Version: v0.13

Trust Framework Overview

The IDK provides a comprehensive trust validation framework for verifying the authenticity and trustworthiness of credentials, issuers, and certificate chains. This is essential for building applications that require high-assurance identity verification.

Why Trust Matters

In digital identity systems, trust validation answers critical questions:

Is the issuer of this credential authorized to issue it?
Is the certificate chain valid and properly rooted?
Has the credential or certificate been revoked?
Does the issuer meet regulatory requirements?

Without proper trust validation, credentials from unauthorized sources could be accepted, undermining the entire identity ecosystem.

Trust Components

The IDK trust framework consists of several integrated components:

Component	Purpose
Trust Lists	Published lists of authorized issuers and their metadata
Certificate Validation	X.509 certificate chain verification
Revocation Checking	CRL and OCSP verification for certificate status
Trust Policies	Configurable rules for trust decisions

Trust Validation Flow

Core Components

Android/kotlin
iOS/Swift

// Access trust components from session
val trustValidator = session.component.trustValidator
val certificateValidator = session.component.certificateValidator
val trustListService = session.component.trustListService

// Access trust components from session
let trustValidator = session.component.trustValidator
let certificateValidator = session.component.certificateValidator
let trustListService = session.component.trustListService

Basic Trust Validation

Android/kotlin
iOS/Swift

// Validate trust for an issuer certificate
val trustResult = trustValidator.validateTrust(
    certificate = issuerCertificate,
    purpose = TrustPurpose.CREDENTIAL_ISSUER
)

when (trustResult) {
    is TrustResult.Trusted -> {
        println("Issuer is trusted")
        println("Trust level: ${trustResult.trustLevel}")
        println("Trust list: ${trustResult.trustListName}")
    }
    is TrustResult.NotTrusted -> {
        println("Issuer is not trusted: ${trustResult.reason}")
    }
    is TrustResult.Unknown -> {
        println("Trust status could not be determined")
    }
}

// Validate trust for an issuer certificate
let trustResult = try await trustValidator.validateTrust(
    certificate: issuerCertificate,
    purpose: .credentialIssuer
)

switch trustResult {
case .trusted(let result):
    print("Issuer is trusted")
    print("Trust level: \(result.trustLevel)")
    print("Trust list: \(result.trustListName)")

case .notTrusted(let reason):
    print("Issuer is not trusted: \(reason)")

case .unknown:
    print("Trust status could not be determined")
}

Trust Purposes

Different validation contexts require different trust evaluations:

Purpose	Description
`CREDENTIAL_ISSUER`	Entity issuing identity credentials
`DOCUMENT_SIGNER`	Entity signing mDoc documents
`TLS_SERVER`	Server providing TLS/HTTPS
`TLS_CLIENT`	Client authenticating via mTLS
`SIGNATURE`	General document/data signing
`ENCRYPTION`	Key used for encryption

Android/kotlin
iOS/Swift

// Validate for mDoc document signing
val mdocTrust = trustValidator.validateTrust(
    certificate = documentSignerCert,
    purpose = TrustPurpose.DOCUMENT_SIGNER
)

// Validate for credential issuance
val issuerTrust = trustValidator.validateTrust(
    certificate = issuerCert,
    purpose = TrustPurpose.CREDENTIAL_ISSUER
)

// Validate for mDoc document signing
let mdocTrust = try await trustValidator.validateTrust(
    certificate: documentSignerCert,
    purpose: .documentSigner
)

// Validate for credential issuance
let issuerTrust = try await trustValidator.validateTrust(
    certificate: issuerCert,
    purpose: .credentialIssuer
)

Trust Levels

The framework supports different trust levels:

Level	Description
`HIGH`	Government-approved, heavily audited issuers
`MEDIUM`	Commercially trusted, audited issuers
`LOW`	Self-asserted or minimally verified issuers
`NONE`	Not trusted

Android/kotlin
iOS/Swift

// Require minimum trust level
val trustResult = trustValidator.validateTrust(
    certificate = issuerCertificate,
    purpose = TrustPurpose.CREDENTIAL_ISSUER,
    minimumTrustLevel = TrustLevel.MEDIUM
)

if (trustResult is TrustResult.Trusted) {
    // Only accepts HIGH or MEDIUM trust levels
    val level = trustResult.trustLevel
    if (level >= TrustLevel.HIGH) {
        // High assurance credential
    }
}

// Require minimum trust level
let trustResult = try await trustValidator.validateTrust(
    certificate: issuerCertificate,
    purpose: .credentialIssuer,
    minimumTrustLevel: .medium
)

if case .trusted(let result) = trustResult {
    // Only accepts HIGH or MEDIUM trust levels
    let level = result.trustLevel
    if level >= .high {
        // High assurance credential
    }
}

Trust Anchors

Configure root trust anchors for certificate validation:

Android/kotlin
iOS/Swift

// Configure trust anchors
val trustConfig = TrustConfiguration {
    // Add root CA certificates
    trustAnchors {
        // From file
        certificate(loadCertificate("/path/to/root-ca.pem"))

        // From resource
        certificateResource("certificates/root-ca.pem")

        // PEM string
        certificatePem("""
            -----BEGIN CERTIFICATE-----
            MIICxjCCAa6gAwIBAgIIQx...
            -----END CERTIFICATE-----
        """.trimIndent())
    }

    // Trust IACA certificates for mDoc
    iacaTrustAnchors {
        certificate(loadCertificate("/path/to/iaca-root.pem"))
    }
}

val trustValidator = TrustValidator(trustConfig)

// Configure trust anchors
let trustConfig = TrustConfiguration { config in
    // Add root CA certificates
    config.trustAnchors { anchors in
        // From file
        anchors.certificate(cert: loadCertificate(path: "/path/to/root-ca.pem"))

        // From bundle resource
        anchors.certificateResource(name: "certificates/root-ca", extension: "pem")

        // PEM string
        anchors.certificatePem(pem: """
            -----BEGIN CERTIFICATE-----
            MIICxjCCAa6gAwIBAgIIQx...
            -----END CERTIFICATE-----
        """)
    }

    // Trust IACA certificates for mDoc
    config.iacaTrustAnchors { anchors in
        anchors.certificate(cert: loadCertificate(path: "/path/to/iaca-root.pem"))
    }
}

let trustValidator = TrustValidator(configuration: trustConfig)

Trust Policies

Define custom trust policies for specific requirements:

Android/kotlin
iOS/Swift

val policy = TrustPolicy {
    name = "Production Policy"

    // Require certificates from specific issuers
    allowedIssuers {
        issuer("CN=Government Root CA, O=Government, C=US")
        issuer("CN=Acme Identity CA, O=Acme Corp, C=US")
    }

    // Require specific certificate extensions
    requiredExtensions {
        extension(OID.EXTENDED_KEY_USAGE)
        extension(OID.KEY_USAGE)
    }

    // Minimum key strength
    minimumKeySize = 2048

    // Required signature algorithms
    allowedSignatureAlgorithms = setOf(
        SignatureAlgorithm.ES256,
        SignatureAlgorithm.ES384,
        SignatureAlgorithm.RS256
    )

    // Revocation checking
    revocationCheck = RevocationCheckPolicy.REQUIRE_VALID
}

val trustValidator = TrustValidator(
    configuration = trustConfig,
    policy = policy
)

let policy = TrustPolicy { policy in
    policy.name = "Production Policy"

    // Require certificates from specific issuers
    policy.allowedIssuers { issuers in
        issuers.issuer(dn: "CN=Government Root CA, O=Government, C=US")
        issuers.issuer(dn: "CN=Acme Identity CA, O=Acme Corp, C=US")
    }

    // Require specific certificate extensions
    policy.requiredExtensions { extensions in
        extensions.extension(oid: .extendedKeyUsage)
        extensions.extension(oid: .keyUsage)
    }

    // Minimum key strength
    policy.minimumKeySize = 2048

    // Required signature algorithms
    policy.allowedSignatureAlgorithms = Set([.es256, .es384, .rs256])

    // Revocation checking
    policy.revocationCheck = .requireValid
}

let trustValidator = TrustValidator(
    configuration: trustConfig,
    policy: policy
)

Configuration

Configure trust validation via properties:

# Trust anchors
trust.anchors.path=/path/to/trust-anchors/
trust.anchors.include-system=true

# IACA trust for mDoc
trust.iaca.path=/path/to/iaca-certs/

# Trust lists
trust.lists.etsi.enabled=true
trust.lists.etsi.url=https://trust.example.com/tsl.xml
trust.lists.etsi.refresh-interval-hours=24

# Revocation checking
trust.revocation.enabled=true
trust.revocation.prefer-ocsp=true
trust.revocation.cache-duration-hours=1

# Policy
trust.policy.minimum-key-size=2048
trust.policy.minimum-trust-level=MEDIUM

Next Steps

ETSI Trust Lists - Work with European trust service lists
Certificate Validation - Detailed certificate chain validation

Why Trust Matters​

Trust Components​

Trust Validation Flow​

Core Components​

Basic Trust Validation​

Trust Purposes​

Trust Levels​

Trust Anchors​

Trust Policies​

Configuration​

Next Steps​