
Trustchain -- Trustworthy Decentralised Public Key Infrastructure for Digital Credentials

Tim Hobson, Lydia France, Sam Greenbury, Luke Hare, Pamela Wochner

TL;DR

Trustchain presents a hybrid decentralised public key infrastructure (DPKI) for digital credentials that binds real-world hierarchical trust to a decentralised data layer using independently-verifiable timestamping. The approach introduces a root DID anchored by verifiable timestamps and downstream DIDs (dDIDs) that form chains back to the root, enabling verifiable credential issuance and complete revocation data without relying on traditional, opaque certificate authorities. A reference implementation in Rust built on ION/IPFS demonstrates practical deployment, with infrastructure for root/downstream DIDs, timestamp verification, and mobile wallet support. The model aims for low setup costs, openness, and global accessibility, while addressing security and interoperability through features like constrained dDIDs, rebasing, and interoperability dDIDs, though it also raises socio-political considerations about digital credential use in society.

Abstract

The sharing of public key information is central to the digital credential security model, but the existing Web PKI with its opaque Certification Authorities and synthetic attestations serves a very different purpose. We propose a new approach to decentralised public key infrastructure, designed for digital identity, in which connections between legal entities that are represented digitally correspond to genuine, pre-existing relationships between recognisable institutions. In this scenario, users can judge for themselves the level of trust they are willing to place in a given chain of attestations. Our proposal includes a novel mechanism for establishing a root of trust in a decentralised setting via independently-verifiable timestamping. We also present a reference implementation built on open networks, protocols and standards. The system has minimal setup costs and is freely available for any community to adopt as a digital public good.


Paper Structure (19 sections, 4 figures)

Figures (4)

  • Figure 1: Upstream and Downstream DIDs
  • Figure 2: Trustchain functional architecture
  • Figure 3: Timestamp verification via a chain of cryptographic commitments (in green). Process inputs are in yellow.
  • Figure 4: Trustchain proof mechanics. An attestation proof is encoded as a service endpoint in an ION DID document (top) and transformed into DID document metadata (bottom) by the Trustchain resolver.