Trusted Issuer Validation Policy Reference

This reference documents the trusted issuer validation policy for the validator service. The trusted issuer policy validates that credentials are issued by trusted entities through certificate chain validation against configured root certificates.

Policy Overview

The trusted issuer validation policy ensures that the issuers of verifiable credentials are trusted by verifying their certificate chains against a set of configured root certificates. This validation is crucial for establishing trust in the credential issuance process and preventing acceptance of credentials from untrusted sources.

Supported Standards

The trusted issuer validation policy supports issuer validation across multiple credential standards:

Standard	Organization	Specification	Certificate Source	Validation Method
mDL (mso_mdoc)	ISO	ISO 18013-5	mDL Document	Certificate chain validation using Auth0 mDL verifier
IETF Digital Credentials	IETF	SD-JWT Draft	JWT x5c Header	X.509 certificate chain validation using Node Forge
VICAL (Verifiable Issuer CA List)	AAMVA	VICAL Specification	COSE-signed Certificate List	COSE signature verification and certificate extraction

Supported Credential Types

The trusted issuer policy validates the following credential types:

Credential Type	Description	Certificate Location	Validation Library
mDL (mso_mdoc)	Mobile driving license credentials	Embedded in mDL document	Auth0 mDL verifier
IETF Digital Credential	IETF SD-JWT-based digital credentials	JWT header x5c parameter	Node Forge X.509 library

Certificate Source Configuration

The policy supports multiple methods for configuring trusted root certificates:

PEM Certificate

Direct PEM-encoded certificate specification:

{
    "type": "pem",
    "pem": "-----BEGIN CERTIFICATE-----\nMIIBijCCAS+gAwIBAgIUQ..."
}

VICAL (Verifiable Issuer CA List)

CBOR-encoded VICAL with trusted certificates for validation:

{
    "type": "vical",
    "cbor": "base64-encoded-vical-data",
    "vicalTrustedCertificates": ["-----BEGIN CERTIFICATE-----\n..."]
}

VICAL URL

URL-based VICAL resolution with caching:

{
    "type": "vical-url",
    "url": "https://example.com/vical",
    "vicalTrustedCertificates": ["-----BEGIN CERTIFICATE-----\n..."]
}

Predefined Tags

Predefined certificate sets for common trust anchors:

{
    "type": "predefined",
    "tag": "vidos"
}

Available predefined tags:

• vidos - Vidos platform root certificates
• aamva - AAMVA (American Association of Motor Vehicle Administrators) root certificates

Trusted Issuer Validation Process

flowchart TD
    subgraph "Trusted Issuer Validation"
        Input[Credential] --> DetectType[Detect Credential Type]
        DetectType --> ResolveCerts[Resolve Root Certificates]
        ResolveCerts --> mDL{mDL?}
        ResolveCerts --> IETF{IETF DC?}

        mDL -->|Yes| mDLVerifier[Auth0 mDL Verifier]
        mDLVerifier --> mDLChainValidation[Certificate Chain Validation]
        mDLChainValidation --> mDLResult[mDL Result]

        IETF -->|Yes| ExtractX5C[Extract x5c from JWT Header]
        ExtractX5C --> CreateCAStore[Create CA Store]
        CreateCAStore --> ValidateChain[Validate Certificate Chain]
        ValidateChain --> IETFResult[IETF DC Result]

        mDL -->|No| NextMiddleware[Next Middleware]
        IETF -->|No| NextMiddleware
        NextMiddleware --> UnsupportedType[Unsupported Type Error]

        mDLResult --> Decision{Valid?}
        IETFResult --> Decision
        UnsupportedType --> Decision

        Decision -->|Yes| TrustedIssuer[Trusted Issuer]
        Decision -->|No| UntrustedIssuer[Untrusted Issuer]
    end

    subgraph "Certificate Resolution"
        PEM[PEM Certificate]
        VICAL[VICAL CBOR]
        VICALUrl[VICAL URL]
        Predefined[Predefined Tags]

        PEM --> ResolveCerts
        VICAL --> ResolveCerts
        VICALUrl --> ResolveCerts
        Predefined --> ResolveCerts
    end

    style Input fill:#f9f9f9,stroke:#333,stroke-width:1px
    style DetectType fill:#e1f5fe,stroke:#333,stroke-width:1px
    style ResolveCerts fill:#e1f5fe,stroke:#333,stroke-width:1px
    style mDL fill:#e1f5fe,stroke:#333,stroke-width:1px
    style IETF fill:#e1f5fe,stroke:#333,stroke-width:1px
    style mDLVerifier fill:#e8f5e8,stroke:#333,stroke-width:1px
    style mDLChainValidation fill:#e8f5e8,stroke:#333,stroke-width:1px
    style ExtractX5C fill:#fff3e0,stroke:#333,stroke-width:1px
    style CreateCAStore fill:#fff3e0,stroke:#333,stroke-width:1px
    style ValidateChain fill:#fff3e0,stroke:#333,stroke-width:1px
    style TrustedIssuer fill:#dcedc8,stroke:#333,stroke-width:1px
    style UntrustedIssuer fill:#ffcdd2,stroke:#333,stroke-width:1px
    style PEM fill:#f3e5f5,stroke:#333,stroke-width:1px
    style VICAL fill:#f3e5f5,stroke:#333,stroke-width:1px
    style VICALUrl fill:#f3e5f5,stroke:#333,stroke-width:1px
    style Predefined fill:#f3e5f5,stroke:#333,stroke-width:1px

When validating trusted issuers, the policy follows these steps:

1. Certificate resolution - Resolves trusted root certificates from configured sources
2. Credential type detection - Identifies the credential type for appropriate validation
3. Certificate extraction - Extracts issuer certificates from the credential
4. Chain validation - Validates the certificate chain against trusted roots
5. Result determination - Returns validation results with detailed error information

mDL Trusted Issuer Validation

For mDL credentials, the policy:

1. Uses Auth0 mDL verifier - Leverages the Auth0 mDL verification library
2. Validates certificate chain - Checks the issuer authentication certificate chain
3. Focuses on issuer validation - Specifically validates ISSUER_AUTH.IssuerCertificateValidity
4. Handles verification errors - Converts verification failures to appropriate error types

mDL Validation Process

The mDL validation process checks:

• Certificate chain integrity
• Root certificate trust
• Certificate validity periods
• Issuer certificate compliance

IETF Digital Credential Validation

For IETF Digital Credentials, the policy:

1. Extracts x5c header - Retrieves the certificate chain from the JWT header
2. Creates CA store - Builds a certificate authority store from trusted roots
3. Validates leaf certificate - Verifies the leaf certificate against trusted roots
4. Optimizes performance - Pre-computes CA store and validates only necessary certificates

IETF DC Validation Process

The IETF DC validation process:

• Extracts certificates from the JWT x5c header parameter
• Converts certificates to Node Forge format
• Validates the certificate chain using Node Forge’s verification
• Ensures the leaf certificate is trusted by the root certificates

VICAL Integration

VICAL (Verifiable Issuer CA List) support includes:

VICAL Features

• COSE signature verification - Validates VICAL integrity using COSE signatures
• Certificate extraction - Extracts certificates from VICAL payload
• Trusted certificate validation - Validates VICAL against configured trusted certificates
• Caching support - Caches VICAL data for performance optimization

VICAL URL Caching

• Automatic caching - Caches VICAL data based on nextUpdate field
• Expiration handling - Removes expired cache entries automatically
• Fallback caching - Uses 24-hour default cache if nextUpdate is not provided
• Performance optimization - Reduces network requests for frequently accessed VICALs

Error Handling

The trusted issuer policy returns specific errors for various validation failures:

Error Type	Description	Typical Cause
Invalid Credential Issuer Certificate Chain Error	Certificate chain validation failed	Malformed certificates, broken chain, invalid signatures
Untrusted Credential Issuer Certificate Error	Certificate not trusted by root certificates	Certificate not issued by trusted CA, expired root certificate
Trusted Issuer Type Unsupported Error	Credential type not supported for trusted issuer validation	Unsupported credential format, missing certificate information

Configuration

The trusted issuer validation policy offers comprehensive configuration options:

Basic Configuration

{
    "skip": false,
    "trustedIssuerRootCertificates": [
        {
            "type": "predefined",
            "tag": "vidos"
        }
    ]
}

Advanced Configuration

{
    "skip": false,
    "trustedIssuerRootCertificates": [
        {
            "type": "pem",
            "pem": "-----BEGIN CERTIFICATE-----\n..."
        },
        {
            "type": "vical-url",
            "url": "https://example.com/vical",
            "vicalTrustedCertificates": ["-----BEGIN CERTIFICATE-----\n..."]
        },
        {
            "type": "predefined",
            "tag": "aamva"
        }
    ]
}

For detailed configuration options, parameters, and default values, see the Validator Configuration Reference.

Credential Type Support Matrix

Credential Format	Supported	Certificate Source	Validation Method	Notes
mDL (mso_mdoc)	✅	mDL Document	Auth0 mDL Verifier	Full certificate chain validation
IETF SD-JWT DC	✅	JWT x5c Header	Node Forge	X.509 certificate chain validation
W3C VC (JSON-LD)	❌	N/A	N/A	Certificate-based validation not supported
JWT VC	❌	N/A	N/A	Certificate-based validation not supported

Tip

The trusted issuer policy is essential for establishing trust in credential issuance. Use it in combination with other validation policies to ensure comprehensive credential verification, especially in high-security environments where issuer trust is critical.

Troubleshooting

Common Issues

1. Certificate chain validation failures

   • Check certificate validity periods
   • Verify certificate chain completeness
   • Ensure trusted root certificates are current

2. VICAL resolution errors

   • Verify VICAL URL accessibility
   • Check VICAL trusted certificate configuration
   • Validate VICAL signature integrity

3. Unsupported credential types

   • Ensure credential format is supported
   • Check certificate information availability
   • Verify credential parsing success