npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2025 – Pkg Stats / Ryan Hefner

trusted-issuer-registry

v0.1.3

Published

Registry of trusted credential issuers

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

kalegdkalegd

Keywords

digital-credentialsw3cmdocmobile-ididentity-verificationdigital-idid-verificationcredential-managementcredential-issuer

Readme

Trusted Issuer Registry

A comprehensive registry of digital credential issuers sourced from authoritative trust lists. This registry provides cryptographically signed issuer metadata to enable secure digital credential verification across various platforms and applications.

Overview

The Trusted Issuer Registry aggregates and validates issuer information from multiple authoritative trust lists, including:

  • AAMVA DTS - American Association of Motor Vehicle Administrators' Digital Trust Service
  • UV - Universal Verify's compilation of Apple recommended issuers for digital credential verification

All issuer data is cryptographically signed to ensure integrity and authenticity, providing a reliable foundation for digital credential verification systems.

Trust Model

This registry operates on a robust trust model designed for enterprise and financial applications:

  • Cryptographic Verification: All issuer metadata is signed using NIST P-256 (prime256v1) curve
  • Immutable Audit Trail: All changes are publicly auditable via GitHub's commit history
  • Vetted Sources: Only issuers from carefully vetted trust lists are included
  • Transparent Governance: Clear policies for inclusion, removal, and updates

For detailed information about our trust model and risk considerations, see:

Usage

NPM Module (Recommended)

Install the package:

npm install trusted-issuer-registry

Use the JavaScript SDK:

import TrustedIssuerRegistry from 'trusted-issuer-registry';

const registry = new TrustedIssuerRegistry();

// Get issuer by X.509 AKI
const issuer = await registry.getIssuerFromX509AKI('TprRzaFBJ1SLjJsO01tlLCQ4YF0');
if (issuer) {
    console.log('Issuer found:', issuer.display.name);
    console.log('Entity type:', issuer.entity_type);
    console.log('Certificates:', issuer.certificates.length);
    //Verify signature of your digital credential against the issuer's certificates
}

// Check for deprecation notices
const endOfLifeDate = await registry.getEndOfLifeDate();
if (endOfLifeDate) {
    console.log('Registry will be deprecated on:', endOfLifeDate);
}

Direct HTTP Access

You can also access issuer data directly via HTTP requests to a CDN:

# Get issuer by X.509 AKI
curl https://cdn.jsdelivr.net/npm/[email protected]/x509_aki/TprRzaFBJ1SLjJsO01tlLCQ4YF0.json

# Check deprecation notice
curl https://cdn.jsdelivr.net/npm/[email protected]/deprecation_notice.json

The URL format is:

https://cdn.jsdelivr.net/npm/trusted-issuer-registry@{minor_version}/x509_aki/{x509aki}.json

Replace {minor_version} with the current minor version (e.g., 0.0) and {x509aki} with the X.509 Authority Key Identifier.

Issuer Data Format

Each issuer entry follows the schema defined in trusted-issuer.schema.json. Here's an example:

{
  "issuer_id": "x509_aki:o6sbAJOdtI7_VxKIDCy1e7kIXaM",
  "entity_type": "government",
  "entity_metadata": {
    "country": "US",
    "region": "AZ",
    "government_level": "state",
    "official_name": "Arizona Department of Transportation"
  },
  "display": {
    "name": "Arizona Department of Transportation"
  },
  "certificates": [
    {
      "data": "-----BEGIN CERTIFICATE-----\n...",
      "format": "pem",
      "trust_lists": ["uv", "aamva_dts"]
    }
  ],
  "signature": "..."
}

Fields Explained

  • issuer_id: Unique identifier used by digital credentials to reference issuers/certificates
  • entity_type: Type of organization (government, commercial, educational, etc.)
  • entity_metadata: Additional metadata about the entity
  • display: Human-readable display information
  • certificates: Array of certificates using the given AKI
  • trust_lists: Source trust lists that vouch for this issuer

For the complete schema definition, see trusted-issuer.schema.json.

Versioning and Deprecation

The registry uses semantic versioning with the following approach:

  • Minor version updates indicate schema changes or breaking updates
  • Deprecation notices are published for old minor versions 90 days in advance of its end-of-life date
  • Old minor versions will continue to receive issuer updates until the end-of-life date

Checking for Deprecation

const registry = new TrustedIssuerRegistry();
const endOfLifeDate = await registry.getEndOfLifeDate();

if (endOfLifeDate && endOfLifeDate < new Date()) {
    console.warn('This registry version has been deprecated');
}

Or check directly:

curl https://cdn.jsdelivr.net/npm/[email protected]/deprecation_notice.json

The deprecation notice format is:

{
  "end_of_life": 1761782400
}

Where end_of_life is a Unix timestamp in seconds indicating when the current version will be deprecated.

Future Support

Currently, the registry supports X.509 certificate-based issuers. Support for W3C Decentralized Identifiers (DIDs) will be added as trusted issuers begin adopting this standard.

Security Considerations

  • All issuer data is cryptographically signed
  • Signing certificate for verification is included in the package
  • Transparent change control via GitHub pull requests

Contributing

We welcome contributions from the community. Please see our Trust Policy for information about requesting support for new trust lists.

Are you a security expert or a company with a security team? We'd love to list you as a contributor in this README in exchange for a security review.

License

This project is licensed under the Mozilla Public License 2.0.