Verifiable credentials are a powerful solution for verifying data, but whose verifiable credentials are trustworthy in any given use case? Two solutions to this challenge, Trust Registries and Trust Lists, have emerged from two different organizations. We explain their strengths, weaknesses, and differences, the effort to unite these groups, and how you can get involved in developing both.

By Mike Ebert

“How do we know which agents to trust?” is a problem you encounter quickly when creating a decentralized network (“agents” is the generic term for the software that issues, holds and presents, and verifies credentials; think of an “agent” acting on your behalf). Multiple organizations have come up with different answers to this challenge. Two of the most prominent are the Trust Over IP (ToIP) foundation with “Trust Registries,” and the Decentralized Identity Foundation (DIF) with “Trust Lists.” Coordination of these efforts has begun, and at some point in the future, joint and separate work will be defined and duplication will be eliminated in order to provide unified standards for sharing trust information. At the moment, there are some key differences between the two organizations’ approaches.

Trust Registries

To date, a Trust Registry has referred to a solution for sharing trust information via an API: You call the API when you have a question about trust and it provides you with that information, usually one item at a time. Trust Registries also allow for a cached copy of the data when necessary. One strength of a Trust Registry is that it is likely to be up to date: as you are constantly asking questions of the API, you will receive updated data the API has found in real time. But one downside to implementing a Trust Registry based on an API is that it requires a relatively high level of expertise and commitment to develop, host, and maintain.

To use a dictionary as an analogy, you can almost think of a Trust Registry as a search tool for an online dictionary — if you want to know the definition of a specific word, you don’t need to read the entire dictionary to find it.

Trust List

A Trust List is usually described as a solution for sharing trust information through a file-based approach that doesn’t require the heavier support requirements of running or using an API. Being able to publish, retrieve, or load a single file requires less effort for developers than building and maintaining an API. Because copies of the governance file are stored with each software agent, trust data is cached with each one. How often you retrieve that file can be configured, so you might retrieve it once a day or once a month; but whatever the setting, you have caching built in. A huge benefit here is that, should you lose connection to the internet, you can still look up the data you need because it is all stored locally. The tradeoff is that caching can be tricky because you have to consider whether your information is recent enough and deal with the possibility that information has been cached differently by different parties.

To go back to our analogy: With a Trust List, you now have the dictionary in your pocket, so you may need to look through all the words, but you can get the definition of a word without needing an Internet connection.

With a good internet connection, the end user will likely not be able to tell the difference between a Trust Registry and a Trust List; problems may arise for the API-based approach when there is a poor internet connection, and similarly for a Trust List if cached information differs between downloaded files. Each approach has benefits and tradeoffs that ecosystem builders and developers will have to consider.
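The Trust List caching tradeoff described above, as an added example (not code from Indicio, DIF, or ToIP): a local cache that re-fetches the file on a configurable interval, keeps answering from the stored copy while offline, refuses to answer once the copy passes a hard age limit, and records a digest so two parties can check whether they hold the same file. The JSON layout, the class and parameter names, and the DIDs are hypothetical.

```python
import hashlib
import json
import time

# Constructed sample file; this JSON layout is hypothetical, not a DIF or ToIP format.
SAMPLE_FILE = json.dumps({"issuers": [
    {"did": "did:example:clinic", "credentials": ["HealthPass"]},
]}).encode()


class TrustListCache:
    """Local copy of a file-based trust list with explicit freshness rules."""

    def __init__(self, fetch, refresh_after, max_age, clock=time.time):
        self.fetch = fetch                  # callable returning the file's bytes
        self.refresh_after = refresh_after  # seconds between retrieval attempts
        self.max_age = max_age              # seconds after which the copy is unusable
        self.clock = clock
        self.issuers = {}
        self.fetched_at = None
        self.digest = None                  # lets two parties compare their copies

    def _refresh(self):
        raw = self.fetch()
        doc = json.loads(raw)
        issuers = {e["did"]: set(e["credentials"]) for e in doc["issuers"]}
        # Swap in the new copy only after the whole file parsed cleanly.
        self.issuers = issuers
        self.digest = hashlib.sha256(raw).hexdigest()
        self.fetched_at = self.clock()

    def is_trusted(self, did, credential_type):
        now = self.clock()
        if self.fetched_at is None or now - self.fetched_at >= self.refresh_after:
            try:
                self._refresh()
            except (OSError, ValueError, KeyError, TypeError):
                pass  # offline or malformed file: keep the previous copy
        if self.fetched_at is None or now - self.fetched_at > self.max_age:
            # Fail closed rather than answer from a missing or stale list.
            raise LookupError("trust list missing or older than max_age")
        return credential_type in self.issuers.get(did, set())


if __name__ == "__main__":
    cache = TrustListCache(lambda: SAMPLE_FILE, refresh_after=86400, max_age=7 * 86400)
    print(cache.is_trusted("did:example:clinic", "HealthPass"), cache.digest[:12])
```

The gap between `refresh_after` and `max_age` is the window in which a verifier keeps working offline on data that may already have changed upstream, so `max_age` should reflect how quickly a removed issuer must stop being accepted.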

How do they come together?

Led by Indicio’s Sam Curren, representatives from both organizations met at the most recent Internet Identity Workshop (IIW) and, through discussion, realized that their goals have a significant overlap. This has led to collaboration on compatible solutions, with the aim of ensuring minimal or no duplication of effort.

The new goal is a coordinated, agreed-upon data format for sharing trust information. By building on the same data formats, anyone who needs to bridge the gap between API-based and file-based solutions should be able to do so without having to resolve fundamental differences in what is being communicated.

Indicio is working closely with both the DIF and the ToIP Trust Registry Task Force to help define this specification. Indicio also created an open-source governance file editor and is working on open-source reference implementations for how to create, share, interpret, and follow a governance file. Both organizations are likely to stick to their API or file-based approaches as described above, but in providing reference code for delivering trust information in the same format, interoperability between both solutions should be much more achievable.

One useful task for the two organizations would be to agree on a single name, so that people are not confused by artificial distinctions between Trust Registries and Trust Lists. The real differences lie in how the trust information is delivered via an API or a file and not in the core purpose or format.

If you are interested in this conversation, I highly encourage you to get involved in the discussions that are taking place right now as they are shaping the technology. You can find out more information on the ToIP (Trust Registry) solution here, and the DIF (Trust List) solution here.

If you are looking to implement a solution and have specific questions you think the Indicio team can help with, you can get in touch with us here.

To learn more about how Indicio has implemented trust, see the open-source Governance Editor.