Trusted Issuer Validation Policy Reference

This reference documents the trusted issuer validation policy for the validator service. The trusted issuer policy validates that credentials are issued by trusted entities through certificate chain validation against configured root certificates.

Policy Overview

The trusted issuer validation policy ensures that the issuers of verifiable credentials are trusted by verifying their certificate chains against a set of configured root certificates. This validation is crucial for establishing trust in the credential issuance process and preventing acceptance of credentials from untrusted sources.

Supported Standards

The trusted issuer validation policy supports issuer validation across multiple credential standards:

StandardOrganizationSpecificationCertificate SourceValidation Method
mDL (mso_mdoc)ISOISO 18013-5mDL DocumentCertificate chain validation using Auth0 mDL verifier
IETF Digital CredentialsIETFSD-JWT DraftJWT x5c HeaderX.509 certificate chain validation using Node Forge
VICAL (Verifiable Issuer CA List)AAMVAVICAL SpecificationCOSE-signed Certificate ListCOSE signature verification and certificate extraction

Supported Credential Types

The trusted issuer policy validates the following credential types:

Credential TypeDescriptionCertificate LocationValidation Library
mDL (mso_mdoc)Mobile driving license credentialsEmbedded in mDL documentAuth0 mDL verifier
IETF Digital CredentialIETF SD-JWT-based digital credentialsJWT header x5c parameterNode Forge X.509 library

Certificate Source Configuration

The policy supports multiple methods for configuring trusted root certificates:

PEM Certificate

Direct PEM-encoded certificate specification:

{
    "type": "pem",
    "pem": "-----BEGIN CERTIFICATE-----\nMIIBijCCAS+gAwIBAgIUQ..."
}

VICAL (Verifiable Issuer CA List)

CBOR-encoded VICAL with trusted certificates for validation:

{
    "type": "vical",
    "cbor": "base64-encoded-vical-data",
    "vicalTrustedCertificates": ["-----BEGIN CERTIFICATE-----\n..."]
}

VICAL URL

URL-based VICAL resolution with caching:

{
    "type": "vical-url",
    "url": "https://example.com/vical",
    "vicalTrustedCertificates": ["-----BEGIN CERTIFICATE-----\n..."]
}

Predefined Tags

Predefined certificate sets for common trust anchors:

{
    "type": "predefined",
    "tag": "vidos"
}

Available predefined tags:

  • vidos - Vidos platform root certificates
  • aamva - AAMVA (American Association of Motor Vehicle Administrators) root certificates

Trusted Issuer Validation Process

When validating trusted issuers, the policy follows these steps:

  1. Certificate resolution - Resolves trusted root certificates from configured sources
  2. Credential type detection - Identifies the credential type for appropriate validation
  3. Certificate extraction - Extracts issuer certificates from the credential
  4. Chain validation - Validates the certificate chain against trusted roots
  5. Result determination - Returns validation results with detailed error information

mDL Trusted Issuer Validation

For mDL credentials, the policy:

  1. Uses Auth0 mDL verifier - Leverages the Auth0 mDL verification library
  2. Validates certificate chain - Checks the issuer authentication certificate chain
  3. Focuses on issuer validation - Specifically validates ISSUER_AUTH.IssuerCertificateValidity
  4. Handles verification errors - Converts verification failures to appropriate error types

mDL Validation Process

The mDL validation process checks:

  • Certificate chain integrity
  • Root certificate trust
  • Certificate validity periods
  • Issuer certificate compliance

IETF Digital Credential Validation

For IETF Digital Credentials, the policy:

  1. Extracts x5c header - Retrieves the certificate chain from the JWT header
  2. Creates CA store - Builds a certificate authority store from trusted roots
  3. Validates leaf certificate - Verifies the leaf certificate against trusted roots
  4. Optimizes performance - Pre-computes CA store and validates only necessary certificates

IETF DC Validation Process

The IETF DC validation process:

  • Extracts certificates from the JWT x5c header parameter
  • Converts certificates to Node Forge format
  • Validates the certificate chain using Node Forge's verification
  • Ensures the leaf certificate is trusted by the root certificates

VICAL Integration

VICAL (Verifiable Issuer CA List) support includes:

VICAL Features

  • COSE signature verification - Validates VICAL integrity using COSE signatures
  • Certificate extraction - Extracts certificates from VICAL payload
  • Trusted certificate validation - Validates VICAL against configured trusted certificates
  • Caching support - Caches VICAL data for performance optimization

VICAL URL Caching

  • Automatic caching - Caches VICAL data based on nextUpdate field
  • Expiration handling - Removes expired cache entries automatically
  • Fallback caching - Uses 24-hour default cache if nextUpdate is not provided
  • Performance optimization - Reduces network requests for frequently accessed VICALs

Error Handling

The trusted issuer policy returns specific errors for various validation failures:

Error TypeDescriptionTypical Cause
Invalid Credential Issuer Certificate Chain ErrorCertificate chain validation failedMalformed certificates, broken chain, invalid signatures
Untrusted Credential Issuer Certificate ErrorCertificate not trusted by root certificatesCertificate not issued by trusted CA, expired root certificate
Trusted Issuer Type Unsupported ErrorCredential type not supported for trusted issuer validationUnsupported credential format, missing certificate information

Configuration

The trusted issuer validation policy offers comprehensive configuration options:

Basic Configuration

{
    "skip": false,
    "trustedIssuerRootCertificates": [
        {
            "type": "predefined",
            "tag": "vidos"
        }
    ]
}

Advanced Configuration

{
    "skip": false,
    "trustedIssuerRootCertificates": [
        {
            "type": "pem",
            "pem": "-----BEGIN CERTIFICATE-----\n..."
        },
        {
            "type": "vical-url",
            "url": "https://example.com/vical",
            "vicalTrustedCertificates": ["-----BEGIN CERTIFICATE-----\n..."]
        },
        {
            "type": "predefined",
            "tag": "aamva"
        }
    ]
}

For detailed configuration options, parameters, and default values, see the Validator Configuration Reference.

Credential Type Support Matrix

Credential FormatSupportedCertificate SourceValidation MethodNotes
mDL (mso_mdoc)mDL DocumentAuth0 mDL VerifierFull certificate chain validation
IETF SD-JWT DCJWT x5c HeaderNode ForgeX.509 certificate chain validation
W3C VC (JSON-LD)N/AN/ACertificate-based validation not supported
JWT VCN/AN/ACertificate-based validation not supported
TIP

The trusted issuer policy is essential for establishing trust in credential issuance. Use it in combination with other validation policies to ensure comprehensive credential verification, especially in high-security environments where issuer trust is critical.

Troubleshooting

Common Issues

  1. Certificate chain validation failures

    • Check certificate validity periods
    • Verify certificate chain completeness
    • Ensure trusted root certificates are current
  2. VICAL resolution errors

    • Verify VICAL URL accessibility
    • Check VICAL trusted certificate configuration
    • Validate VICAL signature integrity
  3. Unsupported credential types

    • Ensure credential format is supported
    • Check certificate information availability
    • Verify credential parsing success