Overview
The Trust Registry Service manages ETSI trust lists for credential verification. It enables verifying whether a credential issuer is listed in an official trust list—such as an EU member state's Trusted Service List (TSL) or an industry-specific trust list.
When linked to a Verifier2 Service, the Trust Registry enables the etsi-trust-list verification policy to resolve issuer certificates against loaded trust sources without external network calls at verification time.
The Trust Registry Service is controlled by the trust-registry feature flag. Enable it by adding it to enabledFeatures in your _features.conf.
Key Capabilities
- Multi-format trust list support — Load trust lists in TSL XML (ETSI TS 119 612), LoTE JSON (ETSI TS 119 602), or PILOT format (EWC).
- XMLDSig signature validation — Cryptographically verify trust list authenticity.
- Certificate resolution — Look up issuer certificates against all loaded trust sources.
- Verifier2 integration — Link to Verifier2 for automatic trust verification during credential presentation.
- Multi-tenant isolation — Each organization/tenant gets its own trust registry instance.
Service Dependencies
The Trust Registry Service can be linked to other services:
- Verifier2 Service — When Verifier2 has the Trust Registry as a dependency, the etsi-trust-list policy automatically uses it for certificate resolution.
Supported Trust List Formats
| Format | Standard | Example |
|---|---|---|
| TSL XML | ETSI TS 119 612 | Austrian TSL |
| LoTE JSON | ETSI TS 119 602 | Custom trust lists in JSON format |
| PILOT | EWC Consortium | EWC Trust List |
Entity Types
Trust lists contain entities classified by their role in the credential ecosystem:
| Entity Type | Description |
|---|---|
| PID_PROVIDER | Personal ID credential issuers (mDL, national ID) |
| WALLET_PROVIDER | Authorized wallet applications |
| ATTESTATION_PROVIDER | Attestation and certificate issuers |
| TRUST_SERVICE_PROVIDER | Generic eIDAS trust services |
Trust Decision Model
When resolving a certificate, the service returns a rich decision object:
| Decision | Meaning |
|---|---|
| TRUSTED | Certificate found in a valid, fresh trust source |
| NOT_TRUSTED | Certificate not found in any loaded trust source |
| STALE_SOURCE | Certificate found, but the trust source is outdated |
| UNKNOWN | Unable to determine trust status |
Each decision includes:
- Authenticity state — Whether the trust list's XMLDSig signature was validated (VALIDATED, SKIPPED_DEMO, FAILED)
- Freshness state — Whether the source is current (FRESH, STALE, EXPIRED)
- Matched entity details — Information about the trusted entity and service that matched
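A caller that consumes this decision object should fail closed on anything other than a trusted, signature-validated, fresh result. The sketch below is an added example, not the service's own code or API: the JSON field names (`decision`, `authenticity`, `freshness`) and the `allow_demo` switch are assumptions, and only the enum values come from this page.

```python
import json

# Enum values are taken from the page; the JSON field names are hypothetical.
DECISIONS = {"TRUSTED", "NOT_TRUSTED", "STALE_SOURCE", "UNKNOWN"}
AUTHENTICITY = {"VALIDATED", "SKIPPED_DEMO", "FAILED"}
FRESHNESS = {"FRESH", "STALE", "EXPIRED"}
FIELDS = (("decision", DECISIONS), ("authenticity", AUTHENTICITY), ("freshness", FRESHNESS))

# Constructed sample responses (not captured from a real service).
SAMPLES = {
    "good": '{"decision":"TRUSTED","authenticity":"VALIDATED","freshness":"FRESH"}',
    "demo": '{"decision":"TRUSTED","authenticity":"SKIPPED_DEMO","freshness":"FRESH"}',
    "stale": '{"decision":"STALE_SOURCE","authenticity":"VALIDATED","freshness":"STALE"}',
    "inconsistent": '{"decision":"TRUSTED","authenticity":"FAILED","freshness":"FRESH"}',
    "new_enum": '{"decision":"TRUSTED","authenticity":"VALIDATED","freshness":"CACHED"}',
}


def evaluate(raw, allow_demo=False):
    """Return (accepted, reasons) for one decision object; reject on any doubt."""
    try:
        obj = json.loads(raw)
    except (TypeError, ValueError):
        return False, ["response is not valid JSON"]
    if not isinstance(obj, dict):
        return False, ["response is not a JSON object"]
    reasons = []
    for name, allowed in FIELDS:
        value = obj.get(name)
        if not isinstance(value, str) or value not in allowed:
            reasons.append(f"{name}: missing or unrecognised value {value!r}")
    if reasons:
        return False, reasons  # unknown or missing state: never guess
    if obj["decision"] != "TRUSTED":
        reasons.append(f"decision is {obj['decision']}")
    if obj["authenticity"] == "FAILED":
        reasons.append("trust list signature validation FAILED")
    if obj["authenticity"] == "SKIPPED_DEMO" and not allow_demo:
        reasons.append("trust list signature was not validated (SKIPPED_DEMO)")
    if obj["freshness"] != "FRESH":
        reasons.append(f"trust source is {obj['freshness']}")
    return not reasons, reasons


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, evaluate(raw))
```

Keep `allow_demo` off outside test environments, so a trust list whose signature was never checked cannot produce an accepted result.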
Get Started
- Setup — Create the service.
- Trust Source Management — Load, list, refresh, and delete trust sources.
- Verifier Integration — Link to Verifier2 for automatic trust verification.
- API Reference — Complete endpoint documentation.
