This document maps the TRQP Security & Privacy Baseline (TSPP) to the Trust Systems Meta Model (TSMM).

Within TSMM terms, TRQP-TSPP is primarily about:

Its center of gravity is therefore operator-side trust infrastructure assurance. In the current stack, TSMM defines the abstract concepts, while trust-infrastructure-schemas provides the canonical machine-readable trust artifact layer that TSPP-aligned deployments can reference alongside protocol-specific metadata.

| TSMM concept | TRQP-TSPP instantiation |
|---|---|
| Governance Context | TRQP ecosystem and Assurance Hub-aligned operating context |
| Profile | security and privacy baseline for TRQP deployments |
| Requirement | profile requirements and stable control IDs |
| Entity | trust registry operator, directory service, relying client, bridge participant |
| Role | operator, query provider, verifier, client |
| Authority | authority to expose a query interface and publish trust-relevant metadata within governance constraints |
| Artifact | OpenAPI contract, metadata declaration, signed response envelope, bridge fixture, conformance report |
| Claim | service freshness, context constraints, signed response support, assurance posture, bridge equivalence |
| Policy | profile-required fields and headers, freshness semantics, context allowlisting, deployment guidance |
| Control | anti-enumeration expectations, rate-limiting evidence, authentication support, signed-envelope requirements, safe bridge behavior |
| Threat | enumeration, correlation, spoofed responses, unsafe exposure, bridge inconsistency |
| Evidence | evidence bundles, traceability material, JSON conformance results, deployment artifacts, test outputs |
| Assessment | posture evaluation against profile requirements and evidence expectations |
| Verification | pytest-based harness validation, schema checks, metadata checks, optional bridge-equivalence testing |
| Level Framework | assurance-level-parameterized expectations, with AL semantics sourced externally rather than redefined locally |
| Trust Decision | deployment passes or fails profile expectations at a required posture |
| Effect | relying systems may consume registry output with confidence appropriate to the validated posture |
| Lifecycle Event | registration, metadata update, signed-response enablement, bridge change, reassessment, remediation closure |

Projects that are not implementing TRQP directly can still reuse the TSPP pattern through TSMM by adopting the following generic structure:

TRQP-TSPP can continue to define protocol- and deployment-specific controls, but it no longer needs to pretend it is the source of truth for generic trust artifact classes. Those concrete artifact definitions belong in trust-infrastructure-schemas, while TSMM explains why those artifacts exist and how they relate to policy, evidence, and effect.