The Governance Authority MUST publish a [[DID-CORE]] document at a stable, publicly resolvable URI. This DID serves as the Root TAO DID for the Trust Chain and MUST be referenced in the machine-readable TFD.

The GA MUST publish the Trust Framework Document at a stable URI and MUST version it using MAJOR.MINOR versioning. A new MAJOR version MUST be issued for any change that affects existing Verifiable Accreditations or invalidates credentials issued under the prior version. A changelog MUST be maintained.

The GA MUST issue a VerifiableAuthorisationForTrustChain credential (self-issued or from an external root, per [[EBSI-TRUST-MODEL]]) anchoring the trust chain. This credential MUST be publicly accessible and included in the TIR.

The GA MUST maintain, version, and publish each Governance Document referenced in the TFD. All Governance Documents MUST include a last-modified date and a stable URI. Links MUST NOT rot; retired documents MUST redirect to their successors.

A TAO MUST NOT grant a Verifiable Accreditation whose Accreditation Scope exceeds its own. All scope constraints from the accrediting party MUST be inherited and, where appropriate, further restricted. This prevents privilege escalation within the trust chain.

Before issuing a VerifiableAccreditationToAttest to a Trusted Issuer applicant, the TAO MUST:

1. Verify the applicant's legal identity using a recognized national business registry or equivalent process.
2. Confirm the applicant holds a resolvable [[DID-CORE]] identifier with key material suitable for the required proof format(s).
3. Confirm the applicant meets the sector-specific requirements defined in the TFD Section 4 for their intended issuer category.
4. Record the vetting evidence and its outcome in a durable, auditable log.

The TAO MUST update the Trusted Issuers Registry within 5 business days of any accreditation grant, suspension, revocation, or renewal. The TAO MUST NOT allow an entry to remain in the TIR for an entity whose accreditation has been revoked.

A Trusted Issuer MUST only issue VSC Credentials whose type and Accreditation Scope fall within the bounds of their Verifiable Accreditation. Credentials issued outside this scope MUST be rejected by conformant verifiers.

A Trusted Issuer MUST maintain a written Key Management Policy (a Governance Document) that specifies: key generation algorithm, key storage (FIPS 140-2 Level 2 hardware security module RECOMMENDED for production issuance), key rotation schedule (RECOMMENDED: 12 months maximum), and key compromise response procedure. The Key Management Policy MUST be referenced in the TFD.

A Trusted Issuer MUST ensure that every VSC Credential it issues accurately reflects the underlying [[EPCIS20]] event data as observed or recorded by the issuer's own systems. A Trusted Issuer MUST NOT issue credentials for events it did not observe or for which it lacks authoritative first-hand data, except as explicitly authorized by the TFD (e.g., a customs authority re-asserting an inspection result).

Each VSC Credential issued by a Trusted Issuer MUST include a reference to the issuer's Verifiable Accreditation in the credential's termsOfUse property, as specified in Credential Policies. This enables verifiers to traverse the Trust Chain programmatically.

A Trusted Issuer MUST report to its accrediting TAO within 48 hours of any: key compromise or suspected key compromise; issuance of a credential known to be erroneous; or any security incident affecting the integrity of its credential-issuing system.

A Trusted Verifier MUST perform full Trust Chain traversal for every received VSC Credential before accepting it. This includes: resolving the issuer's [[DID-CORE]] identifier, verifying the cryptographic proof, checking Credential Status via [[VC-BITSTRING-STATUS]], and confirming the issuer's Verifiable Accreditation is valid and in scope.

A Trusted Verifier MUST NOT accept a VSC Credential solely on the basis of an out-of-band relationship with the issuer (e.g., a pre-existing business relationship). The Trust Chain traversal in ROLE-TV1 is required regardless of any bilateral familiarity with the issuer.

An applicant for Trusted Issuer status MUST submit to the accrediting TAO an application package containing:

1. Legal identity evidence (business registration number, LEI, or equivalent).
2. The applicant's [[DID-CORE]] identifier and proof of key control (a signed challenge response).
3. A completed self-assessment against the technical requirements in TFD Section 9.
4. A Key Management Policy (see ROLE-TI2).
5. Evidence of compliance with any sector-specific prerequisites defined in TFD Section 4.3.

The TAO MUST acknowledge receipt of a complete application within 5 business days and MUST issue an accreditation decision (grant or reasoned rejection) within [TF-specific SLA, e.g., 30 calendar days]. A rejection MUST include a written statement of the specific criteria not met and MAY include a remediation pathway.

Upon successful vetting, the TAO MUST issue a VerifiableAccreditationToAttest credential conformant with the following schema. This schema follows [[EBSI-TRUST-MODEL]] conventions and is encoded as a [[VC-DATA-MODEL]] credential:

{
  "@context": [
    "https://www.w3.org/ns/credentials/v2",
    "https://w3c-cg.github.io/vsc/contexts/v1"
  ],
  "type": ["VerifiableCredential", "VerifiableAccreditationToAttest"],
  "id": "https://tir.example-consortium.org/accreditations/abc-123",
  "issuer": "did:web:tao.example-consortium.org",
  "validFrom": "2026-07-01T00:00:00Z",
  "validUntil": "2027-07-01T00:00:00Z",
  "credentialSubject": {
    "id": "did:web:issuer.example-company.com",
    "accreditedFor": [
      {
        "vscCredentialTypes": ["VSCTransactionEvent", "VSCObjectEvent"],
        "epcisEventTypes": ["TransactionEvent", "ObjectEvent"],
        "bizSteps": [
          "https://ref.gs1.org/cbv/BizStep-shipping",
          "https://ref.gs1.org/cbv/BizStep-receiving"
        ],
        "commodityCategories": ["pharmaceutical"],
        "geoScope": ["US"],
        "trustFramework": "https://w3c-cg.github.io/vsc-trust-framework/instances/pharma-dscsa-us-v1"
      }
    ]
  },
  "termsOfUse": [{
    "type": "AccreditationPolicy",
    "parentAccreditation": "https://tir.example-consortium.org/root/rtao-chain",
    "rootTAO": "did:web:governance.example-consortium.org"
  }],
  "credentialStatus": {
    "id": "https://tir.example-consortium.org/status/1#42",
    "type": "BitstringStatusListEntry",
    "statusListIndex": "42",
    "statusListCredential": "https://tir.example-consortium.org/status/1"
  },
  "proof": { /* Data Integrity Proof */ }
}
      

The TAO MUST register the issued accreditation credential in the Trusted Issuers Registry within 2 business days of issuance. The TI MUST NOT begin issuing VSC Credentials until the TIR entry is confirmed.

A TAO MUST revoke a Trusted Issuer's accreditation upon any of the following:

• Confirmed key compromise (reported by the TI per ROLE-TI5 or detected externally).
• Confirmed issuance of materially false or fraudulent VSC Credentials.
• Legal entity dissolution, insolvency, or loss of required operating license.
• Failure to remediate a critical audit finding within the prescribed timeframe.
• Written request from the TI to voluntarily withdraw.

Revocation MUST be executed by setting the TI's [[VC-BITSTRING-STATUS]] entry to revoked and updating the TIR entry to reflect the revocation date and reason code. The TAO MUST notify the TI of the revocation in writing (via registered email or equivalent) simultaneously with or before the registry update.

Revocation of an issuer's accreditation does NOT automatically invalidate VSC Credentials already issued by that TI and in the possession of legitimate holders. However, verifiers SHOULD treat credentials issued after the revocation date as untrustworthy. The TFD MUST specify a policy for the treatment of pre-revocation credentials in the affected sector.

Trusted Issuer accreditations MUST have a defined validity period specified in the TFD. The default is 12 months. A TI MUST initiate renewal no later than 60 days before expiry. A TAO MUST complete a renewal review before the expiry date to avoid a gap in the TI's active status.

The Trusted Issuers Registry MUST be publicly readable without authentication. Any party MUST be able to query the TIR to verify whether a given [[DID-CORE]] identifier holds a valid Verifiable Accreditation at any time. Write access MUST require authentication and authorization (OAuth 2.0 or equivalent).

The TIR MUST expose the following REST query endpoints. Responses MUST be returned as application/json using [[RFC9457]] for errors:

The TIR MUST meet a minimum availability of 99.5% per calendar month (approximately 3.6 hours downtime). Planned maintenance windows MUST be announced at least 48 hours in advance via the TFD's status page. Downtime affects the ability of verifiers to confirm issuer status; implementations SHOULD implement a TTL-based cache (RECOMMENDED: 24-hour TTL for read endpoints).

Adopting networks MAY implement the TIR using any of the following technology patterns. The TFD MUST document the chosen pattern and its trade-offs:

Every VSC Credential issued by a Trusted Issuer MUST include a termsOfUse entry of type AccreditationPolicy containing:

• parentAccreditation: URI of the issuer's Verifiable Accreditation in the TIR.
• rootTAO: DID of the Root TAO for the applicable Trust Framework.
• trustFramework: URI of the published Trust Framework Document.

This property is the machine-readable hook that enables automated Trust Chain traversal by verifiers (ROLE-TV1). It is modelled after the AccreditationPolicy in [[EBSI-TRUST-MODEL]].

The TFD MUST specify a default validUntil period for each VSC Credential type. The following defaults apply unless overridden by the TFD's sector-specific rules:

The TFD MUST define a Minimum Disclosure Set (MDS) for each verifier category. The MDS specifies the minimum fields that MUST be disclosed for a credential to satisfy a verifier's legitimate need, without requiring unnecessary fields. Verifiers MUST NOT request fields beyond their defined MDS. Example:

Every Trusted Issuer MUST undergo at minimum an annual surveillance audit conducted by or on behalf of their accrediting TAO. The audit MUST assess at minimum:

• Key management practice compliance with ROLE-TI2.
• Accuracy of issued credentials against source event records (sample-based review).
• Timely incident reporting compliance with ROLE-TI5.
• Continued compliance with sector-specific requirements in TFD Section 4.3.
• [[VSC-INTEROP]] conformance class claimed in current implementation.

Auditors conducting surveillance audits MUST hold qualifications appropriate to the sector. For frameworks governed by regulated industries, auditors SHOULD hold relevant national qualifications (e.g., ISO 27001 lead auditor for information security aspects, [[ISO-27001]]). The TFD MUST specify acceptable auditor qualifications in its Section 12.

Any Trusted Issuer subject to a Formal Warning, Suspension, or Revocation decision MUST be afforded a right of appeal to the Governance Authority within 15 business days of notification. The GA MUST render a decision on the appeal within 30 calendar days. The TFD MUST specify whether appeal has suspensive effect (i.e., whether the TI may continue issuing during the appeal period).

Any holder or verifier that believes a VSC Credential was issued in error or fraudulently MAY file a credential challenge with the issuer's TAO. The TFD MUST define a challenge procedure that includes: a structured challenge submission form, a response timeline (RECOMMENDED: 10 business days), and an escalation path to the Governance Authority if unresolved.

The machine-readable TFD MUST be discoverable at: https://{governance-authority-domain}/.well-known/vsc-trust-framework.json

Additionally, the Root TAO's [[DID-WEB]] document SHOULD include a service entry of type VSCTrustFramework pointing to this URI.