Learn how to set up a Digital Trust Service (DTS)
Introduction
The purpose of a Digital Trust Service (DTS) is to enable different participants in a digital ecosystem to rely on a single trusted framework.
This tutorial will guide you through using the Portal to set up a DTS and publish a policy that defines trusted participants and credential types.
Prerequisites
- Make sure you understand the concepts of a DTS and how it relates to Ecosystem operations.
- You need access to an existing MATTR VII tenant with either the DTS Provider or Admin role. Refer to the Getting started with the Portal tutorial to learn how to create a tenant and assign roles.
Tutorial overview
Setting up a DTS comprises the following steps:
- Create an Ecosystem: This is the container for all the participants and policies that define the trust framework.
- Create a participant: These are the entities that will be part of the trust framework, such as issuers and verifiers. This includes uploading their identifiers (such as IACA certificates) and defining the scope of their roles.
- Publish a policy: This is the final step where you publish the policy that defines the trust framework and its participants.
Tutorial steps
Create an Ecosystem
The Ecosystem acts as the overarching entity that holds all the other components together. Each Ecosystem defines its own:
- Participants: Issuers and/or verifiers that are valid in the ecosystem.
- Credential Types: Credential types that are valid in the ecosystem.
- Policies: Define what participants are allowed to issue and/or verify different types of credentials within the ecosystem.
Perform the following steps to create an Ecosystem:
- Log in to the Portal.
- Navigate to the Ecosystem page under the Digital Trust Service section.
- Enter a name for your Ecosystem, such as "My Digital Trust Service".
- Select the Create button.
Create a participant
Participants are entities within an ecosystem that are assigned unique identifiers. Participants can also be assigned specific roles and permissions that define which credential types they are allowed to issue or verify within the ecosystem. For example, each issuer can be associated with an IACA certificate that it uses to sign and issue credentials of a specific type, and the ecosystem policy can specify that only participants with a certain IACA certificate are allowed to issue that credential type.
Perform the following steps to create a participant:
- Select the Participants tab.
- Select the Create new button.
The Create ecosystem participant form appears, starting from Step 1 (Details).
- Insert a meaningful Name for the participant (e.g. "Montcliff DMV").
- Use the Country dropdown list to select the Participant’s country (optional). Note that when selected, this value must match the Country value in the IACA certificate associated with this participant.
- If you select a country, a State or Province dropdown list is displayed. You can use it to select the Participant’s state or province (optional). Note that when selected, this value must match the StateOrProvinceName value in the IACA certificate associated with this participant.
- Insert the participant’s Address (optional).
- Insert the participant’s Phone number (optional).
- Use the Status radio button to set the participant as Active.
- Click the Next button.
You are directed to Step 2 (Certificates).
- Select the Add new button.
- Upload the PEM file you want to use as this participant’s identifier for issuing mDocs (this must be a valid IACA certificate and match any values set for Country and State or Province above).
You should now see the certificate summary and details.
- Use the Credential types valid for text box to insert the credential types that this participant will be allowed to issue.
- You can insert as many credential types as you want.
- You can use the pre-populated options (org.iso.18013.5.1.mDL and/or org.iso.23220.photoid.1) or insert custom credential types that are relevant to your ecosystem.
- The credential type is just a string value and does not need to match any values in the certificate. It is only used to link the participant to the credential types they are allowed to issue.
- Scroll down and use the Certificate status dropdown list to set the certificate as Active.
- Click the Add button.
- Click Create.
Publish a policy
Ecosystem policies combine participants and credential types to determine permissions within the ecosystem. For example, participant X can act as an issuer and issue valid credentials of type X, Y and Z.
- Issued credentials are only considered valid when they reference a unique identifier of an issuer that is a participant in the ecosystem and is allowed to issue that credential type.
- Verification requests are only considered valid when they reference a unique identifier of a verifier that is a participant in the ecosystem and is allowed to verify that credential type.
These roles are then bundled together into a policy and published for relying parties to consume.
The last step in this tutorial is to publish a policy that includes the participants you created, as well as the constraints you applied to their roles.
Currently the Portal only enables publishing a policy as a Verified Issuer Certificate Authority List (VICAL).
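To make these rules concrete, the following Python sketch (added here; it is not MATTR's code and not the VICAL wire format) models a participant with the subject of its IACA certificate, applies the Portal's rule that a participant's Country and State or Province must match the certificate, builds a simplified unsigned policy from the participants that pass, and performs the relying-party check described above. All participant names and certificate subjects are constructed.

```python
from dataclasses import dataclass


def parse_dn(dn: str) -> dict:
    """Parse a simple RFC 4514-style subject such as
    'C=NZ, ST=Wellington, O=Montcliff DMV' into a dict (no escaping support)."""
    out = {}
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        out[key.strip().upper()] = value.strip()
    return out


@dataclass
class Participant:
    name: str
    iaca_subject: str      # subject DN of the participant's IACA certificate (constructed)
    doc_types: list        # credential types this participant may issue
    country: str = None    # optional Portal fields; when set they must match the certificate
    state: str = None


def check_participant(p: Participant) -> list:
    """Return the consistency problems for a participant (empty list means valid)."""
    subject = parse_dn(p.iaca_subject)
    problems = []
    if p.country is not None and subject.get("C") != p.country:
        problems.append(f"{p.name}: Country {p.country!r} != certificate C {subject.get('C')!r}")
    if p.state is not None and subject.get("ST") != p.state:
        problems.append(f"{p.name}: State {p.state!r} != certificate ST {subject.get('ST')!r}")
    if not p.doc_types:
        problems.append(f"{p.name}: no credential types assigned")
    return problems


def build_policy(participants) -> dict:
    """Simplified policy: map each valid participant's IACA subject to its allowed
    credential types. Participants that fail check_participant() are left out."""
    return {p.iaca_subject: set(p.doc_types) for p in participants if not check_participant(p)}


def issuer_allowed(policy: dict, iaca_subject: str, doc_type: str) -> bool:
    """Relying-party check: the issuer must be in the policy AND allowed for doc_type."""
    return doc_type in policy.get(iaca_subject, set())


# Constructed sample participants; the second one has a Country that does not match its certificate.
SAMPLE_PARTICIPANTS = [
    Participant("Montcliff DMV", "C=NZ, ST=Wellington, O=Montcliff DMV",
                ["org.iso.18013.5.1.mDL"], country="NZ", state="Wellington"),
    Participant("Harbour Photo ID", "C=AU, O=Harbour Photo ID",
                ["org.iso.23220.photoid.1"], country="NZ"),
]
```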
Perform the following steps to publish your DTS policy as a VICAL:
Create a DTS root CA
Each VICAL must be linked to a trusted root CA via a chain of trust. Perform the following steps to create a DTS root CA:
- Navigate to the Certificates page under the Platform Management section.
- Select the Create new button.
The New certificate form appears.
- Use the Type dropdown list to select DTS CA.
- Use the Management method radio button to select MATTR managed.
- Enter a meaningful name in the Organisation field to identify the organization that will be signing the policy.
- Use the Country dropdown list to select the country where the organization is located.
- Select the Create button.
- Use the Status radio button to select Active.
- Select the Update button.
Your new DTS root CA is now ready and can be used to establish trust in your VICAL.
Manually Generate and Publish a VICAL
- Return to the Ecosystem page under the Digital Trust Service section.
- Select the Publish tab.
- Enter a meaningful Provider name to identify the provider of the VICAL.
- Select the Create button.
- Review the preview area where you can see all participants and credential types included in the VICAL.
- Select Generate & Publish when you are ready.
The VICAL is now generated and published, and a modal is displayed where you can:
- Use the Download button to download the VICAL policy file.
- Copy the link to the public endpoint where relying parties can access the policy.
Auto Generate and Publish a VICAL
You can set up auto-generation of your VICAL by performing the following steps:
- Return to the Ecosystem page under the Digital Trust Service section.
- Select the Publish tab.
- Expand the VICAL configuration panel.
- Use the Generation method radio button to select Auto generate.
- Use the Auto generate frequency dropdown list to select how often you want the VICAL to be automatically generated and published (daily/weekly).
- Select the Update button.
- Review the preview area where you can see all participants and credential types included in the VICAL.
Note that the VICAL is not generated and published yet. It will only be generated and published automatically based on the frequency you selected in step 5. If you want to generate and publish the VICAL immediately, you can select the Generate & Publish button.
View Previously Published VICALs
- Return to the Ecosystem page under the Digital Trust Service section.
- Select the Publish tab.
- Scroll down and select the View Previously Published button to see all previously published VICALs.
You can select any previously published VICAL to see its details, download the policy file and copy the link to the public endpoint where relying parties can access the policy.