Establish trust with issuers

For mDoc verification to work, your application must trust the issuer's signing certificates. This page explains how trust is established, how MATTR's managed trust lists reduce your operational burden, and how to configure trusted issuers.

For the broader picture of how trust lists work across a network (trusted issuers, trusted readers, and trusted wallets), see Trusted Lists in the Digital Trust Service section.

The underlying chain of trust model is the same across mDoc credential types, though the terminology differs by credential family.

How trust works

  1. Each issuer publishes root certificates. For mDLs, these are Issuing Authority Certificate Authority (IACA) roots, published at the state, territory, or national level depending on the jurisdiction. Other mDoc credential types follow the same chain-of-trust model with their own issuer certificate authorities.
  2. Your verifier is configured with a list of trusted root certificates.
  3. During verification, the SDK validates that the credential's signature chains back to a trusted root.
  4. If the chain is valid, the credential is trusted. If not, verification fails.
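
The four steps above, reproduced with the openssl command line as an added example (not MATTR SDK code and not part of the original page): two constructed roots stand in for issuer roots, only one is placed in the trust list, and a signer certificate issued under each is checked against that list. All names (root_a, signer_b, trust_list.pem, pki.cnf) are assumptions made for the demo.

```shell
#!/bin/sh
# Added example. Constructed demo PKI: none of these are real IACA or MATTR
# certificates, and no MATTR SDK or API is called.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config so each root is marked as a CA certificate.
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# make_root <name>: self-signed root standing in for an issuer's root (step 1).
make_root() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"
  openssl req -x509 -new -key "$WORK/$1.key" -config "$WORK/pki.cnf" \
    -subj "/CN=$1 (constructed root)" -days 30 -out "$WORK/$1.pem"
}

# issue <root> <signer>: signer certificate issued under <root>.
issue() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$2.key"
  openssl req -new -key "$WORK/$2.key" -config "$WORK/pki.cnf" \
    -subj "/CN=$2 (constructed signer)" -out "$WORK/$2.csr"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 30 \
    -out "$WORK/$2.pem" 2>/dev/null
}

# chain_trusted <trust-list.pem> <cert.pem>: succeeds only if the certificate
# chains back to a root in the trust list (steps 3 and 4).
chain_trusted() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

make_root root_a; make_root root_b
issue root_a signer_a; issue root_b signer_b
cp "$WORK/root_a.pem" "$WORK/trust_list.pem"   # step 2: only root_a is trusted

for s in signer_a signer_b; do
  if chain_trusted "$WORK/trust_list.pem" "$WORK/$s.pem"; then
    echo "$s: chain valid, trusted"
  else
    echo "$s: no path to a trusted root, verification fails"
  fi
done
```

The signer_b certificate is cryptographically well formed; it fails only because its root is absent from the trust list, which is why a stale list rejects credentials from newly onboarded issuers.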

Managed trust lists from MATTR

Maintaining an up-to-date list of issuer certificates across multiple jurisdictions and credential types is operationally complex. Certificates rotate, new issuers come online, and different authorities may publish certificates independently.

MATTR provides managed trust lists that include verified IACA certificates for mDL issuers:

  • Australia: all state and territory issuers.
  • United States: state-level issuers participating in mDL programs.
  • Additional jurisdictions as they come online.

These managed lists are kept current by MATTR, reducing your operational burden and ensuring your application stays compatible as new issuers join the ecosystem. For non-mDL mDoc credentials, you configure the issuer's certificates directly through the same trust APIs.

For in-person verification, trusted issuer certificates are configured locally in the SDK. For remote verification, they are managed through the MATTR VII Trusted Issuers API.

Configuring trusted issuers

  • In-person (SDK): Load trusted root certificates into the SDK's local trust store.
  • Remote (MATTR VII): Use the MATTR Portal or the Create a Trusted Issuer API to register issuer certificates on your tenant.

For deeper guidance on certificates and the chain of trust used in verification, see the certificates pages under Establishing trust.

Next steps

Once trust is established, learn about handling verification results.
