#Trusted Issuer Validation Policy Reference

This reference documents the trusted issuer validation policy for the validator service. The trusted issuer policy validates that credentials are issued by trusted entities through certificate chain validation against configured root certificates.

#Policy Overview

The trusted issuer validation policy ensures that the issuers of verifiable credentials are trusted by verifying their certificate chains against a set of configured root certificates. This validation is crucial for establishing trust in the credential issuance process and preventing acceptance of credentials from untrusted sources.

#Supported Standards

The trusted issuer validation policy supports issuer validation across multiple credential standards:

#Supported Credential Types

The trusted issuer policy validates the following credential types:

#Certificate Source Configuration

The policy supports multiple methods for configuring trusted root certificates:

#PEM Certificate

Direct PEM-encoded certificate specification:

{
    "type": "pem",
    "pem": "-----BEGIN CERTIFICATE-----\nMIIBijCCAS+gAwIBAgIUQ..."
}

#VICAL (Verifiable Issuer CA List)

CBOR-encoded VICAL with trusted certificates for validation:

{
    "type": "vical",
    "cbor": "base64-encoded-vical-data",
    "vicalTrustedCertificates": ["-----BEGIN CERTIFICATE-----\n..."]
}

#VICAL URL

URL-based VICAL resolution with caching:

{
    "type": "vical-url",
    "url": "https://example.com/vical",
    "vicalTrustedCertificates": ["-----BEGIN CERTIFICATE-----\n..."]
}

#Predefined Tags

Predefined certificate sets for common trust anchors:

{
    "type": "predefined",
    "tag": "vidos"
}

Available predefined tags:

• vidos - Vidos platform root certificates
• aamva - AAMVA (American Association of Motor Vehicle Administrators) root certificates

#Trusted Issuer Validation Process

When validating trusted issuers, the policy follows these steps:

1. Certificate resolution - Resolves trusted root certificates from configured sources
2. Credential type detection - Identifies the credential type for appropriate validation
3. Certificate extraction - Extracts issuer certificates from the credential
4. Chain validation - Validates the certificate chain against trusted roots
5. Result determination - Returns validation results with detailed error information

#mDL Trusted Issuer Validation

For mDL credentials, the policy:

1. Uses Auth0 mDL verifier - Leverages the Auth0 mDL verification library
2. Validates certificate chain - Checks the issuer authentication certificate chain
3. Focuses on issuer validation - Specifically validates ISSUER_AUTH.IssuerCertificateValidity
4. Handles verification errors - Converts verification failures to appropriate error types

#mDL Validation Process

The mDL validation process checks:

• Certificate chain integrity
• Root certificate trust
• Certificate validity periods
• Issuer certificate compliance

#IETF Digital Credential Validation

For IETF Digital Credentials, the policy:

1. Extracts x5c header - Retrieves the certificate chain from the JWT header
2. Creates CA store - Builds a certificate authority store from trusted roots
3. Validates leaf certificate - Verifies the leaf certificate against trusted roots
4. Optimizes performance - Pre-computes CA store and validates only necessary certificates

#IETF DC Validation Process

The IETF DC validation process:

• Extracts certificates from the JWT x5c header parameter
• Converts certificates to Node Forge format
• Validates the certificate chain using Node Forge's verification
• Ensures the leaf certificate is trusted by the root certificates

#VICAL Integration

VICAL (Verifiable Issuer CA List) support includes:

#VICAL Features

• COSE signature verification - Validates VICAL integrity using COSE signatures
• Certificate extraction - Extracts certificates from VICAL payload
• Trusted certificate validation - Validates VICAL against configured trusted certificates
• Caching support - Caches VICAL data for performance optimization

#VICAL URL Caching

• Automatic caching - Caches VICAL data based on nextUpdate field
• Expiration handling - Removes expired cache entries automatically
• Fallback caching - Uses 24-hour default cache if nextUpdate is not provided
• Performance optimization - Reduces network requests for frequently accessed VICALs

#Error Handling

The trusted issuer policy returns specific errors for various validation failures:

#Configuration

The trusted issuer validation policy offers comprehensive configuration options:

#Basic Configuration

{
    "skip": false,
    "trustedIssuerRootCertificates": [
        {
            "type": "predefined",
            "tag": "vidos"
        }
    ]
}

#Advanced Configuration

{
    "skip": false,
    "trustedIssuerRootCertificates": [
        {
            "type": "pem",
            "pem": "-----BEGIN CERTIFICATE-----\n..."
        },
        {
            "type": "vical-url",
            "url": "https://example.com/vical",
            "vicalTrustedCertificates": ["-----BEGIN CERTIFICATE-----\n..."]
        },
        {
            "type": "predefined",
            "tag": "aamva"
        }
    ]
}

For detailed configuration options, parameters, and default values, see the Validator Configuration Reference.

#Credential Type Support Matrix

#Troubleshooting

#Common Issues

1. Certificate chain validation failures

   • Check certificate validity periods
   • Verify certificate chain completeness
   • Ensure trusted root certificates are current

2. VICAL resolution errors

   • Verify VICAL URL accessibility
   • Check VICAL trusted certificate configuration
   • Validate VICAL signature integrity

3. Unsupported credential types

   • Ensure credential format is supported
   • Check certificate information availability
   • Verify credential parsing success