Digital trust service
Overview
Trust networks are created to enable participants (governments, organizations, businesses, end users, etc.) to exchange data and value in different digital interactions. They can be very large or very small, ranging from countries and government agencies to enterprises and small companies.
Challenge
These trust networks can include numerous issuers, holders and verifiers interacting in multiple ways and exchanging various verifiable credentials. Verifiable credentials offer privacy-preserving and tamper-evident properties: a verifier can check that a credential has not been altered and that it was signed by a particular key. The signature alone does not tell the verifier whether that signer is an issuer the network recognizes for that type of credential, so all network participants benefit from additional trust layers that make it easier to understand which participants and which interactions can be trusted.
Furthermore, as the number of participants increases, it becomes increasingly difficult to establish and maintain direct trust relationships with each one individually. This complexity can lead to security vulnerabilities, poor user experiences and a breakdown in trust.
Digital Trust Service (DTS)
The purpose of a Digital Trust Service (DTS) is to address this growing challenge by enabling participants to rely on a single trusted framework. This simplifies interactions, as participants need to establish trust only with the DTS itself rather than with each individual entity. It is the network operator’s responsibility to establish and maintain trust in different digital entities, and then use a DTS to reflect that trust to all other participants.
This approach fosters a more scalable and cohesive network, where participants can confidently engage in digital interactions, knowing that the DTS safeguards their interests. This enables participants to enhance their operations, contributes to economic growth, and improves the user experience, all while fostering a more secure and trusted digital environment.
The following image depicts the two types of trust in a DTS:
- Direct trust: Participants establish trust relationships directly with one another, as each party verifies and trusts the identity and security of the other participant independently. Direct trust requires strong, direct relationships between each pair of entities interacting in the network and can become cumbersome and complex as the number of participants increases.
- Proxy trust: Participants rely on a third-party intermediary (such as a DTS) to establish trust on their behalf. Instead of directly verifying each participant, entities trust the DTS to manage and validate trust relationships. The DTS operator takes responsibility for maintaining the integrity of the network, ensuring that participants meet established standards for security, compliance, and reliability.
Trust framework
Trust networks are built on a legal foundation that establishes the rules and regulations governing the network. These laws ensure compliance with data protection, security, and privacy requirements, providing a trust framework for network participants to rely upon:
- Policies: Define how participants can operate and interact. Policies can include:
  - Trusted issuers list: Defines which issuers are authorized to issue specific types of verifiable credentials.
  - Trusted verifiers list: Defines which verifiers are allowed to request specific types of credentials for verification purposes.
  - Trusted technologies: Certified applications and solutions, which may include digital wallets, identity agents, registers, and verifiable credentials that meet established criteria for secure and reliable operation.
- Recognized standards: A defined and enforced set of recognized standards that ensures uniformity and interoperability. These may include local standards such as the Trusted Digital Identity Framework (TDIF) in Australia or the Digital Identity Services Trust Framework in New Zealand, as well as global standards like ISO/IEC 18013-5 for mobile driver's licenses (mDLs).
- Schemes and vocabularies: Defined schemes and vocabularies for the content and structure of supported verifiable credentials. These may include custom credential profiles created for the trust network, as well as subsets of global or industry-specific standards.
Operation
The trust network operator acts as an accreditation body, responsible for overseeing the accreditation process, assessing compliance, and granting certifications to qualifying participants. This is based on an accreditation framework: a structured evaluation ensuring that all participants meet predefined standards. Onboarding and offboarding mechanisms facilitate the entry and exit of participants within the trust network, ensuring continuous adherence to standards and policies.
Continuous monitoring and auditing processes should be in place to ensure that participants adhere to the established policies and standards. This oversight helps maintain trust by detecting and addressing potential issues or breaches, up to and including offboarding a participant so that it no longer appears in the trust information the DTS publishes to other participants.
Consuming
There are different models for DTSs to make the trust framework available for consumption:
- Public APIs: Download trust information from publicly available websites, public APIs, or authenticated APIs (which may require onboarding and potentially involve commercial terms). For example, MATTR Ecosystem capabilities enable retrieving policies which include information on trusted issuers, verifiers, and credential types, through publicly available APIs.
- VICAL: A VICAL (Verified Issuer Certificate Authority List) is a mechanism defined in ISO/IEC 18013-5 to support establishing trust in networks where relying parties need to verify mobile credentials (such as mDLs) issued by many different issuers. The VICAL operator collects and validates the IACA (Issuing Authority Certificate Authority) certificates of the different issuing authorities and cryptographically signs them into a single list. A relying party verifies that one signature against the VICAL operator's key, which it obtains and trusts directly, and can then accept a presented credential only if its signer certificate chains to an IACA on the list.
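The VICAL model described above, as an added example that is not MATTR's code and does not use the ISO/IEC 18013-5 encoding (a real VICAL is CBOR/COSE encoded): the operator signs a list of IACA root certificates, the relying party verifies that single signature against the operator's public key it obtained out of band, and then checks that a credential's document signer certificate chains to a listed IACA. The JSON layout, the P-256/SHA-256 choice, and all names and keys are assumptions; every certificate is generated locally as constructed data. The example also exercises the two cases a verifier must reject: an issuer that is not on the list, and a list altered after it was signed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// TrustList stands in for a VICAL: the DER-encoded IACA root certificates the operator has validated.
// A real ISO/IEC 18013-5 VICAL is CBOR/COSE encoded; this JSON layout is an assumption made for illustration.
type TrustList struct {
	IACAs [][]byte `json:"iacas"`
}

// SignedTrustList is what relying parties download: the payload and the operator's ECDSA P-256 signature over SHA-256(payload).
type SignedTrustList struct{ Payload, Signature []byte }

// must panics on error; a setup shortcut for this demo only.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueCert generates a P-256 key and a certificate for it: a self-signed IACA root when parent is nil,
// otherwise a document-signer certificate issued under parent.
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, IsCA: isCA, BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// SignTrustList is the operator side: serialise the validated IACA set and sign it.
func SignTrustList(list TrustList, opKey *ecdsa.PrivateKey) SignedTrustList {
	payload := must(json.Marshal(list))
	digest := sha256.Sum256(payload)
	return SignedTrustList{Payload: payload, Signature: must(ecdsa.SignASN1(rand.Reader, opKey, digest[:]))}
}

// VerifyTrustList is the relying-party side: check the operator signature against the pinned operator key,
// then load the listed IACAs as trust anchors. The operator key is the only one trusted directly (proxy trust).
func VerifyTrustList(s SignedTrustList, opPub *ecdsa.PublicKey) (*x509.CertPool, error) {
	digest := sha256.Sum256(s.Payload)
	if !ecdsa.VerifyASN1(opPub, digest[:], s.Signature) {
		return nil, fmt.Errorf("trust list signature invalid; list rejected")
	}
	var list TrustList
	if err := json.Unmarshal(s.Payload, &list); err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	for _, der := range list.IACAs {
		c, err := x509.ParseCertificate(der)
		if err != nil || !c.IsCA {
			return nil, fmt.Errorf("trust list entry is malformed or not a CA certificate")
		}
		pool.AddCert(c)
	}
	return pool, nil
}

// VerifyDocumentSigner accepts a credential's signer certificate only if it chains to a listed IACA.
func VerifyDocumentSigner(signer *x509.Certificate, roots *x509.CertPool) error {
	_, err := signer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// Demo runs on locally generated keys and certificates (constructed data) and reports whether a listed
// issuer is accepted, an unlisted issuer is rejected, and a list altered after signing is rejected.
func Demo() (listedOK, unlistedRejected, tamperRejected bool) {
	opKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	iaca, iacaKey := issueCert("Example IACA", true, nil, nil)
	rogue, rogueKey := issueCert("Unlisted CA", true, nil, nil)
	ds, _ := issueCert("Example Document Signer", false, iaca, iacaKey)
	rogueDS, _ := issueCert("Rogue Document Signer", false, rogue, rogueKey)
	signed := SignTrustList(TrustList{IACAs: [][]byte{iaca.Raw}}, opKey)
	roots := must(VerifyTrustList(signed, &opKey.PublicKey))
	listedOK = VerifyDocumentSigner(ds, roots) == nil
	unlistedRejected = VerifyDocumentSigner(rogueDS, roots) != nil
	// An attacker inserts the rogue CA into a downloaded list but cannot re-sign it with the operator key.
	forged := must(json.Marshal(TrustList{IACAs: [][]byte{iaca.Raw, rogue.Raw}}))
	_, err := VerifyTrustList(SignedTrustList{Payload: forged, Signature: signed.Signature}, &opKey.PublicKey)
	tamperRejected = err != nil
	return
}

func main() { fmt.Println(Demo()) }
```

Running it with go run prints the three results of Demo(), which should all be true. The operator's public key is the one direct-trust relationship the relying party keeps, and everything else is delegated to the list; a production list also needs a version and validity period and a refresh schedule, which this simplified model leaves out.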
Trust marks
Retrieved information can be displayed to participants using trust marks: digital indicators that signal the security, authenticity and trustworthiness of an online interaction, service or entity.
Trust marks can take the form of digital badges, seals or certificates displayed prominently on websites, in applications or alongside digital credentials. They assure users that the entity displaying the trust mark has been verified and complies with the trust framework's security standards and practices.
When users recognize a trust mark, they gain confidence that their interaction is secure and that their data is being handled responsibly. Because a trust mark is only as reliable as the check behind it, a wallet or verifier application should render it from trust information it has itself retrieved and verified from the DTS, rather than from a badge supplied by the counterparty, which could simply be copied. In essence, trust marks act as visual endorsements of trustworthiness, making it easier for users to recognize and choose secure and reputable services.
MATTR capabilities
MATTR platforms enable customers to effectively operate trust networks by offering the following key features:
- Network operation: MATTR VII ecosystem capabilities allow network operators to:
  - Onboard entities as participants, and associate each participant with a unique IACA or DID to identify them.
  - Configure valid credential types, and associate each credential type with a unique combination of format and docType.
  - Create a policy that defines which credential types (identified by their format and type/docType) can be issued and/or verified by which participants (identified by their IACA/DID).
  - Make this information available for issuers, holders and verifiers to consume and integrate into their solutions using either:
    - MATTR VII APIs.
    - MATTR Pi Holder and/or Verifier SDKs.
    - MATTR GO Hold and/or Verify.
    - A VICAL.
- Credential issuance: MATTR VII tenants can be used to issue and manage verifiable credentials. When a MATTR VII tenant is onboarded into a network, holders and verifiers that trust the trust network can also trust credentials issued by this tenant without establishing a direct trust relationship with it.
- Credential holding: MATTR Pi and GO platforms enable creating digital applications that allow users to claim, store, and present credentials. These platforms can consume and display information from DTSs to help holders easily establish trust with the issuers and verifiers they interact with.
- Credential verification: All MATTR platforms offer credential verification capabilities. Once a verification application consumes trust information from a DTS, verification processes are greatly simplified, as establishing trust with every single issuer is delegated to the DTS operator.