index.html

<!DOCTYPE html>
<html>
  <head>
    <title>Recognized Entities v1.0</title>
    <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
    <!--
      === NOTA BENE ===
      For the three scripts below, if your spec resides on dev.w3 you can check them
      out in the same tree and use relative links so that they'll work offline,
     -->
    <script
      src="https://www.w3.org/Tools/respec/respec-w3c"
      class="remove"
    ></script>
    <script type="text/javascript" class="remove">
      var respecConfig = {
        // specification status (e.g., WD, LCWD, NOTE, etc.). If in doubt use ED.
        specStatus: "ED",

        // the specification's short name, as in http://www.w3.org/TR/short-name/
        shortName: "vc-recognized-entities-1.0",
        subtitle: "VCs for recognized entities and the actions they perform",
        group: "vc",

        // if you wish the publication date to be other than today, set this
        //publishDate:  "2026-05-12",

        // if there is a previously published draft, uncomment this and set its YYYY-MM-DD date
        // and its maturity status
        // previousPublishDate:  "1977-03-15",
        // previousMaturity:  "WD",

        // if there a publicly available Editor's Draft, this is the link
        edDraftURI: "https://w3c.github.io/vc-recognized-entities/",
        //latestVersion: "https://www.w3.org/community/reports/credentials/CG-FINAL-vc-recognition-20260320/",

        // if you wish the publication date to be other than today, set this
        //publishDate: "2026-03-20",

        // if this is a LCWD, uncomment and set the end of its review period
        // lcEnd: "2009-08-05",

        // if you want to have extra CSS, append them to this list
        // it is recommended that the respec.css stylesheet be kept
        //extraCSS:             ["spec.css", "prettify.css"],

        // editors, add as many as you like
        // only "name" is required
        editors: [{
          name: "Isaac Henderson Johnson Jeyakumar",
          company: "Fraunhofer IAO, Germany",
          note: "v1.0"
        }, {
          name: "Manu Sporny",
          company: "Digital Bazaar",
          w3cid: 41758
        }],

        authors: [{
          name: "Isaac Henderson Johnson Jeyakumar",
          company: "Fraunhofer IAO, Germany"
        }, {
          name: "David Chadwick",
          company: "Truetrust Ltd"
        },{
          name: "Manu Sporny",
          company: "Digital Bazaar"
        }, {
          name: "Oskar van Deventer",
          company: "TNO"
        }, {
          name: "Shigeya Suzuki",
          company: "Keio University"
        }, {
          name: "Konstantin Tsabolov",
          company: "Spherity"
        }, {
          name: "Line Kofoed",
          company: "Bloqzone"
        }, {
          name: "Rieks Joosten",
          company: "TNO"
        }],

        //wg: "Credentials Community Group",
        // URI of the public WG page
        //wgURI: "https://www.w3.org/community/credentials/",
        // name (with the @w3c.org) of the public mailing to which comments are due
        //wgPublicList: "public-credentials",
        // URI of the patent status for this WG, for Rec-track documents
        // !!!! IMPORTANT !!!!
        // This is important for Rec-track documents, do not copy a patent URI from a random
        // document unless you know what you're doing. If in doubt ask your friendly neighbourhood
        // Team Contact.
        //wgPatentURI: "https://www.w3.org/community/about/agreements/cla/",
        github: "https://github.com/w3c/vc-recognized-entities/",

        // URI of the patent status for this WG, for Rec-track documents
        // !!!! IMPORTANT !!!!
        // This is important for Rec-track documents, do not copy a patent URI from a random
        // document unless you know what you're doing. If in doubt ask your friendly neighbourhood
        // Team Contact.
        // wgPatentURI:  "",
        maxTocLevel: 4,
        /*preProcess: [ webpayments.preProcess ],
        alternateFormats: [ {uri: "diff-20111214.html", label: "diff to previous version"} ],
        */
        xref: ["URL", "I18N-GLOSSARY", "INFRA", "CID", "VC-DATA-MODEL"],
        otherLinks: [{
          key: "Meetings:",
          data: [{
            value: "View next scheduled meeting",
            href: "https://www.w3.org/events/meetings/07bee2e8-d70d-4471-acf9-b730a2988a19/#next"
          }]
        }],
        // extend the bibliography entries
        localBiblio: {
          "ETSI-TRUST-LISTS": {
            title: "Electronic Signatures and Infrastructures (ESI); Trusted Lists",
            href: ["https://www.etsi.org/deliver/etsi_ts/119600_119699/119612/02.01.01_60/ts_119612v020101p.pdf"],
            authors: ["ETSI"],
            status: "ETSI Standard TS 119 612 V2.1.1 (2015-07)",
            publisher: "ETSI"
          }
        }
      }
    </script>
    <style>
code {
  color: rgb(199, 73, 0);
  font-weight: bold;
}
pre {
  overflow-x: auto;
  white-space: pre-wrap;
}
pre .highlight {
  font-weight: bold;
  color: Green;
}
pre .subject {
  font-weight: bold;
  color: RoyalBlue;
}
pre .property {
  font-weight: bold;
  color: DarkGoldenrod;
}
pre .comment {
  font-weight: bold;
  color: SteelBlue;
  -webkit-user-select: none;
  -moz-user-select: none;
  -ms-user-select: none;
  user-select: none;
}
.color-text {
  font-weight: bold;
  text-shadow: -1px 0 black, 0 1px black, 1px 0 black, 0 -1px black;
}
ol.algorithm {
  counter-reset: numsection;
  list-style-type: none;
}
ol.algorithm li {
  margin: 0.5em 0;
}
ol.algorithm li:before {
  font-weight: bold;
  counter-increment: numsection;
  content: counters(numsection, ".") ") ";
}
.supported {
  background-color: #93c47d;
}
.missing {
  background-color: #e06666;
}
table.simple {
    border-collapse: collapse;
    margin: 25px 0;
    min-width: 400px;
    border: 1px solid #dddddd;
}
table.simple thead tr {
    background-color: #005a9c;
    color: #ffffff;
    text-align: left;
}
table.simple th,
table.simple td {
    padding: 12px 15px;
    vertical-align: top;
    text-align: left;
}
table.simple tbody tr {
    border-bottom: 1px solid #dddddd;
}
table.simple tbody tr:nth-of-type(even) {
    background-color: #00000008;
}
table.simple tbody tr:last-of-type {
    border-bottom: 2px solid #005a9c;
}
    </style>
  </head>
  <body>
    <section id="abstract">
      <p>
This specification describes a data model with which one or more recognized
entities, such as one or more persons and/or organizations, can be described as
known to perform specific actions, such as issuing or verifying a [=verifiable
credential=]. The data model enables the publication or direct sharing of such
information, providing a cryptographically-verifiable and privacy-preserving
mechanism through which a [=holder=] can demonstrate that an entity whose
credential they are using is recognized within a particular ecosystem. The
specification is designed to interoperate with existing "trust infrastructures",
such as X.509 certificate authority lists and ETSI Trust Service Lists, while
enabling new decentralized ecosystems to be built using [=verifiable credentials=].
      </p>
    </section>

    <section id="sotd">

      <p>
This is an experimental specification and is undergoing regular revisions. It is
not fit for production deployment.
      </p>

    </section>

    <section>
      <h2>Introduction</h2>

      <p>
The [=verifiable credential=] ecosystem relies on the ability of [=verifiers=]
to determine whether a particular [=issuer=] is recognized to perform a
particular action, such as [=issuer|issuing=] a certain type of [=verifiable
credential=]. Historically, this determination has often been made through
out-of-band processes, bilateral agreements, or proprietary registries that are
difficult to discover, query, or reason about in an automated way. As [=verifiable
credentials=] are increasingly deployed across sectors such as education, healthcare,
financial services, and government, the need for a standardized, interoperable
mechanism to express and communicate recognition of entities that perform known
actions has become critical. Without such a mechanism, ecosystem participants
are forced to build bespoke "trust infrastructure", leading to fragmentation,
increased integration costs, and barriers to cross-border and cross-sector
interoperability.
      </p>

      <p>
This specification addresses the challenge of expressing recognized entities,
such as people and organizations, and the actions they perform, such as issuing
and verifying, in a decentralized manner by defining a data model that any
entity can use to publish or share recognition information as a [=verifiable
credential=]. Rather than mandating a single central registry, the model allows
any entity — a government body, an industry consortium, a standards
organization, or even a single individual — to issue a
`RecognizedEntityCredential` asserting that they know of one or more
entities that are recognized to perform specific actions. This design enables a
web of overlapping, competing, and complementary "trust registries" to coexist,
allowing ecosystem participants to choose the entities they trust and to reason
across multiple registries. The specification also supports interoperability
with existing "trust infrastructure", such as X.509 certificate authority lists
and ETSI Trust Service Lists, allowing existing recognized entity information to
be referenced and composed into new decentralized ecosystems.
      </p>

      <p>
Readers who are interested in the variety of use cases supported by this
specification are urged to read the
<a href="use-cases.html">use cases document</a>.
The remainder of this document is organized into the following sections:
      </p>

      <ul>
        <li>
Section [[[#data-model]]] defines the core data model, including the
`RecognizedEntity`, `RecognizedAction`, and `RecognizedEntityCredential`
types along with their properties and worked examples.
        </li>
        <li>
Section [[[#security-considerations]]] discusses security considerations
relevant to implementers of this specification.
        </li>
        <li>
Section [[[#privacy-considerations]]] discusses privacy considerations
relevant to implementers of this specification.
        </li>
      </ul>

      <section id="conformance">
        <p>
A <dfn>conforming document</dfn> is any concrete expression of the data model
that complies with the normative statements in this specification. Specifically,
all relevant normative statements in Section
<a href="#data-model"></a> of this document MUST be enforced.
        </p>

        <p>
A <dfn class="lint-ignore">conforming processor</dfn> is any algorithm realized
as software and/or hardware that generates or consumes a
<a>conforming document</a>. Conforming processors MUST produce errors when
non-conforming documents are consumed.
        </p>
        <p>
This document also contains examples that contain JSON and JSON-LD content. Some
of these examples contain characters that are invalid JSON, such as inline
comments (`//`) and the use of ellipsis (`...`) to denote
information that adds little value to the example. Implementers are cautioned to
remove this content if they desire to use the information as valid JSON or
JSON-LD.
        </p>
      </section>

    </section>

    <section>
      <h2>Data Model</h2>

      <p>
The following sections outline the data model that is used by this specification
for Verifiable Issuer and Verifier Lists.
      </p>

<p>
The data model described in this section has been built using input from a
variety of the prior art evaluated for this paper including input from the EBSI
Trusted Issuer Registry, ETSI TS 119 612, eSSIF-Lab TRAIN, the Trust over IP
Foundation Trust Registry Protocol, and Rebooting the Web of Trust input
documents. The data model described in this section is capable of expressing
many, but not all, of the concepts described in those other specifications.
</p>
<p>
The unified data model for this work can be represented as a list of service providers
that represent entities or organizations that provide services such as
credential issuance or validation. The data model also includes the
details of the list operator description.
</p>

    <section>
        <h3>General Properties</h3>

        <p>
The properties in this section can be added to objects found in a
`RecognizedEntityCredential` as defined in Section
[[[#recognizedentitycredential]]]. Each general property listed in
this section is OPTIONAL; none of the values are required to be provided by
an [=issuer=].
        </p>

        <table class="simple">
          <thead>
            <tr>
              <th style="white-space: nowrap">Property</th>
              <th>Description</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td>id</td>
              <td>
A URL that identifies the entity in a globally unambiguous way. The value for
this property is defined in
<a data-cite="VC-DATA-MODEL#identifiers">Section 4.4: Identifiers</a>
of the [[[VC-DATA-MODEL]]] specification.
              </td>
            </tr>
            <tr>
              <td>type</td>
              <td>
The type of the entity. The value for this property is defined in
<a data-cite="VC-DATA-MODEL#types">Section 4.5: Types</a>
of the [[[VC-DATA-MODEL]]] specification. The `type` property MUST be
`RecognizedIssuer` if the entity is an [=issuer=] of [=verifiable credentials=].
              </td>
            </tr>
            <tr>
              <td>name</td>
              <td>
A human-readable name for the entity. The value for this property is defined in
<a data-cite="VC-DATA-MODEL#names-and-descriptions">Section 4.6: Names and Descriptions</a>
of the [[[VC-DATA-MODEL]]] specification.
              </td>
            </tr>
            <tr>
              <td>legalName</td>
              <td>
The official legal name of an organization or entity, as registered with legal
authorities, which can differ from the commonly used name. The value MUST be a
[=string=].
              </td>
            </tr>
            <tr>
              <td>image</td>
              <td>
A URL or image data representing a visual identifier for the entity, such as a
logo, photograph, or icon. The value MUST be a [=URL=].
              </td>
            </tr>
            <tr>
              <td>url</td>
              <td>
A URL pointing to the primary website or web resource associated with the
entity. The value MUST be a [=URL=].
              </td>
            </tr>
            <tr>
              <td>sameAs</td>
              <td>
One or more URLs that refer to the same entity in other contexts or systems,
enabling cross-reference and verification across different platforms.
Each value MUST be a [=URL=].
              </td>
            </tr>
            <tr>
              <td>description</td>
              <td>
A human-readable description providing details about the entity. The value for
this property is defined in
<a data-cite="VC-DATA-MODEL#names-and-descriptions">Section 4.6: Names and Descriptions</a>
of the [[[VC-DATA-MODEL]]] specification.
              </td>
            </tr>
            <tr>
              <td>digestMultibase</td>
              <td>
One or more cryptographic digests used to verify the integrity of resources
associated with the entity. The values for this property are defined in
<a data-cite="VC-DATA-MODEL#integrity-of-related-resources">Section 5.3: Integrity of Related Resources</a>
of the [[[VC-DATA-MODEL]]] specification.
              </td>
            </tr>
          </tbody>
        </table>

    </section>

    <section>
        <h3>RecognizedEntity</h3>

        <p>
A <dfn>recognized entity</dfn> is any entity that is recognized by an [=issuer=]
of a `RecognizedEntityCredential` to perform a specific action.
        </p>

        <table class="simple">
          <thead>
            <tr>
              <th style="white-space: nowrap">Property</th>
              <th>Description</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td>id</td>
              <td>
A URL that identifies the entity in a globally unambiguous way. The value for
this property is defined in
<a data-cite="VC-DATA-MODEL#identifiers">Section 4.4: Identifiers</a>
of the [[[VC-DATA-MODEL]]] specification.
              </td>
            </tr>
            <tr>
              <td>type</td>
              <td>
The `type` property MUST be `RecognizedEntity`. The value for
this property is defined in
<a data-cite="VC-DATA-MODEL#types">Section 4.5: Types</a>
of the [[[VC-DATA-MODEL]]] specification.
              </td>
            </tr>
            <tr>
              <td>recognizedTo</td>
              <td>
A specific action that the [=recognized entity=] is expected to perform as
defined in Section [[[#recognizedaction]]]. This property may occur more
than once if the [=recognized entity=] is expected to perform more than
one action.
              </td>
            </tr>
            <tr>
              <td>recognizedIn</td>
              <td>
An object that contains a reference to a document of recognized entities that
contains this particular [=recognized entity=] as well as the actions it is
known to perform. The `id` value of the object MUST be a
[=URL=]. The `type` value of the object MUST conform to the
<a data-cite="VC-DATA-MODEL#types">type value space </a> defined in
the [[[VC-DATA-MODEL]]] specification and SHOULD be `EtsiTrustServiceList`,
`x509CertificateAuthorityList`, or `RecognizedEntityCredential`.
              </td>
            </tr>
          </tbody>
        </table>

        <p>
Properties from Section [[[#general-properties]]] can be included in
addition to the properties above.
        </p>

        <p>
A `recognizedIn` with a `type` property of `EtsiTrustServiceList` MUST conform
to the [[[ETSI-TRUST-LISTS]]] specification. A list with `type` property of
`x509CertificateAuthorityList` MUST conform to the [[[RFC5280]]] specification.
A list with a `type` property of `RecognizedEntityCredential` MUST conform
to this specification.
        </p>

    </section>

    <section>
        <h3>RecognizedAction</h3>

        <p>
A <dfn>recognized action</dfn> is an action that a [=recognized entity=] is
expected to perform.
        </p>

        <table class="simple">
          <thead>
            <tr>
              <th style="white-space: nowrap">Property</th>
              <th>Description</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td>type</td>
              <td>
The `type` property MUST be `RecognizedAction`.
              </td>
            </tr>
            <tr>
              <td>action</td>
              <td>
A [=string=] that specifies the name of the action to be performed such as
`issue` or `verify`.
              </td>
            </tr>
            <tr>
              <td>recognizedBy</td>
              <td>
A [=URL=], or object containing properties from Section
[[[#general-properties]]], of the entity that performed the task of recognizing.
              </td>
            </tr>
            <tr>
              <td>outputValidation</td>
              <td>
The value of the `outputValidation`
property MUST be one or more data
schemas that provide [=verifiers=] with enough information to determine whether
the provided data conforms to the provided schema(s). Each validator MUST
specify its `type` (for example, `JsonSchema`) and an `id`
property that MUST be a [=URL=]
identifying the schema file. The specific type definition determines the precise
contents of each data schema. If multiple schemas are present, validity is
determined according to the processing rules outlined by each associated `type`
property.
              </td>
            </tr>
          </tbody>
        </table>
    </section>

    <section>
        <h3>RecognizedEntityCredential</h3>

        <p>
When a <dfn>recognized entity credential</dfn>
is published, it MUST be a conforming [=verifiable credential=], as defined in
[[[VC-DATA-MODEL-2.0]]], that expresses the data model specified in the section
that follows. It describes the format of a [=verifiable credential=] that
encapsulates the recognized entities.
        </p>

        <p>
A recognized entity is expressed inside a [=verifiable credential=],
enabling a [=holder=] to provide it directly to a [=verifier=]. This
mechanism, sometimes called "certificate stapling", increases privacy for the
[=holder=] by ensuring that the [=verifier=] does not need to contact the
[=issuer=] to retrieve the recognized entity credential. Still, a [=verifier=] might
choose to ignore the [=holder=]-provided [=recognized entity credential=], even when
its authenticity is verifiable, if, for instance, it desires a more recent
version of the [=recognized entity credential=].
        </p>

        <table class="simple">
          <thead>
            <tr>
              <th style="white-space: nowrap">Property</th>
              <th>Description</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td>id</td>
              <td>
A [=verifiable credential=] that contains a set of recognized entities MAY
express an `id` property to make its retrieval easier for other systems.
              </td>
            </tr>
            <tr>
              <td>type</td>
              <td>
A [=verifiable credential=] that contains a set of recognized entities MUST
express a `type` property that includes the `RecognizedEntityCredential`
value.
              </td>
            </tr>
            <tr>
              <td>issuer</td>
              <td>
The [=issuer=] of the [=verifiable credential=] as
defined in the Verifiable Credentials Data Model specification in
<a href="https://www.w3.org/TR/vc-data-model-2.0/#issuer">
Section 4.76: Issuer</a>. This object MAY also include other properties listed
in Section [[[#general-properties]]].
              </td>
            </tr>
            <tr>
              <td>validFrom</td>
              <td>
The earliest point in time at which the credential is valid. This property is
defined in the Verifiable Credentials Data Model specification in
<a href="https://www.w3.org/TR/vc-data-model-2.0/#validity-period">
Section 4.6: Validity Period</a>.
              </td>
            </tr>
            <tr>
              <td>validUntil</td>
              <td>
The latest point in time at which the credential is valid. This property is
defined in the Verifiable Credentials Data Model specification in
<a href="https://www.w3.org/TR/vc-data-model-2.0/#validity-period">
Section 4.6: Validity Period</a>.
              </td>
            </tr>
            <tr>
              <td>credentialSubject</td>
              <td>
A set of one or more `RecognizedEntity` objects as defined in
Section [[[#recognizedentity]]].
              </td>
            </tr>
        </tbody>
      </table>

      <p>
The following examples demonstrate how recognized entity credentials can be
employed in a variety of use cases. The first example below is used to
publish information about a set of known universities in a particular nation.
      </p>

      <pre class="example" title="A set of known universities in a particular nation">
{
  "@context": [
    "https://www.w3.org/ns/credentials/v2",
    "https://www.w3.org/ns/credentials/examples/v2"
  ],
  "type": [
    "VerifiableCredential",
    "RecognizedEntityCredential"
  ],
  "issuer": {
    "id": "did:web:learning-commission.example",
    "type": "RecognizedIssuer"
  },
  "validFrom": "2025-01-01T00:00:00Z",
  "validUntil": "2030-01-01T00:00:00Z",
  "credentialSubject": [{
    "id": "did:web:university.example",
    "type": "RecognizedEntity",
    "name": "Example Tech",
    "legalName": "Example Polytechnic University",
    "image": "https://university.example/logo.png",
    "url": "https://www.university.example/",
    "description": "A university providing a great education in Utopia Valley.",
  }, {
    "id": "did:web:college.example",
    "type": "RecognizedEntity",
    "name": "Exemplar Community College",
    "legalName": "Community College of Examples and ",
    "image": "https://college.example/graphics/ecc.png",
    "url": "https://college.example/",
    "description": "The backbone of learning in the Utopia community.",
  }],
  "proof": {
    "type": "DataIntegrityProof",
    "created": "2026-04-10T20:08:22Z",
    "verificationMethod": "did:web:accreditor.example#issuance-key-1",
    "cryptosuite": "ecdsa-rdfc-2019",
    "proofPurpose": "assertionMethod",
    "proofValue": "z36XPGByaH3rvtKfwoEQXsnUXUAjwd2Ceiqke1GPfjAPAFYoXKo5ftPdwE7QZ8Mw22SC5LSRQg1d8bhe3252hYJoH"
  }
}
    </pre>

      <p>
The next example is used to publish information about a set of known issuers
for a particular type of [=verifiable credential=].
      </p>

      <pre class="example" title="A set of known issuers for a particular type of credential">
{
  "@context": [
    "https://www.w3.org/ns/credentials/v2",
    "https://www.w3.org/ns/credentials/examples/v2"
  ],
  "type": [
    "VerifiableCredential",
    "RecognizedEntityCredential"
  ],
  "issuer": {
    "id": "did:web:learning-commission.example",
    "type": "RecognizedIssuer"
  },
  "validFrom": "2025-01-01T00:00:00Z",
  "validUntil": "2030-01-01T00:00:00Z",
  "credentialSubject": [{
    "id": "did:web:university.example",
    "type": "RecognizedEntity",
    "name": "Example Tech",
    "legalName": "Example Polytechnic University",
    "image": "https://university.example/logo.png",
    "url": "https://www.university.example/",
    "description": "A university providing a great education in Utopia Valley.",
    "recognizedTo": {
      "type": "RecognizedAction",
      "action": "issue",
      "recognizedBy": "did:web:learning-commission.example",
      "outputValidation": {
        "id": "https://learning-commission.example/credentials/bachelors.json",
        "type": "JsonSchema",
        "digestMultibase": "uEiBZl963sknNAHgPyslVv6VztZpfWQoRvW1htfx-UwirFo",
      }
    }
  }, {
    "id": "did:web:college.example",
    "type": "RecognizedEntity",
    "name": "Exemplar Community College",
    "legalName": "Community College of Examples and ",
    "image": "https://college.example/graphics/ecc.png",
    "url": "https://college.example/",
    "description": "The backbone of learning in the Utopia community.",
    "recognizedTo": {
      "type": "RecognizedAction",
      "action": "issue",
      "recognizedBy": "did:web:learning-commission.example",
      "outputValidation": {
        "id": "https://learning-commission.example/credentials/associates.json",
        "type": "JsonSchema",
        "digestMultibase": "uEiWQoRvpfWW1htfsknNAHgPyslVv6VztZpfwirFoBZl963",
      }
    }
  }],
  "proof": {
    "type": "DataIntegrityProof",
    "created": "2026-04-10T20:08:22Z",
    "verificationMethod": "did:web:accreditor.example#issuance-key-1",
    "cryptosuite": "ecdsa-rdfc-2019",
    "proofPurpose": "assertionMethod",
    "proofValue": "z36XPGByaH3rvtKfwoEQXsnUXUAjwd2Ceiqke1GPfjAPAFYoXKo5ftPdwE7QZ8Mw22SC5LSRQg1d8bhe3252hYJoH"
  }
}
      </pre>

      <p>
The final example below is used to publish information about an entity that
publishes an European Union ETSI Trust Services list [[ETSI-TRUST-LISTS]].
      </p>

      <pre class="example" title="An entity that publishes information conforming to an EU ETSI Trust Service list">
{
  "@context": [
    "https://www.w3.org/ns/credentials/v2",
    "https://www.w3.org/ns/credentials/examples/v2"
  ],
  "type": [
    "VerifiableCredential",
    "RecognizedEntityCredential"
  ],
  "issuer": "did:web:ec.europa.example",
  "validFrom": "2025-01-01T00:00:00Z",
  "validUntil": "2030-01-01T00:00:00Z",
  "credentialSubject": [{
    "id": "did:web:ec.europa.example",
    "type": "RecognizedEntity",
    "name": "Utopian Commission",
    "legalName": "The Utopian Commission",
    "image": "https://ec.europa.example/logo.png",
    "url": "https://ec.europa.example/",
    "recognizedIn": {
      "id": "https://ec.europa.example/tsl/lotl.xml",
      "type": "EtsiTrustServiceList",
      "name": "Utopian Commission List of the Lists"
    }
  }],
  "proof": {
    "type": "DataIntegrityProof",
    "created": "2026-04-10T20:08:22Z",
    "verificationMethod": "did:web:ec.europa.example#issuance-key-1",
    "cryptosuite": "ecdsa-rdfc-2019",
    "proofPurpose": "assertionMethod",
    "proofValue": "z36XPGByaH3rvtKfwoEQXsnUXUAjwd2Ceiqke1GPfjAPAFYoXKo5ftPdwE7QZ8Mw22SC5LSRQg1d8bhe3252hYJoH"
  }
}
      </pre>

    </section>
    </section>

    <section>
      <h2>Privacy Considerations</h2>

      <p>
This section details the general privacy considerations and specific privacy
implications of deploying this specification into production environments.
      </p>

      <p>
Readers are urged to familiarize themselves with the general privacy advice
provided in the
<a data-cite="VC-DATA-MODEL#privacy-considerations">
Privacy Considerations section of the Verifiable Credentials specification</a>
before reading this section. Implementers are expected to apply the
general warnings provided in that specification to each specific feature
provided by this specification.
      </p>

      <section>
        <h3>Surveillance of Individuals as Recognized Entities</h3>
        <p class="issue">
A `RecognizedEntityCredential` publicly lists named organizations and
people with their identifiers, legal names, URLs, and images. Aggregating
these across multiple lists enables profiling and surveillance of
recognized entities. This section should discuss the risks of publishing
richly-described entity information, especially for individuals, and guidance
for issuers on minimizing disclosure. For example, a list of recognized
entities that is published to a private group can escape that group if any group
member decides to publish the information outside of the private group.
Suggest that selective disclosure does not provide much protection here because
it requires honest actors.
        </p>
      </section>

      <section>
        <h3>Holder-Provided Recognition Credentials</h3>
        <p class="issue">
Having holders provide recognized entity credentials preserves privacy better than having
the verifier reach out to the issuer to retrieve the recognized entity credential.
        </p>
      </section>

      <section>
        <h3>Harms by Association</h3>
        <p class="issue">
A `RecognizedEntityCredential` can reveal the membership structure of a
private or sensitive ecosystem, such as healthcare credential issuers or
financial service providers. Publishing or widely sharing such credentials
can expose which entities participate in that ecosystem, which can be
commercially sensitive or create targeting risks. This section should discuss
when and how to limit the distribution of recognized entity credentials that
describe sensitive ecosystems, possibly suggesting that it is not possible
to limit distribution of recognized entity credentials and thus creating them for
sensitive ecosystems might be an anti-pattern. In general, if you build
certain lists with certain memberships, it might have negative effects on
individuals (harm by association) -- unintended or not.
        </p>
      </section>

    </section>

    <section>
      <h2>Security Considerations</h2>

      <p>
There are a number of security considerations that implementers should be
aware of when processing data described by this specification. Ignoring or
not understanding the implications of this section can result in
security vulnerabilities.
      </p>

      <p>
Readers are urged to familiarize themselves with the general
security advice provided in the
<a data-cite="VC-DATA-MODEL#security-considerations">
Security Considerations section of the Verifiable Credentials
specification</a> before reading this section.
      </p>

      <p>
While this section attempts to highlight a broad set of security
considerations, it is not a complete list. Implementers are urged to seek the
advice of security and cryptography professionals when implementing mission
critical systems using the technology outlined in this specification.
      </p>

      <section>
        <h3>Validate Before Sharing</h3>
        <p>
When a [=holder=] receives a `RecognizedEntityCredential` and shares it
with others, there is a risk that the credential has not been properly vetted.
A malicious or negligent actor could craft a `RecognizedEntityCredential`
that lists fraudulent or compromised entities as recognized issuers or
verifiers, and propagate it peer-to-peer across an ecosystem. Recipients who
accept and act upon such a credential without independent verification might
unknowingly accept [=verifiable credentials=] from untrustworthy sources,
exposing themselves and others to fraud, data breaches, or credential
forgery. The decentralized nature of this specification, while a strength,
amplifies this risk: a single unvetted credential shared widely can rapidly
corrupt the trust assumptions of many parties in an ecosystem.
        </p>
        <p>
To mitigate these dangers, deployments are expected to independently verify the
cryptographic integrity and provenance of any `RecognizedEntityCredential`
before acting upon it or sharing it further. This includes confirming that the
[=issuer=] of the credential is a party the implementer has an established
reason to trust for the given recognition domain, and that the credential has
not expired or been revoked. Implementers cannot rely solely on the fact
that a peer has already accepted a credential as evidence of its validity.
Instead, a [=verifier=] needs to vet the issuer of the recognized entity credential
as well as the [=recognized action=] independently of receiving the
`RecognizedEntityCredential` and can only depend on information from the
credential once trust has been established on the issuing entity.
        </p>
      </section>

      <section>
        <h3>Issuer Impersonation</h3>
        <p class="issue">
A malicious actor could create a `RecognizedEntityCredential` that mimics a
well-known recognizing authority by using a similar `issuer` identifier or name.
Verifiers who manually add VRCs to their software, that do not independently
validate the issuer's identifier against a known root of trust, could be deceived
into accepting fraudulent recognition claims. This section should discuss how to
detect and prevent issuer impersonation and the importance of verifying issuer
identifiers through authoritative out-of-band means.<br/><br/>

Note that appropriate bindings to protocols and user interactions (such as an
individual receiving a request from origin). It would be good if a wallet
communicates: "I have a recognized entity credential for this origin/issuer from
someone you trust" (if there is a check made that binds request to origin
-- TLS used, for example) and that's associated with issuer in VRC. It would be
good for this section to talk about how protocols can bind this sort of
information together to help individuals not fall for scams.
        </p>
      </section>

      <section>
        <h3>Selecting Appropriate Validity Periods</h3>
        <p class="issue">
Recognition credentials with excessively long `validUntil` periods may remain in
circulation long after a recognized entity has been suspended, revoked, or
compromised. Conversely, overly short validity periods create operational
burden. This section should discuss appropriate selection of validity periods and
the importance of pairing validity periods with robust revocation mechanisms.
The section should speak to organization/individual end of life as well. How long
a period should be is dependent on list size and diversity -- the larger the list,
the shorter the timeline (24-48 hours?); the smaller the list, the longer the
timeline (weeks to months). Want to be able to add entities on reasonable
timeframes. Ecosystems might desire list aggregators -- accreditation bodies might
have longer periods. The section should explain the justification for having a
longer period -- why go longer than 24-48 hours?
        </p>
      </section>

      <section>
        <h3>External Resource Tampering</h3>
        <p class="issue">
The `outputValidation` property references external schema files via URL. If
those URLs are not protected by `digestMultibase` or other integrity checks, an
attacker who compromises the schema host can alter validation rules without
invalidating the recognized entity credential, causing verifiers to accept credentials
that no longer conform to the intended schema. This section should discuss the
importance of using content integrity protection for all externally referenced
resources.
        </p>
      </section>

      <section>
        <h3>Verifying Recognition Chains</h3>
        <p class="issue">
The `recognizedIn` property allows recognized entity credentials to chain to other
registries such as ETSI Trust Service Lists, X.509 certificate authority lists,
or other `RecognizedEntityCredential`s. A compromised or malicious entry
in a lower-level registry could be transitively trusted if verifiers do not
enforce depth limits or validate each link in the chain independently. This
section should discuss safe practices for traversing chained recognition
structures and the risks of unbounded transitive trust.
        </p>
      </section>

      <section>
        <h3>Abuse of Recognized Actions</h3>
        <p class="issue">
The `action` property is a free-form string (e.g., `issue`, `verify`). Without
strict governance of allowable action values within an ecosystem, recognized
entities may present credentials claiming broad or undefined actions that
verifiers interpret more permissively than intended, leading to unauthorized use
beyond the issuer's intent. This section should discuss the importance of
ecosystem-level governance of action vocabularies and how verifiers should
handle unrecognized action values.
        </p>
      </section>

    </section>

    <section class="appendix informative">
      <h2>Relationship to Other Technologies</h2>

      <p>
This specification was designed with awareness of existing "trust
infrastructure" technologies, three of which are described below. The data model
defined in this specification is capable of expressing many of the concepts
found in these technologies and is designed to interoperate with them via the
`recognizedIn` property.
      </p>

      <section class="informative">
        <h3>ETSI Trust Service Lists</h3>

        <p>
The European Telecommunications Standards Institute (ETSI) defines a format
for Trust Service Lists (TSLs) in [[?ETSI-TRUST-LISTS]], which is used across
the European Union to publish lists of trusted service providers — entities
authorized to issue electronic signatures, seals, timestamps, and other
trust services under the eIDAS regulation. Each EU member state publishes a
national TSL, and the European Commission publishes a List of the Lists (LoTL)
that references each national TSL, forming a well-defined, hierarchical trust
federation.
        </p>

        <p>
ETSI Trust Service Lists share several conceptual goals with this
specification: both describe entities that are recognized to perform specific
actions, associate those entities with identifying metadata, and are intended
to be consumed by relying parties during validation. However, this
specification differs from ETSI Trust Service Lists in several key ways:
        </p>

        <ul>
          <li>
<strong>Format:</strong> ETSI Trust Service Lists are expressed as signed XML
documents. This specification uses JSON-LD and the Verifiable Credentials Data
Model, enabling integration with the broader decentralized identity ecosystem.
          </li>
          <li>
<strong>Governance:</strong> ETSI Trust Service Lists are governed by a
centralized, hierarchical structure rooted in EU member state authorities.
This specification supports both centralized and decentralized governance
models, allowing any entity to act as a recognizing authority within its
own ecosystem.
          </li>
          <li>
<strong>Scope:</strong> ETSI Trust Service Lists are scoped to electronic
trust services regulated under eIDAS. This specification is domain-agnostic
and can express recognition across any sector, including education,
healthcare, and financial services.
          </li>
          <li>
<strong>Holder-centric sharing:</strong> ETSI Trust Service Lists are
published at well-known URLs and fetched by relying parties. This
specification additionally supports "certificate stapling", where a holder
presents a recognized entity credential directly to a verifier, reducing the need
for verifiers to contact a central registry during each interaction.
          </li>
        </ul>
      </section>

      <section class="informative">
        <h3>X.509 Certificate Authority Lists</h3>

        <p>
X.509 [[RFC5280]] is a standard for public key infrastructure (PKI) that
defines the format for certificates and certificate chains. Certificate
Authorities (CAs) are entities trusted to issue X.509 certificates that bind
a public key to an identity. Trust in a CA is typically established through
inclusion in a browser or operating system trust store — a curated list of
root CAs — or through a certificate chain that traces back to such a root.
        </p>

        <p>
X.509 CA infrastructure and this specification both address the problem of
establishing whether a given entity can be relied upon to perform a specific
action within a given context. However, this specification differs from X.509 CA
lists in several key ways:
        </p>

        <ul>
          <li>
<strong>Data model:</strong> X.509 certificates encode identifier and public key
association in a binary ASN.1 format with a fixed schema. This specification
uses a flexible, extensible JSON-LD data model that can express arbitrary
metadata about recognized identifiers and the actions that the entities they
identify are authorized to perform.
          </li>
          <li>
<strong>Trust hierarchy:</strong> X.509 PKI relies on a strictly hierarchical
chain of trust rooted in a small number of globally trusted root CAs. This
specification supports a web-of-trust model where multiple, overlapping, and
competing recognition registries can coexist, and ecosystem participants can
choose which recognizing authorities they trust.
          </li>
          <li>
<strong>Action semantics:</strong> X.509 certificates express key usage and
extended key usage flags to constrain what a certificate may be used for, but
these are limited to a fixed set of cryptographic operations. This
specification expresses recognition for arbitrary, domain-specific actions
such as issuing a particular type of credential, enabling richer and more
context-specific claims of recognition.
          </li>
          <li>
<strong>Decentralized issuance:</strong> Adding a new CA to existing trust
stores requires acceptance by browser vendors and/or OS maintainers, which is a
centralized and often slow process. In contrast, this specification allows any
entity to issue a `RecognizedEntityCredential` and to share it within its
ecosystem without requiring approval from a central gatekeeper.
          </li>
        </ul>
      </section>

      <section class="informative">
        <h3>ISO/IEC 18013-5 mDL VICAL</h3>

        <p>
ISO/IEC 18013-5 defines the mobile Driving License (mDL), a standard for
expressing driver's licenses as mobile documents (mDocs). As part of that
ecosystem, the standard defines a Verified Issuer Certificate Authority List
(VICAL), which is a signed data structure containing a list of entities that are
recognized as certificate authorities empowered to issue mDLs. A relying party
uses the VICAL to determine whether the issuer of a presented mDL is trusted
within its jurisdiction.
        </p>

        <p>
The VICAL concept and this specification share the goal of enabling relying
parties to determine whether a credential issuer is recognized within a
particular ecosystem. However, this specification differs from the mDL VICAL
in several key ways:
        </p>

        <ul>
          <li>
<strong>Format:</strong> The VICAL is a CBOR-encoded, COSE-signed data
structure which is tightly coupled to the mDL ecosystem. This specification
uses JSON-LD and the Verifiable Credentials Data Model, making it suitable
for a broader range of credential types and deployment environments.
          </li>
          <li>
<strong>Scope:</strong> The VICAL is specific to the mDL use case and the
ISO/IEC 18013-5 trust model. This specification can use any type of credential
to express recognition of any type of verifiable credential and any kind of
action; it is not limited to issuing credentials for driving licenses.
          </li>
          <li>
<strong>Action expressiveness:</strong> The VICAL records CAs which are trusted
to issue mDL certificates, but does not have a general mechanism by which to
express the scope or other types of actions a CA is recognized to perform. This
specification's `RecognizedAction` structure explicitly captures the actions a
recognized entity is authorized to perform and against which credential schemas,
enabling more fine-grained authorization.
          </li>
          <li>
<strong>Decentralization:</strong> The VICAL is managed by a designated VICAL
provider within each mDL ecosystem and distributed through centralized
channels. This specification allows any entity to publish a recognition
credential without relying on a designated central provider, supporting
more open and composable trust ecosystems.
          </li>
        </ul>
      </section>

    </section>

    <section class="appendix informative">
      <h2>Acknowledgements</h2>

      <p>
The Working Group thanks the following individuals for significant
contributions to the community: TBD
      </p>

      <p>
Work on this specification has been supported by the Rebooting the
Web of Trust community facilitated by Christopher Allen, Joe Andrieu, and
Erica Connell. The participants in the Internet Identity Workshop,
facilitated by Phil Windley, Kaliya Young, Doc Searls, and Heidi Nobantu Saul,
also supported the refinement of this work through numerous working sessions
designed to educate about, debate on, and improve this specification.
      </p>

      <p>
The Working Group would like to thank the following individuals for reviewing
and providing feedback on the specification (in alphabetical order):
      </p>

    </section>
  </body>
</html>