| 1. Definition | 2. Functional Requirements | 3. Syntax | 4. Semantics |
1 Definition
A Trust Anchor is an entity whose public key and associated metadata are accepted as authoritative for issuing Instance Credentials within the MPAI‑PTF Trust Framework. A Trust Anchor defines the cryptographic identity, validity period, permitted issuance scope, and optional revocation information for an authority that signs Instance Credentials for AIMs and Processes.
A Trust Anchor enables PTF components to verify that an Instance Credential originates from a recognized and authorized issuer and that the issuer’s signing authority is valid at the time of verification.
2 Functional Requirements
A Trust Anchor shall:
- Include a Header identifying the version of the Trust Anchor structure.
- Include an AnchorID uniquely identifying the Trust Anchor (e.g., URI, DNS name, or opaque identifier).
- Optionally include AnchorTime, indicating when the Trust Anchor was created or last updated.
- Include a PublicKey object containing:
- A Signature algorithm identifier from the Security Algorithm Taxonomy.
- A KeyEncoding specifying the encoding format of the public key.
- A KeyValue containing the public key material.
- Include a Validity object specifying:
- A NotBefore time before which the Trust Anchor must not be used.
- A NotAfter time after which the Trust Anchor must not be used.
- Optionally include Policies describing constraints on what the Trust Anchor is authorized to issue, including:
- Allowed AIM instance classes.
- Allowed Process instance classes.
- Allowed algorithm identifiers.
- Maximum credential lifetime.
- Optionally include Revocation information, such as:
- A CRL URI.
- An OCSP or equivalent status service URI.
- A timestamp indicating when revocation information was last updated.
- Optionally include DataXMData and DescrMetadata.
- Use only the keys defined in this Data Type.
3 Syntax
https://schemas.mpai.community/PTF/V1.0/data/TrustAnchor.json
4 Semantics
| Label | Description |
|---|---|
| Header | Trust Anchor Header — standard “PTF‑TRA‑V”. |
| AnchorID | Identifier of the Trust Anchor (URI, DNS name, or opaque string). |
| AnchorTime | Time at which the Trust Anchor was created or last updated. |
| PublicKey | Public key used by the Trust Anchor to sign Instance Credentials. |
| – Algorithm | Signature algorithm identifier from the Security Algorithm Taxonomy. |
| – KeyEncoding | Encoding format of the public key (raw, spki, or jwk). |
| – KeyValue | Public key material encoded as base64 or base64url. |
| Validity | Validity window for the Trust Anchor’s signing authority. |
| – NotBefore | Time before which the Trust Anchor must not be used. |
| – NotAfter | Time after which the Trust Anchor must not be used. |
| Policies | Constraints on what the Trust Anchor is authorized to issue. |
| – AllowedAIMInstances | AIM instance classes or identifiers allowed by this Trust Anchor. |
| – AllowedProcessInstances | Process instance classes or identifiers allowed by this Trust Anchor. |
| – AllowedAlgorithms | Algorithm identifiers from the Security Algorithm Taxonomy that the Trust Anchor may use or authorize. |
| – MaxCredentialLifetime | Maximum validity duration for issued credentials (ISO 8601 duration). |
| Revocation | Optional revocation information for the Trust Anchor. |
| – CRL | URI of a certificate revocation list or equivalent. |
| – OCSP | URI of an online status service. |
| – LastUpdated | Timestamp of the last update to revocation information. |
| DataXMData | Metadata exchanged with other Processes or AIMs. |
| DescrMetadata | Descriptive metadata (max length 2048). |
