§ ToIP Trust Registry QueryProtocol version 2.0 Specification

Specification Status: v2.0 Implementers Draft

Category	Status
Document Type	Specification
Document Status	Draft
Document Purpose	Implementers Draft

Note to Implementers and Reviewers

The intent of this Implementers Review Draft Deliverable is to drive input for the specification. Comments are appreciated and encouraged. During the Implementers Review period (2024-04-03 to 2024-06-03) feedback may be dispositioned rapidly.

Provide input via:

GitHub Issues - for items that need to be tracked. These will be formally dispositioned.
GitHub Discussions - for items that are more discussion level.

This protocol is currently focused on read-only operations.

Source/Resources:

The following links will be helpful for editors and reviewers during the DRAFT stage.

Source Code - https://github.com/trustoverip/tswg-trust-registry-protocol
Rendered Specification (github.io Pages) - https://trustoverip.github.io/tswg-trust-registry-protocol/
Browseable (SwaggerHub) API - https://app.swaggerhub.com/apis-docs/continuumloop/trust-over_ip_trust_registry_protocol_res_tful_api_v_2/2.0.0 - note there is no endpoint responding.
Inline (Redocs) API Browser - Redoc Rendering (static HTML) of specification

Editors:

Darrell O’Donnell, Continuum Loop Inc.

Contributors:

To comply with the intellectual property rights protections in the charter of the ToIP Foundation (as required by all Joint Development Foundation projects hosted by the Linux Foundation), all contributors in any capacity to this Draft Deliverable MUST be current members of the ToIP Foundation. The following contributors each certify that they meet this requirement:

Antti
Andor
Jacques Latour, CIRA
Christine Martin, Continuum Loop Inc.

§ Participate

WARNING

SECTION will be removed before going to Review]

Participation is welcomed and encouraged.

Revision History

NOTE

[[This section applies after the specification has been released for a Public Review, including Implementers Public Review]].

2024-06-24
- changed specification name to add “Query” to the title
- updated beidge diagram to reflect profile need for OIDF
- fixed Swagger links

::: ISSUE Pandoc TOC not rendering :::

§ Scope

The usefulness of an ecosystem is largely dependant on its ability to assert trust for and between its members. This is true for traditional ecosystems, but even more so with digital ecosystems. With the growing trend on decentralisation of digital services, we are also seeing increased need to transitively assert trust across ecosystems.

The term trust is loaded with varied meanings that may conflict. In the context of trust registries we want to be clear what we mean, when we apply the term “trust”. A trust registry does not create trust by itself. The decision for one entity to “trust” another is each party’s own decision. The purpose of the trust registry is to provide access to a system of record that contains answers to questions that help drive those trust decisions.

A trust registry may provide information that helps the consuming party in deciding that an entity is trustworthy. The ToIP Trust Registry Query Protocol helps ecosystems create the foundation of trust within its governed domain, by providing a common protocol for querying information that helps the consuming party in deciding that an entity is trustworthy.

In addition to providing information on its own ecosystem, the Trust Registry Query Protocol (TRQP) enables creation of a registry of registries. This is done by allowing an ecosystem to assert trust to other trust registries, and thus ecosystems. This can be achieved by allowing a governance entity to assert that consuming parties that rely on the trust registry, may also utilize information from another trust registry for additional assertions. This effectively creates transitive trust across ecosystems to achieve wider reach.

The Trust Registry Query Protocol serves to provide a simple interface to enable querying of systems of record that provide the information that drives a trust registry. There are a plethora of systems that contain answers that are required to make trust decisions. The protocol is intended to make the communication with any particular system-of-record consistent and simple.

§ Foreword

This specification is subject to the OWF Contributor License Agreement 1.0 - Copyright available at https://www.openwebfoundation.org/the-agreements/the-owf-1-0-agreements-granted-claims/owf-contributor-license-agreement-1-0-copyright.

If source code is included in the specification, that code is subject to the Apache 2.0 license unless otherwise marked. In the case of any conflict or confusion within this specification between the OWF Contributor License and the designated source code license, the terms of the OWF Contributor License shall apply.

These terms are inherited from the Technical Stack Working Group at the Trust over IP Foundation. Working Group Charter

THESE MATERIALS ARE PROVIDED “AS IS.” The Trust Over IP Foundation, established as the Joint Development Foundation Projects, LLC, Trust Over IP Foundation Series (“ToIP”), and its members and contributors (each of ToIP, its members and contributors, a “ToIP Party”) expressly disclaim any warranties (express, implied, or otherwise), including implied warranties of merchantability, non-infringement, fitness for a particular purpose, or title, related to the materials. The entire risk as to implementing or otherwise using the materials is assumed by the implementer and user.

IN NO EVENT WILL ANY ToIP PARTY BE LIABLE TO ANY OTHER PARTY FOR LOST PROFITS OR ANY FORM OF INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER FROM ANY CAUSES OF ACTION OF ANY KIND WITH RESPECT TO THESE MATERIALS, ANY DELIVERABLE OR THE ToIP GOVERNING AGREEMENT, WHETHER BASED ON BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, AND WHETHER OR NOT THE OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

§ Conventions

The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “NOT RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

§ Terms & Definitions

The following terms are used to describe concepts in this specification.

authorization:: Access privileges granted to an entity; conveys an “official” sanction to perform a cryptographic function or other sensitive activity. (Source: NIST NIST SP 800-57 Part 2 Rev.1 under Authorization)

ISSUE

https://github.com/trustoverip/tswg-trust-registry-protocol/issues/6

May need a governed authorization term to help link tech+governance.

authorized trust registry: The primary trust registry plus all secondary trust registries are collectively referred to as the authorized trust registries.
authorization namespace:: A well-known string that is used in an EGF to indicate a discrete authorization. Examples (non-exhaustive): “canada:driver-license”, “eu:trusted-list.authorized-timestamp”, “global:tsm”
consuming party:: A party that consumes the services and information provided by a trust registry in order to make a trust decision.
registered entity:: An entity that is listed in the system (i.e. the trust registry) that is being queried.
permission:: Authorization to perform some action on a system. (Source: NIST)
primary trust registry:: The single trust registry that is considered the primary source for information of a particular type in an ecosystem.
secondary trust registry:: A trust registry that has copies of information based on the ecosystem’s primary trust registry.
service endpoint:: A network address, such as an HTTP URL, at which services operate on behalf of a DID subject. (Source: [DID-CORE])
service property:: in context of: [TRQP-1] …MUST publish, in the DID document associated with the DID identifying its EGF, a service property specifying the service endpoint
trust registry:: A registry that serves as an authoritative source for trust graphs or other governed information describing one or more trust communities. A trust registry is typically authorized by a governance framework. (See also: trust list)
trust: A belief that an entity will behave in a predictable manner in specified circumstances. The entity may be a person, process, object or any combination of such components. The entity can be of any size from a single hardware component or software module, to a piece of equipment identified by make and model, to a site or location, to an organization, to a nation-state. Trust, while inherently a subjective determination, can be based on objective evidence and subjective elements. The objective grounds for trust can include for example, the results of information technology product testing and evaluation. Subjective belief, level of comfort, and experience may supplement (or even replace) objective evidence, or substitute for such evidence when it is unavailable. Trust is usually relative to a specific circumstance or situation (e.g., the amount of money involved in a transaction, the sensitivity or criticality of information, or whether safety is an issue with human lives at stake). Trust is generally not transitive (e.g., you trust a friend but not necessarily a friend of a friend). Finally, trust is generally earned, based on experience or measurement. (source: NIST Special Publication 800-39 p.24)
trust relationship: An agreed upon relationship between two or more system elements that is governed by criteria for secure interaction, behavior, and outcomes relative to the protection of assets. (source: NIST SP 800-160v1r1)
trustworthy: Worthy of the confidence to others of the qualifications, capabilities, and reliability of that entity to perform specific tasks and fulfill assigned responsibilities. (note: based on the definition of trustworthiness. note: from source “This refers to trust relationships between system elements implemented by hardware, firmware, and software” but the definition largely works.
trustworthiness: An attribute of a person or organization that provides confidence to others of the qualifications, capabilities, and reliability of that entity to perform specific tasks and fulfill assigned responsibilities. Trustworthiness is also a characteristic of information technology products and systems (see Section 2.6.2 on trustworthiness of information systems). The attribute of trustworthiness, whether applied to people, processes, or technologies, can be measured, at least in relative terms if not quantitatively.48 The determination of trustworthiness plays a key role in establishing trust relationships among persons and organizations. The trust relationships are key factors in risk decisions made by senior leaders/executives. NOTE: Current state-of-the-practice for measuring trustworthiness can reliably differentiate between widely different levels of trustworthiness and is capable of producing a trustworthiness scale that is hierarchical between similar instances of measuring activities (e.g., the results from ISO/IEC 15408 [Common Criteria] evaluations). (source: NIST Special Publication 800-39 p.24)
trusted party:: A party that is trusted by an entity to faithfully perform certain services for that entity. An entity may choose to act as a trusted party for itself.(source: NIST SP 800-56B Rev. 2 under Trusted party)
VID Type:: A specific kind of VID.

§ Introduction

This section is non-normative

A trust registry is a resource that helps to bind governance (business, legal, and social mandates) for an ecosystem. A trust registry helps get the main answers that parties inside and outside of the ecosystem need to tie the governance into their own systems - both technically and on a governance (the information provided is created via a governed process).

It is crucially important to understand that a trust registry does not create trust, nor the conditions for trust, by itself. Trust and belief in the data provided by a trust registry is an outcome of governance.

We need answers to a simple question:

Does Entity X have Authorization Y, in the context of Ecosystem Governance Framework Z?

The Trust Registry Query Protocol (TRQP) serves to provide a simple interface to enable querying of systems of record that provide the information that drives a trust registry. There are a plethora of systems that contain answers that are required to make trust decisions. The protocol is intended to make the communication with any particular system-of-record consistent and simple.

It is intentionally simple to allow rapid integration into external systems.

The TRQP does not:

create a trust registry - it allows (read-only) access to a system-of-record that has the data needed to generate answers that a trust registry provides.
create new information - the Create, Update, and Delete of CRUD are not supported. Systems-of-record perform the full CRUD operations. The protocol provides a simple and consistent way of retrieving information from a system.
create nor implement governance - the system-of-record that supports the TRQP may have technical ways of doing this, supported by manual operations. Regardless, the TRQP has no opinion on how governance is implemented - just that the information retrieved complies with the stated EGF.
make decisions - the TRWP serves up data that are inputs to trust decisions.
assign Roles or Rights, though a consuming system may take information that is received via the TRQP and assign these.

It is most crucial to understand that a Trust Registry does NOT create authority. The authority of a trust registry is an outcome of governance.

The purpose of this ToIP specification is to define a standard interoperable protocol for querying a global web of peer trust registries, each of which can answer queries about whether a particular entity holds an authorization, in a particular digital trust ecosystem (defined under an EGF), as well as which peer trust registries acknowledge each other.

§ Trust Registry Query Protocol features

A core role within the ToIP stack is a trust registry. This is a network service that enables the governing authority for an EGF to share information about their ecosystem. In particular, which governed parties hold which authorizations under the EGF.

A trust registry query protocol thus should provide the following features:

interface to query if a particular entity holds specific authorization under a defined EGF?

e.g. “Does entity X hold the authorization of canada.driver.license.issue under Canadian Driver’s license scheme?”

interface to query what other trust registries are recognized by this trust registry?

§ Read-only query Protocol

The primary question (Does Entity X have Authorization Y, in the context of Ecosystem Governance Framework Z) we need an answer to when working in an ecosystem is in itself a simple query. Furthermore, it is read-only query and it doesn’t modify any information in a system of record. It just makes data available.

In the web service world the TRQP is purely a GET protocol.

Just as important it is to understand what the TRQP does NOT do. The TRQP does NOT:

affect the operations and governance of the systems that support querying using the TRQP.
create, update, or delete data in a system. In web services this means the TRQP does to PUT, POST, DELETE, and other non-GET operations.

As with all layers of the ToIP stack, the purpose of a ToIP specification is to enable the technical interoperability necessary to support transitive trust within and between different trust communities implementing the ToIP stack. In this case, the desired interoperability outcome is a common query protocol that works between any number of decentralized peer trust registries operated by independent governing authorities** representing multiple legal and business jurisdictions.

§ Registry of Registries

A Registry of Registries (RoR), is a form of trust registry that primarily serves information about other trust registries.

What other governing authorities are known to the RoR.
Which trust registry are known to be authoritative for particular actions. Examples:
- Which trust registry is known to issue university diplomas for a particular jurisdiction?

Which trust registry is known to manage a list of professionals (e.g. CPAs, lawyers, engineers) that have particular signing rights (authorizations)?

Which trust registry are known to operate under a given EGF.

The results on a trust decision based on input from a trust registry may range from:

immediate decision that the entity meets or cannot meet the full requirement of the trust relationship; or
further input is required before trust decision can be made.

These decisions relate to a determination that a relationship is (or is not) sufficiently trustworthy to establish a trust relationship. To reach that determination, each party may have its own way of determining the trustworthiness of their counterparty for the trust relationship that they require.

§ Requirements

§ Registry Queries [RQ-*]

The following queries relate to receiving answers related to entities and other trust registries.

[RQ-1] The system MUST support query operations for the current status of a registered entity.
[RQ-2] The system SHOULD support query operations for a list of related trust registries.

§ Configuration Queries [CQ-*]

The following queries relate to configuration of systems that will interact with the trust registry.

[CQ-1] MUST provide a list of authorization namespaces that are supported by the responding system.
[CQ-2] MUST provide list of additional EGFs that the trust registry operates under.
[CQ-2] MUST provide a list of VID Type (i.e. VID Types) that are supported by the responding system.
[CQ-3] MUST provide a list of assurance levels that are supported by the responding system.

§ Metadata Queries [MQ-*]

[MQ-1] MUST provide a list of ecosystem governance frameworks (EGFs) that the system is operating under. This data will be comprised of the following elements:
- [MQ-1-1] MUST provide the VID of the EGF.
- [MQ-1-2] MAY provide the name of the EGF.

[MQ-2] SHOULD provide the legal name and jurisdiction of the governing authority for the trust registry service.
[MQ-3] SHOULD provide the legal name and jurisdiction of the administering authority for the trust registry operator (if different from governing body).
[MQ-4] SHOULD provide a textual description of the trust registry mandate.

§ Governing Authorities [GA-*]

Governing authorities compliant with this specification:

[GA-1] MUST have exactly one primary trust registry.
[GA-2] MAY have one or more secondary trust registries.

The primary trust registry plus all secondary trust registries are collectively referred to as the authorized trust registries.

[GA-3] MUST publish an EGF that meets the requirements of:
- [GA-3-1] This specification.
- [GA-3-2] The ToIP Governance Architecture Specification. Note that this includes the requirement that the EGF and all governed parties must be identified with a DID.

TODO

Add normative ref to ToIP Governance Architecture Specification

[GA-4] MUST publish, in the DID document associated with the DID identifying its EGF, a service property specifying the service endpoint for its primary trust registry that meets the requirements in the Trust Registry Service Property section.
[GA-5] MUST publish in its EGF a list of any other EGFs governing secondary trust registries.
[GA-6] MUST specify in the EGF any additional requirements for an authorized trust registry. This data will be comprised of the following elements::
- [GA-6-1] SHOULD provide Information Trust requirements.
- [GA-6-2] SHOULD provide Technical requirements.
- [GA-6-3] SHOULD provide Operational requirements.
- [GA-6-4] MAY provide Legal contracts.
[GA-7] MUST specify in its EGF (or in any referenced documents) requirements for:
- [GA-7-1] MUST provide all authorization values that are used by the trust registry.
- [GA-7-2] MUST provide all assurance levels, specified with unique names, that are service by the trust registry, and what authorization values they apply to.
- [GA-7-3] MUST provide a list of all VID Types that are supported by the ecosystem, and serviced by the trust registry.
- [GA-7-4] SHOULD provide resources (e.g. logo files, documents, interoperability profile information) that are required by systems integrating into the ecosystem that the system serves.
- [GA-7-5] ???any metadata required by implementors (e.g. claim name that is mandatory if pointing a credential back to an EGF.) [this is a weak example]???
- [GA-7-6] ???a statement about the basis the trust registry claims to be authoritative???
- [GA-7-7] ???means by which others are able to verify the asserted authority???
[GA-8] SHOULD specify in the EGF the following requirements for an authorized trust registry and any registered party (i.e., issuer, verifier, or peer trust registry):
- [GA-8-1] The requirements to become authorized.
- [GA-8-2] How to request registration.
- [GA-8-3] The requirements for assignment of each authorization for a registry entry.
- [GA-8-4] Any access limitations (e.g. unrestricted public access, authentication-limited access).
- [GA-8-5] How to request access where unrestricted public access is not available.

§ Trust Registry Service Property [TRSP-*]

The DID document for the DID that identifies an EGF compliant with this specification MUST include a service property that meets the requirements in section 5.4 of [DID-CORE] plus the following additional requirements:

[TRSP-1] The value of the type property MUST be TrustRegistry.
[TRSP-2] The value of the serviceEndpoint property MUST be exactly one HTTPS URI.

TODO

FIX

Registered entities MUST indicate which registries they are part of.

[TRSP-3] Registered entities MUST indicate the primary trust registry] for a particular authorization.

§ Service Profile Recommendation

the following recommendation is non-normative

It is recommended that the service leverage the Service Profile Specification. Trust Over IP hosts a Service Profile with the following pointer:

{
  "integrity": "<>",
  "profile": "<>"
  "uri": "<your service endpoint uri here>"
}

By implementing service profiles, it enables easier interoperability and discovery of service capabilities for the trust registry being implemented.

§ Trust Registry Query Protocol [TRQP-*]

The authoritative technical specifications for the API calls in the ToIP Trust Registry Query Protocol are specified in Appendix A (OpenAPI YAML file). This section contains a textual description of the requirements.

Trust registries implementing this protocol:

[TRQP-1] MUST maintain the service implementing this protocol at the HTTPS URI specified in the Trust Registry Service Property section.
[TRQP-2] The system SHOULD support queries that are at a point in time in the past.
- [TRQP-2-1] The parameter for the point in time must be named queryTime.
- [TRQP-2-2] The datetime value provided MUST be formatted per [RFC3339] using the UTC (i.e. Z for Zulu) zero offset (e.g. “2018-03-20T09:12:28Z”.
- [TRQP-2-3] If the system does not support non-current data, and the the queryTime parameter is present, the system MUST NOT return entity data and must se http error code 405 (Method not allowed).
[TRQP-3] MUST return responses to queries for the status value of a registry entry that satisfies one or more of the following sets of query parameters:
- [TRQP-3-1] Entity Authorization: Given the entityDID, and authorization return the status of that registered entity, MUST return exactly one of the following status values for a registry entry satisfying the query parameters:
  - Not Found + http code 404 - entry not found.
  - Current + http code 200 - authorization for the registered entity is current as of the time of query, or as of the time requested.
  - Expired + http code 200 - authorization has expired (e.g. not renewed after the previous valid registration period)
  - Terminated + http code 200 - authorization was terminated (e.g. voluntary termination by the registered entity)
  - Revoked + http code 200 - authorization was revoked (e.g. involuntary termination by the governing authority)
- [TRQP-3-2] Entity Authorizations: Given only the entityDID the system SHOULD return the array of Authorization objects for the entity identified by entityDID.
- [TRQP-3-3] Recognized Registry: Given the entityDID the system SHOULD return the list of trust registries that the entity has indicated it is registered in.
  - [TRQP-3-3-1] The system MUST NOT return more than one trust registry in the array designated as a primary registry.

::: TODO: Align VID and/or DID terminology. :::

[TRQP-4] MUST return responses using the data model specified in the OpenAPI Specification .

[TRQP-5] For queries returning a status value other than Not Found, the response MUST return the following values:

[TRQP-5-1] The system must return the parameter values exactly as supplied in the query (so responses can be stateless).
[TRQP-5-2] The system must return the status value for the entity (per TRP-3-1).
[TRQP-5-3] The system must return exactly two datetime values conforming to the following requirements: - [TRQP-5-3-1]The value labels MUST be: - i. AuthorizationStartDate - ii. AuthorizationEndDate - [TRQP-5-3-2] The datetime values MUST be formatted to comply with [RFC3339] in the UTC/Z time zone with no offset. - [TRQP-5-3-3] The AuthorizationStartDate MUST be the date that the registered entity authorization began. - [TRQP-5-3-4] The AuthorizationEndDate MUST be either: - [TRQP-5-3-4-1] Null for an entry whose status value is Current at the time of the query. - [TRQP-5-3-4-2] A specific datetime value if the registered entity status value is Expired, Terminated or Revoked. - [TRQP-5-3-5] If a registered entity has multiple entries in the system (representing an authorization history), the value that is active at the time indicated must be returned: - [TRQP-5-3-5-1] when no queryTime value is provided the value that is active at time of the query MUST be returned. - [TRQP-5-3-5-2] when a queryTime parameter is provided the entry that is active at that time (i.e. indicted by queryTime) MUST be returned.

§ Anti-Requirements

The following are considered anti-requirements in that they have been considered in the current design of the TRQP:

[AR-1] SHALL NOT support query operations for the history of a registered entity.
[AR-2] SHALL NOT include support for a DIDComm interface, only a RESTful (i.e. OpenAPI Specification) interface. When a repeatable trust task specification approach is created, a DIDComm/trust task approach should be considered as a work effort.
[AR-3]]SHALL NOT support automated rules processing in the protocol. A rules engine can certainly use the protocol.
[AR-4] Anything other than read-only operations. The TRQP is a read-only (RETRIEVE in the CRUD sense) protocol.

§ Normative References

ToIP Governance Architecture Specification

DID-CORE: Decentralized Identifiers (DIDs) v1.0. Manu Sporny; Amy Guy; Markus Sabadello; Drummond Reed; 2022-07-19. Status: REC.
RFC3339: Date and Time on the Internet: Timestamps. G. Klyne; C. Newman; 2002-07. Status: Proposed Standard.

§ Non-Normative/Informative References

[[spec-inform]]

§ Annex A: Consolidated Requirements

For ease of reference, the following table consolidates all normative requirements in this specification. Each requirement is linked to the section in which it appears.

THE FOLLOWING REQUIREMENTS IN THE TABLE ARE JUST EXAMPLES FOR NOW.

TODO: Finalize table once requirements (earlier).

Req #	Description	Section
	Governing Authority Requirements
GA-1	EGF MUST have exactly one primary trust registry.	[#governing-authorities-ga-]
GA-2	EGF MAY have one or more secondary trust registries.	[[#governing-authorities-ga-]
A.3	MUST publish an EGF that meets the requirements in:
A.3.1	This specification.	[LINK]
A.3.2	The ToIP Governance Architecture Specification. Note that this includes the requirement that the EGF and all governed parties (which includes authorized issuers and authorized verifiers)	[LINK]

§ Annex B: OpenAPI Specification

The OpenAPI Specification (v3.1.0) is the first “concrete” API specification.

It is provided as an Open API Specification v3 YAML file.

OAS (.yaml) for TRQP v2.

There are several renderings of the OAS specification:

Inline - this rendering is managed in this repository Redoc Rendering (static HTML) of specification
SwaggerHub - this rendering is manually updated from time to time and may be out of date: SwaggerHub

§ Annex C - Uses and Data Model Reference

§ Use of the Trust Registry Query Protocol.

The TRQP is intended to be used in at least two key ways:

Native Support - systems may directly implement access using the TRQP.
Bridged - systems may create access “bridges” that provide TRQP access to their systems.

C4 Systems Model - showing native TRQP support on one system, bridged support to two other systems (e.g. TRAIN and EU Trusted List ARF) .

§ Object Model

We provide a high-level object model (NOTE: source of truth is the Swagger as this diagram may be out of date during development)

High Level Object Model

§ Annex D - Guides (for future breakout)

We will need to provide guides and other thought pieces that explain many aspects of trust registries. A notional (short bullet) list of items could include:

“why do I need a trust registry?” - blog article or position paper to explain why trust registries help.
“I have the data, but how do I use the TRQP?” - paper about how adding TRQP to a bridge or native integration.
“where do I learn about the governance changes that I have?”