# Credential Layer

#### **2.4.1 The Role of Credentials in NSF**

Credentials are the primary interface between **governance logic and actionable rights** in NSF. They represent:

* Licenses
* Permissions
* Certifications
* Delegations
* Evidence of compliance
* DAO roles
* Simulation authorship
* Risk domain authority

But unlike traditional credentials (PDFs, badges, or government IDs), NSF credentials are:

* **Verifiable** using cryptographic proofs
* **Bound to clause execution logic**
* **Issued and revoked by governance-controlled actors**
* **Portable across institutions, jurisdictions, and systems**

The Credential Layer ensures every entitlement in the system is **traceable, permissioned, revocable, and governed**.

***

#### **2.4.2 W3C Verifiable Credentials (VCs) as Canonical Format**

NSF adopts and extends the W3C VC standard, ensuring compatibility with:

* Global identity networks
* Decentralized identity frameworks (DIDComm, Sovrin, EBSI, etc.)
* Credential wallets and verifier APIs
* ZK-compatible credential presentations

Every credential in NSF includes:

| Field               | Purpose                                                                      |
| ------------------- | ---------------------------------------------------------------------------- |
| **Issuer DID**      | Identity of credential authority                                             |
| **Subject DID**     | Holder (person, machine, institution)                                        |
| **Context**         | Domain schema reference                                                      |
| **Credential Type** | E.g., `FlightLicenseVC`, `WaterSafetyComplianceVC`, `DisasterZoneOperatorVC` |
| **Valid From / To** | Enforced by clause or credential schema                                      |
| **Proof**           | Signature + optional ZK bundle                                               |
| **Clause Link**     | The CAC or Smart Clause that triggered issuance                              |
| **Revocation Link** | Revocable via governance-signed attestation                                  |

***

#### **2.4.3 Credential Lifecycle in NSF**

1. **Trigger**: A clause executes (e.g., training completed, inspection passed)
2. **CAC Generated**: Clause-Attested Compute record is signed
3. **Credential Issued**: By authority with role-gated permissions
4. **Credential Used**: By agent, system, or DAO
5. **Revocation (if needed)**: Based on another clause or governance decision
6. **Audit Logged**: All actions signed, time-stamped, and stored in credential registry

This ensures credentials are **not claimed—they are earned, governed, and provable**.

***

#### **2.4.4 DID Anchors and Identity Governance**

NSF uses **Decentralized Identifiers (DIDs)** for all subjects:

* Individuals
* Autonomous agents
* Institutions
* DAO nodes
* Data providers
* Simulations
* Jurisdictions

Each DID:

* Has one or more associated credentials
* Is linked to governance logs and credential registries
* Can be **rotated, retired, or delegated** per clause or DAO policy
* May support **on-chain, off-chain, or hybrid resolution** for multi-network interoperability

DID documents in NSF include:

* Service endpoints
* Credential index
* Trust anchor paths
* Public keys and rotation logic
* Governance DAO affiliation

***

#### **2.4.5 Credential Types and Domains**

NSF includes modular credential classes for:

| Category             | Examples                                                    |
| -------------------- | ----------------------------------------------------------- |
| **Legal Authority**  | `SovereignRegulatorVC`, `MunicipalInspectorVC`              |
| **Licensing**        | `MedicLicenseVC`, `PilotCredentialVC`, `HazmatVC`           |
| **Simulation Role**  | `ClimateSimAuthorVC`, `RiskValidationPeerVC`                |
| **DAO Governance**   | `ClauseProposerVC`, `MultisigDelegateVC`                    |
| **Execution Role**   | `TEEValidatorVC`, `CredentialIssuerVC`                      |
| **Compliance**       | `FoodSafetyComplianceVC`, `ExportReadyVC`, `EmissionPassVC` |
| **Revocation Agent** | `CredentialRevokerVC`, `JurisdictionDisputerVC`             |

Every type is versioned, governed by schema clauses, and tracked in the **Global Credential Registry**.

***

#### **2.4.6 Credential Revocation and Suspension**

Credential revocation is **not discretionary**—it must follow a **revocation clause** or governance trigger.

Revocation includes:

* Signed attestation
* Reference to clause or simulation violation
* Optional ZK inclusion for privacy
* Public or private propagation depending on domain
* Anchoring in the **Revocation Registry**

Suspended credentials cannot be used for clause execution, DAO voting, or role enforcement until revalidated.
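A verifier-side check that combines the fields from 2.4.2 with the revocation and suspension rule above, added here as an example and not NSF's own code. The JSON keys follow the W3C VC 2.0 data model; `clauseLink`, the string-valued `credentialStatus`, the in-memory status registry and the HMAC proof (a standard-library stand-in for an issuer's public-key signature) are assumptions.

```python
import hashlib, hmac, json
from datetime import datetime, timezone

# W3C VC 2.0 keys plus "clauseLink", a hypothetical name for the page's Clause Link.
REQUIRED = ("@context", "type", "issuer", "credentialSubject", "validFrom",
            "validUntil", "clauseLink", "credentialStatus", "proof")

def sign(vc, key):
    # Stand-in proof: HMAC-SHA256 over sorted-key JSON, not a real VC proof suite.
    body = {k: v for k, v in vc.items() if k != "proof"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify(vc, issuer_keys, status_registry, now):
    """Return (ok, reason); fails closed on missing fields or unknown status."""
    missing = [f for f in REQUIRED if f not in vc]
    if missing:
        return False, "missing:" + ",".join(missing)
    key = issuer_keys.get(vc["issuer"])  # issuer assumed to be a DID string
    if key is None:
        return False, "untrusted-issuer"
    if not hmac.compare_digest(sign(vc, key).encode(), str(vc["proof"]).encode()):
        return False, "bad-proof"
    start = datetime.fromisoformat(vc["validFrom"])
    end = datetime.fromisoformat(vc["validUntil"])
    if not start <= now <= end:
        return False, "outside-validity-window"
    # Revoked and suspended credentials are both unusable until revalidated.
    status = status_registry.get(vc["credentialStatus"], "unknown")
    if status != "active":
        return False, "status:" + status
    return True, "ok"

# Constructed sample data (DIDs, key, clause and status ids are placeholders).
KEYS = {"did:example:regulator": b"constructed-demo-key"}
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

def make_sample():
    vc = {"@context": ["https://www.w3.org/ns/credentials/v2"],
          "type": ["VerifiableCredential", "FlightLicenseVC"],
          "issuer": "did:example:regulator",
          "credentialSubject": {"id": "did:example:pilot-7"},
          "validFrom": "2025-01-01T00:00:00+00:00",
          "validUntil": "2025-12-31T23:59:59+00:00",
          "clauseLink": "urn:example:cac:0001",
          "credentialStatus": "urn:example:status:42"}
    vc["proof"] = sign(vc, KEYS[vc["issuer"]])
    return vc
```

The status lookup runs last and treats an absent registry entry as a failure, so a credential whose signature and dates are valid is still rejected when its revocation state cannot be confirmed.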

***

#### **2.4.7 Privacy and ZK Credential Presentations**

In sensitive domains (e.g., health, finance, refugee protection), NSF supports:

* **Selective disclosure**: Proving attributes without exposing full credential
* **ZK credential proofs**: Showing “I hold a valid `AidWorkerCredentialVC` for Country X” without revealing name, institution, or ID
* **Pseudonymous governance participation**: Role-based DAO voting with verifiable ZK attestations

These are governed by **clause-defined privacy and revocation logic**, ensuring privacy and accountability co-exist.

***

#### **2.4.8 Interoperability and Wallet Integration**

Credentials are compatible with:

* W3C DID and VC standards
* Mobile-first and humanitarian credential wallets
* Sovereign identity stacks (e.g., Aadhaar+, EBSI, MOSIP)
* OpenID Connect and OAuth2-compatible ID layers

Each NSF deployment can define:

* Accepted credential issuers
* Resolution registries
* Expiry conditions
* Credential translation or cross-certification policies

***

#### **2.4.9 Audit Trails and Credential Provenance**

All credential issuance and usage actions are:

* Logged in the **Credential Audit Layer**
* Linked to specific Smart Clause executions (via CAC ID)
* Stored as part of the subject’s governance trace
* Queryable under jurisdictional access policies
* Forkable for reissuance under system transitions

Credentials in NSF are **not just artifacts—they are institutional memory, verified in real time, with full provenance.**

***

#### **2.4.10 The Credential Layer as Institutional Trust Fabric**

NSF’s Credential Layer ensures:

* **No role is assumed without clause-bound logic**
* **No credential is valid without execution context**
* **No permission is permanent or non-revocable**
* **All identities—human or machine—are governed transparently**
* **Credential issuance, usage, and revocation are publicly attestable**

It is the **interface between governance and agency**, between machine enforcement and human rights, and between trust and verifiability.

Without the Credential Layer, NSF would have no actors.\
With it, every actor is **verifiably governed, transparently accountable, and cryptographically empowered.**

