Glossary
This glossary is a collection of terms and definitions related to digital credentials, decentralized identity, and the technologies and standards that support them. It is intended to help you understand the concepts and terminology used in the MATTR ecosystem and the broader field of digital credentials.
A
Assurance Level: A measure of confidence in the authenticity of an identity or credential (often called Level of Assurance, or LoA). Higher assurance levels indicate stricter verification and greater trust in a credential’s validity, suitable for sensitive uses (e.g. a digital passport), while lower assurance levels are acceptable for less sensitive uses (e.g. a loyalty card).
B
Bearer Credential: A type of credential that grants access or rights to whoever possesses it, without requiring proof of the holder’s identity. Similar to how cash works — anyone who has it can spend it. In the digital world, bearer credentials are often easier to use but come with higher risks if lost or stolen. MATTR’s CWT (CBOR Web Token) credentials are an example of bearer credentials; they can be presented and verified without requiring the verifier to confirm the presenter’s identity, which is useful for certain offline or privacy-focused use cases.
C
Claim: A piece of data or attribute about a subject (such as a name, age, or qualification) that is asserted by the issuer in a credential. Multiple claims make up the content of a digital credential, and each claim is attested to (signed) by the issuer. For example, a university degree credential might contain claims about a person’s name, the degree earned, and the graduation date.
Certificate Authority (CA): A trusted entity responsible for issuing, signing, and managing digital certificates that bind cryptographic keys to identities (such as individuals, organizations, or services). In the context of digital identity ecosystems (such as verifiable credentials), a Root CA is the top-level authority in a certificate hierarchy. It signs the certificates of subordinate CAs and acts as the ultimate trust anchor. All certificates and digital signatures validated in the system must ultimately trace their trust back to the Root CA, which must be highly secure and carefully governed to maintain ecosystem-wide integrity.
Credential Issuance: The process of creating a digital credential and delivering it to a holder. During issuance, an issuer gathers the relevant information (claims) about the subject, formats it into a credential, and cryptographically signs it. This digital signature ensures the credential’s authenticity and integrity, allowing verifiers to confirm the credential without needing to contact the issuer again; the one exception is a revocation or status check, which may require fetching status information the issuer publishes.
Credential Lifecycle: The sequence of stages that a digital credential goes through from creation to retirement. This typically includes issuance (credential creation and signing by an issuer), storage and management of the credential by the holder, presentation of the credential to verifiers, verification of its validity, and eventual expiration or revocation if the credential becomes invalid. Understanding the lifecycle in terms of these roles and steps is key to implementing secure credential solutions.
Credential Offer: An invitation from an issuer to a holder to receive a credential, typically used in an interactive issuance flow. In this approach (for example, see MATTR’s implementation of the OpenID4VCI workflow), the issuer provides an offer URL or token describing the credential. The holder reviews the offer and, if they accept it, the credential is then issued to their wallet.
Credential Template (Schema): A defined structure or blueprint for a credential that an issuer sets up in advance. The template specifies what data fields (claims) the credential will include, the format or schema for those fields, any rules such as validity period, and the cryptographic details (e.g. which keys or signature algorithm to use). By using a template, issuers ensure that all credentials of a certain type follow a consistent structure and meet the required standards. MATTR VII implements credential templates using the Credential configuration functionality.
D
Decentralized Identifier (DID): A globally unique, persistent digital identifier that is not tied to any central authority. A DID is a URI string of the form did:<method>:<method-specific-id> (for example, did:example:123456...) and can refer to a person, organization, or thing. The main difference from traditional identifiers (such as usernames or email addresses) is that DIDs are controlled by their owner through cryptographic keys and are not issued or owned by any single provider, making them portable across systems and preventing vendor lock-in. Each DID resolves to a DID document that contains the public keys (verification methods) and other metadata needed to use the DID, together with the purposes each key is authorised for (for example authentication or signing credentials). DIDs are used in MATTR products as part of the CWT and JSON credential formats.
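The following block, added here and not code from MATTR or its documentation, shows what a verifier does with a DID in practice: it parses a DID URL according to the W3C DID Core syntax and then looks the referenced key up in a DID document, accepting it only if the document lists that key under the verification relationship needed for the job (assertionMethod for credential signatures, authentication for login). The DID document is constructed for illustration and its key values are placeholders, not real keys; the function names are my own.

```python
"""DID URL parsing and verification-method lookup against a DID document.
Added example, not MATTR code.  The DID document is constructed for illustration
and its key material is a placeholder, not a real key."""
import re

# Syntax from the W3C DID Core ABNF: did = "did:" method-name ":" method-specific-id,
# where the id may contain ':' separators and percent-encoded bytes.
_IDCHAR = r"(?:[A-Za-z0-9._-]|%[0-9A-Fa-f]{2})"
_DID_URL = re.compile(
    r"^(?P<did>did:(?P<method>[a-z0-9]+):(?P<id>(?:" + _IDCHAR + r"*:)*" + _IDCHAR + r"+))"
    r"(?P<path>/[^?#]*)?(?:\?(?P<query>[^#]*))?(?:#(?P<fragment>.*))?$"
)


def parse_did_url(did_url):
    """Split a DID URL into its DID, method, method-specific id, path, query and fragment."""
    match = _DID_URL.match(did_url)
    if match is None:
        raise ValueError(f"not a valid DID URL: {did_url!r}")
    return match.groupdict()


DID = "did:example:123456789abcdefghi"
DID_DOCUMENT = {
    "id": DID,
    "verificationMethod": [
        {"id": "#key-1", "type": "Ed25519VerificationKey2020", "controller": DID,
         "publicKeyMultibase": "zPlaceholderKeyNotReal1"},   # placeholder, not a real key
        {"id": DID + "#key-2", "type": "Ed25519VerificationKey2020", "controller": DID,
         "publicKeyMultibase": "zPlaceholderKeyNotReal2"},   # placeholder, not a real key
    ],
    # Verification relationships state what each key may be used for.  Entries are
    # either references to verificationMethod entries or embedded method objects.
    "authentication": ["#key-1"],
    "assertionMethod": [DID + "#key-2"],
}


def resolve_key(document, did_url, relationship):
    """Return the verification method named by did_url, but only if the document lists
    it under the given relationship (e.g. 'assertionMethod' for credential signatures).
    A key that is merely present in the document is not enough."""
    parts = parse_did_url(did_url)
    if parts["did"] != document["id"]:
        raise ValueError("DID URL does not belong to this document")
    if not parts["fragment"]:
        raise ValueError("DID URL does not name a key fragment")

    def absolute(ref):
        # Relative references such as "#key-1" are resolved against the document's DID.
        return ref if ref.startswith("did:") else document["id"] + ref

    methods = {absolute(m["id"]): m for m in document.get("verificationMethod", [])}
    authorised = {}
    for entry in document.get(relationship, []):
        if isinstance(entry, str):
            ref = absolute(entry)
            if ref in methods:
                authorised[ref] = methods[ref]
        else:
            authorised[absolute(entry["id"])] = entry

    wanted = parts["did"] + "#" + parts["fragment"]
    if wanted not in authorised:
        raise PermissionError(f"{wanted} is not authorised for {relationship}")
    return authorised[wanted]


if __name__ == "__main__":
    print(parse_did_url("did:web:example.com:user:alice"))
    print(resolve_key(DID_DOCUMENT, DID + "#key-2", "assertionMethod")["id"])
```

The lookup by relationship is the check that matters for a verifier: a credential signature must be verified with a key the DID document authorises for assertionMethod, not with any key that happens to appear in the document.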
Decentralized Identity: A paradigm for identity management in which individuals and organizations can interact and share credentials without relying on a single centralized authority. In a decentralized identity model, people have control over their own data and digital credentials, typically stored in personal digital wallets, and they decide what information to share and with whom. This approach enhances privacy for users (they only share necessary information) and can offer organizations benefits in security and compliance, since trust is established through cryptography and distributed networks rather than one central database.
Digital Credential (Verifiable Credential): A digital certificate or token that contains a set of claims about a subject, digitally signed by an issuer so that it can be independently verified. It is the electronic equivalent of a physical credential (like an ID card, license, or diploma), designed to be tamper-evident and trustable. Because of the issuer’s cryptographic signature, anyone (or any system) can cryptographically check that the credential was indeed issued by a legitimate source and that its contents haven’t been altered.
Digital Credentials API (DC API): A browser API that lets a web application request the presentation of a digital credential through the browser instead of through a custom deep link or QR code. The API was incubated in the W3C Web Incubator Community Group and is now being standardised in the W3C Federated Identity Working Group. The web application hands the browser a presentation request tagged with the protocol it uses (such as OpenID4VP), the browser mediates between the site and the user’s wallet, and the wallet’s response is returned to the application for verification. This gives developers a consistent, browser-mediated entry point for credential presentation and verification in web applications.
Digital Trust: The confidence that digital interactions and transactions are secure, authentic, and reliable. When digital trust is high, users and organizations believe that a person or credential is who/what it claims to be and that data hasn’t been tampered with. Establishing digital trust often involves technologies and frameworks (like verifiable credentials, digital signatures, and trust frameworks) that ensure data integrity, privacy, and the legitimacy of all parties involved in an online exchange.
Digital Trust Service (DTS): A service that acts as a neutral intermediary to establish trust within a digital ecosystem. Instead of every participant needing to trust each other directly, all participants trust the Digital Trust Service, which in turn vouches for the identity and integrity of participants and their credentials. This proxy trust model simplifies interactions in large networks: the network operator maintains the trust relationships, and each member just trusts the DTS to validate others. By offloading trust management to a DTS, organizations can scale up federations of issuers and verifiers more easily while maintaining a high level of assurance. MATTR solutions can include Digital Trust Service capabilities to help organizations establish and manage trust in their ecosystems.
Digital Wallet: An application (typically on a smartphone or computer) that securely stores digital credentials and the user’s cryptographic keys. A digital wallet allows a holder to organize their credentials and control their use — for example, selecting and presenting a credential to a verifier when required. It is analogous to a physical wallet but for digital identity documents: the wallet safeguards credentials, often protecting them with passwords or biometrics, and enables the user to share verified information with others in a privacy-preserving way. MATTR Pi SDKs enable organizations to build their own digital wallets, while the MATTR GO Hold white-label wallet solution enables getting up and running quickly with limited development effort.
Document Signer Certificate (DSC): A specific end-entity X.509 certificate used to digitally sign Mobile Security Objects (MSOs) within mobile documents (mDocs), as specified in the ISO/IEC 18013-5:2021 standard. Issued and signed by an Issuing Authority Certificate Authority (IACA), the DSC ensures the integrity and authenticity of the mDoc’s data. Each DSC includes a public key, validity period, and signature from the IACA. When an mDoc is presented for verification, the DSC’s public key is used to validate the MSO’s signature, confirming that the document has not been tampered with and originates from a trusted source. Refer to the chain of trust page for more information.
H
Hardware Security Module (HSM): A physical computing device that securely generates, stores, and manages cryptographic keys. It is used to perform sensitive operations such as digital signing, encryption, and key protection in a tamper-resistant environment — ensuring high levels of security for identity and credential systems.
Internal HSMs are built directly into a device, for example the secure element or secure enclave of a mobile phone. These HSMs manage keys locally and are tightly coupled with the hardware they protect: a phone using an internal HSM can store credentials and perform cryptographic operations without the keys ever leaving the device.
External HSMs, on the other hand, operate outside the main system (for example as a dedicated on-premise appliance or a cloud service) and are accessed over a secure channel. They are typically used by credential issuers, Certificate Authorities (CAs), and trust service providers to manage high-value signing keys in centralised environments.
Holder: The person or entity in possession of a digital credential. The holder typically stores credentials in their digital wallet and is responsible for deciding when and with whom to share them. This role gives the individual control over their own digital identity information - the holder can choose to present a credential (or only part of it, via selective disclosure) to prove something about themselves, while keeping the credential secure and private when not in use.
I
Identity Assurance: The level of confidence that an individual, organization, or object is who or what they claim to be. This is established through processes like identity verification (e.g., checking passports, biometrics, or trusted data sources) during credential issuance. The higher the assurance level, the more rigorous the checks to verify that the subject’s identity is accurate and trustworthy.
Information Assurance: In credential verification, information assurance means ensuring the integrity and validity of the credential’s contents. This includes verifying that the credential’s digital signature is valid (proving the data hasn’t been tampered with) and that the credential meets expected format or schema requirements. It also involves checking that the credential is currently valid - for instance, confirming it hasn’t expired and hasn’t been revoked by the issuer. Together, these checks give the verifier confidence that the information presented is trustworthy and up-to-date.
Issuer: An organization or entity that creates and vouches for a credential. The issuer gathers the relevant data about a subject, encodes it into a credential (following a template or schema), and cryptographically signs the credential with its private key to ensure authenticity. Once issued, the credential is delivered to the holder (for example, added to the holder’s wallet). Anyone who later verifies the credential can check the issuer’s digital signature to confirm the credential came from a trusted source and hasn’t been altered.
Issuing Authority Certificate Authority (IACA): A self-signed X.509 certificate that serves as the root certificate in the chain of trust for mobile documents (mDocs), such as Mobile Driver’s Licenses (mDLs), as defined by the ISO/IEC 18013-5:2021 standard. The IACA identifies the mDoc issuer and is used to sign subordinate certificates, specifically the Document Signer Certificates (DSCs). These DSCs, in turn, sign the Mobile Security Objects (MSOs) within mDocs, ensuring the integrity and authenticity of the credential’s data. The IACA’s self-signed nature means it is the trust anchor; verifiers rely on its public key to validate the entire certificate chain down to the presented mDoc. IACAs can have validity periods of up to 20 years, facilitating long-term trust in the issued credentials. Refer to the chain of trust page for more information.
M
mDL (Mobile Driver’s License): A digital version of a driver’s license, designed to be stored on a mobile device like a smartphone. An mDL contains the same personal information and driving privileges as a physical license, but can be presented electronically. Modern mDL implementations use encryption and device security (such as biometric locks and anti-cloning measures) to provide a more secure, fraud-resistant alternative to a plastic ID card. They can also support privacy features like selective disclosure (e.g. proving you are over 18 without revealing your exact date of birth). mDLs are based on the ISO/IEC 18013-5:2021 standard, which defines the technical specifications for mobile driver’s licenses and their secure storage and presentation. MATTR has implemented mDLs as part of the mDocs credential format.
Mobile Security Object (MSO): A structured, signed data object that provides cryptographic integrity for the individual data elements within a mobile document (mDoc), such as an mDL, as defined in the ISO/IEC 18013-5:2021 standard. The MSO is generated by the issuing authority and digitally signed using the private key associated with a Document Signer Certificate (DSC). It contains a salted cryptographic hash of each data element included in the mDoc (e.g., name, date of birth, photo); the salt travels with the element, so a verifier can recompute the hash of every disclosed element and detect tampering, while elements that are not disclosed cannot be recovered from their hashes alone. The MSO also includes metadata such as the document type, version, and validity period, together with the public key of the holder’s device (used for device binding, so the verifier can check that a presentation comes from the device the mDoc was issued to), and is a critical component in establishing trust in mDocs without requiring online connectivity. Refer to the chain of trust page for more information.
mDocs (Mobile Documents): A class of digital identity documents that generalise the mDL data model and security mechanisms of ISO/IEC 18013-5:2021 to other document types. mDocs are designed to be stored in a digital wallet on a mobile device and can be verified either in person or remotely. Their key strength is strong authentication and high security, which makes them well suited to high-assurance identity credentials such as driver’s licenses, passports, or national ID cards. mDocs use a chain of trust (digital certificates) and mechanisms such as device binding to protect against forgery, cloning, and impersonation, making them very robust for digital trust use cases. MATTR has implemented a corresponding mDocs credential format.
O
OpenID for Verifiable Credential Issuance (OID4VCI): An open standard protocol that adapts OAuth 2.0/OpenID Connect for issuing verifiable credentials. In an OID4VCI flow, an issuer first provides a credential offer to the holder (often as a URL or QR code). The holder’s wallet or app then uses an OAuth-like sequence to authenticate (if needed) and retrieve the credential from the issuer’s server. This standard enables interoperability, allowing any compliant wallet to obtain credentials from any compliant issuer in a secure and standardized manner. MATTR has implemented OID4VCI as part of MATTR VII’s issuance capabilities.
OpenID for Verifiable Presentations (OID4VP): An open standard protocol that enables the presentation of verifiable credentials using OpenID Connect-based flows. It allows a holder to share credentials with a verifier in a privacy-preserving, secure, and standardized way — often initiated by scanning a QR code or clicking a link. OID4VP helps enable interoperability between different wallets, verifiers, and credential formats, and supports advanced features like selective disclosure and subject binding. MATTR has implemented OID4VP as part of its mDocs online verification capabilities.
Original Equipment Manufacturer (OEM): In this context, refers to a company that integrates MATTR’s solutions into their own hardware or software products. For example, a point of sale device might integrate MATTR’s credential verification capabilities to accept digital IDs or credentials from customers. The OEM uses MATTR’s technology to enhance their product offerings, providing their customers with advanced features like secure credential storage, verification, and presentation without needing to develop these capabilities from scratch. This allows OEMs to leverage MATTR’s expertise in digital identity while focusing on their core business.
R
Relying Party: A term for an entity that depends on an outside credential or identity proof to make decisions - essentially the same as a verifier in the context of digital credentials. The relying party “relies” on the credential’s authenticity and integrity. For example, a bank’s website acting as a relying party might accept a digital ID credential to onboard a new customer, trusting that the credential is valid (It relies on the issuer and the credential’s verification checks rather than collecting the data directly).
Revocation: The process of marking a previously issued credential as no longer valid or trustworthy. An issuer may revoke a credential if, for instance, the credential’s subject no longer meets certain conditions (imagine a professional license that gets revoked) or if the credential was compromised. Revocation is typically implemented by adding the credential’s identifier or status to a revocation list or status registry. When a verifier checks a credential, it retrieves the published list and looks up the credential’s entry locally; because the whole list is fetched rather than a single entry being queried, the issuer does not learn which specific credential is being checked, which preserves the holder’s privacy. MATTR solutions support revocation for CWT, JSON and mDocs credential formats.
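The block below, added here and not MATTR’s code, works through the verifier-side checks described under Information Assurance and Revocation: it builds a bit-string status list the way the W3C Bitstring Status List specification encodes one (a gzip-compressed bitstring, base64url-encoded with a multibase “u” prefix), then checks a constructed credential’s validity window and its revocation bit. The credential, its status index and the status URL are constructed for the example, and the function names are my own; the signature check over the credential is a separate step not shown here.

```python
"""Verifier-side validity checks: the validity window and a bit-string status list.
Added example following the W3C Bitstring Status List encoding; not MATTR's own
implementation.  The credential below is constructed."""
import base64
import gzip
from datetime import datetime

# The W3C specification requires at least 131,072 entries per list, so one list
# covers many credentials and an index on its own says little about its holder.
MIN_LIST_SIZE = 131_072


def build_status_list(revoked_indices, size=MIN_LIST_SIZE):
    """Issuer side: set the bit of every revoked credential and encode the list."""
    if size < MIN_LIST_SIZE or size % 8:
        raise ValueError("size must be a multiple of 8 and at least MIN_LIST_SIZE")
    bits = bytearray(size // 8)
    for index in revoked_indices:
        if not 0 <= index < size:
            raise ValueError(f"index {index} is outside the list")
        bits[index // 8] |= 0x80 >> (index % 8)  # bit 0 is the most significant bit of byte 0
    encoded = base64.urlsafe_b64encode(gzip.compress(bytes(bits))).decode().rstrip("=")
    return "u" + encoded


def decode_status_list(encoded):
    """Undo the multibase prefix, base64url and gzip layers."""
    if not encoded.startswith("u"):
        raise ValueError("expected multibase base64url ('u') encoding")
    body = encoded[1:]
    body += "=" * (-len(body) % 4)  # restore the padding stripped on encode
    return gzip.decompress(base64.urlsafe_b64decode(body))


def is_revoked(encoded, index):
    """Verifier side: fetch the whole list once and test the bit locally, so the
    issuer never learns which credential is being checked."""
    bits = decode_status_list(encoded)
    if index < 0 or index >= len(bits) * 8:
        raise ValueError("status index is outside the published list")
    return bool(bits[index // 8] & (0x80 >> (index % 8)))


def check_credential(credential, encoded_list, now_iso):
    """Return every reason to reject the credential at time now_iso; an empty list
    means the validity-window and revocation checks passed.  Verifying the issuer's
    signature over the credential is a separate step outside this example."""
    now = datetime.fromisoformat(now_iso)
    problems = []
    if now < datetime.fromisoformat(credential["validFrom"]):
        problems.append("not yet valid")
    if now > datetime.fromisoformat(credential["validUntil"]):
        problems.append("expired")
    status = credential["credentialStatus"]
    if status.get("statusPurpose") != "revocation":
        problems.append("status entry is not a revocation entry")
    elif is_revoked(encoded_list, int(status["statusListIndex"])):
        problems.append("revoked")
    return problems


# Constructed sample credential whose status lives at index 4321 of the issuer's list.
SAMPLE_CREDENTIAL = {
    "issuer": "did:example:university",
    "validFrom": "2024-01-01T00:00:00+00:00",
    "validUntil": "2026-01-01T00:00:00+00:00",
    "credentialSubject": {"degree": "BSc Computer Science"},
    "credentialStatus": {
        "type": "BitstringStatusListEntry",
        "statusPurpose": "revocation",
        "statusListIndex": "4321",
        "statusListCredential": "https://issuer.example/status/3",  # constructed URL
    },
}

if __name__ == "__main__":
    active = build_status_list({7, 99_999})
    revoked = build_status_list({7, 4321})
    print(check_credential(SAMPLE_CREDENTIAL, active, "2025-06-01T00:00:00+00:00"))   # []
    print(check_credential(SAMPLE_CREDENTIAL, revoked, "2025-06-01T00:00:00+00:00"))  # ['revoked']
```

A verifier should cache the decoded list for its validity period and refuse to accept a credential whose status index lies beyond the list it actually fetched; silently treating an out-of-range index as “not revoked” would let an attacker choose an index the issuer never covers.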
S
Selective Disclosure: A privacy-enhancing feature that allows a credential holder to reveal only the specific pieces of information required by a verifier, rather than sharing the entire credential. For example, with selective disclosure, you could prove you are over 18 by sharing a verified “over-18” attribute from your credential, without disclosing your full name or exact birthdate. This is usually achieved with advanced cryptography so that the verifier can be sure the undisclosed parts of the credential remain hidden and the revealed data is authentic. MATTR solutions support selective disclosure for the JSON and mDocs credential formats.
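To make the Mobile Security Object and Selective Disclosure entries concrete, the block below, added here and not code from MATTR, implements the salted-digest scheme ISO/IEC 18013-5 uses: the issuer puts a fresh random salt next to each data element and signs only the digests, the holder hands over just the elements the verifier asked for, and the verifier recomputes each disclosed element’s digest against the MSO. JSON stands in for the CBOR encoding the standard uses, the claims are constructed, and the COSE signature over the MSO by the document signer is outside the example; the function names are my own.

```python
"""Salted-digest selective disclosure as used by an MSO: the issuer signs digests of
the data elements rather than the elements themselves, so the holder can reveal any
subset and the verifier can still check every revealed value.  Added example, not
MATTR code; JSON stands in for CBOR and the signature over the MSO is not shown."""
import hashlib
import json
import os

NAMESPACE = "org.iso.18013.5.1"  # the mDL namespace; the only namespace used here


def _digest(item):
    # Canonical serialisation so issuer and verifier hash exactly the same bytes.
    encoded = json.dumps(item, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def issue(claims):
    """Issuer: wrap each claim with a random salt and list the digests in the MSO.
    Returns (mso, issuer_signed_items); the items travel to the holder, the MSO is
    what the document signer certificate's key would sign."""
    items = []
    for digest_id, (name, value) in enumerate(claims.items()):
        items.append({
            "digestID": digest_id,
            "random": os.urandom(16).hex(),  # the standard requires at least 16 random bytes
            "elementIdentifier": name,
            "elementValue": value,
        })
    mso = {
        "digestAlgorithm": "SHA-256",
        "valueDigests": {NAMESPACE: {it["digestID"]: _digest(it) for it in items}},
    }
    return mso, items


def disclose(items, requested):
    """Holder: hand over only the requested items; the others never leave the wallet."""
    return [it for it in items if it["elementIdentifier"] in requested]


def verify_disclosed(mso, disclosed):
    """Verifier: recompute every disclosed item's digest and match it against the
    (signed) MSO.  Raises on any mismatch, so a single altered value rejects the
    whole presentation.  Returns the verified element values."""
    expected = mso["valueDigests"][NAMESPACE]
    seen = set()
    values = {}
    for it in disclosed:
        digest_id = it["digestID"]
        if digest_id in seen:
            raise ValueError(f"digestID {digest_id} presented twice")
        seen.add(digest_id)
        if expected.get(digest_id) != _digest(it):
            raise ValueError(f"digest mismatch for {it['elementIdentifier']!r}")
        values[it["elementIdentifier"]] = it["elementValue"]
    return values


if __name__ == "__main__":
    mso, items = issue({"family_name": "Doe", "birth_date": "1990-01-01", "age_over_18": True})
    shown = disclose(items, {"age_over_18"})
    print(verify_disclosed(mso, shown))  # {'age_over_18': True}
```

The salt is what keeps the undisclosed elements private: the verifier holds the signed digest of birth_date but, without the 16 random bytes that stayed in the wallet, cannot test guesses against it. In a real mDoc the digestID keys and all values are CBOR-encoded, and the device key recorded in the MSO signs the presentation so the verifier knows the items came from the holder’s device.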
Self-Sovereign Identity (SSI): An approach to digital identity in which individuals fully own and control their personal identity information and credentials. In an SSI system, users (as holders) receive verifiable credentials from various issuers (e.g. a government ID, a college degree, a workplace ID) and store them in their personal wallet. The user decides which credentials or claims to share with a verifier, without needing any central intermediary in the transaction. No single authority “owns” the identity - it’s decentralized across many issuers and controlled by the individual. This model often leverages DIDs and blockchain or other distributed ledgers to anchor trust, enabling a decentralized yet trustworthy ecosystem for identity.
T
Trust Framework: The set of governance rules, policies, and technical standards that define how participants in a trust network operate and trust each other. A trust framework lays out, for example, which issuers are recognized as authoritative, what credentials formats are acceptable, what security and privacy standards must be met, and how disputes or failures are handled. It provides the legal and procedural foundation for the network, ensuring that all members (issuers, holders, verifiers) have a common understanding of the “rules of trust” they abide by. By adhering to a shared trust framework, different organizations can accept each other’s credentials with confidence.
Trust Network: A group or ecosystem of organizations and individuals that agree to mutually recognize and accept digital credentials under a common trust framework. Within a trust network, there may be many issuers, holders, and verifiers interacting across various use cases (e.g. a network could include government agencies, banks, universities, and individuals all using the same credential system). Because all participants follow the agreed rules and standards, a credential issued by one entity (say, a government ID) can be trusted and verified by another entity (say, a bank) without custom integration. In essence, the trust network ensures interoperability and trust across organizational boundaries by establishing shared expectations and infrastructure for digital trust.
U
Un-managed IACA: A deployment pattern in which the Issuing Authority Certificate Authority (IACA) operates independently, without centralized oversight or coordination (such as from a Digital Trust Service). Organizations may choose this model when they want to control their own credential issuance trust anchors, particularly in closed or private ecosystems. While this offers flexibility and autonomy, it requires careful governance to ensure interoperability and trust, since each verifier must obtain and trust the IACA certificate directly rather than through a published list.
V
Verifiable Presentation: A package of information prepared by a holder that contains one or more credentials (or selected parts of credentials), along with cryptographic proof that the holder possesses those credentials. A verifiable presentation is typically created when a holder needs to prove something to a verifier: the holder’s wallet collects the necessary data from their credentials and signs the presentation, usually over a nonce and audience supplied by the verifier so that a captured presentation cannot be replayed to another verifier or in another session. The verifier can then check the signature and the included credential proofs to ensure everything is valid and was issued to that holder. Verifiable presentations allow a holder to consolidate claims from different credentials and present them in one go, with assurance that the data is authentic and belongs to the holder.
Verifier: The entity that requests and validates a credential presented by a holder. A verifier checks that the credential was issued by a trusted issuer and that it hasn’t been tampered with or revoked. This is done by cryptographically validating the issuer’s signature on the credential and consulting any relevant status information (like an expiration date or revocation registry). If the credential passes these checks, the verifier can trust the claims contained in it. In some contexts, a verifier is also known as a relying party (because it relies on the credential’s authenticity and the issuer’s trustworthiness).
VICAL (Verified Issuer Certificate Authority List): A consolidated list of trusted issuer certificate authorities, used to simplify trust in ecosystems with many issuers. A VICAL is defined in the ISO/IEC 18013-5 standard as a mechanism where a central authority (often a national Digital Trust Service) collects and cryptographically signs a list of issuer CAs that are considered trustworthy. By publishing this single, signed list, the VICAL makes it easy for verifiers to trust credentials from any issuer on the list without needing separate agreements with each issuer. In practice, if a verifier trusts the VICAL, they will trust any credential whose issuer’s root certificate appears in the VICAL, greatly streamlining verification of credentials from multiple jurisdictions or organizations. MATTR offers VICAL solutions as part of its Digital Trust Service capabilities.
Z
Zero-Knowledge Proof (ZKP): A cryptographic protocol that allows one party (the prover) to prove to another party (the verifier) that a certain statement is true, without revealing any additional information beyond the truth of the statement itself. In the context of digital credentials, ZKPs enable a holder to convince a verifier of something about their data without exposing the data. For example, a ZKP can allow you to prove “I am over 18 years old” by using your credential, without ever showing your actual birth date. The verifier ends up convinced of the fact (over-18) but learns nothing else. This technology is key to advanced privacy-preserving interactions in decentralized identity systems.
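As a worked illustration of the definition above, the block below, added here and not code from MATTR, implements the simplest textbook zero-knowledge proof: a Schnorr proof that the prover knows the private value x behind a public value y = g^x, made non-interactive with the Fiat-Shamir transform and bound to a verifier-chosen statement such as a session nonce. It is not a range proof like the over-18 example; range and predicate proofs build on the same commit, challenge, response structure. The group is generated at run time from a random safe prime purely as a convenience for the demo (deployments use standardised groups or elliptic curves), and the function names and bit sizes are my own choices.

```python
"""A Schnorr proof of knowledge of a discrete logarithm, made non-interactive with
the Fiat-Shamir transform.  Added example, not MATTR code: it shows the simplest
zero-knowledge proof (I know the x behind y = g^x) rather than a range proof.
The group is generated at run time from a random safe prime for the demo."""
import hashlib
import secrets


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test (probabilistic; sufficient for a demo group)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits=160):
    """Return (p, q, g): p = 2q + 1 is a safe prime and g generates the order-q subgroup."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            # 4 = 2^2 is a quadratic residue mod p, so it lies in the subgroup of order q.
            return 2 * q + 1, q, 4


def _challenge(p, g, y, t, statement, q):
    """Fiat-Shamir: the challenge is a hash of everything the verifier will see."""
    h = hashlib.sha256()
    for value in (p, g, y, t):
        h.update(value.to_bytes((value.bit_length() + 7) // 8, "big") + b"|")
    h.update(statement)
    return int.from_bytes(h.digest(), "big") % q


def prove(p, q, g, x, statement):
    """Prover: commit to a random r, derive the challenge, answer with s = r + c*x mod q.
    The random r masks x, so (y, t, s) reveals nothing about x beyond the fact that
    the verification equation holds."""
    y = pow(g, x, p)
    r = secrets.randbelow(q - 1) + 1
    t = pow(g, r, p)
    c = _challenge(p, g, y, t, statement, q)
    return {"y": y, "t": t, "s": (r + c * x) % q}


def verify(p, q, g, proof, statement):
    """Verifier: accept iff g^s == t * y^c, after checking y is in the subgroup."""
    y, t, s = proof["y"], proof["t"], proof["s"]
    if not (1 < y < p and 1 < t < p and 0 <= s < q):
        return False
    if pow(y, q, p) != 1:
        return False
    c = _challenge(p, g, y, t, statement, q)
    return pow(g, s, p) == (t * pow(y, c, p)) % p


if __name__ == "__main__":
    P, Q, G = make_group()
    secret_x = secrets.randbelow(Q - 1) + 1
    proof = prove(P, Q, G, secret_x, b"verifier nonce 42")
    print(verify(P, Q, G, proof, b"verifier nonce 42"))  # True
```

Binding the challenge to the verifier’s statement is what stops a proof from being replayed: the same (y, t, s) checked against a different nonce fails, so a verifier should always supply a fresh nonce and include it in the challenge exactly as the prover did.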