TRAIN

TRAIN provides components for a flexible and cross-domain trust infrastructure to sovereignly manage trust anchors with DNS(SEC) and verify the inclusion of entities (e.g. issuers of self-sovereign identity credentials) in trust frameworks.

Challenge

Decentralized identity management technology is currently developing fast. At the same time, multiple trust domains (various national trust domains, various industries etc.) exist. It might be overly optimistic to settle on one specific decentralized identity technology and trust domain. Hence, a trust management infrastructure should aim to be agnostic towards the specific decentralized identity technology, ledger and framework (e.g. EBSI, Indy). It should be able to bridge different trust domains and to allow individual entities and frameworks to make sovereign trust decisions – largely independent of the underlying technology.


Ecosystems building on federated or decentralized identity management technologies (such as self-sovereign identity SSI) require a decentralized, flexible, scalable, and interoperable trust infrastructure to manage information on trusted entities, federations or participants in the ecosystem. Individual entities or groups of entities (federations) have to be able to define and manage their trust anchors in a sovereign way. On the other hand, in order to ease adoption, it must be possible for individual entities and federations to easily delegate individual trust decisions to trustable authorities and integrate trust anchors according to their requirements. Moreover, it must be possible to connect trust anchors across trust domains to achieve interoperability across federations and eventually bridging ecosystem boundaries.

Method

The TRAIN trust management infrastructure enables establishing a root of trust for entities acting in a specific ecosystem and for credentials (e.g. W3C Data Model Verifiable Credentials and X.509 certificates) issued by these entities. This is achieved through the publication of trust lists (following ETSI TS 119 612, in XML or as JSON-LD wrapped in VCs) combined with anchoring of pointers in the DNS (PTR resource records). These lists, published by governance authorities (which can be basically anyone who controls a DNS record), include entities that are certified according to a certain trust framework (also known as a Trust Scheme) that is maintained by the respective governance authority. This, for example, lets verifying entities assess the trustworthiness of credentials by checking that their issuers are included in the trust list under a specific trust framework.

TRAIN leverages the established DNS(SEC) infrastructure to support decentralized identity ecosystems. It depends neither on a hierarchical CA infrastructure / Public Key Infrastructure nor on a specific distributed ledger. The trust layer is flexible: individual entities can define, manage and apply their own trust anchors and policies. Individual entities or federations (industry organizations, manufacturer-supplier networks, NGOs, etc.) can define for themselves the trust standards they require, establish trust frameworks and publish trust lists of entities adhering to their trust framework. Cross-referencing of trust frameworks is possible. No central authority is established; anyone can issue certificates/credentials and set up their own trust frameworks, but TRAIN facilitates individual trust decisions through the defined discovery of trust lists via the established and widely accepted mechanism of the DNS. Established trust frameworks (eIDAS, the Pan-Canadian Trust Framework, but also other self-defined frameworks and policies) can be integrated.


TRAIN builds on work in the EU-funded projects LIGHTest, NGI ESSIF-Lab TRAIN, NGI Atlantic "Next Generation SSI Standards" and has been piloted with a number of partners.

Solution

TRAIN makes use of the DNS (with DNSSEC) as a fundamental and well-established anchor to discover and validate trust. In order for an entity to be able to set up a trust list, it has to control a DNS domain, so that it can create a Trust Framework (Trust Scheme) in its DNS record and set pointers (PTR RR) to the Trusted Content, specifically the Trust List, in its DNS record. The DNS hostname is then embedded into the meta section (TermsOfUse) of verifiable credentials by entities claiming enrollment in the Trust Framework of a specific Trust Framework operator. Verifying entities use the DNS hostname to resolve trusted content and validate the inclusion of entities in Trust Frameworks - according to their own trust requirements, as they define which Trust Frameworks (via their DNS hostnames) to trust.
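The verification flow described above (hostname in the credential's TermsOfUse, PTR lookup, trust-list inclusion check, gated by the verifier's own list of trusted frameworks), as an added example that is not TRAIN's own code. The DNS answers, the trust-list layout and the field names inside `termsOfUse` are constructed assumptions for this example, and the PTR lookup is a stub standing in for a DNSSEC-validating resolver.

```python
from typing import Callable, Dict, List, Set

# Constructed sample VC: the issuer claims enrollment in a trust framework by naming
# the framework's DNS hostname in termsOfUse (field names are assumptions, not TRAIN's schema).
SAMPLE_VC = {
    "issuer": "did:example:issuer-123",
    "termsOfUse": [{"type": "TrustFrameworkPolicy",
                    "trustScheme": ["example-framework.test"]}],
}

# Constructed DNS data: the framework hostname's PTR record points at its trust list.
FAKE_PTR: Dict[str, List[str]] = {
    "example-framework.test": ["https://example-framework.test/trust-list.json"],
}

# Constructed, heavily simplified trust list (real TRAIN lists follow ETSI TS 119 612).
FAKE_TRUST_LISTS: Dict[str, dict] = {
    "https://example-framework.test/trust-list.json": {
        "TrustServiceProviderList": [
            {"TSPInformation": {"Identity": "did:example:issuer-123"}},
        ]
    }
}

def resolve_ptr(hostname: str) -> List[str]:
    # Stub: a production resolver must return only DNSSEC-validated PTR answers.
    return FAKE_PTR.get(hostname, [])

def fetch_trust_list(url: str) -> dict:
    # Stub: in production, fetch over HTTPS and validate the list's own signature/VC proof.
    return FAKE_TRUST_LISTS.get(url, {})

def issuer_is_trusted(vc: dict, trusted_frameworks: Set[str],
                      resolve: Callable[[str], List[str]] = resolve_ptr,
                      fetch: Callable[[str], dict] = fetch_trust_list) -> bool:
    """Return True only if the issuer appears in a trust list reached via the DNS pointer
    of a framework the verifier itself has chosen to trust."""
    claimed = [h for tou in vc.get("termsOfUse", []) for h in tou.get("trustScheme", [])]
    for hostname in claimed:
        if hostname not in trusted_frameworks:
            continue  # a self-asserted framework the verifier does not trust decides nothing
        for url in resolve(hostname):
            providers = fetch(url).get("TrustServiceProviderList", [])
            identities = {p["TSPInformation"]["Identity"] for p in providers}
            if vc.get("issuer") in identities:
                return True
    return False
```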


TRAIN has demonstrated that it can be used to verify trust in issuers of verifiable credentials (VCs) adhering to the W3C Data Model, in credential schemas, and in verifiers. A concept leveraging TRAIN to verify wallet conformance has been presented. It was demonstrated in the Global COVID Certificate Network (GCCN) of the Linux Foundation Public Health (LFPH) and was subsequently picked up by the United Nations Development Programme (UNDP) for the Digital Trust Infrastructure for Discovery and Validation (Regi-TRUST). Moreover, it has been specified for implementation in the Gaia-X Federation Services (GXFS) to manage trust in Gaia-X Federation Ecosystems.


TRAIN is fully in line with the open and decentralized SSI approach and complements other methods that establish cryptographic trust. As such, it is mentioned in the implementation considerations of the OpenID Connect for Verifiable Presentations (OpenID4VP) specification.


TRAIN components are Open Source under Apache 2.0 license (see TRAIN Gitlab).

Selected publications on TRAIN

Kubach, M. & Rossnagel, H. (2021). A lightweight trust management infrastructure for self-sovereign identity. In: Rossnagel, H., Schunck, C. H. & Moedersheim, S. (Eds.), Open Identity Summit 2021. Bonn: Gesellschaft für Informatik e.V. (pp. 155-166).

Martinez Jurado, V., Vila, X., Kubach, M., Henderson Johnson Jeyakumar, I., Solana, A. & Marangoni, M. (2021). Applying assurance levels when issuing and verifying credentials using Trust Frameworks. In: Rossnagel, H., Schunck, C. H. & Moedersheim, S. (Eds.), Open Identity Summit 2021. Bonn: Gesellschaft für Informatik e.V. (pp. 167-178).

Johnson Jeyakumar, I. H., Chadwick, D. W. & Kubach, M. (2022). A novel approach to establish trust in verifiable credential issuers in Self-sovereign identity ecosystems using TRAIN. In: Rossnagel, H., Schunck, C. H. & Moedersheim, S. (Eds.), Open Identity Summit 2022. Bonn: Gesellschaft für Informatik e.V. (pp. 27-38). DOI: 10.18420/OID2022_02

Chadwick, D. W., Kubach, M., Sette, I. & Johnson Jeyakumar, I. H. (2023). Establishing Trust in SSI Verifiers. In: Rossnagel, H., Schunck, C. H. & Günther, J. (Eds.), Open Identity Summit 2023. Bonn: Gesellschaft für Informatik e.V. (pp. 15-26). DOI: 10.18420/OID2023_01