The Trust over IP Foundation (ToIP) is a Linux Foundation project that defines a complete architecture for Internet-scale digital trust, combining cryptographic trust at the machine layer with human trust at business, legal, and social layers through a four-layer technology stack and governance framework.
Comprehensive Explanation
Official Definition
The Trust over IP Foundation (ToIP) is formally defined as a Linux Foundation project focused on defining a complete architecture for Internet-scale digital trust that combines both cryptographic trust at the machine layer and human trust at the business, legal, and social layers. The foundation operates under the governance of the Linux Foundation and maintains multiple working groups developing specifications, governance frameworks, and reference implementations.
Canonical Abbreviations:
ToIP: Trust over IP Foundation
TSWG: Technical Stack Working Group (primary technical body)
The Trust over IP Foundation operates as a hosted project under the Linux Foundation, providing it with established legal infrastructure, intellectual property management, and community governance processes. This positioning gives ToIP credibility and sustainability while enabling it to leverage Linux Foundation resources and expertise.
Key Governance Bodies:
Steering Committee: Provides strategic direction and oversees foundation operations
Technical Stack Working Group (TSWG): Develops core technical specifications including KERI, ACDC, and CESR
Governance Stack Working Group: Develops governance frameworks and policies
Utility Foundry Working Group: Addresses infrastructure and utility layer concerns
Implementation Notes
Governance Implementation
For Ecosystem Developers
When building trust ecosystems using ToIP specifications:
Reference Normative Specifications: Cite specific ToIP specification versions as normative requirements
Adopt Governance Frameworks: Use ToIP governance metamodel to structure ecosystem governance
Participate in Working Groups: Engage with ToIP community to influence specification development
Implement Conformance Testing: Use ToIP test suites to verify specification compliance
For Implementers
Specification Compliance:
Follow ToIP specifications as authoritative requirements
Implement all MUST requirements from specifications
Document any deviations or extensions
Participate in interoperability testing
Version Management:
Track ToIP specification versions used in implementations
Plan for specification upgrades (18-month support for previous versions)
Maintain backward compatibility during transitions
For Governance Framework Authors
Framework Development:
Use ToIP Governance Metamodel as structural template
Reference ToIP technical specifications for technical requirements
Define ecosystem-specific policies within ToIP framework
Technical resources for implementation and testing
Relationship to KERI Ecosystem
ToIP serves as the primary standardization body for KERI-related specifications. The KERI protocol suite, including ACDC and CESR, transitioned from earlier governance at the Decentralized Identity Foundation (DIF) and IETF draft status to ToIP governance. This transition reflects ToIP's comprehensive approach to both technical and governance aspects of decentralized identity.
IPEX Specification: Issuance and Presentation Exchange protocol
did:webs Method: DID method leveraging KERI and web infrastructure
GLEIF Integration
The Global Legal Entity Identifier Foundation (GLEIF) operates its vLEI (verifiable Legal Entity Identifier) Ecosystem under governance frameworks that reference and build upon ToIP specifications. GLEIF's vLEI Ecosystem Governance Framework explicitly adopts ToIP's four-layer model and references ToIP technical specifications as normative requirements.
ToIP-GLEIF Relationship:
GLEIF vLEI credentials are implemented as ACDCs (ToIP specification)
GLEIF governance frameworks cite ToIP specifications as technical requirements
GLEIF participates in ToIP working groups and specification development
Roles & Responsibilities
Primary Mission
ToIP's fundamental responsibility is defining the complete architecture for Internet-scale digital trust. This encompasses both technical protocols and governance frameworks, recognizing that sustainable digital trust requires addressing human, legal, and business concerns alongside cryptographic security.
Technical Standardization
Specification Development:
ToIP develops and maintains technical specifications through its Technical Stack Working Group. These specifications undergo community review, implementation testing, and formal approval processes before publication. The foundation maintains version control, manages intellectual property through contributor agreements, and ensures specifications remain open and freely implementable.
Key Technical Responsibilities:
Maintain normative specifications for KERI protocol suite
Define interoperability requirements across implementations
Establish cryptographic algorithm requirements and security parameters
Provide reference implementations and test suites
Manage specification versioning and backward compatibility policies
Governance Framework Development
ToIP recognizes that technical protocols alone are insufficient for establishing trust at scale. The foundation develops governance frameworks that address:
Layer 2 - Provider Governance: Governance of credential issuers and verifiers
Layer 3 - Credential Governance: Governance of specific credential types and schemas
Layer 4 - Ecosystem Governance: Governance of complete trust ecosystems
Governance Responsibilities:
Define governance framework templates and patterns
Establish best practices for trust assurance
Provide guidance on legal and regulatory compliance
Support ecosystem-specific governance development
Community Coordination
ToIP serves as a neutral convening body bringing together diverse stakeholders including technology vendors, enterprises, government agencies, standards bodies, and academic institutions. The foundation facilitates collaboration through:
Community Activities:
Regular working group meetings (bi-weekly for most groups)
Annual member meetings and technical symposia
Public comment periods for draft specifications
Interoperability testing events
Educational webinars and documentation
Intellectual Property Management
ToIP manages intellectual property through the Open Web Foundation Agreement (OWFa) and related contributor agreements. This ensures that:
IP Protections:
Specifications remain freely implementable without patent encumbrances
Contributors grant necessary patent licenses for implementation
Copyright is managed to enable broad adoption
Trademark protection for ToIP branding and certification marks
Authority and Permissions
Specification Authority
ToIP specifications carry normative authority within the ToIP ecosystem. Organizations implementing ToIP-compliant systems reference these specifications as authoritative requirements. However, ToIP does not have regulatory authority—compliance is voluntary unless required by specific ecosystem governance frameworks (such as GLEIF's vLEI requirements).
Specification Status Levels:
Draft: Under active development, subject to change
Approved: Completed community review, stable for implementation
Deprecated: Superseded by newer versions, maintained for backward compatibility
Governance Framework Authority
ToIP governance frameworks serve as templates and guidance rather than binding regulations. Individual ecosystems (like GLEIF's vLEI) adopt and adapt ToIP frameworks to their specific needs. ToIP provides:
Governance Guidance:
Recommended governance structures
Best practice policies
Risk assessment frameworks
Compliance verification approaches
Ecosystems retain authority to modify frameworks for their specific requirements while maintaining ToIP compatibility.
Certification and Compliance
ToIP does not currently operate a formal certification program. Compliance claims are self-asserted by implementers, though the foundation provides:
Compliance Support:
Test suites for specification conformance
Interoperability testing frameworks
Reference implementations
Compliance checklists
Future certification programs may be developed as the ecosystem matures.
Limitations
Regulatory Boundaries
ToIP is not a regulatory body and cannot enforce compliance. The foundation develops voluntary standards and frameworks. Regulatory authority remains with government agencies and industry regulators. ToIP specifications may be referenced by regulations but do not themselves carry legal force.
Implementation Neutrality
ToIP maintains implementation neutrality, meaning specifications define requirements without mandating specific implementation approaches. Multiple implementations in different programming languages and architectures are encouraged, provided they meet specification requirements.
Ecosystem Autonomy
While ToIP provides foundational specifications and governance frameworks, individual ecosystems retain autonomy over their specific implementations and governance decisions. ToIP does not control how ecosystems apply its specifications or govern their operations.
Trust Decisions: User-driven verification and acceptance
ToIP Design Goals and Principles
Security Prioritization
ToIP explicitly prioritizes security properties in the following order:
Priority Order:
Authenticity: Cryptographic proof of origin and integrity (highest priority)
Confidentiality: Protection of content from unauthorized access
Privacy: Protection of metadata and correlation (optimized within constraints)
This prioritization reflects the PAC Theorem (Privacy, Authenticity, Confidentiality), which states that systems can achieve any two properties at the highest level but not all three simultaneously.
End-Verifiability
ToIP specifications emphasize end-verifiability—the ability for any party to cryptographically verify claims without relying on trusted intermediaries. This principle drives:
End-Verifiability Requirements:
Self-certifying identifiers (KERI AIDs)
Cryptographically verifiable data structures (KELs, ACDCs)
Ambient verifiability (any-data, any-where, any-time, by any-body)
Transition specifications from Draft to Approved status
Develop comprehensive test suites and conformance criteria
Expand reference implementations across programming languages
Establish formal certification programs
Ecosystem Growth
ToIP supports growth of trust ecosystems beyond vLEI:
Ecosystem Development:
Supply chain traceability and provenance
Healthcare credential exchange
Educational credentials and transcripts
Government identity and authorization
Financial services and regulatory compliance
Governance Evolution
Governance frameworks continue maturing:
Governance Priorities:
Refined governance metamodels and templates
Legal and regulatory compliance guidance
Risk assessment and audit frameworks
Cross-ecosystem interoperability governance
Conclusion
The Trust over IP Foundation serves as the primary standardization and governance body for KERI-based decentralized identity infrastructure. Through its four-layer architecture combining technical specifications and governance frameworks, ToIP provides the foundation for Internet-scale digital trust. The foundation's work enables ecosystems like GLEIF's vLEI to implement production-grade verifiable credential systems while maintaining interoperability, security, and governance best practices. As the KERI ecosystem matures, ToIP's role in coordinating specification development, fostering community collaboration, and ensuring intellectual property protection becomes increasingly critical to the success of decentralized identity infrastructure globally.
Legal review of contributor agreements
Integration Patterns
With Existing Systems
Legacy Integration:
Use ToIP specifications as overlay on existing infrastructure
Implement KERI witnesses and watchers alongside traditional PKI
Migrate credentials to ACDC format incrementally
Maintain interoperability with non-ToIP systems during transition
With Other Standards
Standards Coordination:
Map ToIP concepts to W3C VC terminology
Implement did:webs for web-based DID resolution
Use ISO standards for organizational identity (LEI)