The Trust Registry Task Force (TRTF) at Trust Over IP (ToIP) is pleased to announce Public Review 02 (PR02) of the Trust Registry Query Protocol Specification V2.0.
The power of open standard digital wallets—now being implemented across the EU, Canada, Bhutan, and dozens of other jurisdictions—is that they can accept verifiable credentials that are digitally signed by issuers and cryptographically verified by relying parties.
However, cryptographic verification alone is not enough. A relying party also needs to know that the issuer is authorized to issue a particular type of credential. For example, to verify a California mobile driver's license (mDL), you first need to confirm that the issuer is actually the California Department of Motor Vehicles.
Now multiply that across 50 U.S. states, hundreds of international jurisdictions, and thousands of credential types serving countless digital trust use cases. The need for a simple, fast, and secure way to verify trusted participants becomes clear.
The challenge doesn't stop with issuers. The EU's eIDAS 2.0 legislation also requires "verifying the verifier"—ensuring that parties requesting personal data from wallet holders are authorized to do so.
The Trust Registry Query Protocol (TRQP) is a lightweight, read-only protocol for making fast, efficient queries for authoritative data from trust registries. It is often described as "DNS for trust." Just as DNS name servers serve name domains, TRQP trust registries serve trust domains (also known as digital trust ecosystems).
The authority for the trust registry (e.g. a company, university, professional association, or government agency) determines the policies governing which actors can perform what actions on what resources within an ecosystem. Those policies are typically published in a human-readable governance framework. To make these policies accessible to software agents, they are published in machine-readable authority statements. These are the data structures that can be queried via TRQP.
TRQP V2.0 focuses on two query types:
The TRQP information model is inspired by the PARC model (Principal, Action, Resource, Context), a well-established framework for expressing authorization decisions:
For more background on the PARC model, see the Cedar PARC Authorization documentation.
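To make the PARC-style information model concrete, the following is an added example (not code from the ToIP specification or the TRTF) of a read-only, in-memory registry of authority statements queried for the two checks described above: whether an issuer may issue a California mDL, and whether a verifier is authorized to request it. Every identifier, field name and sample statement is a constructed assumption, not the spec's actual data model.

```python
# Added example, not TRQP specification code. Models an authority statement as
# a PARC tuple (Principal, Action, Resource, Context) and answers read-only
# queries with default deny. All identifiers below are constructed assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AuthorityStatement:
    principal: str                      # globally unique actor identifier (assumed DID-style)
    action: str                         # what the actor may do, e.g. "issue" or "verify"
    resource: str                       # what it applies to, e.g. a credential type
    context: Dict[str, str] = field(default_factory=dict)  # constraints, e.g. ecosystem


class TrustRegistry:
    """Read-only view of authority statements: it can be queried but not changed."""

    def __init__(self, statements: List[AuthorityStatement]):
        self._statements: Tuple[AuthorityStatement, ...] = tuple(statements)  # frozen snapshot

    def find_authority(self, principal: str, action: str, resource: str,
                       context: Optional[Dict[str, str]] = None) -> Optional[AuthorityStatement]:
        """Return the statement authorizing (principal, action, resource) under context, or None."""
        ctx = context or {}
        for stmt in self._statements:
            if (stmt.principal, stmt.action, stmt.resource) != (principal, action, resource):
                continue
            # every context constraint on the statement must be satisfied by the query
            if all(ctx.get(key) == value for key, value in stmt.context.items()):
                return stmt
        return None  # default deny: no authority statement covers this query

    def is_authorized(self, principal: str, action: str, resource: str,
                      context: Optional[Dict[str, str]] = None) -> bool:
        # The registry only reports what is on record; whether to rely on the
        # answer remains the querying party's decision (the text above makes this point).
        return self.find_authority(principal, action, resource, context) is not None


# Constructed sample registry for a hypothetical California ecosystem.
CA_ECOSYSTEM = {"ecosystem": "did:example:ca-ecosystem"}
SAMPLE_REGISTRY = TrustRegistry([
    AuthorityStatement("did:example:ca-dmv", "issue", "credential:mdl", dict(CA_ECOSYSTEM)),
    AuthorityStatement("did:example:car-rental", "verify", "credential:mdl", dict(CA_ECOSYSTEM)),
])

if __name__ == "__main__":
    print("DMV may issue mDL:", SAMPLE_REGISTRY.is_authorized("did:example:ca-dmv", "issue", "credential:mdl", CA_ECOSYSTEM))
    print("Rental may verify mDL:", SAMPLE_REGISTRY.is_authorized("did:example:car-rental", "verify", "credential:mdl", CA_ECOSYSTEM))
```

A query that omits the ecosystem context, names an unlisted principal, or asks for an action the statement does not grant gets a negative answer, which is the safe default for a relying party.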
Interoperability of TRQP across decentralized trust domains depends on globally unique identifiers, just as Internet interoperability depends on IP addresses and DNS names. TRQP identifiers:
The core TRQP specification is separate from transport bindings. The initial binding specifies how to implement TRQP over HTTPS, with potential for future bindings to other transport protocols such as DIDComm and the ToIP Trust Spanning Protocol (TSP).
TRQP bridges connect TRQP endpoints to existing systems of record. A bridge transforms TRQP queries into the format supported by the underlying system (X.509 certificate hierarchies, OpenID Federations, EBSI Trust Chains, TRAIN trust lists, etc.) and performs the reverse mapping for responses. The specification includes the following diagram illustrating this architecture:
"A trust registry does not create authority. The authority of a trust registry is an outcome of governance." — Jacques Latour, CTO, CIRA.ca
TRQP is intentionally a read-only protocol. It does not manage information inside the trust registry (the system of record). The decision to trust the outputs from a trust registry belongs entirely to the party making the query. However, the information available via TRQP-compatible trust registries is often essential to building trust between parties that do not have any previous relationship.
We invite trust registry operators, ecosystem architects, wallet developers, credential issuers, verifiers, and other stakeholders to review TRQP V2.0 PR02 to help ensure it is:
Both an HTML and a Markdown version of the specification are available:
Follow the ToIP Public Review Process to comment, report bugs, or file issues via GitHub:
The Trust Registry Task Force (TRTF) was established in the summer of 2021 following the high demand for cross-jurisdiction verification of digital health credentials during the COVID-19 pandemic. The TRTF operates under the ToIP Technology Stack Working Group.
For more information about the TRTF and its work, visit the Trust Registry Task Force wiki page.
We would like to thank the authors of TRQP V2.0:
_______
Trust Over IP, an LF Decentralized Trust project, is defining a complete architecture for Internet-scale digital trust that combines cryptographic trust at the machine layer with human trust at the business, legal, and social layers. Learn more at trustoverip.org.