European Commission - EBSI European Blockchain

How to onboard in a Trust Chain


Introduction

The Trusted Issuers Registry (TIR) is a decentralised registry for storing information about trusted issuers, such as public information and accreditations. The TIR stores all information within a smart contract in the form of Verifiable Accreditations, which are issued by Trust Chain participants or self-issued. Issuers can designate proxies for credential verification that can be used to assess the validity of the credential or check whether it has been revoked.

The TIR service comprises a smart contract (TIR SC) and an API (TIR API). The TIR SC is an Ethereum smart contract deployed on the EBSI ledger, and all public smart contract methods are exposed via APIs. There are two types of APIs available: JSON-RPC for write operations and REST for read operations. The JSON-RPC API contains the Ethereum transaction build methods and a signed transaction publishing method. The TIR API enables the management and verification of Trusted Issuers' information and accreditations. However, accreditation of trusted issuers is domain-specific and falls outside the scope of EBSI.

The TIR service is protected by the Authorisation Service (OID4VP), so a bearer token must be requested before any write operation can be performed. More information can be found at "Obtain an Access Token".

For more information see:

Glossary

Abbreviation | Term | Description
EBSI TO | EBSI Technical Office | Technical support by EBSI team
RTAO | Root Trusted Accreditation Organization | Can issue Verifiable Accreditations for Trusted Accreditation Organization
TAO | Trusted Accreditation Organization | Can issue Verifiable Accreditations (Accreditations, Attestations and Authorisations) of the accredited types for legal entities
TI | Trusted Issuer | Legal Entity with one or more accreditations. Accredited to accredit, attest or authorise
TSR | Trusted Schema Registry | Registry that holds schemas used to validate the Verifiable Credentials
TIR | Trusted Issuers Registry | Registry that holds Issuers belonging to some Trust Chain

Becoming Trusted Issuer in Trust Chain

To become a Trusted Issuer, the Legal Entity (LE) must have a valid entry in the DID registry, and it must be invited into a Trust Chain. An invitation allows the LE to accept the registration by writing the Verifiable Credential into the smart contract. A Trusted Issuer may participate in multiple Trust Chains with multiple roles, and each participation can be revoked separately from the smart contract.

Only RTAOs and TAOs participating in a Trust Chain can invite other LEs to join that Trust Chain as a TAO or as a TI.

Invitation happens by first building the Ethereum transaction with setAttributeMetadata and then publishing it to the validators through sendSignedTransaction.

A Verifiable Credential with type VerifiableAccreditationToAccredit (for TAO) or VerifiableAccreditationToAttest (for TI) must be issued for the Legal Entity. The VC is the proof of the accreditation, and its metadata, such as the role, the RTAO and the inviter, can be looked up in the TIR using the attached reservedAttributeId.

The invitation is designed to be built during the Verifiable Credential Issuance flow, where the subject Legal Entity requests a Verifiable Accreditation from the TAO or RTAO. The TAO or RTAO can then initiate a deferred flow for the Credential Request, build the setAttributeMetadata transaction, sign the transaction and publish it, optionally wait for the completion of the transaction, issue the Verifiable Accreditation with the reservedAttributeId, and then hand over the Credential to the subject Legal Entity.

The diagram below assumes that the TAO has negotiated a valid bearer token from EBSI Authorisation API.

Accept invitation

The invitation is accepted by registering the provided Verifiable Credential into the TIR. The Verifiable Accreditation has a reservedAttributeId, which defines the location where the accreditation MUST be registered. The same location contains the role of the Trusted Issuer and the possible revocation status (in place of the role).

Before the Legal Entity can call the TIR, it must obtain an Access Token from the EBSI Authorisation service. The required scope is tir_invite (tir_write works only if the LE is already a Trusted Issuer), which accepts the received Verifiable Accreditation as a proof of access.

Invitation acceptance happens by first building the Ethereum transaction with setAttributeData and then publishing it to the validators through sendSignedTransaction.

After the Verifiable Accreditation has been received by the Legal Entity, it may refresh the access with the EBSI Platform, build a setAttributeData transaction with attributeId from reservedAttributeId, sign the transaction and publish it, and optionally wait for the completion of the transaction. After the transaction has been completed, the Legal Entity becomes a Trusted Issuer in the defined Trust Chain and can start to use the tir_write scope if needed.
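
The acceptance steps above can be guarded by a few checks before anything is signed. The following is an added example, not EBSI's own code: it confirms the accreditation type, that the credential was issued to the caller's DID, and that attributeId is taken only from reservedAttributeId, then picks the scope and builds the setAttributeData request body. Assumptions: the JWT payload layout (vc.type, vc.credentialSubject.id, vc.credentialSubject.reservedAttributeId), the params field names (from, did, attributeId, attributeData), the hex encoding of the credential, and all function names are hypothetical; the DID, address and attribute id are constructed sample values.

```python
import base64
import json

# Accreditation credential type -> role it grants, as stated on this page.
ROLE_BY_TYPE = {
    "VerifiableAccreditationToAccredit": "TAO",
    "VerifiableAccreditationToAttest": "TI",
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_vc_jwt(subject_did: str, vc_type: str, reserved_id: str) -> str:
    """Constructed sample only: unsigned placeholder JWT, assumed payload layout."""
    payload = {"vc": {"type": ["VerifiableCredential", vc_type],
                      "credentialSubject": {"id": subject_did,
                                            "reservedAttributeId": reserved_id}}}
    header = b64url(json.dumps({"alg": "ES256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(payload).encode())}.{b64url(b'placeholder')}"

def decode_payload(jwt: str) -> dict:
    """Decode the payload segment. This does NOT verify the issuer's signature."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(seg))

def plan_acceptance(vc_jwt: str, my_did: str, my_address: str,
                    is_trusted_issuer: bool = False) -> dict:
    """Check the accreditation, then build the setAttributeData request for it."""
    vc = decode_payload(vc_jwt)["vc"]
    roles = [ROLE_BY_TYPE[t] for t in vc["type"] if t in ROLE_BY_TYPE]
    if len(roles) != 1:
        raise ValueError("expected exactly one accreditation type")
    subject = vc["credentialSubject"]
    if subject["id"] != my_did:
        raise ValueError("accreditation was issued to a different DID")
    attribute_id = subject.get("reservedAttributeId")
    if not attribute_id:
        raise ValueError("no reservedAttributeId: nothing was reserved in the TIR")
    params = {"from": my_address, "did": my_did,
              "attributeId": attribute_id,  # MUST be the reserved location
              "attributeData": "0x" + vc_jwt.encode().hex()}  # assumed encoding
    return {"role": roles[0],
            # tir_write only works once the LE is already a Trusted Issuer
            "scope": "tir_write" if is_trusted_issuer else "tir_invite",
            "request": {"jsonrpc": "2.0", "method": "setAttributeData",
                        "id": 1, "params": [params]}}
```

The issuer's signature on the accreditation still has to be verified separately before the returned request is signed and published through sendSignedTransaction.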