This document defines requirements and use cases for representing supply chain events as Verifiable Credentials, enabling interoperable and cryptographically verifiable data exchange across organizational boundaries. It establishes the problem space, shared terminology, motivating scenarios, and testable functional and non-functional requirements that will guide the development of the VSC Core Data Model and related specifications.
The VSC framework maps [[EPCIS]] event semantics onto [[VC-DATA-MODEL]] representations, using [[DID-CORE]] for actor identity binding. The approach is grounded in published W3C, GS1, ISO, IETF, and regulatory standards and aligns with established community work including the [[TRACEABILITY-V1]] vocabulary and [[UNTP]].
This document is intended for:
This document is a Community Group Draft produced by the Verifiable Supply Chain Community Group. It has not been endorsed by the W3C membership and is not a W3C Standard. It may be updated, replaced, or made obsolete at any time.
Feedback is welcome. The preferred mechanism is to open a GitHub issue. For general discussion, see the public mailing list. See Contributing for full contributor guidance.
Global supply chains are among the most complex information systems humans operate. They span hundreds of organizations, dozens of jurisdictions, and thousands of individual product movements per day. Despite this complexity, the underlying data infrastructure remains fragmented: proprietary formats, bilateral EDI agreements, and centralized intermediary platforms are the norm rather than the exception.
The GS1 [[EPCIS]] standard, widely adopted across retail, healthcare, and logistics, provides a common vocabulary for supply chain events — captures of who did what to which item, where, and when. However, EPCIS defines what to record, not how to prove it. A receiving party cannot cryptographically verify that an EPCIS record was created by an authorized party, has not been tampered with, or corresponds to any real-world act of authority.
Simultaneously, the W3C Verifiable Credentials Data Model and [[DID-CORE]] provide a mature, widely deployed infrastructure for cryptographically signed, decentralized identity. These technologies have been adopted in digital credentials for education, healthcare records, and government identity, but have not yet been systematically applied to supply chain event data.
Regulatory pressure is accelerating the need. The US [[DSCSA]] mandates electronic, interoperable tracing of prescription drug products across the entire pharmaceutical distribution chain by 2023. The EU [[EUDR]] requires due diligence documentation for commodities associated with deforestation. The EU [[EU-BEV]] requires battery passport data covering the full material supply chain. These regulations require auditable, tamper-evident records — a property EPCIS alone cannot provide.
The Verifiable Supply Chain (VSC) framework addresses this gap by defining how [[EPCIS]] events can be represented as [[VC-DATA-MODEL]] credentials, binding event data to the issuing party's [[DID-CORE]] identifier and enabling cryptographic verification across organizational boundaries without requiring a shared central database.
Current supply chain data systems exhibit three structural deficiencies that VSC is designed to address:
VSC addresses the deficiencies identified in Problem Statement by:
VSC does not require distributed ledger technology. DID methods
backed by web infrastructure (e.g., did:web) are
explicitly supported and are expected to be the dominant deployment
pattern for enterprise supply chains. Ledger-based DID methods
MAY be used but are not privileged.
Requirement identifiers take the form
REQ-Xn where
X is F (functional) or
NF (non-functional) and n is a two-digit
sequence number. Every requirement includes a rationale, a
testability statement, and normative references to inform
conformance test development.
Use case identifiers take the form UC-n.
Each use case cross-references the requirements it motivates.
Defined terms appear in small-caps style and are linked on first use in each section.
The key words MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, NOT RECOMMENDED, MAY, and OPTIONAL in this document are to be interpreted as described in [[RFC2119]] and [[RFC8174]] when, and only when, they appear in all capitals, as shown here.
A VSC-conformant implementation is a software system that satisfies all MUST and MUST NOT requirements in Requirements. Conformance is assessed against the testability statements accompanying each requirement.
This document defines two conformance classes:
Holder conformance requirements are not independently specified in this document because a holder can be implemented by either an issuer or verifier system. Future VSC specifications MAY define an explicit holder conformance class.
The following terms are used throughout this specification. Terms defined in [[VC-DATA-MODEL]] and [[DID-CORE]] are imported by reference where noted.
shipping, receiving,
manufacturing) that describes the step in the
business process at which an EPCIS Event occurred.
in_transit, recalled,
destroyed) describing the condition or status of
an EPC or product class at the time of an EPCIS Event.
VSC defines three primary roles, aligned with [[VC-DATA-MODEL]] Section 1.3. In supply chain deployments these roles are typically held by different organizations.
[[EPCIS]] v2.0 defines five event types. VSC requires a normative credential schema for each:
| EPCIS Event Type | Typical Business Use | VSC Credential Schema (placeholder) |
|---|---|---|
ObjectEvent | Commissioning, observation, shipping, receiving of items | VscObjectEventCredential |
AggregationEvent | Packing items into a container; disaggregating a pallet | VscAggregationEventCredential |
TransformationEvent | Manufacturing: input materials consumed, output products created | VscTransformationEventCredential |
TransactionEvent | Linking events to business transactions (orders, invoices) | VscTransactionEventCredential |
AssociationEvent | Associating sub-objects with a parent object | VscAssociationEventCredential |
The schema names in the table above are placeholders. Normative schema identifiers and JSON-LD context URIs will be defined in the VSC Core Data Model specification.
The core objects in VSC are:
issuer is the asserting
Supply Chain Actor's DID. The credentialSubject
contains the EPCIS Event fields. The credential carries a
credentialStatus endpoint for revocation checks.
The canonical VSC information flow is:
Figure 1 — Canonical VSC information flow: Event capture, credential issuance, holder storage, verifier validation.
Step 4 (verification) may fail if the DID cannot be resolved, the signature is invalid, the credential has been revoked, or the issuer is not in the required issuer registry. Verifier behavior in each failure case is defined in Requirements.
This section describes motivating scenarios for VSC. Each use case includes actors, preconditions, a nominal flow, failure modes, and a mapping to the requirements it motivates. Use cases are non-normative.
Nominal flow:
VscObjectEventCredential, with an extension for geospatial data and the relevant commodity type.Failure modes:
Requirements motivated: REQ-F01, REQ-F02, REQ-F03, REQ-F04, REQ-F07, REQ-NF03.
Nominal flow:
commissioning) as a signed VSC credential.shipping) credential for the pallet SSCC, referencing the commissioned item credentials via AggregationEvent.receiving) and issues their own credential referencing the manufacturer's shipping credential by its credential identifier.Failure modes:
Requirements motivated: REQ-F01, REQ-F02, REQ-F03, REQ-F04, REQ-F05, REQ-F08, REQ-NF01.
Nominal flow:
Failure modes:
Requirements motivated: REQ-F05, REQ-F06, REQ-F07, REQ-NF02, REQ-NF03.
Nominal flow:
Failure modes:
Requirements motivated: REQ-F01, REQ-F04, REQ-F06, REQ-NF01, REQ-NF04.
Nominal flow:
revoked status and MUST reject the credential.Nominal flow:
Failure modes:
Requirements motivated: REQ-F05, REQ-F07, REQ-NF02, REQ-NF05.
The following requirements are derived from the use cases in Use Cases and from the regulatory and standards landscape described in Introduction. Each requirement is identified by a stable identifier, states the conformance level, provides a rationale grounded in published sources, and includes a testability statement to guide conformance test development.
All VSC-conformant implementations MUST also satisfy the MUST-level requirements of [[VC-DATA-MODEL]]. The requirements below are additional VSC-specific requirements that go beyond the base VC Data Model.
| ID | Title | Level | Class | Use Cases |
|---|---|---|---|---|
| REQ-F01 | Event-to-Credential Mapping | MUST | Issuer | UC-01–04 |
| REQ-F02 | Event Semantics Preservation | MUST | Issuer | UC-01, UC-02 |
| REQ-F03 | Issuer DID Binding | MUST | Issuer | UC-01–05 |
| REQ-F04 | Event Linking | SHOULD | Issuer | UC-01–04 |
| REQ-F05 | Selective Disclosure | MUST | Issuer, Verifier | UC-02, UC-03, UC-06 |
| REQ-F06 | Batch and Lot Traceability | SHOULD | Issuer | UC-03, UC-04 |
| REQ-F07 | Issuer Authority Verification | MUST | Verifier | UC-01, UC-03, UC-06 |
| REQ-F08 | Credential Status and Revocation | MUST | Issuer, Verifier | UC-02, UC-05 |
| REQ-F09 | Chain Integrity Detection | SHOULD | Verifier | UC-01, UC-02, UC-04 |
| REQ-F10 | Trust Framework Reference | SHOULD | Issuer, Verifier | UC-01–03 |
| REQ-NF01 | Scalability | MUST | Issuer, Verifier | UC-02, UC-04, UC-05 |
| REQ-NF02 | Privacy Preservation | SHOULD | Issuer, Verifier | UC-03, UC-06 |
| REQ-NF03 | Interoperability | MUST | Issuer, Verifier | UC-01, UC-03 |
| REQ-NF04 | Extensibility | SHOULD | Issuer | UC-04 |
| REQ-NF05 | Long-term Verifiability | SHOULD | Verifier | UC-06 |
A VSC Issuer MUST support producing a [[VC-DATA-MODEL]]-conformant Verifiable Credential for each of the five [[EPCIS]] v2.0 event types: ObjectEvent, AggregationEvent, TransformationEvent, TransactionEvent, and AssociationEvent. The mapping applied MUST conform to the normative Event-to-Credential Mapping defined in the VSC Core Data Model specification (once published).
EPCIS v2.0 [[EPCIS]] defines five event types covering the full range of supply chain observations. Requiring support for all five ensures that VSC can represent any supply chain event without loss of semantics. The GS1 [[GS1-CBV]] provides the controlled vocabulary used within these events.
A test vector set MUST be published containing at least one syntactically and semantically valid EPCIS event document for each of the five event types. A conformant issuer MUST produce a valid, verifiable Verifiable Credential for each test vector that: (a) passes [[VC-DATA-MODEL]] validation; (b) preserves all EPCIS fields specified in REQ-F02; and (c) carries a valid [[VC-DATA-INTEGRITY]] proof.
[[EPCIS]] Section 7; [[GS1-CBV]]; [[VC-DATA-MODEL]] Section 4.
The Event-to-Credential Mapping MUST
preserve, without loss or transformation, the following fields from
the source [[EPCIS]] event:
eventTime, eventTimeZoneOffset,
recordTime, eventType,
action, bizStep,
disposition, readPoint,
bizLocation, epcList /
inputEPCList / outputEPCList (as
applicable to the event type), and
quantityList / inputQuantityList /
outputQuantityList (as applicable).
Extension fields (ILMD, sensor elements) MUST
also be preserved where present.
Regulatory requirements under [[DSCSA]] and [[EUDR]] require that the specific event-time, location, and identifier information are auditable and have not been altered. Loss of any of these fields would undermine the legal validity of the credential as a regulatory record. The [[ISO28000]] supply chain security management framework similarly requires complete and accurate event records.
For each test vector in REQ-F01: a conformant parser applied to the resulting credential MUST recover values bit-for-bit identical to the source EPCIS event for each listed field. Automated round-trip tests MUST be defined in the conformance test suite.
[[EPCIS]] Sections 7–9; [[DSCSA]]; [[EUDR]] Article 9; [[ISO28000]].
Every Verifiable Credential representing a Supply Chain Event
MUST include an issuer
value using [[DID-CORE]] syntax. The DID MUST
be resolvable to a DID Document containing the public key material
used to verify the credential's [[VC-DATA-INTEGRITY]] proof.
A VSC Issuer MUST NOT use a bare
HTTP URL or an opaque identifier as the issuer value.
The core security property of VSC is the cryptographic binding between the event assertion and the asserting party's identity. Without a resolvable DID, a verifier cannot retrieve the public key needed to verify the signature, making the credential unverifiable. [[DID-CORE]] provides the standardized mechanism for this binding, supported by existing W3C infrastructure.
Given a VSC event credential: (a) the issuer value
MUST conform to the DID syntax rule defined in [[DID-CORE]]
Section 3.1; (b) resolving the DID via a conformant DID resolver
MUST return a DID Document; and (c) the DID Document MUST contain
a verificationMethod entry whose public key
successfully verifies the credential's proof.
[[DID-CORE]] Sections 3, 7; [[VC-DATA-MODEL]] Section 4.5; [[VC-DATA-INTEGRITY]].
A VSC Issuer SHOULD include, in
event credentials that represent a step in a multi-party custody
chain, a reference to the credential identifier(s) of immediately
preceding events in the chain. References MUST
use the id property of the referenced credential,
expressed as a URI, in the credential subject. A VSC Verifier
SHOULD follow event links to reconstruct the chain and verify each
linked credential.
Custody chain reconstruction is required by [[DSCSA]] (full tracing from manufacturer to dispenser), [[EUDR]] (origin to importer), and [[EU-BEV]] (material to battery). Without event linking, a verifier cannot confirm that consecutive custody transfers are contiguous or that no unauthorized party intervened. The linking pattern is consistent with the linked data approach of [[JSON-LD]].
Given a two-credential chain where credential B references credential A by URI: (a) a conformant verifier MUST resolve and verify credential A when requested; (b) if credential A's ID is altered, the verifier MUST detect the broken link; (c) a verifier MUST signal non-verifiability if a referenced credential cannot be retrieved.
[[DSCSA]]; [[EUDR]] Article 4; [[EU-BEV]] Annex XIII; [[JSON-LD]] Section 3.
A VSC Issuer MUST produce event credentials using a proof format that supports Selective Disclosure. Supported proof formats include [[BBS-2023]] and [[SD-JWT]]. A VSC Verifier MUST be capable of verifying selective disclosure presentations produced by at least one of these proof formats. Selective disclosure presentations MUST NOT allow an adversary to infer unrevealed field values from the presented proof.
Supply chain data contains commercially sensitive information (supplier identities, pricing, production volumes) that participants are not willing to share beyond regulatory minimum disclosure. [[GDPR]] Article 5(1)(c) data minimization principle requires that only necessary data be shared. [[BBS-2023]] and [[SD-JWT]] are standardized selective disclosure mechanisms with W3C and IETF backing respectively.
Given a credential with N fields: (a) a conformant holder MUST be able to produce a presentation revealing any subset of k fields (1 ≤ k < N) while maintaining proof validity; (b) the verifier MUST accept the presentation for the revealed fields; (c) the verifier MUST NOT be able to recover the values of the unrevealed fields from the proof material; (d) a tampered proof MUST be rejected.
[[BBS-2023]]; [[SD-JWT]]; [[GDPR]] Article 5(1)(c); [[VC-DATA-MODEL]] Section 5.9; [[NIST-SP800-53]] SI-12.
A VSC Issuer SHOULD support batch-level and lot-level identifiers (e.g., LGTIN as defined in [[GS1-CBV]]) in event credentials, in addition to serialized-item identifiers (SGTIN, SSCC). Implementations supporting batch traceability MUST ensure that batch identifiers are expressed using GS1 EPCIS quantity element syntax or an equivalent normative vocabulary.
Not all supply chain scenarios track at the per-item serialization level. Bulk commodities (agricultural products, chemicals, minerals) are tracked at batch or lot level. Batch identifiers are mandatory for EUDR due diligence claims and EU battery material traceability. Requiring per-item identifiers would make VSC undeployable for bulk commodity supply chains.
A conformant issuer MUST produce a valid credential carrying an LGTIN quantity element. A conformant verifier MUST parse and validate this element without error.
[[EPCIS]] Section 7.3.3; [[GS1-CBV]] Section 7; [[EUDR]] Article 9(1)(d); [[EU-BEV]] Annex XIII.
A VSC Verifier MUST verify that the credential issuer's DID is authorized to assert events for the claimed business context when an Issuer Registry is referenced in the credential or specified by the verifier's Trust Framework. A verifier MUST NOT accept a credential whose issuer DID does not appear in a required issuer registry. Where no issuer registry is required by the verification context, the verifier SHOULD surface a warning indicating that issuer authority has not been confirmed.
Cryptographic proof of integrity (signature verification) is necessary but not sufficient for supply chain verifiability. An attacker can create a validly signed credential from a DID they control for a business step they are not authorized to assert. Checking the issuer against an authoritative registry — analogous to the certificate authority model in TLS — closes this gap. This pattern is aligned with [[NIST-SP800-53]] IA-5 (Authenticator Management) and the authorization model in [[RFC6749]].
Given a credential whose issuer DID is not in the verifier's configured issuer registry: the verifier MUST reject the credential and MUST return an error code distinguishing "issuer not authorized" from "signature invalid." A credential whose issuer IS in the registry MUST be accepted (assuming valid signature and status).
[[NIST-SP800-53]] IA-5; [[RFC6749]] Section 1.1; [[ISO28000]] Section 6.5; [[DSCSA]] Section 582(c).
Every VSC event credential MUST include
a credentialStatus property referencing a
machine-readable status endpoint conformant with
[[VC-DATA-MODEL]] Section 7. A VSC Verifier
MUST check the status of each credential
presented before accepting it. Cached revocation status
information SHOULD NOT be relied upon
for more than 24 hours for high-stakes verification contexts
(pharmaceutical, food safety) and MAY
be cached for up to 7 days in lower-stakes contexts.
Product recalls ([[DSCSA]], EU General Product Safety Regulation) require that invalid credentials be rejected promptly. A revocation mechanism that verifiers cannot check renders recall notifications ineffective. Cache lifetime limits balance performance (avoiding status service overload) against timeliness of revocation propagation, consistent with [[NIST-SP800-53]] SI-7.
(a) A verifier presented with a revoked credential MUST reject
it and return a revoked status indicator.
(b) A verifier with a stale (>24h) cached status for a
high-stakes credential MUST re-fetch the status before accepting
the credential.
(c) A verifier MUST distinguish "revoked" from "status service
unreachable" and SHOULD treat the latter as a verification failure.
[[VC-DATA-MODEL]] Section 7; [[DSCSA]] Section 582(h); [[NIST-SP800-53]] SI-7.
A VSC Verifier SHOULD detect gaps in an Event Chain — specifically, cases where a credential references a predecessor credential that cannot be retrieved, verified, or that has been revoked — and MUST signal non-verifiability of the chain in such cases, with a specific error distinguishing: (a) missing predecessor, (b) invalid predecessor signature, (c) revoked predecessor, and (d) broken link (credential ID does not resolve).
An incomplete event chain may indicate either accidental data loss or a deliberate attempt to obscure an unauthorized custody transfer. Undifferentiated error signaling would prevent operators and regulators from distinguishing these cases. Distinct error codes enable targeted remediation. This is consistent with [[NIST-SP800-53]] AU-12 (Audit Record Generation) and the DSCSA requirement for complete, unbroken tracing.
Given a three-credential chain A→B→C where credential B's predecessor reference is corrupted: the verifier MUST return a "broken link" error specifically identifying B. A chain where B has been revoked MUST return a "revoked predecessor" error. A complete valid chain MUST return success.
[[NIST-SP800-53]] AU-12; [[DSCSA]] Section 582(j); [[ISO28000]] Section 6.4.
A VSC event credential SHOULD include a machine-readable reference to the Trust Framework under which it was issued, expressed as a URI in the credential's terms-of-use or evidence property. A VSC Verifier SHOULD use this reference to determine which Issuer Registry to consult for authority verification (REQ-F07).
Supply chains operate under sector-specific governance frameworks (pharmaceutical, food, automotive, etc.) with different authorization rules. Embedding a trust framework URI in the credential allows verifiers to apply the correct governance rules automatically, enabling cross-sector interoperability without bilateral configuration. This pattern follows the trust framework approach used in the [[PEPPOL]] e-procurement network.
A credential carrying a trust framework URI MUST allow a verifier to dereference the URI and retrieve a machine-readable document listing authorized issuer DIDs. A credential lacking a trust framework URI MUST be accepted with a warning (not rejected) by a verifier that does not require one.
[[VC-DATA-MODEL]] Section 5.12 (terms of use); [[PEPPOL]]; [[TRACEABILITY-INTEROP]] Section 4.
A VSC-conformant implementation MUST be capable of issuing and verifying event credentials at a rate commensurate with enterprise supply chain event volumes. As a benchmark, conformant implementations SHOULD be capable of verifying a ten-credential event chain in under 2 seconds under normal network conditions, and of issuing 1,000 credentials per minute on commodity cloud hardware. These benchmarks are indicative; normative performance requirements will be specified in the conformance test suite.
Large retail and pharmaceutical supply chains generate millions of EPCIS events per day. A verifiable credential system that cannot sustain production event volumes will not be adopted. Battery passport use case (UC-04) requires verification of chains spanning thousands of credentials. The benchmark figures are derived from GS1's published EPCIS throughput guidance and typical cloud instance capabilities as of 2024.
The conformance test suite MUST include a load test that exercises issuance at 1,000 credentials per minute and chain verification of 10 credentials within 2 seconds, recording pass/fail and actual throughput figures.
[[EPCIS]] Appendix D (performance guidance); [[ISO28000]].
VSC implementations SHOULD avoid requiring globally unique, long-lived correlatable identifiers for all participants in all verification contexts. Where pairwise [[DID-CORE]] identifiers are available, implementations SHOULD use them. Credential schemas MUST NOT require the inclusion of personally identifiable information (PII) beyond what is required for the regulatory context in question.
[[GDPR]] Article 25 (Data Protection by Design) requires that data minimization and privacy-by-design be embedded in system design. Supply chain credentials frequently traverse jurisdictional boundaries and may be subject to multiple data protection regimes. Long-lived correlatable identifiers enable tracking of supply chain participant behavior across contexts beyond the intended disclosure.
A conformance test MUST verify that a credential schema does not include mandatory PII fields beyond regulatory minimum. A verifier MUST NOT require a holder to present more fields than the minimum needed for the stated verification purpose.
[[GDPR]] Articles 5, 25; [[NIST-SP800-53]] AR-7; [[VC-DATA-MODEL]] Section 10 (privacy considerations).
A VSC event credential issued by one conformant implementation MUST be verifiable by any other conformant implementation without prior bilateral configuration. Implementations MUST use the VSC JSON-LD context URI (to be defined in the VSC Core Data Model) and MUST NOT require proprietary extensions for basic credential exchange. Implementations SHOULD conform to the [[TRACEABILITY-INTEROP]] HTTP API profile for credential exchange.
The primary value proposition of VSC is cross-organizational verifiability. Without interoperability, VSC becomes a series of proprietary bilateral integrations — the same problem it is designed to solve. The [[TRACEABILITY-INTEROP]] profile provides a tested, deployed HTTP API standard for credential exchange in supply chain contexts.
The VSC interoperability test suite MUST include an implementation-A-issues / implementation-B-verifies scenario for each of the five credential types. A credential issued by implementation A MUST be verified successfully by implementation B without any bilateral pre-configuration.
[[TRACEABILITY-INTEROP]]; [[VC-DATA-MODEL]] Section 1.3; [[JSON-LD]] Section 5.
The VSC credential schema SHOULD support sector-specific and jurisdiction-specific extension vocabularies without invalidating base credential verification. Extension vocabularies MUST be expressed using [[JSON-LD]] context extension mechanisms. Verifiers that do not understand an extension MUST still be able to verify the base credential.
Supply chain verticals (pharmaceutical, food, automotive, aerospace) have distinct data requirements. A rigid schema would require a separate specification for each vertical. The JSON-LD extension mechanism provides a standards-based, proven approach to extensibility, as demonstrated by [[TRACEABILITY-V1]] and [[UNTP]].
A credential carrying an unknown JSON-LD extension term MUST be parsed and its base fields MUST be verifiable by a conformant verifier that does not have the extension context loaded. Verifier MUST NOT fail on unknown extension terms.
[[JSON-LD]] Sections 5, 9; [[TRACEABILITY-V1]]; [[UNTP]].
VSC-conformant implementations SHOULD support verification of event credentials issued up to 10 years prior. This requires that: (a) issuer DID key history is preserved and accessible, either via the DID Document or a trust-framework-maintained historical key archive; and (b) the cryptographic algorithms used for signing remain secure and supported for the expected credential lifetime.
Regulatory audit requirements in pharmaceutical (FDA, EMA), food safety (FDA FSMA), and financial sectors require records retention of 5–10 years. A credential that cannot be verified after its issuer rotates keys or deactivates its DID provides no audit value. Key history preservation is analogous to the certificate transparency log model in TLS.
A conformance test MUST simulate DID key rotation and verify that a credential signed before rotation can still be verified using the pre-rotation key retrieved from the DID Document history or trust framework archive.
[[DID-CORE]] Section 7.2 (DID Document history); [[NIST-SP800-53]] SI-12; [[DSCSA]] Section 582(n).
The security considerations of [[VC-DATA-MODEL]] Section 11 and [[DID-CORE]] Section 10 apply in full. This section identifies supply-chain-specific threats using the [[STRIDE]] threat classification framework and specifies mitigations.
VSC threats are analyzed at the four primary trust boundaries: (1) issuer key material, (2) event credential content, (3) event chain linkage, and (4) issuer registry integrity.
| ID | STRIDE Category | Threat | Severity | Mitigation | Req |
|---|---|---|---|---|---|
| T-01 | Spoofing | Adversary creates a fabricated event credential using a DID they control, not authorized for the business context. | High | Issuer authority verification against an issuer registry (REQ-F07). Trust framework reference in credential (REQ-F10). | REQ-F07, REQ-F10 |
| T-02 | Tampering | Adversary modifies event data (e.g., alters origin coordinates or timestamps) after credential issuance. | High | Cryptographic proof over all credential fields (REQ-F03). Selective disclosure proofs protect unrevealed fields (REQ-F05). | REQ-F03, REQ-F05 |
| T-03 | Repudiation | Issuer denies having issued a specific event credential. | Medium | Non-repudiation is provided by the issuer's DID-bound cryptographic signature. Verifiers SHOULD log verification results. | REQ-F03 |
| T-04 | Information Disclosure | Verifier extracts commercially sensitive supply chain data from a credential beyond what was intended for disclosure. | Medium | Selective disclosure (REQ-F05) ensures unrevealed fields cannot be recovered from proof material. Pairwise DIDs (REQ-NF02) limit correlation. | REQ-F05, REQ-NF02 |
| T-05 | Denial of Service | Adversary floods the credential status service or DID resolution endpoint, preventing legitimate verification. | Medium | Status service SHOULD implement rate limiting and geographic redundancy. Verifiers SHOULD implement caching per REQ-F08 cache lifetime limits. | REQ-F08 |
| T-06 | Elevation of Privilege | Adversary registers a DID in an issuer registry without meeting the registry's eligibility requirements. | High | Issuer registry governance is out of scope for VSC but trust frameworks MUST define eligibility criteria. Credential SHOULD reference the registry (REQ-F10). | REQ-F10 |
A malicious actor may attempt to inject fabricated Supply Chain Events by creating validly signed credentials from an authorized DID for events that never occurred, or from an unauthorized DID. VSC implementations MUST verify issuer identity and authority as specified in REQ-F03 and REQ-F07. Verification SHOULD include checking the issuer's DID against the Issuer Registry referenced in the credential or the verifier's trust framework configuration.
Physical-world corroboration (IoT sensor data, GPS timestamps, third-party inspection certificates referenced as linked credentials) provides additional assurance that event credentials correspond to actual physical events. VSC implementations SHOULD support referencing corroboration evidence as linked credentials in the credential evidence property.
A valid Verifiable Credential for one shipment may be replayed in a presentation for a different shipment, or a credential may be presented outside its intended time window.
Implementations SHOULD include one or more of the following context-binding mechanisms to mitigate replay:
audience or equivalent field identifying the intended verifier DID, preventing use of the credential by a different verifier.validFrom and SHOULD include validUntil values. Verifiers MUST reject credentials outside their validity period.A verifier may receive an Event Chain from which one or more credentials have been omitted — either accidentally (data loss) or deliberately (to conceal an unauthorized custody transfer). VSC-conformant verifiers MUST detect gaps in event chains and signal non-verifiability with specific error codes as defined in REQ-F09. Implementations SHOULD treat a broken chain as a verification failure unless the verification context explicitly permits incomplete chains (e.g., for partial audit queries).
If an issuer's DID private key is compromised, an adversary can issue fraudulent event credentials indistinguishable from legitimate ones. Issuers MUST implement key management practices consistent with [[NIST-SP800-53]] IA-5, including:
The VSC Trust Framework specification SHOULD define sector-specific key management requirements and mandatory incident response procedures for key compromise events.
The privacy considerations of [[VC-DATA-MODEL]] Section 10 apply in full. This section identifies supply-chain-specific privacy risks and recommended mitigations.
Supply chain event credentials frequently contain information that is commercially sensitive: supplier identities, production volumes, pricing signals embedded in batch sizes, and logistics routing. Disclosing this information beyond the minimum required by a verification context:
VSC implementations MUST support selective disclosure (REQ-F05) and SHOULD use pairwise DIDs (REQ-NF02) to minimize information disclosure.
If all credentials issued by a given Supply Chain Actor use the same long-lived DID, a verifier can correlate all events asserted by that actor across time and contexts. This enables surveillance of supply chain participants' business activity beyond the scope of individual verification requests. Implementations SHOULD use pairwise DIDs per trading relationship, or short-lived credential identifiers, to limit cross-context correlation. Zero-knowledge proof mechanisms (e.g., [[BBS-2023]]) SHOULD be preferred for contexts where correlation risk is high.
Some supply chain events may involve personally identifiable information (e.g., the name of a quality inspector, a driver's identity, or patient-level pharmaceutical dispensing data). VSC credential schemas MUST NOT require PII fields beyond the regulatory minimum. Where PII is required by regulation, issuers MUST apply selective disclosure to prevent disclosure of PII to parties who do not require it, consistent with [[GDPR]] Article 25 and analogous data protection frameworks.
This specification does not define a user interface. However, implementations of VSC-conformant systems that expose user interfaces for credential issuance, presentation, or verification SHOULD conform to WCAG 2.1 Level AA guidelines. In particular:
Supply chains are global. VSC implementations must be prepared to handle data from multiple locales and character sets.
This requirements document identifies the following areas for future normative specification work by the VSC Community Group, listed in expected priority order:
bug (error in existing text), enhancement (new requirement or use case), question (seeking clarification), editorial (typo, formatting).Changes to this document follow the W3C Community Group process. Pull requests require at least one review from an editor before merging. New requirements must include:
New use cases must include all fields in the use case template (scenario description, actors, preconditions, nominal flow, at least one failure mode, and requirement cross-references).
Contributions to W3C Community Group deliverables are subject to the W3C Community Contributor License Agreement (CLA). By submitting a pull request or email contribution, you agree to the terms of the CLA.
Issues tagged
good first issue
on GitHub are suitable for contributors who are new to the
specification. These typically involve:
The editors thank the participants of the Verifiable Supply Chain Community Group for their contributions and feedback. This document has benefited from the prior work of the W3C CCG Traceability Task Force, GS1, and UN/CEFACT UNTP contributors.