Digital Trust Service

Learn how to create a Digital Trust Service (DTS) using the Portal

Introduction

The purpose of a Digital Trust Service (DTS) is to enable different participants in a digital ecosystem to rely on a single trusted framework.

This tutorial will guide you through using the Portal to set up a DTS and publish a policy that defines trusted participants and credential types.

Tutorial overview

Setting up a DTS comprises the following steps:

  1. Create an Ecosystem: This is the container for all the participants and policies that define the trust framework.
  2. Create a participant: These are the entities that will be part of the trust framework, such as issuers and verifiers.
  3. Configure valid Credential types: These are the types of credentials that will be issued and verified within the trust framework.
  4. Configure roles and permissions: This step involves defining what each participant can do, such as issuing or verifying credentials, and whether they are constrained to specific credential types.
  5. Publish a policy: This is the final step where you publish the policy that defines the trust framework and its participants.

Prerequisites

  • Make sure you understand the concepts of a DTS and how it relates to Ecosystem operations.
  • You need access to an existing MATTR VII tenant with either the DTS Provider or Admin role. Refer to the Getting started with the Portal tutorial to learn how to create a tenant and assign roles.

Create an Ecosystem

The Ecosystem acts as the overarching entity that holds all the other components together. Each Ecosystem defines its own:

  • Participants: Issuers and/or verifiers that are valid in the ecosystem.
  • Credential Types: Credential types that are valid in the ecosystem.
  • Policies: Define what participants are allowed to issue and/or verify different types of credentials within the ecosystem.

Perform the following steps to create an Ecosystem:

  1. Log in to the Portal.
  2. Navigate to the Ecosystem page under the Digital Trust Service section.
  3. Enter a name for your Ecosystem, such as “My Digital Trust Service”.
  4. Select the Create button.

Create a participant

Participants are entities within an ecosystem that can be issuers and/or verifiers. When issuers/verifiers are onboarded as valid participants in the ecosystem, they are assigned unique identifiers that identify them when they issue and/or verify credentials. For example, each issuer can be associated with an IACA certificate that it uses to sign and issue credentials.

Perform the following steps to create a participant:

  1. Select the Participants tab.
  2. Select the Create new button.
    The Create new participant form appears, starting from Step 1 (Details).
  3. Insert a meaningful Name for the participant.
  4. Use the Country dropdown list to select the Participant’s country (optional). Note that when selected, this value must match the Country value in the IACA certificate associated with this participant.
  5. If you select a country, a State or Province dropdown list is displayed. You can use it to select the Participant’s state or province (optional). Note that when selected, this value must match the StateOrProvinceName value in the IACA certificate associated with this participant.
  6. Insert the participant’s Address (optional).
  7. Insert the participant’s Phone number (optional).
  8. Use the Status radio button to select whether the participant will be created as active.
  9. Click the Next button.
    You are directed to Step 2 (Identifiers & Certificates).
  10. Select the Add new button.
  11. Use the Credential profile dropdown list and select Mobile.
  12. Drag and drop the PEM file you want to use as this participant’s identifier (this must be a valid IACA certificate and match any values set for Country and State or Province above).
    You should now see the certificate summary and details.
  13. Scroll down and use the Certificate status dropdown list to choose Active.
  14. Click the Add button.
  15. Click Next.
    You are redirected to Step 3 (Roles), but you must first create the new participant and configure credential types before you can add any roles to it.
  16. Select Create.

The new participant is now created.
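The Country and State or Province consistency rule from steps 4, 5 and 12 can be checked before a PEM file is uploaded. The following Go program is an added example, not part of the Portal or of MATTR's tooling: it builds a constructed self-signed CA certificate in place of a real IACA (omitting the ISO 18013-5 profile extensions) and compares its subject with the values a participant would be configured with.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckIACASubject parses a PEM certificate and checks that its subject C and ST attributes agree with the
// Country and State or Province entered for the participant, the consistency rule the Portal applies to an
// uploaded IACA. An empty country or state means the optional field was left blank and is not checked.
func CheckIACASubject(pemData []byte, country, state string) error {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("not a PEM-encoded certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	if !cert.IsCA { // an IACA is a CA certificate; a leaf certificate must not be onboarded as one
		return fmt.Errorf("certificate is not a CA certificate")
	}
	if country != "" && (len(cert.Subject.Country) == 0 || cert.Subject.Country[0] != country) {
		return fmt.Errorf("country mismatch: portal %q, certificate %v", country, cert.Subject.Country)
	}
	if state != "" && (len(cert.Subject.Province) == 0 || cert.Subject.Province[0] != state) {
		return fmt.Errorf("state mismatch: portal %q, certificate %v", state, cert.Subject.Province)
	}
	return nil
}

// NewTestCA builds a constructed self-signed CA certificate standing in for an IACA (it omits the ISO 18013-5
// profile extensions) so the check can run offline, and returns it PEM-encoded.
func NewTestCA(country, state string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // test fixture: fails only if the system RNG is broken
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		Subject:  pkix.Name{CommonName: "Test IACA", Country: []string{country}, Province: []string{state}}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Running the check against the real IACA PEM before step 12 surfaces a mismatch before the form does, with the offending attribute named.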

Configure valid credential types

Credential types define what credentials are valid in the ecosystem. They can be combined with participants to constrain an issuer/verifier to only issue/verify specific types of credentials.

This does not mean that other credentials cannot be issued or verified in the ecosystem, but these will not carry with them the same level of trust as credential types that were configured as valid.

Perform the following steps to configure valid credential types:

  1. Return to the Ecosystem page.
  2. Select the Credential types tab.
  3. Select the Add new button.
  4. Use the Credential profile dropdown list to select Mobile.
  5. Insert a meaningful Name for this credential type.
  6. Insert the Credential type. Note that credential types must be unique within each credential profile (e.g. you cannot create two different credential types with Mobile as the profile and org.iso.18013.5.1.mDL as the credential type).
  7. Select the Create button.

The new credential type is now created and can be referenced by roles in the ecosystem.

Configure roles and permissions

Now that you have a participant and a credential type, you can combine them to define what participants can do in the ecosystem. This is done by configuring roles and permissions for each participant:

  1. Return to the Ecosystem page.
  2. Select the Participants tab.
  3. Select the participant you created earlier in this tutorial.
  4. Select the Roles tab.
    The Roles panel is displayed, showing the participant’s current roles and permissions.
  5. Check the Can issue credentials checkbox to enable this participant to issue credentials.
    The Constraints panel is displayed.
  6. Use the Constraints radio button to select Constrained, so that the participant can only issue specific credential types.
  7. Select the Select button.
  8. Select the checkbox next to the credential type you created earlier.
  9. Select the Apply button.
  10. Select the Update button to save your changes.

The participant is now configured so that they are only allowed to issue credentials of the type you created earlier. You can repeat this process to add more roles and permissions for the participant, such as allowing them to verify credentials or issue other types of credentials.

Publish a policy

Ecosystem policies combine participants and credential types to determine permissions within the ecosystem. For example, participant A can act as an issuer and issue valid credentials of types X, Y and Z.

  • Issued credentials are only considered valid when they reference a unique identifier of an issuer that is a participant in the ecosystem and is allowed to issue that credential type.
  • Verification requests are only considered valid when they reference a unique identifier of a verifier that is a participant in the ecosystem and is allowed to verify that credential type.

These roles are then bundled together into a policy and published for relying parties to consume.

The last step in this tutorial is to publish a policy that includes the participant and credential type you created earlier, as well as the constraints you applied to the participant’s role.

Currently the Portal only enables publishing a policy as a Verified Issuer Certificate Authority List (VICAL).

Perform the following steps to publish your DTS policy as a VICAL:

  1. Return to the Ecosystem page.
  2. Select the Publish tab.
  3. Enter a meaningful Provider name to identify the provider of the policy.
  4. Use the Certificate country dropdown list to select the country of the certificate that will be used to sign the policy. This cannot be changed once a policy is published.
  5. Enter a meaningful Certificate organisation name to identify the organization that will be signing the policy. This cannot be changed once a policy is published.
  6. Select the Generate button.
  7. You can now either:
    • Use the Download button to download the VICAL policy file.
    • Copy the link to the public endpoint where relying parties can access the policy.