Subscribing to Trust Lists
Overview
Procivis One enables you to subscribe to different kinds of trust lists and resolve trust information during interactions. Refer to the Standards for the latest list of supported trust list standards.
The workflow for subscribing to trust lists:
Create a trust collection
Add a trust list (or list of lists) to a collection
Prerequisites
When you add a trust list subscription, you must reference a configured trust list subscriber instance. See the ETSI Trust List Configuration Guide.
Creating a collection
A trust collection is a container for trust list subscriptions.
POST /api/trust-collection/v1
Content-Type: application/json
Accept: application/json
Authorization: Bearer <TOKEN>
{
"name": "Trust Collection",
"organisationId": "{{ORG-UUID}}" // only needed when not using STS auth
}
Returns:
{
"id": "{{TRUST-COLLECTION-UUID}}"
}
Store the returned trust collection ID for the next step.
Adding a subscription
Subscribe to a trust list by adding an entry to a trust collection.
POST /api/trust-collection/v1/{trust-collection-id}/trust-list
Content-Type: application/json
Accept: application/json
Authorization: Bearer <TOKEN>
{
"name": "EU LoTE",
"reference": "https://example-trust.com/list",
"role": "PID_PROVIDER",
"type": "LOTE_SUBSCRIBER"
}
reference - Provide the URL where the trust list is published.
role - For Lists of Trusted Entities (LoTE) only. Each list in a LoTE is separated by role; provide the role the list is published for. This is an enum and the options can be seen in the API schema.
type - Reference a configured instance of trustListSubscriber. Refer to Core Config Reference - Trust list subscriber for supported types.
Returns:
{
"id": "{{TRUST-ENTRY-UUID}}"
}
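The two-step workflow above (create a collection, then add a LoTE subscription to it) as an added Python example; this is not code from the Procivis One documentation or its SDKs. It assumes a base URL and bearer token you supply, and the https-only check on the reference is a client-side sanity check added here, not a documented server rule.

```python
import json
import urllib.request
from typing import Callable, Optional

# A transport is (method, path, json_body) -> parsed JSON response. It is
# injected so the workflow can be exercised offline against a fake transport.
Transport = Callable[[str, str, Optional[dict]], dict]

def http_transport(base_url: str, token: str) -> Transport:
    """Real transport: sends the request with the headers shown in the docs."""
    def send(method: str, path: str, body: Optional[dict]) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method)
        req.add_header("Content-Type", "application/json")
        req.add_header("Accept", "application/json")
        req.add_header("Authorization", f"Bearer {token}")
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return send

def create_collection(send: Transport, name: str,
                      organisation_id: Optional[str] = None) -> str:
    """POST /api/trust-collection/v1 and return the new collection id."""
    body = {"name": name}
    if organisation_id is not None:  # only needed when not using STS auth
        body["organisationId"] = organisation_id
    return send("POST", "/api/trust-collection/v1", body)["id"]

def add_subscription(send: Transport, collection_id: str, name: str,
                     reference: str, subscriber_type: str,
                     role: Optional[str] = None) -> str:
    """POST .../{collection_id}/trust-list and return the new entry id."""
    # Client-side sanity check added here (assumption): fetch trust lists over
    # TLS only; the server's own validation of the entry still applies.
    if not reference.startswith("https://"):
        raise ValueError("trust list reference must be an https:// URL")
    body = {"name": name, "reference": reference, "type": subscriber_type}
    if role is not None:  # LoTE lists are published per role, e.g. PID_PROVIDER
        body["role"] = role
    path = f"/api/trust-collection/v1/{collection_id}/trust-list"
    return send("POST", path, body)["id"]

def subscribe_to_lote(send: Transport, collection_name: str, list_name: str,
                      reference: str, role: str) -> tuple:
    """Run both steps: create the collection, then add the LoTE subscription."""
    collection_id = create_collection(send, collection_name)
    entry_id = add_subscription(send, collection_id, list_name, reference,
                                "LOTE_SUBSCRIBER", role)
    return collection_id, entry_id
```

For a live run, pass `http_transport("https://your-host", "<TOKEN>")` as `send`; the returned entry id is what you keep for later management of the subscription.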
How trust information is used
Trust resolution applies to wallet and verifier flows; issuer-side validation of wallet provider trust lists is not yet implemented.
In addition to the automated validation described below, trust information can also be resolved on any given identifier using POST /api/identifier/v1/resolve-trust-entries.
Wallets
Trust information is resolved after connecting with an issuer's offer or a verifier's request, and the wallet shows the entity as "untrusted" or "trusted". By default, all interactions are allowed. The user can, however, toggle in the settings whether to restrict interactions to only trusted entities. In this case, interactions with untrusted entities will fail. For more details, see Wallets - Handling Trust Information.
Verifiers
For the Verifier App, trust information is resolved when receiving a presentation, and the issuer is shown as either "untrusted" or "trusted". By default, all interactions are allowed. The user can, however, toggle in the settings whether to restrict interactions to only trusted entities. In this case, interactions with untrusted issuers will fail.
Sharing subscriptions
A trust list subscription applies to the subscribing organization, but can be shared in a few ways.
In server environments
In multi-tenant setups, assign a parent organization to automatically subscribe to the trust collections of the parent. Child organizations can additionally add their own subscriptions. See Organization hierarchy for details.
In wallet apps
Wallet Providers can offer a defined set of trust collections for wallet users to optionally subscribe to. Additionally, providers can enable a toggle in the wallet that lets users block all interactions with untrusted entities. See Wallet Provider Configuration for details.