Accredit TAOs and TIs
Now you are almost ready to start issuing Verifiable Credentials. Just a few more steps to go!
Verifiable Credential and Presentation
Check out our VC and VP library to create and verify EBSI-compliant W3C Verifiable Credentials and Verifiable Presentations in JWT format
Step 2.1 Authorise TAO to onboard by issuing a V. Authorisation to Onboard
Step 2.1.1 Provide Authorisation Server to authenticate TAO
Now that you have set up your Root Trusted Accreditation Organisation, you can onboard Trusted Accreditation Organisations.
Your Root TAO needs to provide an OIDC Authorisation Server for TAO. Authentication can be performed by using a code flow or by pre-authorisation.
Step 2.1.2 Authentication code flow
For authentication and authorisation, the Root TAO needs to provide an Authorisation Server. The TAO can start authentication by calling the Authorisation Server's authorise endpoint with response_type code. In response, the Authorisation Server should proceed to authenticate the TAO/TI, for example by requesting an ID Token. After successful authentication, the Authorisation Server should respond with a code. Using this code, the TAO/TI can request an access token (by calling the Authorisation Server's token endpoint).
Step 2.1.3 Authentication with pre-authorization
In addition to the code flow above, authentication can also be done using a pre-authorised code. This code is delivered to the TAO via a Credential Offering or out of band method. Using this code, the TAO/TI can invoke the Authorisation Server's token endpoint directly to get an access token.
Step 2.1.4 Provide Credential Issuer service for issuing TAO Authorisation to Onboard
The Root TAO needs to provide a Credential Issuer service for a TAO. It should contain a credential endpoint which is protected by requiring an access token issued in the previous phase.
The TAO should use this endpoint to request a Verifiable Authorisation to Onboard credential. Using this credential the TAO can onboard to EBSI by inserting their DID document into EBSI DID Registry.
Step 2.2 Authorise TAO to register in the TIR
To be able to issue VCs the TAO needs to add themselves to the EBSI Trusted Issuer Registry. The Root TAO authorises this by issuing a Verifiable Accreditation to Attest. Using the Authorisation Server and Credential Issuer service provided by the Root TAO, the TAO is able to request a Verifiable Accreditation to Attest VC. Using this VC, the TAO can add themselves to the EBSI Trusted Issuers Registry. To be able to accredit other TAO/TIs, a TAO needs register in the Trusted Issuers Registry. The Root TAO authorises this by issuing a Verifiable Accreditation to Accredit VC. Using this VC the TAO can register themselves in the Trusted Issuers Registry.Step 2.2.1 Enable TAO Request a V. Accreditation to Attest
Step 2.2.2 Authorise TAO to accredit other TAO/TIs