T-01: Identity & Credential Layer

T-01: Identity & Credential Layer
W3C DID 1.1
Decentralized Identifiers. Every participant (human, organisation, AI agent, IoT sensor) has a DID. CTH uses 
did:web for organisations and 
did:key for ephemeral agent sessions.
cth:FPICCredential (CTH-original)
A W3C VC 2.0 credential encoding Free Prior and Informed Consent. Fields: 
territoryId (links to official IGN cadastral ID), 
permittedPurposes[] (e.g. ['eudr','csrd']), 
benefitSharingTerms (hash of signed agreement), 
revocable: true. The community council holds the signing key — stored in their own HSM or managed key service, not CTH infrastructure.
W3C VC 2.0 with BBS+ Selective Disclosure
Verifiable Credentials allow coffee buyers to prove EUDR compliance without revealing GPS coordinates to competitors. BBS+ signatures enable selective disclosure — present only the fields the verifier needs.
OID4VP (OpenID for Verifiable Presentations)
Presentation protocol used by the compliance export API. EU customs systems can request a Verifiable Presentation containing only the EUDR-relevant fields, verified against the issuer DID.
Credential Type
Issued By
Held By
Expires
Revocable
cth:SubmitterCredential
CTH Accreditation Svc
Data Submitter
12 months
Yes — by CTH Steward
cth:ValidatorCredential
CTH Accreditation Committee
Accredited Validator
24 months
Yes — by Governance Board
cth:CommunityCredential
CTH + Community Council
Community Sovereign
Indefinite
Yes — by Community only
cth:StewardCredential
Governance Board
CTH Staff Member
12 months
Yes — by Board vote
cth:AuditorCredential
CTH (on regulatory mandate)
Regulator
Audit scope only
Yes — auto-expires
cth:AgentCredential
Delegating human DID
AI Agent / Script
Human session
Yes — immediate