What is a decentralized trust model?
Learn how decentralized digital trust differs from earlier identity models, the technology that enables it, and the mind shifts required for policy makers and stakeholders.
Digital trust is moving from a federated model, in which intermediaries authenticate users and assert their identity to relying parties, to a decentralized one, in which the holder receives verifiable credentials and presents them directly. This shift is not a technology upgrade. It is a change in the architecture of trust itself.
Several jurisdictions are operationalizing decentralized digital identity programs, including the European Union (eIDAS 2.0 and the European Digital Identity Wallet), Australia, New Zealand, the United Kingdom, Canada, and Singapore. The standards stack is mature, the architectural model is widely understood, and credential schemes are entering production. The questions that remain are governance questions, and they require policy makers, regulators, and ecosystem stakeholders to reframe assumptions formed in earlier eras.
This page explains what is genuinely different about the decentralized trust model, the technology that enables it, and the shifts in thinking required to govern it well.
The three architectural eras of digital identity
Era one: Paper and the trusted holder
For most of the twentieth century, identity verification meant presenting a physical document. Governments issued passports, birth certificates, and driver licenses. The citizen carried them. A relying party (a bank, an employer, or a border officer) inspected the document, made a judgment about its authenticity, and recorded what they needed.
The safeguards in this era were operational: document security features, controlled issuance, in-person inspection. What happened at the point of presentation was largely outside the issuer's view.
This era's privacy properties were accidental rather than designed. There was no national identity database because there was no practical way to build one. Each relying party kept its own records, and linkage between them was difficult.
Era two: Federated identity and the trusted intermediary
From the early 2000s, governments and large institutions moved identity verification online. The architecture that emerged was federated. A single trusted intermediary, the identity provider, authenticated the user and then asserted to relying parties that the user was who they claimed to be. National schemes followed this model, alongside consumer-grade equivalents such as Login with Google and Login with Apple.
The federated model solved a real problem. It removed the need for every relying party to verify identity independently. But it introduced a new one: the identity provider sees every transaction. Each verification request flows through the intermediary, which can build a complete view of which services a person accesses.
The safeguards in this era were contractual and regulatory. Identity providers were required to handle data carefully, retain it only as long as necessary, and submit to oversight. Privacy law and binding terms did the work. But the architecture itself was surveillance-capable by design: the intermediary had to see the transaction in order to authenticate it.
Era three: Decentralized credentials and the trusted holder, returned
The decentralized model returns the holder to the center, but with cryptographic guarantees the paper era could not offer. An authoritative issuer issues a verifiable credential to the holder's wallet. The holder presents that credential to relying parties directly, without an intermediary in the transaction loop. The credential is cryptographically signed by the issuer, so the relying party can verify its authenticity without contacting the issuer. The issuer cannot see where the credential is being used.
What is genuinely different about era three is not the cryptography itself. It is the consequence: no party in the system holds a complete record of how a person uses their identity. Not the issuer. Not a federation provider. Not a single trust registry. The data minimization that was accidental in era one and contractual in era two is now architectural in era three.
The technology that enables decentralized trust
The decentralized trust model rests on a stack of open, internationally maintained standards that have matured significantly over the last five years.
| Layer | Standard | Role |
|---|---|---|
| Credential data model | W3C Verifiable Credentials Data Model 2.0 | Defines the structure and semantics of a verifiable credential |
| mobile Driver’s License (mDL) | ISO/IEC 18013-5 | Specifies the data model and presentation protocol for mobile driving licenses (mDL) |
| Selective disclosure credentials | SD-JWT VC | A credential format that supports presenting only selected attributes |
| Presentation protocol | OpenID for Verifiable Presentations (OID4VP) | Defines how a relying party requests and receives credentials from a wallet |
| Issuance protocol | OpenID for Verifiable Credential Issuance (OID4VCI) | Defines how an issuer delivers credentials to a wallet |
| Browser integration | W3C Digital Credentials API | Allows web pages to request credentials from a wallet through the browser |
Together, these standards make it possible for an issuer to mint a credential once, for a holder to store and present it from any compliant wallet, and for a verifier to validate it independently without contacting the issuer or any central intermediary.
Two properties of this stack matter particularly for governance:
- Cryptographic signatures make credentials tamper-evident and bind them to the issuer without requiring a live lookup at verification time. The verifier can confirm authenticity offline.
- Selective disclosure lets the holder present only the specific facts a verifier needs (for example, "over 18" rather than a full date of birth). This is how the architecture enforces data minimization in practice. See Selective disclosure for more.
Trust is anchored in cryptographic keys and governed by explicit trust frameworks rather than inferred from reputation or jurisdiction. See Chain of trust for how issuer keys are anchored to recognized trust roots.
Why architectural shifts matter for governance
Each era's safeguards were designed for that era's architecture. When governance instruments from earlier eras are carried forward unchanged, two failure modes follow.
The first is over-collection by reflex: treating a decentralized system as if it were federated and requiring providers to log, retain, or report on individual transactions. This recreates the surveillance properties the architecture was specifically designed to eliminate.
The second is under-protection by assumption: treating decentralization as if it solved every privacy and integrity question on its own. It does not. The new architecture moves the locus of risk away from the identity provider's database and onto the relying party's intake form. If the relying party asks for more than it needs, the holder presents more than necessary, and the data ends up retained in places the architecture cannot reach.
The work of policy in era three is to move the safeguards to where the risks actually sit.
Six shifts in governance focus
From gatekeeping access to setting issuance terms
In the federated era, the identity provider controlled access transaction by transaction. Every verification request was authorized in real time. Governance worked by sitting in the loop.
In the decentralized era, the issuer is out of the loop by design. The credential travels independently of the issuer. Governance must move upstream, to the moment of issuance, and downstream, to the conditions under which relying parties may consume credentials. The lever is no longer access control. It is issuance policy and accreditation.
In practice, this means specifying at issuance time what the issuer expects of any party that subsequently consumes the credential, and ensuring those expectations are technically and legally enforceable.
From surveillance-based oversight to architectural safeguards
Federated systems supported oversight through logs. The intermediary saw every transaction and could be required to report on patterns, anomalies, and breaches. Oversight was retrospective and pattern-based.
Decentralized systems cannot support that model without breaking their core property. Many trust frameworks now explicitly prohibit issuers, wallets, and trust framework providers from tracking or correlating verification activity. Policy makers seeking equivalent oversight assurance must look to architectural and statistical instruments instead of transactional ones:
- Aggregate issuance metrics (credentials issued, revocation rates, expiry patterns) give regulators system-level visibility without individual tracking.
- Mandatory incident reporting from accredited issuers, wallets, and verifiers provides accountability without surveillance.
- Operationally immediate revocation gives the issuer prospective protective capability that is more powerful than retrospective logging, because it stops harm in flight rather than describing it after the fact.
From "what data do we hold" to "what claims can be presented"
The federated era was preoccupied with the security of held data: breach response, encryption at rest, access controls. These remain important, but they answer a question that matters less in era three.
The decentralized era's central question is what claims can be presented and verified without underlying data ever transferring. "Over 18: yes" is a claim. "Citizen: yes" is a claim. Neither requires a date of birth or a passport number to leave the wallet. Selective disclosure and zero-knowledge proofs are the technical instruments. Policy frames whether they are mandated, encouraged, or optional.
A reasonable default is that for any high-value credential issued by a government or regulated body, selective disclosure should be the default presentation mode, and full-record disclosure should require a specific justification by the relying party.
From purpose limitation as compliance to purpose binding as architecture
Purpose limitation has long been a principle of privacy law: information collected for one purpose should not be used for another. Historically this has been auditable but not architecturally enforced.
In era three, purpose binding can be embedded in the credential itself. An issuer can specify that a particular attribute is presentable only for age verification, or only to accredited services, or only for a specific declared purpose. OID4VP requires the relying party to declare its purpose machine-readably before the credential is presented. The wallet enforces the issuer's policy. The user sees the purpose.
The architecture does the work that compliance auditing previously did after the fact.
From relying-party trust by reputation to relying-party trust by accreditation
In the federated era, the identity provider implicitly extended trust to whichever relying parties it chose to serve. The relying party's reputation, contractual position, or sector regulation did the work of justifying that trust.
In era three, accreditation under a trust framework is the formal instrument. For credentials carrying high-assurance attributes (nationality, citizenship, regulated qualifications), consumption can be restricted to accredited services. Lower-assurance attributes can be accessible to parties that have signed binding issuer terms without full accreditation.
Trust frameworks and trust registries are the enforcement mechanism. They let the ecosystem know which issuers, wallets, and verifiers meet defined obligations without putting the issuer in the transaction loop. See Verifiable credential ecosystem for more on these roles.
From data linkage as capability to data linkage as risk
Federated systems often combined data across agencies or institutions to enrich identity assertions. The capability was valued; the risk was managed contractually.
In era three, cross-organization data combination becomes the principal residual risk inside large institutional ecosystems, even as the risks outside them recede. Combining citizenship data with driver licensing data with business registration data to construct profiles no single dataset was collected to produce is the surveillance-by-linkage scenario decentralized architectures were specifically designed to prevent, and which institutions should not replicate internally.
A useful discipline is verification without retention: where an issuer needs to confirm a fact against another authoritative source, the claim should be verified at issuance time and the source data discarded. Verification happens, the credential is issued, the third-party data is not retained.
Common pitfalls when adopting a decentralized model
Practitioners new to the model often carry forward instincts that no longer serve. Among the most common:
- Logging all verification events centrally, because that is how oversight worked before. This breaks the architecture's privacy guarantees and is often prohibited by the trust framework rules that govern it.
- Requiring every credential to be checked against a live issuer endpoint at presentation time. This re-creates the federated dependency the model was designed to eliminate. Use offline-verifiable signatures and published status lists instead.
- Asking for full credentials when only a single attribute is needed. This pushes the data-minimization principle outside the architecture's enforcement zone. Use selective disclosure by default.
- Treating the wallet as a passive container. In era three, the wallet enforces issuer policy, mediates user consent, and represents the holder. It is a governance-bearing component, not just a user interface.
- Assuming the technology alone delivers privacy. It does not. The architecture removes specific risks (issuer-side surveillance, central correlation) but does not address what relying parties do with the data once they receive it. That work happens in issuance policy, accreditation, and trust framework rules.
What this means for policy makers and stakeholders
Decentralized trust does not reduce the need for governance. It changes where governance is applied and what instruments are available.
The strongest protections in a decentralized ecosystem come from designing the system so that misuse is technically constrained, not from adding compliance obligations on top of an architecture that already permits the harm. Where policy work is grounded in the architecture, the resulting safeguards are durable, technically enforceable, and proportionate. Where it is not, safeguards either become compliance overhead that the architecture has already made redundant, or they reintroduce surveillance properties the architecture was specifically designed to remove.
For policy makers, governance bodies, and ecosystem stakeholders, the recommendation is to use the architecture. Decide what claims may be issued, by whom, to whom, and under what conditions. Specify selective disclosure as the default. Treat trust frameworks and accreditation as primary instruments. Move oversight from transactional logging to aggregate metrics and incident reporting. Recognize that the harder work is not the technology. It is building the institutional capability to operate the ecosystem well: revocation operations, accreditation compliance, relying-party oversight, fraud response, and equity and access management.
The technology is ready. The standards are in place. The remaining work is governance, and it is the right hard work to do.
How would you rate this page?
Last updated on