RE: Authorized Issuer Lists

+1 to Steve and Kyano.

The paper "Decentralized SSI Governance<>" may be relevant for this discussion. It not only discusses some non-technical matters, but also proposes Accreditation Credentials<> (to be issued to trusted issuers), are accompanied with “Trustworthy Credentials<>”, that can be proven to be issued by an accredited (trusted) issuer (without a requirement that the identity of trusted issuer must be revealed).

While I can see the use of trust lists, I also think they are an artifact of “centralized  authority<>” thinking: they do not recognize that verifiers (relying parties) are the ones that get to decide whom (not) to trust. We really should to start thinking about “trust<>” as something that is very subjective. We need “Self-Sovereign Trust”, i.e. every party (individuals as well as organizations) controls its own trust (trust decisions), which is very much related to the RWOT advance-readings paper on validation<>.


-----Original Message-----
From: Steve Capell <>
Sent: zondag 14 augustus 2022 23:38
To: Manu Sporny <>
Cc: Mike Prorock <>; Tomislav Markovski <>; Dmitri Zagidulin <>; Daniel Buchner <>; W3C Credentials CG <>
Subject: Re: Authorized Issuer Lists

Completely agree about the problem - just not the solution

The question of whether a VC issuer is authorised to make the claim is a concern for every VC that Is not issued by a trusted authority

- is the issuer of that iso-9000 certificate really  accredited to do so?

- is the issuer of that animal health certificate really a registered vet?

- is the issuer of that invoice really who they say they are?

One solution is to ask the authority of a list of who is authorised - but

- for large groups it can be a fast changing list

- for large groups the list would be huge

- half of the uses cases would essentially be revealing private information like customer lists

- the verifier may have no relationship with the authority and no way to ask for the list

Isn’t a better solution to the same problem to use linked credentials ?

- the certificate VC includes a hash link to the accreditation VC (and the certificate issued DID is the same as the accreditation subject DID.

- the animal health vc contains a hash link to the vetinarian’s current qualification / professional body registration vc

- the invoice contains a hash link to the business registration vc

- and so on

Verifiers must not only verify the presented vc but must also follow linked vcs until they find a trust anchor vc

There are tricky semantics around this - for example it’s not enough just to verify that the subject DID of the accreditation vc is the same as the issuer did of the certificate vc - because the accreditation could be about something entirely different.  One solution might be that any trust anchor VC must enumerate the vc types thst the subject is authorised to issue.

Despite the challenges, I think that finding a standard solution to the issuing of linked credentials and the verification of trust chains is a better approach (although not mutually exclusive) than asking trust anchors to issue lists.  In the invoice linked to Australian business registration example, that list would contain around 10 million entries and would change roughly every 2 minutes

Kind regards

Steven Capell

Mob: 0410 437854

> On 15 Aug 2022, at 5:34 am, Manu Sporny <<>> wrote:


> On Sun, Aug 14, 2022 at 3:12 PM Mike Prorock <<>> wrote:

>> Want us to write up some of the Food Safety and Agriculture use cases we have?  If so is that a good doc to PR against?


> Yes please, and yes.


> The Authorized Issuers List was meant to be a sharply focused VC (not

> attempting to tackle the breadth of what "trust registries" are trying

> to do. Though, at this point, we should be concerned about significant

> work happening in multiple places -- ToIP, RWoT, VCWG, DIF, and ESSIF.

> As we've all experienced over the last several years, this seems

> almost unavoidable, so perhaps we can optimize for something each of

> those venues needs?


> Perhaps what we should do is turn the RWoT exercise into a use cases

> and requirements gathering/refinement exercise, perhaps with some

> exploration wrt. what technologies/approaches already exist. Perhaps

> the discussion of what is out of scope is almost as important as what

> is in scope... and then we can feed that work back into at least the

> five venues above and go from there?


> Does anyone know if ToIP, DIF, or ESSIF have a use cases and

> requirements document for authorized issuer lists / trust registries

> (in general)?


> -- manu


> --

> Manu Sporny -

> Founder/CEO - Digital Bazaar, Inc.

> News: Digital Bazaar Announces New Case Studies (2021)



This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. TNO accepts no liability for the content of this e-mail, for the manner in which you use it and for damage of any kind resulting from the risks inherent to the electronic transmission of messages.

Received on Monday, 15 August 2022 06:54:57 UTC