Publishing Trust Anchor Details at an Internet Domain

Ty Everett (


This document outlines a protocol that allows an entity to publish trust anchor details, including a public key, at a location on the internet. The information is stored in the /manifest.json file of the domain. This approach provides a user-friendly method for individuals to easily retrieve a trusted entity's public key by entering a known domain name.


The internet today has an increasingly complex landscape of entities that users may or may not trust. As systems decentralize, the need to independently verify the identity of a digital entity becomes vital. By allowing entities to publish trust details at known locations (their domains), users are provided with a recognizable and straightforward method to retrieve and validate their public keys, hence building a more trustable web.


Location & Protocol

  1. The trust anchor details MUST be published in a file named manifest.json.

  2. The manifest.json file MUST be hosted using the HTTPS protocol. Plain HTTP is not supported.

  3. Only Fully Qualified Domain Names (FQDNs) are supported for hosting the manifest.json file.

Data Structure

The trust details should be stored under the key babbage in the manifest.json file. Under the babbage key, the trust object should be defined with the following properties:

  • name: The human-readable name of the entity.

  • note: A brief note describing the role or function of the entity.

  • icon: A URL pointing to an icon image representing the entity.

  • publicKey: The public key of the entity in hexadecimal format.

Validation Rules

  1. name

    • MUST be a string.

    • MUST contain between 5 to 30 characters, inclusive.

  2. note

    • MUST be a string.

    • MUST contain between 5 to 50 characters, inclusive.

  3. icon

    • MUST be a valid image URL.

    • Should be accessed over HTTPS.

  4. publicKey

    • MUST be a string in DER format.

    • MUST be compressed.

    • MUST use the secp256k1 elliptic curve.

    • The string should start with either "02" or "03".

    • MUST be in hexadecimal format, and 66 characters in length (including the starting "02" or "03").


Here is a valid example of a manifest.json containing the trust anchor details:

  "name": "SigniCert",
  "babbage": {
    "trust": {
      "name": "SigniCert",
      "note": "Certifies legal first and last name, and photos",
      "icon": "",
      "publicKey": "0295bf1c7842d14babf60daf2c733956c331f9dcb2c79e41f85fd1dda6a3fa4549"

For this example:

  • name is "SigniCert", which has a length between 5 and 30 characters.

  • note has a length between 5 and 50 characters.

  • icon points to an image hosted over HTTPS.

  • publicKey is a compressed DER-encoded key using the secp256k1 curve, starting with "02" and is 66 characters long.


This technical specification provides a comprehensive framework for entities to publish trust anchor details at a known internet domain. By adhering to the defined structure and validation rules, we ensure a standardized method for users to access and trust these details. This is a step towards creating a more transparent and trustable digital landscape.

Last updated