| Internet-Draft | Verifiable Trust Circles | March 2026 |
| Herman | Expires 27 September 2026 | [Page] |
This document specifies Web 7.0 Verifiable Trust Circles (VTCs), a generalized mechanism for expressing verifiable multi-party membership, belonging, and trust relationships using the W3C Verifiable Credentials (VC) Data Model 2.0 [W3C.VC-DATA-MODEL] and VC Data Integrity Proof Sets [W3C.VC-DATA-INTEGRITY]. VTCs extend the Partof Architecture Reference Model (PARM) to provide a universal credential pattern that subsumes prior pairwise constructs (Personhood Credentials (PHCs) and Verifiable Relationship Credentials (VRCs)) and additionally supports voting-based decision making, meeting requests, task forces, and digital societies.¶
This note is to be removed before publishing as an RFC.¶
This Internet-Draft is derived from the Web 7.0 Foundation specification "SDO: Verifiable Trust Circles (VTCs) using VC Proof Sets (Web 7.0)" [WEB70-VTC] authored by Michael Herman, published 26 March 2026, and from community discussion at the Trust over IP Foundation Digital Trust Graph Working Group (DTGWG) Credentials Task Force, GitHub Discussion #8 [DISCUSSION-8]. Licensed under the Creative Commons Attribution-ShareAlike 4.0 International Public License. Web 7.0(TM), Web 7.0 DIDLibOS(TM), TDW AgenticOS(TM), TDW(TM), Trusted Digital Web(TM), and Hyperonomy(TM) are trademarks of the Web 7.0 Foundation. All Rights Reserved.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 27 September 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
The Web 7.0 paradigm seeks to establish a decentralized, agent-centric, privacy-preserving digital society. Central to this vision is the ability of digital entities - people, organizations, and autonomous agents - to form verifiable groups: trust circles that are cryptographically provable, privacy-respecting, and composable.¶
Prior specifications in the Trust over IP (ToIP) ecosystem defined pairwise constructs - Personhood Credentials (PHCs) and Verifiable Relationship Credentials (VRCs) - to link pairs of entities. While useful, these constructs are insufficient to describe multi-party group membership, community affiliation, or collective decision-making.¶
This specification introduces Verifiable Trust Circles (VTCs), which generalize pairwise credentials into an N-party construct using the standard W3C VC Proof Set mechanism. A single VTC credential can represent a self-credential (N=1), a bilateral relationship (N=2), or any multi-member group (N>2), enabling a single, coherent model for all membership-like relationships.¶
The following observations motivate this specification:¶
This specification defines:¶
This specification does not define transport protocols, DID method requirements, or verifiable presentation formats, except where necessary to illustrate the VTC pattern.¶
The key words MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, NOT RECOMMENDED, MAY, and OPTIONAL in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals as shown here.¶
Unless stated otherwise, terms have the meanings assigned in the W3C Verifiable Credentials Data Model 2.0 [W3C.VC-DATA-MODEL].¶
This specification adheres to the following design principles, consistent with the ToIP DTGWG Design Principles [DTGWG-DESIGN]:¶
VTCs are grounded in existing W3C VC standards. No new cryptographic primitives or credential types are defined. The only structural addition is the deliberate use of the proof array (Proof Set) to carry per-member proofs alongside the Notary proof.¶
PHCs and VRCs are recognized as specializations of a single underlying relationship pattern (PARM). Rather than defining multiple credential types for essentially the same concept, this specification derives one universal type that covers all cases by varying the cardinality of the "to" array and the composition of the Proof Set.¶
VTC credential subjects SHOULD use confidentialSubject semantics wherever selective disclosure is required. Members of a VTC should be able to prove membership to a verifier without unnecessarily revealing the full membership list. Zero-Knowledge Proof (ZKP) integration in Proof Sets is explicitly supported and encouraged.¶
VTCs compose at each layer of the SSC 7.0 Metamodel. A VTC at the Beneficial Controller layer expresses human-level trust relationships; one at the Intermediate Agent layer expresses agent-level relationships; one at the Technical Controller layer expresses device/key-level relationships.¶
The PARM model is network-agnostic. The same VTC pattern supports trust relationships across and between independent, distinct networks and ecosystems.¶
The Partof Architecture Reference Model (PARM) provides the conceptual foundation for VTCs. It observes that a large class of real-world relationships - membership, citizenship, parthood, employment, and participation - share a common logical structure. Representative relationship types and examples are shown below:¶
| Relationship Type | Example |
|---|---|
| MemberOf | Alice is a member of the Working Group Trust Circle. |
| PartOf | Bob is part of the study group. |
| CitizenOf | Carol is a citizen of the Digital Nation State of Sovronia. |
| EmployeeOf | Dave is an employee of Acme Corp (DID-identified). |
| ParticipantOf | Eve is a participant of the 09:00 meeting (a VC-based meeting request). |
| VoterFor | Frank has cast a vote for Candidate 1 by contributing his proof to that VTC. |
All of these reduce to the same credential structure: a VC whose credentialSubject.id identifies the group or decision entity (the "circle"), and whose proof array contains proofs from the Notary and each member who has accepted membership. PHCs and VRCs are degenerate cases of this pattern with N=1 and N=2 respectively.¶
A VTC is a valid W3C Verifiable Credential [W3C.VC-DATA-MODEL] with the following structural characteristics:¶
The following non-normative example illustrates a bilateral VTC between Alice (Initiator) and Bob (Responder), notarized by a Notary entity:¶
{
"@context": [
"https://www.w3.org/ns/credentials/v2",
"https://w3id.org/vtc/v1"
],
"id": "did:envelope:1234",
"type": [
"VerifiableCredential",
"VerifiableTrustCircle"
],
"issuer": "did:example:notaryabcd",
"validFrom": "2026-01-01T00:00:00Z",
"credentialSubject": {
"id": "did:vrc:2468",
"from": "did:example:alice",
"to": ["did:example:bob"],
"metadata": {
"label":
"Alice-Bob Bilateral Trust Circle"
}
},
"proof": [
{
"id": "did:example:notaryabcd",
"type": "DataIntegrityProof",
"...": "<notary-proof>"
},
{
"id": "did:example:alice",
"type": "DataIntegrityProof",
"...": "<alice-proof>"
},
{
"id": "did:example:bob",
"type": "DataIntegrityProof",
"...": "<bob-proof>"
}
]
}
¶
For groups with more than two members, the "to" array is extended to include all Responders, and the proof array gains one additional entry per additional Responder:¶
{
"id": "did:envelope:5678",
"type": [
"VerifiableCredential",
"VerifiableTrustCircle"
],
"issuer": "did:example:notaryabcd",
"credentialSubject": {
"id": "did:vrc:9999",
"from": "did:example:alice",
"to": [
"did:example:bob",
"did:example:carol",
"...",
"did:example:zelda"
],
"metadata": {
"label": "Working Group Trust Circle",
"policy": "did:policy:majority"
}
},
"proof": [
{ "id": "did:example:notaryabcd",
"...": "<notary-proof>" },
{ "id": "did:example:alice",
"...": "<alice-proof>" },
{ "id": "did:example:bob",
"...": "<bob-proof>" },
{ "id": "did:example:carol",
"...": "<carol-proof>" },
{ "id": "did:example:zelda",
"...": "<zelda-proof>" }
]
}
¶
When "to" contains only the Initiator's own DID, or when "from" and credentialSubject.id identify the same entity, the VTC degenerates to a Personhood Credential (PHC):¶
{
"credentialSubject": {
"id": "did:phc:alice-self",
"from": "did:example:alice",
"to": ["did:example:alice"],
"metadata": {
"label": "Alice Self-Attestation"
}
},
"proof": [
{ "id": "did:example:notaryabcd",
"...": "<notary-proof>" },
{ "id": "did:example:alice",
"...": "<alice-proof>" }
]
}
¶
For a voting scenario, one VTC is created per candidate. Voters cast their vote by contributing their individual proof to the VTC of the candidate they support. The vote count is the number of valid member proofs in the Proof Set.¶
{
"credentialSubject": {
"id":
"did:sovronia:election2026:district103:cand1",
"from": "did:example:electionofficial",
"to": [],
"metadata": {
"label":
"Candidate 1 - District 103 - 2026"
}
},
"proof": [
{ "id": "did:example:electionofficial",
"...": "<official-proof>" },
{ "id": "did:example:voter001",
"...": "<vote-proof>" },
{ "id": "did:example:voter002",
"...": "<vote-proof>" }
]
}
¶
The following table defines the normative properties of a VTC credential:¶
| Property | Req. | Description |
|---|---|---|
| id | REQUIRED | DID identifying the VTC credential itself. SHOULD use did:envelope or equivalent. |
| type | REQUIRED | MUST include "VerifiableCredential" and "VerifiableTrustCircle". |
| issuer | REQUIRED | DID of the Notary (N). The Notary MUST be trusted by all members. |
| credentialSubject.id | REQUIRED | DID identifying the relationship or group itself. |
| credentialSubject.from | REQUIRED | DID of the Initiator (A). |
| credentialSubject.to | REQUIRED | Array of Responder DIDs. MAY be empty for open voting VTCs. |
| credentialSubject.metadata | OPTIONAL | Arbitrary structured metadata (label, policy, expiry, etc.). |
| proof | REQUIRED | Array of proof objects (Proof Set). First proof MUST be from the Notary. Subsequent proofs are from the Initiator then Responders in any order. |
| proof[].id | REQUIRED | DID of the signer contributing this proof entry. |
The VTC Proof Set lifecycle consists of the following phases. At each phase t, the VTC applies to the Notary and the first t members who have contributed their proof.¶
The credential shell is created by the Notary with an empty or pre-populated "to" array. The Notary contributes the initial proof. No member relationships are yet verified. t = 0.¶
Each Responder, in any order, reviews the credential and - if they consent to membership - adds their individual proof to the existing Proof Set using the "add-proof-set-chain" algorithm defined in [W3C.VC-DATA-INTEGRITY]. The VTC becomes valid for those t members who have signed. Non-signing members are not yet bound.¶
All Responders listed in the "to" array have contributed their proofs. The VTC is fully executed and represents a complete, verifiable, multi-party trust relationship.¶
To add a proof to an existing secured VTC, implementors MUST follow the algorithm specified in W3C VC Data Integrity [W3C.VC-DATA-INTEGRITY], Section "add-proof-set-chain". The proof is appended to the existing proof array without modifying prior proofs.¶
Proof Sets are unordered by definition. However, this specification RECOMMENDED to follow the conventional ordering for readability and auditability: (1) Notary proof, (2) Initiator proof, (3) Responder proofs in the same order as the "to" array.¶
The Notary is the credential issuer. It MUST be trusted by both the Initiator and all Responders. The Notary is responsible for creating the credential shell, pre-populating the "to" array (or defining the voting policy), and contributing the first proof. In some use cases, the Notary MAY be the same entity as the Initiator or a Responder, provided that entity plays each role distinctly and the resulting credential satisfies all REQUIRED properties.¶
The Initiator proposes the trust circle. The Initiator's DID appears in credentialSubject.from. The Initiator contributes a proof to the Proof Set to signify their acceptance of the relationship.¶
Each Responder is identified in the credentialSubject.to array. A Responder accepts membership by contributing their individual proof. A Responder who does not contribute a proof is proposed but not yet a verified member.¶
Alice and Bob wish to establish a verifiable bilateral trust relationship. A mutually trusted Notary issues a VTC with from = Alice and to = [Bob]. Both Alice and Bob contribute proofs. The result is a two-party VTC equivalent to a classic VRC.¶
Alice wishes to create a self-signed personhood credential. A Notary issues a VTC with from = Alice and to = [Alice]. Alice contributes her proof. The result is a one-party VTC equivalent to a PHC [PHC-PAPER].¶
A task force of N participants is formed. A Notary (the working group chair or a community DID) issues a VTC with from = chair and to = [member1, ..., memberN]. Members join by contributing their proofs. The VTC provides a cryptographically verifiable roster.¶
An organizer issues a VTC with credentialSubject.id equal to the meeting DID, from = organizer, and to = [attendee1, ..., attendeeN]. Attendees RSVP by contributing their proofs. Attendance at the meeting is verifiable from the Proof Set.¶
One VTC per candidate is issued by an election official (Notary). Eligible voters cast their vote by contributing their individual proof to the VTC of their chosen candidate. Vote tallying is performed by counting the number of valid member proofs in each candidate's VTC. This supports maximum flexibility in vote-counting policies (simple majority, ranked-choice, threshold).¶
VC-based voting can be applied to implement a Verifiable Data Registry (VDR). Append operations to a distributed registry are authorized through a VTC whose members are the registry trustees.¶
A digital society (e.g., a digital community or nation state) is defined by a VTC whose members are the citizens. Governance operations - electing trustees, passing resolutions - are performed through subsidiary voting VTCs.¶
A conforming VTC implementation:¶
VTCs are valid W3C Verifiable Credentials. All normative requirements of [W3C.VC-DATA-MODEL] apply. VTCs use the issuer and credentialSubject properties as defined therein.¶
VTCs rely on the Proof Set mechanism defined in [W3C.VC-DATA-INTEGRITY], specifically the "add-proof-set-chain" algorithm for incremental proof contributions.¶
This specification is consistent with the ToIP DTGWG Design Principles [DTGWG-DESIGN], the DTG-ZKP Requirements [DTGWG-ZKP], and the VRC Design Proposals [DTGWG-VTC-13].¶
VTCs integrate with the Self-Sovereign Control 7.0 Metamodel [SSC-7]. VTCs may be anchored at the Beneficial Controller, Intermediate Controller, or Technical Controller layer.¶
VTCs are compatible with the Trust Spanning Protocol [TSP] as a credential format for expressing channel-level membership and authorization relationships.¶
Implementations are strongly RECOMMENDED to use confidentialSubject semantics and selective disclosure proof mechanisms (e.g., BBS+ signatures) to allow individual members to prove their membership in a VTC without revealing the full membership list or metadata.¶
The Proof Set mechanism is compatible with zero-knowledge proof (ZKP) contributions. A member MAY contribute a ZKP as their proof entry, revealing only that they meet the membership criteria without revealing their DID. Implementations SHOULD define a profile for ZKP-based proof entries.¶
When multiple agents controlled by one First Person contribute to a shared VTC, care must be taken to ensure that the combined disclosure across proof entries does not exceed the privacy budget of the First Person. The reconstruction ceiling - the probability that an observer can reconstruct the First Person's identity from the combined proof data - MUST be maintained below the threshold defined by the applicable trust framework.¶
The Notary (issuer) occupies a privileged position: it issues the credential shell and contributes the first proof. Verifiers MUST independently verify that the Notary is trusted by all relevant parties. The Notary SHOULD be a well-known, community-governed DID with transparent governance.¶
For voting VTCs, the following security properties MUST be considered:¶
Verifiers MUST validate each proof entry in a Proof Set independently against the secured document using the algorithm specified in [W3C.VC-DATA-INTEGRITY]. The presence of a valid Notary proof does not substitute for validating member proofs, and vice versa.¶
Verifiers MUST NOT assert full circle membership based solely on the presence of the Notary proof or a subset of member proofs. Assertions about membership MUST be scoped to the verified set of proof contributors at the time of verification.¶
This document has no IANA actions. The "VerifiableTrustCircle" credential type identifier is defined within the W3C VC ecosystem and SHOULD be registered in the W3C VC Extensions Registry upon advancement of this specification.¶
The following table summarizes the mapping between VTC cardinality (size of the "to" array) and the equivalent prior credential construct:¶
| N (members) | VTC Type | Prior Equivalent | Proof Count |
|---|---|---|---|
| 0 | Null VTC | None | 1 (Notary only) |
| 1 | Self-Credential | PHC | 2 (Notary + A) |
| 2 | Bilateral | VRC | 3 (Notary + A + B) |
| N > 2 | Multi-Party | None (new) | N+2 (Notary + A + B...Z) |
| Open | Voting VTC | None (new) | 1 + votes cast |
This specification was derived from community discussion contributions by Michael Herman (mwherman2000), talltree, adamstallard, mitchuski, peacekeeper, GraceRachmany, and other participants of the Trust over IP Foundation DTGWG Credentials Task Force. The editors gratefully acknowledge all contributors to GitHub Discussion #8 [DISCUSSION-8].¶