What is a decentralized trust model?
Learn how decentralized digital trust differs from earlier identity models, the technology that enables it, and the mind shifts required for policy makers and stakeholders.
Digital trust is moving from a federated model, in which intermediaries authenticate users and assert their identity to relying parties, to a decentralized one, in which the holder receives verifiable credentials and presents them directly. This shift is not a technology upgrade. It is a change in the architecture of trust itself.
Several jurisdictions are operationalizing decentralized digital identity programs, including the European Union (eIDAS 2.0 and the European Digital Identity Wallet), Australia, New Zealand, the United Kingdom, Canada, and Singapore. The standards stack is mature, the architectural model is widely understood, and credential schemes are entering production. The questions that remain are governance questions, and they require policy makers, regulators, and ecosystem stakeholders to reframe assumptions formed in earlier eras.
This page explains what is genuinely different about the decentralized trust model, the technology that enables it, and the shifts in thinking required to govern it well.
The three architectural eras of digital identity
Era one: Paper and the trusted holder
For most of the twentieth century, identity verification meant presenting a physical document. Governments issued passports, birth certificates, and driver licenses. The citizen carried them. A relying party (a bank, an employer, or a border officer) inspected the document, made a judgment about its authenticity, and recorded what they needed.
The safeguards in this era were operational: document security features, controlled issuance, in-person inspection. What happened at the point of presentation was largely outside the issuer's view.
This era's privacy properties were accidental rather than designed. There was no national identity database because there was no practical way to build one. Each relying party kept its own records, and linkage between them was difficult.
Era two: Federated identity and the trusted intermediary
From the early 2000s, governments and large institutions moved identity verification online. The architecture that emerged was federated. A single trusted intermediary, the identity provider, authenticated the user and then asserted to relying parties that the user was who they claimed to be. National schemes followed this model, alongside consumer-grade equivalents such as Login with Google and Login with Apple.
The federated model solved a real problem. It removed the need for every relying party to verify identity independently. But it introduced a new one: the identity provider sees every transaction. Each verification request flows through the intermediary, which can build a complete view of which services a person accesses.
The safeguards in this era were contractual and regulatory. Identity providers were required to handle data carefully, retain it only as long as necessary, and submit to oversight. Privacy law and binding terms did the work. But the architecture itself was surveillance-capable by design: the intermediary had to see the transaction in order to authenticate it.
Era three: Decentralized credentials and the trusted holder, returned
The decentralized model returns the holder to the center, but with cryptographic guarantees the paper era could not offer. An authoritative issuer issues a verifiable credential to the holder's wallet. The holder presents that credential to relying parties directly, without an intermediary in the transaction loop. The credential is cryptographically signed by the issuer, so the relying party can verify its authenticity without contacting the issuer. The issuer cannot see where the credential is being used.
What is genuinely different about era three is not the cryptography itself. It is the consequence: no party in the system holds a complete record of how a person uses their identity. Not the issuer. Not a federation provider. Not a single trust registry. The data minimization that was accidental in era one and contractual in era two is now architectural in era three.
The technology that enables decentralized trust
The decentralized trust model rests on a stack of open, internationally maintained standards that have matured significantly over the last five years.
| Layer | Standard | Role |
|---|---|---|
| Credential data model | W3C Verifiable Credentials Data Model 2.0 | Defines the structure and semantics of a verifiable credential |
| mobile Driver’s License (mDL) | ISO/IEC 18013-5 | Specifies the data model and presentation protocol for mobile driving licenses (mDL) |
| Selective disclosure credentials | SD-JWT VC | A credential format that supports presenting only selected attributes |
| Presentation protocol | OpenID for Verifiable Presentations (OID4VP) | Defines how a relying party requests and receives credentials from a wallet |
| Issuance protocol | OpenID for Verifiable Credential Issuance (OID4VCI) | Defines how an issuer delivers credentials to a wallet |
| Browser integration | W3C Digital Credentials API | Allows web pages to request credentials from a wallet through the browser |
Together, these standards make it possible for an issuer to mint a credential once, for a holder to store and present it from any compliant wallet, and for a verifier to validate it independently without contacting the issuer or any central intermediary.
Two properties of this stack matter particularly for governance:
- Cryptographic signatures make credentials tamper-evident and bind them to the issuer without requiring a live lookup at verification time. The verifier can confirm authenticity offline.
- Selective disclosure lets the holder present only the specific facts a verifier needs (for example, "over 18" rather than a full date of birth). This is how the architecture enforces data minimization in practice. See Selective disclosure for more.
Trust is anchored in cryptographic keys and governed by explicit trust frameworks rather than inferred from reputation or jurisdiction. See Chain of trust for how issuer keys are anchored to recognized trust roots.
Four layers of a credential ecosystem
It is helpful to read a credential ecosystem in terms of four functional layers, because the policy questions tend to sit cleanly within one or another of them. This framing is not specific to any single jurisdiction. It is a useful way to read what is actually happening in deployed programs. The EU's Architecture and Reference Framework, the ISO 18013 family of standards, and most national trust frameworks make similar distinctions, sometimes with different vocabulary.
| Layer | What it does | Where it sits |
|---|---|---|
| Issuing authority | Decides what may be asserted, at what level of assurance, and under what conditions. Holds the revocation mandate. | The agency with the legal standing and the authoritative source data to create credentials. |
| Issuance platform | Turns the issuing authority's instructions into cryptographically signed credentials and delivers them to the holder's wallet. | The technical infrastructure. It has no independent credential authority. It does what the issuing authority tells it to do, to a standards-compliant specification. |
| Trust framework | Defines who counts as accredited, what technical standards apply, what privacy and security obligations attach to accredited parties, and how enforcement works. | The governance layer. Typically established by primary legislation, refined through regulations and standards, and operated by an accreditation authority. |
| Facilitation mechanism | Holds credentials and presents them. Implements selective disclosure, refuses to "phone home" to its supplier during presentations, supports biometric access on the device, and supports user-initiated revocation. | The citizen-facing software. The wallet. It operates under the citizen's control rather than the issuing authority's. |
Outside all four layers sit relying parties. These are the businesses, agencies, and organizations that receive credential presentations. They are bound by general data protection law, such as the GDPR in Europe and the Privacy Act in New Zealand and Australia, but they are not, in most jurisdictions, bound by the trust framework itself unless they are also operating an accredited service. Closing this gap is one of the most consistent open policy questions across credential programs. See Policy considerations for the design choices it opens up.
This four-layer view lets you point precisely at where each policy question lives, rather than collapsing them all into a single "decentralized identity" conversation. Most of the policy work sits at the issuing authority and trust framework layers. The issuance platform and facilitation mechanism are largely technical, operating to standards set by the layers above them.
Why architectural shifts matter for governance
Each era's safeguards were designed for that era's architecture. When governance instruments from earlier eras are carried forward unchanged, two failure modes follow.
The first is over-collection by reflex: treating a decentralized system as if it were federated and requiring providers to log, retain, or report on individual transactions. This recreates the surveillance properties the architecture was specifically designed to eliminate.
The second is under-protection by assumption: treating decentralization as if it solved every privacy and integrity question on its own. It does not. The new architecture moves the locus of risk away from the identity provider's database and onto the relying party's intake form. If the relying party asks for more than it needs, the holder presents more than necessary, and the data ends up retained in places the architecture cannot reach.
The work of policy in era three is to move the safeguards to where the risks actually sit.
Six shifts in governance focus
From gatekeeping access to setting issuance terms
In the federated era, the identity provider controlled access transaction by transaction. Every verification request was authorized in real time. Governance worked by sitting in the loop.
In the decentralized era, the issuer is out of the loop by design. The credential travels independently of the issuer. Governance must move upstream, to the moment of issuance, and downstream, to the conditions under which relying parties may consume credentials. The lever is no longer access control. It is issuance policy and accreditation.
In practice, this means specifying at issuance time what the issuer expects of any party that subsequently consumes the credential, and ensuring those expectations are technically and legally enforceable.
From surveillance-based oversight to architectural safeguards
Federated systems supported oversight through logs. The intermediary saw every transaction and could be required to report on patterns, anomalies, and breaches. Oversight was retrospective and pattern-based.
Decentralized systems cannot support that model without breaking their core property. Many trust frameworks now explicitly prohibit issuers, wallets, and trust framework providers from tracking or correlating verification activity. Policy makers seeking equivalent oversight assurance must look to architectural and statistical instruments instead of transactional ones:
- Aggregate issuance metrics (credentials issued, revocation rates, expiry patterns) give regulators system-level visibility without individual tracking.
- Mandatory incident reporting from accredited issuers, wallets, and verifiers provides accountability without surveillance.
- Operationally immediate revocation gives the issuer prospective protective capability that is more powerful than retrospective logging, because it stops harm in flight rather than describing it after the fact.
From "what data do we hold" to "what claims can be presented"
The federated era was preoccupied with the security of held data: breach response, encryption at rest, access controls. These remain important, but they answer a question that matters less in era three.
The decentralized era's central question is what claims can be presented and verified without underlying data ever transferring. "Over 18: yes" is a claim. "Citizen: yes" is a claim. Neither requires a date of birth or a passport number to leave the wallet. Selective disclosure and zero-knowledge proofs are the technical instruments. Policy frames whether they are mandated, encouraged, or optional.
A reasonable default is that for any high-value credential issued by a government or regulated body, selective disclosure should be the default presentation mode, and full-record disclosure should require a specific justification by the relying party.
From purpose limitation as compliance to purpose binding as architecture
Purpose limitation has long been a principle of privacy law: information collected for one purpose should not be used for another. Historically this has been auditable but not architecturally enforced.
In era three, purpose binding can be embedded in the credential itself. An issuer can specify that a particular attribute is presentable only for age verification, or only to accredited services, or only for a specific declared purpose. OID4VP requires the relying party to declare its purpose machine-readably before the credential is presented. The wallet enforces the issuer's policy. The user sees the purpose.
The architecture does the work that compliance auditing previously did after the fact.
From relying-party trust by reputation to relying-party trust by accreditation
In the federated era, the identity provider implicitly extended trust to whichever relying parties it chose to serve. The relying party's reputation, contractual position, or sector regulation did the work of justifying that trust.
In era three, accreditation under a trust framework is the formal instrument. For credentials carrying high-assurance attributes (nationality, citizenship, regulated qualifications), consumption can be restricted to accredited services. Lower-assurance attributes can be accessible to parties that have signed binding issuer terms without full accreditation.
Trust frameworks and trust registries are the enforcement mechanism. They let the ecosystem know which issuers, wallets, and verifiers meet defined obligations without putting the issuer in the transaction loop. See Verifiable credential ecosystem for more on these roles.
From data linkage as capability to data linkage as risk
Federated systems often combined data across agencies or institutions to enrich identity assertions. The capability was valued; the risk was managed contractually.
In era three, cross-organization data combination becomes the principal residual risk inside large institutional ecosystems, even as the risks outside them recede. Combining citizenship data with driver licensing data with business registration data to construct profiles no single dataset was collected to produce is the surveillance-by-linkage scenario decentralized architectures were specifically designed to prevent, and which institutions should not replicate internally.
A useful discipline is verification without retention: where an issuer needs to confirm a fact against another authoritative source, the claim should be verified at issuance time and the source data discarded. Verification happens, the credential is issued, the third-party data is not retained.
Common pitfalls when adopting a decentralized model
Practitioners new to the model often carry forward instincts that no longer serve. Among the most common:
- Logging all verification events centrally, because that is how oversight worked before. This breaks the architecture's privacy guarantees and is often prohibited by the trust framework rules that govern it.
- Requiring every credential to be checked against a live issuer endpoint at presentation time. This re-creates the federated dependency the model was designed to eliminate. Use offline-verifiable signatures and published status lists instead.
- Asking for full credentials when only a single attribute is needed. This pushes the data-minimization principle outside the architecture's enforcement zone. Use selective disclosure by default.
- Treating the wallet as a passive container. In era three, the wallet enforces issuer policy, mediates user consent, and represents the holder. It is a governance-bearing component, not just a user interface.
- Assuming the technology alone delivers privacy. It does not. The architecture removes specific risks (issuer-side surveillance, central correlation) but does not address what relying parties do with the data once they receive it. That work happens in issuance policy, accreditation, and trust framework rules.
What this means for policy makers and stakeholders
Decentralized trust does not reduce the need for governance. It changes where governance is applied and what instruments are available.
The strongest protections in a decentralized ecosystem come from designing the system so that misuse is technically constrained, not from adding compliance obligations on top of an architecture that already permits the harm. Where policy work is grounded in the architecture, the resulting safeguards are durable, technically enforceable, and proportionate. Where it is not, safeguards either become compliance overhead that the architecture has already made redundant, or they reintroduce surveillance properties the architecture was specifically designed to remove.
For policy makers, governance bodies, and ecosystem stakeholders, the recommendation is to use the architecture. Decide what claims may be issued, by whom, to whom, and under what conditions. Specify selective disclosure as the default. Treat trust frameworks and accreditation as primary instruments. Move oversight from transactional logging to aggregate metrics and incident reporting. Recognize that the harder work is not the technology. It is building the institutional capability to operate the ecosystem well: revocation operations, accreditation compliance, relying-party oversight, fraud response, and equity and access management.
The technology is ready. The standards are in place. The remaining work is governance, and it is the right hard work to do.
Frequently asked questions
What is a decentralized trust model?
A decentralized trust model is an approach to digital identity in which an authoritative issuer issues a verifiable credential to a holder's wallet, and the holder presents that credential directly to relying parties without an intermediary in the transaction loop. The credential is cryptographically signed by the issuer so the relying party can verify it independently, and no central party sees where the credential is being used.
How is decentralized trust different from federated identity?
In a federated model, an identity provider authenticates the user and asserts their identity to relying parties, so the intermediary sees every transaction. In a decentralized model, the issuer is out of the loop once the credential is issued. The relying party verifies the credential cryptographically without contacting the issuer, and no party holds a complete record of how a person uses their identity.
What technical standards does decentralized trust rely on?
The decentralized trust model rests on a stack of open international standards. These include the W3C Verifiable Credentials Data Model 2.0 for credential structure, ISO/IEC 18013-5 for mobile driving licenses, SD-JWT VC for selective disclosure, OpenID for Verifiable Presentations (OID4VP) for presentation requests, OpenID for Verifiable Credential Issuance (OID4VCI) for issuance, and the W3C Digital Credentials API for browser integration.
What are the four layers of a credential ecosystem?
A credential ecosystem can be read in four functional layers. The issuing authority decides what may be asserted and holds the revocation mandate. The issuance platform turns those instructions into signed credentials. The trust framework defines accreditation, technical standards, and obligations. The facilitation mechanism, or wallet, holds and presents credentials under the citizen's control. Relying parties sit outside these four layers and are bound by general data protection law.
Does decentralized trust eliminate the need for governance?
No. Decentralized trust does not reduce the need for governance. It changes where governance is applied and what instruments are available. Architectural safeguards do much of the work that contractual rules did in earlier models, but policy is still needed for issuance terms, accreditation, relying party obligations, equity, and enforcement.
Can a decentralized credential be used offline?
Yes. Because the credential carries a cryptographic signature, a verifier can confirm authenticity offline without contacting the issuer for each transaction. Status checks for revocation may require online connectivity depending on the design, but the core verification of issuer authenticity and credential integrity can be performed locally.
How would you rate this page?
Last updated on