Currently, the application provides as a option, the ability to configure a keystore that contains trust anchors (root certificates). This is used during validation of the wallet response (which contains the Verfiable Presentation) to check the Issuer's signature (both for mso_mdoc and sd-jwt-vc formats).

This keystore can be populated with the contents of the Trusted Lists as specified by ETSI 119 612

• Spec
• XML Schema

Probably we are going to need more than one keystores, given that ARF defines 3 kinds of EAA providers (issuers).

Changes:

• There should be three distinct keystores. Each keystore will contain the trusted issuers.
• There should be an association between well-known credentials like PID or mDL (regardless of format) to one of the above keystore. This should be a configurable deployment option (for instance in JSON or YAML)
• While validating the issuer's trust during a presentation, the app must peek the appropriate keystore(s) according to the credential(s) presented, based on the above association.
• The population of the keystores from the respective LOTL(s) is orthogonal to the above requirements.