information related to the qualified trust services provided by them. The lists are to be published in a secured manner, electronically signed or sealed in a format suitable for automated processing.

Standard information in an X509 certificate includes:

Version — The version of X.509 that applies to the certificate.
Serial number — Serial number assigned by certificate authority to distinguish one certificate from other certificates.
Algorithm information — The hashing algorithm used by the CA to sign the certificate (SHA-2 in almost all cases).
Issuer distinguished name — The name of the entity issuing the certificate (usually a certificate authority)
Validity period of the certificate — The period during which certificate is valid to use.
Subject distinguished name — The name of the identity the certificate is issued to (individual, organization, domain name, etc.)
Subject public key information — The public key of the certificate

As such, one method of establishing a root of trust is associating a DID on cheqd with an existing X.509 certificate. This concept has been written on recently, with there being various approaches to achieving this.

As a first iteration of trust infrastructure on cheqd, we suggest that:

did:cheqd DIDs can be derived from the same public/private key pair as existing X.509 certificates
did:cheqd DIDs can reference X.509 certificates using a serviceEndpoint
X.509 certificates can reference did:cheqd DIDs using the "Subject Alternative Name" field within the X.509 certificate.

This will enable Root TAOs to create a reciprocal root of trust across European Trusted Lists for eIDAS compliance, and equally on cheqd.

Decentralised Root of Trust

For ecosystems that do not require a "traditional" root of trust, we can leverage the cheqd network itself to create reputable, "weighted" roots of trust.

Then, when traversing the trust chain and resolving to the Root of Trust, the validating application can apply logic to validate the "reputation" of the Root TAO, based on the voting power of the Validator within the active set.

Verifiable Accreditations

Verifiable Accreditations are credentials that are issued from one organisation to another organisation to "accredit" that organisation to perform a particular action. These types of credentials are stored directly on-ledger as DID-Linked Resources, meaning that they are persistent, sequentially versioned and highly available.

There are two types of Verifiable Accreditation:

Type

Description

Verifiable Accreditation to Accredit

This Credential verifies that an organisation has the permissions needed to accredit other organisations for issuing a particular type of Verifiable Accredittion.

Verifiable Accreditation to Attest

This Credential verifies that an organisation has the permissions needed to issue Verifiable Credentials, defined by a particular schema.

For a trusted ecosystem, these attestations are required to trace the legitimacy of a credential issuer to a root-of-trust.

Verifiable Accreditation Schema

In order to ensure consistency and interoperability within a trusted ecosystem, Trusted Accreditation Organisations (TAOs) should define schemas for the Verifiable Accreditations for their particular ecosystem. They may also reuse existing schemas that have been created for equivalent ecosystems.

Verifiable Accreditation Schema Example

{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "title": "Verifiable Accreditation Record",
  "description": "Schema of an Verifiable Accreditation",
  "type": "object",
  "allOf": [
    {
      "properties": {
        "credentialSubject": {
          "description": "Defines additional information about the subject that is described by the Verifiable Accreditation",
          "type": "object",
          "properties": {
            "id": {
              "description": "Defines a unique identifier of the Verifiable Attestation",
              "type": "string",
              "format": "uri"
            },
            "reservedAttributeId": {
              "description": "Defines the attributeId this Verifiable Accreditation has been created for",
              "type": "string"
            },
            "accreditedFor": {
              "description": "Defines a list of claims that define/determine the authorisation of an Issuer to issue certain types of VCs",
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "schemaId": {
                    "description": "Schema, registered as a DID-Linked Resource, which the accredited organisation is allowed to issue, as per their accreditation",
                    "type": "string",
                    "format": "uri"
                  },
                  "types": {
                    "type": "array",
                    "items": {
                      "type": "string"
                    }
                  },
                  "limitJurisdiction": {
                    "anyOf": [
                      {
                        "description": "Defines the jurisdiction for which the accreditation is valid",
                        "type": "string",
                        "format": "uri"
                      },
                      {
                        "type": "array",
                        "description": "Defines the jurisdictions for which the accreditation is valid",
                        "items": {
                          "type": "string",
                          "format": "uri"
                        }
                      }
                    ]
                  }
                },
                "required": ["schemaId", "types", "limitJurisdiction"]
              }
            }
          },
          "required": ["id", "reservedAttributeId", "accreditedFor"]
        },
        "credentialStatus": {
          "description": "Defines revocation details for the issued credential. Further redefined by type extension",
          "type": "object",
          "properties": {
            "id": {
              "description": "Exact identity for the credential status",
              "type": "string",
              "format": "uri"
            },
            "type": {
              "description": "Defines the revocation status type",
              "type": "string",
              "const": "AccreditationEntry"
            }
          },
          "required": ["id", "type"]
        }
      },
      "required": [
        "expirationDate",
        "credentialSubject",
        "credentialStatus",
        "termsOfUse"
      ]
    }
  ]
}

Verifiable Accreditation Examples

Notably, Verifiable Accreditations are credentials that are issued to organisational DIDs on cheqd. In each Verifiable Accreditation, there is also a reservedAttributeId that corresponds to the resourceId of the Accreditation as a DID-Linked Resource.

Verifiable Accreditation to Accredit Example

{
  "@context": ["https://www.w3.org/2018/credentials/v1"],
  "id": "urn:uuid:8568b525-a24e-4bc0-9d97-6a8459ec0130",
  "type": [
    "VerifiableCredential",
    "VerifiableAttestation",
    "VerifiableAccreditation",
    "VerifiableAccreditationToAccredit"
  ],
  "issuer": "did:cheqd:testnet:098c4f66-b461-4037-9cf0-c5db75b270c6",
  "issuanceDate": "2021-11-01T00:00:00Z",
  "validFrom": "2021-11-01T00:00:00Z",
  "expirationDate": "2025-06-22T14:11:44Z",
  "issued": "2020-06-22T14:11:44Z",
  "credentialSubject": {
    "id": "did:cheqd:testnet:e21b63d1-a771-4eb9-9452-869cd30fd622",
    "reservedAttributeId": "05afe541-77dd-4eda-9e01-2258c74b291b",
    "accreditedFor": [
      {
        "schemaId": "did:cheqd:testnet:098c4f66-b461-4037-9cf0-c5db75b270c6/resources/83eb0ed8-37d1-4ba6-9e0b-40d60676d4aa",
        "types": [
          "VerifiableCredential",
          "VerifiableAttestation",
          "DiplomaCredential"
        ]
      }
    ]
  },
  "credentialStatus": {
    "id": "did:cheqd:testnet:098c4f66-b461-4037-9cf0-c5db75b270c6?resourceName=accreditationStatus&resourceType=StatusList2021Revocation",
    "type": "StatusList2021Revocation"
  },
  "credentialSchema": [
    {
      "id": "did:cheqd:testnet:098c4f66-b461-4037-9cf0-c5db75b270c6/resources/83eb0ed8-37d1-4ba6-9e0b-40d60676d4aa",
      "type": "FullJsonSchemaValidator2021"
    },
  "termsOfUse": {
    "type": "AccreditationPolicy",
    "parentAccreditation": "did:cheqd:testnet:098c4f66-b461-4037-9cf0-c5db75b270c6/resources/83eb0ed8-37d1-4ba6-9e0b-40d60676d4aa",
    "policyId": "https://example.com/policies/124",
    "rootAuthorisation": "did:cheqd:testnet:098c4f66-b461-4037-9cf0-c5db75b270c6/resources/83eb0ed8-37d1-4ba6-9e0b-40d60676d4aa",
    "trustFramework": "cheqd Governance Framework"
    }
  ]
}

Verifiable Accreditation to Attest Example

{
  "@context": ["https://www.w3.org/2018/credentials/v1"],
  "id": "urn:uuid:8568b525-a24e-4bc0-9d97-6a8459ec0130",
  "type": [
    "VerifiableCredential",
    "VerifiableAttestation",
    "VerifiableAccreditation",
    "VerifiableAccreditationToAttest"
  ],
  "issuer": "did:cheqd:testnet:098c4f66-b461-4037-9cf0-c5db75b270c6",
  "issuanceDate": "2021-11-01T00:00:00Z",
  "validFrom": "2021-11-01T00:00:00Z",
  "expirationDate": "2025-06-22T14:11:44Z",
  "issued": "2020-06-22T14:11:44Z",
  "credentialSubject": {
    "id": "did:cheqd:testnet:e21b63d1-a771-4eb9-9452-869cd30fd622",
    "reservedAttributeId": "15b49499-2a36-4c73-9f5b-7409b44ce7a3",
    "accreditedFor": [
      {
        "schemaId": "did:cheqd:testnet:098c4f66-b461-4037-9cf0-c5db75b270c6/resources/da4159f1-ff50-4a7c-b0cb-40d3a1f71003a",
        "types": [
          "VerifiableCredential",
          "VerifiableAttestation",
          "DiplomaCredential"
        ]
    ]
  },
  "credentialStatus": {
    "id": "did:cheqd:testnet:098c4f66-b461-4037-9cf0-c5db75b270c6?resourceName=accreditationStatusToAttest&resourceType=StatusList2021Revocation",
    "type": "EbsiAccreditationEntry"
  },
  "termsOfUse": [
    {
      "id": "https://example.com/governance-framework/../..xyz",
      "type": "GovernanceFramework"
    }
  ],
  "credentialSchema": [
    {
      "id": "did:cheqd:testnet:098c4f66-b461-4037-9cf0-c5db75b270c6/resources/da4159f1-ff50-4a7c-b0cb-40d3a1f71003a",
      "type": "FullJsonSchemaValidator2021"
    }
  ]
}

Verifiable Accreditations as DID-Linked Resources

Storing Verifiable Accreditations as DID-Linked Resources enables each accreditation to be individually resolvable using a DID URL. It also enables Accreditations to be "chained" to a DID, allowing the traversal of the Accreditation to the root of trust.

The diagram below shows how DID-Linked Resources can be applied to the trust hierarchy to enable DID resolvable Verifiable Accreditations:

Accreditation and Issuance Policies

Accreditation Policies are included in each "Verifiable Accreditation" or "Verifiable Credential" within the termsOfUse section of the credential. The Accreditation Policies reference the other members of the Trust Chain, so that a Relying Party can traverse the Trust Chain.

Data Models

Process for creating a trust chain

Create did:cheqd DID for Root TAO
Establish root of trust, by:
1. Associating Root TAO DID with X.509 certificate;
2. Publishing Root TAO DID as a Well-Known DID;
3. Associating Root TAO DID with cheqd Validator.
Create did:cheqd DIDs for TAOs or TIs within the ecosystem
Create body of Verifiable Accreditation, specifying:
1. The did:cheqd DID of the subject organisation that the Accreditation is being issued to
2. A UUID as a reservedAttributeId which aligns with the resourceId of the DID-Linked Resource
Encode Verifiable Accreditation as a hexidecimal and as a base64 encoded value
Compile payload file for writing Verifiable Accreditation as a DID-Linked Resource
Publish transaction as a DID-Linked Resource, using the same UUID for the resourceId as the value specified in the reservedAttributeId

Resource Payload File fields

Field

Description

Required

did

DID of the DID Controller publishing the DID-Linked Resource

Yes

hash

Hash of the Verifiable Accreditation as a Base64 encoded value

Yes

body

Body of the Verifiable Accreditation as a hexidecimal string

Yes

type

Type of Resource being created, defaults to VerifiableAccreditation

Yes

issuerType

Type of Issuer that is issuing this Verifiable Accreditation, can be: "RootTAO", "TAO" or "SubTAO"

Yes

tao

DID of the TAO that accredited the Issuer

Yes

rootTao

DID of the root of trust that accredited the TAO and the issuer

Yes

revoked

Boolean value indicating whether the Verifiable Accreditation is revoked or not

Yes

Encrypted

Boolean value indicating whether the Verifiable Accreditation is encrypted or not

Example payload file

```json
{
  "attribute": {
    "did": "did:cheqd:testnet:098c4f66-b461-4037-9cf0-c5db75b270c6",
    "hash": "bcdb6bc952c8c897ca1e605fce25f82604c76c16d479770014b7b262b93c0250",
    "body": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImRpZDplYnNpOnpqSFpqSjRTeTdyOTJCeFh6RkdzN3FEI1Q2aVBNVy1rOE80dXdaaWQyOUd3TGUtTmpnNDBFNmpOVDdoZExwSjNaU2cifQ.eyJpYXQiOjE2OTE1OTA3NjgsImp0aSI6InVybjp1dWlkOmZmMzFhZmM4LTFmNGUtNGMxMy04ZjdhLTM0MDQ0ODZlYWRlYSIsIm5iZiI6MTY5MTU5MDc2OCwiZXhwIjoxNzIzMTI2NzY4LCJzdWIiOiJkaWQ6ZWJzaTp6akhaako0U3k3cjkyQnhYekZHczdxRCIsInZjIjp7IkBjb250ZXh0IjpbImh0dHBzOi8vd3d3LnczLm9yZy8yMDE4L2NyZWRlbnRpYWxzL3YxIl0sImlkIjoidXJuOnV1aWQ6ZmYzMWFmYzgtMWY0ZS00YzEzLThmN2EtMzQwNDQ4NmVhZGVhIiwidHlwZSI6WyJWZXJpZmlhYmxlQ3JlZGVudGlhbCIsIlZlcmlmaWFibGVBdHRlc3RhdGlvbiIsIlZlcmlmaWFibGVBY2NyZWRpdGF0aW9uIiwiVmVyaWZpYWJsZUFjY3JlZGl0YXRpb25Ub0F0dGVzdCJdLCJpc3N1ZXIiOiJkaWQ6ZWJzaTp6akhaako0U3k3cjkyQnhYekZHczdxRCIsImlzc3VhbmNlRGF0ZSI6IjIwMjMtMDgtMDlUMTQ6MTk6MjhaIiwiaXNzdWVkIjoiMjAyMy0wOC0wOVQxNDoxOToyOFoiLCJ2YWxpZEZyb20iOiIyMDIzLTA4LTA5VDE0OjE5OjI4WiIsImV4cGlyYXRpb25EYXRlIjoiMjAyNC0wOC0wOFQxNDoxOToyOFoiLCJjcmVkZW50aWFsU3ViamVjdCI6eyJpZCI6ImRpZDplYnNpOnpqSFpqSjRTeTdyOTJCeFh6RkdzN3FEIiwiYWNjcmVkaXRlZEZvciI6W3sic2NoZW1hSWQiOiJodHRwczovL2FwaS1jb25mb3JtYW5jZS5lYnNpLmV1L3RydXN0ZWQtc2NoZW1hcy1yZWdpc3RyeS92My9zY2hlbWFzL3ozTWdVRlVrYjcyMnVxNHgzZHY1eUFKbW5ObXpERmVLNVVDOHg4M1FvZUxKTSIsInR5cGVzIjpbIlZlcmlmaWFibGVDcmVkZW50aWFsIiwiVmVyaWZpYWJsZUF0dGVzdGF0aW9uIiwiVmVyaWZpYWJsZUF1dGhvcmlzYXRpb25Gb3JUcnVzdENoYWluIl19XSwicmVzZXJ2ZWRBdHRyaWJ1dGVJZCI6IjRlYzcwN2YxZDMxZjBlOTg5OTZlYzY2MmQ3ZDk4MjA4NzRiNGRkMjNjZGMwM2Y3OGEyYWIxNDgzYzM5NjlmM2EifSwiY3JlZGVudGlhbFNjaGVtYSI6eyJpZCI6Imh0dHBzOi8vYXBpLWNvbmZvcm1hbmNlLmVic2kuZXUvdHJ1c3RlZC1zY2hlbWFzLXJlZ2lzdHJ5L3YzL3NjaGVtYXMvempWRk52YkVCUEFyM2E3MjREdHRpb1pwZ1ptTnI3NUJCdFJ6WnFrN3BrRGUiLCJ0eXBlIjoiRnVsbEpzb25TY2hlbWFWYWxpZGF0b3IyMDIxIn19LCJpc3MiOiJkaWQ6ZWJzaTp6akhaako0U3k3cjkyQnhYekZHczdxRCJ9.o6olFmrYFpWy36N2Jnz1DHKBkAcSt3vN7RzSU-j6HGyhzHVZAEG7W20EtZDw4LVvKE0GzH9burBAdfJkAWR_6w",
  },
  "metadata": {
    "type": "VerifiableAccreditation",
    "issuerType": "RootTAO",
    "tao": "did:cheqd:testnet:098c4f66-b461-4037-9cf0-c5db75b270c6",
    "rootTao": "did:cheqd:testnet:098c4f66-b461-4037-9cf0-c5db75b270c6",
    "revoked": false,
    "encrypted": false
  }
}
```

Governance Framework

Trust over IP Governance

Establish Schemas for Accreditations and Credentials

<todo>

Choose a Credential Issuance Provider

<todo>

Monetise your solution

<todo>

Data Models

Process for creating a trust chain

Create did:cheqd DID for Root TAO
Establish root of trust, by:
1. Associating Root TAO DID with X.509 certificate;
2. Publishing Root TAO DID as a Well-Known DID;
3. Associating Root TAO DID with cheqd Validator.
Create did:cheqd DIDs for TAOs or TIs within the ecosystem
Create body of Verifiable Accreditation, specifying:
1. The did:cheqd DID of the subject organisation that the Accreditation is being issued to
2. A UUID as a reservedAttributeId which aligns with the resourceId of the DID-Linked Resource
Encode Verifiable Accreditation as a hexidecimal and as a base64 encoded value
Compile payload file for writing Verifiable Accreditation as a DID-Linked Resource
Publish transaction as a DID-Linked Resource, using the same UUID for the resourceId as the value specified in the reservedAttributeId

Resource Payload File fields

Field

Description

Required

did

DID of the DID Controller publishing the DID-Linked Resource

Yes

hash

Hash of the Verifiable Accreditation as a Base64 encoded value

Yes

body

Body of the Verifiable Accreditation as a hexidecimal string

Yes

type

Type of Resource being created, defaults to VerifiableAccreditation

Yes

issuerType

Type of Issuer that is issuing this Verifiable Accreditation, can be: "RootTAO", "TAO" or "SubTAO"

Yes

tao

DID of the TAO that accredited the Issuer

Yes

rootTao

DID of the root of trust that accredited the TAO and the issuer

Yes

revoked

Boolean value indicating whether the Verifiable Accreditation is revoked or not

Yes

Encrypted

Boolean value indicating whether the Verifiable Accreditation is encrypted or not

Example payload file

```json
{
  "attribute": {
    "did": "did:cheqd:testnet:098c4f66-b461-4037-9cf0-c5db75b270c6",
    "hash": "bcdb6bc952c8c897ca1e605fce25f82604c76c16d479770014b7b262b93c0250",
    "body": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImRpZDplYnNpOnpqSFpqSjRTeTdyOTJCeFh6RkdzN3FEI1Q2aVBNVy1rOE80dXdaaWQyOUd3TGUtTmpnNDBFNmpOVDdoZExwSjNaU2cifQ.eyJpYXQiOjE2OTE1OTA3NjgsImp0aSI6InVybjp1dWlkOmZmMzFhZmM4LTFmNGUtNGMxMy04ZjdhLTM0MDQ0ODZlYWRlYSIsIm5iZiI6MTY5MTU5MDc2OCwiZXhwIjoxNzIzMTI2NzY4LCJzdWIiOiJkaWQ6ZWJzaTp6akhaako0U3k3cjkyQnhYekZHczdxRCIsInZjIjp7IkBjb250ZXh0IjpbImh0dHBzOi8vd3d3LnczLm9yZy8yMDE4L2NyZWRlbnRpYWxzL3YxIl0sImlkIjoidXJuOnV1aWQ6ZmYzMWFmYzgtMWY0ZS00YzEzLThmN2EtMzQwNDQ4NmVhZGVhIiwidHlwZSI6WyJWZXJpZmlhYmxlQ3JlZGVudGlhbCIsIlZlcmlmaWFibGVBdHRlc3RhdGlvbiIsIlZlcmlmaWFibGVBY2NyZWRpdGF0aW9uIiwiVmVyaWZpYWJsZUFjY3JlZGl0YXRpb25Ub0F0dGVzdCJdLCJpc3N1ZXIiOiJkaWQ6ZWJzaTp6akhaako0U3k3cjkyQnhYekZHczdxRCIsImlzc3VhbmNlRGF0ZSI6IjIwMjMtMDgtMDlUMTQ6MTk6MjhaIiwiaXNzdWVkIjoiMjAyMy0wOC0wOVQxNDoxOToyOFoiLCJ2YWxpZEZyb20iOiIyMDIzLTA4LTA5VDE0OjE5OjI4WiIsImV4cGlyYXRpb25EYXRlIjoiMjAyNC0wOC0wOFQxNDoxOToyOFoiLCJjcmVkZW50aWFsU3ViamVjdCI6eyJpZCI6ImRpZDplYnNpOnpqSFpqSjRTeTdyOTJCeFh6RkdzN3FEIiwiYWNjcmVkaXRlZEZvciI6W3sic2NoZW1hSWQiOiJodHRwczovL2FwaS1jb25mb3JtYW5jZS5lYnNpLmV1L3RydXN0ZWQtc2NoZW1hcy1yZWdpc3RyeS92My9zY2hlbWFzL3ozTWdVRlVrYjcyMnVxNHgzZHY1eUFKbW5ObXpERmVLNVVDOHg4M1FvZUxKTSIsInR5cGVzIjpbIlZlcmlmaWFibGVDcmVkZW50aWFsIiwiVmVyaWZpYWJsZUF0dGVzdGF0aW9uIiwiVmVyaWZpYWJsZUF1dGhvcmlzYXRpb25Gb3JUcnVzdENoYWluIl19XSwicmVzZXJ2ZWRBdHRyaWJ1dGVJZCI6IjRlYzcwN2YxZDMxZjBlOTg5OTZlYzY2MmQ3ZDk4MjA4NzRiNGRkMjNjZGMwM2Y3OGEyYWIxNDgzYzM5NjlmM2EifSwiY3JlZGVudGlhbFNjaGVtYSI6eyJpZCI6Imh0dHBzOi8vYXBpLWNvbmZvcm1hbmNlLmVic2kuZXUvdHJ1c3RlZC1zY2hlbWFzLXJlZ2lzdHJ5L3YzL3NjaGVtYXMvempWRk52YkVCUEFyM2E3MjREdHRpb1pwZ1ptTnI3NUJCdFJ6WnFrN3BrRGUiLCJ0eXBlIjoiRnVsbEpzb25TY2hlbWFWYWxpZGF0b3IyMDIxIn19LCJpc3MiOiJkaWQ6ZWJzaTp6akhaako0U3k3cjkyQnhYekZHczdxRCJ9.o6olFmrYFpWy36N2Jnz1DHKBkAcSt3vN7RzSU-j6HGyhzHVZAEG7W20EtZDw4LVvKE0GzH9burBAdfJkAWR_6w",
  },
  "metadata": {
    "type": "VerifiableAccreditation",
    "issuerType": "RootTAO",
    "tao": "did:cheqd:testnet:098c4f66-b461-4037-9cf0-c5db75b270c6",
    "rootTao": "did:cheqd:testnet:098c4f66-b461-4037-9cf0-c5db75b270c6",
    "revoked": false,
    "encrypted": false
  }
}
```

Verifiable Accreditations

There are two types of Verifiable Accreditation:

Type

Description

Verifiable Accreditation to Accredit

This Credential verifies that an organisation has the permissions needed to accredit other organisations for issuing a particular type of Verifiable Accredittion.

Verifiable Accreditation to Attest

This Credential verifies that an organisation has the permissions needed to issue Verifiable Credentials, defined by a particular schema.

For a trusted ecosystem, these attestations are required to trace the legitimacy of a credential issuer to a root-of-trust.

Verifiable Accreditation Schema

Verifiable Accreditation Schema Example

{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "title": "Verifiable Accreditation Record",
  "description": "Schema of an Verifiable Accreditation",
  "type": "object",
  "allOf": [
    {
      "properties": {
        "credentialSubject": {
          "description": "Defines additional information about the subject that is described by the Verifiable Accreditation",
          "type": "object",
          "properties": {
            "id": {
              "description": "Defines a unique identifier of the Verifiable Attestation",
              "type": "string",
              "format": "uri"
            },
            "reservedAttributeId": {
              "description": "Defines the attributeId this Verifiable Accreditation has been created for",
              "type": "string"
            },
            "accreditedFor": {
              "description": "Defines a list of claims that define/determine the authorisation of an Issuer to issue certain types of VCs",
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "schemaId": {
                    "description": "Schema, registered as a DID-Linked Resource, which the accredited organisation is allowed to issue, as per their accreditation",
                    "type": "string",
                    "format": "uri"
                  },
                  "types": {
                    "type": "array",
                    "items": {
                      "type": "string"
                    }
                  },
                  "limitJurisdiction": {
                    "anyOf": [
                      {
                        "description": "Defines the jurisdiction for which the accreditation is valid",
                        "type": "string",
                        "format": "uri"
                      },
                      {
                        "type": "array",
                        "description": "Defines the jurisdictions for which the accreditation is valid",
                        "items": {
                          "type": "string",
                          "format": "uri"
                        }
                      }
                    ]
                  }
                },
                "required": ["schemaId", "types", "limitJurisdiction"]
              }
            }
          },
          "required": ["id", "reservedAttributeId", "accreditedFor"]
        },
        "credentialStatus": {
          "description": "Defines revocation details for the issued credential. Further redefined by type extension",
          "type": "object",
          "properties": {
            "id": {
              "description": "Exact identity for the credential status",
              "type": "string",
              "format": "uri"
            },
            "type": {
              "description": "Defines the revocation status type",
              "type": "string",
              "const": "AccreditationEntry"
            }
          },
          "required": ["id", "type"]
        }
      },
      "required": [
        "expirationDate",
        "credentialSubject",
        "credentialStatus",
        "termsOfUse"
      ]
    }
  ]
}

Verifiable Accreditation Examples

Verifiable Accreditation to Accredit Example

{
  "@context": ["https://www.w3.org/2018/credentials/v1"],
  "id": "urn:uuid:8568b525-a24e-4bc0-9d97-6a8459ec0130",
  "type": [
    "VerifiableCredential",
    "VerifiableAttestation",
    "VerifiableAccreditation",
    "VerifiableAccreditationToAccredit"
  ],
  "issuer": "did:cheqd:testnet:098c4f66-b461-4037-9cf0-c5db75b270c6",
  "issuanceDate": "2021-11-01T00:00:00Z",
  "validFrom": "2021-11-01T00:00:00Z",
  "expirationDate": "2025-06-22T14:11:44Z",
  "issued": "2020-06-22T14:11:44Z",
  "credentialSubject": {
    "id": "did:cheqd:testnet:e21b63d1-a771-4eb9-9452-869cd30fd622",
    "reservedAttributeId": "05afe541-77dd-4eda-9e01-2258c74b291b",
    "accreditedFor": [
      {
        "schemaId": "did:cheqd:testnet:098c4f66-b461-4037-9cf0-c5db75b270c6/resources/83eb0ed8-37d1-4ba6-9e0b-40d60676d4aa",
        "types": [
          "VerifiableCredential",
          "VerifiableAttestation",
          "DiplomaCredential"
        ]
      }
    ]
  },
  "credentialStatus": {
    "id": "did:cheqd:testnet:098c4f66-b461-4037-9cf0-c5db75b270c6?resourceName=accreditationStatus&resourceType=StatusList2021Revocation",
    "type": "StatusList2021Revocation"
  },
  "credentialSchema": [
    {
      "id": "did:cheqd:testnet:098c4f66-b461-4037-9cf0-c5db75b270c6/resources/83eb0ed8-37d1-4ba6-9e0b-40d60676d4aa",
      "type": "FullJsonSchemaValidator2021"
    },
  "termsOfUse": {
    "type": "AccreditationPolicy",
    "parentAccreditation": "did:cheqd:testnet:098c4f66-b461-4037-9cf0-c5db75b270c6/resources/83eb0ed8-37d1-4ba6-9e0b-40d60676d4aa",
    "policyId": "https://example.com/policies/124",
    "rootAuthorisation": "did:cheqd:testnet:098c4f66-b461-4037-9cf0-c5db75b270c6/resources/83eb0ed8-37d1-4ba6-9e0b-40d60676d4aa",
    "trustFramework": "cheqd Governance Framework"
    }
  ]
}

Verifiable Accreditation to Attest Example

{
  "@context": ["https://www.w3.org/2018/credentials/v1"],
  "id": "urn:uuid:8568b525-a24e-4bc0-9d97-6a8459ec0130",
  "type": [
    "VerifiableCredential",
    "VerifiableAttestation",
    "VerifiableAccreditation",
    "VerifiableAccreditationToAttest"
  ],
  "issuer": "did:cheqd:testnet:098c4f66-b461-4037-9cf0-c5db75b270c6",
  "issuanceDate": "2021-11-01T00:00:00Z",
  "validFrom": "2021-11-01T00:00:00Z",
  "expirationDate": "2025-06-22T14:11:44Z",
  "issued": "2020-06-22T14:11:44Z",
  "credentialSubject": {
    "id": "did:cheqd:testnet:e21b63d1-a771-4eb9-9452-869cd30fd622",
    "reservedAttributeId": "15b49499-2a36-4c73-9f5b-7409b44ce7a3",
    "accreditedFor": [
      {
        "schemaId": "did:cheqd:testnet:098c4f66-b461-4037-9cf0-c5db75b270c6/resources/da4159f1-ff50-4a7c-b0cb-40d3a1f71003a",
        "types": [
          "VerifiableCredential",
          "VerifiableAttestation",
          "DiplomaCredential"
        ]
    ]
  },
  "credentialStatus": {
    "id": "did:cheqd:testnet:098c4f66-b461-4037-9cf0-c5db75b270c6?resourceName=accreditationStatusToAttest&resourceType=StatusList2021Revocation",
    "type": "EbsiAccreditationEntry"
  },
  "termsOfUse": [
    {
      "id": "https://example.com/governance-framework/../..xyz",
      "type": "GovernanceFramework"
    }
  ],
  "credentialSchema": [
    {
      "id": "did:cheqd:testnet:098c4f66-b461-4037-9cf0-c5db75b270c6/resources/da4159f1-ff50-4a7c-b0cb-40d3a1f71003a",
      "type": "FullJsonSchemaValidator2021"
    }
  ]
}

Verifiable Accreditations as DID-Linked Resources

The diagram below shows how DID-Linked Resources can be applied to the trust hierarchy to enable DID resolvable Verifiable Accreditations:

Roots of Trust

Supported Roots of Trust

cheqd supports two predominant Root of Trust Models.

Well-Known DIDs

X.509 Certificates linked to DIDs

Standard information in an X509 certificate includes:

Version — The version of X.509 that applies to the certificate.
Serial number — Serial number assigned by certificate authority to distinguish one certificate from other certificates.
Algorithm information — The hashing algorithm used by the CA to sign the certificate (SHA-2 in almost all cases).
Issuer distinguished name — The name of the entity issuing the certificate (usually a certificate authority)
Validity period of the certificate — The period during which certificate is valid to use.
Subject distinguished name — The name of the identity the certificate is issued to (individual, organization, domain name, etc.)
Subject public key information — The public key of the certificate

As a first iteration of trust infrastructure on cheqd, we suggest that:

did:cheqd DIDs can be derived from the same public/private key pair as existing X.509 certificates
did:cheqd DIDs can reference X.509 certificates using a serviceEndpoint
X.509 certificates can reference did:cheqd DIDs using the "Subject Alternative Name" field within the X.509 certificate.

This will enable Root TAOs to create a reciprocal root of trust across European Trusted Lists for eIDAS compliance, and equally on cheqd.

Decentralised Root of Trust

For ecosystems that do not require a "traditional" root of trust, we can leverage the cheqd network itself to create reputable, "weighted" roots of trust.

For this model, we suggest that "Root TAOs" on the cheqd Network and include their DID in the "description" field of their Validator. This will tie the reputation and weight of the Validator with the DID itself.