Trust over IP (ToIP)

The ToIP stack is defined by four distinct layers that separate technical trust from human trust.

• Layer 1: Utility Layer: The decentralized ledger or peer-to-peer network that provides a root of trust for public keys and decentralized identifiers (DIDs).
• Layer 2: Agent Layer: The software agents (wallets, edge devices) that manage keys, DIDs, and perform cryptographic operations for holders and verifiers.
• Layer 3: Credential Layer: The ecosystem for issuing, holding, and verifying W3C Verifiable Credentials and W3C Verifiable Presentations.
• Layer 4: Governance Layer: The human-centric rules, policies, and standards that define how trust is established and maintained between participating organizations and individuals.

A ToIP Governance Framework (GF) is a formal specification for Layer 4, defining the rules of the road for a specific trust ecosystem. It answers critical questions about identity assurance, credential schemas, liability, and dispute resolution. Key components include:

• Governance Authority: The entity responsible for maintaining the GF.
• Controlled Documents: The specific policies, standards, and requirements participants must follow.
• Roles & Responsibilities: Definitions for Issuers, Holders, Verifiers, and other ecosystem actors.
• Risk Assessment & Liability: Clear rules for managing trust failures and assigning accountability.

A Trust Registry is a critical component of a ToIP Governance Framework, acting as a verifiable, machine-readable directory of trusted entities. It answers the question: "Who is authorized to do what?" in the ecosystem.

• Lists Authorized Participants: Registers approved Issuers, Verifiers, and accredited credential schemas.
• Machine-Verifiable: Uses DIDs and Verifiable Credentials to allow automated agents to check authorization status.
• Decentralized Operation: Can be implemented on a blockchain or other decentralized systems to avoid a single point of control or failure.
• Example: A university trust registry would list which departments are authorized to issue digital diplomas.

ToIP is built on and promotes open, global standards to ensure systems can work together across organizational and national boundaries.

• Core Standards: Heavily relies on W3C Decentralized Identifiers (DIDs) and W3C Verifiable Credentials (VCs).
• Hyperledger Aries: A common open-source project for implementing the Agent and Credential layers, providing interoperable protocols like DIDComm for secure messaging.
• SSI Principles: Embodies principles of Self-Sovereign Identity (SSI), giving individuals control over their credentials and data sharing.
• Cross-Ecosystem Trust: The layered design allows different governance frameworks to interoperate by establishing mutual recognition agreements at Layer 4.

ToIP architecture is being deployed to solve complex trust challenges across industries.

• Digital Wallets & Credentials: Government-issued digital driver's licenses (e.g., mDL) and employee ID badges.
• Supply Chain Provenance: Verifying the ethical sourcing and authenticity of products from origin to consumer.
• Healthcare: Secure, patient-controlled sharing of medical records and vaccination credentials between providers.
• Finance & KYC: Streamlining Know Your Customer (KYC) processes, allowing reusable identity verification to reduce friction and cost.

ToIP provides the foundational architecture for Self-Sovereign Identity (SSI), enabling individuals to own and control their verifiable credentials without relying on a central authority. Users store credentials in a digital wallet and present cryptographically signed proofs.

• Example: A citizen receives a digital driver's license from a government issuer, stores it in their wallet, and presents it to a car rental service (verifier) without revealing unnecessary personal data.

ToIP standards are being piloted for secure and privacy-preserving digital travel credentials. This allows airlines and border control agencies from different countries to verify passenger identities and health statuses (e.g., vaccination records) efficiently.

• Key Components: W3C Verifiable Credentials for the data format and DIDComm for secure, peer-to-peer messaging between wallets and verifiers.

Organizations use ToIP frameworks to streamline Know Your Customer (KYC) and employee verification. A bank can issue a reusable, verified credential after an initial KYC check, which the customer can then present to other trusted partners, reducing repetitive paperwork.

• Benefit: Dramatically reduces friction, cost, and data duplication while enhancing user privacy through selective disclosure.

ToIP enables verifiable claims about a product's origin, ethical sourcing, or carbon footprint to travel with the physical goods. Each entity in the chain (manufacturer, shipper, retailer) can issue credentials about their role, creating an immutable chain of trust.

• Use Case: A consumer scans a QR code on a product to instantly verify its organic certification and fair-trade credentials from the original farm.

Universities and certification bodies can issue tamper-proof digital diplomas and badges as verifiable credentials. Graduates can share these credentials with employers or other institutions instantly, eliminating the need for manual transcript requests and verification.

• Standards Involved: Leverages the Open Badges standard built on ToIP and W3C Verifiable Credentials specifications.

Zero-Knowledge Proofs (ZKPs) are cryptographic protocols that allow one party (the prover) to prove to another (the verifier) that a statement is true without revealing the underlying data.

• Key Benefit: Enables selective disclosure and privacy-preserving verification.
• Use Case: Proving you are over 21 without revealing your birth date from a Verifiable Credential.
• Role in ToIP: A critical technology for implementing privacy-enhancing verification protocols within the credential exchange layer.

Trust Registries are decentralized, governance frameworks that list the trusted authorities, schemas, and credential definitions permitted within a specific ToIP ecosystem.

• Function: They answer "who is authorized to issue what?"
• Governance: Managed by a Governance Authority using a Governance Framework.
• Role in ToIP: Forms Layer 2 of the stack, providing the rules and registries that enable interoperable trust between different organizations and networks.

Self-Sovereign Identity (SSI) is a model for digital identity where individuals or organizations have sole ownership and control over their credentials and identity data, without relying on centralized authorities.

• Core Principles: User control, portability, and minimal disclosure.
• Enabling Tech: Built using DIDs and Verifiable Credentials.
• Relation to ToIP: ToIP provides the complete, interoperable architecture to realize SSI at a global scale.

Governance Frameworks are the legal, technical, and business rules that govern a specific ToIP ecosystem or trust community.

• Purpose: Define the roles, policies, and standards that all participants must follow.
• Example: The ToIP Governance Stack (Layers 3 & 4) separates Governance Frameworks from Technical Standards.
• Critical Role: They provide the legal and operational certainty required for trusted digital interactions, making decentralized trust legally enforceable.