As a Root of Trust (RTAO) entity, it is possible to accredit Trusted Accreditation Organisations to issue Verifiable Accreditations or Verifiable Attestations.
The Verifiable Accreditation should include:
Issuer: DID of the Root of Trust (RTAO). Example: did:cheqd:testnet:8ea036da-f340-480d-8952-f5561ea1763c
Subject: DID of the TAO that is being accredited. Example: did:cheqd:testnet:a2b675de-33d0-4044-8183-0d74f210cceb
Credential Subject: A set of structured permissions around what credentials the TAO is accredited to issue, and in which jurisdiction. See below.
Terms of use: A set of policies setting out the Governance Framework for the ecosystem. See below.
Root TAOs can set permissions under which TAOs must abide. This creates a level of codified governance for the trust ecosystem.
Whereby:
schemaId: Schema of the Verifiable Accreditation that the TAO is accredited to issue themselves
types: Types of Credential that the TAO is accredited to issue
limitJurisdiction: Permission that the RTAO can set to limit the jurisdictional scope of the credentials issued in the ecosystem
The Root TAO can also set policies known as the TrustFrameworkPolicy within the termsOfUse section of the Verifiable Accreditation.
Whereby:
type: Must be TrustFrameworkPolicy
trustFramework: Name of Governance Framework set by the Governance Authority
trustFrameworkId: URL linking to where the written Governance Framework is stored
Trust Registries are referenced within Accreditation Policies in the Verifiable Credential body. This enables Relying Parties to traverse the trust chain and verify that the issuer, accrediting entity (TAO) and Root of Trust (rTAO) are all legitimate entities.
Within the body of the Verifiable Credential, issuers will need to configure the termsOfUse section to reference DIDs or DID URLs of trust registry entries, for example:
As a Trusted Accreditation Organisation (TAO), it is possible to accredit Trusted Issuers (TIs) to issue Verifiable Attestations.
The Verifiable Accreditation should include:
Issuer: DID of the TAO. Example: did:cheqd:testnet:e66a9416-d03e-4ced-95e3-07af16e25bc5
Subject: DID of the Trusted Issuer that is being accredited. Example: did:cheqd:testnet:f6e731f0-5bfb-429b-b2c7-e65a951d7b5e
Credential Subject: A set of structured permissions around what credentials the Trusted Issuer is accredited to issue, and in which jurisdiction. See below.
Terms of use: A set of policies setting out the scope of Trust Chain for Relying parties to validate against. See below.
Root TAOs can set permissions under which TAOs must abide. This creates a level of codified governance for the trust ecosystem.
Whereby:
schemaId: Schema of the Verifiable Accreditation that the SubTAO is accredited to issue themselves
types: Types of Credential that the SubTAO is accredited to issue
limitJurisdiction: Permission that the TAO can set to limit the jurisdictional scope of the credentials issued in the ecosystem
The Root TAO can also set policies known as the AccreditationPolicy within the termsOfUse section of the Verifiable Accreditation.
Whereby:
type: Must be AccreditationPolicy
parentAccreditation: The DID URL of the Accreditation issued by another TAO or the Root TAO to the TAO
rootAuthorisation: The DID URL of the Root of Trust Verifiable Authorisation
trustFramework: Name of Governance Framework set by the Governance Authority
trustFrameworkId: URL linking to where the written Governance Framework is stored
As a Trusted Accreditation Organisation (TAO), it is possible to accredit Sub-Trusted Accreditation Organisations (SubTAOs) to issue Verifiable Accreditations or Verifiable Attestations.
The Verifiable Accreditation should include:
Issuer: DID of the TAO. Example: did:cheqd:testnet:a2b675de-33d0-4044-8183-0d74f210cceb
Subject: DID of the SubTAO that is being accredited. Example: did:cheqd:testnet:e66a9416-d03e-4ced-95e3-07af16e25bc5
Credential Subject: A set of structured permissions around what credentials the SubTAO is accredited to issue, and in which jurisdiction. See below.
Terms of use: A set of policies setting out the scope of Trust Chain for Relying parties to validate against. See below.
Root TAOs can set permissions under which TAOs must abide. This creates a level of codified governance for the trust ecosystem.
Whereby:
schemaId: Schema of the Verifiable Accreditation that the SubTAO is accredited to issue themselves
types: Types of Credential that the SubTAO is accredited to issue
limitJurisdiction: Permission that the TAO can set to limit the jurisdictional scope of the credentials issued in the ecosystem
The Root TAO can also set policies known as the AccreditationPolicy within the termsOfUse section of the Verifiable Accreditation.
Whereby:
type: Must be AccreditationPolicy
parentAccreditation: The DID URL of the Accreditation issued by another TAO or the Root TAO to the TAO
rootAuthorisation: The DID URL of the Root of Trust Verifiable Authorisation
trustFramework: Name of Governance Framework set by the Governance Authority
trustFrameworkId: URL linking to where the written Governance Framework is stored
Verifiable Credentials (VCs) are, in most cases, issued by legal entities. The purpose of Verifiable Credentials is to provide the Relying Party that receives the credentials a Level of Assurance (LoA) that the attributes and claims within the credential are legitimate. However, it is not currently easy to determine whether a legal entity issuing a credential is in fact the entity they claim to be, and not a fraudulent misrepresentation of that legal entity. This is the challenge that Trust Infrastructure and Trust Registries are positioned to solve.
Note: This Trust Registry challenge is a significant problem for the digital credential industry, and often inhibits the technology reaching a production stage of readiness.
At present, legal entities that issue credentials have no mechanism to establish that they are trustworthy; thus, Relying Parties may not recognise the DIDs signing the Verifiable Credentials they receive. To fully establish trust, Relying Parties need to know who issued the VCs, whether the issuer is recognised as trusted within a particular governance framework, and who accredited the issuer for the purpose of issuing the credential.
To solve this industry-wide challenge, cheqd introduces a Verifiable Trust Infrastructure that directly complements the model created by EBSI. Within cheqd's Trust Infrastructure, users can create hierarchical chains of trust ("Trust Chains") that together encapsulate a "Trust Registry" for a given ecosystem.
The Trust Infrastructure Model also includes permissions and policies set via "Verifiable Accreditations" and an overall "Governance Framework". Herein, permissions govern the scope of , while policies are used to define who made the accreditation; which Trust Framework is followed; and, the legal basis of the credential.
cheqd Trust Infrastructure users make the whole Verifiable Trust Model publicly available by registering it as a collection of DID-Linked Resources on cheqd. cheqd's Trust Infrastructure therefore enables verifiers to automatically resolve and establish trust in hierarchies of trust without needing to know each organisation directly, using industry-standard resolution mechanisms defined in the W3C DID-Core and the DID Resolution Spec.
This guide uses many terms. Familiarise yourself with, or refer back to, the concepts in the glossary below:
Accreditation Policy: Part of a Verifiable Credential, using the termsOfUse section to reference the parentAccreditation in the Trust Chain
DID (Decentralised Identifier): Legal entity identifier for Trust Registry; cannot be a natural person in the context of Trust Infrastructure
GA (Governance Authority): The legal entity or consortia responsible for writing the Governance Framework. In many instances the Governance Authority is also a Root TAO
GF (Governance Framework): A policy document outlining the purpose, roles, scopes and permissions for a given ecosystem using the Trust Infrastructure.
Root TAO (Root Trusted Accreditation Organization): Legal entity governing the whole trust chain
TAO (Trusted Accreditation Organization): Legal entity governing a trust chain segment
Trust Chain: Hierarchy of Verifiable Accreditations. Multiple Trust Chains may comprise a Trust Registry.
TI (Trusted Issuer): Legal entity participating in a trust chain as an issuer
Trust Infrastructure: The overall set of technical and governance components to establish end-to-end trust.
Verifiable Accreditation: Type of on-ledger Verifiable Credential that is specifically used for establishing governance permissions and policies
Verifiable Trust Model: Permissions with policies to either accredit, or to attest
Depending on their accreditations and authorisations, legal entities can play the following roles:
Root Trusted Accreditation Organisation (Root TAO)
Trusted Accreditation Organisation (TAO)
Trusted Issuer (TI)
A Trust Chain should contain all three roles, even if one single DID would represent all three roles. The roles must be RTAO, TAO, and TI, where only TI may issue domain-specific Verifiable Credentials.
The Root TAO is the owner of a Trust Chain, responsible for the governance of the whole Trust Chain. A Root TAO may:
accredit itself to govern or issue domain-specific Verifiable Credentials
accredit TAOs to govern a segment of the Trust Chain
accredit a Trusted Issuer to issue domain-specific Verifiable Credentials
revoke an accreditation from a legal entity that is participating in the Trust Chain
The RTAO permission is defined by VerifiableAuthorisationForTrustChain, and the policies are contained in termsOfUse as TrustFrameworkPolicy.
A TAO governs an accredited segment on behalf of the RTAO. It may:
accredit itself to issue domain-specific Verifiable Credentials
accredit another TAO to govern a segment of the Trust Chain
accredit a Trusted Issuer to issue domain-specific Verifiable Credentials
revoke accreditation from a legal entity that was accredited by the TAO
The TAO permission is defined by VerifiableAccreditationToAccredit, and the policies are contained in termsOfUse as AccreditationPolicy.
A Trusted Issuer represents the Issuer in a Trust Chain. It may issue domain-specific Verifiable Credential types defined by the received accreditation.
Note that issuers may issue Verifiable Credentials outside the Trust Chain, but these are not associated or recognised by a Root TAO and therefore contain no weight within the Trust Chain's governance framework.
The TI permission is defined by VerifiableAccreditationToAttest, and the policies are contained in termsOfUse as AccreditationPolicy. When the Trusted Issuer is using their accreditation to issue a domain-specific VC, the issued domain VC must contain a termsOfUse property with AttestationPolicy type, which links to the Trusted Issuer's accreditation and to the Root TAO's accreditation, both of which are located in TIR.
The Governance Framework Policy is a document, written by a Governance Authority, that defines requirements that must be met for the Trust Ecosystem. These requirements may include security, legal, operational, or functional requirements and may relate to regulation, directives, national policy, or similar documents.
All Trust Model policies are located in the termsOfUse property of the corresponding Accreditation or credential that contains the permissions related to the policy.
Accreditations are certifications of being qualified to accredit or attest. Accreditations are attribute-driven and are always restricted to domain-specific credential types. These restrictions cannot be extended. For example, if a legal entity is accredited to accredit Issuers of diploma VCs, they may only pass this or a subset downstream of the hierarchy. Depending on the accreditation, the accredited legal entity may govern (accredit) or issue (attest), but always within the Trust Model and the accredited boundaries.
Each Verifiable Accreditation is also associated with an AccreditationPolicy in the termsOfUse section of the credential. This Policy links to the parent or root accreditation to enable verifiers to traverse the trust registry.
All Verifiable Credentials are attestations of something. Any issuer may issue credentials (default), while accredited Trusted Issuers may issue domain-specific VCs with the accreditation, by attaching the AttestationPolicy into termsOfUse.
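The traversal that the termsOfUse references in a credential body and the parentAccreditation links in each AccreditationPolicy make possible looks like this from the Relying Party's side. This is an added example, not cheqd's own code: the resource paths, the DiplomaCredential type, the flattened document layout and the in-memory REGISTRY are assumptions, and signature and revocation checks are assumed to have been done when each document was resolved.

```python
# Added example (not cheqd code): walk a Trust Chain up to a pinned Root TAO.
# Resource paths, DiplomaCredential and the flattened layout are constructed.
NS = "did:cheqd:testnet:"
RTAO = NS + "8ea036da-f340-480d-8952-f5561ea1763c"
TAO = NS + "a2b675de-33d0-4044-8183-0d74f210cceb"
TI = NS + "f6e731f0-5bfb-429b-b2c7-e65a951d7b5e"
ROOT_URL = RTAO + "/resources/example-root-accreditation"
TI_URL = TAO + "/resources/example-ti-accreditation"
ACCREDIT, ATTEST = "VerifiableAccreditationToAccredit", "VerifiableAccreditationToAttest"

# Stand-in for DID-Linked Resource resolution: DID URL -> signature-checked document.
REGISTRY = {
    ROOT_URL: {"type": ACCREDIT, "issuer": RTAO, "subject": TAO, "types": ["DiplomaCredential"],
               "termsOfUse": {"type": "TrustFrameworkPolicy",
                              "trustFramework": "Example Framework",
                              "trustFrameworkId": "https://example.org/framework"}},
    TI_URL: {"type": ATTEST, "issuer": TAO, "subject": TI, "types": ["DiplomaCredential"],
             "termsOfUse": {"type": "AccreditationPolicy",
                            "parentAccreditation": ROOT_URL,
                            "rootAuthorisation": ROOT_URL}},
}
DIPLOMA_VC = {"issuer": TI, "types": ["DiplomaCredential"],
              "termsOfUse": {"type": "AttestationPolicy",
                             "parentAccreditation": TI_URL,
                             "rootAuthorisation": ROOT_URL}}

def verify_chain(vc, registry, trusted_roots, max_depth=8):
    """Return the accreditation DID URLs walked, or raise ValueError."""
    root_url, child, path = vc["termsOfUse"].get("rootAuthorisation"), vc, []
    for _ in range(max_depth):
        tou = child["termsOfUse"]
        if tou.get("type") == "TrustFrameworkPolicy":  # top of the chain
            if not path or path[-1] != root_url or child["issuer"] not in trusted_roots:
                raise ValueError("chain does not end at a trusted Root TAO")
            return path
        url = tou.get("parentAccreditation")
        if tou.get("rootAuthorisation") != root_url or url in path or url not in registry:
            raise ValueError(f"inconsistent, cyclic or unresolvable link: {url}")
        parent = registry[url]
        if parent["subject"] != child["issuer"]:
            raise ValueError("issuer is not the subject of its parent accreditation")
        if not set(child["types"]) <= set(parent["types"]):
            raise ValueError("types exceed what the parent was accredited for")
        if parent["type"] != (ATTEST if child is vc else ACCREDIT):
            raise ValueError("parent accreditation does not grant this action")
        path.append(url)
        child = parent
    raise ValueError("chain too deep")
```

The set of trusted_roots should be pinned from the Governance Framework, not read from the credential, because rootAuthorisation is a value the issuer supplies.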
End Users (legal entities or natural persons) can accumulate multiple Verifiable Credentials from one or many Trust Models.
The following diagram shows how a Root TAO accredits two TAOs lower in the hierarchy:
where:
Root of Trust (rTAO) DID: Controls Verifiable Accreditations (VAs) issued from rTAO to TAOs.
Accredited Org (TAO) DID: Controls Verifiable Accreditations (VAs) issued from TAOs to Trusted Issuers.
Trusted Issuer DID: Issues Verifiable Credentials with Issuance Policies.
Verifiable Credentials: Issued including the Issuance Policies in the TermsOfUse section of the data model. Issued to the Digital Identity Wallet of a user or organisation, and can later be verified up the entire trust chain.
RTAO -> TAO
Learn about how Root TAOs can accredit other TAOs in the trust ecosystem with permissions and Trust Framework Policies.
TAO -> SubTAO
Learn about how TAOs can accredit other SubTAOs in the trust ecosystem with permissions and Accreditation Policies.
TAO -> TI
Learn about how TAOs can accredit Trusted Issuers to issue credentials within the trust ecosystem, using permissions and Accreditation Policies.
Referencing Trust Registry within a Verifiable Credential
Learn how a Trusted Issuer can reference a Trust Registry in an issued credential, enabling a relying party to traverse the Trust Chain.