1. Trust Model & Roles
Roles
- Trust Anchor: VeriTrust (issues accreditation VCs to issuers).
- Issuer: e.g., Neksus AI (issues Agent VCs).
- Holder / Agent: software agents with did:key identifiers.
- Verifier: relying parties validating VCs and status.
Identifiers
- VeriTrust DID: did:web:veritrust.vc
- Issuer DIDs: did:web:<issuer-domain>
- Agents: did:key:<multibase> (self-certifying)
2. Discovery & Endpoints
| Artifact | URL | Notes |
|---|---|---|
| DID Document (VeriTrust) | /.well-known/did.json | Contains verification methods and services. |
| JWKS | /.well-known/jwks.json | Public JWKs; each kid matches the id of a verification method in the DID document. |
| OID4VCI Issuer Metadata | /.well-known/openid-credential-issuer | Wallet discovery for issuance. |
| Issuer Landing | /issuer | Human entry point & service directory. |
| OAuth2 Token | /oauth2/token | Supports pre-authorized_code; authorization_code optional. |
| Credential Issuance | /oidc/credential | Issues jwt_vc credentials (ES256K). |
| Status Lists | /status/ | Publishes StatusList2021 credentials and bitstrings. |
| Policy (this page) | /trust/policy | Human-readable governance & requirements. |
3. Cryptography & Keys
4. Accreditation of Issuers
VeriTrust issues Accreditation Credentials to issuers (e.g., Neksus AI) asserting eligibility to issue specific credential types.
- Subject: issuer DID (did:web:<domain>).
- Format: jwt_vc, signed by did:web:veritrust.vc (ES256K).
- Claims: accreditation scope, legal name, effective/expiry dates.
- Status: revocable via StatusList2021.
```json
{
  "type": ["VerifiableCredential", "AccreditationCredential"],
  "issuer": "did:web:veritrust.vc",
  "credentialSubject": {
    "id": "did:web:neksus.ai",
    "accredited": true,
    "scope": ["AgentOwnershipCredential"]
  }
}
```
5. Issuance Policy (OID4VCI)
- Discovery: wallets read /.well-known/openid-credential-issuer.
- Token: /oauth2/token supports pre-authorized_code (no UI) and MAY support authorization_code.
- Credential: /oidc/credential accepts format: "jwt_vc" and a holder proof.jwt containing the server's c_nonce.
- Subject binding: subject DID is derived from pre-auth context or holder proof (iss).
- Minimization: include only necessary claims; avoid PII where possible.
6. Revocation & Status
VeriTrust and accredited issuers publish StatusList2021 credentials and the gzip-compressed, base64url-encoded bitstrings they carry. A set bit at a credential's statusListIndex means that entry is revoked or suspended, according to the list's statusPurpose. Relying parties MUST check status for every credential that carries a credentialStatus field.
```json
{
  "credentialStatus": {
    "id": "https://veritrust.vc/status/agents-2025#12345",
    "type": "StatusList2021Entry",
    "statusListIndex": "12345",
    "statusListCredential": "https://veritrust.vc/status/agents-2025/status_vc.json"
  }
}
```
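Both sides of that mechanism, as an added example (not VeriTrust's or Veramo's code): the publisher sets the bits of flagged indices in a bitstring of at least 16 KB, gzips and base64url-encodes it into a StatusList2021Credential; the verifier, after verifying that credential's signature (out of scope here), confirms it is the list the credential points to, that its issuer is the credential's issuer, that the statusPurpose matches, and reads the bit. The sample credential reuses the credentialStatus entry from this page with a statusPurpose added, the flagged indices are constructed, the issuer-must-match rule is an assumed verifier policy, and bits are read most-significant-bit first as the status list specifications define.

```python
import base64
import gzip

MIN_BITS = 131072  # StatusList2021 minimum list size (16 KB): large lists hide how many credentials exist


def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_status_list(issuer: str, list_url: str, flagged: set, purpose: str = "revocation",
                      size_bits: int = MIN_BITS) -> dict:
    """Publisher side: the StatusList2021 credential body (still to be signed by `issuer`).
    Bit i is read left to right, most significant bit of each byte first."""
    bits = bytearray(size_bits // 8)
    for i in flagged:
        if not 0 <= i < size_bits:
            raise ValueError(f"index {i} is outside the list")
        bits[i // 8] |= 0x80 >> (i % 8)
    return {
        "@context": ["https://www.w3.org/2018/credentials/v1", "https://w3id.org/vc/status-list/2021/v1"],
        "id": list_url,
        "type": ["VerifiableCredential", "StatusList2021Credential"],
        "issuer": issuer,
        "credentialSubject": {
            "id": list_url + "#list",
            "type": "StatusList2021",
            "statusPurpose": purpose,
            "encodedList": b64u(gzip.compress(bytes(bits))),
        },
    }


def is_flagged(credential: dict, status_vc: dict) -> bool:
    """Verifier side: evaluate credential["credentialStatus"] against a fetched status list credential.
    The caller has already verified status_vc's signature; this function checks everything else."""
    entry = credential.get("credentialStatus")
    if entry is None:
        return False  # policy: only credentials carrying credentialStatus are status-checked
    if entry.get("type") != "StatusList2021Entry":
        raise ValueError("unsupported credentialStatus type")
    if status_vc.get("id") != entry["statusListCredential"]:
        raise ValueError("fetched list is not the one the credential points to")
    if status_vc.get("issuer") != credential["issuer"]:
        raise ValueError("status list not published by the credential's issuer")  # assumed verifier policy
    subject = status_vc["credentialSubject"]
    if subject.get("statusPurpose") != entry.get("statusPurpose", "revocation"):
        raise ValueError("statusPurpose of list and entry differ")
    bits = gzip.decompress(b64u_decode(subject["encodedList"]))
    index = int(entry["statusListIndex"])
    if not 0 <= index < len(bits) * 8:
        raise ValueError("statusListIndex beyond the end of the list")
    return bool(bits[index // 8] & (0x80 >> (index % 8)))


# Constructed sample: the credentialStatus entry from this page inside a minimal credential body.
LIST_URL = "https://veritrust.vc/status/agents-2025/status_vc.json"
SAMPLE_CREDENTIAL = {
    "type": ["VerifiableCredential", "AgentOwnershipCredential"],
    "issuer": "did:web:veritrust.vc",
    "credentialStatus": {
        "id": "https://veritrust.vc/status/agents-2025#12345",
        "type": "StatusList2021Entry",
        "statusPurpose": "revocation",
        "statusListIndex": "12345",
        "statusListCredential": LIST_URL,
    },
}
PUBLISHED_LIST = build_status_list("did:web:veritrust.vc", LIST_URL, flagged={12345, 40})

if __name__ == "__main__":
    print("revoked:", is_flagged(SAMPLE_CREDENTIAL, PUBLISHED_LIST))  # True: bit 12345 is set
```

Every mismatch (wrong list, wrong issuer, wrong purpose, index past the end) raises rather than returning "not revoked", so a verifier cannot accidentally treat a broken status check as a clean one.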
7. Verification Expectations
- Resolve the issuer DID (iss) and obtain its public key from the DID document verification method named by the token's kid, or from the JWKS entry with the same kid.
- Verify the VC signature: reject any alg other than ES256K, then check nbf/exp if present.
- Verify the accreditation chain: VeriTrust → Issuer, i.e. the issuer holds an unrevoked AccreditationCredential signed by VeriTrust whose scope includes the presented credential type.
- Verify subject binding (holder proof and/or VC subject DID).
- Check credentialStatus if provided.
- Apply relying-party policy (scope, purpose, freshness).
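The verification steps above carried through as one added example (not VeriTrust's or Veramo's code): a trust anchor key signs an AccreditationCredential as jwt_vc, the accredited issuer signs an agent credential, and the verifier resolves each iss to a key, verifies the ES256K signature, checks nbf/exp, checks that the accreditation comes from the anchor and that its scope covers the presented credential type, checks subject binding, and consults a revocation set. ES256K is implemented in plain Python so the block runs without extra packages. The DID documents, keys, kid values, the agent's did:key and the status list URL are constructed placeholders, and the `revoked` dictionary stands in for fetching and decoding the status lists.

```python
import base64, hashlib, json, secrets

# ES256K is ECDSA over secp256k1 with SHA-256. Plain-Python curve arithmetic so the example needs no
# extra packages; it is not constant-time, so production signing belongs in a real library or a KMS.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p, q):  # affine point addition; None is the point at infinity
    if p is None or q is None:
        return p or q
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    lam = (3 * p[0] * p[0] * pow(2 * p[1], -1, P) if p == q
           else (q[1] - p[1]) * pow(q[0] - p[0], -1, P)) % P
    x = (lam * lam - p[0] - q[0]) % P
    return x, (lam * (p[0] - x) - p[1]) % P

def ec_mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def ecdsa_sign(d, msg):
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = ec_mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * d) % N
        if r and s:
            return r.to_bytes(32, "big") + s.to_bytes(32, "big")  # JOSE uses raw r||s, not DER

def ecdsa_verify(pub, msg, sig):
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if len(sig) != 64 or not (0 < r < N and 0 < s < N):
        return False
    z, w = int.from_bytes(hashlib.sha256(msg).digest(), "big"), pow(s, -1, N)
    pt = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def b64u(data): return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64u_decode(text): return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwt_vc_sign(d, kid, claims):
    head = b64u(json.dumps({"alg": "ES256K", "typ": "JWT", "kid": kid}).encode())
    body = b64u(json.dumps(claims).encode())
    return f"{head}.{body}." + b64u(ecdsa_sign(d, f"{head}.{body}".encode()))

def jwt_vc_verify(did_docs, token, now):
    """Section 7 steps 1-2: resolve iss to its key, verify ES256K, check nbf/exp; returns the claims."""
    head, body, sig = token.split(".")
    header, claims = json.loads(b64u_decode(head)), json.loads(b64u_decode(body))
    if header.get("alg") != "ES256K" or not header.get("kid", "").startswith(claims["iss"] + "#"):
        raise ValueError("alg must be ES256K and kid must belong to iss")  # token never picks alg or key owner
    pub = did_docs[claims["iss"]][header["kid"]]  # stands in for resolving did:web to /.well-known/did.json
    if not ecdsa_verify(pub, f"{head}.{body}".encode(), b64u_decode(sig)):
        raise ValueError("bad signature")
    if claims.get("nbf", now) > now or claims.get("exp", now) < now:
        raise ValueError("outside nbf/exp window")
    return claims

def verify_chain(did_docs, revoked, trust_anchor, accreditation_jwt, agent_jwt, now):
    """Section 7 steps 3-5. `revoked` maps a status list URL to the indices whose bit is set."""
    acc = jwt_vc_verify(did_docs, accreditation_jwt, now)
    agent = jwt_vc_verify(did_docs, agent_jwt, now)
    subject = acc["vc"]["credentialSubject"]
    if acc["iss"] != trust_anchor or not subject.get("accredited") or subject["id"] != agent["iss"]:
        raise ValueError("accreditation chain trust anchor -> issuer does not hold")
    types = set(agent["vc"]["type"]) - {"VerifiableCredential"}
    if not types <= set(subject.get("scope", [])):
        raise ValueError(f"credential types {sorted(types)} outside accredited scope")
    if agent["vc"]["credentialSubject"]["id"] != agent["sub"]:
        raise ValueError("sub and credentialSubject.id disagree")
    for claims in (acc, agent):
        status = claims["vc"].get("credentialStatus")
        if status and int(status["statusListIndex"]) in revoked.get(status["statusListCredential"], set()):
            raise ValueError("credential is revoked")
    return agent["vc"]

def demo(scope=("AgentOwnershipCredential",), revoked=None, now=1_800_000_000):
    """Constructed sample: VeriTrust accredits Neksus AI, which issues an agent VC. Keys, DIDs and URLs are made up."""
    anchor, issuer, agent = "did:web:veritrust.vc", "did:web:neksus.ai", "did:key:zAgentPlaceholder"
    d_anchor, d_issuer = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
    did_docs = {anchor: {anchor + "#key-1": ec_mul(d_anchor, G)}, issuer: {issuer + "#key-1": ec_mul(d_issuer, G)}}
    accreditation = jwt_vc_sign(d_anchor, anchor + "#key-1", {
        "iss": anchor, "sub": issuer, "nbf": now - 3600, "exp": now + 365 * 86400,
        "vc": {"type": ["VerifiableCredential", "AccreditationCredential"], "issuer": anchor,
               "credentialSubject": {"id": issuer, "accredited": True, "scope": list(scope)}}})
    agent_vc = jwt_vc_sign(d_issuer, issuer + "#key-1", {
        "iss": issuer, "sub": agent, "nbf": now - 60, "exp": now + 86400,
        "vc": {"type": ["VerifiableCredential", "AgentOwnershipCredential"], "issuer": issuer,
               "credentialSubject": {"id": agent, "owner": issuer},
               "credentialStatus": {"type": "StatusList2021Entry", "statusListIndex": "7",
                                    "statusListCredential": "https://neksus.ai/status/agents-2025/status_vc.json"}}})
    return verify_chain(did_docs, revoked or {}, anchor, accreditation, agent_vc, now)
```

`demo()` returns the agent VC body when the whole chain holds; `demo(scope=("OtherCredential",))` and `demo(revoked={"https://neksus.ai/status/agents-2025/status_vc.json": {7}})` raise ValueError. Two details matter in practice: the key is looked up by the token's iss, never by a key the token carries itself, and the kid must sit under that same DID, so a valid signature from some other DID's key never verifies a credential claiming to come from VeriTrust or Neksus AI.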
8. Privacy & Data Protection
- Data minimization: credentials contain only necessary claims.
- No central aggregation of presented credentials; verification is stateless.
- Logs exclude credential contents where feasible (hashes/metadata only).
- Retention: operational logs ≤ 90 days unless required for incident response or legal obligations.
9. Security, KMS & Rotation
- Private keys stored in Veramo KMS (local HSM/secure enclave or encrypted at rest).
- Rotation: at most 12 months; emergency rotation immediate with overlap in DID/JWKS.
- Domain linkage: recommended via /.well-known/did-configuration.json.
- TLS everywhere; HSTS on public endpoints.
10. Interoperability
- W3C DID Core, VC Data Model v2.
- VC format: jwt_vc (JOSE), optionally DataIntegrity Proofs.
- OpenID4VCI metadata and flows per current drafts.
11. Changes & Contact
Material changes to this policy will update the version and "Last updated" date. Breaking cryptographic changes will be announced with at least 14-day overlap where possible.