This reference documents the trusted issuer validation policy for the validator service. The policy checks that a verifiable credential was issued by a trusted entity by validating the issuer's certificate chain against a set of configured root certificates. Without this check the validator would accept any well-formed credential regardless of who issued it, so the policy is the anchor for trust in the credential issuance process and the barrier against credentials from untrusted sources.
The trusted issuer validation policy supports issuer validation across multiple credential standards:
Standard | Organization | Specification | Certificate Source | Validation Method |
---|---|---|---|---|
mDL (mso_mdoc) | ISO | ISO 18013-5 | mDL Document | Certificate chain validation using Auth0 mDL verifier |
IETF Digital Credentials | IETF | SD-JWT Draft | JWT x5c Header | X.509 certificate chain validation using Node Forge |
VICAL (Verifiable Issuer CA List) | AAMVA | VICAL Specification | COSE-signed Certificate List | COSE signature verification and certificate extraction |
The trusted issuer policy validates the following credential types:
Credential Type | Description | Certificate Location | Validation Library |
---|---|---|---|
mDL (mso_mdoc) | Mobile driving license credentials | Embedded in mDL document | Auth0 mDL verifier |
IETF Digital Credential | IETF SD-JWT-based digital credentials | JWT header x5c parameter | Node Forge X.509 library |
The policy supports multiple methods for configuring trusted root certificates:
- Direct PEM-encoded certificate specification
- CBOR-encoded VICAL with trusted certificates for validation
- URL-based VICAL resolution with caching
- Predefined certificate sets for common trust anchors

Available predefined tags:
- `vidos`: Vidos platform root certificates
- `aamva`: AAMVA (American Association of Motor Vehicle Administrators) root certificates

When validating trusted issuers, the policy proceeds according to the credential type:
For mDL credentials, the policy delegates to the Auth0 mDL verifier, which validates the issuer certificate chain embedded in the mDL document against the configured roots; the relevant verifier check is `ISSUER_AUTH.IssuerCertificateValidity`.

For IETF Digital Credentials, the policy reads the issuer's certificate chain from the JWT `x5c` header parameter and validates it as an X.509 chain against the configured roots using Node Forge.

VICAL (Verifiable Issuer CA List) support includes:
- COSE signature verification of the list and extraction of the issuer CA certificates it carries
- URL-based resolution with caching
- Cache lifetime derived from the list's `nextUpdate` field
- Fallback behaviour for lists in which `nextUpdate` is not provided

The trusted issuer policy returns specific errors for various validation failures:
Error Type | Description | Typical Cause |
---|---|---|
Invalid Credential Issuer Certificate Chain Error | Certificate chain validation failed | Malformed certificates, broken chain, invalid signatures |
Untrusted Credential Issuer Certificate Error | Certificate not trusted by root certificates | Certificate not issued by trusted CA, expired root certificate |
Trusted Issuer Type Unsupported Error | Credential type not supported for trusted issuer validation | Unsupported credential format, missing certificate information |
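The IETF Digital Credential check described above, written out as an added Go example (this is not the validator's code, which uses Node Forge; Go's standard `crypto/x509` stands in for it): it takes the already base64-decoded DER certificates of an `x5c` header, confirms that each entry is signed by the next, builds a path to the configured roots, and maps the outcome onto the two chain errors from the table. The trusted and rogue CAs are minted at runtime as constructed test material, and `ValidateIssuerChain`, `mint` and `RunDemo` are names chosen for this example, not identifiers from the validator.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var (
	ErrInvalidChain    = errors.New("invalid credential issuer certificate chain")
	ErrUntrustedIssuer = errors.New("untrusted credential issuer certificate")
)

// ValidateIssuerChain runs the trusted issuer check over the DER certificates of a
// JWT x5c header (leaf first, already base64-decoded) against the configured roots.
func ValidateIssuerChain(x5c [][]byte, roots *x509.CertPool, now time.Time) error {
	if len(x5c) == 0 {
		return fmt.Errorf("%w: x5c header is empty", ErrInvalidChain)
	}
	certs := make([]*x509.Certificate, len(x5c))
	for i, der := range x5c {
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return fmt.Errorf("%w: x5c[%d] does not parse: %v", ErrInvalidChain, i, err)
		}
		certs[i] = c
	}
	// Each x5c entry must be signed by the next one; checking this before the trust
	// lookup keeps a broken chain from being reported as merely untrusted.
	intermediates := x509.NewCertPool()
	for i := 1; i < len(certs); i++ {
		if err := certs[i-1].CheckSignatureFrom(certs[i]); err != nil {
			return fmt.Errorf("%w: x5c[%d] is not signed by x5c[%d]: %v", ErrInvalidChain, i-1, i, err)
		}
		intermediates.AddCert(certs[i])
	}
	_, err := certs[0].Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		CurrentTime:   now,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, // issuer certs are not TLS server certs
	})
	var unknown x509.UnknownAuthorityError
	if errors.As(err, &unknown) { // chain links, but ends at a root that is not configured
		return fmt.Errorf("%w: %v", ErrUntrustedIssuer, err)
	}
	if err != nil { // e.g. a certificate in the chain is outside its validity period
		return fmt.Errorf("%w: %v", ErrInvalidChain, err)
	}
	return nil
}

// mint issues a P-256 certificate for a throwaway PKI built at runtime (constructed
// test material, not real issuers); a nil parent makes the certificate self-signed.
func mint(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// RunDemo trusts one constructed root and returns the policy verdict for four x5c values.
func RunDemo() map[string]error {
	now := time.Now()
	root, rootKey := mint("Constructed Trusted Root", true, nil, nil, now)
	inter, interKey := mint("Constructed Trusted Intermediate", true, root, rootKey, now)
	leaf, _ := mint("Constructed Credential Issuer", false, inter, interKey, now)
	rogueRoot, rogueKey := mint("Constructed Rogue Root", true, nil, nil, now)
	rogueLeaf, _ := mint("Constructed Rogue Issuer", false, rogueRoot, rogueKey, now)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return map[string]error{
		"trusted":   ValidateIssuerChain([][]byte{leaf.Raw, inter.Raw}, roots, now),          // anchors to the configured root
		"untrusted": ValidateIssuerChain([][]byte{rogueLeaf.Raw, rogueRoot.Raw}, roots, now), // well-formed chain to an unconfigured root
		"broken":    ValidateIssuerChain([][]byte{leaf.Raw, rogueRoot.Raw}, roots, now),      // x5c[1] did not sign x5c[0]
		"malformed": ValidateIssuerChain([][]byte{[]byte("not a certificate")}, roots, now),  // does not parse
	}
}

func main() { fmt.Println(RunDemo()) }
```

Checking that each `x5c` entry is signed by the next one before the trust lookup is what lets the example tell a broken chain from an untrusted one; a path-building library on its own reports both as "no trusted issuer found". Time-validity failures land on the invalid-chain side in this example, whereas the table above files an expired root under the untrusted error, so match the mapping to your own error taxonomy.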
For configuration options, parameters and default values, see the Validator Configuration Reference.

Support by credential format:
Credential Format | Supported | Certificate Source | Validation Method | Notes |
---|---|---|---|---|
mDL (mso_mdoc) | ✅ | mDL Document | Auth0 mDL Verifier | Full certificate chain validation |
IETF SD-JWT DC | ✅ | JWT x5c Header | Node Forge | X.509 certificate chain validation |
W3C VC (JSON-LD) | ❌ | N/A | N/A | Certificate-based validation not supported |
JWT VC | ❌ | N/A | N/A | Certificate-based validation not supported |
The trusted issuer policy is essential for establishing trust in credential issuance, but it answers a single question: whether the issuer's certificate chains to a configured root. It does not establish that the credential itself is otherwise valid. Use it in combination with the other validation policies to ensure comprehensive credential verification, especially in high-security environments where issuer trust is critical.
Troubleshooting for this policy falls into three areas:
- Certificate chain validation failures
- VICAL resolution errors
- Unsupported credential types