Trusted Lists
A Trusted List is a publicly available list of Trust Service Providers (TSPs) that have been accredited to provide specific, trusted services, often under a specific security regulation such as the EU's eIDAS. These lists are crucial for ensuring the reliability of electronic signatures and other trust services because they allow users to verify the status and qualifications of service providers. They define who can be trusted and for what services, ensuring that digital interactions are secure, compliant, and legally recognized across jurisdictions.
What Are Trusted Lists?
Trusted lists are official, machine-readable records maintained by national or regulatory authorities. They enumerate trust service providers that are recognized as legitimate and identify the specific services they are authorized to perform—such as issuing electronic signatures, seals, or timestamps.
Each trusted list is digitally signed or sealed to guarantee its authenticity and integrity. In its simplest form, it can be a website that holds hashes of root CAs. These lists are intended for automated processing, enabling systems and relying parties to verify trust relationships programmatically and in real time.
Trusted lists are often published in standardized formats such as XML, especially in ETSI-based implementations, and are distributed through secure channels to facilitate interoperability. However, traditional trusted lists are typically static and limited to listing accredited entities. OpenID Federation offers a more dynamic and scalable approach to trust management by enabling real-time metadata, automated trust chains, and APIs—features that can complement or even serve as the foundation for modern, federated trusted lists.
Role in the Digital Identity Ecosystem
Trusted lists play a critical role in digital identity ecosystems, such as those involving digital wallets for authentication and electronic identification. They ensure that key actors—particularly credential issuers—are known, vetted, and authorized to issue trusted identity information. While other parties, such as verifiers and intermediaries, may not always appear on trusted lists, their trust can often be established through alternative mechanisms, such as certificate validation or federated trust frameworks.
To interact with such systems, relying parties must be issued access certificates by certificate authorities listed in trusted lists. These certificates validate not only the identity of the party but also their authorization to perform specific roles within the trust framework.
Governance and Onboarding
Trusted lists require strong governance to ensure that only eligible and compliant entities are included. A designated authority—such as a regulatory body or supervisory organization—oversees the onboarding process, defining the legal, technical, and security requirements that Trust Service Providers (TSPs) must meet. This typically includes independent audits, published terms of service, and adherence to recognized security and risk management standards. Only once these conditions are met can an entity be added to the trusted list.
Control and Hierarchical Models
Control over trusted lists is typically centralized, ensuring that the authority responsible for the list maintains oversight and accountability. In many cases, this control is organized hierarchically. For example, within the European Union, there is a central EU Trusted List (root), and individual member states maintain their own child trusted lists, inheriting trust from the root. This hierarchical approach supports both consistency across regions and the ability to delegate localized control.
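The automated check a relying party performs against a hierarchical trusted list can be sketched as follows. This is an added example, not code from any trusted list implementation: the JSON layout, the field names, the status labels and the use of a pinned SHA-256 digest in place of the list's digital signature are all simplifying assumptions, and the root list is assumed to have been verified already.

```python
import hashlib, json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample: stand-in bytes for a DER-encoded CA certificate.
CA_CERT = b"constructed-ca-certificate-bytes"

# Constructed child (member-state) list; layout and labels are hypothetical.
CHILD_LIST = json.dumps({
    "territory": "XX",
    "providers": [{
        "name": "Example TSP",
        "ca_sha256": sha256_hex(CA_CERT),
        "services": {"e-signature": "granted", "timestamp": "withdrawn"},
    }],
}, sort_keys=True).encode()

# Constructed root list: pins each child list by digest. Verifying the root
# list's own signature is assumed to have happened before this point.
ROOT_LIST = {"children": {"XX": sha256_hex(CHILD_LIST)}}

def is_trusted(root, child_bytes, cert, service):
    """Return (ok, reason). Every path other than an explicit grant denies."""
    # Check integrity before parsing: the child must match a digest pinned by the root.
    if sha256_hex(child_bytes) not in root["children"].values():
        return False, "child list not pinned by root"
    child = json.loads(child_bytes)
    fingerprint = sha256_hex(cert)
    for tsp in child.get("providers", []):
        if tsp.get("ca_sha256") == fingerprint:
            status = tsp.get("services", {}).get(service)
            if status == "granted":
                return True, f"{tsp['name']} granted for {service}"
            return False, f"service {service} status: {status}"
    return False, "CA not on trusted list"

if __name__ == "__main__":
    for svc in ("e-signature", "timestamp", "seal"):
        print(svc, is_trusted(ROOT_LIST, CHILD_LIST, CA_CERT, svc))
```

A listed CA is accepted only for the services its entry grants, so a provider trusted for signatures is still rejected for timestamps, and a child list altered after publication is rejected before it is parsed.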
Decentralization Efforts
While traditional trusted lists rely on centralized governance, there are growing efforts to explore more decentralized models of trust management. Emerging approaches include the distribution of trusted lists using decentralized technologies such as the InterPlanetary File System (IPFS). By decentralizing storage and access, these models aim to increase resilience, transparency, and availability, while still maintaining the necessary assurances around the integrity and authenticity of the list content.
Trusted Lists Summary
Aspect | Description |
---|---|
Definition | Official, digitally signed lists of qualified trust service providers and their services |
Legal Framework | Mandated by national or international regulations, for example the eIDAS Regulation (Article 22) in Europe |
Purpose | Ensure legal certainty, interoperability, and trust in electronic transactions |
Format | Machine-readable, digitally signed, accessible via secure channels |
Scope | Qualified or accredited trust services primarily |
Role in Digital Identity | Foundation for trust in digital wallets and identity ecosystems, enabling secure authentication |
Governance | Maintained by authorities, including national ones; for example, aggregated at EU level by the European Commission |