Subscribing to Trust Lists

Overview

Procivis One enables you to subscribe to different kinds of trust lists and resolve trust information during interactions. Refer to the Standards for the latest list of supported trust list standards.

The workflow for subscribing to trust lists:

  1. Create a trust collection

  2. Add a trust list (or list of lists) to a collection

Prerequisites

When you add a trust list subscription, you must reference a configured trust list subscriber instance. See the ETSI Trust List Configuration Guide.

Creating a collection

A trust collection is a container for trust list subscriptions.

POST /api/trust-collection/v1
Content-Type: application/json
Accept: application/json
Authorization: Bearer <TOKEN>
{
  "name": "Trust Collection",
  "organisationId": "{{ORG-UUID}}" // only needed when not using STS auth
}

Returns:

{
  "id": "{{TRUST-COLLECTION-UUID}}"
}

Tip: Store the returned trust collection ID for the next step.

Adding a subscription

Subscribe to a trust list by adding an entry to a trust collection.

POST /api/trust-collection/v1/{trust-collection-id}/trust-list
Content-Type: application/json
Accept: application/json
Authorization: Bearer <TOKEN>
{
  "name": "EU LoTE",
  "reference": "https://example-trust.com/list",
  "role": "PID_PROVIDER",
  "type": "LOTE_SUBSCRIBER"
}
  • reference - Provide the URL where the trust list is published.
  • role - For Lists of Trusted Entities (LoTE) only. Each list in a LoTE is separated by role; provide the role the list is published for. This is an enum and the options can be seen in the API schema.
  • type - Reference a configured instance of trustListSubscriber. Refer to Core Config Reference - Trust list subscriber for supported types.

Returns:

{
  "id": "{{TRUST-ENTRY-UUID}}"
}
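The two-step workflow above (create a collection, then add a trust list to it using the returned ID) as a small Python client. This is an added example, not code from Procivis One: the HTTP call is injected as a `send` callable so the flow can run offline, `RecordingTransport` is a constructed stand-in for a real HTTP client, and the https-only check on `reference` is a local hardening choice, not a requirement stated in the documentation.

```python
"""Two-step trust-list subscription against the Procivis One API (added example,
not Procivis One code). The HTTP call is injected as `send(method, url, headers,
body) -> parsed JSON`; RecordingTransport is a constructed offline stand-in."""
from typing import Optional

def _headers(token: str) -> dict:
    return {"Content-Type": "application/json", "Accept": "application/json",
            "Authorization": f"Bearer {token}"}

def create_trust_collection(send, base_url: str, token: str, name: str,
                            organisation_id: Optional[str] = None) -> str:
    """Step 1: POST /api/trust-collection/v1 and return the collection id.
    organisationId is sent only when given (it is not needed with STS auth)."""
    body = {"name": name}
    if organisation_id is not None:
        body["organisationId"] = organisation_id
    return send("POST", f"{base_url}/api/trust-collection/v1", _headers(token), body)["id"]

def add_trust_list(send, base_url: str, token: str, collection_id: str, name: str,
                   reference: str, list_type: str, role: Optional[str] = None) -> str:
    """Step 2: POST /api/trust-collection/v1/{id}/trust-list and return the entry id.
    `role` applies to LoTE lists only, so it is sent only when set."""
    if not reference.startswith("https://"):  # local hardening choice: https only
        raise ValueError("reference must be the https URL where the list is published")
    body = {"name": name, "reference": reference, "type": list_type}
    if role is not None:
        body["role"] = role
    url = f"{base_url}/api/trust-collection/v1/{collection_id}/trust-list"
    return send("POST", url, _headers(token), body)["id"]

def subscribe(send, base_url: str, token: str, collection_name: str, list_name: str,
              reference: str, list_type: str, role: Optional[str] = None,
              organisation_id: Optional[str] = None) -> tuple:
    """Run both steps, carrying the stored collection id from step 1 into step 2."""
    collection_id = create_trust_collection(send, base_url, token, collection_name, organisation_id)
    entry_id = add_trust_list(send, base_url, token, collection_id, list_name, reference, list_type, role)
    return collection_id, entry_id

class RecordingTransport:
    """Constructed offline stand-in for an HTTP client: records requests, returns canned ids."""
    def __init__(self):
        self.calls = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, headers, body))
        return {"id": f"fake-id-{len(self.calls)}"}
```

Replace `RecordingTransport` with a function that performs the real request (for example via `requests.post(url, headers=headers, json=body).json()`) to run against a deployment.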

How trust information is used

Trust resolution applies to wallet and verifier flows; issuer-side validation of wallet provider trust lists is not yet implemented. In addition to the automated validation described below, trust information can also be resolved on any given identifier using POST /api/identifier/v1/resolve-trust-entries.

Wallets

Trust information is resolved after connecting with an issuer's offer or a verifier's request, and the wallet shows the entity as "untrusted" or "trusted". By default, all interactions are allowed. The user can, however, toggle in the settings whether to restrict interactions to only trusted entities. In this case, interactions with untrusted entities will fail. For more details, see Wallets - Handling Trust Information.

Verifiers

For the Verifier App, trust information is resolved when receiving a presentation, and the issuer is shown as either "untrusted" or "trusted". By default, all interactions are allowed. The user can, however, toggle in the settings whether to restrict interactions to only trusted entities. In this case, interactions with untrusted issuers will fail.

Sharing subscriptions

A trust list subscription applies to the subscribing organization, but can be shared in a few ways.

In server environments

In multi-tenant setups, assign a parent organization to automatically subscribe to the trust collections of the parent. Child organizations can additionally add their own subscriptions. See Organization hierarchy for details.

In wallet apps

Wallet Providers can offer a defined set of trust collections for wallet users to optionally subscribe to. Additionally, providers can enable a toggle in the wallet that lets users block all interactions with untrusted entities. See Wallet Provider Configuration for details.