Summary points
Using GLEIF as example of an Ecosystem which has declared technical and authoritative/governance roots of Trust.
- The key requirements (and governance) of an Issuer haven’t changed, which is good news for existing (non-VC) credentials; those existing practices should be captured as models for new Issuers who lack a non-VC background.
- Roots of trust are going to be determined by the authoritative actors in the ecosystem, which need to be well defined, understood and captured within governance.
- So what reference examples should ToIP be capturing? GLEIF is a prime candidate as one of the references.
- Organizations have a requirement to fit into their ecosystem/supply chains, including all public “touch points” (such as public roles within the organization), but internal governance (including roots of trust) is entirely their own domain.
- GLEIF uses a model of needing multiple authoritative signatures (by people in defined roles) on assigning organization identifiers, roles and related credentials. This is in keeping with current organizational practices (financial, including banks).
- Multi-signatures lead to overlapping/shared responsibilities - complicating
- The GLEIF model provides for Organization and Role identities, from which rights and responsibilities can be assigned (including public and internal/private roles). Between GLEIF, the vLEI issuer and the LEI/vLEI organization, there is a series of certificate/role pairs such that:
  - A certificate is issued by a higher authority to the organization and to its roles within the organization.
  - An Organization (LEI, vLEI) acts as a trust anchor/root of trust for roles and for actions by roles within the organization, or for identifying sub-organizations (e.g., parent-child corporation relationships).
  - Roles:
    - Must be a human
    - Have rights and responsibilities, which can include actions on behalf of the organization, and assigning a role to another human
    - Have a certificate signed by the authoritative higher-level role which assigned this role
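The certificate/role chain described above, as an added example that is not part of the original notes and is not GLEIF's or ToIP's own code: a small Python model in which every role certificate names its issuers and a signature threshold, a verifier walks issuer by issuer up to a declared root of trust (GLEIF), and the "roles must be human", "issuer must hold the right to assign roles" and multi-signature rules are enforced on the way. All names, role labels (`official-representative`, `engagement-role`), rights and keys are constructed for illustration, and HMAC-SHA256 stands in for a real digital signature.

```python
import hashlib
import hmac
import json
import secrets

# All names, keys and role labels below are constructed for illustration; they are not
# GLEIF's real identifiers, credential schemas or key material.


class Identity:
    """A signing party. kind is 'org' (GLEIF, a vLEI issuer, an LEI holder) or 'human'."""

    def __init__(self, name, kind):
        self.name, self.kind = name, kind
        self._key = secrets.token_bytes(32)  # private key; HMAC stands in for a real signature

    def sign(self, msg):
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def verify(self, msg, sig):
        return hmac.compare_digest(self.sign(msg), sig)


class Certificate:
    """Binds a subject to a role, its rights, the issuers that may sign and how many must sign."""

    def __init__(self, subject, role, rights, issuers, threshold):
        self.body = {"subject": subject.name, "kind": subject.kind, "role": role,
                     "rights": sorted(rights), "issuers": sorted(i.name for i in issuers),
                     "threshold": threshold}
        self.signatures = {}  # issuer name -> signature over the canonical body

    def digest(self):
        return json.dumps(self.body, sort_keys=True, separators=(",", ":")).encode()

    def sign_by(self, issuer):
        self.signatures[issuer.name] = issuer.sign(self.digest())


class TrustChainVerifier:
    def __init__(self, roots, identities, certs):
        self.roots = roots            # declared roots of trust, e.g. {"GLEIF"}
        self.identities = identities  # name -> Identity used to check signatures
        self.certs = certs            # subject name -> Certificate

    def verify(self, subject, depth=0):
        """Walk issuer by issuer up to a declared root; return (ok, reason)."""
        if depth > 16:
            return False, "chain too long"
        if subject in self.roots:
            return True, "root of trust"
        cert = self.certs.get(subject)
        if cert is None:
            return False, f"no certificate for {subject}"
        body = cert.body
        if body["role"] != "organization" and body["kind"] != "human":
            return False, f"role {body['role']} assigned to non-human {subject}"
        valid = 0
        for name in body["issuers"]:
            issuer, sig = self.identities.get(name), cert.signatures.get(name)
            if issuer is None or sig is None or not issuer.verify(cert.digest(), sig):
                continue  # a missing or bad signature simply does not count toward the threshold
            ok, why = self.verify(name, depth + 1)  # the issuer must itself chain to a root
            if not ok:
                return False, f"issuer {name}: {why}"
            if name not in self.roots and "assign_role" not in self.certs[name].body["rights"]:
                return False, f"issuer {name} lacks the right to assign roles"
            valid += 1
        if valid < body["threshold"]:
            return False, f"{subject}: {valid} of {body['threshold']} required signatures"
        return True, "chain verified"


def run_demo():
    ids = {i.name: i for i in [Identity("GLEIF", "org"), Identity("QVI-Example", "org"),
                               Identity("ACME-LEI", "org"), Identity("alice", "human"),
                               Identity("bob", "human"), Identity("carol", "human"),
                               Identity("dave", "human"), Identity("bot-service", "org"),
                               Identity("RogueRoot", "org"), Identity("mallory", "human")]}
    chain = [  # (subject, role, rights, named issuers, threshold, who actually signs)
        ("QVI-Example", "organization", {"assign_role"}, ["GLEIF"], 1, ["GLEIF"]),
        ("ACME-LEI", "organization", {"assign_role"}, ["QVI-Example"], 1, ["QVI-Example"]),
        ("alice", "official-representative", {"assign_role"}, ["ACME-LEI"], 1, ["ACME-LEI"]),
        ("bob", "official-representative", {"assign_role"}, ["ACME-LEI"], 1, ["ACME-LEI"]),
        ("carol", "engagement-role", set(), ["alice", "bob"], 2, ["alice", "bob"]),
        ("dave", "engagement-role", set(), ["alice", "bob"], 2, ["alice"]),               # one signer short
        ("bot-service", "engagement-role", set(), ["alice", "bob"], 2, ["alice", "bob"]),  # not a human
        ("mallory", "engagement-role", set(), ["RogueRoot"], 1, ["RogueRoot"]),          # undeclared root
    ]
    certs = {}
    for subject, role, rights, issuers, threshold, signers in chain:
        cert = Certificate(ids[subject], role, rights, [ids[n] for n in issuers], threshold)
        for s in signers:
            cert.sign_by(ids[s])
        certs[subject] = cert
    verifier = TrustChainVerifier({"GLEIF"}, ids, certs)
    return {name: verifier.verify(name) for name in ["carol", "dave", "bot-service", "mallory"]}


if __name__ == "__main__":
    for name, (ok, reason) in run_demo().items():
        print(f"{name:12s} {'OK  ' if ok else 'FAIL'} {reason}")
```

Three of the four checked subjects fail for different reasons, which is the point: a verifier in this model rejects a role with too few authoritative signatures, a role assigned to something other than a human, and a chain that ends at an issuer nobody in the ecosystem's governance declared a root of trust, while accepting the one chain that runs cleanly from an engagement role through two official representatives, the LEI organization and the vLEI issuer up to GLEIF.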
The diagram (included in the screenshots/diagrams below) illustrates this trust chain for Issuers, from the root of trust through to the issuing of Verifiable Credentials.
- Adding a comprehensive but new identifier/role trust model (such as GLEIF) may be difficult, particularly for (large) Institutional banking products & services to adapt/integrate. Possibly this sits on top of existing identity solutions (e.g., use existing internal identities and back them with vLEI-type certificates).
- Worth understanding is the application of certificates (pre-VCs) as it applies to international supply chains (UN/CEFACT), which are in operation today (see chat links above). Ideally, GLEIF-type identifiers for organizations & roles, and the way they are controlled and verified, should be integrable into the CEFACT system and ideally generalized for any supply chain.
- How are Issuers and Trust Registries (as discussed in ToIP) similar, and how do they differ? This needs answering because, from some perspectives, they appear similar: an Issuer issues trust certificates about a subject; a Trust Registry holds a list/graph of trustable objects (or trustable candidates?) within a specific context (e.g., qualified engineers with attested experience in mining-related pollution control).