Brought to you by Identity Woman and Infominer.
Support this collaboration on Patreon!!
This appears atop a DuckDuckGo search. A few years ago, numbers 1 and 2 would have been down next to number 6.
I wrote a chapter on Agency in The Intention Economy because back then (2012) the word mostly meant an insurance or advertising business. The earlier meaning, derived from the Latin agere, meaning “to do,” had mostly been forgotten.
Now agency is everywhere, and is given fresh meaning with the adjective agentic.
We can thank AI for that. The big craze now is to have AI agents for everything, and to make all kinds of stuff “agentic,” using AI.
Including each of us. We should all maximize our agency with our own personal AI.
With that in mind, and thinking toward upcoming conferences on AI (and our own VRM Day, this coming October 19th ), I just added this section to the VRM Development Work page in our wiki:
Personal AIBalnce.ai † “Your personal AI, your loyal agents and a network that makes your data work for you.”
Base.org “Base is built to empower builders, creators, and people everywhere to build apps, grow businesses, create what they love, and earn onchain.”
Decentralized AI Agent Alliance “…offers a compelling alternative, giving individuals sovereignty, including ownership of their identity and data.”
GPTbuddy “Human in the loop AI” ([1] @GPTbuddy) is in development by FractalNetworks.
Kwaai “a volunteer-based AI research and development lab focused on democratizing artificial intelligence by building open source Personal AI.” Also, KwaaiNet “AI running distributed on a P2P fabric,” now (July 2025) with Verida “Create and deploy personalized AI agents with secure data connectors, custom knowledge bases, and configurable inference endpoints.”
NANDA: The Internet of AI Agents “Pioneering the Future of Agentic Web.”
The AI Alliance “building and advancing open source AI agents, data, models, evaluation, safety, applications and advocacy to ensure everyone can benefit.”
Please add more, or make corrections on what’s there. If you don’t have editing privileges, just write to me and I’ll make the changes. Thanks!
The Digital ID & Authentication Council of Canada is a public–private coalition working to advance a trusted Canadian digital economy through open, industry-driven frameworks for identity, authentication, and trust services. DIACC stewards the Pan‑Canadian Trust Framework™ (PCTF). This consensus-developed, living industry standards-based framework aligns with national priorities and global norms to support interoperability, privacy, and digital trade readiness across sectors and borders.
Addressing the Consultation ScopeThe consultation invites input on digital trade topics such as:
Digital identities, trust services, and authentication Electronic transactions and e‑signatures Cross‑border data flows and localization requirements Consumer protection, fraud prevention, and cybersecurity Digital inclusion and participation of MSMEs Artificial intelligence and emerging technologies Standards, interoperability, and regulatory alignmentThis submission addresses each of these priority areas with a clear emphasis on the role of the PCTF and industry‑led standards in advancing Canada’s trade, regulatory predictability, and inclusion objectives.
Executive Summary of Recommendations Mutual Recognition of Industry Standardized Trust FrameworksIndustry frameworks, such as the PCTF, serve as deployable tools within a broader toolkit that includes national and international standards. While ISO or eIDAS establish global principles, industry-led standards:
Translate principles into workable operational guardrails (e.g. technical protocols, risk models). Accelerate adoption through flexible, market-driven updates. Preserve national sovereignty by ensuring Canadian-made governance structures retain accountability and transparency. Bridge jurisdictional or regulatory gaps. And prepare the ground for future alignment or recognition.In the Canada-EU context, the PCTF has the scale, backing, and governance necessary to serve as a core commercial interoperability engine alongside formal standards.
Alignment with Consultation Topics Digital Identities, Trust Services & Electronic Transactions Support mutual recognition of digital credentials and trust service providers under eIDAS 2.0 and PCTF. Promote technology-neutral, cross-recognized approaches to e‑signatures and authentication. Enable market actors to use Canadian or EU‑based trust providers under harmonized rules, fostering innovation and consumer confidence. Cross‑Border Data Flows & Localization Advocate for privacy-respecting data mobility in sectors like real estate, energy, finance, and logistics. Oppose unnecessary data localization requirements that add cost without commensurate privacy or security gains. Ensure that Canadian data flows operate in accordance with Canadian laws and values, even when exchanged across borders. Encourage alignment of privacy and cybersecurity approaches that preserve trust and legal clarity. Cybersecurity, Fraud Prevention & Consumer Protection Recommend the adoption of shared fraud scoring, risk assessment, and identity verification frameworks. Embed privacy‑by‑design principles into digital transactions and identity services. Coordinate cross-jurisdictional responses to cyber incidents, identity theft and digital scams.Standards & Interoperability Promote adoption of open international standards for identity, authentication, data portability, and interoperability. Explicitly include industry‑driven frameworks, such as PCTF, as recognized tools for implementation. Ensure Canada retains the ability to define, adapt, and govern its digital identity and trust frameworks independently, in alignment with national law, values, and economic strategy. Leverage PCTF to reduce regulatory fragmentation and increase interoperability across sectors. Digital Inclusion & MSME Access Ensure MSMEs can access affordable, certified trust services for cross-border commerce. Support inclusive access in underserved communities, including rural and Indigenous, via interoperable service models and affordable trust credentials. Artificial Intelligence & Responsible Data Use Align responsible AI principles for trust services and risk modelling, emphasizing transparency, fairness, and accountability. Apply these principles to AI-enabled identity verification tools used in cross-border trade and digital wallets. Sectoral Impact Examples SectorBenefit from Mutual Recognition of PCTF & eIDASHousingStreamlined mortgage and property transactions; AML compliance with reduced frictionEnergy & ResourcesCertified credentials for emissions tracking, trade, and grid interoperabilityFinance & InsuranceReduced friction in cross-border lending, payments, and claims processingPublic Safety & HealthTrusted sharing of credentials for emergency response and cross-border healthcare ConclusionCanada has a unique opportunity, through this consultation, to shape a forward-looking Digital Trade Agreement with the EU, one that prioritizes trust, privacy, interoperability, digital sovereignty, and inclusion.
By integrating Canadian-governed, industry-led standard frameworks, such as the PCTF, into this toolkit alongside national and international norms, Canada can lead in building a scalable, resilient, and trusted digital trade architecture, without compromising its ability to govern its digital future.
DIACC welcomes further collaboration to refine the role of PCTF in Canada’s digital trade strategy and ensure that Canadian businesses, especially MSMEs, can participate confidently in secure, cross-border digital commerce.
The E-ID proposal of 2019 was a classic own goal: privatized, centralized, and with privacy on the back burner. The result in March 2021: a resounding 64% No. The Swiss people didn’t want a “private flavour” national digital identity. Rightly so.
Now, with the new BGEID (2025), Switzerland has made a serious course correction. Instead of half-baked privatization, there is now full state authority, privacy-by-design, and open source. The E-ID resides only on the smartphone in the user’s wallet – not in some cloud run by whoever. Age verification? No longer “name + date of birth correlated with a profile,” but simply “over 18.”
Even more exciting: this is no longer just about an E-ID, but about a trust infrastructure. Driver’s licenses, diplomas, tickets – all digital, tamper-proof, in your own wallet. A federal network-of-networks in which municipalities, cantons, universities, companies, or associations can issue their own credentials.
In short: Switzerland is finally translating its political DNA motto “diversity through federalism” into the digital realm. And this was not cooked up in a backroom, but through a participatory process with NGOs, business, academia, and civil society. Democratically legitimized, technically modern, internationally interoperable.
But here’s the real point: the E-ID is only the key – the lock and the doors are built by the ecosystem. A digital identity alone is of little use if it cannot be applied anywhere. Everyday value emerges only when government, business, and society actively use this infrastructure – with credentials we still carry around on paper today: from residence certificates to debt enforcement extracts, from bank guarantees to e-prescriptions and medical reports. Only then does SWIYU become a universal tool for secure, privacy-preserving, and efficient processes.
The ecosystem does more than create convenience – it strengthens trust: less fraud, less bureaucracy, more automation, genuine freedom of choice, and strict data minimization. That’s the difference compared to the old proposal – and compared to global login solutions offered by tech giants. Without an ecosystem, the E-ID remains a key without doors. With a broadly established ecosystem, it becomes a digital public service, open to innovation and anchored in Swiss values.
For those who want to dig deeper: we’ve compared the 2019 proposal and the new 2024 BGEID in detail (to the best of our knowledge). The document shows in black and white why the new E-ID is not a reheated version, but a true paradigm shift – from a private product to a state trust infrastructure.
The bottom line?
For citizens: more sovereignty, stronger privacy, less “Big Brother” feeling.
For the economy: legal certainty, less dependency, more innovation.
For Switzerland: digital infrastructure as a public service – as essential as roads, bridges, water, and electricity.
Resources:
Read/Download our Comparison: BGEID 2021 vs. 2025
The two-week voting period will be between Wednesday, September 10, 2025 and Wednesday, September 24, 2025, once the 60 day review of the specification has been completed.
The FAPI working group page: https://openid.net/wg/fapi. If you’re not already a member, or if your membership has expired, please consider joining to participate in the approval vote. Information on joining the OpenID Foundation can be found at https://openid.net/foundation/benefits-members/.
The vote will be conducted at https://openid.net/foundation/members/polls/379
Marie Jordan – OpenID Foundation Secretary
The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.
The post Notice of Vote to Approve Proposed FAPI 2.0 Message Signing Final Specification first appeared on OpenID Foundation.
Carter’s just pulled off what many retailers thought was impossible.
In only three months, the iconic children’s apparel brand rolled out RFID technology across 700 stores: improving accuracy on every item and making life easier for both store teams and customers. In this episode, Gina Maddaloni and Anna Marie Blackburn from Carter’s join hosts Reid Jackson and Liz Sertl to discuss how RFID became central to Carter’s retail operations, what it took to win buy-in across the company, and how it is improving both inventory management and customer experience.
You’ll also hear how Carter’s uses RFID to cut payroll costs for year-end inventory by 50 percent, why the rollout became a recruiting tool for store teams, and where the company sees new opportunities to extend RFID into supply chain operations.
In this episode, you’ll learn:
How Carter’s achieved one of the fastest RFID deployments in retail
Why RFID is no longer “too complex” or “too expensive”
What’s next as Carter’s expands RFID use into its supply chain operations
Jump into the conversation: (00:00) Introducing Next Level Supply Chain (01:29) Anna Marie and Gina’s backgrounds (03:52) What RFID technology means for retail (06:47) The process of rolling out RFID across Carter’s stores (13:21) RFID’s impact on Carter’s operational efficiency (17:49) RFID as a recruiting tool for store teams (18:54) Asset protection benefits and peace of mind (19:34) Expanding RFID into DC operations (21:35) What’s next, Carter’s move toward serialization (23:01) Advice for companies starting their RFID journey (24:02) Busting RFID myths: cost, complexity, and adoption (26:29) Favorite tech beyond RFID (29:22) What Gina and Anna Marie want to learn next
Connect with GS1 US: Our website - www.gs1us.org GS1 US on LinkedIn
Connect with the guests: Gina Maddaloni on LinkedIn Anna Marie Blackburn on LinkedIn Check out Carter’s
Learn more about the GS1 US Solution Partner Program: https://www.gs1us.org/industries-and-insights/partners
Read the full case studyhere.
Around the world, governments are deploying blockchain as a way to restore public trust and deliver citizen services more effectively. From EBSI in Europe, to LACChain in Latin America, to Rede Blockchain Brasil (RBB), a common decision stands out. They all chose Ethereum—specifically, Besu, an open-source project hosted by LF Decentralized Trust—as the backbone of their public sector blockchain networks.
Why Ethereum? The choice was not accidental and this multi-regional case study highlights some of the reasons why. Drivers include building on the proven and familiar infrastructure with Ethereum, the world’s most widely adopted smart contract platform, flexibility and long-term optionality for Public and Permission use, vendor neutrality, and compatibility with global standards.
__
In the second of a series of guest posts by DIF Ambassador Misha Deville, Misha explores how decentralized identity provides the missing trust infrastructure needed for AI systems to scale delegation, personalization, and content authenticity. Read the first post in the series, "The Missing Growth Lever."
Everyone is talking about the promises of AI. Faster decisions, tailored experiences, intelligent agents. But delivering on that promise requires more than powerful models. It requires trusted infrastructure.
AI systems create value through delegation, personalisation, and decision-making. Yet these capabilities can’t scale consentfully or securely without the ability to prove who the system is working for (context), what it’s been authorised to do (consent), or whether its outputs can be trusted (credibility). Decentralised identity models and verifiable credentials can provide the missing infrastructure to ensure AI systems can deliver on their promises.
Agentic Delegation at Scale“To scale humans, we deploy agents. But to scale agents, we must manage them like humans.”[1] - Director Product Management, Writer.
Agentic AI is no longer a future proposition, it’s a present bottleneck. Organisations are deploying more autonomous agents, but they’re hitting “scaling cliffs” as agents multiply faster than their supervision and governance systems can manage them. Unlike APIs or scripts, agents are semi-autonomous systems with memory, tool access, and significant sensitive data exposure. Without clear scopes, audit trails, or authority checks, most delegation turns into vast liability surfaces, and a system of patchwork permissions quickly becomes unmanageable.
As Huang et al. write, ““Failure to address the unique identity challenges posed by AI agents operating in Multi-Agent Systems (MAS) could lead to catastrophic security breaches, loss of accountability, and erosion of trust in these powerful technologies”[2].
Most AI systems today are still rooted in prediction, but this is rapidly shifting toward delegated action. The agentic AI market has already reached $13.8 billion in 2025, and as agents start taking action, the question becomes: who is acting, on whose behalf, and under what authority?
‘Authenticated delegation’ enables third parties to verify that:
“(a) the interacting entity is an AI agent, (b) that the AI agent is acting on behalf of a specific human user, whether pseudonymised or identifiably known, and (c) that the AI agent has been granted the necessary permissions to perform specific actions”.[3]This sounds simple, but delegated ‘trust’ doesn’t end with a single permission. Especially in asynchronous flows or agent-to-agent communication, it must be enforced dynamically over time.
Most systems today use token-based models, like OAuth, that assume trust within a known and bounded hierarchy is established when a token is issued, and meaningful wherever invoked. Once the token is delivered however, there is no enforcement that the agent will continue to act within its authorised scope over time, or the domain within which it is meaningful. A delegation-first model like ZTAuth, or other Authorization languages based on Object Capabilities (e.g. ZCaps, UCAN, Hats Protocol), adds runtime checks, making sure agents are still trusted, acting on behalf of the right user, and following the right rules, every time they take an action rather than with a token's expiry period.
Similar ideas are emerging in The MIT Computer Science and AI Lab’s framework for ‘Identity-Verified Autonomous Agents’, which introduces cryptographic proofs of authority and full auditability into multi-agent workflows2. Meanwhile, projects like the A2A protocol are building agent registries to support discovery, entitlements, and secure agent-to-agent communication across trust boundaries and OAuth-style enterprise hierarchies[4].
At the standards level, DIF’s Trusted AI Agents Working Group is building open specifications to support these use cases. Their work spans data models, object capability frameworks, interoperability libraries and runtime trust enforcement patterns. This is about more than securing agent-to-agent interactions. It’s about enabling a full lifecycle of trust, from credentialed instantiation of agents to delegated (logged and fully-auditable) execution, all the way through to forensic audit and remediation in the worst case scenario.
Hyper-personalisation that worksAI-driven hyper-personalisation promises to unlock entirely new value in digital experiences. McKinsey reports show meaningful increases in customer engagement and spend when personalisation is done right[5]. But it can just as easily backfire. A 2019 Gartner study found that 38% of users will walk away from a brand if personalisation feels “creepy”[6], and recent research with Gen Z confirms the duality that personalisation is welcome up until it crosses the line[7].
That line is defined by context and consent. When AI systems infer personal data from web-scraping profiles, browser fingerprinting, adtech data, and other opaque signals, they significantly undermine trust and user agency. When they employ algorithmic transparency, ethical frameworks, and user-authorised data inputs they mitigate the risks of conscious and unconscious mistrust and backlash[8].
Verifiable credentials in this context offer a solution that can give AI systems structured, consent-based attributes that users explicitly approve. This helps shift personalisation away from prediction and toward permission. It reduces the risk of misfires and irrelevant outputs, and increases both system reliability and user trust.
The travel industry is a clear example of the opportunity gap. Identity and preference checks occur at nearly every step, yet the ecosystem remains fragmented[9]. Travellers routinely overshare sensitive data multiple times, with little visibility into where it’s stored or how it’s used. Providers, in turn, struggle to deliver seamless or personalised services without duplicating traveller effort or violating privacy regulations.
That’s starting to change. Initiatives like IATA’s One ID aim to eliminate repetitive ID checks using biometric-backed credentials, creating a more secure, contactless experience. Live pilots by SITA and Indicio, in partnership with Delta Airlines and the Government of Aruba, have also shown how digital travel credentials can streamline identity verification at check-in, boarding, and border control.
These foundational shifts pave the way for more advanced personalisation use cases. With credential infrastructure in place, providers can begin supporting traveller-owned profiles that store personal preferences, enable selective data sharing, and allow AI agents to act on a traveller’s behalf. The DIF Hospitality & Travel Working Group is developing schemas to support this, with traveller profiles that are dynamic, revocable, and built for interoperability. As Nick Price notes, when preferences are embedded in credentials and shared on the traveller’s terms, personalisation becomes possible while still preserving privacy and trust[10].
Decision-Making and Sense-Making in Synthetic NoiseIdentity fraud isn’t new, but AI has supercharged its scale, speed, and sophistication. In 2025, 1 in 20 ID verification failures are already being linked directly to deepfakes, while synthetic audio and video forgeries have increased 20% and 12% respectively in fraud attempts year-over-year[11]. National Security Agencies of the US, UK, Canada, and Australia, have warned that the quality and pace of AI-generated forgeries “have reached unprecedented levels and may not be caught by traditional verification methods”[12].
Ironically, fraud detection is one of AI’s strongest use cases. But its success depends on the quality of input data. Risk models tend to rely on patterns from historical data to flag anomalies. If the data is synthetic, spoofed, or unverifiable, the model can learn the wrong patterns or miss the threat altogether. It's a clear case of “attacker's advantage,” since automated attacks are almost free to launch at brute-force scale. What's worse,s AI adversaries are improving at impersonation, so hallucinated and forged content is proliferating across search engines, media outlets, and public discourse, contaminating LLMs at the lowest level of training data.
“As AI agents grow increasingly adept at mimicking human behavior - crafting text, creating personas, and even replicating nuanced human interactions - it becomes harder to maintain digital environments genuinely inhabited by real people.”2
Detecting ‘what’s real’ at scale now requires cryptographic certainty. Verifiable credentials offer a solution to the ‘garbage in, garbage out’ problem by allowing systems to verify data attributes without exposing raw personal data. Content credentials, as standardised by C2PA, provide tamper-evident metadata that can trace authorship, modification history, and usage rights across files, namespaces, and industry associations. This helps prevent both fraud in high-stakes transactions and reduce the risk of model “pollution” by synthetic content[13].
These mechanisms are quickly moving from optional to operational. California’s SB 942, set to take effect in 2026, will require that all AI-generated or AI-altered content be disclosed and tied to an immutable record of provenance. As Erik Passoja writes, “Compliance is just the on-ramp… the real destination is an authenticated digital ecosystem.”[14]. Infrastructure built on signed manifests, cryptographic consent, and watermark durability won’t just prevent fraud, it wil
l underpin new forms of value, from automated licensing to portable and just-in-time reputation.
In all of these cases, a reliable identity layer isn’t a ‘nice to have’, but a prerequisite for trust, adoption, and real-world value. Decentralised identity and verifiable credentials provide the infrastructural foundation that lets AI scale and deliver new opportunities. DIF’s working groups are tackling these challenges head-on, from authenticated AI agents to verifiable travel profiles and content authenticity.
The next article in this series will dive into the work of the Content Authenticity Initiative and DIF’s Creator Assertions Working Group, exploring how open standards are enabling AI to be used confidently in media, preserving trust, provenance, and creative integrity.
Find out more about DIF’s working groups here:
Creator Assertions Hospitality and Travel DIF LabsIf you’d like to stay updated on the launch of DIF’s Trusted AI Agents Working Group, reach out to contact@identity.foundation.
M. Shetrit (2025). “Supervising the synthetic workforce: Observability for AI agents requires managers, not metrics”. Writer. ↩︎ Huang et al. (2025). “A Novel Zero-Trust Identity Framework for Agentic AI: Decentralized Authentication and Fine-Grained Access Control”. arXiv. ↩︎ South et al. (2025). “Authenticated Delegation and Authorized AI Agents”. arXiv. ↩︎ A2A Project. “Agent Registry - Proposal”. GitHub. ↩︎ McKinsey & Company (2025). “Unlocking the next frontier of personalised marketing”. ↩︎ Gartner (2019). “Gartner Survey Shows Brands Risk Losing 38 Percent of Customers Because of Poor Marketing Personalization Efforts” ↩︎ Peter et al. (2025). “Gen AI – Gen Z: understanding Gen Z’s emotional responses and brand experiences with Gen AI-driven, hyper-personalized advertising”. Frontiers in Communication. ↩︎ Park, K & Yoon, H (2025). “AI algorithm transparency, pipelines for trust not prisms: mitigating general negative attitudes and enhancing trust toward AI”. Nature. ↩︎ DIF (2025). “DIF Launches Decentralized Identity Foundation Hospitality & Travel Working Group” ↩︎ Dock (2025). “How Digital ID is Reshaping the Travel Industry” ↩︎ Bondar, Ira (2025). “Real-time deepfake fraud in 2025: Fighting back against AI-driven scams”. Veriff. ↩︎ NSA et al. (2025). “Content Credentials: Strengthening Multimedia ↩︎ Adobe (2025). “Content Credentials”. ↩︎ Passoja, Erik (2025). “From Compliance to Prosperity” LinkedIn. ↩︎The OpenID Foundation is pleased to announce the completion of a comprehensive security analysis of OpenID for Verifiable Presentations (OpenID4VP) when used over the Digital Credentials API (DC API). This represents the first security analysis of OpenID4VP and DC API together, which allowed potential security vulnerabilities to be detected and mitigated before the spec went to final in July.
Conducted by researchers from the Institute of Information Security at the University of Stuttgart using the proven Web Infrastructure Model (WIM) methodology, this analysis builds on a track record of rigorous, mathematical security modelling of OIDF protocols, and a two way exchange between the researchers and the OIDF work groups to ensure the protocols deliver the expected security properties. It has also been used to analyse other OpenID Foundation standards, including OpenID Connect, FAPI 1.0 and FAPI 2.0, as well as OAuth 2.0.
This approach has previously uncovered potential attack vectors allowing for proactive mitigation of the vulnerability, such as a recent responsible disclosure that impacted several spec families.
As part of the scope of this study, the University of Stuttgart presented a formal model of the OpenID4VP specification in conjunction with the Digital Credentials API, identified and formalized relevant security properties, and completed formal proofs for those security properties successfully.
These proofs confirm the security of the protocol within the bounds of the mathematical assumptions and formal modelling. Importantly, no new vulnerabilities were identified during the verification process.
Analysis scope and objectiveThe primary goal was to demonstrate that using OpenID4VP over the DC API delivers a fundamental security guarantee, that of a ‘claims unforgeability’. Put simply, this means proving that attackers cannot trick honest verifiers into accepting false claims that appear to come from legitimate issuers for genuine users with credentials issued to honest wallets.
The analysis takes a focused approach to protocol level security, deliberately excluding attack vectors like Cross-Site Scripting or cryptographic implementation vulnerabilities. These fall outside the scope of protocol specifications and are typically addressed through other security measures.
Rigorous methodologyThe WIM analysis follows a systematic three step process that ensures thorough coverage. First, researchers create a detailed mathematical model covering all possible protocol executions not explicitly prohibited by the specifications. This model accounts for arbitrary numbers of participants with varying trust relationships, running multiple protocol instances simultaneously across all possible interaction patterns.
Next, they formulate precise security properties based on goals stated in the specifications. Finally, they provide mathematical proofs showing these security properties hold true across every conceivable protocol execution scenario..
Continuing a commitment to securityThis work follows the OpenID Foundation’s first comprehensive security analysis of OpenID for Verifiable Credentials completed in October 2023 with the goal of increasing confidence in these critical specifications. That previous study used the same WIM methodology.
The Digital Credentials Protocols Working Group (DCP WG) has accepted this security report on OpenID4VP+DC API, continuing the collaborative approach between academic researchers and standards development. As demonstrated with previous analyses, the DCP WG incorporates relevant feedback into current specification versions, ensuring robust security foundations for implementers.
The complete report is available here on the DCP WG homepage for review by implementers and the broader community.
Expert perspectivesThe team of academic researchers from the University of Stuttgart, said: “We thank the OpenID Foundation for another fruitful collaboration and look forward to further joint efforts in analyzing high-impact standards.”
Kristina Yasuda, Co-Chair of the OpenID Foundation’s DCP WG, said: “Proactive security analysis is critical in identifying potential gaps before they impact implementers and End Users. Collaborating closely with academic researchers allows us to validate our specifications against rigorous formal models, strengthen the protocol’s security guarantees, and ensure that OpenID4VP and the DC API deliver the trust and reliability that the ecosystem depends on.”
Daniel Fett, founder of the OAuth Security Workshop, said: “It’s great to see the OpenID Foundation adopting formal analysis of web protocols as a standard tool. Beyond the usual expert review, formal analysis has repeatedly proven to be an effective means of uncovering hidden vulnerabilities and challenging underlying assumptions.”
About the OpenID FoundationThe OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.
The post OIDF receives security analysis of OpenID for Verifiable Presentations first appeared on OpenID Foundation.
Errata to the following specification have been approved by a vote of the OpenID Foundation members:
JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) – This specification was created to bring some of the security features defined as part of OpenID Connect to OAuth 2.0An Errata version of a specification incorporates corrections identified after the Final Specification was published. This specification is a product of the OpenID FAPI Working Group.
The voting results were:
Approve – 79 votes Object – 0 votes Abstain – 17 votesTotal votes: 96 (out of 420 members = 22.9% > 20% quorum requirement)
The specification incorporating the errata is available at the standard locations as well as:
https://openid.net/specs/oauth-v2-jarm-errata1.html
See the Introduction section of the specification for the link to the previously approved version.
Marie Jordan – OpenID Foundation Secretary
The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.
The post Errata Corrections to JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) Approved first appeared on OpenID Foundation.
At the inaugural Privacy for Financial Services Workshop hosted by LF Decentralized Trust in New York, a clear signal emerged: privacy is no longer a theoretical aspiration in digital finance. It’s a necessity, and it’s becoming deeply practical.
1. What is the mission and vision of Giesecke+Devrient (G+D)?
We shape trust in a digital world.
We create innovative security solutions for reliable protection of highly critical sectors. We engineer customized security technologies with passion and precision.
2. Why is trustworthy digital identity critical for existing and emerging markets?
Trustworthy digital identity is foundational to the secure functioning of both existing and emerging markets. As digital interactions become integral to daily life, ensuring the authenticity and security of these interactions is critical. Reliable digital identities enable secure access to services, protect against fraud, and foster user confidence. In emerging markets, they are instrumental in promoting financial inclusion and enabling access to essential services, thereby driving economic growth and social development.
3. How will digital identity transform the Canadian and global economy? How does your organization address challenges associated with this transformation?
Digital identity is poised to revolutionize the Canadian and global economy by streamlining access to services, enhancing security, and fostering innovation. It enables seamless interactions across sectors such as finance, healthcare, and government services, reducing friction and building trust in digital transactions.
Giesecke+Devrient (G+D) addresses the challenges of this transformation by offering secure, user-centric digital identity solutions. Our technologies ensure data privacy, comply with international standards, and are adaptable to various regulatory environments. By focusing on interoperability and scalability, we support the development of robust digital identity infrastructures that can evolve with the changing needs of societies and economies.
4. What role does Canada have to play as a leader in this space?
Canada is uniquely positioned to lead in digital identity and trust services due to its strong regulatory frameworks, commitment to privacy, and collaborative approach among public and private sectors. By investing in secure digital infrastructures and fostering innovation, Canada can be a leader in setting global standards for digital identity solutions that are inclusive, secure, and user-friendly. G+D supports these initiatives by providing technologies that align with Canada’s vision for a trustworthy digital ecosystem.
5. Why did your organization join the DIACC?
G+D joined the Digital ID & Authentication Council of Canada (DIACC) to collaborate with industry leaders in shaping the future of digital identity. We recognize the importance of a unified approach to developing secure, interoperable, and user-centric identity solutions. Through our membership, we aim to contribute our global expertise in security technologies to support DIACC’s mission of advancing digital identity innovation in Canada.
6. What else should we know about your organization?
Our organization, G+D, has a rich global history of being a pioneer in the industry, achieving numerous milestones that have set standards worldwide. In addition to our Canadian firsts, G+D has been a leader in innovation on a global scale, consistently demonstrating our commitment to advancing security technology and improving user convenience across various markets.
Globally, G+D was one of the first companies to introduce banknote processing equipment back in the early 20th century, revolutionizing how financial institutions handled currency. This innovation laid the groundwork for our later advancements in secure currency technologies. We were also pioneers in developing and implementing smart card technologies, which have become fundamental in today’s digital security applications, including telecommunications, banking, and government identity systems.
In the realm of telecommunications, G+D was instrumental in the development and widespread adoption of SIM cards, which transformed the mobile phone industry by enabling secure and personalized services. This innovation not only advanced mobile technology but also significantly enhanced security and functionality for mobile device users worldwide.
Moreover, G+D has been a leader in the development of secure identity solutions, providing governments and organizations with advanced technologies for passports, national IDs, and other secure documents. Our innovations in biometric and encryption technologies have helped shape global standards for identity verification and data protection.
Our commitment to sustainability is also evident on a global scale. We have been involved in developing eco-friendly technologies and materials for our products, significantly reducing the environmental impact of our manufacturing processes and end products.
By highlighting these global achievements alongside our Canadian firsts, it is clear that G+D’s legacy of innovation spans not only decades but also diverse industries and markets. Our forward-thinking approach and investments in new technologies continue to drive our mission of making people’s lives more secure and convenient, while also respecting our planet. As we move forward, G+D remains dedicated to being a leader in digital identity and authentication, setting new benchmarks for excellence and sustainability worldwide.
1. What is the mission and vision of NOETRONIQ Strategic Initiatives?
Mission:
To empower organizations with trusted, interoperable identity solutions by delivering expert architectural guidance rooted in privacy, security, and open standards.
Vision:
To shape a resilient digital future where individuals and institutions interact with confidence, enabled by transparent, decentralized identity ecosystems and intelligent trust frameworks.
2. Why is trustworthy digital identity critical for existing and emerging markets?
Digital trust and identity verification are foundational to securing interactions in today’s global digital economy. In both mature and emerging markets, they underpin everything from financial access to cross-border compliance and fraud prevention. But as the threat landscape evolves, driven by increasingly sophisticated actors and accelerated by AI, traditional security models are no longer sufficient. Verifiable identity becomes the anchor for ensuring accountability, protecting privacy, and enabling secure, scalable systems. In a world of rapid digital and AI-driven transformation, strong identity infrastructure is not just about access; it’s about resilience, governance, and trust at every layer of interaction.
3. How will digital identity transform the Canadian and global economy? How does your organization address challenges associated with this transformation?
Digital trust and identity verification will redefine how value, services, and decisions flow across both the Canadian and global economies. As digital interactions become more decentralized, cross-border, and mediated by AI, trusted identity is the linchpin for enabling secure access, protecting user autonomy, and ensuring compliance at scale. In Canada, this transformation supports economic inclusion, public service modernization, and global interoperability through frameworks like the PCTF. Globally, it empowers new markets, mitigates fraud, and creates the foundation for verifiable, privacy-respecting ecosystems.
NOETRONIQ Strategic Initiatives addresses these challenges by offering expert architectural guidance to help organizations align with evolving standards, integrate verifiable credentials, and future-proof their identity infrastructure. Our focus is on building resilient, interoperable systems that embed trust by design. Bridging policy, technology, and security in a rapidly shifting digital and AI-enhanced landscape.
4. What role does Canada have to play as a leader in this space?
Canada is well-positioned to lead in digital trust and identity verification by advancing inclusive, privacy-respecting, and interoperable frameworks. With the Pan-Canadian Trust Framework and a strong tradition of public-private collaboration, Canada offers a model for securing digital ecosystems that scale across borders. As global trade and digital services expand, Canada’s leadership in trustworthy identity infrastructure strengthens its role as a reliable partner in international commerce. By prioritizing security, accountability, and user control, Canada can shape the standards and governance models that underpin a resilient, globally connected digital economy.rust services, across many industries, including Auto Finance.
5. Why did your organization join the DIACC?
NOETRONIQ Strategic Initiatives joined the DIACC to contribute to and align with the collaborative development of Canada’s digital identity and trust ecosystem. As a firm specializing in identity architecture, verifiable credentials, and privacy-first design, we see DIACC as a critical forum for shaping interoperable, standards-based solutions that serve both national interests and global alignment. Participation in DIACC enables us to engage with leading experts, support the evolution of the Pan-Canadian Trust Framework, and ensure our clients’ solutions are future-proof and policy-aware. We believe that trusted identity is foundational to a resilient digital economy—and that collaboration is key to getting it right.
6. What else should we know about your organization?
NOETRONIQ Strategic Initiatives brings deep expertise in digital identity architecture, cybersecurity, and verifiable credentials, with a focus on building systems that are both technically robust and aligned with emerging governance models. We operate with the precision and foresight of a strategic partner, helping clients navigate complexity at the intersection of policy, privacy, and technology. We’re especially attuned to the shifting landscape brought on by AI, decentralized infrastructure, and evolving trust frameworks. Our mission is to help shape a digital future where identity is secure, user-controlled, and interoperable by design.
This is a notice of the upcoming vote to approve OpenID for Verifiable Credential Issuance 1.0 as a Final Specification.
The two-week voting period will be between Monday, September 1, 2025 and Monday, September 15, 2025, once the 60 day review of the specification has been completed.
The Digital Credentials Protocols (DCP) working group page: https://openid.net/wg/digital-credentials-protocols/. If you’re not already a member, or if your membership has expired, please consider joining to participate in the approval vote. Information on joining the OpenID Foundation can be found at https://openid.net/foundation/benefits-members/.
The vote will be conducted at https://openid.net/foundation/members/polls/376.
Marie Jordan – OpenID Foundation Secretary
About The OpenID Foundation (OIDF)The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.
The post Notice of Vote to Approve OpenID for Verifiable Credential Issuance 1.0 Final Specification first appeared on OpenID Foundation.
In a bid to improve overall security of the identity ecosystem, the National Institute of Standards and Technology updated its Digital Identity Guidelines earlier this month. The first revision since 2017, many organizations should be able to implement the updated guidelines without much difficulty as part of their identity strategy.
Attackers are always sharpening their skills to bypass organizations’ identity and access management (IAM) protocols – the key to gaining critical access – and artificial intelligence (AI) is making phishing attacks even more effective, and deepfakes are tricking even the most security-savvy mind. New authentication measures such as passwordless technologies, exist, but implementation challenges have hindered adoption.
As announced, Microsoft today deletes all stored passwords from his authenticator app. Users have to secure their access data before they are lost permanently. Other functions of the app are preserved.
Users must secure passwordsFor users of the Microsoft Authenticator, it is a critical deadline: As announced at the beginning of May, all stored passwords are irrevocably deleted from the app on August 1, 2025. If you do not ensure or transfer the data, you permanently lose access to the stored passwords.
The changeover takes place gradually and has been going on for months. Since June 2025, it has no longer been possible to save new passwords in the app or to import from external sources. This affects both manual entries and the synchronization with other services. In July 2025, the autofill function was then deactivated, so that the app no longer automatically entered login fields on websites or in apps.
HID, a worldwide leader in trusted identity and access management solutions, has announced a new line of FIDO-certified credentials—now powered by the new Enterprise Passkey Management (EPM) solution— designed to help organizations deploy and manage passkeys at the enterprise scale.
Newresearch from FIDO Alliance shows that while 87% of enterprises are adopting passkeys, nearly half of those that are yet to deploy cite complexity and cost concerns as primary barriers.HID’s solution streamlines the shift to passwordless authentication.
The post Velocity Network Foundation Joins Global Leaders at Inaugural Geneva Conference on Digital Trust appeared first on Velocity.
The post Velocity Charitable Foundation Elevates Statewide Approach to Verifiable Credentials and Open Ecosystems appeared first on Velocity.
The post Velocity Network Technology Becomes “Verii” Under the Linux Foundation’s LF Decentralized Trust Initiative appeared first on Velocity.
The post What is a Trust Framework? appeared first on Velocity.
A growing number of applications in the energy sector and beyond are leveraging decentralized Worker Node networks on Energy Web X. For example, Green Proofs for Bitcoin (GP4BTC) uses EWX to verify green Bitcoin mining, and the recently launched Carbon-Aware Nomination system orchestrates compute workloads to maximize the use of clean energy. As these and other DePIN (Decentralized Physical Infrastructure Networks) use-cases expand, it becomes ever more critical to enforce accurate and verifiable computation in a secure, scalable manner.
This consensus upgrade directly addresses that need. It introduces several improvements to how EWX validators reach agreement on Worker Node outputs and distribute rewards: changes that align incentives with performance and ensure the integrity of off-chain execution. This upgrade empowers enterprises to pair their off-chain computational systems with highly configurable on-chain reward mechanisms, creating strong business and financial incentives for both enterprises and community members operating Worker Nodes to actively contribute to these decentralised systems.
Setting The Bar on PerformanceOnly the most consistent, high-performing worker nodes will now be rewarded for their contributions. The upgrade introduces an SLA performance threshold, a minimum standard for correct vote submissions that a node must meet to qualify for any rewards. In other words, a worker’s voting accuracy over each reward period has to exceed a predefined percentage (set on a per-Solution Group basis) for that node to earn a share of the rewards. A “correct” vote means the worker’s submitted result from their off-chain execution aligns with the majority consensus for a given round (as determined by EWX validators). If a node’s correct vote rate falls below the threshold, it won’t receive rewards for that period, no matter how many votes it cast.
This change pushes every Worker Node operator to perform above a clearly defined bar. Energy Web X validators now track each worker’s voting performance across rounds (via on-chain metadata) and calculate the percentage of that worker’s votes that matched the accepted consensus. Only those exceeding the SLA threshold are deemed eligible. Among those that qualify, rewards are weighted by accuracy and stake, meaning those who contribute more correct results and have more stake on the table earn proportionally more. See the reward formula below:
worker_reward = (worker_correct_votes × user_stake) / total_weighted_correct_votes × voting_reward_per_block × active_blocks
Where: worker_reward: the amount of EWT distributed to the worker node operator as their active reward for participation in eligible voting rounds within the concluded reward period. worker_correct_votes: The number of correct (consensus aligned) votes submitted by the worker node in the eligible voting rounds within the concluded reward period. user_stake: The amount of tokens locked by the operator upon registration. total_weighted_correct_votes: Sum of correct votes weighted by stake across all worker nodes ( Σ(correct_votes_i * stake_i) ). voting_rewards_per_block: Amount of tokens allocated to voting rewards per block (configured by the solution registrar). active_blocks: Number of blocks spanning the reward period. Worked example:A Solution Group contains 150 operators. At the end of a reward period, 100 operators submitted sufficient votes to exceed the SLA threshold and are eligible for rewards.
From the eligible 100 operators, the average correct votes during the reward period is 100 and the average user stake is 1000.
Therefore: total_weighted_correct_votes = 100 * 100 * 1000 = 10,000,000
Worker Node A had 110 correct votes with a stake of 1000. There are 7200 active blocks in a voting round, and the voting rewards per block are set to 1 token.
Therefore: worker_node_A_reward = (110 * 1000) / 10000000 * 1 * 7200 = 79 tokens
Consensus Validated Via Quorum & Majority ThresholdThe consensus mechanism employs a two-tier validation process to guarantee both sufficient participation and accuracy of submissions before finalising the result on-chain. Energy Web X requires two conditions for a voting round to produce a valid result:
Quorum: A minimum percentage of eligible worker nodes must participate by submitting their votes. Majority Threshold: Within the specified quorum of participants, a majority of workers, over the defined threshold, must agree (i.e. submit matching results) for the result to be accepted as the round’s consensus.If either condition isn’t met the round is marked Unresolved. These thresholds optimise for security and trust without sacrificing scalability. Quorum ensures that a sufficiently broad sample of the network contributes to each consensus decision, while the majority threshold ensures accuracy and trust in the result. Only when both conditions are satisfied will the Energy Web X validator set record the final result on-chain.
Improving Withdrawal DelayThe upgrade also refines how and when worker node operators can withdraw their stake from the network. The withdrawal delay is the period a user must wait between submitting an unsubscription request and receiving their tokens. This means every action (vote) has a consequence: correct votes will always be rewarded while protecting against malicious actors who may otherwise submit false votes and then withdraw to evade penalties.
With the upgrade, withdrawal delays are measured in reward periods instead of blocks. In practice, after an operator initializes a withdrawal, they must wait a defined (by the registrar) number of additional reward periods before withdrawing their collateral. During this delay period, the node can still participate in voting rounds and continue to earn rewards, except for the final reward period in which the stake is released and voting eligibility ends. This ensures all pending rounds are properly settled and any rewards or penalties processed before a node can exit the network.
For example, a solution group has a withdrawal delay of 2 reward periods. A subscribed worker node operator votes in Reward Period 1 then submits an unsubscribe request in Reward Period 2. The operator would need to wait for Reward Period 3 and 4 to conclude, before receiving their funds back during a block (specific timing depends on system load) in Reward Period 5. The operator can participate (vote) in Reward Period 3 and 4 but not in 5.
The Outcome: Accurate, Scalable and Secure Off-Chain ComputeTogether, these enhancements bring Energy Web X’s consensus mechanism in line with the vision of incentivizing top-performing worker nodes to deliver accurate, verifiable outputs from off-chain computation.
What does this mean for Energy Web ecosystem participants? Solution owners and their users can have complete trust in the outputs of decentralised compute. Energy Web X’s blockchain will securely handle the heavy lifting of coordinating nodes, validating results, and distributing rewards, all in the background. This allows developers and enterprises to focus on what they do best: building high-value applications, confident that a robust, trusted decentralized compute layer is reliably powering their workloads behind the scenes.
About Energy WebEnergy Web is a global technology company driving the energy transition by developing and deploying open-source decentralized technologies. Our solutions leverage blockchain to create innovative market mechanisms and decentralized applications, empowering energy companies, grid operators, and customers to take control of their energy futures.
How to Get InvolvedReview the docs
Join the conversation
From Off-Chain Execution to On-Chain Trust: Inside Energy Web’s Consensus Overhaul was originally published in Energy Web on Medium, where people are continuing the conversation by highlighting and responding to this story.
The post Velocity Network Foundation – MidYear Updates appeared first on Velocity.
Microsoft has started to delete all passwords saved in its Authenticator app — and if you want to make sure you’re not locked-out of your favourite websites and apps, there’s one way to save your previous logins.
It might seem a little extreme, but the decision to start wiping passwords from its users has been months in the making. Microsoft has been slowly winding down Microsoft Authenticator, a free mobile app developed by Microsoft for Android and iOS that lets you securely sign-in to online accounts using two-factor authentication (2FA) or passwordless logins.
Like or not, a replacement for passwords — known as passkeys — is coming your way, if it hasn’t already. The three big ideas behind passkeys are that they cannot be guessed in the way passwords often can (and are), the same passkey cannot be re-used across different websites and apps (the way passwords can), and you cannot be tricked into divulging your passkeys to malicious actors, often through techniques such as phishing, smishing, quishing, and malvertising.
HID, a leader in trusted identity and access management solutions, has announced a new line of FIDO-certified credentials – now powered by the new Enterprise Passkey Management (EPM) solution – designed to help organizations deploy and manage passkeys at the enterprise scale.
New research from FIDO Alliance shows that while 87% of enterprises are adopting passkeys, nearly half of those that are yet to deploy cite complexity and cost concerns as primary barriers. HID’s solution streamlines the shift to passwordless authentication.
The next phase of HID’s passwordless authentication roadmap gives enterprises choice, flexibility and speed to deploy FIDO without compromising user experience or security posture. The expanded portfolio delivers phishing-resistant authentication with enterprise-grade lifecycle management, making scalable passwordless security accessible to organisations of all sizes. The solution works seamlessly across diverse work environments while reducing IT support requirements through centralised visibility and control.
Part of the “passkeys are more secure than passwords” story is derived from the fact that passkeys are non-human-readable secrets — stored somewhere on your device — that even you have very limited access to.
OK, so what happens to those passkeys if your device is stolen?
HID, a leader in trusted identity and access management solutions, has announced a new line of FIDO-certified credentials – now powered by the new Enterprise Passkey Management (EPM) solution – designed to help organizations deploy and manage passkeys at the enterprise scale.
New research from FIDO Alliance shows that while 87% of enterprises are adopting passkeys, nearly half of those that are yet to deploy cite complexity and cost concerns as primary barriers. HID’s solution streamlines the shift to passwordless authentication.
In the first of a series of guest posts by DIF Ambassador Misha Deville, Misha sets the stage for an underappreciated business problem one layer deeper than traditional User Experience analyses.
The Trust CeilingThe paradox is that we want AI systems that understand us, but only on our own terms. We’re uneasy when AI appears to use personal data without permission, yet we’re frustrated when it doesn’t ‘get us’ on the first try (in ways that it would need lots of personal data to fill in the context). This might seem like a philosophical problem, but I am pointing to an underappreciated technical one. Without embedding trust negotiation into the system design itself, through features such as transparent data flows and consent mechanisms, these systems cannot negotiate subtext and context; without this capability, we will fail to see AI adoption (and utility) scale as promised.
Friction in trust, and therefore adoption, stems from the lack of transparency and control, not from ‘poor model intelligence’. 66% of U.S. shoppers, for example, say they would not allow AI to make purchases for them, even if it meant securing better deals, because “consumers suspect AI is working for the retailer, not them. Until that trust gap closes, AI will remain a product discovery tool”1.
Public patience with AI product rollouts is already wearing thin. Global brands like Duolingo are facing significant backlash after announcing ‘AI-first’ strategies2, and the perception gap between those building AI systems and the addressable markets expected to adopt them is ever widening. 51% of adults interviewed in a recent Pew Research Study said they were more concerned than excited about AI, which contrasts sharply with the mere 15% of ‘AI experts’ that held this view3.
The generative-AI race to market that made AI more powerful and more personal, also made systems more opaque, leaving users in the dark about how and why decisions are made. In the absence of transparency, even well-intentioned systems lose public trust. The WEF frames this as a missed opportunity to build new markets on a healthy footing: “Without transparency, AI systems might be used that are not value-aligned at a level that is acceptable to users, or users might distrust AI systems that actually are sufficiently value-aligned because they have no way of knowing that.”4
To embed trust into the system itself, people need to be able to verify:
who the AI is working for (context), what it’s allowed to do (consent), and, whether the output can be trusted (credibility).The solution therefore isn’t more intelligent AI models, it’s a complimentary, verifiable identity layer. An identity layer doesn’t just enable trust at the level of individual users trusting individual interfaces; it also supports a healthier marketplace overall by making AI systems traceable, comparable to one another, and accountable to the users and services they interact with. It helps users in aggregate trust AI more in aggregate.
Verifiable credentials built on a backbone of decentralised digital identifiers, enable cryptographic proofs of user and object attributes. Context, consent, and credibility become programmable, and the user experience transforms from coercive to empowering.
The Market OpportunityDigital identity and AI are fundamentally interdependent, but the current investment landscape and dominant business strategies do not reflect this. Today, AI is seen as a growth engine and identity infrastructure is seen as compliance overhead. This mental model is not just outdated, it’s economically limiting.
In 2024, global VC investment into AI-related companies exceeded $100 billion, marking an 80% increase from 20235. Meanwhile, investment in digital identity declined. In the UK, one of the world’s leading digital identity markets, the sector saw only $58 million in VC funding in 2024, a 69% decline from the year before6. This stark investment gap reveals a misunderstanding of the technology stack required for trustworthy, scalable AI.
The convergence of these technologies is both ethically necessary and commercially advantageous. An identity layer that’s fit for this new era will enable AI breakthroughs to scale with direction, grounding, and accountability. If AI is the engine, then digital identity is the navigation system. It doesn’t slow the rocket down. It ensures it lands where we need it to.
The companies that align AI with verifiable digital identity will capture disproportionate market share where others hit trust ceilings. Strategies that capitalise on both technologies will unlock the promised value in use cases such as:
In fintech, verified delegation allows AI agents to execute trades securely, with cryptographic proof of authority and clear audit trails. In healthcare, patient-controlled access to verified medical records enables truly personalised care without compromising consent or privacy. In global supply chains, AI systems can confirm the authenticity of every product and actor, preventing counterfeits, improving traceability, and automating trust at scale.Digital identity is not a constraint on AI. It’s the infrastructure that allows it to scale responsibly and profitably. Standards like W3C’s Verifiable Credentials Data Model, provide a vital foundation for AI systems to verify context, consent, and credibility without compromising privacy. The companies that embrace this interdependence will define the next wave of digital infrastructure. Those that don’t, will risk building impressive technology that nobody trusts enough to use.
In the next article, we’ll explore how decentralised identity unlocks the real-world value of AI, starting with three core functions behind its promises: personalisation, delegation, and decision-making.
If you’d like to stay updated on the launch of DIF’s AI-focused working group, reach out to contact@identity.foundation.
1 Charleston, SC (2025). “Two-Thirds of Shoppers Say ‘No’ to AI Shopping Assistants – Trust Issues Could Slow Retail’s AI Revolution”. Omnisend.
2 Braun, S (2025). “Duolingo’s CEO outlined his plan to become an ‘AI-first’ company. He didn’t expect the human blacklash that followed.” Fortune.
3 McClain et al. (2025). “How the U.S. Public and AI Experts View Artificial Intelligence”. Pew Research Center.
4 Dignum et al. (2024). “AI Value Alignment: Guiding Artificial Intelligence Towards Shared Human Goals”. World Economic Forum.
5 Fairview Capital. (2024). “Preparing for the Agentic Era in Venture Capital”.
6 Wyman, O. (2025). “Digital Identity Sectoral Analysis 2025”. Gov.UK
On July 14, 2025, OpenID Foundation’s Executive Director Gail Hodges was delighted to moderate the ‘Voices from the Future’ panel at the Federal Mobile Driver’s License (mDL) Industry Day | GSA, which included leaders from five US States and the American Association of Motor Vehicle Administrators (AAMVA) on the use cases driving mDL adoption and ‘happiness’ in their states.
State officials delivering on the promise of digital identity in the USAThe panelists included state officials on the leading edge of mDL issuance and adoption:
Christine Nizer – Administrator, Maryland Department of Transportation Motor Vehicle Administration and Governor’s Highway Safety Representative Ajay Gupta – Chief Digital Transformation Officer, California Department of Motor Vehicles Brett Young – Assistant Deputy Commissioner of Innovation and Technology, Georgia Department of Driver Services Lori Daigle – Program Manager, Outreach and Education Identity Management, American Association of Motor Vehicle Administrators Ashley Hall – Senior Project Manager, Virginia Department of Motor Vehicles David Knigge – Modernization Director, Arizona Department of Transportation, Motor Vehicle DivisionIn the US, states play a pivotal role in the issuance of digital identity credentials. These states are on the leading edge of creating great user experiences for their state residents, and they appreciate the power of robust digital identity infrastructure.
Compelling use cases and future roadmapsThe state and AAMVA panelists brought their experience from the ‘front row seat’ as issuers of the mDL/mID credentials. They shared a wide range of use cases that are already resonating within their communities, way beyond mDL presentation at a TSA checkpoint to travel:
Login and step up authentication for access to state website and benefits Skippie Enforcement acceptance to save officers and residents time (a 15-20 minute roadstop reduced to 5 minutes; the prospect of saving lives by getting people and officers back on the road swiftly) Event venue acceptance (e.g. Merryweather post pavilion in Maryland, first few LA arenas accepting mDLs, prospect of Olympics 2028 in Los Angeles 2028) Financial services use cases, such as opening a bank account with an mDL, as demonstrated by the NIST NCCoE Mobile Driving Licenses project and their first delivery phase.The panelists were collectively optimistic about the prospect of mDL acceptance accelerating, and accelerating across a wide range of use cases as merchants, government departments, and the public become progressively comfortable with the technology and experience it in their everyday lives.
As one speaker said: “We see ‘happiness’ – happy residents delighted with the prospect of using their mDL.” Some of that ‘happiness’ can be measured in app scores where apps, such as the CA DMV Wallet app, has 4.8/5 stars (85k users) in the Apple App store.
Tangible adoption and issuance underway in US statesThe panelists highlighted that there is real momentum on mDLs, the technology is ‘already here’ and growing rapidly now, up the adoption curve:
5 million+ mDLs have been issued to date (AAMVA) 18 US states are issuing standards-compliant mobile driving licenses as of July 2025, with many more expected to launch later this year 40% of US residents live in a state that offers their residents a mDL TSA has enabled over 250 priority airports for mDL acceptance, with more airports scheduled to comeThe OpenID Foundation’s Executive Director, Gail Hodges, said: “These expert panelists are at the coal face working on the safe issuance of mobile driving licenses in their states, and ensuring that this new technology works for their residents and all Americans. The OpenID Foundation is delighted to work with market leading issuers and thought leaders like these panelists, and to ensure our global open standards meet their exacting requirements for security, interoperability, and both national and global scale.”
Market context: The urgency of the workGail’s opening remarks as moderator set the stage for the stakes facing the global community.
According to Vasu Jakkal, Microsoft Global Head of Security, $9.2 trillion is the value of the global cybercrime industry. “How much is it costing our world?” This is the equivalent to the third largest country by GDP and growing faster than any country. US GAO estimate of US Federal Government annual losses to fraud is $233-$521 billion, as estimated based on 2018-2022 data. “No area of the federal government is immune to fraud….given the scope of this problem, a government-wide approach is required to address it.” US financial institutions reported suspicious activity worth $212 billion – from US FINCEN analysis of identity-related suspicious activity, or financial crime related to weaknesses in our identity infrastructure.The hope is that digital identity infrastructure, including mobile driving licenses, can play a material role to mitigate these persistent and growing attacks, and better protect US residents and businesses.
About the OpenID FoundationThe OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.
About the panelists
Christine Nizer was appointed Administrator of the Maryland Department of Transportation Motor Vehicle Administration (MVA) and Governor’s Highway Safety Representative in August 2015. Prior to that appointment, Ms. Nizer served as the MVA’s Chief Deputy Administrator and Deputy Administrator for Central Operations and Safety Programs for over eight years. She also held management positions at the Maryland Public Service Commission, the Maryland General Assembly and the Office of Homeland Security.
Ashley Hall is a Senior Project Manager at the Virginia Department of Motor Vehicles (DMV), where she leads the state’s groundbreaking Mobile ID initiative. With more than two decades of project management experience at the DMV and a PMP certification, Ashley has overseen a wide range of innovative efforts—from the development of Mobile Service Units to the implementation of Photoless Identification Cards.
Ashley holds a Bachelor of Arts from Virginia Tech and a Master of Public Administration from Virginia Commonwealth University. Since 2022, she has also served as a member of the AAMVA Joint Mobile Driver’s License Subcommittee, helping to shape national standards and best practices for digital identity.
Virginia’s Mobile ID is currently in a soft launch phase, with a full public rollout anticipated later this summer. The launch will include five key use cases: TSA checkpoints, Virginia DMV services, Virginia ABC stores, Virginia State Police and local law enforcement, and select casinos—bringing secure, convenient digital identification to Virginians across the state.
Ajay Gupta was appointed Chief Digital Transformation Officer in February 2020. Gupta leads business and technology transformation effortsfor the DMV to become a modern enterprise. Gupta has served as a special advisor to the DMV Director since 2019.
Before joining state service, Gupta worked as a managing director at KPMG, where he led the delivery of legacy transformation, technology innovation, and managed services for State departments nationally. Gupta brings more than 27 years of public sector experience to the DMV. He served state departments in California, Texas and Hawaii while working for CGI Inc., Visionary Integration Professional Inc., Deloitte LLP, and Tata Consulting Services.
Gupta has a B.E. in Electrical Engineering from Delhi College of Engineering and an MBA in Marketing and Information Technology from UC Davis. Gupta is also certified as a PMP, CSPO, Cloud Practitioner, and Enterprise Architect.
Assistant Deputy Commissioner of Innovation & Technology, Georgia Department of Driver Services, Brett Young has been with the Department of Driver Services since 2001 and has served in several roles. Brett is currently the Assistant Deputy Commissioner of Innovation & Technology leading the Information Technology, Innovation & Strategy and Program Management work units.
He has previously served as the Director for the Program Management Office. His experience includes managing regulated programs, defining the processes and procedures for operating the agency’s programs, establishing driver program vision and leading efforts to continuously improve the process of the Department’s Driver License Issuance System. He has previously led the Department through a Modernization Project, Card Production Procurement and placed Georgia’s License in three Digital Wallets.
Brett is currently a member of the AAMVA Card Design Standard Subcommittee and previously served on the AAMVA Autonomous Vehicle Best Practices Working Group.
Mr. Knigge has more than 40 years of experience in the technology field with a diverse range of experience from executive to consultant to IT project delivery roles. For over two decades, he has worked primarily in the Motor Vehicle Industry with an exclusive focus on the DMV business.
Currently, Mr. Knigge is the Motor Vehicle Modernization Director leading the IT organization focused on technology support for the Arizona Department of Transportation, Motor Vehicle Division (AZ MVD). AZ MVD has fully deployed an in-house, contemporary, cloud based modernized solution including comprehensive core internal systems, portals, identity solutions and related technologies.
AZ MVD developed technology includes mDL/digital identity capabilities and many features leveraging artificial intelligence functionality.
Lori Daigle joined the AAMVA (American Association of Motor Vehicle Administrators) Identity Management Team in November of 2023 as a Program Specialist. Her current role is Program Manager, Outreach & Education focusing on the mDL ecosystem and working to enhance Relying Party outreach and engagement. Lori has presented at the Identiverse Conference (2024), the International Association of Police Chiefs Mid-Year Conference (2024), the UL Payment Summit (2024), the Identity and Access Forum (2024), the Mortgage Brokers Association Conference (2024), the Identity and Payments Summit (2025), the Fime Innovation Days (2025) as well as several AAMVA Regional Conferences. She is also an active member in the numerous Jumpstart mDL working groups with the Secure Technology Alliance.
Prior to her current role, she spent nearly nine (9) years with the Colorado Department of Motor Vehicles (DMV) and served as the Director of the Driver License section. She has also led two nonprofits: the Northern Colorado AIDS Project and the Alliance for Suicide Prevention and taught high school Marketing, Management, and Psychology at Pinewood Preparatory School in Summerville, South Carolina where she was named Teacher of the Year.
The post Adoption now and ahead: mDL Day ‘Voices of the Future’ panel first appeared on OpenID Foundation.
Including recently-donated Rust implementation by Affinidi. More below!
Wait, is that a typo? Do you mean did:web?I did not, but I also did not not mean did:web. did:webvh is a new DID method, but it is also specifically designed to be a more production-worthy, “grown up” version of did:web, everyone’s favorite “training-wheel” DID method and growth hack for getting VCs issued from highly-trusted issuers. Crucially, did:webvh is a “backwards-compatible upgrade” to did:web, meaning it can be consumed in "legacy mode" by any software that already resolves did:web, but upgrades the featureset and trust-model when consumers upgrade their resolution logic to take advantage of the new syntax.
It was incubated at the Identifiers and Discovery Working Group at DIF, meaning it got extensive review and input from many other DID connoisseurs deep in the trenches of DID method design and “user research” as to what use-cases developers really want DIDs for in the first place. Having previously incubated other DID methods in the Sidetree family, early versions of the KERI system, and the did:peer specifications foundational to DIDComm, DIF is happy to see another DIF-incubated DID method graduate to v1!
If you’re hearing about did:webvh for the very first time here and now, let’s start at the beginning with a few high-level differences between did:web and did:webvh:
The VH stands for Verifiable History. Each DID version links cryptographically (“chains”) back to its predecessor and ultimately to the verifiable self-certifying identifier (SCID) that is embedded in the DID identifier. The SCID is derived from the DID’s initial state. Further, each update is signed by a key authorized to update the DID. Each valid did:webvh (the URL) can be easily and deterministically translate to a did:web. Just delete the “vh” in the method segment and the subsequent segment (the “SCID” — self-certifying identifier), and you have a valid did:web identifier. Resolve that the way you would any other did:web, and you get a valid did:web DID Document. Easy-peasy, 100% interoperability with the most widely-deployed DID method other than did:key. Verifiability is not dependent on DNS. While DNS is used for discovery and retrieval of the DID Log file that contains a did:webvh history, the cryptographic verifiability of that history is not dependent on DNS. The DID Log can be retrieved from other locations/caches and fully verifies the history of its corresponding DID to date. Verifiability is independent of its DID Documents. A did:webvh DID Doc can contain anything the DID Controller wants it to have — different keys, key types, services and so on. The verifiability of the DID is secured by a more complex resolution mechanism, not the contents of the document. That allows the specification to be very opinionated on how the DID is secured (making interoperability easy and reliable), without limiting the purpose of the DID. Secure DID generation can now happen off-server. This allows DID doc hosting to be separate from key management, de-risking malicious hosts and allowing for “dumber” (e.g. key-oblivious) hosting pipelines, e.g. without access to /.well-known. “Common sense” DID URL Handling. The simple DID URL syntax <did>/path/to/{file} maps to just what one would expect: the "/path/to/" subdirectory where the <did> document is stored. Cross-Host Portability. A DID on one host, if configured from inception to allow it, can migrate to a host on another domain and still keep its long-lived and globally-unique “SCID” and verifiable history. This further decouples web hosting from the long-term value of the SCID as a stable, host-independent UUID, which (webvh-aware) consumers can use to link and deduplicate DIDs which migrate across multiple hosts. Optional extensions allow stronger guarantees for historical resolution and duplicity/forgery detection on the part of malicious hosts. Certificate Transparency-style “witnessing networks” (a web-of-trust approach to gossiping DID document histories, also used in the KERI key management/ID system) and/or aggressively cache-busting trusted resolvers can detect host malfeasance of various kinds. The origins of did:webvhFrom the start, did:web had some production implementations that were too load-bearing to break… and many unhappy implementers. When a given website/domain only needed one collective DID (common for issuers already highly-trusted and with highly-secured websites, e.g. institutional issuers of credentials), or even in cases where the entirety of a DID’s lifecycle could be assumed to live on the same unchanging domain (e.g., employees or appointees or departments of an institutional issuer), did:web was great, and no one needed to consider upgrades.
Corner-cases and unhappy implementers kept popping up over time, though:
What about historical resolution of old signatures after rotations and de-activations? What if a merger or acquisition or rebrand needs to update a domain name, but keep all its old DIDs resolving after the change? What if students want to keep their DIDs (or at least keep old signatures validating) after they graduate and they get incrementally locked out of their university’s IT systems? What if anti-trust regulations forced portability (they way they do for phone numbers) and users wanted to keep connections after switching identity providers (or “hosts” in webvh terminology? What if hosts are perfectly willing to issue did:webs to hundreds of users, but cannot directly automate /.well-known/ documents for each, whether due to their JS framework, choice of contractor/service-provider, security policies, etc? What if consumers can’t fully trust all did:web hosts to faithfully produce the same document for all callers? What duplicity-detection mechanisms or historical guarantees could be offered to those consumers? Similarly, some use-cases are too high-stakes to trust all hosts equally; some consumers were demanding baseline guarantees about how securely DID documents get hosted over DNS-addressed HTTP beyond what is required for did:webA backwards-compatible “version 2” of did:web was imagined but effectively deferred for years, before work started in earnest on an heir to did:web that focused primarily on improving its trust model. As the idea kept iterating and different requirements and design goals were debated by willing co-designers, the portability guarantees came to the fore as another key goal.
This portability goal dovetailed nicely with the requirements of the Open Wallet Foundation’s ACA-Py framework, which requires DID “agents” (a kind of general-purpose “backend” for many DID and VC operations) to be smoothly swappable over time by simply updating the services property in a DID document. As ACA-Py had originally been developed for blockchain-based did:indy DIDs, there was some amount of portability, key-management, and trust-model parity that needed to be achieved, which brought a lot of other difficult design problems in tow since websites are not stateful or append-only in the way blockchains are!
Another parity goal was in achieving many of the host-independent “microledger” properties central to the KERI identifier system (and Sidetree before it), whereby the entire history of every DID can be walked to detect duplicity or other malice in any part of the system. Another KERI feature which the designers wanted to achieve was KERI’s “witnessing” properties, inspired by Certificate Transparency, which keeps hosts honest with tamper-detection and caching. This survives in optional extensions, i.e. as a distinct mechanism that consumers and hosts can opt into for stronger guarantees in resolution.
The did:webvh method's requirements informed the design and its original name, “Trust did:web”. Namely, the eponymous goal was to achieve an HTTP-published but ultimately host-independent trust layer for DID-based interactions, without a common blockchain and with more conventional cryptography and tooling than KERI requires. Trust nerds can think of this as a move from the “CA-grounded” web trust model, the only one in which did:web is usably trustworthy and secure, to one usable in a more modern “Let’s Encrypt” trust model that the web has largely moved to in recent decades.
Playing Nice in a Multi-DID WorldAs mentioned above, a formative goal in the design of did:webvh was smooth interoperability with did:web and did:key, as well as properties that would normally require an append-only VDR to achieve. Contrary to many DID methods which strive to stand out from the crowd by offering unique features enabled by their particular VDR or low-level mechanisms, this method sought instead to achieve a superset of features already in production today, to offer existing DID-based and DID-like systems a beter option to migrate to or translate to. Anything permitted in the DID Core specification is available in did:webvh — no restrictions! If the early phase of DID design was one of innovation and experimentation, did:webvh strives to consolidate and unite in this phase marked by convergence and productionization.
A good example of this is how did:webvh appends a digest (which can be used as a checksum) of the DID log entry to the id property of each DID document. In the HTTP context, this makes each DID document “tamper-evident” thus reducing many of the opportunities for a malicious did:web host to produce inaccurate or adulterated DID documents on behalf of a DID controller. This also makes all did:webvh DIDs “self-certifying,” in the sense that their documents’ integrity can always be checked against this checksum. Similarly, the provenance back to inception of updated DID documents can be integrity-protected and proven by the same “SCID” (Self-Certifying Identifier) mechanism.
SCIDs are a powerful design pattern, which undergird early IPFS-based DID methods like did:ipid and the Sidetree methods like did:ion and did:element, both of which were incubated in the DID Sidetree WG and used the IPFS identifier scheme to address each DID document by its hash. Older mechanisms of hash-identification include RFC 6920, which underwrites the recent did:ni method; newer examples include did:iscc and the growing body of SubResource Integrity specs at W3C that allow location-independent, self-certifying identifiers for slow-moving, cacheable web resources. KERI pushed SCIDs to the fore and influenced a lot of design work at ToIP, but zooming out a little they can be seen across modern web development as a powerful counterbalance to the “same-domain principle” of modern web security.
SCIDs are also crucial to lots of ongoing design work at ToIP and elsewhere, such as the First Person Project which mandates the portability and self-certifying properties described above for ANY DID used across a wide patchwork of infrastructures and tooling. Does that mean any SCIDs will do? Can a did:webplus, used in the OCI ecosystem, be translated to a did:webvh, or a did:scid to let a controller of a did:webplus be part of such a bridged network?
Similarly, the optional witness and watcher capabilities defined in the did:webvh specification were defined to be open-ended building-blocks as well. The specification defines a clean and simple technical mechanism for each capability to ensure interoperability between different applications of these, while leaving use-cases and ecosystem-specific governance questions outside the specification, where they belong. One application of these has been to backfill the did:indy concept of "endorsers" in a web-based VDR, but many other trust mechanisms or policy engines could be built combining DID logs and witnesses and/or watchers. The did:webvh Work Item at DIF welcomes implementors with divergent use-cases and policy assumptions to collaborate on profiling these capabilities and specifying them in more detail in ongoing work.
These broader questions of interoperability beyond the boundaries of any one DID method are increasingly being tackled in other workstreams at DIF. One of these isthe DID Traits evaluative specification (which also hit V1.0 recently!) which defines shared or equivalent/translatable properties across methods to facilitate bridging and converging DID systems. Similarly, the DID Methods WG is trying to draw attention to how well DIDs can be combined or translated, as well as how “production-grade” their implementations can be tested (or even audited) to be. WebVH is the first method being evaluated for production-readiness and documentation completeness, literally setting the bar for others!
Where to from here?Having reached v1.0, the focus will now turn to refinements and adoption, working with implementers and deployers to gather feedback and grow their numbers.
Innovators are encouraged to review the didwebvh.info website and walk through the basic step-by-step "Understanding did:webvh". Implementors should check out the Implementations page to find the did:webvh tooling you need for your initiatives, including three mature and complete implementations: Python TypeScript Rust Standards developers can jump directly to the did:webvh specThe Python and Typescript implementations were both incubated by the Government of British Columbia, Canada.
The Rust implementation was recently contributed to DIF by Affinidi. We're excited by this contribution as it brings the performance, memory safety, and systems-level capabilities that make Rust increasingly popular for performance-critical applications.
These three implementations serve as mutual validation tools, continuously testing interoperability and compliance against each other to ensure robust spec maturity and cross-platform reliability.
Whether you prefer leveraging existing tooling or building from scratch, did:webvh makes both paths straightforward. The clean specification and comprehensive interoperability test suite provide clear guidance for new implementations, while the mature tooling ecosystem offers battle-tested components you can integrate immediately.
We welcome contributions from the community - whether that's enhancing existing implementations, creating new language bindings, improving documentation, or developing deployment tools that make it even easier to adopt did:webvh DIDs in production environments!
Want to learn more and get involved? Join DIF or contact us at contact@identity.foundation.
A new school year is upon us and ISL wants to remind educators and school technologists that they need to take as much care scrutinizing safety risks in off-the-shelf (OTS) technologies recommended to students as they do for technologies licensed by the schools.
We recently went back over the data from our 2022 benchmark and confirmed that most technologies pushed to K-12 students in the US are recommended (not required), and unvetted off-the-shelf technologies that students use completely independently of school privacy controls or oversight.
Schools Recommend Too Many Technologies to StudentsOne of the most striking findings from our 2022 US K12 EdTech Benchmark was seeing just how many technologies schools were pushing students to use.
We ended up counting apps used in each school in three different ways. We initially looked for a single list of all the technologies that a school was either recommending or requiring. Ideally, we were looking for discrete lists of each type—recommended or required. However, most schools did not have clean, singular lists of apps, which meant we needed to hand count the number of all apps mentioned by the school and/or district websites as being used by students (“manual app count”). We hand-counted all 663 schools. Some schools or more frequently school districts had full app lists maintained by their IT departments, and many districts maintained lists of technologies in the Student Data Privacy Consortium (SDPC) database. We called these lists “simple aggregated lists”. Finally, for many of the schools that had simple aggregated lists, they also indicated if an app was “approved” or not. We called these lists of approved apps “approved technology lists”. To summarize the types of app list counts:
(1) Manual app count: Researchers hand counted the number of apps found across school and district websites1. This was performed for all 663 schools.
As can be seen in Table 1, the manual count yielded an average of 19 apps per school, but schools with simple aggregated lists averaged 191 apps, and strangely, the subset of schools with approved apps averaged 214 apps. Yikes.
Do schools really need to recommend 200 different apps and websites for student use?
As mentioned earlier, in our manual counting of technologies we designated an app as either “required” or “recommended”. Apps were deemed “required” due to prominent presence on school websites, often with a login.2 Similarly, custom apps that were clearly branded for the school or district were also designated as required. Thus, required apps in our research were always licensed by schools. As such, these technologies were held to greater scrutiny and vetting, and student accounts were generally provisioned and managed by the schools3. In this way, the school had “joint data controller” responsibilities alongside the app developer.4
“Recommended” technologies, however, were always off-the-shelf (OTS) technologies, which students would access or download at their own discretion, creating their own accounts independent of the school.
We knew that the percentage of required apps was small compared to the recommended apps. But what was the breakdown of “required” versus “recommended” apps? We thought the distribution might follow the 80-20 Pareto principle: that 20% of the apps were required, and 80% were recommended. We decided to go back and run the numbers.
Table 2 below shows the numbers for the different types of app count lists. The manual app count method failed to account for the sometimes massive, aggregated lists. Similarly, the aggregated list numbers distorted the overall data set. The bottom-line row in the table, “Manual + Approved list”, combines the manual counts for schools without simple aggregated lists with the approved technology counts [for schools that had them] to best provide a number for the national results.
As can be seen, it was closer to 70-30 than 80-20. On average, schools were pushing nearly 58 technologies to students, with 28.9% of them being required, and 71.1% being recommended.5 The vast number of apps schools are pushing on students are merely recommended unvetted off-the-shelf apps. Despite the apps being “approved” by the schools in the approved technology lists, we know that in many cases, the only vetting is whether or not a Privacy Policy exists. This is not a sufficient form of vetting to ensure student data privacy. Schools are subjecting students to unvetted and ungoverned technologies—sometimes more than 200 such technologies. Recall also that nearly 30% of the recommended technologies for students are neither strictly educational apps nor apps designed for children, and in the latter case, they are not covered by COPPA compliance.
Table 2 Type of App List #When we consider “edtech” as the combination of licensed and OTS technologies as in our 2022 benchmark, a primary risk for students is the high—sometimes exceedingly high—number of unvetted off-the-shelf technologies that schools are recommending they use.6 Until technology is reasonably safe for children ISL recommends schools undertake the following:
Minimize the number of technologies recommended to students.Footnotes: Note that the apps found via the manual count were the apps that were audited in the research. Due to the volume of listed apps, ISL did not audit all of the apps found in the simple aggregated lists. More discussion can be found in the first findings report. “2022 K-12 EdTech Safety Benchmark National Findings – Part 1”, Internet Safety Labs, December 13, 2022, Section 7.2.1, p. 89, https://internetsafetylabs.org/wp-content/uploads/2022/12/2022-k12-edtech-safety-benchmark-national-findings-part-1.pdf These required apps also more narrowly align with traditional “EdTech” categories, whereas the recommended technologies included a large percentage of apps not intended for children. We wrote about this in a blog post from 2023 called, “Data Controller Confusion in EdTech”, https://internetsafetylabs.org/blog/insights/data-controller-confusion-in-edtech/. NOTE that the average percentages shown in Table 1 reflect an average of each school’s percentage of required/recommended apps. Licensed technologies are also risky, especially the Community Engagement Platforms which shared data [on purpose] with the most third party entities and data brokers, like this app, no longer available on the app store: https://appmicroscope.org/app/1579/.
The post 2022 K-12 Edtech Benchmark Revisited: Unvetted Off-the-Shelf Apps Outnumber Licensed Apps 2-to-1 appeared first on Internet Safety Labs.
The way cash moves through the supply chain is evolving.
What was once a paper-heavy process is now embracing digital transformation.
In this episode, Robert Skitt, Senior Manager at Axiom Armored Transport, joins hosts Reid Jackson and Liz Sertl to discuss the shift from traditional, manual methods to more secure, efficient, and accountable digital solutions.
Financial institutions and the Federal Reserve are demanding greater transparency and control over cash movement, and armored transport teams are under increasing pressure to adapt.
Robert walks us through the process of how Axiom is modernizing armored transport, replacing handwritten logs with barcode scans and eManifests. In this episode, you’ll learn:
How GS1 standards are helping digitize cash logistics
What “cash visibility” looks like in practice
Why early adoption gave Axiom a seat at the table and a competitive edge
Jump into the conversation:
(00:00) Introducing Next Level Supply Chain
(04:52) What cash visibility looks like
(07:23) How GS1 standards changed the workflow
(11:32) Turning paper-heavy processes into data
(13:32) Barcode tech in armored car logistics
(15:14) How digitization improves accuracy and trust
(19:25) Advice for starting your visibility journey
(20:44) Robert’s favorite technology today
Connect with GS1 US:
Our website - www.gs1us.org
Connect with the guest:
Robert Skitt on LinkedInCheck out Axiom Armored Transport
Not only did Blockchain Commons close out its major Zcash project in Q2 and start work on a big, new FROST push, but we also did continued work on many other initiatives:
Working with Partners Zcash Zingo Labs FROST Ethereum Articles & Presentations Interoperability Provenance Marks Post-Quantum URs Permits in Gordian Envelope Thinking about Identity HackerNoon No Phone Home XID Core Concepts Fair Witness Bitcoin Policy Summit Web Updates Updated Projects Page New Envelope Seeds Page CLI Updates dCBOR-CLI Envelope-CLI Library Updates Mass Crate Update Argon2ID envelope-pattern dcbor-parse Working with PartnersBlockchain Commons is supported by patronage and by grants. (If you want to become a major patron and partner with us on a project, let us know, and if there are grants that you think would allow us to fulfill our Gordian Principles, that we may not be applying to, again drop us a line.) In Q1, some of our major projects were closely related to grants that we’d applied for last year.
Zcash. The Zcash ZeWIF project took up the majority of the our Q1. The goal was to create an interchangeable wallet format that would make Zcash wallets more interoperable and so give users more freedom to move their funds to an app of their choice. We continued that work in April and then closed it out in May.
Our work product for Q2 of the ZeWIF project included the final drafts of our best practices for importing & exporting wallet data and our doc on using Envelope attachments for ZeWIF. We also held our fourth and final (to date) ZeWIF meeting, which included a demo of our zmigrate-cli tool. Our final two reports from May give all the details on the apps, crates, and docs that we published as we closed out the project.
Zingo Labs. We were proud to do our Zcash work with Zingo Labs, who provided us with some of the Zcash-chain knowledge we needed to extend our interoperability expertise into the Zcash community. (We also got lots of support from other experts in the community through meetings, which is the same way we advance standards in all the ecosystems we work with.) We hope to continue that partnership in the future, and to support that we offered a presentation to Zingo Labs in Q2 highlighting our technologies, how they work, and why they’re useful. We focused on some of the low hanging fruit such as SSKR, which allows for the secure backup of secrets, and OIB, which makes it easier for users to see what they’re doing. We’ll let you know if anything comes of this!
FROST. As soon as we closed out work on our Zcash grant, we began work on a new FROST grant that we received from HRF. This grant’s work will come in three parts: creating new FROST signing tools; writing “Learning FROST from the Command Line”; and holding FROST meetings. We’ve been pushing hard on this work in July and August, so we’ll be writing more about it in the Q3 report.
Ethereum. Though most of Blockchain Commons’ work has traditionally been on the Bitcoin blockchain, our principles of independence, resilience, privacy, and openness apply to all blockchains. Our recent work with Zcash proved that, and so in Q2 we also had some talks with a variety of parties in the Ethereum ecosystem about possibly doing work with them on securing secrets at the level zero of their stack. We’re still waiting to see if anything gels, but generally: if you know of a blockchain that might be looking for interoperability or resilience support, let us know!
Articles & PresentationsBlockchain Commons’ major articles and presentations demonstrate our fundamentals and highlight our newest work. Here’s what that included in Q2.
Interoperability. We talk a lot about ecosystem “openness” and user “freedom”, or more generally “interoperability.” This is a pretty important foundation of Blockchain Commons’ work, so in Q2 we explored it more with the article “Interop, What Is It Good For?” and slides and video at our May Gordian Meeting. We encourage you take a look at the article or the meeting presentation to gain some more insight into one of the core principles of Blockchain Commons’ work.
Provenance Marks. One of our newest innovations is “provenance marks,” which allow for the creation of a cryptographically-secured chain of marks. We gave a presentation at our June Gordian meeting and also have a research paper on the technology. We additionally presented in provenance marks to the W3C Credentials Community Group, who is forming a working group on provenance technology of this type: Blockchain Commons’ provenance marks are one of three possibilities under consideration.
Post-Quantum URs. Post-Quantum Cryptography support was one of our most exciting expansions in Q1. We’ve now published a new research paper on integrating PQC with URs.
Permits in Gordian Envelope. Gordian Envelope is a more mature technology at Blockchain Commons, but we’re still exploring its fullest capability. Part of that capability is the “permit,” which is a way to lock your Gordian Envelope. The great thing about permits is that you can apply multiple permits to an Envelope, so that it can be opened by different people in different ways! We wrote a research paper on “Permits in Gordian Envelope” to offer more insights into the possibilities.
Thinking about IdentityChristopher Allen has been long associated with digital identity, dating back at least to his authorship of “The Path to Self-Sovereign Identity” and his founding of the Rebooting the Web of Trust workshops. Blockchain Commons did a variety of scattered work on identity in Q2.
HackerNoon. Christopher talked to Hackernoon about how “We’ve Lost the Privacy Plot”, which generally discusses privacy and the internet.
No Phone Home. Digital identity is closely associated with digital credentials, which detail who and what an identity represents. Unfortunately, credential design is growing problematic because much of it is phoning home: alerting issuers when and where credentials are used. That’s why Blockchain Commons recently signed on to the No Phone Home initiative, to try and bring attention to this fundamental problem in digital identity.
XID Core Concepts. Blockchain Commons has its own answer for self-sovereign identity: the XID, or extensible identifier. We’ve been working on a tutorial course to show everything about how XIDs work. So far, we’ve developed a set of core concepts docs, which not only overview how XIDs work, but also how they link into Blockchain Commons’ larger architecture. This is still a work in progress. (We’re about to begin work finalizing the linked tutorials.) But, if you want to take an early look, the core concepts files have all been closed out as revised drafts.
Fair Witness. Some of Blockchain Commons’ work is advocacy (like our discussion with Hackernoon and our signing on to No Phone Home) and some is pragmatic (like our XID work). But we also try to be future-looking. That’s what Christopher’s “Fair Witnessing” Musings was about. It’s a new look at Verifiable Credentials that focuses on the limitations of what we actually can perceive.
Bitcoin Policy Summit. We’re thrilled to see some of our thinking about identity starting to have an effect on the larger world. A few of Christopher’s identity articles were referenced in the Bitcoin Policy Institute’s recent white paper on “Building a Trustworthy Digital Future” and as a result, Christopher was asked to talk at the Bitcoin Policy Summit in Washington D.C. this June. (More on the results of that in the coming quarters!)
Web UpdatesOur web pages are intended as a resource for developers so that they can understand and implement our technologies. Here are some of the updates we made this quarter:
Updated Projects Page. Our projects page has always been a central index to our most important work, but that type of thing gets out of date as priorities change, so we’ve done a big update to align it with our most recent iteration of our developer pages and to otherwise highlight important recent work like our meetings for FROST. Take a look at what we consider our most relevant work as of early 2025!
New Envelope Seeds Page. We also released a new page on Seeds in Gordian Envelope: how and why you’d want to store seeds in envelopes, complete with examples of how to use envelope-cli
for experimentation. (This was also the heart of the demo we made to Zingo Labs, so you can take a look at several of our easiest-to-implement technologies here.)
As usual, we’ve been making updates to our apps and libraries. In Q2 that included two CLI releases:
dCBOR-CLI. We have a new CLI for dCBOR! It validates dCBOR input (using CBOR diagnostic as its default input) and produces output in several formats (using hex as its default output).
Envelope-CLI. Our Envelope CLI now has new pattern matching to make it easier to find specific leaves.
Library UpdatesThere were also lots of updates to our libraries, focusing on our Rust stack.
Mass Crate Update. The vast majority of our Rust crates have been updated to support new developments that occurred while we were working on ZeWIF. This includes:
- bc-rand 0.4.0
- bc-crypto 0.9.0
- bc-shamir 0.8.0
- dcbor 0.19.0
- bc-tags 0.2.0
- bc-ur 0.9.0
- sskr 0.8.0
- bc-components 0.21.0
- known-values 0.4.0
- bc-envelope 0.28.0
- provenance-mark 0.8.0
- bc-xid 0.8.0
- bc-envelope-cli 0.14.0
- gstp 0.8.0
Argon2id. Argon2id support has been added to bc-crypto
and bc-components
, as well as the EncryptedKey
type.
envelope-pattern. The new envelope-pattern crate is a pattern matcher and text syntax pattern parser for Gordian Envelope, allowing you to match specific structures within envelopes.
dcbor-parse. The new dcbor-parse crate parses and composes the CBOR diagnostic notation into dCBOR (deterministic CBOR) data items.
Here are our major dcbor crate updates:
- dcbor-parse 0.1.1 (NEW)
- dcbor-cli 0.7.1 (heavy update)
- dcbor 0.19.1 (minor changes)
Coming up, we have work on FROST, XID, and more. Sign up for the Gordian Developer Meeting announcement-list to be informed of our upcoming presentations, and please consider becoming a patron of Blockchain Commons or talking with us about partnering on a specific project.
Submitted by: Joni Brennan, President
List of recommendations:
Recommendation 1: That the government fund and deploy an interoperable, reusable digital credentials login solution for federal services modeled after widely-used single sign-on tools in the private sector. Recommendation 2: That the government invest in Canadian-based trust infrastructure, including domestic cloud and data centres, to support AI-readiness, digital sovereignty, and economic resilience. Recommendation 3: That the government advance interoperability to unleash digital trade and labour mobility.Introduction
Thank you for the opportunity to provide input in advance of Budget 2025. In a time of economic, technological, and geopolitical uncertainty, Canada must act with urgency to reinforce the foundation of a strong, secure, and competitive digital economy: trust.
Whether enabling interprovincial labour mobility, reducing fraud in real estate and finance, or ensuring AI tools are used responsibly, verifiable trust infrastructure is central to our countryʼs economic stability and resilience. Trust is not just a principle, it is the experience citizens have when interacting with government services that are as seamless, secure, and intuitive as private-sector platforms. Without secure and scalable identity verification, Canadian businesses face rising fraud costs, compliance burdens, and lost consumer confidence. Citizens and professionals are delayed in accessing critical services or moving where they are needed most. And governments are challenged to keep pace with accelerating threats in an AI-driven world.
Now is the time to deliver trust through experience by investing in practical tools and Canadian infrastructure that protect citizens, unlock innovation, and future-proof our economy.
About DIACC
The Digital Identification and Authentication Council of Canada (DIACC) is a non-profit public–private coalition created following the federal Task Force for the Payments System Review. DIACCʼs mission is to accelerate digital trust adoption by enabling privacy-respecting, secure, and interoperable identity systems.
DIACC is the steward of the Pan-Canadian Trust Framework (PCTF) — an industry-developed, standards-based, technology-neutral framework designed to enable scalable, certifiable digital trust infrastructure that meets the needs of governments, businesses, and individuals.
The PCTF has been developed in collaboration with experts from federal, provincial, and territorial governments as well as industry and civil society. It supports verifiable credentials, authentication services, fraud prevention, and information integrity across the Canadian digital economy.
Canadaʼs Urgent Trust Deficit
Canada faces a growing trust deficit that threatens economic growth, competitiveness, and national resilience. Three converging challenges demand action:
AI-accelerated misinformation and identity theft – Generative AI tools are enabling the rapid creation and dissemination of fake identities, fraudulent documentation, and disinformation. Without robust authentication systems and verifiable credentials, the authenticity of people, data, and services becomes harder to determine—eroding consumer confidence and legal certainty. Rising fraud and its impact on the economy – Many of Canadaʼs key sectors are increasingly subject to fraud. The real estate sector, for example, is increasingly experiencing impersonation and illicit financial flows, especially in transactions involving unrepresented parties. Mortgage fraud, title theft, and manipulated documentation are rising, yet identity verification practices remain outdated and fragmented. Barriers to labour mobility and seamless trade – Many professionals face long delays and duplicative processes when seeking to work across provinces or internationally. Businesses struggle to comply with evolving regulatory requirements and to compete globally without recognized, verifiable credentials.Recommendations
DIACC offers three core recommendations to address these threats and seize the opportunity to lead globally in trusted digital innovation.
Recommendation 1: That the government fund and deploy an interoperable, reusable digital credentials login solution for federal services modeled after widely-used single sign-on tools in the private sector.
The Government of Canada should develop and implement a digital credentials login solution that enables citizens to access federal services with one secure, consistent experience — similar to how they use Google or Apple sign-in options across the internet. For example, with a trusted credential, Canadians could log into a real estate registry, file taxes, or access health records using one verified identity, reducing friction and fraud risk while improving convenience and access.
These credentials should be certified against open standards such as the PCTF, enabling individuals to verify their identity once and reuse it securely across services. The government is also encouraged to take a longer-term view by building compatibility across federal, provincial, and municipal digital credentials systems.
Recommendation 2: That the government invest in Canadian-based trust infrastructure, including domestic cloud and data centres, to support AI-readiness, digital sovereignty, and economic resilience.
Verification and authentication tools are essential infrastructure in an AI-driven economy. As AI-generated content, synthetic identities, and manipulated documents become increasingly sophisticated, the ability to verify the provenance and traceability of information and data becomes even more vital.
DIACC recommends that the government:
Recognize authentication and verification tools as critical components of Canadaʼs AI strategy and cybersecurity agenda. Fund the adoption and certification of privacy-respecting, standards-based solutions, such as the PCTF. Prioritize collaborative development of tools that verify identity, documentation, and information authenticity while preserving user privacy. Ensure data residency through investment in Canadian-based private cloud and hardware services.A proactive, standards-aligned approach will support:
Responsible AI deployment across sectors. Secure digital service delivery. Reduced liability for businesses and professionals relying on verified information. Greater resilience against misinformation and fraud in elections, commerce, and public discourse.Recommendation 3: That the government advance interoperability to unleash digital trade and labour mobility.
Interoperability is key to reducing friction, unlocking economic opportunity, and ensuring Canada remains globally competitive. DIACC recommends that the government:
Support cross-government and cross-border interoperability by recognizing frameworks such as the PCTF in legislation, procurement, and policy. Advance mutual recognition of trust frameworks with international partners (e.g., between PCTF and the EUʼs eIDAS 2.0 framework). Enable the use of verified credentials for regulatory compliance, licensure, and interprovincial labour mobility. Accelerate digital transformation across public services using certifiable trust services.This approach will help:
Enable professionals and skilled workers to move between provinces without redoing verification processes. Simplify cross-border regulatory compliance for Canadian exporters and importers. Allow micro, small and medium enterprises — including in rural, Indigenous and remote communities — to offer services and products across Canada and beyond without prohibitive onboarding costs. Ensure that public sector modernization efforts are secure, accessible, and efficient.The Road Ahead
Canada is at a turning point. The foundation of trust that underpins our digital and economic systems is under strain, but the tools and standards to reinforce it already exist. Frameworks like the PCTF offer governments and businesses practical, scalable solutions that:
Meet privacy, security, and accessibility requirements. Support inclusive digital access for underserved communities. Complement formal standards and enable rapid deployment. Preserve Canadaʼs digital sovereignty. Budget 2025 offers a strategic moment to invest in these tools, not just as a technical fix but as a long-term economic, national security, and democratic priority.Conclusion
Trust is Canadaʼs most valuable economic asset in the digital age. Whether enabling a small business to sell across borders, a citizen to access services securely, or a hospital to verify a clinicianʼs credentials during a crisis, trust infrastructure is the connective tissue of our digital society. DIACC welcomes further collaboration with federal partners to ensure Canadians can interact, transact, and innovate with confidence in a digital-first world. Thank you once again for the opportunity to provide our input in advance of Budget 2025 and as we collectively move forward on the path to a digitally and economically prosperous Canada.
Public Review Period for Proposed Second Implementer’s Draft of OpenID Connect Native SSO for Mobile Apps The OpenID Connect Working Group recommends approval of the following specification as an OpenID Implementer’s Draft:
OpenID Connect Native SSO for Mobile Apps 1.0This would be the second Implementer’s Draft of this specification.
An Implementer’s Draft is a stable version of a specification providing intellectual property protections to implementers of the specification. This note starts the 45-day public review period for the specification draft in accordance with the OpenID Foundation IPR policies and procedures. Unless issues are identified during the review that the working group believes must be addressed by revising the draft, this review period will be followed by a fourteen-day voting period during which OpenID Foundation members will vote on whether to approve this draft as an OpenID Implementer’s Draft.
The relevant dates are:
Implementer’s Draft public review period: Monday, August 4, 2025 to Thursday, September 18, 2025 (45 days) Implementer’s Draft vote announcement: Friday, September 5, 2025 Implementer’s Draft voting period: Friday, September 19, 2025 to Friday, October 3, 2025The OpenID Connect working group page is https://openid.net/wg/connect/. Information on joining the OpenID Foundation can be found at https://openid.net/foundation/members/registration. If you’re not a current OpenID Foundation member, please consider joining to participate in the approval vote.
You can send feedback on the specification in a way that enables the working group to act upon it by (1) signing the contribution agreement at https://openid.net/intellectual-property/ to join the working group (please specify that you are joining the “AB/Connect” working group on your contribution agreement), (2) joining the working group mailing list at https://lists.openid.net/mailman/listinfo/openid-specs-ab, and (3) sending your feedback to the list.
Marie Jordan – OpenID Foundation Board Secretary
About The OpenID Foundation (OIDF)
The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.
The post Public Review Period for Proposed Second Implementer’s Draft of OpenID Connect Native SSO for Mobile Apps first appeared on OpenID Foundation.
Community calls have been a cornerstone of my engagement and community building practice for well over a decade. I started a couple community calls at Greenpeace International, one of which continues a good 8 or 9 years later. Regular readers have probably heard of the Open Recognition is for Everybody (ORE) call. Now, we’re spinning one up with Amnesty International UK.
In this blog post, I reflect on why community calls hold such significance to me. For me, community calls are vital hubs where connections, ideas, and growth converge.
Being open and inclusive cc-by-nd Bryan Mathers for WAOWe all stand on the shoulders of giants. I learned about community calls way back when I was working at Mozilla. At Mozilla, we had community calls for communities, sub-communities, projects and procedures. The majority of our meetings were simply open – if you knew about it, you could join. Sometimes we promoted calls and asked for participation, sometimes we just waited to see who showed up. If you showed up to a call, you were included, whether anyone had specifically invited you or not.
Working openly is a transformative way to bring people together and create safe spaces where people can share challenges, celebrate successes, and co-create solutions. The regularity of designated community calls helps build trust and camaraderie, turning strangers into collaborators. By creating space for diverse voices, we enrich our problem-solving approaches and ensure that decision-making reflects a wide range of perspectives. These inclusive practices have strengthened communities, making them more resilient and adaptable.
Strengthening the community cc-by-nd Bryan Mathers for WAOIf I think about all the different community calls I’ve been a part of, and all the people I’ve met because of open community calls, I’m reminded of the power those calls have to shape things. These calls aren’t presentations, webinars or regular meetings, they are spaces where people have the power to shape the agenda and talk about issues that matter to them.
Part of building successful community calls is to let go of trying to control conversations. While we might put together a loose agenda to guide a community call, we strive to make sure that everyone in attendance feels like their being there matters. Community calls are not transactional, they are spaces that help us be part of a community, find ways to amplify more voices and work together.
Just talk to people cc-by-nd Bryan Mathers for WAOPart of what makes a community thrive is helping people find a place of belonging. Community calls help by providing a flexible space where people can just talk to each other. They are not just about discussing details or progress in a project, but also about celebrating one another and figuring out what a collective future for a project or an idea might be. They’re great spaces to figure out problems, while also getting to know the people you’re collaborating with.
Community calls have been instrumental in shaping open projects and building meaningful connections. Their role in driving innovation, inclusivity, and adaptability is immeasurable. As I look forward to building open calls for the AIUK community, I am reminded that these calls are not just meetings—they're milestones in a journey towards a more connected and collaborative world.
If you are looking for a way to encourage a group of people to co-create and collaborate, check out 11 steps to running an online community meeting. It’s a resource that I wrote almost a decade ago and continue to return to over and over as I work to connect people working to make the world a better place.
Google has implemented significant enhancements to biometric authentication and security features in Chrome and Google Workspace, marking the latest step in the company’s broader push toward stronger authentication methods. These updates build upon previous Chrome security improvements while addressing critical vulnerabilities in desktop password management.
The OpenID Foundation is excited to announce the first interoperability event testing against the soon-to-be-final Shared Signals Framework (SSF) specification at Authenticate 2025.
This event will demonstrate interoperability on the final specification, after the membership votes on it as being ‘final’ by end of August), as per OIDF Process Document. It will serve as the final phase of testing on the OpenID Foundation open source tests before they are announced as available for implementer self-certification, as per our certification program process.
Demonstrating real world business valueSSF interoperability events enable participants to demonstrate real-world use cases with their products leveraging CAEP, RISC or SCIM events to deliver business value. The interoperability testing conducted at the three previous Gartner IAM Summits drew an amazing response as conference attendees witnessed firsthand how their security can be dramatically improved using SSF.
The sessions will be led by Atul Tulshibagwale, Corporate Board Member of the OpenID Foundation and CTO of SGNL. Atul will also present a breakout session on Monday, October 13, explaining the standards, and revealing the interoperability testing results.
Atul noted “Demonstrating conformance to the final published specifications is an important milestone that this interoperability test will establish. Companies interested in securing their systems using CAEP and SSF can rely on these interoperable implementations with the confidence that future products would have to conform to the same specifications.”
Gail Hodges, the OpenID Foundation’s Executive Director added: “We are delighted to see the Shared Signals specifications moving through the public review and voting process, to see the Shared Signals Working Group (SSWG) bring those specifications through four interoperability events on two continents, and to prove out the open source tests so any implementer can build to and self certify to the same global open standards. We are grateful to our friends at our peer standards body FIDO for their invitation to demonstrate the interoperability of Shared Signals at their annual event in San Diego.”
Andrew Shikiar, Executive Director and CEO of the FIDO Alliance said: “The Authenticate conference has proven to be a fantastic venue for global attendees to collaborate on innovations in authentication and digital identity. We welcome the OpenID Foundation’s Shared Signals Framework implementers to interoperability test and demonstrate their implementations, which complement the strong authentication capabilities of passkeys enabling responsive session management using CAEP.”
Invitation to participateThe OpenID Foundation’s SSWG is inviting participation from implementers of the proposed final specifications of SSF, CAEP and RISC. As always, the OpenID Foundation welcomes those who have demonstrated interoperability to previous versions of these standards, as well as new entrants implementing for the first time.
To accommodate this diversity of new and earlier implementations, the SSWG has designed the following rules:
Conformance Tests: All participants that have a SSF Transmitter must pass the OpenID Foundation’s free, open source conformance tests. Event Types: Transmitters and Receivers must support the SSF verification event type and at least one additional event type, such as CAEP session revoked, CAEP credentials changed, or CAEP device compliance change. Interoperability Tests: Each participant must test with at least one other participant to achieve the ‘interoperable’ status. Note that Transmitters need to pass the conformance tests in order to participate. Implementation categoriesInteroperable implementations will be categorized as follows:
Available Now: Publicly documented, currently available solution Available Soon: Publicly documented solutions with near-term availability In Development: Solutions not publicly documented or available.There will be 15 demonstration slots, divided into three sessions of five slots each. These will be allotted to interoperable implementations based on their category above, with preference given to those with membership of the OpenID Foundation
More on Shared Signals
To read more about why shared signals are critical specifications, and why Gartner analysts, CISA, NIST and others refer to Shared Signals as a critical best practice to secure public and private ecosystem implementations read more here:
“Shared Signals Framework: The Blueprint for Modern IAM (Part 1 of 4)” – OpenID Foundation “Juggling with Fire Made Easier: Provisioning with SCIM (Part 2 of 4)” – OpenID Foundation “Review of the Summer 2023 Microsoft Exchange Online Intrusion” CISA Cybersafety Review Board Report NIST SP800-63-4 (draft) AuthZEN & Shared Signals in the Gartner IAM 2025 Spotlight – OpenID Foundation Gartner report – Hype Cycle for Digital Identity 2025 (Note: requires Gartner subscription or purchase). About the OpenID FoundationThe OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.
The post Shared Signals interop event at Authenticate 2025: Call for participation first appeared on OpenID Foundation.
This summer marks ten years since the Ethereum network launched, forever transforming the blockchain space and introducing the world to smart contracts, decentralized applications, and programmable trust. At LF Decentralized Trust (LFDT), we’re proud to join the global community in celebrating this milestone and spotlighting the critical role our projects and contributors play in Ethereum’s growth and evolution.
Back to our Developer Showcase Series to learn what developers in the real world are doing with LF Decentralized Trust technologies. Next up is Antonio Mota, Vice President, Applications Developer and Lead Analyst, DLT Centre of Excellence, Citi Innovation Labs.
How can technology serve as a tool for justice, not harm? Our recent six-month Matchbox partnership with TechHer Nigeria helped us explore exactly that.
The post PARTNERING FOR IMPACT: BUILDING SAFE DIGITAL SPACES WITH TECHHER NIGERIA appeared first on The Engine Room.
The time has come to put open data at the heart of the New Zealand story. By this I mean the deployment of digital public infrastructure to secure our data so it can flow smoothly and safely with the correct permissions. Change is hard. System change is even harder. But that doesn’t mean we shouldn’t be aspirational.
It is encouraging to see Hon Judith Collins‘ “we’ll have a Government app by Christmas” programme take a significant step forward with the appointment of two exceptional New Zealand tech companies.
Congratulations to both Dave Clark NZ and MATTR teams. This is exactly the kind of partnership between government and local tech that strengthens our digital economy and showcases New Zealand innovation on the world stage – DIA announcement here.
The structural separation of digital identity from the traditional tech stack represents a seismic shift for the industry and for how systems are designed and developed. Despite extensive consultation as the technology evolved over the past few years, the long-awaited reference architecture and design for government implementation are now a priority.
As we build our profile, we are grateful that so many accomplished changemakers are stepping up to speak at our highly anticipated Digital Trust Hui on 12 August:
Matthew Evetts – Partner – Digital & Cyber, KPMG Tim Ransom – Product Manager – Public, Community and Consumer Health, Te Whatu Ora Joel Foster – Chief Commercial Officer, Lumin Helen Littlewood – Senior Product Manager,Worldline Contactless Silona Bonewald – President, LeadingBit Solutions | Open Source Evangelist & Standards Expert Kristy Phillips – Chair, Hospitality New Zealand Anna Curzon – Chair, B416 Don Christie, Managing Director, Catalyst IT Myles Ward – Deputy Government Chief Digital Officer, DIA Maria Roberston, Chair, Digital Identity New ZealandAt the Hui, it will be valuable to see the DIA spell out the work that the Department has underway to resolve any policy and regulatory barriers for accredited providers, issuing credentials (driving, education, travel, age assurance), along with DIA issued credentials under DISTF accreditation.
It will be beneficial at the Hui to see DIA outline the work underway to address policy and regulatory obstacles for accredited providers, specifically regarding the issuance of credentials such as driving, education, travel, and age assurance, as well as DIA-issued credentials under DISTF accreditation.
Have you secured your spot at the Digital Trust Hui Taumata?
Join us on 12 August in Wellington for a full day of keynotes, panels, roundtables, and exhibits, expertly guided by MC Ngapera Riley. Hear from leaders including Ministers Judith Collins and Scott Simpson, James Monaghan (MISSION), Myles Ward (DIA), Liz MacPherson (Privacy Commissioner), Helen Littlewood (Worldline), Christopher Goh (Austroads), and Andrew Weaver (Payments NZ). With 30+speakers and support from sponsors including Payments NZ, Worldline, IMB, KPMG, Lumin, Ping Identity, NEC, DIA, Westpac, MATTR, Middleware Group, JNCTN, and MinterEllisonRuddWatts, this is a must-attend event shaping Aotearoa’s digital trust future. View the Programme and Register now!
DINZ Strategy Refresh
New Zealand stands at the frontier of a digital future where open, trusted data unlocks better services, richer insights, and empowered citizens.
There is an increasing consensus among government, industry, Iwi, communities, and citizens to collaboratively undertake a bold, values-led transformation of our data systems. This transformation will be underpinned by transparent and auditable public infrastructure.
The upcoming digital identity strategy refresh will be looking at, amongst other things, how to accelerate credential uptake, how to unlock productivity with digital identity and the role of identity solutions in the world of AI and agentic systems.
I’m looking forward to this session with our Executive Council in the coming weeks as we work to focus our energy on making real change to support our vision of a country where people can express their identity using validated and trusted digital means in order to fully participate in a digital economy and society.
In Other News
With a realistic government timeline now established, we must collectively prepare for launch. There is a significant amount of work ahead, and no time to lose.
Fortunately, our Digital Identity NZ membership possesses world-class capabilities, ideally suited to assist with consultation and bridge delivery gaps as we move forward.
Ngā mihi nui,
Andy Higgs
Executive Director, Digital Identity NZ
Banner image credit: Rocket Lab
The post Open spaces, open hearts, open minds…time to add Open data to the mix! appeared first on Digital Identity New Zealand.
The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.
The post Notice of Vote to Approve Three Shared Signals Final Specifications first appeared on OpenID Foundation.
As fraud, regulatory scrutiny, and consumer expectations evolve, Canadian Automotive Retail and Finance Sectors are under pressure to modernize identity verification (IDV) practices. This report summarizes insights from DIACC’s recent industry forum, where finance leaders, dealership executives, and regulators explored the impact of digital IDV solutions on reducing fraud, improving operational efficiency, and fostering consumer trust.
Download the report here.
2025-Spring-Plenary-Client-IDV-Forum-Summary_ENGAugust 2025
DIF Website | DIF Mailing Lists | Meeting Recording Archive
Table of contents Decentralized Identity Foundation News; 2. Working Group Updates; 3. Special Interest Group Updates; 4. User Group Updates; 5. Announcements; 6. Get involved! Join DIF 🚀 Decentralized Identity Foundation News DIF Partners with MIT's Project NANDA for Packed EventDIF partnered with MIT's Project NANDA for a well-attended event at Circuit Launch on July 18, 2025, where Ramesh Raskar shared his vision for architecting an Internet of AI Agents. DIF Technical Steering Committee chair Andor Kesselman served as co-host, with robust discussion focusing on the relevance of decentralized identity for the agentic web.
During and after the event, discussion covered how DIF's decentralized identity standards can provide the cryptographic foundation for Project NANDA's agentic web, enabling persistent, verifiable identifiers for AI agents operating autonomously across organizational boundaries. This collaboration addresses the critical challenge of maintaining human oversight and trust as AI systems gain greater agency, ensuring that robust identity infrastructure underpins the future of AI collaboration.
DIF co-hosted event with Project NANDA in Mountain View, CA on July 18, 2025
Global Digital Collaboration Conference in GenevaDIF staff and community had a strong presence at the Global Digital Collaboration (GDC) conference in Geneva on July 1-2, 2025, with our community delivering key presentations across multiple tracks. Highlights included our opening session on Agentic AI and Digital ID, addressing critical trust challenges as AI agents become more autonomous. Additional DIF-led sessions covered identity foundations for Industry 4.0 transformation, decentralized identifiers for global interoperability, and digital human rights.
DIF community at GDC
The conference demonstrated the maturity of decentralized identity solutions, with presentations spanning from privacy-enhancing technologies and trust management for wallets to enterprise blockchain implementations and regulatory compliance frameworks. The diverse roster of sessions highlighted how decentralized identity is being deployed across sectors—from government digital infrastructure projects to enterprise security applications—while fostering meaningful dialogue between technologists, policymakers, and standards bodies globally.
Visit the GDC website for session videos and stay tuned for the upcoming Book of Proceedings featuring detailed insights from all presentations.
DIF Labs Beta Cohort 2 Projects LaunchFollowing the selection process completed in June, DIF Labs Beta Cohort 2 is now in full swing with three innovative projects that push the boundaries of decentralized identity technology. The selected projects focus on:
Privacy-preserving verifiable credentials using advanced cryptographic techniques Anonymous multi-signature protocols for group credentials Novel approaches to privacy-preserving revocation mechanisms.Each project team is receiving dedicated mentorship from DIF's expert community and is committed to delivering open-source implementations that will benefit the entire ecosystem. The projects are scheduled to run through September 2025, with regular check-ins and a final showcase event planned.
See the DIF Labs web site for more information.
DIF Showcases Decentralized Identity for Seamless Travel Experience at HITEC ConferenceDIF presented at HITEC 2025 in Indianapolis, where hospitality technology veterans mapped out how self-sovereign identity can align data privacy with friction-free travel experiences. The session featured Douglas Rice (Managing Director, Hospitality Technology Network), Nick Price (former CIO, Mandarin Oriental Hotel Group & citizenM), Kim Hamilton Duffy (DIF Executive Director), and Bill Carroll (CEO, Marketing Economics; retired Cornell professor). The speakers demonstrated how traveler-controlled digital wallets can enable seamless journeys—from AI-powered trip planning with auto-completing visa forms to face-scan boarding, NFC room keys, and verified guest reviews.
The presentation highlighted real-world momentum with examples including EU "Seamless Travel" pilots across 27 member states, Cathay Pacific's Hong Kong-Tokyo trial packing seven credential types into passenger wallets, and Bhutan's nationwide digital identity program built on decentralized identifiers. The speakers emphasized that centralized data silos are incompatible with the hyper-personalization guests demand, while self-sovereign identity delivers immediate benefits including reduced breach risks, lower cyber-insurance premiums, and improved revenue through verified, up-to-date traveler data.
See Alex Bainbridge's article for a detailed recap, as well as the recording and presentation deck. Additional coverage available at PhocusWire.
DIF H&T team at HITEC conference
🛠️ Working Group UpdatesBrowse our active working groups here
Creator Assertions Working GroupThe Creator Assertions Working Group made significant progress on terminology standardization and integration with broader credential frameworks. A key development was the group's decision to transition from "identity assertions" to "attribution assertions," recognizing that "attribution" better captures the essence of content creation claims while being less controversial in industry discussions. The team continued advancing their integration with the C2PA ecosystem and made substantial progress on metadata assertion standards. Work also progressed on media identifier systems and the development of flexible metadata frameworks that can accommodate various content types and use cases.
Applied Crypto Working GroupThe BBS+ team achieved significant milestones in pseudonym generation and post-quantum security considerations. Key developments included the finalization of polynomial evaluation methods for pseudonym generation, addressing potential security vulnerabilities from adversarial users through more robust cryptographic approaches. The team made substantial progress on test vector development for the 0.9 draft release and continued coordination with IETF standardization efforts. Discussions also covered the efficiency implications of different cryptographic commitment schemes and their practical applications in large-scale deployments.
DID Methods Working GroupThe DID Methods Working Group focused intensively on W3C standardization efforts and refining the evaluation process for DIF-recommended DID methods. Significant progress was made on the proposed W3C DID Methods Working Group charter, with the team addressing concerns about blockchain inclusion and standardization scope. The group refined evaluation criteria for DID method proposals, emphasizing the need for multiple implementations, significant deployments, and clear compliance with DID traits. Work continued on balancing objective criteria with expert evaluation to ensure high-quality recommendations while maintaining transparency in the assessment process.
Identifiers and Discovery Working GroupMultiple work streams advanced significantly this month. The DID:webvh team made substantial progress toward their 1.0 specification release, with multiple implementations now passing comprehensive test suites and performance analysis demonstrating efficient handling of DID updates. The DID Traits team prepared for their 1.0 release, focusing on key validation capabilities and long-term availability requirements. The group also explored applications in software supply chain contexts and examined compliance with emerging regulations like the EU's Cyber Resilience Act, demonstrating the practical relevance of decentralized identifiers in enterprise environments.
DIDComm Working GroupThe DIDComm Working Group advanced work on binary encoding support through the CBOR implementation, positioning it as an optional feature for version 2.2 with potential to become the default in future major releases. The team addressed important technical challenges around message encoding detection, MIME type handling, and implementation compatibility. Significant discussions covered privacy considerations and "phone home" concerns in credential verification systems, with the group exploring how verifiable credentials can be presented without requiring direct communication with issuers. The group also examined DIDComm applications in AI agent-to-agent communications.
Claims & Credentials Working GroupThe Credential Schemas team launched their community schemas initiative, creating a framework for organizations to contribute verifiable credential schemas to a shared repository for potential standardization. Significant progress was made on aligning their basic person schema with schema.org standards while maintaining compatibility with existing frameworks like OIDC and UK ID assurance. Key developments included extending postal address schemas for banking KYC requirements, refining terminology around personhood verification credentials, and establishing processes for schema synchronization between repositories. The team also began exploring employment credentials and anti-money laundering certifications as future development priorities.
Hospitality & Travel Working GroupThe newly launched Hospitality & Travel Working Group hit the ground running with substantial progress on the HAT Pro specification. The team developed comprehensive schemas for food preferences, dietary restrictions, and accessibility requirements, utilizing graph-based models to avoid data duplication and improve cross-referencing capabilities. Key developments included the creation of UML models and JSON schemas for complex preference structures, exploration of AI-assisted data input to simplify user experiences, and the establishment of engagement processes for subject matter experts across various travel sectors. The group is preparing for major presentations at industry events and has launched a dedicated website to showcase their work.
DIF Labs Working GroupDIF Labs Beta Cohort 2 projects are now in active development phase, with three selected projects working on cutting-edge privacy-preserving technologies. The projects focus on legally binding verifiable credentials using Qualified Electronic Signatures (QES), comparative analysis of privacy-preserving revocation mechanisms, and anonymous multi-signature verifiable credentials. Each project team is receiving dedicated mentorship from DIF's expert community and is committed to delivering open-source implementations that will advance the broader decentralized identity ecosystem. The program continues to demonstrate the value of focused, mentored development in advancing the state of the art.
🌎 DIF Special Interest Group UpdatesBrowse our special interest groups here
DIF Africa SIGThe Africa SIG featured an impressive deep-dive presentation on Ethiopia's national digital identity system, Faida, and its associated digital credential platform FaidaPass. Representatives from Ethiopia's national ID system provided detailed insights into the architecture, features, and implementation of this groundbreaking system, which serves as one of the first full-scale standards-compliant deployments globally. The presentation highlighted the use of decentralized verification models, biometric authentication capabilities, and self-sovereign identity principles, while addressing innovative solutions for non-smartphone users and future monetization strategies. The session demonstrated Africa's leadership in practical digital identity implementation.
APAC/ASEAN Discussion GroupThe APAC/ASEAN group hosted comprehensive presentations on digital identity solutions in Australia, featuring True Vault's approach to creating a decentralized identity ecosystem. Discussions covered recent regulatory changes including the Digital Identity Act, international standards alignment, and the challenges of achieving interoperability across different jurisdictions. The group explored the evolution from manual to digital identity verification methods and examined the potential for global expansion of digital identity solutions while addressing privacy concerns and user control requirements. The session highlighted Australia's voluntary approach to digital identity and its implications for regional adoption.
DIF Japan SIGThe Japan SIG focused on recent developments in DID and AI agent authentication, with participants sharing updates on their organizations' initiatives and emerging challenges. The group explored the intersection of decentralized identity with AI systems and examined potential applications across various sectors. Key discussions included the unique requirements for AI agent identity management and the challenges of implementing decentralized identity principles in automated systems. The group also considered future meeting formats and potential offline events to enhance community engagement and collaboration.
DIF Hospitality & Travel SIGThe Hospitality & Travel SIG hosted presentations highlighting decentralized identity adoption in the travel industry. Key sessions included discussions with Microsoft on AI-driven cybersecurity solutions for hospitality, analysis of Apple's digital identity announcements and their implications for travel, and exploration of AI agents' potential to revolutionize customer interactions in travel and hospitality. The group examined both opportunities and challenges in implementing decentralized identity solutions across various travel scenarios, from border crossing to personalized service delivery.
📖 DIF User Group Updates DIDComm User GroupThe DIDComm User Group explored practical implementations and emerging applications of the DIDComm protocol, with particular focus on AI agent communications. Key discussions included demonstrations of new systems and their communication protocols, exploration of generative AI communication frameworks and their similarities to DIDComm approaches, and examination of security considerations for AI agent interactions.
📢 Announcements H&T Working Group Launches BlogAs Hospitality & Travel activity increases at DIF, Autoura CEO Alex Bainbridge has launched a special H&T focused blog. We encourage you to visit and subscribe for updates.
🆔 Get involved! Join DIFIf you would like to get in touch with us or become a member of the DIF community, please visit our website or follow our channels:
🐦 Follow us on Twitter/X 💻 Join us on GitHub 📺 Subscribe on YouTube 🔍 Read the DIF blog New Member OrientationsIf you are new to DIF, join us for our upcoming new member orientations. Find more information on DIF's Slack or contact us at community@identity.foundation if you need more information.
ends August 9th
The LegalXML – Electronic Court Filing pleased to announce that ECF V5.01 Errata 01 is now available for public review and comment. The public review is now open and ends August 9, 2025 at 23:59 UTC.
Electronic Court Filing Version 5.01 Errata 01
Committee Specification Draft 01
21 June 2025
https://docs.oasis-open.org/legalxml-courtfiling/ecf/v5.01/errata01/ecf-v5.01-errata01-csd01.docx
https://docs.oasis-open.org/legalxml-courtfiling/ecf/v5.01/errata01/ecf-v5.01-errata01-csd01.html
https://docs.oasis-open.org/legalxml-courtfiling/ecf/v5.01/errata01/ecf-v5.01-errata01-csd01.pdf
How to Provide Feedback
OASIS and the LegalXML – Electronic Court Filing value your feedback. We solicit input from developers, users and others, whether OASIS members or not, for the sake of improving the interoperability and quality of its technical work.
Comments may be submitted to the project by any person through the use of the project’s Comment Facility. TC members should send in comments via the TC mailing list. All others should submit to the comment mailing list after following instructions listed here.
All comments submitted to OASIS are subject to the OASIS Feedback License, which ensures that the feedback you provide carries the same obligations as the obligations of the TC members. In connection with this public review, we call your attention to the OASIS IPR Policy [1] applicable especially [2] to the work of this technical committee. All members of the TC should be familiar with this document, which may create obligations regarding the disclosure and availability of a member’s patent, copyright, trademark and license rights that read on an approved OASIS specification.
OASIS invites any persons who know of any such claims to disclose these if they may be essential to the implementation of the above specification, so that notice of them may be posted to the notice page for this TC’s work.
Additional information about the specification and the LegalXML – Electronic Court Filing TC can be found at the TC public home page here.
Additional references:
[1] https://www.oasis-open.org/policies-guidelines/ipr/
[2] http://www.oasis-open.org/committees/legalxml-courtfiling/ipr.php
Intellectual Property Rights (IPR) Policy
RF on Limited Terms Mode
The post LegalXML – Electronic Court Filing V5.01 Errata Public Review appeared first on OASIS Open.
Gail Hodges, Executive Director OpenID Foundation
Today the OIDF is proud to announce that the OpenID for Verifiable Credential Issuance (OpenID4VCI) specification has proven interoperability through the pairwise testing of seven issuers and five wallets providers from around the world.
The clear evidence of interoperability is a meaningful and timely result as this specification moves through a 60 day public review period. At the end of this period, the OpenID Foundation membership will cast their votes to elect this specification as a “Final” specification in line with the OpenID Foundation Process Document.
OpenID4VCI Interoperability ObjectivesThis OpenID4VCI interoperability project had five objectives:
Prove out the OpenID4VCI specification before the vote to name it a Final specification Provide interoperability results and implementer feedback to the Digital Credentials Protocols WG To provide results on interoperability to standards body partners (e.g. ISO/IEC , W3C, and ETSI) Brief government partners on progress in the standards they have selected to support their ecosystems and projects (e.g. European Commission EUDI Wallet project, NIST NCCoE mDL project, and the Japan Digital Agency pilot project) Provide accurate, proven, open source tests to the global community of issuers, wallets, and vendors for them to prove out their own implementations that use these specifications.To prove out the technical interoperability objectives, the specifications tested included:
OpenID for Verifiable Credential Issuance v16 The OpenID Foundation’s OpenID for Verifiable Credentials High Assurance Interoperability Profile Implementer’s Draft 2.0 ISO/IEC IS 18013-5:2021 Mobile Driving License (mDL) and “mdoc” specification ISO/IEC TS 18013-7:2024 IETF’s SD-JWT draft 17 Pairwise TestingThe invitation to participate in the Interop event was made available to contributors to the DCP WG, those that have signed a DCP WG Contribution Agreement, to ensure any interoperability feedback could be used to inform the OpenID4VCI specs and tests.
The pairwise interop demonstration was conducted July 16, as the third in a series of interop events from May to July to mature implementations in line with the specifications. In the third OpenID4VCI interop event on July 16th, the participants took part in a 90 minute, remote interop meeting followed by an 8 day window to remediate any bugs asynchronously. During this time, out of the 59 possible issuer/ wallet pairs that could be tested, 47 pairwise tests were conducted. Of those 47 pairs:
87% passed successfully 11% failed with resolvable issues 2% failed without an immediately obvious issue.Overall, the implementers and the DCP WG determined that these results did not include any material concerns with the OpenID4VCI v16 of the specification, or the OIDF open source tests on OpenID4VCI. For noting, the results were consistent across a range of scenarios supported by the specification, with implementers demonstrating one or multiple configurations of OpenID4VCI:
OpenID4VCI with SD-JWT, Custom URI initiated and client authentication using wallet attestation-based client authentication with x5c header (designated as “HAIP mode”) OpenID4VCI with SD-JWT, Custom URI initiated and client authentication using client assertion with private_key_jwt OpenID4VCI with SD-JWT, Custom URI initiated, no client authentication OpenID4VCI with mdoc, Custom URI initiated, no client authentication Global Expert ParticipantsLeading implementers from around the world included (7 Issuers and 5 wallets). They included:
Bundesdruckerei GmbH Fikua MATTR Open Wallet Foundation (Android “Multipaz”) Lissi GmbH Meeco MyMahi Wallet OpenID Foundation (open source tests)A big thanks to all of our interop participation teams!
Why This Demonstration MatteredOver the past 18 months, digital credentials have moved from promising prototypes to production pilots in finance, healthcare, transportation, and government services. In the California DMV and OIDF hackathons in October and November 2024, we saw a wide range of use cases demonstrated, and in Europe, we have seen 11 key use cases progressed as part of the European Digital Identity Wallet’s Large Scale Pilots. Earlier this year we conducted a May 5th Interop event for OpenID for Verifiable Presentation, with pairwise and multi-wallet tests conducted in partnership with the NIST NCCoE Mobile Driver’s License (mDL) project. In other recent declarations, the UK.Gov, the Swiss Confederation, and Japan Digital Agency selection the OpenID for Verifiable Credentials in their digital identity projects. Other jurisdictions are poised to follow suit and adopt a similar reference architecture centered on the use of OpenID4VP and OpenID4VCI. This interop event on OpenID4VCI served as the vital pressing testing of interoperability enabled by the specifications. By meeting the specification and interoperability targets, the specs are on track to scale in line with the European Digital Identity Wallet and other jurisdictions in the months ahead. To get to this point, there were three key components:
Liaisons and Partnerships: The Foundation has long-term liaisons and partnerships with peer standards bodies such as W3C, ISO, IETF, and ETSI. These liaisons and ongoing technical conversations have underpinned the development of interoperable standards demonstrated on July 16th, alongside the large number of leading-edge implementers ready to prove out the specifications together. The results of this interoperability event will be shared via a liaison statement with ISO/IEC 18013-7 WG10 to inform this Work Group’s due diligence on online presentation specifications, and W3C’s work on the Digital Credentials API and ETSIs work on TS 119 472TS 119 472 which relate to the EUDIW. Conformance Testing: OIDF developed open-source tests aligned to the specifications for use before and during the interop event. The implementers could prove their implementations against the tests before testing against their peers and provide critical feedback on the tests for the benefit of future implementers. Once the specs and open-source tests are finalized, implementers will be able to self-certify their implementations. Self-certification and other conformance requirements are often vital components of ecosystem governance to ensure all participants in an ecosystem have met the same high bar for security and interoperability. Remote Interop for Global Participation: Finally, this event was hosted in a remote format, with implementers located in several European countries, New Zealand, San Francisco, and beyond. Even for some implementers not taking part in the live interop event, teams were able to connect across time zones over the following week to triage issues and close gaps. Implementer FeedbackThe feedback from the implementers on the benefits of the July 16th interop is positive and encouraging that we are at an inflection point:
Oliver Terbu from MATTR stated:
“We’re proud to have contributed to OpenID4VCI Interop #3 and see the protocol maturing towards real-world deployments. OpenID4VCI’s focus on simplicity and interoperability across diverse ecosystems makes it a cornerstone for scalable and interoperable digital credential issuance.”
Stefan Charsley of MyMahi stated:
“MyMahi worked with a variety of issuer teams to test interoperability for the MyMahi Wallet, demonstrating OpenID’s OpenID4VCI standardization efforts have been applied practically to achieve interoperability at both regional and global levels. We look forward to working with more teams utilizing OpenID standards.”
Jan Vereecken, of Meeco said:
“For Meeco, the interop was a valuable opportunity to test our implementation alongside other participants. It validated the work we’ve done to stay aligned with the evolving OpenID4VCI standard and reinforced our commitment to advancing secure and interoperable digital credential infrastructure. I think events like this are essential to move the whole ecosystem forward. We’re proud to be contributing to that momentum as the DCP WG is finalising the 1.0 version of this specification and practical implementor feedback is crucial to the whole process.”
Micha Kraus of Bundesdruckerei GmbH, a German federal technology company, that prints German passports, identity cards and credentials and protects identities and data with solutions “made in Germany, stated:
“This Interop event was an important step toward standardized, harmonized solutions in the ID Wallet domain. As active promoters of standardization, we are proud of the progress in collaboration with our international partners. Our goal is to shape secure, privacy- and user-friendly solutions that users will be happy to adopt in the future. The experience we have gained at the Bundesdruckerei in this project is widening our broad expertise in this field and can be applied to the implementation of the German national EUDIW.”
Oriol Canadés from Fikua stated:
Voices from the DCP WG and Foundation Leadership“Participating in the OpenID4VCI Interop #2 and #3 was a valuable milestone for Fikua. It allowed us to validate our Issuer implementations across diverse client authentication mechanisms and credential formats. This kind of hands-on collaboration is key to maturing the standard and ensuring real-world readiness. We’re proud to contribute to an ecosystem that prioritizes interoperability, security, and user-centric design.”
Torsten Lodderstedt, the specification editor and co-chair of the Digital Credentials Protocol Working Group, expressed gratitude for the live feedback from implementers:
“Validating these features in real-world scenarios is crucial as we head toward final publication,” he said, inviting new contributors to help the working group evolve the specification beyond its first edition.
Gail Hodges, Executive Director of the OpenID Foundation said:
Next Steps Toward Global Adoption“This interop event proved that verifiable credential issuance using OpenID for Verifiable Credential Issuance works across platforms, across devices, and for different credential types. The participants, WG members and cochairs are confident that the underlying specification and test suite are on a solid trajectory to achieve recognition as a Final specification and to support implementers in the months ahead. The timing could not be better as over 30 jurisdictions have selected and are deploying OpenID4VCI to support their digital identity credential issuance to digital identity wallets.”
The OpenID4VP specifications are on track for final publication mid September 2025, and are currently in the 60 day public review period until August 28, 2025, with the voting to be held August 29th to Friday, September 12, 2025.
OpenID Foundation’s open source tests are already available for free and open use on OIDF servers or on an implementer’s own server:
How to run conformance tests for OpenID for Verifiable Presentations How to run conformance tests for OpenID for Verifiable Credential IssuanceIn the weeks ahead, the OpenID4VCI tests will have mdoc credential types added, and other negative and positive tests will be added for completeness. They currently cover the core components required for interoperability and security such as OpenID4VP and OpenID4VCI with DC API, HAIP, for SD-JWT and mdoc, and a range of DCQL queries. By the end of September, the OpenID Foundation intends to open up self-certification for OpenID4VP and OpenID4VCI. Similar to OpenID Connect and FAPI 1.0 and FAPI 2.0, implementers will have the option (but not the obligation) to submit the results of their implementations against the test suite, and the OIDF will review those results and publish them online for a modest fee. The OpenID foundation is also working closely with ecosystem partners to ensure their certification and conformance programs benefit from the OIDF tests and, as appropriate, partner on development and delivery of their ecosystem’s conformance program.
In parallel, collaboration with OIDF’s peer standards bodies will continue, such as with W3C, ISO/IEC, ETSI, FIDO, EMVCo and others. In addition, support for key projects will also continue as the NIST NCCoE Mobile Driving License (mDL) project transitions from “opening a bank account” to the government services use cases, and transit in Japan moves through the pilot process.
“This OpenID4VCI interoperability demonstration is a pivotal milestone in a long journey to finalize these critical wallet specifications,” Gail concluded. “Thank you to every implementer, observer and standards body partner for this interop project a success. Together, we are building a truly global digital identity ecosystem, one that empowers users, protects privacy and delivers real-world value.”
About the OpenID FoundationThe OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, FAPI has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling ‘networks of networks’ to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.
The post OpenID Foundation demonstrates real-world interoperability of new Digital Identity Issuance Standards first appeared on OpenID Foundation.
Jay White of Microsoft and Pablo Breuer Secure Additional Terms, Reinforcing Continuity and Strategic Momentum at OASIS
Boston, MA, 24 July 2025 – OASIS Open, the international standards and open source consortium, announced the results of its 2025 Board of Directors Elections. Three newly elected members and two re-elected members joined the Board in providing strategic governance and leadership to advance OASIS’s mission of solving global challenges through open development and collaboration.
OASIS is pleased to welcome new board directors Jason Clinton of Anthropic, Charles Frick of Johns Hopkins Applied Physics Laboratory (APL), and Sarah Liang of EY. OASIS also congratulates Jay White of Microsoft and Pablo Breuer on their re-election to additional terms. The continuing members of the Board are Jim Cabral, Gershon Janssen, Bret Jordan, Vasileios Mavroeidis, Daniel Rohrer, and Daniella Taveau.
“I’m delighted to welcome Jason, Charles, and Sarah to the Board, and to congratulate Jay and Pablo on their re-election,” said Gershon Janssen of Reideate, OASIS Board President and Chair. “Their expertise will be instrumental as we continue shaping open standards that address global challenges. I also want to thank our departing directors Jason, Daniel, and Omar for their outstanding service and lasting impact they’ve made on the OASIS community.”
New Board Members
Jason Clinton serves as Chief Information Security Officer (CISO) at Anthropic, where he guides security strategy, including detection and response, compliance, physical security, security engineering, and IT. He brings over a decade of experience in infrastructure security, having previously led efforts in defense against advanced persistent threats and contributed to major operating system and payment platform development. Jason also serves on the Coalition for Secure AI’s (CoSAI) Project Governing Board.
“The rapid advancement of AI makes robust, open standards more crucial than ever,” said Clinton. “Through initiatives like CoSAI, OASIS brings together industry leaders to develop frameworks that protect users while enabling innovation. I’m honored to join the OASIS board and work alongside leaders who share this commitment to responsible AI development.”
Charles Frick, a Chief Scientist in the cyber capabilities development group at Johns Hopkins Applied Physics Laboratory (APL), leads multiple research and pilot efforts focused on cybersecurity automation, machine-speed threat information sharing and operational resilience. He chairs the Indicators of Behavior (IoB) sub-project within the Open Cybersecurity Alliance (OCA), guiding development and adoption of new standards for behavior-based threat intelligence.
“As cybersecurity threats continue to evolve, transparency, interoperability and collaboration are essential,” said Frick. “I’m honored to join the OASIS board and contribute to its vital mission at the intersection of open standards and open source. I look forward to advancing standards that support automation, resilience and trust—especially in areas like behavior-based threat intelligence and cyber-physical system security—so that we can better protect critical infrastructure and global digital ecosystems.”
Sarah Liang is a Partner at EY and serves as the Global Responsible AI Leader, where she drives comprehensive AI governance initiatives throughout the firm and for client solutions worldwide. Her expertise encompasses monitoring the regulatory landscape, aligning with legal and compliance standards, designing AI risk management solutions, and developing responsible AI frameworks that operationalize governance without hindering innovation. Sarah actively participates in key standards organizations, including CoSAI, bringing cross-industry insights and collaborative approaches to standards development.
Liang noted, “I’m honored to join the OASIS Board of Directors. OASIS and the EY organization share a vision of driving the beneficial long-term impact of AI use through transparency, security, trust, and scalability. We have a responsibility to act now and define global standards for AI development and deployment. I look forward to working alongside my fellow board members to help transform businesses through sustainable growth and innovation, while contributing to long-lasting positive change.”
Outgoing Board Members
OASIS expressed sincere appreciation to outgoing Board members Jason Keirstead, Daniel Riedel, and Omar Santos for their valuable service during their tenure as directors. Everyone at OASIS extends our heartfelt thanks for their dedicated leadership and lasting contributions to the organization’s mission. To view the current Board of Directors, please visit our website.
Media inquiries: communications@oasis-open.org
The post Anthropic, EY, and Johns Hopkins APL Executives Elected to OASIS Board to Drive Open Development and Global Collaboration appeared first on OASIS Open.
ISL had the opportunity to present at USENIX Association’s PEPR 2025 conference with a presentation entitled, “Safetypedia: Crowdsourcing Privacy Inspections”. The full video of the presentation can be viewed below:
The post PEPR ’25 – Safetypedia: Crowdsourcing Privacy Inspections appeared first on Internet Safety Labs.
With iOS 26 and macOS Tahoe 26, Apple is solving a key problem, though For the first time, Apple is adding support for true passkey portability. This means you can move your credentials from Apple Passwords to a dedicated password manager like 1Password, Dashlane, or Bitwarden, and even move them back. The system handles the transfer securely and locally, so you don’t have to worry about exporting plaint text CSV files and crossing your fingers that nothing gets exposed.
Passkey portability is built on a new standard from the FIDO Alliance that lets apps exchange credentials in a private and encrypted way. It uses Face ID, Touch ID, or your device passcode to approve the transfer. From the user’s perspective, it just works. And that’s exactly how it should be.
Reddit has implemented mandatory age verification for UK users to comply with the country’s Online Safety Act, which took effect in July 2025. The legislation requires digital platforms to prevent minors from accessing unsafe content, particularly mature or adult material, following Ofcom’s broader push for stricter online age verification across digital platforms.
The platform’s verification system requires UK users to submit either a government-issued ID, such as a passport, or a selfie through Persona, a third-party identity verification company. The approach follows successful implementations by other platforms, including Discord’s recent rollout of facial scan and ID verification in the UK. Persona handles the sensitive data to maintain user privacy, storing uploaded photos or IDs for a maximum of seven days without sharing the information with Reddit.
Reddit retains only the user’s verification status and birthdate, eliminating the need for repeated verification when accessing restricted content. Persona has confirmed it does not access Reddit user data, including subreddit activity. The privacy-focused approach matches emerging standards in digital identity verification, consistent with the principles established by the FIDO Alliance’s certification program for face-based remote identity verification.
Over the past three months, The Engine Room and Puentes have been exploring how to nurture connection, online and beyond the screen, in a world where division often seems to be the norm.
The post DANCES, KEYS, AND GARDENS: NURTURING COLLECTIVE DIGITAL CARE appeared first on The Engine Room.
By now you’ve seen one of these:
Never mind that you’re not running an ad blocker, but merely blocking tracking. Instead, note the small print in the lower right: “VRM by Admiral.”
By “VRM,” Admiral means this:
What we’re looking at here is the $.5 billion Consent Management Platform business, currently dominated worldwide by OneTrust, with a 40% market share. In the US, Admiral is the leading provider to publishers, giving it a high profile there. In Europe, the leaders are OneTrust, Usercentrics, and CookieYes.
So here is a challenge for Admiral , OneTrust, and the rest of them: make VRM mean Vendor Relationship Management (like it says in Wikipedia).
Our case: real relationships are based on mutual trust, which can only happen if personal privacy is fully respected as a starting point. Consent management by cookie notice can’t cut it. For real trust, we need people to bring their own terms to every website’s table, and have agreements to those. This is why we, the ProjectVRM community, through Customer Commons (our nonprofit spinoff) and the IEEE P7012 (aka MyTerms) working group, created the draft standard (on track to become official early next year) for machine-readable personal privacy terms. Three years ago, I called MyTerms The Most Important Standard in Development Today. The CMP business can help make it so, by getting on the Cluetrain.
Here are some opportunities:
CMPs can provide sites & services with easy ways to respond to MyTerms choices brought to the table by visitors. Let’s call this a Terms Matching Engine.The current roster of terms we’re working with at Customer Commons (abbreviated CuCo, hence the cuco.org shortcut) starts with CC-BASE, which is “service provision only.” It says to a website, “just give me your service, and nothing more.” In other words, no tracking. Yet. Negotiation toward additional provisions comes after that. Those can be anything, but they should be in the spirit of We’re starting with personal privacy here, and the visitor sets the terms for that. There is a whole new business (which, like the VPN, grammar-help, and password management businesses, people would pay for) in helping people present, manage, remember, and monitor compliance with their terms, and what additional agreements have been arrived at. This can involve browser add-ons such as the one pictured on the ProjectVRM r-button page. CMP companies can make money there too, adding a C2B business to their B2B ones. Go beyond #2 to provide real VRM. Back in the last millennium, Iain Henderson pointed out that B2B relationships tend to have hundreds or thousands of variables over which both parties need to agree. Nitin Badjatia, another CRM veteran (and a Customer Commons board member like Iain and myself), has also pointed out that companies like Oracle have long provided AI-assisted ways for B2B relationships to arrive at contractual agreements. The same can work for C2B, once the base privacy agreement is established. There can be a business here that expands on what gets started with that first agreement. Verticals. There can be strong value-adds for regulated industries or companies wanting to acquire and signal accountability, or look for firmer ways to establish a privacy regime better than the called consent, which doesn’t work (except as thin ass-covering for companies fearing the GDPR and the CCPA). For example: banks, insurers, publishers, health care providers. For people (not just corporate clients), CMPs could offer browser plugins or apps (mobile and/or computer) that help people choose and present their privacy terms, track who honors them, notify them of violations, and have r-buttons mean something. Or multiple things.Here is what a VRM-friendly person in the UK came up with as a prototypical first by a CMP away from cookie notices:
That was after this post went up. (Which is great.)
Obviously, we want cookie notices (and other forms of friction) to go away, but we also want CMPs to have a nice way to participate in a customer-led world in which intention-based economies can grow.
And here is an example of r-buttons in a browser:
Real relationships, including records of agreements, can be unpacked when a person (not a mere “user”) clicks on either the ⊂ or the ⊃ symbols. There are golden opportunities here for both VRM and CRM vendors. And, of course, companies such as Admiral and OneTrust working both sides—and being truly trusted.
Give us more. (Like that cookie notice above.)
The OpenID Foundation has launched a new Ecosystems Support Community Group (ESCG) to help public and private sector ecosystem leaders understand the key architectures, decisions, and best practices at the forefront of open banking/open data and digital identity adoption globally.
ContextThe ESCG arrives at a critical time when 90+ jurisdictions are pursuing open banking/open finance/open data, and 60+ are pursuing digital identity, as per the Cambridge Judge School of Business (2024). The ESCG provides a safe space for architects and other ecosystem leaders to convene with other experts. The trusted relationships in this ESCG can not only help inform local decision processes before launch, but also inform ongoing maintenance, roadmap development, and monitor security issues.
Similar to OIDF’s other community groups (CGs), the ESCG will not develop specifications. Instead, its purpose is to support ecosystem decision-makers as they build and maintain their ecosystems, providing world class, independent, and opinionated views on how to combine, profile, and implement these to realize the benefits of the specifications.
Building on the OpenID Foundation’s proven track recordThe OIDF already plays a central role supporting and connecting ecosystem experts in three key ways:
Convening experts in our Working Groups (WGs), such as FAPI WG, the Digital Credentials Protocols WG, A/B Connect WG, and others. Supporting ecosystems and individual implementers with certification to OIDF specifications (over 4k implementers self-certified to date). Providing safe spaces for experts to engage, including the Death and Digital Estate Community Group, Australian Digital Trust Community Group and OIDF workshops and conferences.This ESCG will play an essential and pragmatic role, providing expertise that cuts across other OIDF WGs/CGs, as well as specifications from peer standards bodies.
Six core guiding principlesThis new ESCG will operate under the following six organising principles:
Sharing: provide a safe community environment for ecosystem governing bodies to share experiences and learnings, and to ask questions. Privacy: Promote the enhancement of user privacy and control by using explicit consent mechanisms, accompanied by best practices for informed consent. Security: identify and promote best current security practices for all ecosystem participants. Interoperability: the ESCG must promote the benefits and mechanisms for interoperability across ecosystems irrespective of use case, industry sector or jurisdiction. Recognition: the ESCG will recognise that each ecosystem will need to make its own pragmatic decisions to support its own route towards interoperability over time. Cost reduction: Promote a lower cost of adoption and change for ecosystem participants (e.g., data recipients, data providers, ecosystem governing bodies, etc.). The global push for digital wallets and open dataGiven the emergence of digital wallet based ecosystems and the global push towards Digital Public Infrastructure, we anticipate that nearly all jurisdictions will push for open data and digital identity deployments in the years ahead. From the 26 ecosystems that the OIDF supports today, we know that most of the decisions each implementer needs to make are very similar.
While local laws, requirements, and cultures may lead to differences in configuration, the majority of decisions are harmonized across jurisdictions. Furthermore, new ecosystems benefit from the lessons learned from prior implementations and dramatically reduce time-to-market.
Preventing fragmentation of ecosystem standardsAs public and private sector ecosystems develop their policies and architectures, they must evaluate technical options, make key governance decisions, and maintain clear communication with implementers.
The OpenID Foundation is aware of native ecosystem divergences, which, if left unsatisfied, will lead to amplified challenges for security and interoperability across borders and use cases. This will become increasingly difficult to solve as the global market continues to develop at an accelerating pace, with each jurisdiction at risk of becoming an ‘island’ that cannot interoperate with others.
Resolving the resultant global fragmentation would introduce an expensive cost of change for each implementer within a given ecosystem.
Join the initiativeThe OpenID Foundation’s new Ecosystems Support Community Group is open to all who wish to join the conversation and contribute to the discussion.
What we will do:
Capture existing and emerging ecosystem configurations and develop an Ecosystems Tracker. Evaluate key differences between ecosystem configurations and specifications. Assess how to combine different specifications. Capture and communicate ecosystems’ requirements to other WGs, OIDF’s conformance test team and OIDF, in general.The new ESCG will also develop, or initiate the development of, best practices and reference architectures to support different types of ecosystems, assisting key decision-making for governance bodies. These guides will provide recommendations for specifications, associated design of conformance testing, and other aspects of ecosystem development and deployment.
If you are an ecosystem leader grappling with the policy, technical, and operational challenges of enabling open banking/open data, and/or digital identity, we hope you will consider joining the ESCG to share your own experiences with your peers.
About the OpenID FoundationThe OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.
The post OIDF launches Ecosystems Support Community Group first appeared on OpenID Foundation.
The packaging around your product now matters just as much as the product itself.
For companies navigating Extended Producer Responsibility (EPR) laws, that's quickly becoming the reality. And it’s reshaping how teams think about data, packaging, and compliance.
In this episode, Lindsay Savage, Senior Director of Data Governance and Business Platforms at Georgia-Pacific LLC, joins hosts Reid Jackson and Liz Sertl to demystify what EPR means for manufacturers and retailers.
With legislation ramping up across states, Lindsay explains how brands are preparing for complex reporting requirements, coordinating across departments, and turning sustainability regulations into opportunities for smarter product innovation.
In this episode, you’ll learn:
Why EPR is more than a packaging issue and why it matters now
How Georgia-Pacific is building scalable systems to manage regulatory data
Tips for companies just getting started, from legal teams to logistics
Jump into the conversation:
(00:00) Introducing Next Level Supply Chain
(02:21) Lindsay Savage’s background
(03:16) What EPR means for your business
(04:50) Every state has its own rules
(06:15) Data overload and the push for standards
(07:36) Breaking down product, packaging, and pallet
(09:27) Two ways to report EPR data
(11:20) How to get started with EPR compliance
(12:40) Building cross-functional teams for success
(17:55) Embracing AI tools to stay ahead
Connect with GS1 US:
Our website - www.gs1us.org
Connect with the guest:
Lindsay Savage on LinkedIn Check out Georgia-Pacific
Microsoft Copilot is becoming the interface for how users work with AI across the Microsoft ecosystem. But what happens when you enhance Copilot with the ability to understand and remember structured, verifiable knowledge?
With the integration of the OriginTrail Decentralized Knowledge Graph (DKG) and the Model Context Protocol (MCP), you can build AI agents that reason over live data, contribute to shared memory, and deliver trusted outputs backed by cryptographic proofs.
By extending Microsoft’s AI infrastructure with OriginTrail, you equip Copilot agents with powerful capabilities for knowledge discovery, memory, and collaboration.
What is MCP?The Model Context Protocol (MCP) is an open standard that defines how language models access and utilize tools and external data sources.
MCP uses a client-server architecture where:
MCP Servers expose tools and data, both local and remote, MCP Clients, such as agents built in Microsoft Copilot Studio, call these tools using a standard protocol.This architecture makes it easy to build AI systems that are modular, composable, and interoperable across different environments.
What role does the DKG play?The OriginTrail DKG provides a decentralized layer for structured, verifiable knowledge that AI agents can query, write to, and collaborate over. When connected to an MCP server equipped with DKG tools, agents are empowered to retrieve and build upon interconnected, verifiable knowledge.
AI agents can:
Retrieve semantically rich knowledge, Generate and publish new Knowledge Assets, Collaborate on a shared, verifiable knowledge base.Each interaction is built with data provenance, version control, and ownership in mind. Knowledge is shared, structured, and trustworthy!
Supercharging Microsoft Copilot with verifiable memory!Through this integration, builders can now connect OriginTrail DKG with custom agents built in Microsoft Copilot Studio.
Here’s what that enables:
The DKG MCP server runs alongside an OriginTrail DKG Node, Custom actions are registered in Microsoft Copilot Studio to access DKG tools, These actions can be triggered by agents within environments like Microsoft Teams.This setup allows Copilot-based agents to access interconnected, verifiable knowledge in real time, and contribute new structured information back into the DKG.
Agents can then:
Ask precise questions over a structured knowledge graph, Write their own memory as reusable Knowledge Assets, Store results, update context, and collaborate with other agents.This integration brings reasoning, verifiability, and memory collaboration directly into Copilot-powered workflows
See it in action!In the live demo, Jurij Škornik, General Manager at Trace Labs, core developers of OriginTrail, walks us through:
Running the DKG MCP server with an OriginTrail Edge Node, Building a custom agent in Microsoft Copilot Studio, Adding custom actions to enable interaction via Microsoft Teams.The result is a working Copilot agent with full access to decentralized, verifiable memory. Check it out!
As AI becomes central to enterprise workflows, adding verifiability and structure to its memory is essential. Combining OriginTrail DKG and MCP means your agents are working with knowledge that is:
Structured using open standards (like RDF and schema.org), Interconnected across multiple data sources, Verifiable thanks to cryptographic anchoring, Portable across applications, agents, and ecosystems, such as Microsoft.This opens the door to new applications in supply chains, research, content management, enterprise collaboration, and more!
Build AI agents with verifiable memory using OriginTrail and Microsoft Copilot! was originally published in OriginTrail on Medium, where people are continuing the conversation by highlighting and responding to this story.
Global Participation Expands as the Coalition Releases Essential AI Guidance
Boston, MA – 17 July 2025 – The Coalition for Secure AI (CoSAI), an OASIS Open Project, celebrates its first anniversary since launching at the Aspen Security Forum in 2024. Over the past year, CoSAI has grown into the industry’s leading collaborative ecosystem for AI security, expanding from its initial founding sponsors to more than 45 partner organizations worldwide. Its mission to enhance trust and security in AI development and deployment has resonated widely, attracting premier sponsors EY, Google, IBM, Microsoft, NVIDIA, Palo Alto Networks, PayPal, Protect AI, Snyk, Trend Micro, and Zscaler. Through multiple workstreams, the coalition has produced practical frameworks and research addressing real-world challenges in securing AI systems. Central to CoSAI’s impact this year are the most recent releases of the “Principles for Secure-by-Design Agentic Systems,” which establishes three core principles for autonomous AI, and the “Preparing Defenders of AI Systems” whitepaper.
Security Principles Help Safeguard Agentic AI Systems
CoSAI’s Technical Steering Committee (TSC) has released the “Principles for Secure-by-Design Agentic Systems,” a foundational document aimed at helping technical practitioners address the unique security challenges posed by autonomous AI.
The principles offer practical guidance on balancing operational agility with robust security controls, establishing that secure agentic systems should be Human-governed and Accountable, architected for meaningful control with clear accountability, constrained by well-defined authority boundaries aligned with risk tolerance, and subject to risk-based controls ensuring alignment with expected business outcomes. They must be Bounded and Resilient, with strict purpose-specific entitlements, robust defensive measures including AI-specific protections, and continuous validation with predictable failure modes. Finally, they should be Transparent and Verifiable, supported by secure AI supply chain controls, comprehensive telemetry of all system activities, and real-time monitoring capabilities for oversight and incident response.
This blog post provides additional context on the principles and how they can be applied in real-world environments.
“As agentic AI systems become more embedded in organizations’ operations, we need frameworks to secure them,” said David LaBianca, Project Governing Board co-chair at CoSAI. “These principles provide a technical foundation for organizations to adopt AI responsibly and securely.”
New Defender Frameworks Help Organizations Operationalize AI SecurityCoSAI has published another landscape paper, “Preparing Defenders of AI Systems,” developed through our workstream on Preparing Defenders for a Changing Cybersecurity Landscape. The paper provides practical, defender-focused guidance on applying AI security frameworks, prioritizing investments, and enhancing protection strategies for AI systems in real-world environments.
A companion blog post offers additional insights on how this evolving resource bridges high-level frameworks with practical implementation and will continue adapting as AI threats and technologies advance.
“This paper provides defenders with specific guidance on how security frameworks must be adapted to mitigate risks in the AI transformation─pinpointing gaps in current approaches and prioritizing critical investments,” said Josiah Hagen of Trend Micro and Vinay Bansal of Cisco, CoSAI’s Workstream 2 Leads. “As security practices are aligned with AI adoption realities, organizations are empowered to make informed decisions and protect their assets while ensuring innovation doesn’t outpace defenders. This exemplifies CoSAI’s commitment to connecting emerging threats to AI systems with practical security solutions.”
These foundational outputs from CoSAI’s first year set the stage for even greater impact ahead.
Looking Ahead: Building a Secure AI FutureAs CoSAI enters its second year, the coalition is positioned to further accelerate AI security innovation through expanded research initiatives, practical tool development, and increased global engagement. With active workstreams producing actionable guidance and a growing community of practitioners, CoSAI continues to drive adoption of secure-by-design AI systems across industries. Its commitment to open source collaboration and standardization remains central to establishing trust in AI technologies. Realizing this vision requires continued collaboration across the AI security community.
Get InvolvedTechnical contributors, researchers, and organizations are invited to join CoSAI’s open source community and help shape the future of secure AI. To learn more about how to get involved, contact join@oasis-open.org.
One year in: What CoSAI members are saying about our impactPremier Sponsors:
EY:General Sponsors:
Adversa AI:The Coalition for Secure AI (CoSAI) is a global, multi-stakeholder initiative dedicated to advancing the security of AI systems. CoSAI brings together experts from industry, government, and academia to develop practical guidance, promote secure-by-design practices, and close critical gaps in AI system defense. Through its workstreams and open collaboration model, CoSAI supports the responsible development and deployment of AI technologies worldwide.
CoSAI operates under OASIS Open, the international standards and open source consortium. www.coalitionforsecureai.org
About OASIS OpenOne of the most respected, nonprofit open source and open standards bodies in the world, OASIS advances the fair, transparent development of open source software and standards through the power of global collaboration and community. OASIS is the home for worldwide standards in AI, emergency management, identity, IoT, cybersecurity, blockchain, privacy, cryptography, cloud computing, urban mobility, and other content technologies. Many OASIS standards go on to be ratified by de jure bodies and referenced in international policies and government procurement. www.oasis-open.org
Media Inquiries:
communications@oasis-open.org
The post Coalition for Secure AI Marks First Anniversary with New Principles for Agentic Systems and Defender Frameworks appeared first on OASIS Open.
Watch the full recording on YouTube.
Status: Verified by PresenterPlease note that ToIP used Google NotebookLM to generate the following content, which the presenter has verified.
Google NotebookLM Podcast
https://trustoverip.org/wp-content/uploads/TOIP-EGWG-2025-07-10_-Kyle-Robinson-Digital-Trust-Ecosystems_-Why-they-dont-make-sense_.wavHere is a detailed briefing document reviewing the main themes and most important ideas or facts from the provided source, generated by Google’s NotebookLM:
ExcerptLearn why Kyle’s practical experience with the Canadian Province of British Columbia’s digital trust initiative has led him to focus on specific, high-impact digital credentials over broad “ecosystems.” Documenting these well fosters trust and enables organic growth and unpredictable efficiencies, naturally building interoperable digital trust networks.
Briefing Document: A Smarter Approach to Digital Credentials and EcosystemsDate: July 10, 2025
Sources:
“Digital Credentials Presentation” (Presentation Excerpts) “GMT20250710-145520_Recording.cc.vtt.txt” (Meeting Transcript – VTT) “GMT20250710-145520_Recording.m4a” (Meeting Audio – M4A) “GMT20250710-145520_Recording.transcript.vtt.txt” (Meeting Transcript – VTT) “GMT20250710-145520_RecordingnewChat.txt” (Meeting Chat Log) Executive SummaryThe prevailing approach of focusing on broad “ecosystems” for digital credential development is inefficient and limits opportunities. Instead, a more effective strategy involves starting with specific, high-impact credentials, rigorously documenting them in a trusted and public manner, and then allowing organic growth and adoption to naturally form interoperable networks. The Province of British Columbia (BC) is a leading example of this approach, leveraging foundational identity credentials and promoting their open use, which has led to unpredicted and valuable use cases and significant administrative efficiencies. The discussions highlight the “fractal” nature of ecosystems and the critical role of strong governance and transparency in building trust in digital credentials.
Key Themes and Most Important Ideas/Facts 1. The Flaws of an Ecosystem-First Approach Too Many Credentials to Tackle: Attempting to develop digital credentials for an entire industry or “ecosystem” simultaneously (e.g., healthcare or finance) is “a massive undertaking, resource-intensive, hard to coordinate, and risks spreading us too thin, leading to weak, untrusted credentials.” (Digital Credentials Presentation). As Kyle Robinson notes, “there’s just too many different types of credentials and different authorities for those credentials to really get a good handle on.” (Meeting Transcript). Constrains Opportunities: Pre-planning an entire ecosystem creates a rigid scope, preventing the discovery of “unexpected opportunities that could arise organically.” (Digital Credentials Presentation). Eric Drury echoes this, stating that “building a use case for an ecosystem is much more complicated than building a use case for a single credential.” (Meeting Transcript). 2. Recommendation: Start with Specific, High-Impact Credentials Build Trust and Quality: The core recommendation is to “focus on a few high-impact credentials, like a digital CPA certification. By putting all our effort into making them robust and trustworthy, we create a gold standard that people rely on. Trust drives adoption.” (Digital Credentials Presentation). Foundational Credentials as Catalysts: BC’s strategy focuses on “foundational credentials,” such as “identity of a person, identity of a business.” These are “foundational credentials which… kind of start right at the core of everything and then other credentials are built on top of those.” (Meeting Transcript). This layering allows for credentials like a “licensed doctor” to build upon a verified personal identity. Open More Doors Through Ripple Effects: Strong, well-executed credentials “create ripple effects.” (Digital Credentials Presentation). BC has observed this with their “lawyer credential,” where “all these what we call verifiers, or relying parties, started popping up, saying, oh, we could use that too, we could use that too, we could use that too.” (Meeting Transcript). This organic growth leads to “unpredicted” opportunities. 3. Credential Documentation: The Foundation of Trust Trusted Location: “Documentation must reside in a secure, reputable platform to ensure credibility.” (Digital Credentials Presentation). The BC Gov’s Digital Trust Toolkit is highlighted as a model for “transparent, trusted documentation that stakeholders can rely on.” (Digital Credentials Presentation). This toolkit serves as a “source of truth of governance documentation for credentials that are in production.” (Meeting Transcript). Active Promotion and Public Visibility: Documentation is insufficient without visibility. It “needs to be public, publicly exposed. So that a verifier can look at that document and have enough information to read it to be able to trust it.” (Meeting Transcript). This active promotion through various channels (webinars, industry forums, social media) “builds awareness and encourage adoption among users and organizations.” (Digital Credentials Presentation). Transparency of Issuance and Revocation: Trust extends beyond the technical aspects of a credential; it requires confidence in the “issuance process that the issuing authority goes through to be able to issue that to the right person, with the right attribute information.” (Meeting Transcript). Furthermore, visibility into “revocation status” is critical. If a ledger were to disappear, the ability to check revocation status would be lost, underscoring the need for robust infrastructure. 4. The Nature of Ecosystems and Organic Growth Fractal Nature of Ecosystems: The discussion introduces the concept of ecosystems as “fractal.” As Carly Huitema explains, “You can zoom in all the way into grains of dirt, and there’s an ecosystem there. And then you can zoom all the way out to the planet scale ecosystem.” (Meeting Transcript). This implies that “person is a microcosm” that can be “observed in other ecosystems,” with “boundaries are always fuzzy.” (Meeting Transcript). Market-Driven Adoption: The “overall drive of all of this is driven by those relying parties and verifiers.” When they “see value in doing something with credentials they will implement it, and they will tell their friends. And that’s sort of how you can see that growth and that adoption happening.” (Meeting Transcript). This organic growth is preferred over top-down, pre-defined ecosystem planning. Savings and Efficiency as Drivers: Digital credentials offer tangible benefits, such as “a ton of administrative time” savings for verifiers. For example, the City of Vancouver is realizing benefits where “nothing needs to be reviewed because the technology’s already trusting the stuff that the province is producing. So they don’t have to, like, have somebody manually reveal a form.” (Meeting Transcript). 5. Trust Beyond BC: Scaling and Interoperability Challenges Establishing “Legitimacy”: A key challenge is distinguishing “legitimate” from “non-legitimate” credentials beyond the issuing authority. BC addresses this by publishing the issuer DID, schema ID, and credential definition ID on the Candy ledger. This allows relying parties to cryptographically verify the origin. Cross-Jurisdictional Interoperability: The question of how this scales beyond BC is raised, particularly when different jurisdictions (e.g., Alberta, Rhode Island, Utah) might make different technical choices for their credentials. This mirrors the non-digital world where regulations define accepted IDs. Role of Trust Registries and Standards Bodies: The idea of “trust registries” is introduced as a potential solution for looking up legitimate issuers and their governance frameworks across jurisdictions. This could be driven by “standards bodies,” which could publish “trust registries published on their websites, or in some type of technology to say, hey, this standards body here, these are all of the organizations that we have audited and are following.” (Meeting Transcript). Government’s Evolving Role: While government’s primary role remains issuing foundational IDs and enforcing laws, its new role in “building and supplying software to citizens” (e.g., the BC Wallet app) is seen as a way to “help adoption.” (Meeting Transcript). The future may see OS manufacturers playing a larger role in built-in wallets. ConclusionThe discussion reinforces that while the concept of a broad “ecosystem” might be a useful descriptive tool, the practical and successful implementation of digital credentials should pivot towards a credential-first approach. By focusing on building trust and quality in individual, high-impact credentials, making their governance transparent and public, and fostering organic adoption through demonstrated value, digital trust networks can emerge and grow naturally, leading to widespread benefits. The BC government’s experience serves as a compelling case study for this evolving strategy.
For more details, including the slides, meeting recording and transcript, please see our wiki 2025-07-10 Kyle Robinson & Digital Trust Ecosystems. Why they don’t make sense.
https://www.linkedin.com/in/kylegrobinson/The post TOIP EGWG 2025-07-10: Kyle Robinson, Digital Trust Ecosystems. Why they don’t make sense. appeared first on Trust Over IP.
For the good of both.
Customers need privacy, respect, and the ability to provide good and helpful information to the companies they deal with. The good clues customers bring can include far more than what companies get today from their CRM systems and from surveillance of customer activities. For example, market intelligence that flows both ways can happen on a massive scale.
But only if customers set the terms.
Now they can, using a new standard from the IEEE called P7012, aka MyTerms. It governs machine readability of personal privacy terms. These are terms that customers proffer as first parties, and companies agree to as second parties. Lots of business can be built on top of those terms, which at the ground level start with service provision without surveillance or unwanted data sharing by the company with other parties. New agreements can be made on top of that, but MyTerms are where genuine and trusting (rather than today’s coerced and one-sided) relationships can be built.
When companies are open to MyTerms agreements, they don’t need cookie notices. Nor do they need 10,000-word terms and conditions or privacy policies because they’ll have contractual agreements with customers that work for both sides.
On top of that foundation, real relationships can be built by VRM systems on the customers’ side and CRM systems on the corporate side. Both can also use AI agents: personal AI for customers and corporate AI for companies. Massive businesses can grow to supply tools and services on both sides of those new relationships. These are businesses that can only grow atop agreements that customers bring to the table, and at scale across all the companies they engage.
This is the kind of thing that four guys (me included)† had in mind when they posted The Cluetrain Manifesto* on the Web in April 1999. A book version of the manifesto came out in early 2000 and became a business bestseller that still sells in nine languages. Above the manifesto’s 95 theses is this master clue**, written by Christopher Locke:
MyTerms is the only way we (who are not seats or eyeballs or end users or consumers) finally have reach that exceeds corporate grasp, so companies can finally deal with the kind of personal agency that the Internet promised in the first place.
The MyTerms standard requires that a roster of possible agreements be posted at a disinterested nonprofit. The individual chooses one, the company agrees to it (or not). Both sides keep an identical record of the agreement.
The first roster will be at Customer Commons, which is ProjectVRM’s 501(c)3 nonprofit spinoff. It was created to do for personal privacy terms what Creative Commons does for personal copyright licenses. (It was Customer Commons, aka CuCo, that the IEEE approached with the idea of creating the MyTerms standard.)
Work on MyTerms started in 2017 and is in the final stages of IEEE approval process. While it is due to be published early next year, what it specifies is simple:
Individuals can choose a term posted at Customer Commons or the equivalent Companies can agree to the individual’s choice or not The decision can be recorded identically by both sides Data about the decision can be recorded by both sides and kept for further reference, auditing, or dispute resolution Both sides can know and display the state of agreement or absence of agreement (for example, the state of a relationship, should one come to exist)MyTerms not a technical spec, so implementations are open to whatever. Development on any of those can start now. So can work in any of the six areas listed above.
The biggest thing MyTerms does for customers—and people just using free services—is getting rid of cookie notices, which are massively annoying and not worth the pixels they are printed on. If a company really does care about personal privacy, it’ll respect personal privacy requirements. This is how things work in the natural world, where tracking people like marked animals has been morally wrong for millennia. In the digital world, however, agreements need to be explicit, so programming and services can be based on them. MyTerms does that.
For business, MyTerms has lots of advantages:
Reduced or eliminated compliance risk Competitive differentiation Lower customer churn Grounds for real rather than coerced relationships (CRM+VRM) Grounds for better signaling (clues!) going in both directions Reduced or eliminated guesswork about what customers want, how they use products and services, and how both might be improvedLawyers get a new market for services on both the buy and sell sides of the marketplace. Companies in the CMP (consent management platform) business (e.g. Admiral and OneTrust) have something new and better to sell.
Lawmakers and Regulators can start looking at the Net and the Web as places where freedom of contract prevails, and contracts of adhesion (such as what you “agree” to with cookie notices) are obsolesced.
Developers can have a field day (or decade). Look for these categories to emerge
Agreement Management Platforms – Migrate from today’s much-hated consent management platforms (hello OneTrust, Admiral, and the rest). Vendor Relationship Management (VRM) Tools and services – Fill the vacuum that’s been there since the Web got real in 1995. Customer Relationship Management (CRM) – Make its middle name finally mean something. Customer Data Return (CDR) – Give, sell back, or share with customers the data you’ve been gathering without their permission since forever. Talking here to car companies, TV makers, app makers, and every other technology product with spyware onboard for reporting personal activity to parties unknown. Platform Relief – Free customers from the walled gardens of Apple, Microsoft, Amazon, and every other maker of hardware and software that currently bears the full burden of providing personal privacy to customers and users. Those companies can also embrace and help implement MyTerms for both sides of the marketplace. Personal AI (pAI)– Till and plant a vast new greenfield for countless companies, old and new. This includes Apple (which can make Apple Intelligence truly “AI for the rest of us” rather than Siri in AI drag), Mozilla (with its Business Accelerator for personal AI) , Kwaai (for open source personal AI), and everyone else who wants to jump on the train. Big meshes of agents, such as what these developers are all working on.In the marketplace, we can start to see all these things:
Predictions made by The Intention Economy: When Customers Take Charge finally come true. New dances between customers and companies, demand and supply. (“The Dance” is a closing chapter of The Intention Economy.) New commercial ecosystems can grow around a richer flow of clues in both directions, based on shared interest and trust between demand and supply. Surveillance capitalism will be obsolesced — and replaced by an economy aligned with personal agency and respect from customers’ corporate partners. A new distributed P2P fabric of personally secure and shared data processing and storage — See what KwaaiNet + Verida, for example, might do together.All aboard!
†Speaking for myself in this post. I invite the other two surviving co-authors to weigh in if they like.
*At this writing, the Cluetrain website, along with many others at its host, is offline while being cured of an infection. To be clear, however, it will be back on the Web. Meanwhile, I’m linking to a snapshot of the site in the Internet Archive—a service for which the world should be massively grateful.
**The thesis that did the most to popularize Cluetrain was “Markets are conversations,” which was at the top of Cluetrain’s ninety-five theses. Imagining that this thesis was just for them, marketers everywhere saw marketing, rather than markets, as “conversations.” Besides misunderstanding what Cluetrain meant by conversation (that customers and companies should both have equal and reciprocal agency, and engage in human ways), marketing gave us “conversational” versions of itself that were mostly annoying. And now (thank you, marketing), every damn topic is now also a fucking “conversation”—the “climate conversation,” the “gender conversation,” the “conversation about data ownership.” I suspect that making “conversation” a synonym for “topic” was also a step toward making every piece of propaganda into a “narrative.” But I digress. Stop reading here and scroll back to read the case for MyTerms. And please, hope that it also doesn’t become woefully misunderstood.
Abstract
As the automotive industry transitions toward software-defined vehicles, autonomous technologies, and connected services, cybersecurity has become a critical concern. This white paper from the FIDO Alliance outlines key challenges and emerging solutions for securing next-generation vehicles. It examines global regulatory frameworks such as UN R155, UN R156, and ISO/SAE 21434 and presents the FIDO Alliance’s standards for passwordless authentication, secure device onboarding, and biometric certification.
Audience
This paper addresses the automotive industry. The audience includes automotive system engineers, automotive IVI product and development managers, automotive networking and in-vehicle cyber security engineers, product managers for in-vehicle services for applications such as purchasing, IT system cyber security managers, engineers seeking to support global regulatory frameworks such as UN R155/R156 and ISO/SAE 21434, manufacturing system engineers, and car-to-cloud connectivity engineers.
Download the White Paper 1. IntroductionThe automotive industry is undergoing transformative changes, including the shift to software-defined and autonomous vehicles, advanced IT-like architectures, over-the-air (OTA) updates, and the rise of in-vehicle commerce. While these changes offer new revenue opportunities, they also bring significant cybersecurity threats.
Global cybersecurity legislation, such as UN Regulation 155, UN Regulation 156, and ISO/SAE 21434, aim to protect vehicles from emerging threats. The FIDO Alliance plays a crucial role by providing standards for secure authentication, device onboarding, and biometrics certification.
Utilizing standards helps automotive companies ensure consistent security, leverage collective expertise, and avoid proprietary solutions that have the potential to stymie new markets and revenue. FIDO standards apply to various automotive applications, including consumer services, in-vehicle solutions, workforce authentication, and manufacturing, ensuring robust cybersecurity across the industry.
This paper provides companies within the automotive ecosystem an insight into the standards and services the FIDO Alliance offers together with a review of current and future use cases.
The FIDO Alliance is seeking feedback and partnership with industry experts to help ensure that FIDO’s programs are fit for purpose and successfully help companies meet cybersecurity needs, improve driver experiences, and tap into new opportunities.
2. Evolution of the automotive industryThe automotive industry has 140 years of history and is currently going through changes that affect all aspects of the industry:
Electrification and sustainability Software-defined vehicles and connectivity Autonomous and assisted driving Shifting business models: Mobility-as-a-Service (MaaS) and direct sales Supply chain disruptions and geopolitical risks New revenue streams: data monetization and services Rollout of EV charging infrastructure and its energy grid impacts Changing consumer expectations and digital experiencesThese changes bring potential upside to manufacturers in terms of new revenue opportunities and improved vehicles, but they also introduce considerable cyber threats.
Vehicles have evolved from isolated mechanical systems into interconnected cyber-physical platforms (often created by various entities) that integrate complex software, hardware, and communication networks. Manufacturers implement these systems to provide end users with a better vehicle and an enhanced driving experience, but they also bring an increased risk of cyber threats associated with new “attack surfaces”. These potential threats come in many forms, from malicious hackers to state funded actors. To minimize these threats, it is now a fundamental priority for manufacturers, their suppliers, regulators, and other industry stakeholders to focus on cybersecurity.
3. Meet the challenges and seize the opportunityAutomotive cybersecurity professionals have a massive challenge in front of them. On one side they need to react to the rise in threats and account for the associated legislation that has been developed to protect consumers. On the other side they need to be open to supporting new business models such as in-vehicle commerce, value added vehicle features such as subscription services, as well as additional cybersecurity for factories and offices. While there is no one simple solution to meet all of these needs, utilizing standards and certification programs from organizations such as the FIDO Alliance can help greatly.
4. Automotive cybersecurity and global legislationNational governments and international organizations have enacted regulations that require stringent cybersecurity measures throughout the automotive lifecycle, including design, operation, and even end-of-life. These frameworks aim to shield vehicles from emerging threats and establish a baseline for safety and trust across the automotive ecosystem. Major worldwide examples include:
United Nations Regulation 155 and United Nations Regulation 156: mandate that vehicles incorporate a Cybersecurity Management System (CSMS) and a Software Update Management System (SUMS) ISO/SAE 21434: provides the foundation for global automotive cybersecurity engineering, outlining processes for managing cyber risks throughout the entire vehicle lifecycle China’s GB 44495-2024 and GB 44496-2024: regulate the Cyber Security Management System (CSMS) and govern secure software updates in a granular fashion India’s AIS 189 and AIS 190: align with UN R155 and R156, to regulate the cybersecurity of connected vehicles United States: Publication of cybersecurity best practices by the National Highway Traffic Safety Administration (NHTSA) that emphasize secure vehicle development processes, incident response plans, and continuous risk monitoringRefer to Appendix A to learn more about these standards.
5. The FIDO Alliance and FIDO standardsThe FIDO Alliance is an open industry association with a focused mission: reduce the world’s reliance on passwords. To accomplish this, the FIDO Alliance promotes the development of, use of, and compliance with standards for user authentication and device onboarding.
The FIDO Alliance:
Develops technical specifications that define an open, scalable, interoperable set of mechanisms to reduce reliance on passwords for authentication of both users and devices. Tracks the evolution of global regulations and evolves its own standards to help industries satisfy those regulations in a harmonized way, reducing their compliance burdens. Operates industry certification programs to ensure successful global adoption of these specifications. Provides education and market adoption programs to promote the global use of FIDO. Submits mature technical specifications to recognized standards development organizations for formal standardization.The FIDO Alliance has over 300 members worldwide, with representation from leaders in IT, silicon, payments, and consumer services and features a Board of Directors that includes representatives from Apple, Visa, Infineon, Microsoft, Dell, Amazon, and Google. The Alliance also has a variety of active working groups where like-minded members can develop and advance technical work areas and coordinate on market-specific requirements.
The FIDO Alliance is planning to launch an automotive working group, where leaders in this sector can identify and collaborate on technical, business, and market requirements. To learn more, use the Contact Us form at https://fidoalliance.org/contact/ or email info@fidoalliance.org.
6. FIDO for automotive cybersecurity complianceMeeting the demands of the primary automotive cybersecurity standard ISO/SAE 21434 and subsequently the most prominent regulation, UN R155, hinges on strong identity management and secure device onboarding. While these standards don’t prescribe FIDO protocols per se, they outline key principles where FIDO offers tangible benefits.
ISO 21434, particularly Clauses 8 and 9 concerning risk assessment and threat mitigation, calls for strategies to prevent unauthorized access. FIDO’s passwordless authentication directly addresses this by eliminating weak credentials and reducing risks from phishing and credential stuffing, common threats to connected vehicle systems. Additionally, Clause 10’s focus on secure software deployment aligns with FIDO Device Onboard (FDO), ensuring only authenticated devices join the ecosystem, mitigating supply chain attacks and unauthorized software injections. This direct mapping of FIDO’s capabilities to specific clauses demonstrates its value in achieving compliance.
Beyond these founding standards, FIDO’s approach has broad applicability to emerging regulations, providing OEMs with a pathway to meeting global compliance demands and bolstering cybersecurity resilience across their connected car ecosystem. Some examples include China’s GB 44495-2024 and India’s AIS 189, which call for regional automotive cybersecurity standards and reinforce the need for features such as secure authentication in the software-defined vehicle (SDV) era. China’s GB regulation, similar to UN R155, emphasizes authenticity and integrity in remote updates, where FIDO’s passkey-based authentication provides a compliant approach to verifying access. India’s regulations, currently still in draft, align with UN R155, highlighting the importance of securing vehicle-to-cloud communications and identity management.
7. Overview of emerging use cases where FIDO standards may applyFIDO standards can be applied to a wide range of scenarios. These can be customer-facing, embedded within the vehicle, or as part of the manufacturer’s IT infrastructure.
High level overview of some of some of these scenarios include but not limited to:
In-vehicle commerce: This includes payments using credentials stored and managed in vehicle to enable convenient fueling, EV charging, parking reservations, car washes or even in-vehicle marketplaces managed by the car manufacturer. Implementation of passkeys to authenticate the associated car user and biometric component certification are most relevant to these use cases. Authentication to personalized services: These applications include easy access to customized automotive settings (for example, headrest and seat adjustments) as well as to informational and entertainment content. In-vehicle solutions: This segment includes applications such as car-to-cloud connectivity and onboarding of ECUs and zone controllers within the vehicle. Implementation of FIDO Device Onboard (FDO) is most applicable to these applications. Workforce authentication: These applications include controlling workforce access to IT systems whether at a development office, manufacturing site, or dealership. Implementation of passkeys and FIDO USB authentication keys are most applicable to these applications. Manufacturing: Modern manufacturing facilities are moving towards software defined control, AI, and robotic systems. The secure deployment of these solutions is often time consuming and expensive. Implementation of FIDO Device Onboard (FDO) can accelerate deployments and increase security. 8. FIDO Alliance technology overviewIn the same way that Ethernet started as an IT networking solution, FIDO standards were not specifically created for automotive applications. However, they are highly relevant in modern vehicles where robust cybersecurity is a critical, foundational element rather than just a desirable feature. FIDO standards, such as passkeys, are being used as is in the automotive world today.
The FIDO Alliance technology portfolio for automotive applications can be broadly grouped into three main areas:
Passkeys: The FIDO Alliance is transforming authentication through open standards for phishing-resistant sign-ins using passkeys. Passkeys are more secure than passwords and SMS OTPs, easier for consumers and employees to use, and simpler for service providers to deploy and manage. Automotive manufacturers leverage passkeys for a wide variety of use cases.
Device Onboarding: The FIDO Alliance establishes standards for secure device onboarding (FDO) to ensure the safety and efficiency of connected devices in segments such as industrial and enterprise. In the automotive sector, manufacturers can apply this standard to the connections between Electronic Control Units (ECUs) and zone controllers or connections between the vehicle itself and the cloud services that facilitate over-the-air software updates. This standard has been adopted by Microsoft, Dell, ExxonMobil, Red Hat and others.
Biometrics certification: The FIDO Alliance offers a certification program tailored to specific applications that uses independent test labs to measure performance of biometric sensors (such as iris or fingerprint sensors). Biometric sensors are becoming an increasingly important component of vehicles. Typical use cases might be to automatically configure the driver’s seat position or as part of a payment system. In these two examples the definition of “good technical performance” can differ greatly. Samsung, ELAN Microelectronics, Thales, Qualcomm, Mitek, iProov, and others have had biometric components certified by FIDO Alliance.
9. FIDO Alliance technology deep diveTo better understand how automotive manufacturers and the FIDO Alliance can work together, this section discusses current FIDO technologies and how they might integrate with automotive applications.
9.1 Passkeys and user authentication
A passkey is a FIDO authentication credential based on FIDO standards, that allows a user to sign in to apps and websites with the same steps that they use to unlock their device (biometrics, PIN, or pattern). With passkeys, users no longer need to enter usernames and passwords or additional factors.
Passkeys are the signature implementation of FIDO authentication standards, and they offer secure yet simplified sign-in to a wide range of services. Passkeys are supported by all major device operating systems and browsers and have been utilized by many industry leaders including Apple, Google, Microsoft, Samsung, Amazon, Walmart, PayPal, and Visa.
The following diagram illustrates how passkeys can be used for in-car applications, such as when a driver signs in to a cloud service.
Figure 1:Sample passkey usage in automotive
Passkeys rely on a technology known as public key cryptography (PKC), in which a virtual key pair is created, one private and the other public. For each private key (stored on the user’s device) there exists a matching public key (stored on the server) that is used to check signatures created with the private key.
In the diagram, a user (the driver in this case) first registers with a cloud service such as a payment service. During the registration process, a private and public cryptographic key is created by the FIDO Authenticator. The private key is stored securely in the infotainment system of the vehicle and is associated with that driver. The public key is stored on the cloud of the service provider.
When the driver wants to sign in to the service, a request is sent from the vehicle to the cloud service. The service then sends an authentication request to the vehicle. This challenge can only be successfully authorized by the user that holds the matching private key. To make sure that request is genuine, the driver is asked to confirm that they want to sign in. This is typically achieved via a biometric sensor such as fingerprint or face. Once this verification is complete, the user gains access to the service. Several FIDO hardware and software components are used for this process.
9.2 Passkey components
Three FIDO Certified components are used in the example:
FIDO authenticator
A FIDO authenticator is a software component or a piece of hardware that can perform FIDO authentication to verify possession and/or confirm user identity. In the example, the FIDO authenticator likely resides in the car infotainment system.
FIDO server
The server provides an application with a programming interface that can be leveraged with a FIDO Certified client to perform strong authentication. The server sits inside the cloud application.
Biometric components
Biometric components can identify an individual and are often used to compliment a FIDO authenticator. These sensors can take multiple forms including fingerprint, iris and face. The FIDO Alliance certifies the efficacy of biometric subsystems including end-to-end performance, differential assessment of demographic groups, and presentation attack detection (PAD).
Although the example is an in-vehicle use case, the same passkey technology can be applied inside a factory, development center, or dealership to ensure that systems are resilient to phishing attacks or other common password attack vectors.
9.3 In-vehicle biometrics
Installation of biometric components in vehicles is expected to increase rapidly over time. The performance needs of these components will vary by sensor type and target application. Today, the FIDO Alliance offers a comprehensive independent certification program for biometric components such as fingerprint and iris sensors. By specifying in a request for quote (RFQ) that products should be FIDO Certified, automotive manufacturers can simplify selection of sensors. For more information on FIDO Certification, visit https://fidoalliance.org/certification/.
9.4 FIDO Device Onboard (FDO)
When a computer device (such as an ECU) first connects to its management platform (the zone controller), it needs to be onboarded and provisioned. A parallel example might be the connection between a vehicle and its cloud. FIDO Device Onboard (FDO) was developed by FIDO Alliance members to meet the automation and high security requirements of such onboarding experiences.
With FDO, a device is first connected to the (wired or wireless) network and then powered up. The device then automatically and securely onboards to the management platform. FDO is based on a zero-trust architecture and therefore offers a high level of security as both the device and the management platform must cryptographically authenticate themselves to each other. FDO also provides resilience to supply chain attacks.
A number of leading technology providers have demonstrated implementations of FDO solutions including Dell, Microsoft, Red Hat, Intel, and ASRock.
10. FIDO technology use cases deep diveThe FIDO Alliance has identified several use cases where FIDO technology can be applied to support the automotive industry. This section discusses possible use cases with the hopes of fostering further conversations.
10.1 Consumer use cases
Historically, many cybersecurity applications have been “behind the scenes”. In modern vehicles there is an increasing number of new applications that directly impact the driver and passenger in-vehicle experience and open new revenue opportunities for manufacturers. One such area is the emergence of in-vehicle commerce.
Several factors are driving in-vehicle commerce:
Technological advancements Software Defined Vehicles (SDVs) allow for continuous updates and new functionality without hardware modifications. Autonomous driving introduces a new use case for vehicles as productivity or leisure spaces. Changing consumer expectations Consumers demand experiences in their vehicles akin to those offered by their smartphones and other digital devices. Revenue opportunities By acting as platforms for digital services, vehicles open new revenue streams for car manufacturers and service providers.10.2 Identity verification, authentication, and authorization
The growing connectivity and services associated with modern vehicles brings about new requirements for identity verification, authentication, and authorization.
Identity verification: The process of confirming a person’s identity. It can involve comparing information provided by a person with records in a database or with the person’s physical documents such as a driver’s license. Authentication: Confirms that a person is who they say they are when attempting to sign in to systems, services, and resources. Authorization: The step after authentication that determines user access in terms of accessing data or performing actions.Unlike other computing devices, such as smartphones and wearables, vehicles often have multiple users including family members, friends, co-workers, or renters. Each user may need access to services or to perform transactions tied to their unique identities and credentials. Therefore, vehicular computing resources must be cyber secure and capable of managing secure access and authentication for a diverse user base, including third-party service providers.
10.3 In-vehicle commerce and authentication
Commerce services in vehicles are closely tied to payments, making strong and user-friendly authentication essential. Drivers must trust that transactions are secure, manufacturers aim to minimize liability for unauthorized payments, and financial institutions require robust, standards-compliant authentication mechanisms. In addition, regulatory frameworks, such as Europe’s Payment Services Directive 2 (PSD2), mandate strong customer authentication (SCA) for cardholder-initiated transactions.
SCA requires a combination of at least two out of three factors:
Possession (something the user has, for example, a key, phone, or vehicle) Inherence (something the user is, for example, biometrics like fingerprint or facial recognition) Knowledge (something the user knows, for example, a PIN or password)If the passkey authenticator is not natively integrated into the vehicle, authentication must be implemented using alternative multi-factor configurations. This can be achieved through software-based approaches, such as combining a PIN (knowledge) with the vehicle as a possession factor, or through hardware-based methods, such as biometric authentication (inherence) via fingerprint sensors or facial recognition, again anchored by the vehicle as the possession factor.
In-vehicle commerce can be broadly categorized into three main areas:
On-demand features
With on-demand features, vehicles now allow users to activate specific functionalities based on their needs. This includes advanced driver-assistance systems, comfort features like heated seats, and performance upgrades. On-demand features can be offered through flexible subscription models or pay-per-use systems. These features enhance customer satisfaction and create additional revenue streams for manufacturers.Vehicle-related services
Vehicle-related services are seamlessly integrated services that include fueling, EV charging, parking reservations and payments, car washes, and toll payments. To maximize user convenience, the vehicle acts as a payment hub without reliance on a smartphone.Convenience features
With implementation of convenience features such as shopping, entertainment, education, and even remote work functionalities, the vehicle becomes an extension of the user’s digital ecosystem. Examples include ordering coffee or groceries on the go, streaming movies, or attending virtual meetings during commutes. These categories illustrate that vehicles are no longer just modes of transportation but platforms that enable various service providers to engage with drivers and passengers.10.4 Driver ID Verification for vehicle access control
Vehicle access requires a high level of authentication and is well suited to biometric sensors.
Keyless entry and ignition: Biometric systems like fingerprint and facial recognition can replace traditional keys to provide secure, biometric-based authentication for vehicle access and ignition. Anti-theft measures: Vehicles can utilize biometric authentication to prevent unauthorized usage or theft, including carjacking. Vehicle and OEM services: Vehicles can use biometric authentication as the first step to assessing a driver’s rights and privileges in determining how vehicle services can be accessed.10.5 Personalization, fleet management and autonomous vehicles
Vehicles are often shared and the ability to automatically adapt to a specific driver is an important capability. The criteria and threshold for identification and authentication varies greatly depending on the specific application. For example, adjusting a driver’s seat adjustment versus passenger authorization for an autonomous vehicle.
10.5.1 Personalization
Adaptive in-car settings: Biometric recognition can identify drivers or passengers in order to adjust seat positions, climate controls, infotainment preferences, and navigation routes according to stored profiles. Adaptive usage-based services: By seamlessly authenticating the driver, the automaker can provide use-based insurance or leasing and financing options for personal and commercial scenarios. Fleet management Shared vehicles and fleets: Biometric-enabled processes ensure smooth transitions between users in car-sharing or fleet systems, loading personal settings for each verified driver. Compliance tracking: Digital wallets can hold compliance documents (for example, licenses and vehicle inspection reports) to reduce paperwork and enhance audit readiness by asserting compliance attributes to authorized users.10.5.2 Autonomous vehicles
Passenger authentication and ID verification: In self-driving cars, biometric systems authenticate passengers to ensure authorized use and personalized experiences.
Why key possession is not sufficient authentication
There are several reasons why a physical key is not a sufficient form of user authentication.
A physical key verifies access to the vehicle but does not confirm the identity of the individual using it. In scenarios such as ridesharing, fleet management, or multi-user vehicles, relying solely on key possession fails to distinguish authorized users from unauthorized users. As discussed earlier, for payment use-cases there is a need in some markets to be compliant with SCA regulations. A key only satisfies the possession factor and therefore does not meet the SCA requirements for secure payments. A vehicle key can be lost, stolen, or duplicated allowing unauthorized individuals to gain access. Without additional layers of authentication, transactions made in the vehicle could be fraudulent. Multi-party and platform complexity: In-car commerce involves multiple stakeholders such as Original Equipment Manufacturers (OEMs), service providers, and users. Authentication must ensure that the user is authorized to transact across all platforms and services, necessitating identity verification beyond simple possession.10.6 Electronic systems and manufacturing use cases
10.6.1 In-vehicle ECU, zone controller, and compute onboarding
As the compute level rises within vehicles, the need for efficient and fast communication becomes increasingly important. In response to this need, cars are increasingly moving to an IT-centric architecture with Ethernet becoming the networking technology of choice to link zone controllers and ECUs inside a vehicle.
In addition to high speed and secure communication, there is a need to ensure that both the device (ECU) and the management platform (Zone controller) are cryptographically authenticated against each other. Although initially developed for IoT and IT systems, the FIDO Alliance team believes that FIDO Device Onboard (FDO) can be a fast and secure way to automate the onboarding process. As FDO is an open standard, automotive manufacturers can benefit from economies of scale savings versus paying for the development and maintenance of proprietary solutions.
In addition to speed and security, FDO also provides resilience to supply chain attacks and grey market counterfeits.
10.6.2 Car to cloud onboarding
As the complexity of car features grows and autonomous driving technology increases, a modern car is essentially a computer on wheels that requires a vast amount of software for all functions to operate.
Most sources agree that a typical modern car is managed by software generated by around 100 million lines of code. The very nature of this complexity confirms that the days when vehicle software can be frozen at vehicle product launch is no longer realistic.
Software updates are now a mandatory feature of modern automobiles and a secure and efficient way of connecting the vehicle to the manufacturer’s cloud is essential.
FDO provides a secure and fast method for vehicles to onboard to their management platforms, making Over the Air (OTA) software updates possible.
Figure 2:FIDO fit for in-vehicle systems
Additionally, new updates to the FDO standard are expected to allow software to securely deploy to bare ECUs or zone controllers, which would greatly simplify dealership repairs and upgrades.
10.7 Workforce authentication (passkeys/FIDO keys)
For many years the IT industry has been using FIDO authenticators to ensure that only authorized staff have access to systems. The risks associated with attacks in this space have been highlighted by the recent challenges faced by some automotive dealers.
Figure 3:FIDO fit for workforce authentication
A cyberattack on a software provider for car dealerships occurred in June of 2024 and disrupted the operations of thousands of dealerships in North America. This attack caused major disruptions, including delays for car buyers and an estimated $1 billion in collective losses for dealerships.
10.8 Manufacturing use cases
Factories are using classic fixed function manufacturing functions such as motion control and PLCs less as they move towards use of far more flexible and intelligent software defined control and AI based vision systems. This transition introduces large numbers of general-purpose computers to the factory floor.
At installation, each server or industrial PC needs to be onboarded to its respective management platform (on-premises or cloud). This onboarding process typically requires that skilled technicians manually configure the credentials or passwords in the devices, a process that is slow, not secure, and expensive.
With FIDO Device Onboard (FDO), a technician can plug in an industrial PC and have it automatically and securely onboard the management server platform.
The following diagram shows how FDO is used to onboard the industrial PCs to the local servers which are in turn onboarded to the manufacturing cloud.
Figure 4:FIDO fit for automotive manufacturing
11. Why using standards helpsCybersecurity standards, such as those from the FIDO Alliance, offer value in ways that are hard for any single company to achieve. These consensus-based standards represent maturity and provide consistency for the industry, which are crucial for reliable authentication and authorization. FIDO cybersecurity standards are based on diverse expertise, provide clarity in a changing cybersecurity landscape, and offer essential guidance for certification authorities and regulators as they develop new laws.
Although the automotive industry has utilized standards almost since its inception, there are still areas where companies have tried to develop their own proprietary solutions. Such solutions rarely add value for the manufacturers and require engineering talent to develop and time to maintain.
As the automotive computing platform is a system of systems, the automotive industry can benefit from lessons learned by related industries. Open standards supported by certification programs help streamline product and service development.
FIDO’s standards are essentially commoditizing authentication elements that are critical to cybersecurity, but that are not natural areas for competitive differentiation. By leveraging standards, vendors and manufacturers can now focus their resources and development efforts on higher-value services.
11.1 Benefits of partnering with the FIDO Alliance
Diverse expertise: The FIDO Alliance brings together skilled professionals from various companies, including cloud players, credit card companies, and manufacturers.
Ecosystem cohesion: Standards ensure quality, security, and interoperability within ecosystems, which is crucial for applications like payments.
Adapt to emerging threats: The threat landscape is always evolving. As an example, quantum computing represents a significant threat to commonly used encryption techniques. Although quantum computing is in a relatively early stage of maturity, standards groups such as the FIDO Alliance are already defining how to create quantum resilient solutions.
12. FIDO Certification programs for the automotive industryThe FIDO Alliance’s world-class certification programs validate that products conform to FIDO specifications and interoperate effectively and assess security characteristics and biometric performance. With over 1,200 FIDO Certified products from hundreds of vendors around the world, these programs unlock the value of FIDO’s open standards for vendors and buyers. By specifying FIDO Certification in their RFQ’s, manufacturers can be sure that their suppliers will deliver performant, secure, and interoperable products.
Automotive OEMs can seek out and leverage components that are already certified (for example, authenticators or biometric components) and FIDO Alliance’s certification team is also developing an automotive profile with its lab partners that replicates in-car environments for more precise biometric tests. The Alliance seeks automotive sector feedback to help us collectively:
Address gaps in the current certification specifications Update specifications as needed Issue sector-specific policies Implement new testing proceduresFor more information on FIDO Certification, visit https://fidoalliance.org/certification/.
13. Conclusion and next stepsThe automotive industry and cybersecurity are evolving quickly; the FIDO Alliance’s proven and established standards and certification programs can help with a wide range of automotive industry applications. Applications include in-vehicle services and payment authentication, onboarding zone-controllers, car-to-cloud connectivity, OTA updates, and leveraging biometrics for a better driver experience.
The FIDO Alliance provides a path for automotive manufacturers and their suppliers to simplify their development processes, raise security levels, improve customer experience, reduce costs and tap into new revenue opportunities.
Feedback is welcome on the topics covered within this white paper and the FIDO Alliance encourages interested parties to engage with the Alliance and its members. FIDO Alliance members can learn more about FIDO standards and have opportunities to influence how these standards evolve. Additionally, members get the benefit of being able to engage with a broad range of thought leaders from leading companies within the broader ecosystem.
To get involved visit https://fidoalliance.org/members/become-a-member/ or use the Contact Us form at https://fidoalliance.org/contact/.
14. Appendix A – Global legislation applicable to automotive cybersecurityNational governments and international organizations have enacted regulations that require stringent cybersecurity measures throughout the automotive lifecycle, from design to operation and even end of life. These frameworks aim to shield vehicles from emerging threats and establish a baseline for safety and trust across the automotive ecosystem.
United Nations Regulations 155 and 156: These are the most prominent and clearly defined automotive cybersecurity regulations. Adopted under the WP.29 framework in 2021, UN R155 and R156 are globally recognized and mandate that vehicles incorporate a Cybersecurity Management System (CSMS) and a Software Update Management System (SUMS). These regulations are prerequisites for type approvals in over 50 countries, including most EU nations, Japan, South Korea, and Australia (UNECE, 2021).
ISO/SAE 21434: This standard provides the foundation for global automotive cybersecurity engineering, outlining processes for managing cyber risks throughout the entire vehicle lifecycle. It complements existing regulations and aids manufacturers in complying with mandatory regulations such as UN R155 (ISO, 2021).
China’s GB 44495-2024 and GB 44496-2024: Introduced in the summer of 2024, these regulations mirror UN R155 and R156 but are more detailed in specificity. GB 44495 outlines cybersecurity requirements for connected vehicles, while GB 44496 governs secure software updates. China’s focus on intelligent connected vehicles highlights its ambition to lead in autonomous and connected technologies (Shadlich, 2024).
India’s AIS 189 and AIS 190: India has introduced AIS 189 and AIS 190, standards aligned with UN R155 and R156, to regulate the cybersecurity of connected vehicles. These frameworks emphasize risk management, monitoring, secure communication protocols, and secure software updates, similar to UN R155/R156 (Vernekar, 2024).
United States: While there are no mandated federal regulations for automotive cybersecurity, the National Highway Traffic Safety Administration (NHTSA) has published cybersecurity best practices. These guidelines emphasize secure vehicle development processes, incident response plans, and continuous risk monitoring. They align with ISO/SAE 21434 and offer a proactive approach to mitigating vulnerabilities in connected vehicles (NHTSA, 2022).
Document history ChangeDescriptionDateInitial publicationWhite paper first published.7-2025 15. ContributorsConor White, Daon, Inc
Richard Kerslake, FIDO Alliance
Andrew Shikiar, FIDO Alliance
Nimesh Shrivastava, Qualcomm Inc
Drew Van Duren, Qualcomm Inc
Jens Kohnen, Starfish GmbH & Co. KG
Tin T. Nguyen, VinCSS JSC
Henna Kapur, Visa
Harley, M. (2024, March 28). EU Cybersecurity Laws Kill Porsche’s 718 Boxster and Cayman Early. Retrieved from https://www.forbes.com/sites/michaelharley/2024/03/28/eu-cybersecurity-laws-kill-porsches-718-boxster-and-cayman-early/
ISO. (2021). ISO/SAE 21434:2021 Road vehicles—Cybersecurity engineering. International Organization for Standardization. Retrieved from https://www.iso.org/standard/70918.html
Miller, C., & Valasek, C. (2015, July 21). Hackers remotely kill a Jeep on the highway—With me in it. Wired. Retrieved from https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway
National Highway Traffic Safety Administration (NHTSA). (2022, September 7). Cybersecurity best practices for new vehicles. NHTSA. Retrieved from https://www.nhtsa.gov/press-releases/nhtsa-updates-cybersecurity-best-practices-new-vehicles
Shadlich, E. (2024, September 2). China’s New Vehicle Cybersecurity Standard: GB 44495-2024. Retrieved from https://dissec.to/general/chinas-new-vehicle-cybersecurity-standard-gb-44495-2024/
UNECE. (2021). UN Regulation No. 155 – Cyber security and cyber security management system. UNECE. Retrieved from https://unece.org/transport/documents/2021/03/standards/un-regulation-no-155-cyber-security-and-cyber-security
University of Detroit Mercy. (n.d.). Vehicle cybersecurity engineering program. Retrieved from https://eng-sci.udmercy.edu/academics/engineering/vehicle-cyber-eng.php
Vernekar, A. (2024, October 10). Securing The Future Of Indian Automobiles: Understanding AIS-189 And Cybersecurity For Vehicles. Retrieved from https://vayavyalabs.com/blogs/securing-the-future-of-indian-automobiles-understanding-ais-189-and-cybersecurity-for-vehicles/
Walsh College. (n.d.). Bachelor of Science in Automotive Cybersecurity. Retrieved from https://walshcollege.edu/walsh-undergraduate-degree-programs/bachelor-of-science-in-information-technology/bachelor-of-science-in-automotive-cybersecurity/
Reflections on recent conversations about digital identity, sovereignty, and the erosion of foundational principles
Echoes from GenevaI wasn’t present at the Global Digital Collaboration conference (GDC25), but the observations shared by colleagues who attended have crystallized some issues I’ve been wrestling with for years. I should note there’s a selection bias here: I’m the author of the 10 principles of self-sovereign identity, so my community tends to have strong opinions about digital identity. Still, when multiple trusted voices independently report similar concerns, patterns emerge that are worth examining. And these weren’t casual observers sharing these concerns. They were seasoned practitioners who’ve spent decades building identity infrastructure. Their collective unease speaks to something deeper than technical disagreements.
It’s hard to boil the problems at GDC25 down to a single issue, because they were so encompassing. For example, there was a pattern of scheduling issues that undercut the community co-organizing goal of the conference and seemed to particularly impact decentralized talks. One session ended up in a small, hot room on the top floor that was hard to find. (It was packed anyway!) Generally, the decentralized-centric talks were in bad locations, they were short, they had restricted topics, or they were shared with other panelists.
I think that logistical shuffling of events may point out one of the biggest issues: decentralized systems weren’t given much respect. This may be true generally. There may be lip service to decentralized systems, but not deeper commitments. Its value isn’t appreciated, so we’re losing its principles. Worse, I see the intent of decentralization being inverted: where our goal is to give individuals independence and power by reducing the control of centralized entities, we’re often doing the opposite — still in the name of decentralization.
The Echo Chamber ParadoxThe problems at GDC25 remind me of Rebooting the Web of Trust (RWOT) community discussions I’ve been following, which reiterate that this is a larger issue. We debate the finer points of zero-knowledge proofs and DID conformance while missing the forest for the trees. Case in point: the recent emergence of “did:genuineid
” — a centralized identifier system that fundamentally contradicts the “D” in DID.
Obviously, decentralization is a threat to those who currently hold power (whether they be governments, corporations, billionaires, or others who hold any sort of power), because it tries to remove their centralization (and therefore their power), to instead empower the individual. But if we can’t even maintain the semantic integrity of “decentralized” within our own technical community, devoted to the ideal, how can we fight for it in the larger world?
The Corpocratic ComplicationGDC25 was held in Geneva, Switzerland. 30+ standards organizations convened to discuss the future of digital identity. Participants spanned the world from the United States to China. There was the opportunity that GDC25 was going to be a truly international conference. Indeed, Swiss presenters were there, and they spoke of privacy, democratic involvement, and achieving public buy-in. It was exactly the themes that we as decentralized technologists wanted to hear.
But from what I’ve heard, things quickly degraded from that ideal. Take the United States. The sole representative of the country as a whole attended via teleconference. (He was the only presenter who did so!) His talk was all about Real ID, framed as a response to 9/11 and rooted in the Patriot Act. It lay somewhere between security-theatre and identity-as-surveillance, and that’s definitely not what we wanted to hear. (The contrast between the US and Swiss presentations was apparently jarring.)
And with that representative only attending remotely, the United State’s real representatives ended up being Google and Apple, each advancing their own corpocratic interests, not the interests of the people we try to empower with decentralized identities.
This isn’t just an American problem. It’s a symptom of a deeper issue happening across our digital infrastructure. It’s likely the heart of the inversions of decentralized goals that we’re seeing — and likely why those logistical reshufflings occurred: to please the gold sponsors. In fact, the conference sponsors tell the story: Google, Visa, Mastercard, and Huawei were positioned as “leading organizations supporting the advancement of wallets, credentials and trusted infrastructure in a manner of global collaboration.”
While Huawei’s presence demonstrates international diversity—a Swiss conference bringing together Europe and Asia—it also raised questions about whose vision of “trust” would ultimately prevail. When payment platforms and surveillance-capable tech giants frame the future of identity infrastructure, we shouldn’t be surprised when the architecture serves their interests first.
This echoes my concerns from “Has SSI Become Morally Bankrupt?”. We’ve allowed the narrative of self-sovereignty to be co-opted by the very platforms it was meant to challenge. The technical standards exist, but they’re being implemented in ways that invert their original purpose. Even UNECE sessions acknowledged the risk of “diluting the autonomy and decentralization that SSI is meant to provide.”
The Sovereignty Shell GameGoogle was partnered with German Sparkasse on ZKP technology and that revealed a specific example of this co-opting.
Google’s open-sourcing of its Zero-Knowledge Proof libraries, announced July 3rd in partnership with Germany’s network of public savings banks, was positioned as supporting privacy in age verification. Yet as Carsten Stöcker pointed out, zero-knowledge doesn’t mean zero-tracking when the entire stack runs through platform intermediaries. Carsten noted that Google has “extensive tracking practices across mobile devices, web platforms and advertising infrastructure.” Meanwhile, the Google Play API makes no promises that the operations are protected from the rest of the OS.
The Google ZKP libraries (“longfellow-sk”) could be a great building block for truly user-centric systems, as they link Zero-Knowledge Proofs to legacy cryptographic signature systems that are still mandatory for some hardware. But they’d have to be detached from the rest of Google’s technology stack. Without that, there are too many questions. Could Google access some of the knowledge supposedly protected by ZKPs? Could they link it to other data? We have no idea.
The European Union’s eIDAS Regulation, set to take effect in 2026, encourages Member States to integrate privacy-enhancing technologies like ZKP into the European Digital Identity Wallet, but integration at the platform level offers similar dangers and could again invert the very privacy guarantees ZKP promises.
Historical Echoes, Modern InversionsIdentity technology’s goals being inverted, so that identity becomes a threat rather than a boon, isn’t a new problem. In “Echoes of History”, I examined how the contrasting approaches of Lentz and Carmille during WWII demonstrate the life-or-death importance of data minimization. Lentz’s comprehensive Dutch identity system enabled the Holocaust’s efficiency; Carmille’s deliberate exclusion of religious data from French records saved lives. Even when they’re decentralized, today’s digital identity systems face the same fundamental questions: what data should we collect, what should we reveal, and what should we refuse to record entirely?
But we’re adding a new layer of complexity. Not only must we consider what data to collect, but who controls the infrastructure that processes it. When Google partners with Sparkasse on “privacy-preserving” age verification, when eIDAS mandates integration at the operating system level, we’re not just risking data collection: we’re embedding it within platforms whose business models depend on surveillance. Even if the data is theoretically self-sovereign, the threat of data collected is still data revealed — just as happened with Lentz’s records.
The European eIDAS framework, which I analyzed in a follow-up piece to “Echoes from History”, shows how even well-intentioned regulatory efforts can accelerate platform capture when they mandate integration at the operating system level. As I wrote at the time, a history of problematic EU legislation that had the best of intentions but resulted in unintended consequences has laid the groundwork, and now identity is straight in that crosshairs. One of the first, and most obvious problems with eIDAS is the mandate “that web browers accept security certificates from individual member states and the EU can refuse to revoke them even if they’re dangerous.” There are many more — and I’m not the only voice on eIDAS and EUDI issues.
Supposedly self-sovereign certificates phoning home whenever they’re accessed is another recent threat that demonstrates best intentions gone awry. This not only violates privacy, but it undercuts some of our best arguments for self-soveereign control of credentials by returning liability for data leaks to the issuer. The No Phone Home initiative that Blockchain Commons joined last month represents one attempt to push back on that, but it feels like plugging holes in a dam that’s already cracking. It all does.
The Builder’s DilemmaWhat troubles me most is the split I see in our community. On one side, technology purists build increasingly sophisticated protocols in isolation from policy reality. On the other, pragmatists make compromise after compromise until nothing remains of the original vision.
The recent debates about did:web
conformance illustrate this perfectly. Joe Andrieu correctly notes that did:web
can’t distinguish between deactivation and non-existence — a fundamental security boundary. Yet did:web
remains essential to many implementation strategies because it bridges the gap between ideals and adoption. It provides developers and users with experience with DIDs, but in doing so undercut decentralized ideals for those users. We’re caught between philosophical purity and practical irrelevance.
In my recent writings on Values in Design and the Right to Transact, I’ve tried to articulate what we’re fighting for. But values without implementation are just philosophy, and implementation without values is just surrender.
The Global Digital Collaboration highlighted this tension perfectly. International progress on digital identity proceeds apace: Europe, Singapore, and China all advance their frameworks, but there are still essential issues that invert our fundamental goals in designing self-sovereign systems. Meanwhile, the U.S. remains even more stalled, its position represented only by the platforms that benefit from the status quo. Alongside this, technical standards discussions proceed in isolation from the policy, regulatory, and social frameworks that will determine their real-world impact.
Where Do We Go From Here?I find myself returning to first principles. When we designed TLS 1.0, we understood that technical protocols encode power relationships. When we established the principles of self-sovereign identity, we knew that architecture was politics. Ongoing battles, such as those between Verifiable Credentials and ISO mDLs, between DIDComm and OpenID4VC, demonstrate disagreements over these power relationships made visible in technological discussions.
The question now is whether we can reclaim our ideals before they’re completely inverted by the side of centralized power and controlled architecture.
The path forward requires bridging the gaps Geneva revealed:
Between corporate platform dominance and global digital sovereignty Between the promise of decentralization and the reality of recentralization Between technical standards and policy reality Between privacy absolutism and implementation pragmatism A Personal NoteAfter three decades of building internet infrastructure, I’ve learned that the most dangerous moment isn’t when systems fail, it’s when they succeed in ways that invert their purpose. We built protocols for human autonomy and watched them become instruments of platform control. We created standards for decentralization and see them twisted into new forms of centralization.
This conversation continues in private Signal groups, in conference hallways, in the space between what we built and what we’ve become. The Atlantic Council warns of power centralizing “in ways that threaten the open and bottom-up governance traditions of the internet.” When critics from across the geopolitical spectrum — from sovereignty advocates to digital rights groups — all sense something amiss, it suggests a fundamental architectural problem that transcends ideology.
Perhaps it’s time for a new architecture: one that acknowledges these inversions and builds resistance into its very foundations.
But that’s a longer conversation for another day.
Christopher Allen has been architecting trust systems for over 30 years, from co-authoring TLS to establishing self-sovereign identity principles. He currently works on alternative approaches to digital identity through Blockchain Commons.
Community Responses & Discussion since PublicationThis article sparked significant discussion across the digital identity community:
Mailing List Discussion W3C Credentials Community Group Thread (39 messages, July 16-17) Debate between pragmatic incrementalism vs. human rights imperatives Questions about whether current standards help or hinder decentralization Concerns about “death by 1000 compromises” in SSI implementation My own synthesis and response to this CCG thread, including highlighting Utah’s “recognizer not issuer” as an altertive model De-platforming humans sub-thread (19 messages, July 17) Adrian Gropper proposes moving beyond SSI as “anti-pattern” Discussion of Nostr as alternative architecture Debate over whether did:web is truly decentralized given DNS dependencies Response Articles A Pattern of Moral Crisis - Kyle Den Hartog Examines how technologies get co-opted during times of crisis, drawing parallels to historical censorship patterns Centralized SSI - Kyle Den Hartog Analyzes how trust architectures themselves, not just technology, determine whether systems preserve or remove agency Cyber Storm Rising: Designing for the Warzone - Carsten Stöcker Reframes decentralization as urgent cybersecurity necessity, not just privacy concern, citing Ukraine’s experience Choose Love and Joy - Will Abramson Optimistic perspective on using advanced cryptography and blockchain “hardness” to build kinder digital futures Privacy in EUDI - Jaromil (Dyne.org) Technical analysis of European Digital Identity implementation and privacy implications Decentralized Age Verification - Kyle Den Hartog Concrete proposal for privacy-preserving content moderation that shifts roles within the SSI triangleJoin these ongoing discussion or share your perspective.
The Overlays Capture Architecture (OCA) is a foundation for Dynamic Data Economy structuring and presenting data in a traceable and verifiable way. Recognising today’s need of interoperability between standards, the release of OCA v2, the architecture takes a major leap forward, introducing a modular and extensible approach in the definition of overlays.
Community 2.0The new specification centers around making overlays easier to define, share, and validate — even by non-technical users. At its core, OCA v2 introduces the concept of Community Overlays, empowering ecosystems to create and maintain their own overlay definitions without deep technical barriers.
We used the term Community (i.e. not ecosystem) to stress the need of creating the flexibility to create specific overlays for a given purposes shared by multiple users. For example, in science this approach helps to define the ultra-precise meaning of certain datasets while keeping them in line with common standards. In compliance, the approach enables the definition of data structures that must match specific regulatory constraints in a given jurisdiction. In supply-chain, the approach enables domain specific definitions of data exchanges to be used across the entire chain without requiring a centralised authority.
Definition of Community-Driven OverlayEnabling Community Overlays required a different approach to the way the overlays are defined. Instead of specifying them in the OCA specification, we created a Domain-Specific Language (DSL), which allows us to create overlay definitions, which we called OVERLAYFILE.
OVERLAYFILE is a text-based file which can consist of one or many definitions of various overlays. If you are familiar with programming, think of it as a *.h (header) file from C++. If you are not familiar with technology, think of it as the exact structure of the dataset your boss, team, department or company validated for use.
Having clearly defined overlays, the relevant tooling support any community-defined overlay and simplify the way we manage overlays in the whole ecosystem. When you use it, you have the cryptographic assurance to use what the community has validated for use.
A new file type, .overlaysfile
, allows communities to formally define their own overlays. By separating overlay definitions from usage, ecosystems can establish governance and enable cross-project reusability. Overlay repositories further support this, enabling easy distribution and import of overlays.
The new approach allows overlays to define schemas, ensuring proper structure and data integrity. Tooling can now validate authored overlays against community-defined schemas, reducing errors and increasing trust.
OCA Bundle in JSON formatAn OCA Bundle is a set of OCA objects serving as envelop for distribution and usage of the semantic. With v2 we finally introduced long waiting new encoding format which replace old .zip file by simple JSON object. This new format was in test since quite some time in reference implementation of OCA and now it is official part of the OCA specification allowing to simplify the tooling and the way how the bundle is transmitted.
OCA Specification v2Finally we release RC1 of Overlays Capture Architecture Specification v2.0.0 which is signal for readiness of mentioned features and functions. The process of implementation already started in our reference implementation which can be followed at oca-rs.
Below you would find the list of major changes which version 2.0.0 brings:
Sensitive overlay replaces PII's flagging in capture base. This enables an enhanced approach to privacy and other risks flagged directly in the schema
Categories from the Label overlay have move to presentation layer. Thus strictly enforcing the distinction between data inner structure and meaning with data presentation.
Upgrade to “Community Overlays” of certain previously “core overlays”. - all overlays listed below are nominated as community overlays and hosted in an Overlays Repository.
Information
Transoformation
Presentation
Layout
Conditional
Unit mapping
Introduce SemVer for all objects
Support for 639-1 and 639-3
Support for namespacing in overlay name
OCA2.0 build for stronger, verifiable data integrityAll objects of the Overlays Capture Architecture, the Capture Base, Overlays and Bundle are compatible with CESR encoding. This ensures that those objects can be authenticated using DKMS a KERI based decentralised key management.
This is pivotal to establish cryptographically verifiable integrity of data objects. This property enables the implementation of distributed governance models - a topic that will receive much attention at the Human Colossus Foundation
Webinar at DSWGThe Technology Council, who is responsible for maintaining the OCA specification and reference implementation, hosted a webinar during the Decentralised Semantic Working Group where they delved into the details of the design of the new architecture and all the features of version 2.0.
Decentralised Semantic Working Group - Overlays Capture Architecture 2.0
Looking AheadWith OCA v2, the Overlays Capture Architecture moves closer to its vision of an open, extensible semantic ecosystem where organizations and communities can seamlessly create, validate, and share schemas.
Cybersecurity experts are urging internet users to take immediate steps to secure their online accounts, after largest-ever data leak exposed more than 16 billion login credentials including from major platforms like Google, Facebook, Apple, and even government services.
The breach, discovered by researchers at Cybernews, is believed to have been carried out using infostealers that harvested login data and other sensitive credentials from multiple platforms. “This is not just a leak – it’s a blueprint for mass exploitation,” Cybernews said in a statement. “With over 16 billion login records exposed, cybercriminals now have unprecedented access to personal credentials that can be used for account takeover, identity theft, and highly targeted phishing.”
Over the last few decades, compromised usernames and passwords have typically been at the root of some of the most sensational, damaging, and costly data breaches. An incessant drumbeat of advice about how to choose and use strong passwords and how not to fall prey to social engineering attacks has done little to keep threat actors at bay.
Meta has begun rolling out passkey login authentication for Facebook users on iOS and Android mobile devices, marking a significant advancement in the industry-wide movement away from traditional password-based security. The implementation follows similar moves by tech giants Apple, Google, and Microsoft who have been leading the charge toward passwordless authentication.
The new passkey feature will become available to users globally over the coming weeks. To use the functionality, users must have devices that support FIDO2/WebAuthn standards, which are commonly found in modern iOS and Android smartphones. These standards, developed through collaboration between the FIDO Alliance and the World Wide Web Consortium (W3C), provide a secure framework for passwordless authentication that has been widely adopted across the technology industry.
Look up customer journey or customer experience (aka CX) and you’ll find nothing about what the customer drives, or rides. All results will be for systems meant for herding customers like cattle into a chute that the CX business (no kidding) calls a sales funnel:
Do any customers want to go down these drains?
But let’s stick with the journey metaphor, because there are good people in the marketing business who have thought deeply about how people buy and own things. Chief among those people is Estaban Kolsky, of Constellation Research. He visualizes the journey in a way that not only gives weight to the ownership experience, but separates it from the sales experience :
As for our actual experience, we spend 100 percent of our lives with things we own, and just a tiny percentage on buying them. So the real ratio should look more like this:
And yet, as I pointed out several years back in Turning the Customer Journey Into a Virtuous Cycle…
…consider the curb weight of “solutions” in the world of interactivity between company and customer today. In the BUY loop of the customer journey, we have:
1. All of advertising, which Magna Global expects to pass $.5 trillion, more than a decade ago
2. All of CRM/CX, which now exceeds $100 billion
3. All the rest of marketing, which has too many segments for me to bother looking up
So, in the OWN loop we have a $0 trillion greenfield.
To enter that greenfield, we need customers to be in charge of their side of these relationships— preferably through means for interaction that customers themselves control—on terms that are agreeable to both sides, rather than the one-sided terms we suffer every time we click AGREE on a cookie notice.
To help imagine how that will work, I volunteer a real-world example from my own life.
A few years back, I bought a pair of LAMO Mens Mocs at a shopping mall kiosk in Massachusetts. Here’s one:
I like them a lot. They’re very comfortable and warm on winter mornings. In fact I still wear them, even though the soles have long since come apart and fallen off. Here is how they looked after a few years of use:
I’m showing this so you, and LAMO, can see what happens, and how we can both use my experience—and those of other customers—to change the world.
See, I like LAMO, and would love to help the company learn from my experience with one of their products. As of today, there are four choices for that:
Do nothing (that’s the default) Send them an email Go on some website and talk about it. (A perfect Leighton cartoon in the New Yorker shows a couple registering at a hotel while the person behind the counter says, “If there’s anything we can do to make your stay more pleasant, just rant about it on the Internet.”) Get “social” by tweeting to @LAMOfootwear or posting to LAMO’s Facebook page. (For wisdom on “social” relations between brands and presumed fans, see Bob Hoffman‘s talk on the topic.)So here is a fifth choice: give these moccasins their own virtual cloud, where LAMO and I can share intelligence about whatever we like, starting (on my side) with reports on my own experience, requests for service, or whatever. Phil Windley calls these clouds picos, for persistent compute objects. Picos are breeds of what Bruce Sterling calls spime: persistent intelligence for things. Picos have their own operating system (e.g., Wrangler, which Phil most recently posted about here), and don’t need intelligence on board. Just scan a QR code, and you’ll get to the pico. Here’s the QR code on one of my LAMO moccasins:
Go ahead and scan the code with your phone. You’ll get to a page that says it’s my moccasin.
That’s just one view of a potential relationship between me and Lamo — one in which I can put a message that says “If found, call or text _______.” Another view is on my own dashboard of things in my OWN cycle, and direct connections to every one of those companies. That relationship can rest on friendly terms in which I’m the first party and the company is the second party. (For more on that, see here and here.)
So look at the relationship between me and Lamo as a conduit (the blue cylinder below) that lives in the pico for my mocassin. That conduit goes from my VRM (vendor relationship management) dashboard to Lamo’s CRM (customer relationship management) system. There is no limit to the goodness that can pass back and forth between us, including intelligence about how I use my moccasins.
Let’s look at what can happen at either or both ends of that conduit.
A pico for a product is a CRM dream come true: a standard way for every copy of every product to have its own unique identity and virtual cloud (in which any data can live), and standard way any customer can report usage and other intelligence about any product they own—without any smarts needing to live on the thing itself.If I scan that QR code, I can see whatever notes I’ve taken. I can also see whatever LAMO has put in there, with my permission. Also in that cloud is whatever programming has been done on it. Here is one example of simple relationship logic at work:
IF this QR code is scanned, THEN send LAMO a note that Doc has a new entry in our common journal.
Likewise, LAMO can send me a note saying that there is new information in the same journal. Maybe that information is a note telling me that the company has changed sole manufacturers, and that the newest Mens Mocs will be far more durable. Or maybe they’ll send a discount on a new pair. The correct answer for what goes in the common journal (a term I just made up) is: whatever.
Now let’s say LAMO puts a different QR code, or other identifier, in every moccasin it sells. Or has a CRM system that is alert to notifications from customers who have turned their LAMO moccasins into picos, making all those moccasins smart. LAMO can then not only keep up with its customers through CRM-VRM conduits, but tie interactions through those conduits to the dashboards of their accounting systems (from Xero or other companies that provide enriched views of how the company is interacting with the world).
This is one huge potential key to the future of customer service, customer relationship management (CRM), call centers, loyalty programs, continuous improvement, customer experience (CX), customer engagement (CE) and other complicated ways businesses today try to solve all relationship problems from the maker’s or the seller’s side alone.
Follow the links in the last paragraph (all to Wikipedia), and you’ll find each of them has “multiple issues.” The reason for that is simple: the customer is not involved with any of them. All those entries make the sound of industries talking to themselves — or one hand slapping.
This is an old problem that can only be fixed on the customer’s side. Before the Internet, solving things from the customer’s side — by making the customer the point of integration for her own data, and the decider about what gets done with that data — was impossible. Now that we have the Internet, it’s very possible, but only if we get our heads out of business-as-usual and back into our own lives. This will be good for business as well.
A while back I had meetings with two call center companies, and reviewed this scenario:
A customer scans the QR code on her cable modem, activating its pico. By the logic described above, a message to the call center says “This customer has scanned the QR code on her cable modem.” The call center checks to see if there is an outage in the customer’s area, and — if there is — finds out how soon it will be fixed. The call center sends a message back saying there’s an outage and that it will be fixed within X hours.In both cases, the call center company sai,d “We want that!” Because they really do want to be fully useful. And — get this — they are programmable.
Unfortunately, in too many cases, they are programmed to avoid customers or to treat them as templates rather than as individual human beings who might actually be able to provide useful information. This is old-fashioned mass-marketing thinking at work, and it sucks for everybody. It’s especially bad at delivering (literal) on-the-ground market intelligence from customers to companies.
Call centers would rather be sources of real solutions rather than just customer avoidance machines for companies and anger sinks for unhappy customers. The solution I’m talking about here takes care of that. And much more.
Now let’s go back to shoes.
I’m not a hugely brand-loyal kind of guy. I use Canon cameras because I like the long-standing 5D user interface more than the competing Nikon ones, and Canon’s lens prices tend to be lower. I use Apple computers because they’re easy to get fixed and I can open a command line shell and get geeky when I need to. I drive a 2017 VW wagon because I got it at a good price. And I buy Rockport shoes because, on the whole, they’re pretty good.
Used to be they were great. That was in the ’70s and early ’80s when Saul and Bruce Katz, the founders, were still in charge. That legacy is still there, under Reebok ownership; but it’s clear that the company is much more of a mass marketing operation than it was back in the early days. Still, in my experience, they’re better than the competition. That’s why I buy their shoes. Rockports are the only shoes I’ve ever loved. And I’ve had many.
So here is a photo I took of wear-and-tear on two pairs of Rockport casual shoes I still use, because they’re damned comfortable:
Shots 1 and 2 are shoes I bought in June 2012, and are no longer sold, near as I can tell. (Wish they were.) Shots 3 and 4 are of shoes called Off The Coast 2 Eye. I bought mine in late 2013, but didn’t start wearing them a lot until early this year. I bought both at the Rockport store in Burlington Mall, near Boston. I like that store too.
The first pair has developed a hole in the heel and loose eyelet grommets for the laces around the side of the shoe. The hole isn’t a big deal, except that it lets in water. The loose eyelets are only a bother when I cross my feet sitting down: they bite into the other ankle. The separating outer sole of the second pair is a bigger concern, because these shoes are still essentially new, and look new except for that one flaw. A design issue is the leather laces, which need to be double-knotted to keep from coming undone, and even the double-knots come undone as well. That’s a quibble, but perhaps useful for Rockport to know.
I’d like to share these experiences privately with Rockport, and for that process to be easy. Same with my experiences with LAMO moccasins.
It could be private if Rockport and LAMO footwear came with QR codes for every pair’s pico — it’s own cloud. Or if Rockport’s CRM or call center system was programmed to hear pings from my picos.
Ideally, customers would get the pico along with the shoe. Then they would have their own shared journal and message space — the conduit shown above — as well as a programmable system for creating and improving the whole customer-company relationship. They could also get social about their dialogs in their own ways, rather than only within Facebook and Twitter, which are the least private and personal places imaginable.
This kind of intelligence exchange can only become a standard way for companies and customers to learn from each other if the code for picos is open source. If Rockport or LAMO try to “own the customer” by locking her into a closed company-controlled system — the current default for customer service — the Internet of Things will be what Phil calls “the Compuserve of things”. In other words, divided into the same kind of closed and incompatible systems we had before the Net came along.
One big thing that made the Internet succeed was substitutability of services. Cars, banks, and countless other product categories you can name are large and vital because open and well-understood standards and practices at their base have made substitutability possible. Phil says we can’t have a true Internet of Things without it, and I agree.
The smartest people working for companies are their customers. And the best way to activate customer smarts is by giving them scale. That’s what picos do.
As a bonus, they also give companies scale. If we can standardize picos, we’ll have common and standard ways for any customer and any company to relate to each other through any VRM + CRM system. Think about how much more, and better, intelligence a company can get from its customers this way, rather than through the ones barely succeeding now, where the company does all the work, and fails to know an infinitude of useful stuff customers could be telling them. Think about how much more products can be improved, an iterated over time. Think about how much more genuine loyalty can be created and sustained with this kind of two-way system.
Then think how much companies can save by not constantly spying on customers, guessing about what they might want, spamming them with unwanted and unnecessary sales messages, maintaining systems try to relate but actually can’t, and herding customers into imaginary funnels that customers would loathe if they could see what’s going on.
It’s a lot.
So let’s start working on growing a sane world of business that’s based on market intelligence that flows both ways, instead of the surveillance-based guesswork and delusional imaginings of marketing that smokes its own exhaust. We can do it, privately, and at scale.
The first ancestor of this post appeared at ProjectVRM on 19 Apri 2014. It was updated a bit on 8 June 2017. The second one was posted here on Medium in 2016. With IEEE P7012, aka MyTerms nearing completion, there is a good chance we can make this dream come true in 2026.
We are excited to share that we are starting a new project in partnership with the Numun Fund to map organizations and community responses addressing technology-facilitated gender-based violence (TFGBV), specifically intimate partner violence (IPV) affecting girls, young women and LGBTIQ+ activists in the Majority World.
The post Help Us Map Responses to Tech-Facilitated Intimate Partner Violence Affecting Young Women and LGBTIQ+ Activists appeared first on The Engine Room.
We reconstruct memory through listening. Over the past three months, as we shared in April, we immersed ourselves with our ears wide open and a shared desire to explore a digital sound archive that began taking shape over 20 years ago.
The post Weaving Sound Memories: Exploration and Care of the Oír Más Archive appeared first on The Engine Room.
How are brands thinking about their supply chains five years after the COVID-19 crisis?
Companies are now leaning more heavily into innovation, from making their operations resilient to market changes to launching sustainability initiatives.
In this episode, Stephanie Mehta, CEO and Chief Content Officer at Mansueto Ventures, joins hosts Reid Jackson and Liz Sertl following her keynote at GS1 Connect. They discuss why the supply chain is now at the center of innovation and how companies can stay ahead of changes in the economy and evolving customer demands.
Drawing on her experience leading Fast Company and Inc., Stephanie shares how resilience, sustainability, and data-driven thinking are transforming the business landscape for companies of every size.
In this episode, you’ll learn:
How companies are using the supply chain to drive innovation and acceleration
Why executives are rethinking product packaging, automation, and logistics
The impact of data and social media on a company’s operations
Jump into the conversation:
(00:17) Introducing Next Level Supply Chain
(02:32) Stephanie Mehta’s journey from business journalist to CEO
(03:27) How GS1 US collaborates with media brands
(04:13) Reaching small businesses with supply chain storytelling
(05:41) What most people miss about barcodes
(07:35) Why innovation should not stop post-crisis
(08:23) How sustainability aligns with consumer demand
(11:16) Solving forecasting and inventory with better data
(12:05) The logistics of HP’s sustainability initiative
(15:56) Social media’s growing impact on supply chains
Connect with GS1 US:
Our website - www.gs1us.org
Connect with the guest:
Stephanie Mehta on LinkedIn
Through our Matchbox Program, we partner with civil society organizations to strengthen their work by harnessing the power of data and technology. Our recent partnership with Trans Youth Initiative-Uganda (TYI-Uganda) offers a lens into how collaborative platform development can respond to pressing social challenges while also building long-term organizational capacity.
The post WHEN SAFETY IS POLITICAL: DIGITAL SOLUTIONS FOR TRANS YOUTH IN UGANDA appeared first on The Engine Room.
Microsoft has said that it’s ending support for passwords in its Authenticator app starting August 1, 2025.
Microsoft’s move is part of a much larger shift away from traditional password-based logins. The company said the changes are also meant to streamline autofill within its two-factor authentication (2FA) app, making the experience simpler and more secure.
Over the past few years, Microsoft has been pushing for a passwordless future using technologies like passkeys, Windows Hello, and FIDO2-based authentication. These methods offer better protection against phishing and password reuse, which are still major attack vectors. While it may feel like a hassle at first, this change is actually aimed at reducing your risk in the long run.
Invitation to comment on OpenDocument Version 1.4 before call for consent as OASIS Standard - ends September 7th
OASIS Members and other interested parties,
OASIS and the Open Document TC [1] are pleased to announce that Open Document Version 1.4 CS01 is now available for public review and comment.
The OpenDocument Format (ODF) is an open XML-based document file format for office applications to be used for documents containing text, spreadsheets, charts, and graphical elements. The file format makes transformations to other formats simply by leveraging and reusing existing standards wherever possible. As an open standard under the stewardship of OASIS, OpenDocument also creates the possibility for new types of applications and solutions to be developed other than traditional office productivity applications.
The TC received three Statements of Use from Microsoft, Allotropia Software GmbH, and The Document Foundation [3].
The candidate specification and related files are available here:
OpenDocument Version 1.4
Part 1: Introduction
Committee Specification 01
2 August 2024
https://docs.oasis-open.org/office/OpenDocument/v1.4/cs01/part1-introduction/OpenDocument-v1.4-cs01-part1-introduction.odt(Authoritative)
https://docs.oasis-open.org/office/OpenDocument/v1.4/cs01/part1-introduction/OpenDocument-v1.4-cs01-part1-introduction.html
https://docs.oasis-open.org/office/OpenDocument/v1.4/cs01/part1-introduction/OpenDocument-v1.4-cs01-part1-introduction.pdf
OpenDocument Version 1.4
Part 2: Packages
Committee Specification 01
2 August 2024
https://docs.oasis-open.org/office/OpenDocument/v1.4/cs01/part2-packages/OpenDocument-v1.4-cs01-part2-packages.odt(Authoritative)
https://docs.oasis-open.org/office/OpenDocument/v1.4/cs01/part2-packages/OpenDocument-v1.4-cs01-part2-packages.html
https://docs.oasis-open.org/office/OpenDocument/v1.4/cs01/part2-packages/OpenDocument-v1.4-cs01-part2-packages.pdf
OpenDocument Version 1.4
Part 3: OpenDocument Schema
Committee Specification 01
2 August 2024
https://docs.oasis-open.org/office/OpenDocument/v1.4/cs01/part3-schema/OpenDocument-v1.4-cs01-part3-schema.odt (Authoritative)
https://docs.oasis-open.org/office/OpenDocument/v1.4/cs01/part3-schema/OpenDocument-v1.4-cs01-part3-schema.html
https://docs.oasis-open.org/office/OpenDocument/v1.4/cs01/part3-schema/OpenDocument-v1.4-cs01-part3-schema.pdf
OpenDocument Version 1.4
Part 4: Recalculated Formula (OpenFormula) Format
Committee Specification 01
2 August 2024
https://docs.oasis-open.org/office/OpenDocument/v1.4/cs01/part4-formula/OpenDocument-v1.4-cs01-part4-formula.odt (Authoritative)
https://docs.oasis-open.org/office/OpenDocument/v1.4/cs01/part4-formula/OpenDocument-v1.4-cs01-part4-formula.html
https://docs.oasis-open.org/office/OpenDocument/v1.4/cs01/part4-formula/OpenDocument-v1.4-cs01-part4-formula.pdf
Schema files are located here.
For your convenience, OASIS provides a complete package of the prose specification and related files in a ZIP distribution file. You can download the ZIP file at: OpenDocument-v1.4-cs01.zip
Members of the Open Document TC approved this specification by Special Majority Vote [2]. The specification had been released for public review as required by the TC Process.
Public Review Period
The 60-day public review is now open and ends 7 September 2025 at 23:59 UTC.
This is an open invitation to comment. OASIS solicits feedback from potential users, developers and others, whether OASIS members or not, for the sake of improving the interoperability and quality of its technical work.
Comments may be submitted to the project by any person through the use of the project’s Comment Facility. Members of the TC should submit feedback directly to the TC’s members-only mailing list. All others should follow the instructions listed here.
All comments submitted to OASIS are subject to the OASIS Feedback License, which ensures that the feedback you provide carries the same obligations at least as the obligations of the TC members. In connection with this public review we call your attention to the OASIS IPR Policy [4] applicable especially [5] to the work of this technical committee. All members of the TC should be familiar with this document, which may create obligations regarding the disclosure and availability of a member’s patent, copyright, trademark and license rights that read on an approved OASIS specification.
OASIS invites any persons who know of any such claims to disclose these if they may be essential to the implementation of the above specification, so that notice of them may be posted to the notice page for this TC’s work.
========== Additional references:
[2] Approval ballot
[3] Links to Statements of Use
Microsoft:
https://groups.oasis-open.org/discussion/statement-of-use-from-microsoft
Allotropia Software GmbH:
https://groups.oasis-open.org/discussion/statement-of-use-for-open-document-format-for-office-applications-opendocument-version-14-cs01
Document Foundation:
https://groups.oasis-open.org/discussion/fwd-statement-of-use-odf-14
[4] https://www.oasis-open.org/policies-guidelines/ipr/
https://www.oasis-open.org/committees/office/ipr.php
Intellectual Property Rights (IPR) Policy
The post Invitation to comment on OpenDocument Version 1.4 before call for consent as OASIS Standard – ends September 7th appeared first on OASIS Open.
On June 30th, Geneva became the stage for an informal event: the kick-off meeting of the DKMS Alliance. This gathering marks the official launch of a collaborative initiative poised to reshape digital trust infrastructure for the next generation.
At the time Geneva’s international traditions lead the city to host the Global Digital Conference 2025, the DKMS Alliance aims to bring now the open-source primitives enabling the digital authentication of tomorrow to the enterprises and organisations with the required support, maintance and stability they needs to build digital interoperable solutions at scale.
The DKMS Alliance — is a joint endeavor kicked off by Human Colossus Foundation, Vereign AG and argonAUTHs. Anchored in the architectural roots of KERI (Key Event Receipt Infrastructure), the Alliance unites deep technical expertise and strong operational capabilities to deliver to the world a new paradigm for secure, verifiable, and sovereign digital interactions.
A Shared Vision for Open and Secure Digital InfrastructureThe Alliance goal is to drive adoption, sustainability, and market readiness for digital infrastructure components that are open, secure, and industrial-grade. By combining the power of DKMS, a Rust implementation of KERI, and the Overlays Capture Architecture (OCA) into production-ready resources the Alliance provides its members the first movers advantage to develop enterprise applications that scales. The DKMS Alliance aims to become a community acting as a beacon of dynamic innovation and reliability to deploy resilient solutions build on top of a reliable digital trust infrastructure.
The DKMS Alliance represents today a powerful fusion of complementary strengths. From the Human Colossus Foundation’s pioneering work on the KERI protocol and in data semantics and governance to Vereign’s production deployments in secure communications and ArgonAUTHs’ cryptographic agility and verifiability at scale, the founding organizations bring together decades of experience in building trust frameworks, decentralized identity, secure communication, and verifiable data ecosystems.
Why Now?In a world increasingly challenged by fragmented approaches to digital trust, vendor lock-in, and fragile ecosystems, the DKMS Alliance provides a unified, community-driven foundation. By offering stable APIs, modular architectures, and predictable release cycles, the Alliance ensures that the core infrastructure remains robust and future-proof.
The Alliance also emphasises transparent governance, which will be build with Alliance members. This commitment to openness and quality positions it to become the go-to stack for governments and enterprise innovators looking to implement decentralised trust layers.
The Kick-off: Setting the Stage for Collective ActionThe Geneva meeting brought together a mix of technical leaders, strategists, funders and early adopters to align on shared goals, identify immediate priorities, and announced a roadmap for 2025 and beyond. It marked the transition from vision to execution. Focused action points emerged to accelerate engineering efforts, develop governance structures, and expand outreach to early members.
As an early member of the DKMS Alliance, organizations have the unique opportunity to influence the evolution of specifications and implementations, gain early access to deliverables, and secure premium support from the visionary leaders shaping tomorrow’s digital trust landscape.
Join Us on This JourneyThe DKMS Alliance is more than just a technical project — it’s a call to collective stewardship of the global digital commons. By joining, organizations not only protect critical dependencies but also demonstrate leadership in privacy, security, and data sovereignty. As a renegade from the current mainstream, you become within your domain, the reputable authority of tomorrow’s digital architecture.
We invite you to become part of the transformative movement. Check our Prima Vista document on how you can join this journey. Together, we can build the resilient, trustworthy, and open digital infrastructure the world urgently needs.
Stay tuned — more information, updates, and opportunities to engage with the DKMS Alliance will be coming soon!
Watch the full recording on YouTube.
Status: Verified by PresenterPlease note that ToIP used Google NotebookLM to generate the following content, which the presenter has verified.
Google NotebookLM Podcast
https://trustoverip.org/wp-content/uploads/ToIP-EGWG-2025-06-26_-Aakash-Guglani-Enhancing-Trust-using-Digital-Public-Infrastructure-DPI.wavHere is a detailed briefing document reviewing the main themes and most important ideas or facts from the provided source, generated by Google’s NotebookLM:
Briefing Document: India’s Digital Public Infrastructure (DPI)Date: June 26, 2025
Source: Excerpts from Trust over IP Ecosystems and Governance Working Group Meeting
Presenter: Aakash Guglani from the Digital India Foundation.
Topic: Enhancing Trust using Digital Public Infrastructure (DPI)
Excerpt: India’s Digital Public Infrastructure (DPI) and Unified Payment Interface (UPI) revolutionize financial inclusion, bringing over 500 million people into the digital economy. This open-source, mobile-first system builds trust and breaks traditional payment monopolies.
This briefing document provides an overview of India’s Digital Public Infrastructure (DPI), focusing on its development, impact, and future direction as presented by Aakash Guglani from the Digital India Foundation. The DPI, particularly the Unified Payments Interface (UPI) and Aadhaar, has been instrumental in formalizing India’s economy, empowering its vast and diverse population, and challenging traditional payment monopolies. It represents a unique, policy-driven approach that blends public and private sector participation, aiming for broad inclusivity rather than just serving the affluent.
I. Core Philosophy and Context Addressing India’s Unique Challenges: India’s DPI was developed to address the needs of its “100 million plus” households, representing “500 million people” who were largely deprived and excluded from the burgeoning digital economy. Traditional private platforms primarily targeted the “top 1%,” while public approaches lacked state capacity and risked centralization. (00:07:39, 00:10:50) A “Digital Public Infrastructure” Approach: India adopted a “distro public infrastructure” model, which emphasizes diversity, choice, openness, and sovereignty. It’s a collaborative effort involving both public and private sectors. (00:11:08) Contrast with Other Models: Unlike purely private platforms or a “totally state-led model” like China’s, India’s DPI is designed to be a democratic solution. “We could not go with private platforms, and we never had the state capacity like China to go for a totally state-led model.” (00:09:30, 00:16:40) II. Key Components and Their Impact A. Aadhaar: Unique Digital Identity Foundation of DPI: Over the last 10 to 15 years, India has established “more than 1.3 billion Aadhaar,” a unique digital identity based on 10 biometrics (fingerprints and iris scan) for “99% of Indians.” (00:11:37, 00:11:50) Enabled EKYC: Aadhaar facilitated “EKYC (Know Your Customer),” drastically reducing the cost of customer acquisition for banks. The cost of KYC dropped from “$25 to $1.” (00:12:02, 00:21:16, 00:21:21) This cost reduction made it economically viable for banks, previously reluctant due to high offline verification costs, to open “zero-cost accounts” for the rural and unbanked population. (00:21:21, 00:21:29) Broad Financial Inclusion: This initiative, known as “JanDhan Yojna,” led to “more than 500 million people [having] bank accounts, which is totally zero cost.” (00:19:53, 00:21:10) B. Unified Payments Interface (UPI) Solution to Payment Friction: UPI addressed significant problems in India’s financial landscape, including limited digital transactions, high costs for credit card usage, reliance on paper receipts, and lack of “information collateral” for poor individuals seeking credit. (00:15:08, 00:16:56) Massive Adoption and Interoperability: As of March 2025, UPI recorded “more than 18 billion transactions.” (00:18:30) Over 200 banks are integrated, and it’s “totally interoperable.” A payment between a customer from Bank A and a merchant from Bank B takes “less than 10 seconds” via a QR code scan. (00:18:37, 00:18:42, 00:18:54) There is “no MDR (Merchant Discount Rate)” for most transactions, which incentivizes small vendors like vegetable sellers to adopt digital payments. (00:19:04, 00:19:15) “Every part of the country is using UPI,” demonstrating “deeper usage” even in poorer regions. (00:31:47, 00:31:52) Economic Empowerment: For retailers, UPI reduces the “cost of business” by allowing them to “service 3-4 people at a time” without handling cash and change. (00:29:21) It empowered women by ensuring that earnings from their stores went directly to their bank accounts, preventing misuse of physical cash. (00:30:13, 00:30:24) Challenging Global Monopolies: UPI has fundamentally reshaped the global payment landscape. It involves a diverse range of participants including “Visa, Mastercard, Google Pay, Phone Pay, American Express.” (00:33:45, 00:33:50) “It is not dominant by two major players,” effectively “break[ing] monopoly of private players.” (00:33:50, 00:33:58) UPI has “crossed the transaction volumes of Visa and Mastercard combined.” (00:34:14) “46% of real-time payments across the world happen out of India.” (00:34:21) Beyond the “Bottom of the Pyramid”: DPI, including UPI and EKYC, has also benefited the middle and upper-middle classes. The reduced KYC cost facilitated the opening of “more than 190 million DMAT accounts” (online stockbroking accounts) between 2016 and 2024, many for “first-time users.” (00:34:43, 00:35:08, 00:35:14, 00:35:52) This formalizes the economy and encourages savings. III. Enablers and Policy Framework Government Subsidies: An ongoing annual government subsidy of “$0.2 billion for MDR” (Merchant Discount Rate) for UPI usage is in place. This is viewed as an investment in “public railroad” or “public highway” infrastructure due to its immense “inclusion value.” (00:40:41, 00:40:54, 00:41:09) Agile Policy: The success of DPI is underpinned by “agile policies.” Examples include: The central bank’s allowance for EKYC (2012-2013). (00:45:04) An IT Act making “digital documents equivalent to offline documents” for digital locker services. (00:45:21) The RBI’s Digital Payments Committee recommending UPI. (00:45:49) Government procurement shifting to “totally digitally” platforms using UPI. (00:46:39) Leadership and Trust: The Prime Minister’s public use of UPI and foreign leaders using it in India “enhances trust in people,” creating a “virtuous cycle.” (00:47:01) Mobile-First, Low-Tech, Multilingual: The platforms are designed to be mobile-first, multilingual, and low-tech, supporting feature phones and even “offline availability.” (00:39:31, 00:39:38) Internet Penetration: Government efforts to provide “free internet” increased coverage from 25% to 48%, a “major contributor for UPI.” (00:33:11) Indigenous Development: All platforms are “indigenously made,” addressing specific Indian problems. (00:39:38) IV. Future Directions and Challenges Next Stage: Credit Enablement: With 500 million bank accounts and 1.2 billion digital identities, the focus shifts to empowering users by providing credit. (00:36:00, 00:36:26) Account Aggregator: A framework allowing individuals to consent to share their financial data between banks, mutual funds, insurance providers, etc., using the EKYC framework, to facilitate consumer and business loans. (00:36:41, 00:36:53) Open Credit Enablement Network (OCEN): This leverages the transaction data from informal vendors (e.g., vegetable sellers) who now have “information collateral” on their transaction frequency and average ticket size, making it “easier for banks to also financialize them.” (00:37:29, 00:37:35, 00:37:49) This moves DPI beyond just a base to “formalize the economy.” (00:37:49) Global Export of DPI: India aims to share its open-source DPI frameworks, including UPI APIs on GitHub, “freely to anyone around the world.” This includes cross-border payment solutions and sharing its vaccination system. (00:38:16, 00:38:34, 00:38:42) Future Open Data Platforms: The “India Stack was the beginning,” with future initiatives including digital commerce, online financial information sharing, online credit availability, digitization of health records, AI-based voice, and digital skills. (00:38:54, 00:39:04) Tech Sovereignty: India advocates for “tech sovereignty” to avoid reliance on foreign private entities that could “cut off my access” due to geopolitical tensions, as seen in the Russia-Ukraine war. The aim is to prevent private companies from engaging in “geopolitical positioning.” (00:48:14, 00:49:06, 00:49:32, 00:49:45) Fraud and Cybersecurity: With massive scale, the system faces “more than a million cyberattacks” annually, including those from state and non-state actors. (00:51:38, 00:51:49, 00:51:53) Common frauds include “digital arrest” scams using AI-based voice to demand UPI transfers. (00:53:00, 00:53:07) RBI is implementing measures like mandating brokers to use “authenticated UPI IDs,” displaying the recipient’s name before transfer, and nudging users not to pay while on a call. (00:55:54, 00:56:03, 00:56:10) The direct debit nature of UPI makes reversing fraudulent transactions difficult once money is transferred. (00:54:47) Ongoing efforts include public advisories and potential future escrow services. (00:53:23, 00:57:00) V. ConclusionIndia’s DPI journey, marked by the success of Aadhaar and UPI, demonstrates a powerful model for digital inclusion and economic formalization in a democratic context. By leveraging agile policy-making, strategic government investment, and open-source technology, India has built a robust digital public good that empowers its citizens and offers significant lessons for the Global South. The ongoing challenge lies in mitigating fraud and expanding the system to foster greater financial empowerment through credit, while maintaining technological sovereignty.
For more details, including the slides, meeting recording and transcript, please see our wiki 2025-06-26 Aakash Guglani & Enhancing Trust using Digital public Infrastructure (DPI) – Home – Confluence
https://www.linkedin.com/in/aakashguglani/ https://digitalindiafoundation.org/The post ToIP EGWG 2025-06-26: Aakash Guglani, Enhancing Trust using Digital Public Infrastructure (DPI) appeared first on Trust Over IP.
We’re excited to announce that Human Colossus Foundation (HCF) will participate in GC25: Global Digital Collaboration on Wallets & Credentials, taking place on July 2, 2025. This important event, hosted by the Swiss Confederation, brings together leading organizations and innovators to shape the future of digital wallets, credentials, and interoperable identity systems.
At HCF, we believe that empowering individuals to control their own digital space is foundational to building a sustainable and trustworthy digital society. This vision is captured in our ongoing work around the concept of the Digital Self, as discussed in our blog post Self Actioning System, a preferred systematic embodiment of “Digital Self”. Central to this idea is the belief that enabling global digital collaboration can only emerge when individuals have sovereignty over their credentials and interactions.
HCF on Governance in Digital TradeAs part of GC25, HCF will also participate in the panel discussion "Governance in Digital Trade – Decentralization as Response to Challenges in a Multi-Polar World." moderated by Stephan Wolf from the Verifiable.Trade Foundation and including the Digital Governance Institute, FIWARE, and the Asia PKI Consortium, we will bring forward the necessity of a digital governance able to consider the sovreignty of peer-to-peer connections in a multi-polar world.
The world is changing rapidly, placing supply chains and financial systems under increasing pressure. In a multi-polar landscape shaped by shifting tariffs and transformative AI, flexibility and speed have become essential. Digitalisation and open networks provide a clear path to inclusive global market participation. However, governance remains a largely overlooked but crucial topic.
This session will explore current initiatives but also deal with challenging questions. By examining these questions from different perspectives, the panel aims to bridge public and private demand to address the complexities of modern global trade.
HCF will contribute its perspective on how decentralized governance models, such as those enabled by the Dynamic Data Economy, can empower organizations and individuals alike.
Digital Self: Enabling Individual AgencyThe Digital Self represents a shift from centralized data control to individual empowerment, allowing each person to define, manage, and protect their digital identity and data assets. Events like GC25 are critical because they convene diverse stakeholders to co-create frameworks and standards that make this shift possible — from verifiable credentials to interoperable wallets.
Introducing the Dynamic Data EconomyHCF is contributing to this discussion through the introduction of the Dynamic Data Economy (DDE), a groundbreaking approach outlined in our launch announcement. The DDE offers an infrastructure where data is not merely a static asset but a dynamic, contextual element that individuals can control and share on their terms.
This model supports privacy, promotes innovation, and opens the door to new economic models centered around consent and transparency — all essential ingredients for a human-centric digital future.
Looking AheadOur participation in GC25 aligns with our mission to advance data governance standards that prioritize individual autonomy. By collaborating with global leaders at this event, we aim to further the conversation on building infrastructures that respect and reinforce the Digital Self.
We invite all who share this vision to join us in exploring how we can collectively build a more equitable, dynamic, and user-controlled digital ecosystem.
Stay tuned for more updates from GC25 and beyond!
Dashlane lets you open an account with a FIDO2-spec USB security key as your authentication.
One of the better-known password managers is now inviting people to try it without having to create yet another password. Instead, Dashlane is now inviting people to try opening a new account secured only by a USB security key compliant with the “FIDO2” authentication standard; FIDO being short for Fast Identity Online.
Emphasize “try.” The company’s support page for this “early access” program notes that it supports only Google Chrome and Microsoft Edge, not Dashlane’s mobile apps. For now, it doesn’t let you create an account secured only by a passkey, the form of FIDO2 security more people use.
The page also highlights a warning that this is an early-days exercise: “Important: Accounts created as part of the early access program are for testing purposes only. We recommend using your primary Dashlane account to store and manage your data.”
For all of us who hate passwords, passkeys represent a simpler and safer way of authenticating online accounts. But adoption has been slow, with many companies and websites still relying on passwords. Now the world’s biggest social media platform is jumping on the bandwagon.
On Wednesday, Facebook announced that it’s now rolling out support for passkeys on mobile devices. This means you’ll be able to use one to sign in to Facebook on an iPhone or Android device. But the passkey won’t be limited to your actual Facebook account.
Andrew Shikiar, Executive Director and CEO of the FIDO Alliance, joins us to discuss the shift from passwords to passkeys and the role of FIDO in driving secure, passwordless authentication. He explores the challenges of adoption, the importance of identity verification, and how cross-platform interoperability is accelerating passkey use. The conversation also touches on the impact of generative AI on cybersecurity and what the future holds for passkeys in building long-term resilience.
Apple this week provided a glimpse into a feature that solves one of the biggest drawbacks of passkeys, the industry-wide standard for website and app authentication that isn’t susceptible to credential phishing and other attacks targeting passwords.
The import/export feature, which Apple demonstrated at this week’s Worldwide Developers Conference, will be available in the next major releases of iOS, macOS, iPadOS, and visionOS. It aims to solve one of the biggest shortcomings of passkeys as they have existed to date. Passkeys created on one operating system or credential manager are largely bound to those environments. A passkey created on a Mac, for instance, can sync easily enough with other Apple devices connected to the same iCloud account. Transferring them to a Windows device or even a dedicated credential manager installed on the same Apple device has been impossible.
A recent LF Decentralized Trust (LFDT) webinar highlighted a significant advancement in self-sovereign identity (SSI) infrastructure: the release of a new plugin enabling integration between Hedera and the ACA-Py framework. This plugin, developed by DSR Corporation, has been open sourced under the OpenWallet Foundation and extends ACA-Py with support for the Hedera network. Complementing this, a new Python SDK, now part of the LFDT-hosted Hiero project, provides developers with tools to manage Decentralized Identifiers (DIDs) and Hyperledger AnonCreds Verifiable Credentials on Hedera using the Hedera Consensus Service. Together, these contributions—spanning both the OpenWallet and Hiero ecosystems—anchor critical identity metadata to Hedera’s high-throughput, public distributed ledger and expand the reach of open source digital identity tooling.
Whitepaper on AI Supply Chain Risks and Agentic Systems Workstream Strengthen the Coalition's Impact on Secure AI Development
Boston, MA 26 June 2025 – The Coalition for Secure AI (CoSAI), an OASIS Open Project dedicated to advancing AI security, proudly welcomes Palo Alto Networks and Snyk as Premier Sponsors. Their commitment reinforces CoSAI’s rapidly expanding network of 45 partner organizations united in the mission to advance secure and trustworthy AI. This growth comes as CoSAI deepens its technical leadership with the release of a whitepaper focused on securing the AI software supply chain and the launch of a dedicated workstream on secure agentic system design, addressing the security implications of increasingly autonomous AI systems.
Expanding Industry Support
“Securing AI is one of the most urgent challenges facing the industry today,” said Sam Kaplan, Assistant General Counsel for Public Policy & Government Affairs, Palo Alto Networks. “By joining CoSAI, Palo Alto Networks is proud to support open collaboration that empowers developers to embed security from the start.”
Manoj Nair, Chief Innovation Officer, Snyk, added, “As AI transforms the cybersecurity landscape, proactive security standards are essential. Snyk is excited to contribute to CoSAI’s growing efforts to develop practical, open tools for safer AI adoption.”
Palo Alto Networks and Snyk join CoSAI’s distinguished group of Premier Sponsors – including EY, Google, IBM, Microsoft, NVIDIA, PayPal, Protect AI, Trend Micro, and Zscaler – united in accelerating the development of secure and responsible AI across industries.
New Landscape Paper: Addressing Security Risks in the AI Supply Chain
CoSAI’s first landscape paper, Establish Risks and Controls for the AI Supply Chain, explored further in our blog post, was developed through cross-sector collaboration to help teams integrate security at every stage of the AI system lifecycle, from design to deployment. Published by CoSAI’s Workstream 1: Software Supply Chain Security for AI Systems, the paper examines the unique supply chain security risks of AI systems, focusing on data, infrastructure, applications, and models, and highlights the need for specialized safeguards beyond traditional security practices. It also outlines key vulnerabilities, roles across stakeholder groups, and evaluates existing frameworks like SAIF, MITRE ATLAS, and OWASP AI Exchange to identify gaps and guide a more resilient, secure AI development lifecycle.
“This landscape paper is a significant step forward in AI security, offering comprehensive risk overview and practical protection strategies,” said Matt Maloney, Manager of Technical Staff at Cohere and CoSAI Workstream 1 Lead. “It’s an important resource mapping supply chain risks and highlighting where traditional controls fall short,” added Andre Elizondo, Principal Solutions Engineer at Wiz and CoSAI Workstream 1 Lead. Both emphasized the paper’s evolution alongside emerging AI agent technologies.
Introducing a New Workstream on Secure Agentic System Design
To address the growing need for secure-by-design approaches to autonomous AI, CoSAI has launched Workstream 4: Secure Design Patterns for Agentic Systems. This new track focuses on developing security models and architectural guidance for agentic systems, including updates to AI threat modeling, secure infrastructure design, and cross-system integration.
The addition of Workstream 4 complements CoSAI’s three existing workstreams:
Workstream 1: Software Supply Chain Security for AI Systems Workstream 2: Preparing Defenders for a Changing Cybersecurity Landscape Workstream 3: AI Security Risk Governance“The launch of a workstream focused on Secure Agentic System Design reinforces CoSAI’s commitment to addressing the growing complexity of AI-driven autonomous systems,” said Workstream 4 Leads Sarah Novotny, Independent Consultant, and Ian Molloy, Department Head, Securing AI, IBM Research. “As agentic systems become more capable and pervasive, it becomes critical to ensure they are built on a foundation of security, transparency, and accountability.”
Get Involved
CoSAI welcomes technical contributors, researchers, and organizations to participate in its open source community and support its ongoing work. OASIS welcomes additional sponsorship support from companies involved in this space. Contact join@oasis-open.org for more information.
Media Inquiries: communications@oasis-open.org
The post Coalition for Secure AI Welcomes Palo Alto Networks and Snyk, Advances AI Security with New Publication and Workstream appeared first on OASIS Open.
The FIDO Alliance hosted its annual India Working Group (FIWG) Member Meetup & Workshop on June 6, 2025, at Google’s Ananta campus in Bengaluru. With over 100 attendees representing leading technology companies, financial service providers, telecom operators, government agencies, retailers, and platform providers, the event served as an important forum for advancing phishing-resistant, passwordless authentication efforts in India.
The program began with welcome remarks from FIWG Chair Niharika Arora (Google) and Vice Chair Tapesh Bhatnagar (G+D), followed by a keynote address from FIDO Alliance President Sam Srinivas. Sam’s session offered a forward-looking overview of the global FIDO roadmap, covering recent progress in passkey adoption, certification, and platform interoperability, highlighted by many attendees as one of the most valuable sessions of the day.
Throughout the morning, FIWG member organizations shared implementation case studies drawn from real-world deployments. Christopher Clement Soris of Zoho Corporation presented lessons from integrating passkeys into enterprise workflows, emphasizing developer enablement and user trust. Vishu Gupta, Piyush Ranjan, and Deepak Singal of Times Internet shared insights into their journey deploying passkeys across consumer media platforms, with a focus on UX challenges and account recovery design. Shantanu Shirke of Mastercard showcased its Global Financial Framework (GFF) through a live demo of its FIDO-enabled authentication solution, and Simon Trac Do of VinCSS introduced applications of the FIDO Device Onboard (FDO) protocol for secure and scalable onboarding of IoT devices.
The Google Android and Chrome teams, including Niharika Arora, Eiji Kitamura, and Neelansh Sahai, provided updates on platform support for passkeys, highlighting recent enhancements to Android APIs, Chrome UX flows, and best practices for relying parties. These updates offered implementers concrete guidance on leveraging native OS features to enable seamless, secure sign-ins.
The event concluded with a panel discussion titled “Modern Authentication Meets Legacy Systems,” moderated by Niharika Arora and featuring Amit Mathur (Ensurity), Rooparsh Kalia (Mercari), Rahul Dani (Yubico), Tom Sheffield (Target), and Sam Srinivas (Google). The discussion addressed practical challenges in deploying FIDO-based authentication in environments with legacy infrastructure, including backward compatibility, account recovery, and risk trade-offs. Panelists shared candid reflections and emphasized the importance of phased integration strategies and cross-industry collaboration.
Compared to the 2024 edition, this year’s workshop reflected a clear evolution, from awareness-building to implementation maturity. While last year’s focus was largely on introducing the promise of passkeys and FIDO standards, the 2025 program emphasized operational insights, technical execution, and collaborative solutions.
[Watch the Highlight Video]Through post-event surveys, participants expressed strong appreciation for the event’s practical focus, noting the value of detailed case studies, direct access to platform teams, and the opportunity to connect with peers tackling similar challenges. Many described the in-person format as especially effective for fostering shared understanding and building momentum.
As passkey adoption continues to accelerate across India, the India Working Group remains a vital platform for aligning implementation efforts, exchanging knowledge, and enabling long-term deployment success. Sincere thanks to all speakers, panelists, and attendees for their contributions, and to Google for hosting us in Bengaluru. We look forward to continuing this important work together throughout 2025 and beyond.
*Read last year’s recap: 2024 FIDO Alliance India Working Group Meetup and Workshop
The post South Florida Leaders Gather to Explore the Future of Learning, Hiring, and Innovation appeared first on Velocity.
Apple has announced significant enhancements to its operating systems that will implement secure import and export capabilities for passkeys, building on the company’s ongoing efforts to eliminate traditional passwords. The new features match standards developed by the FIDO Alliance for cross-platform credential management, joining similar initiatives from Microsoft and Google in the push toward passwordless authentication.
The new implementation will enable seamless and secure transfer of passkeys across platforms, addressing previous limitations in transferring credentials between devices and applications. The system uses a standardized data schema developed by the FIDO Alliance to ensure compatibility between different credential manager apps across iOS, iPadOS, macOS, and visionOS 26. The standardization is particularly significant as password-based attacks continue to rise, pushing the industry toward more secure authentication methods.
Passwordless authentication has picked up in recent years. But the method drawing the most interest in security circles is physical security keys based on the FIDO2 standard.
These USB or NFC keys offer something beyond the usual passwordless methods, like synced device passkeys or biometric logins. Here, you’re not relying on cloud-stored credentials or browser memory. Instead, everything depends on holding the key and verifying it with something only you know, like a PIN or fingerprint.
This shift to hardware security keys is gaining momentum across industries. Dashlane, for instance, has just rolled out an update that enables users to make a FIDO2 key their main passwordless login for unlocking credential vaults.
In this article, we explore where passwordless authentication stands today, what makes physical keys different, and how platforms are handling the hard parts like recovery, usability, and long-term security.
Confused by the new regulations and a patchwork of state-level policies?
With a new administration setting fresh policy priorities, supply chains are facing shifting rules and growing pressure to adapt.
Maggie Lyons, Vice President of Government and Regulatory Affairs at GS1 US, joins hosts Reid Jackson and Liz Sertl to decode the changes affecting how products are made, moved, and sold, and what businesses can do to stay ahead. From SNAP waivers and red dye bans to extended producer responsibility (EPR) laws and 2D barcodes, this episode breaks down how government decisions are impacting daily operations across food, retail, and consumer packaged goods (CPG).
Maggie’s team works with policymakers and industry leaders to align mandates with existing systems, helping avoid duplication and enabling efficient, standards-based implementation.
In this episode, you’ll learn:
How state-level regulation is influencing national supply chain strategies
Why new ingredient bans could create a ripple effect across CPG brands
What you can do to stay ahead of policy changes impacting your industry
Jump into the conversation:
(00:00) Introducing Next Level Supply Chain
(02:07) Why GS1 built a policy team
(04:02) From Capitol Hill to CPG strategy
(06:34) Staying focused amid constant regulatory shifts
(08:48) Government agencies shaping supply chain standards
(10:38) Customs, tariffs, and food assistance priorities
(14:59) How SNAP waivers complicate retail operations
(17:57) What red dye bans mean next
Connect with GS1 US:
Our website - www.gs1us.org
Connect with the guest:
Maggie Lyons on LinkedIn
For modern IT or Internet users, logging in to a website or app using a password is all too familiar. Increasingly, however, passwords create security concerns as they can be easily cracked or stolen. This is where passwordless authentication provides a more secure and convenient alternative.
“Password fatigue is real. Users demand faster, frictionless ways to authenticate without remembering complex strings,” said Edwardcher Monreal, Principal Solutions Architect for IAM Consumer Authentication Solutions at HID.
Kia ora,
Matariki is a time for remembrance, celebration, and looking toward the future. Traditionally, Matariki was a time to honour ancestors, celebrate the harvest, and acknowledge the changing seasons.
Today, we stand at a pivotal moment where two transformative technologies – digital identity and artificial intelligence – are reshaping the fabric of society. As the marginal cost of knowledge approaches zero, decentralised systems offer abundance creation through co-operation, as opposed to sticking with a more traditional scarcity-based approach.
For DINZ members, the adoption playbook demands conscious choices: about focus, trade-offs, standards, and sovereignty. As local momentum builds around the world’s first decentralised credential identity ecosystem, the question is no longer whether disruption will occur – but how we collectively shape it, and who it serves. Perhaps Moby put it best in his 2002 song “We are all made of stars.”
It is hard to believe we are still using multi-password sign-on and facsimiles of identity proofs in an era where nearly everything we do is online. For those frustrated by the pace of change, it is important to remember we’re building a system for 30 years, of which the past five years has been very much design and build. The next five years will be about driving adoption.
With a tsunami of digital credentials hitting global markets, the race to be “first to issue” DISTF accredited credentials is on! At the starting line are the DIA, NZTA, Air NZ, Hospitality NZ, alongside other go-to-market models such as Apple and Google’s online proxies.
Techweek Highlights
Those fortunate enough to attend Digital Public Infrastructure: The Invisible Foundation for NZ’s Digital Future in the General Assembly room in Parliament would have heard Minister Collins deliver the powerful message that “digital identity is the key to unlocking productivity in New Zealand.”
The Minister’s call to action was compelling, raising the question of whether centralised apps are the answer for a citizen-centric experience at this particular technology inflection point still open for debate.
It is encouraging to see a shared understanding that the implementation of digital public infrastructure (DPI) will provide New Zealanders with an inclusive, future-ready trust layer that enhances privacy, security, provenance and fraud prevention, while preserving Aotearoa’s economic sovereignty.
What’s more, an interoperable decentralised identity ecosystem will support the profound productivity improvements presented by hyperscale AI, without diminishing human agency by moving our data (and your soul) into someone else’s “cloud”.
Digital Trust Hui Taumata – Update
We have secured the world’s foremost native digital credential architect and builder James Monaghan to deliver the international keynote and host roundtable discussions at the Digital Trust Hui at Te Papa on 12 August, 2025.
This must-attend identity conference promises to be more “Doey” than Hui. Our valued sponsors will showcase the most exciting identity projects in this space, and show how accelerating adoption of Trust Technology can help mitigate concerns around AI-related risks.
Roundtable discussions are currently being shaped around four key focus areas:
Assuming sufficient interest from government and industry sponsors, we plan to arrange an ecosystem design workshop with James Monaghan while he is in Wellington.
The Census Goes Digital: A Shift Towards Data-Driven Public Infrastructure
Stats NZ has officially retired the traditional census, opting instead for a new approach that leverages integrated administrative data. This marks a significant shift in how the government collects and uses trusted digital information – reinforcing the need for secure, privacy-preserving identity systems to ensure accuracy, inclusion, and transparency. It’s a timely reminder of the critical role digital identity plays in building smarter, citizen-centric public services. Read the full RNZ article.
Welcome to Our New Chair – Maria Robertson
Please join me in welcoming Maria Robertson as the new Chair of DINZ. You can read her introductory statement to the DINZ community on our website.
As we reset the DINZ playbook and hone our focus to accelerate adoption, Maria has already started to elevate our thinking thanks to her extensive experience across the public service, infrastructure and secondary industries.
Suffice to say, the first few weeks have been a baptism by fire, but I’m thoroughly enjoying being back in the identity services world at such a pivotal time. Your feedback is encouraged as we strive to fan the flames of adoption by issuers, holders and relying parties for the empowerment of all New Zealanders.
Mānawatia a Matariki,
Andy Higgs
Executive Director, Digital Identity NZ
Read full news here: Ready…Reset…Go!
SUBSCRIBE FOR MOREThe post Ready…Reset…Go! appeared first on Digital Identity New Zealand.
DIF Labs Beta Cohort 2 officially kicks off tomorrow, June 24th at 8 AM PST! This cohort brings together three projects that will advance privacy, legal frameworks, and governance in verifiable credentials.
Meet Our Beta Cohort 2 Projects Legally-Binding Proof of Personhood for Verifiable Credentials via QESLed by Jon Bauer and Roberto Carvajal
This project creates a standardized method to anchor Verifiable Credentials to legally recognized, high-assurance proof of an individual's identity through Qualified Electronic Signatures (QES). By leveraging eIDAS-recognized QES technology, this work will enable any W3C Verifiable Credential to carry the same legal weight as a handwritten signature.
labs/proposals/beta-cohort-2-2025/legallybinding-vcs/legallybinding-vcs.md at main · decentralized-identity/labs An incubation chamber for Decentralized Identity focused development - decentralized-identity/labs GitHubdecentralized-identity Privacy-Preserving Revocation MechanismLed by Kai Otsuki and Ken Watanabe
This research project delivers an analysis of privacy-preserving revocation mechanisms for W3C Verifiable Credentials. The team will catalog real-world revocation scenarios, benchmark cryptographic mechanisms including status lists, dynamic accumulators, zk-SNARK proofs, and short-term credentials, and provide an open-source prototype evaluating computational costs for Issuers, Holders, and Verifiers.
labs/proposals/beta-cohort-2-2025/pp-revocation-mechanism/001_proposal.md at main · decentralized-identity/labs An incubation chamber for Decentralized Identity focused development - decentralized-identity/labs GitHubdecentralized-identity Anonymous Multi-Signature Verifiable CredentialsLed by Seohee Park and Lukas Han
This protocol enables Verifiable Credential issuance that requires m-of-n multi-signature approval while maintaining anonymity of individual signers. Using Semaphore, it enables decentralized governance for VC issuance in organizations such as DAOs or government agencies, cryptographically proving sufficient participation without revealing participating member identities.
labs/proposals/beta-cohort-2-2025/anon-multi-sig-vc/anon_multi_sig_vc_proposal.md at main · decentralized-identity/labs An incubation chamber for Decentralized Identity focused development - decentralized-identity/labs GitHubdecentralized-identity Gratitude to Our Leadership TeamWe extend our thanks to our project leads who will be driving these initiatives forward. Their expertise is essential to advancing the state of verifiable credentials technology.
We're grateful to our mentors who share their knowledge and experience with our cohort participants. You can learn more about our mentor network in our directory.
Recognition goes to our chairs who provide strategic guidance and oversight:
Andor Kesselman Ankur Banerjee Daniel Thompson-Yvetot What's Next?Tomorrow's kick-off session will bring together all participants to align on project goals, establish collaboration frameworks, and set the stage for three months of research and development. These projects address challenges in legal compliance, privacy preservation, and decentralized governance.
Stay tuned for updates as Beta Cohort 2 progresses.
DIF Labs continues to foster innovation in decentralized identity through collaborative research projects. Learn more about Lab's work at labs.identity.foundation.
As Hyperledger Foundation laid out in the Helping a Community Grow by Pruning Inactive Projectspost, there is an important life cycle to well governed open source projects. Through the evolution of the market, Hyperledger Foundation and, now, LF Decentralized Trust has been the home to a growing ecosystem of blockchain, identity, and related projects.
As the new Chair of the Executive Council of Digital Identity NZ, I am looking forward to leading a passionate and future-focused community working to build a trusted, inclusive, and interoperable digital identity ecosystem for New Zealand, building on the impressive work the Executive Council has done over the past few years .
With a background in executive leadership across public service and advisory roles I have advocated for and delivered the transformative potential of digital identity as public infrastructure. Whether enabling seamless access to services, supporting mobility and consent, or underlining trust in our digital economy, identity – in all of its forms – is foundational to a modern, resilient society.
DINZ plays a crucial convening role across government, iwi, industry, and civil society. As Chair, my focus is to champion practical progress: supporting policy and technical frameworks that uphold te ao Māori perspectives on identity, ensuring identity solutions reflect the needs of all New Zealanders, and advocating for interoperability that positions us as globally connected and locally grounded.
Our mission is urgent and clear: to enable every person in Aotearoa to participate safely and confidently in the digital world. I look forward to working with all our members to realise that vision.
Maria Robertson.
The post Introductory Statement – Chair of the Executive Council, Digital Identity NZ appeared first on Digital Identity New Zealand.
Source: Original LF Decentralized Trust post
Wenjing Chu, Chair of the AI and Human Trust Working Group at Trust over IP, an LF Decentralized Trust project | Jun 12, 2025
In a world where AI can create photos, videos, and even voices that look and sound real, how do we know what to trust?
Every day, more content we see online is generated or altered by AI. That’s not always a bad thing. AI can help us create amazing art, get work done faster, or imagine new possibilities. But it also opens the door to misinformation, impersonation, and confusion. When anyone can create content that looks authentic, how do we tell what’s actually real?
To enhance human trust in AI systems and explore how AI itself can be used to address complex trust challenges in digital ecosystems, Trust over IP (ToIP), a project of LF Foundation Decentralized Trust, has launched a new AI and Human Trust (AIM) Working Group. It builds on the work done over the past three years by ToIP’s AIM task force.
The recently released white paper from the working group, ToIP Trust Spanning Protocol (TSP): Strengthening Trust in Human and AI Interactions, offers a way forward for building, maintaining and verifying interactions involving AI technologies. It brings together three powerful tools, the Trust Spanning Protocol (TSP)1, the C2PA Specification2, and the work of the Creator Assertion Working Group (CAWG)3, to build a system of authenticity for the digital world.
The key components include:
TSP (Trust Spanning Protocol) provides a strong foundation for online trust between people, platforms, and tools—making sure that when something claims to come from someone, it actually does. (The “Connector”) The C2PA Specification is a growing standard that helps attach a digital “nutrition label” to content—showing when it was made, how it was edited, and by what capture devices or software. (The “How” and the “What”) CAWG (Creator Assertion Working Group at DIF) focuses on making sure that individual and organizational content creators can identify themselves with their content and provide additional information for their audience to understand their content. (The “Who”)Why do we need all three? Because content authenticity isn’t just about how something is created. It’s also about who made it, and how it gets communicated through public networks while retaining the integrity of actions made to it. C2PA gives us technical metadata about tools and edits. CAWG ensures the human creator is identified and attributed. And TSP makes the entire chain, from camera or AI tool to multiple individual human collaborators to final distribution platform, trustworthy at every step. Together, they provide a complete system covering creation, collaboration, and distribution.
All put together, these can help us answer the most important question about this digital artifact: Can I trust this?
This isn’t just a technical fix. It’s a new way to think about digital truth. And the paper lays out a path toward a future where users can more confidently trust the source and actions made to digital content in a way that’s accountable, verifiable, and respectful of creators.
Read the full white paper here.
We invite technologists, developers, artists, policy makers, and everyday internet users to take a look. It’s about restoring trust in a world where AI has blurred the lines of what is real and what is artificially generated.
1. Trust Spanning Protocol (TSP) is an ongoing work by Trust over IP (ToIP), a project of LFDT: https://trustoverip.github.io/tswg-tsp-specification
2. The C2PA Specification is an ongoing work by The Coalition for Content Provenance and Authenticity (C2PA): https://c2pa.org/specifications/specifications/2.2/index.html
3. The Creator Assertions Working Group (CAWG) is a joint effort by the Decentralized Identity Foundation (DIF) and ToIP. See https://cawg.io
__
Want to dive deeper into ToIP’s work on verifying authenticity? Check out this LF Decentralized Trust Webinar: Verifiable Authenticity—Answering the Threat of AI Deep Fakes
The post How Can We Trust What We See Online? Here’s One Way Forward appeared first on Trust Over IP.
On the ProjectVRM list, John Wunderlich shared a find that makes clear how advanced and widespread AI-based shopping recommendation has gone so far (and not just with ChatGPT and Amazon). Here it is: Envisioning Recommendations on an LLM-Based Agent Platform: Can LLM-based agents take recommender systems to the next level?
It’s by Jizhi Zhang, Keqin Bao, Wenjie Wang, Yang Zhang, Wentao Shi, Wanhong Xu, Fuli Feng, and Tat-Seng Chua* and is published in the Artificial Intelligence and Machine Learning section of Research and Advances in Communications of the ACM. So it’s serious stuff.
Here’s one graphic from the piece, with its caption:Illustration of the Rec4Agentverse. The left side depicts three roles in the RecAgentverse: the user, the Agent Recommender, and Item Agents, along with their interconnected relationships. In contrast to traditional recommender systems, the Rec4Agentverse has more intimate relationships among the three roles. For instance, there are multi-round interactions between 1) users and Item Agents and 2) the Agent Recommender and Item Agents. The right side demonstrates how the Agent Recommender can collaborate with Item Agents to affect the information flow of users and offer personalized information services.
With VRM, however, we need our own personal AI agents, and useful data that’s not limited to what’s gathered by surveillance (which we can assume is most if not all of the Information layer). So I started a conversation with ChatGPT. I’ll divide it into sections: Who wrote the CACM piece The state of recommendation science Who is working on personal AI How one can get started Forms of personal data to manageThere’s a lot here. The meat of it, for ProjectVRM purposes, starts in section 3. (The first two are more about what we’re up against.) Please read the whole thing and help us think through where to go with the challenge facing us. As we see in section 3, we do have some stuff on our side.
1. Who wrote the CACM piece Me: Can you tell me more about the authors here: https://cacm.acm.org/research/envisioning-recommendations-on-an-llm-based-agent-platform/? ChatGPT:Jizhi ZhangAffiliation: University of Science and Technology of China (USTC), Data Science Lab (inferred from USTC page) cacm.acm.org+14data-science.ustc.edu.cn+14x.com+14.
Keqin Bao, Wenjie Wang, Yang Zhang, Wentao Shi, Fuli Feng, Tat‑Seng Chua
Research Interests: Recommendation systems, LLM-based agent platforms, and interactive intelligent systems—his lead authorship and continued work on Prospect Personalized Recommendation on LLM-Based Agent Platform (arXiv Feb 2024) reinforce this arxiv.org.Affiliations: While CACM doesn’t list this, Jizhi Zhang and Fuli Feng are part of USTC’s Data Science Lab; Tat‑Seng Chua is a distinguished researcher from the National University of Singapore known for multimedia and information retrieval.
Wanhong Xu
Expertise: A mix of recommender system design, LLM-agent evaluation, multimedia analysis, and human-AI interaction—reflecting a blend of USTC’s strengths and CACM relevance data-science.ustc.edu.cn+8cacm.acm.org+8data-science.ustc.edu.cn+8linkedin.com+4arxiv.org+4researchgate.net+4.Affiliation: USTC Data Science Lab (USTC LDS), contributor to the same article .
Broader Context & Contributions
Role: Emerging researcher whose latest publication is this Rec4Agentverse article, indicating an early-career focus in LLM-based recommender systems linkedin.com+8data-science.ustc.edu.cn+8linkedin.com+8.The group operates at the intersection of Large Language Models, agent-oriented systems, and recommender systems, pioneering a Rec4Agentverse paradigm that treats LLM-powered agents as “recommendable” items collaborating with one another—an evolution of traditional recommendation frameworkscacm.acm.org+5cacm.acm.org+5cacm.acm.org+5.
Why This Matters
Their work continues earlier research (e.g., Prospect Personalized Recommendation… in Feb 2024), solidifying their ongoing commitment to expanding intelligent, conversational recommendation platforms arxiv.org.Academic Thought Leadership: Jizhi Zhang and colleagues are pushing forward thinking about how recommendations can evolve when agents—not passive items—are central.
Institutional Backing: All deeply connected to USTC’s Data Science Lab, underscoring strong Chinese academic investment in AI-driven recommender innovation.
Collaborative Reach: Including scholars like Tat‑Seng Chua broadens the research to include international perspectives in multimedia and retrieval systems.In summary: This team is a multidisciplinary cohort—centered at USTC with international collaboration—who are pioneering the idea that LLM agents can become interactive, dynamic items in recommender systems. Their work positions them at the forefront of intelligent agent systems and could reshape how platforms personalize experiences in the future.
If you’re curious about any individual’s past publications, citation impact, or related work (e.g., on Agent4Rec), I’d be happy to dive deeper!
3. The state of recommendation science
Me:
How large is the emerging science, within the AI field, of recommendations?
ChatGPT:
The science of recommendations, particularly within the AI field, is not just emerging—it’s a massive, rapidly evolving subfield that is both academically rich and commercially dominant. That said, it’s also entering a new phase, driven by the rise of large language models (LLMs), interactive agents, and multimodal platforms.
Academic Scope 1. Established Field: Recommender SystemsRecommender systems (RecSys) are a well-developed domain within AI and machine learning, with roots in the 1990s.
Annual conferences like:
ACM RecSys (since 2007)
SIGIR, KDD, WSDM, and NeurIPS regularly feature recommendation research.
Thousands of papers annually on topics like:
Collaborative filtering
Matrix/tensor factorization
Deep learning for recommendation
Fairness, transparency, and explainability in RecSys
Reinforcement learning and bandit algorithms for personalizationCurrent Trends & Expanding Frontiers 2. LLMs + Recommendation = New SubfieldAs of 2024, over 60,000 papers in academic databases (e.g., Google Scholar) are tagged or indexed under “recommender systems”.
A major shift is underway: integrating Large Language Models (LLMs) into recommendation systems.
These go beyond “you may also like” to:
Use natural language context and dialogue
Generate explanations, not just rankings
Support conversational recommendation
Coordinate agent ecosystems, e.g., multi-agent reasoning environmentsExample paradigms:
RecMind – reasoning-aware recommendation agents
3. Multimodal & Multitask Integration
Rec4Agentverse – treating agents as recommendable entities
ChatRecs – integrating LLMs into live user conversationsSystems increasingly blend text, image, video, behavior, and user feedback.
4. Industry Investment
LLMs allow richer personalization using complex user intent derived from unstructured data.FAANG companies (especially YouTube, Netflix, Amazon, TikTok, and Spotify) base their core user experience on AI-driven recommendation.
Estimate of Scope
Billions of dollars are spent optimizing:
Ranking quality
Engagement prediction
Real-time inference
Federated and privacy-preserving personalizationArea
3. Who is working on personal AI Me: And who, if anyone, is working to provide customers with their own personal AI tools: ones that work for them, to empower their own agency in the marketplace? By which I mean truly personal AI, and not the kind personalized by some external LLM (or similar) system. ChatGPT:Estimate (2024–25)
Academic papers (RecSys + AI)
60,000+ overall; thousands per year
Top conferences with recommender tracks
20+ (ACM RecSys, SIGIR, KDD, NeurIPS, etc.)
Active researchers
Tens of thousands globally
Emerging subfields
LLM-based Rec, conversational Rec, agent-based Rec, explainable Rec
Industry scale
In Summary$10B+ annually invested in personalization tech
The science of recommendation is:
Not new, but rapidly evolving
Core to AI applications, especially with LLMs and agents
One of the most commercially and socially impactful domains in modern AI
Growing into new subfields (e.g. Rec4Agentverse, LLM Rec, multi-agent Rec)Let me know if you’d like a visual map of how the recommendation science ecosystem is structured—or who the top authors and institutions are in this space
That’s an essential and forward-looking question—especially as most “AI for you” today really means “AI about you, for someone else.”
While Big Tech firms dominate personalized AI, a growing ecosystem is focused on truly personal AI—that is, AI you own, that works for you (not advertisers or platforms), and that enhances your agency in the marketplace and your life.
Here are the most notable people, projects, and initiatives advancing truly personal AI today:
1. Kwaai and pAI-OS (South Africa / Global)Kwaai is building an open-source, user-sovereign personal AI OS called pAI-OS.
2. Indie AI and Personal Agent projects
Designed to run locally or at user discretion, with full data ownership, modular agent systems, and plugin capability.
Aligns with IEEE P7012 (“MyTerms”) privacy standards (see below).
Actively exploring intentcasting, customer signaling, and VRM (Vendor Relationship Management).
Site: https://kwaai.aiSeveral smaller open-source initiatives are trying to build personal agent toolkits that you can host and configure:
Examples:AutoGen Studio (Microsoft) – allows building agent workflows, some of which can be user-defined. But it’s not yet fully personal or private.
Langroid – open-source framework for local agent-based LLM systems. Designed for extensibility, can be made personal with effort.
OpenDevin, Superagent, Auto-GPT – can be self-hosted, though most are still tool-centric rather than user-centric.
Personal.ai – A commercial startup that says it is personal, but uses centralized storage and fine-tuning, so actual user control is limited.Reality check: Most of these still rely on external LLMs (like OpenAI or Anthropic), even if they claim to be “your AI”.
3. Solid Project (by Tim Berners-Lee)While not AI per se, Solid is a decentralized identity and data storage architecture that allows individuals to store their own data in personal data pods.
4. IEEE P7012 – MyTerms
AI tools can be layered on top to access only the data you choose to share.
Foundation for personal AI assistants that can work with your data, not on others’ clouds.
https://solidproject.orgA standard being developed to flip the notice-and-consent regime—so individuals, not companies, dictate the terms of data use.
5. Project VRM (Vendor Relationship Management)
Backed by Customer Commons and designed to support intentcasting and personal marketplace signaling.
This enables a personal AI to serve as your agent, enforcing your terms and engaging the marketplace on your behalf.Initiated by Doc Searls to empower customers with tools to manage vendors, not just the reverse.
Envisions personal tools (including AI) to:
Signal intent
Manage service contracts
Retain records of offers, purchases, warranties
Avoid manipulation, surveillance, and lock-inProject VRM is not a software project per se, but a framework guiding developers to build personal tools that support individual autonomy.
6. Open-source LLM stacks for local useSeveral local LLM projects can be combined with personal data layers to build truly personal AI:
LM Studio – runs local models on desktop
PrivateGPT – local inference + local documents
Ollama – macOS-native interface for fast-running models like LLaMA, Mistral
LangChain / LlamaIndex – frameworks for building RAG systems with local documentsThese aren’t personal AI systems yet—but they are key ingredients.
SummaryName / Project
Me: Can you name some of the people in the personal AI revolution, and tell me what that DIY stack would contain? ChatGPT:What They Do
Status
Kwaai / pAI-OS
Open, personal AI OS and agent platform
Early but active
Solid
Personal data control layer
Stable; in use
IEEE P7012
Standards for user-enforced data terms
In development
Project VRM
Framework for tools that empower buyers
Thought leadership; toolkits emerging
Local AI frameworks
Tech foundations for personal AI
The GapAvailable, DIY-friendly
Despite this promising landscape, no major platform today delivers a fully integrated, easy-to-use personal AI that you own, configure, and direct—yet. But:
A personal AI revolution is underway, led by privacy advocates, open-source communities, and a few visionary developers—not Big Tech.
Would you like help putting together a DIY stack for your own personal AI toolkit based on this landscape?
Absolutely. Here’s a breakdown of key people involved in the personal AI movement, followed by a practical DIY stack you can start building today.
People Leading or Advancing the Personal AI RevolutionThese individuals aren’t all working on the same projects, but they’re aligned in trying to build AI that’s owned, run, and controlled by the individual—not centralized platforms.
Tim Berners-LeeProject: Solid (stewarded by ODI, commercially implemented by companies including TBLs Inrupt)
Doc Searls
Focus: Decentralized web and personal data ownership via data pods
Impact: Infrastructure for privacy-respecting personal AI agents
https://solidproject.orgProject: Project VRM, Customer Commons, IEEE P7012
Tawanda Kembo & Kwaai team
Focus: Customer empowerment, intentcasting, reversing surveillance capitalism
Impact: Philosophy and standards for customer-directed personal AI
https://projectvrm.orgProject: pAI-OS (personal AI operating system)
Simon Willison
Focus: Agent-centric open-source operating system for personal AI
Impact: One of the few efforts aiming to create a complete personal AI stack
https://kwaai.aiProject: Datasette, open tools for data management
Brian Roemmele
Focus: Personal data control, lightweight databases, LLM + local tooling
Impact: Key figure in the open data + local AI tooling space
https://simonwillison.netProject: Multiplex (personal voice AI)
A DIY Personal AI Stack (2025 Edition)
Focus: Voice-first personal assistants you run locally
Impact: Vocal advocate for true personal AI, often referencing “software you own”This stack assumes local-first, modular, privacy-respecting tools. You can mix and match based on your needs.
Core ComponentsLayer
4. How can I get started? Me: Yes. My technical skill level is modest at best. I can write HTML and do very basic stuff in the command line. I have an extra laptop I can devote to solo work, and Ethernet to a 2.1GB/s symmetrical fiber connection to the Internet with no data limits. ChatGPT:Tools / Projects
Notes
1. OS Layer
Linux, pAI-OS (in dev)
Linux gives flexibility; pAI-OS aims to be a full personal AI OS
2. Local LLM Inference
Ollama, LM Studio, PrivateGPT, LocalAI
Run models like LLaMA 3, Mistral, Phi-3 entirely offline
3. Vector Database
Chroma, Weaviate, Milvus, or SQLite with FTS5
Store and retrieve embedded text data
4. Personal Indexing
LlamaIndex, LangChain, AutoGen, GPTPilot
Feed personal documents and data to your LLM
5. Personal Data Storage
Solid POD, Datasette, Obsidian
Your life’s data, structured and queryable
6. Personal Agent Framework
Superagent, CrewAI, Langroid, AutoGen
Design agents that act on your behalf, modular and scriptable
7. Front-end Interface
Gradio, Streamlit, Tauri app, Electron
Local GUI/UX to interact with your agent
8. Voice Interface (optional)
OpenVoice, Vosk, Whisper.cpp, Coqui TTS
Optional Add-onsBuild voice-in/voice-out agent on your machine
Offline search: Chat over your files, PDFs, photos, and emails with LlamaIndex + PrivateGPT
What’s Still Missing?
Calendar/notes: Sync with Obsidian or local markdown-based knowledge base
Browser agent: Auto-control browser via Puppeteer/Playwright for marketplace navigationTrue personal OS integration (like what pAI-OS is trying to do)
Seamless data portability and contract enforcement (IEEE P7012 is working on it)
Trusted personal AI app ecosystem (some apps, like Beeper or Obsidian, are getting close)Would you like a tailored recommendation for building a personal AI stack based on your technical skill level or use cases (e.g., journaling, research, negotiation, shopping, data querying)?
Great — with your setup (modest technical skills, spare laptop, blazing-fast fiber), you’re in an excellent position to begin building a practical personal AI system without diving too deep into complex dev work. Here’s a recommended stack tailored to your current skills and goals:
YOUR PERSONAL AI STARTER STACK (2025) 1. Platform BaseUse a Linux distribution designed for ease of use and AI tinkering:
Recommended: Pop!_OS or Ubuntu 24.04
2. Run a Local LLM with LM Studio
Easy GUI, good hardware compatibility, lots of online support
Optional: Use your laptop in “air-gapped” mode for privacy and full local controlLM Studio (macOS/Windows/Linux) lets you run LLaMA 3, Mistral, Phi-3, and others without coding.
Built-in UI — chat with models locally, no internet required after download.
You can download 7B or 13B models based on your hardware.
Best for: private journaling, summarizing files, answering questions.Why it’s ideal for you:
GUI-based
3. Chat with Your Files (PrivateGPT / LlamaIndex)
Just click and download models
No API keys or command-line needed once installedPrivateGPT or GPTPilot can let you ask questions across PDFs, emails, and notes stored on your machine.
Start simple: drop files into a folder, let the AI index them.
Optionally install via Docker (one command), or use their prebuilt apps.Use case:
“Summarize this research PDF”
4. Knowledge Base + Journaling with Obsidian
“What did I write about project X last month?”
“Find the email where someone mentioned a refund”Obsidian = Markdown-based knowledge base.
Everything you write stays local.
You can point LM Studio to your notes to query your own memory.Easy way to:
Keep private journals
5. Personal Data Management with Datasette
Index your life
Ask your AI things like “What are my goals for June?”Datasette by Simon Willison lets you browse and query your own data with simple SQL and CSV files.
Feeds AI with structured personal info (purchases, inventory, plans, etc.)
You can install it with a single terminal command:
bash
CopyEdit
pip install datasette datasette serve your-data.db
datasette serve your-data.db
Combine with LM Studio to get responses like:
“What subscriptions do I need to cancel?”
6. Optional: Browser Helper Agent (Local, Simple)
“When did I last back up my photos?”Use AutoBrowser or a simpler Puppeteer script to automate browsing tasks (like checking prices, news, account activity).
7. Privacy Boosters
Start with prebuilt scripts. No coding needed if you copy/paste working examples.Run Tailscale or WireGuard to access your AI remotely if needed.
Putting It All Together
Use LocalAI or Ollama if you later want to run everything without GUI (more advanced).Task
5. Forms of personal data to manage Me: The personal data I need to manage are health records (from 20-plus providers), financial records (fewer than health), travel records (including the kind kept by apps that watch my movements), subscriptions and other recurring payments, shows I have watched and on what channels or services (data gathered by my Samsung and Roku TVs and presumably shared with others but to which I don’t yet have access), continuing work and work history with various clients and employers, contacts, archival and current calendars, real estate, personal items bought or acquired from various sources and where they are kept or stored, and business dealings. What would be the file structure for all that, and how would I manage it? Note that I am not talking about shopping yet; that’s a separate concern. ChatGPT:Tool
Chat privately with an AI
LM Studio
Summarize your own notes or PDFs
PrivateGPT or GPTPilot
Store and reflect on your life data
Obsidian, Datasette
Manage subscriptions and tasks
Datasette + Chat
Ask about your files or history
LlamaIndex or GPT over Obsidian notes
Use voice later (optional)
Next Steps (in plain order)Whisper.cpp, OpenVoice (easy tools)
Install Pop!_OS or Ubuntu on your spare laptop
Install LM Studio and download a 7B model like Mistral or LLaMA 3
Start using it to answer personal questions and summarize documents
Add Obsidian to start journaling and reflecting
Try PrivateGPT or Datasette to search your past or track your lifeWould you like a checklist or an install script to get started with this stack? I can also help you set up a file structure to begin tracking and querying your own data.
Thanks for the detailed breakdown — you’re describing the foundation of a true personal data architecture: structured, queryable, and under your control. Let’s build you a file structure and management strategy that matches your needs without overcomplicating the tech.
Recommended Top-Level Folder StructureThis folder structure is designed to be future-proof, machine-readable, and human-usable. Use plain folders, CSV/JSON/Markdown files, and optional SQLite databases to store structured data. You can later layer tools (like LLMs or Datasette) on top.
markdown CopyEdit/PersonalAI_Data
│
├── Health/
│ ├── Providers/
│ ├── Visits/
│ ├── Prescriptions/
│ ├── Labs_Imaging/
│ └── Insurance_Claims/
│
├── Finance/
│ ├── Bank_Accounts/
│ ├── Credit_Cards/
│ ├── Investments/
│ └── Taxes/
│
├── Travel/
│ ├── Trips/
│ ├── Locations_History/
│ └── Maps_GPX_KML/
│
├── Subscriptions/
│ ├── Streaming/
│ ├── News_Publications/
│ ├── Software_Tools/
│ └── Utilities_Bills/
│
├── Media_Viewed/
│ ├── TV_Shows/
│ ├── Movies/
│ ├── Channels_Services/
│ └── Watch_History.csv
│
├── Work/
│ ├── Employers/
│ ├── Clients/
│ ├── Projects/
│ └── Timesheets_Invoices/
│
├── Contacts/
│ └── contacts.csv
│
├── Calendar/
│ ├── Archive_ICS/
│ ├── Current_ICS/
│ └── Events_Tags.csv
│
├── Real_Estate/
│ ├── Properties_Owned/
│ ├── Rentals/
│ └── Maintenance_Records/
│
├── Personal_Items/
│ ├── Furniture/
│ ├── Electronics/
│ ├── Art_Collectibles/
│ └── Inventory.csv
│
└── Business/
├── Deals/
├── Agreements/
├── Partners/
└── Notes/
Strategy for Managing It All
1. Use Consistent File Types
Data Type
File Format
Structured entries
.csv
, .json
, .sqlite
Notes or logs
.md
(markdown)
Documents
.pdf
, .docx
, .txt
Images/attachments
store in attachments/
subfolder per topic
2. Naming Conventions (Machine + Human Friendly)
Use ISO-like formats to make things sortable and parseable:
yaml CopyEdit2024-06-16_labresults_providerX.csv
2023_Q4_taxes_federal.pdf
clientA_2022-11_contract.pdf
3. Data Capture Tools
You don’t need to build it all manually:
Use Obsidian for ongoing notes (e.g. travel journal, work logs)
Use Paperless-ngx (optional) to OCR and tag your scanned PDFs (health, finance)
Use GPS History Export from Google and Apple for travel/locations
Use email filters or Zapier to auto-download bills, statements, confirmations
4. Querying and ReviewingAdd one or more of these later:
Datasette → browse and search CSVs/SQLite locally
LM Studio + PrivateGPT → ask, “When did I last visit Dr. Chen?” or “What devices are in storage?”
LlamaIndex → index your file tree and let AI search/summarize it
Summary of Benefits Goal This Setup Delivers Total local control You decide access, storage, retention Future AI-readiness Structured enough for agents to use Easy to back up Plain files, portable databases Modular growth Start simple, layer in AI when readyWould you like me to generate a starter template with folder structure and some CSV/Markdown file formats filled in with mock data for each domain? That way you can load it directly into your system and start customizing.
Me again:
That’s it for now.
What should my next request be, or what other direction would you like me (or us) to take this? Or, what are the learnings we have so far in this field that barely exists? Oh, and excuse whatever inaccuracies ChatGPT may have floated above. Or give me fixes. Thanks. *The links are mine and based on searches for those names. I might have some of them wrong, however, since searches for those names bring up many scholars with the same names. And, while each name had a link, they all went to an author archive page that was absent (with one exception) of other contributions to the publication.NEWARK, NJ, June 18, 2025 – A shared commitment to community and service led to a meaningful partnership between Edge, a nonprofit organization that recently transitioned to a fully virtual workforce, and MENTOR Newark, a local organization dedicated to supporting youth through mentoring and empowerment programs.
When Edge found itself with available office space, it began the search for a subtenant. A mutual business contact introduced Edge’s Executive Director of Human Resources and Administration, Amy Olavarria, to Thomas Owens, Executive Director of MENTOR Newark. Olavarria elaborates, “We had been working with a realtor to sublease the space but couldn’t find a good match, until we were introduced to Thomas and learned about his organization’s mission and their need for a new headquarters,” said Olavarria. “I’ve met several of the young adults in the program, and they’re all so mature, motivated, and well-mannered. It’s inspiring to see, and MENTOR Newark is truly an incredible organization.”
Previously located in a lower-level space in the same building, MENTOR Newark had involved its students in renovating their former office, so the move came with some uncertainty. “Our students were deeply involved in creating the previous space, so I wasn’t sure how they would connect with the new one,” admitted Owens. “But when they walked in, they immediately saw the possibilities and were genuinely excited. They appreciated the new amenities, including the kitchen, private bathrooms, and most importantly, their own dedicated area called the Student Office.”
That sense of ownership was on full display during an open house in April 2025, where community members gathered to tour the space and meet the young leaders of MENTOR Newark. “People were moved, and saw the students taking responsibility for the space, engaging with guests, and leading parts of the event,” shares Owens. “There was dancing, laughter, and a strong sense of pride. When people learned it all came together through a partnership between two nonprofits, it left a lasting impression.”
For Edge, the partnership with MENTOR Newark was a natural extension of its mission and community commitment. “Edge is honored to have Thomas and his organization in this space,” adds Olavarria. “Even though MENTOR Newark and Edge are two nonprofits in different industries, we share a common goal: to help and serve the people in our communities and beyond. Working with MENTOR Newark is perfectly aligned with Edge’s brand promise of CONNECTED. COMMITTED. COMMUNITY. I attended their grand opening, and the atmosphere was one of home, community, and acceptance—regardless of age or background. It was a powerful feeling of unity and peace.”
About Edge
Edge serves as a member-owned, nonprofit provider of high performance optical fiber networking and internetworking, Internet2, and a vast array of best-in-class technology solutions for cybersecurity, educational technologies, cloud computing, and professional managed services. Edge provides these solutions to colleges and universities, K-12 school districts, government entities, hospital networks and nonprofit business entities as part of a membership-based consortium. Edge’s membership spans the northeast, along with a growing list of EdgeMarket participants nationwide. Edge’s common good mission ensures success by empowering members for digital transformation with affordable, reliable and thought-leading purpose-built, advanced connectivity, technologies and services.
About MENTOR Newark
MENTOR Newark is the New Jersey affiliate of MENTOR, the National Mentoring Partnership, and connects youth in Newark, New Jersey, to caring mentors who provide guidance, support, and positive role modeling. The organization collaborates closely with the Newark Board of Education to offer mentoring professional development to staff and support the implementation of a comprehensive district-wide student mentoring program. MENTOR Newark actively works with more than 40 local mentoring organizations, many of which run programs within Newark Board of Education schools. To learn more, visit www.newarkmentoring.org.
The post MENTOR Newark Partners with Edge to Find a New Home appeared first on NJEdge Inc.
We’re introducing passkeys on Facebook for mobile devices, offering another tool to safeguard your privacy and security. Passkeys are a new way to verify your identity and log in to your account that’s easier and more secure than traditional passwords.
Passkeys will soon be available on iOS and Android mobile devices for Facebook, and we will begin rolling out passkeys to Messenger in the coming months. The same passkey you set up for Facebook will also work on Messenger once this capability launches.
Carlsbad, Calif., June 18, 2025 – The FIDO Alliance has announced the agenda for Authenticate 2025, the only industry conference dedicated to digital identity and authentication with a focus on phishing-resistant sign-ins with passkeys. The event will take place October 13–15, 2025 at the Omni La Costa Resort and Spa in Carlsbad, Calif., with options for virtual participation available.
The focus of the program for the Authenticate 2025 conference is achieving phishing-resistant authentication with passkeys and the adjacent considerations required to achieve end-to-end account security with usability in mind.
Visit https://authenticatecon.com/event/authenticate-2025/ to view the full session guide and register ahead of the June 20th Super Early Bird deadline.
Authenticate is built for CISOs, security strategists, enterprise architects, product leaders, UX professionals, and anyone engaged in the identity lifecycle from strategy to implementation. Attendees will gain practical knowledge around deploying phishing-resistant authentication at scale, designing secure user experiences, understanding complementary technologies, and navigating policy and compliance requirements.
This year’s event will showcase keynotes and sessions led by top executives and industry leaders at the forefront of the passwordless movement. The agenda for 2025 has been revamped to include: longer track sessions for more in-depth presentations, an increased focus on masterclasses for actionable synced and device-bound passkey implementation best practices, and a new solutions theater track to showcase live demonstrations of the latest identity and authentication solutions. This year’s agenda also features more opportunities for networking and exploration of the interactive expo hall to foster collaboration and idea sharing.
With four dynamic stages across four curated content tracks, Authenticate 2025 will offer sessions on:
Account onboarding Remote identity verification and proofing Authorization Biometrics Session security Device onboarding and authentication Cybersecurity/fraud threats and detection Digital identity/digital wallets The future of digital identity and authenticationSponsorship Opportunities Available
Authenticate 2025 offers unique sponsorship opportunities for companies to showcase solutions to an engaged, decision-making audience. With limited availability remaining, prospective sponsors can learn more and apply at https://authenticatecon.com/sponsors/ or contact authenticate@fidoalliance.org.
About Authenticate
Authenticate is the premier conference dedicated to advancing digital identity and authentication, with an emphasis on phishing-resistant sign-ins using passkeys. Hosted by the FIDO Alliance, this event brings together CISOs, security strategists, product managers and identity architects to explore best practices, technical insights and real-world case studies in modern authentication. The 2025 conference will take place from October 13-15 at the Omni La Costa Resort & Spa in Carlsbad, California, and will be co-located with the FIDO Alliance member plenary sessions, which run through October 16.
Authenticate is hosted by the FIDO Alliance, the cross-industry consortium providing standards, certifications and market adoption programs to accelerate utilization of simpler, stronger authentication with innovations, like passkeys. Signature sponsors for Authenticate 2025 are Google, Microsoft, Visa, and Yubico.
To learn more and register, visit https://authenticatecon.com/event/authenticate-2025/, and follow @AuthenticateCon on X. Register now and get the super early bird discount through June 20, 2025.
Authenticate Contact
authenticate@fidoalliance.org
PR Contact
press@fidoalliance.org
v1.1 of the 3 specifications includes one powerful new moving part
As CAWG activity picks up steam at DIF, there are a few details the rest of DIF and the broader community of decentralizers might want to be tracking:
The specification includes a powerful new indirection called an Identity Aggregator, which designates an external authority to translate a long-lived identifier embedded in signed credentials (at time of publication) to one or more identifiers with local significance anywhere an asset is used (at time of republication or consumption). Industry-specific identifier schemes are being researched by a distinct task force within the group for prototyping and getting adoption in media verticals. Registering/organizing external metadata standards and DID interop are on-going discussions. Wait, what Working Group is this?If you're following from a distance, you have a vague sense that CAWG is a DIF working group doing something-something C2PA. If that distance is a long distance, you might know C2PA is a big-name, media-authenticity initiative with many mega-corporations signed on. The reality is actually more decentralized than meets the eye: CAWG is specifying open-world extension points that use Verifiable Credentials to let all kinds of claims and all kinds of actors embed metadata and rights declarations in C2PA documents, not just the big boys.
As the name would imply, "creators" is a capacious term which includes influencers, independents, rights-holders unions, creative agencies, freelancers, and even anonymous social media microcelebrities alike. The extension points and interoperability mechanisms this group is working on bring verifiability at various scales at once, and to various kinds of ecosystems and markets. The "Assertions" that these creators are inserting into signed C2PA manifests embedded in professional media assets are the open-world extension point that let C2PA manifests contain arbitrary metadata (treated in a separate specification being iterated by the group), arbitrary trust signals, and arbitrary attached credentials.
Enter the AggregatorThe Identity Claims Aggregator (often referred to as "aggregator" in the group) names a piece of software (which can be internal or external to an authoring tool) that tracks multiple identifiers enabling verifiable credentials (issued against them) to be inserted meaningfully. It also witnesses proofs of (and later attests to) control of many kinds of external identifiers, and generally organizes the chaos of the world's many overlapping identifier schemes and attestation formats. To the outside observer, this might seem a very complicated translation mechanism, but to the decentralized identity veteran, this is a familiar necessity. Every verifiable credential scheme eventually needs this kind of translator/aggregator role, if it is to be an open system or even if it is "only" going to federate across the tech stacks of multiple existing systems.
Taken from section 8.1.1.2 of the v1.1 Identity Assertion specificationThe conversation so far in the working group has been working its way from the general to the concrete: do aggregators only aggregate identifiers and information sources known at the time of authoring/inserting, or can an aggregator add on new attestations at a later time? Must aggregators limit themselves to public identifiers, or can they use an internal/aggregator-specific one? Can an aggregator host a live API for post-facto information to be passed out-of-band, like additional credentials or updated credentials? How tightly, if at all, should this group specify such an API, if so? These are the high-level questions being debated on the back-burner of CAWG meetings this summer.
The Aggregator-Indirection QuestionZooming in a little more, there are further questions being tackled. Aggregators model a great happy-path solution for embedding declarations and strong identifications into each asset, but what about the many unhappy paths? For example, what if a creator’s assertions are scattered across many identifiers and credential types, and embedding those assertions requires all kinds translations and metadata to be legible? What if identifiers change, or new assertions become relevant after publishing– can “placeholder” or indirection identifiers be used to query data sources that continue receiving assertions after publication? Can an indirection or service be used to display more or less assertions depending on audience, or changeable-over-time consent policies? Can assertions and identities be “self-custodied”? What is the “account recovery” story for these increasingly complex use-cases?
While adding the aggregator was the biggest change in v1.1, it will be a long while until the exact scope and limits of this role are decided. It may well be that some advanced features get postponed to a later stage in the roadmap, because of the sheer complexity they entail, but it will definitely be an ongoing topic simmering in the background whenever smaller debates come up.
Separate Work Stream: Industry-Specific IdentifiersIn parallel, a subgroup is meeting separately to research and sanity-check the integration of major media-industry identifier schemes and metadata schemes, looking for interop corner-cases and relevant prior art.
Interested parties are encouraged to pop into the subgroup's github issues and meetings if they are working on (or just curious about, or experienced with) industry associations and media archiving best practices. The usual IP caveats apply: if joining a live call as a non-DIF member or commenting on github issues, refrain from going into concrete detail on anything "patentable" like implementation details or solutions.
These advanced features of the aggregator aren’t the only big questions that we can expect to simmer and percolate across the next few "minor versions". Additionally, the interop issues around existing metadata standards (not just major W3C standards, but real-world ones from industry and library sciences) are potentially inexhaustible, as the group's Metadata specification gives scaffolding for inserting any structured metadata into assertions.
A slightly less vast but still very open-ended interoperability question is which DID methods to recommend or even require of all implementers, and how to manage or triage the remainder of the list of possible current (and future!) DID methods. Intersecting with the ongoing work of the DID Method Standardization Working Group, and older efforts like DID Traits to define equivalence or translatability between DID methods with similar architectures, semantics and guarantees, there is something of a simmering backlog-debate about which forms of DID make how much sense for the CAWG use-cases.
Of course, the evaluation of DID methods for these tiered-accreditation and decentralized reputation use-cases necessarily includes more than just technical analysis; legal and business readiness factor in as well, including competitiveness and market health/structure considerations to keep media authenticity from being a perk in closed ecosystems. Luckily, the new co-chair Scott Perry brings much experience and open lines of dialogue with multiple working groups at the Trust-over-IP Foundation which work on exactly these aspects of DID technology and business processes. In particular, agentic identity is a topic that ToIP generally, and Scott specifically, are bringing into the scope of the WG, so keep an eye out for issues and PRs along those lines in the coming months as well.
Google is making its biggest security push yet. The company strongly urges its 2 billion Gmail users to switch passwords to passkeys. While not mandating immediate changes, Google has made passkeys the default authentication method. They’ve also set a hard deadline for third-party apps. The FBI reported cyber attacks jumped 33% last year. Those attacks cost over $16 billion in damages. Google’s response shows how seriously Big Tech is taking the password problem affecting every internet user.
In this post, we continuing to share outputs from a project we’re working with the Responsible Innovation Centre for Public Media Futures (RIC), hosted by the BBC. We’ve already published:
What does AI Literacy look like for young people aged 14–19? What makes for a good AI Literacy framework? Core Values for AI Literacy AI Literacy or AI Literacies? Image CC BY-ND Visual Thinkery for WAOThis project has involved both desk research and input from experts in the form of a survey, individual interviews, and a roundtable which we hosted a couple of weeks ago. One area we wanted to ensure we understood were gaps in existing provision around AI Literacies for young people.
The gaps we identified were focused on the 14–19 age range in the UK, with a long list of areas with many themes. We have organised and summarised these around the core values identified in a previous post.
The gaps reflect a pattern seen across education, media, and wider society: provision is uneven. It is often shaped by short-term thinking and competing interests. Overall, it is limited by a lack of clear leadership or coordination.
Unfortunately, many interventions around AI Literacies are focused on technical skills or compliance. These do not connect with young people’s real interests or lived experiences, nor do they address the deeper ethical, social, and cultural questions raised by AI.
As a result of this, many learners — especially those already facing disadvantage — are left with fragmented support and few opportunities to develop genuine agency or critical judgement.
Human Agency and Informed Participation Lack of systemic, rights-based frameworks: There is little structured provision to help young people shape, question, or influence AI, with most education focused on adapting to technology rather than encouraging agency or clarifying institutional responsibilities. Dominance of industry narratives: Commercial interests and tech industry funding often drive the agenda, narrowing the conversation and limiting opportunities for young people to challenge prevailing narratives or understand the political dimensions of AI. Insufficient progression and curriculum integration: There is no standardised, dynamic curriculum or progression framework for AI Literacies, especially for post-16 learners, and limited integration across subjects beyond computing or digital studies. Teacher confidence and support gaps: Many teachers lack confidence, training, and adaptable resources to support the development of AI Literacies, resulting in inconsistent, sometimes contradictory, messaging and limited support for critical engagement. Disconnect between knowledge and action: Awareness of AI bias, manipulation, or power structures does not reliably translate into agency or behavioural change, with motivation and broader social context often overlooked. Equity, Diversity, and Inclusion Persistent digital and social divides: Access to tools and resources to develop AI Literacies is highly unequal, shaped by school policies, family resources, and broader digital divides, with privileged students often able to bypass restrictions. Lack of cultural and global adaptation: Most resources are developed in the global north and do not reflect the needs or realities of diverse cultural, socioeconomic, or linguistic backgrounds, including those from in the global south. Barriers for marginalised groups: AI tools and resources can disadvantage non-native English speakers, students with disabilities, and those with limited digital access, reinforcing existing inequalities. Neglect of visual and multimodal literacy: There is insufficient focus on images, deepfakes, and multimodal content, despite their growing importance for misinformation and manipulation. Resource design and authenticity: Overly polished, anthropomorphised, or inaccessible resources can alienate young people; there is a need to co-design authentic, relatable, and context-driven materials that reflect lived experiences with young people from a range of background Creativity, Participation, and Lifelong Learning Short-termism and lack of sustainability: Funding and interventions are often short-lived, with little focus on long-term, joined-up strategies or progression frameworks. Imbalance between creativity and consumption: Most young people are consumers, not creators, of AI content; there is insufficient emphasis on participatory, creative, and hands-on engagement with AI. Restrictive and risk-averse policies: Overly strict barriers on access to AI tools in schools can limit meaningful learning opportunities and create anxiety or underground use. Missed opportunities for experiential and peer learning: There is underuse of hands-on, constructionist, and peer-led approaches, which are effective for this age group and for a rapidly evolving field like AI. Failure to address entrenched digital habits: Many interventions come too late to shift established digital habits; young people may have high digital skill but lack guidance on purposeful, critical, or participatory use. Critical Thinking and Responsible Use Overemphasis on technical skills: Current provision is skewed towards prompt engineering and functional tool use, with insufficient attention to understanding different kinds of AI, ethical reasoning, systemic impacts, and critical engagement. Insufficient ethical, environmental, and societal focus: Real-world harms, environmental costs, and the broader impact of AI are rarely discussed, leaving gaps in understanding responsible use. Media and information literacy gaps: Algorithmic and data literacy gaps: Young people struggle to understand how data shapes AI outputs, how to assess real versus fake (including deepfakes), and how to evaluate, challenge or seek redress for algorithmic decisions or AI-generated content. Anthropomorphism and mental models: Many young people, particularly younger teens, misattribute human-like qualities to AI, affecting their critical judgement and ability to interrogate outputs. Lack of robust assessment and evidence: There is a shortage of baseline data on AI literacy levels and limited frameworks for evaluating the effectiveness and impact of interventions, especially in terms of behavioural change. Upholding Human Rights and Wellbeing Disconnection from youth interests and lived experience: AI Literacy resources often fail to connect to young people’s real interests (creativity, sports, mental health), focusing instead on employability or compliance. Socio-emotional and privacy risks: Young people may use AI for companionship or advice, sharing sensitive information without understanding privacy or data risks; frameworks rarely address identity, trust, or changing markers of adulthood. Confusion and inconsistency in terminology: There is no consensus on what “AI literacy” means, and inconsistent definitions can intimidate learners or place excessive responsibility on individuals. Unclear responsibility and leadership: It remains unclear who should lead on the development of AI Literacies. Schools, parents, government, industry, and third sector bodies all have a role to play, but the current situation leads to fragmented provision and a lack of accountability. Neglect of digital relationships and boundaries: The role of AI as an “invisible third party” in relationships, and the shifting boundaries of privacy and identity, are rarely addressed in current resources. Next upWe’re still finalising our framework for AI Literacies and will be sharing it soon. Meanwhile, you can follow our work on this topic so far at https://ailiteracy.fyi.
Please do get in touch if you have projects and programmes that can benefit from our experience and expertise in education and technology!
AcknowledgementsThe following people have willingly given up their time to provide invaluable input to this project:
Jonathan Baggaley, Prof Maha Bali, Dr Helen Beetham, Dr Miles Berry, Prof. Oli Buckley, Prof. Geoff Cox, Dr Rob Farrow, Natalie Foos, Leon Furze, Ben Garside, Dr Daniel Gooch, Dr Brenna Clarke Gray, Dr Angela Gunder, Katie Heard, Prof. Wayne Holmes, Sarah Horrocks, Barry Joseph, Al Kingsley MBE, Dr Joe Lindley, Prof. Sonia Livingstone, Chris Loveday, Prof. Ewa Luger, Cliff Manning, Dr Konstantina Martzoukou, Prof. Julian McDougall, Prof. Gina Neff, Dr Nicola Pallitt, Rik Panganiban, Dr Gianfranco Polizzi, Dr Francine Ryan, Renate Samson, Anne-Marie Scott, Dr Cat Scutt MBE, Dr Sue Sentance, Vicki Shotbolt, Bill Thompson, Christian Turton, Dr Marc Watkins, Audrey Watters, Prof. Simeon Yates, Rebecca Yeager
At Global Digital Collaboration on July 2nd, a full day of sessions co-curated by DIDAS and partners will address how privacy-enhancing technologies (PETs) and trustworthy governance models can become core enablers of digital trust across sectors and jurisdictions.
The day begins with a high-level update session featuring SPRIND, Google, EPFL, Johannes Kepler University, and others. It will explore the current maturity, post-quantum readiness, and practical deployment of PETs such as BBS+, SD-JWT, and ZK-mDoc. The session aims to establish shared terminology and frameworks for unlinkability and selective disclosure across global credential ecosystems.
In parallel, the e-democracy workshop series (Part 1 & 2), led by the Center for Digital Trust (C4DT) at EPFL, DIDAS, the Human Colossus Foundation, and other civil society actors, will explore how digital services like e-ID and e-collecting e-voting and related challenges which must be redesigned for resilience to protect public trust, prevent fraud, and ensure accountability. The sessions aim to define foundational principles for a trustworthy digital democracy, co-created by experts in law, governance, cryptography, and policy.
Running alongside, a collaborative mapping session by Johannes Kepler University, Orange, Ethereum researchers, DIDAS, EUDI and other Global Ecosystems and pilot teams are invited to identify and classify global use cases where PETs-particularly zero-knowledge proofs-are essential. The session will help align performance and privacy requirements across deployment contexts, feeding into implementation roadmaps and standards discussions.
In the afternoon, a deep dive on unlinkability will be led by experts from Google, SPRIND, EPFL and the Linux Foundation’s decentralized trust initiatives. This session will focus on the risks of issuer–relying party collusion in credential ecosystems, and why unlinkability is non-negotiable for use cases like transport and location-sensitive infrastructure.
Later, a technically grounded session titled “ZKProofs: From Crypto Potential to Regulatory Acceptance” will bring together Google, ETSI, and NIST to map out viable ZKP schemes, their mobile-readiness, and interoperability features. The goal is to bridge the gap between cryptographic innovation and institutional trust, and to align stakeholders around a roadmap for responsible, cross-border adoption and acceptance.
The day concludes with a multi-stakeholder roundtable moderated by DIDAS with invitees from the ITU, the OpenWallet Foundation, LF Decentralized Trust, OECD, UNHCR the Swiss confederation, the EU Commission and other country delegates and potential funding partners to explore long-term collaboration structures. This final session will address how to sustain PET development through ongoing working groups, interoperable governance, and shared funding models.
Public Sector & Multilateral Institutions
Swiss Confederation European Commission ITU (International Telecommunication Union) OECD UNHCR SPRIND (Federal Agency for Disruptive Innovation, Germany) EUDI Pilot Teams (various EU member states)
Research & Academia
EPFL – École Polytechnique Fédérale de Lausanne C4DT – Center for Digital Trust (EPFL) Johannes Kepler University Linz Ethereum Research Community
Civil Society & Ecosystem Actors
DIDAS – Digital Identity and Data Sovereignty Association Digital Society Association (Switzerland) Human Colossus Foundation Other invited civil society contributorsPrivate Sector & Standards Bodies
Google Orange Linux Foundation – Decentralized Trust Initiative OpenWallet Foundation ETSI – European Telecommunications Standards Institute NIST – U.S. National Institute of Standards and Technology LF Decentralized TrustCore Themes
Privacy-enhancing technologies (PETs), ZKPs, unlinkability Verifiable credentials, digital identity, selective disclosure Trust infrastructure governance, interoperability, post-quantum security E-democracy, civic trust, institutional resilience Multi-stakeholder collaboration, sustainable funding, global alignmentThis collaborative agenda reflects a global commitment to building privacy-preserving, interoperable, and inclusive digital ecosystems with shared responsibility across sectors.
authID’s decision this month to integrate its biometric identity verification technology with Ping Identity’s PingOne DaVinci service is a necessary step at a time when humans continue to be the weakest security link for organizations and bad actors increasingly target passwords to gain access to corporate networks, according to Jeff Scheidel, vice president of operations for the Denver-based company.
Apple OSes will soon transfer passkeys seamlessly and securely across platforms.
Apple this week provided a glimpse into a feature that solves one of the biggest drawbacks of passkeys, the industry-wide standard for website and app authentication that isn’t susceptible to credential phishing and other attacks targeting passwords.
The FIDO Alliance and host sponsor Thales recently held a one day seminar on authentication, identity and the road ahead.
Seminar sessions provided an exploration of the current state of authentication for workforce and consumer sign-ins – with a focus on FIDO and passkeys including adoption status and case studies. The seminar also featured discussions on other relevant topics for IAM professionals, such as the latest in attacks and threats, identity verification technology advances, and post-quantum cryptography. Attendees had the opportunity to engage directly with authentication and identity experts through open Q&A, networking and demos.
View the presentations below:The OASIS XACML Technical Committee (TC) is currently engaged in an effort to produce a successor to XACML version 3.0, and we’re looking for input from the community. The goals of this new version(s) are:
To modernize the language to make it more accessible to a wider audience, To add new features to extend the expressibility of the language and support new use cases, and To simplify the language where possible.The headline change is the decision to abstract the core language to remove its dependence on XML and XML Schema, i.e., to make it syntax-agnostic. This will facilitate the use of other syntaxes for representing the core language. The TC has decided to define representations for at least JSON and YAML, while continuing to support XML. To reflect this expanded scope and modernized approach, the effort is being referred to as “XACML Next Gen” rather than “XACML 4.0.”
The XACML TC intends that implementations will be able to claim conformance with the core language by implementing one or any combination of the possible syntaxes. XML will not be required.
There is a strong desire in the XACML TC to find a new name for the core language to show that it is no longer tied to XML. Various suggestions are on the table, but there is no clear frontrunner at this time. The new name should lend itself to distinct acronyms for each supported syntax for simple identification. Regardless of the new name and version number for the core language, there is consensus in the TC that the XML representation of the core language will be known as XACML 4.0 in recognition of its antecedent. So the moniker “XACML 4.0” will reference only part of the TC’s eventual outputs.
The major structural change to the core language is the merging of PolicySet and Policy into a single construct that will carry the name “Policy.” A new Policy may contain embedded policies, policy references, rules, and variable definitions. This change removes some duplication from the core language where essentially the same thing was defined under separate names for both policy sets and policies, for example, PolicySetId and PolicyId. There is now only PolicyId. There are no longer separate policy combining algorithms and rule combining algorithms, just combining algorithms.
Current Changes In Progress 1. Support for JSON and YAML PoliciesOne of the most anticipated updates in XACML Next Gen is the addition of JSON and YAML as alternative policy representation formats. While XACML has traditionally been based on XML, these new formats aim to:
Simplify policy authoring by providing more concise and readable structures. Improve integration with modern applications that rely on JSON-based APIs. Reduce verbosity compared to XML, making policies easier to maintain. Improve readability and auditability by allowing the substitution of many URIs with short string names using standardized and user-defined vocabularies.Implications for Policy Writers:
Policies can now be expressed in JSON or YAML, reducing the learning curve for those unfamiliar with XML. JSON and YAML formats align with modern infrastructure-as-code practices, allowing policies to be managed like other configuration files. 2. Simplified and More Efficient Policy StructureTo make policies easier to write and maintain, XACML Next Gen is introducing:
A. Flattened Policy Hierarchy The distinction between Policy and PolicySet is being removed, creating a single structure that can contain both rules and sub-policies. This means fewer elements to track and simplifies how policies are nested and combined. B. Common Structure for Obligations and Advice The structure of an obligation or advice instance is practically the same, except for naming. Obligation and Advice will be replaced by a common Notice structure with the semantic differences indicated by a boolean flag. Likewise, for the various structures related to obligations and advice. C. Targets Revised Targets in policies have been changed to Boolean expressions, giving them the same expressive power and flexibility as Conditions in rules. Targets have been removed from rules; a Condition is sufficient. D. Decluttering CombinedDecision, ReturnPolicyIdList, and MustBePresent have been given sensible defaults so that they can usually be omitted, reducing clutter.E. Global Variables for Reusability
Variables will be defined globally and reusable across multiple policies, reducing redundancy and improving clarity. Policy writers will be able to import global variables without having to redefine them within each policy. F. Composite Functions for Simpler Expressions Policy authors will be able to define custom functions that can be reused across multiple rules, reducing repetition. Example: Instead of repeating the same logical expression in multiple places, writers can define it once and reference it when needed. 3. Improved Policy Efficiency A. Optimized Rule Evaluation New ternary conditional functions (similar to a ? b : c in programming languages) allow policy writers to define logic more concisely. B. Aggregate Functions for Policy Simplification XACML Next Gen will introduce functions like min, max, sum, and average, enabling policy writers to perform calculations on groups of attributes without excessive nesting. C. Shortcuts for Common Operations New functions like empty-bag() and non-empty-bag() make it easier to check for missing attributes without verbose expressions. D. JSONPath Support for JSONPath will be added to the language. Like support for XPath, it will be optional to implement. Support for newer XPath versions will be added. 4. Naming and Structural ChangesTo better reflect its expanded scope beyond XML, there are ongoing discussions about renaming XACML to something more format-agnostic. Current discussion can be viewed [here].
Regardless of the naming decision, the XML version will continue to be referred to as XACML, ensuring backward compatibility.
XACML Next Gen is shaping up to be a more flexible, efficient, and modern policy definition framework. By introducing JSON and YAML, flattening policy structures, and adding global variables and composite functions, the new version aims to make policy authoring easier and less error-prone, while the addition of canonical string identifiers will significantly improve the readability and audibility of policy corpora.
We Want Your Feedback
The XACML TC is eager to hear from the broader community as we move forward with this next-generation effort. Whether you’re a longtime implementer, a policy expert, or simply someone with a stake in access control, your input can help shape a modern, more accessible, and flexible standard. We’re especially interested in feedback on new feature requirements, potential use cases, naming ideas for the core language, and thoughts on the move toward syntax-agnostic design. If you’d like to get involved or share your perspective, please contact us via our GitHub project.
Authors
Steven Legg, Editor, OASIS XACML Technical Committee
[LinkedIn Profile]
William Parducci, Co-Chair, OASIS XACML Technical Committee
[LinkedIn Profile]
The post Help Guide the Next Generation of XACML appeared first on OASIS Open.
Andrew Shikiar, Executive Director and CEO of the FIDO Alliance, joins us to discuss the shift from passwords to passkeys and the role of FIDO in driving secure, passwordless authentication. He explores the challenges of adoption, the importance of identity verification, and how cross-platform interoperability is accelerating passkey use. The conversation also touches on the impact of generative AI on cybersecurity and what the future holds for passkeys in building long-term resilience.
About Expert Insights:
Expert Insights saves you time and hassle by rigorously analyzing cybersecurity solutions and cutting through the hype to deliver clear, actionable shortlists. We specialize in cybersecurity. So, our focus is sharper, our knowledge is deeper, and our insights are better. What’s more, our advice is completely impartial.
In a world saturated with information, we exist to arm experts with the insights they need to protect their organization. That is why over 1 million businesses have used us to inform their cybersecurity research.
Listen to the podcast.
A couple of months ago, after seeing a UNESCO call for contributions, Doug began wrangling a group of thinkers and educators to respond to the call in a collaborative and open way. Naturally, I got involved, and thus we thought this story would be a good one for the WAO blog :)
There were six of us on that stormy night…
Bryan Alexander – an internationally known futurist, researcher, writer with this popular blog and newsletter, AI, academia, and the Future. Helen Beetham – a researcher and consultant in digital education who has edited several standard texts including Rethinking Pedagogy for a Digital Age. Her articles on AI, education, and society can be found at imperfect offerings. Doug Belshaw – co-founder of We Are Open Co-op, working at the intersection of systems thinking, digital literacies, and Open Recognition. Doug's writings can be accessed via his website. Laura Hilliger – concept architect, open strategist, and co-founder of We Are Open Co-op. Her website contains links to her blog and newsletter. Ian O'Byrne – Associate Professor of Literacy Education at the College of Charleston. He maintains an active presence through his website and weekly newsletter Digitally Literate. Karen Louise Smith – Associate Professor in the Department of Communication, Popular Culture and Film at Brock University. She teaches courses related to social media, surveillance, and new media policy and her writing can be accessed via her website.The six of us met up online to chat about how we might collaborate to respond to UNESCO’s call, and decided that we would each write our own think pieces. We then met up regularly to chat about where we were, what ideas were floating around and get inspiration from one another. Once we had drafts, we each read each other's pieces offering comments and suggestions.
Our finished pieces can be found at this linktree: https://linktr.ee/ai_future_education
After we submitted our think pieces to UNESCO, we decided to do a roundtable event hosted by Doug. Over 100 people signed up, with 50 more on the waitlist. Participants gathered to discuss the transformative potential of Artificial Intelligence (AI) in education. The event brought together educators, tech experts, and policymakers to dissect our six pieces on AI's future role in learning environments.
This blog post summarises our very nuanced discussion surrounding AI's role in education. If you’re interested in this type of thing, we’d recommend watching the full session.
1. Personalized LearningOne of the themes discussed was personalized learning facilitated by AI. While AI can functionally analyze student data to tailor curricula and pacing, we talked about the emotional and social dimensions of learning. The lack of empathy in AI systems hinders holistic education, which requires human interaction.
2. Equity and AccessWe talked about the theory that AI could democratize access to quality education, but we highlighted significant challenges. Unequal access exacerbates existing disparities in educational opportunities, and it is not just infrastructure that is inequitable in our education system.
3. The Educator's RoleAI’s impact on educators’ roles was another theme in our conversation. While AI can handle routine tasks like grading, potentially reducing administrative burdens, there are concerns about over-reliance on technology displacing human interaction. We argued for understanding teachers as mentors, facilitators, guardians and creatives to try and make clear that “efficiency” is not a goal in education.
4. Privacy and BiasWe talked a lot about the ethical implications surrounding various aspects of AI. From data privacy concerns, algorithmic bias, and transparency in AI decision-making, we stressed the importance of ethical guidelines and accountability measures.
5. CollaborationWe talked a bit about the potential for collaboration between educators and AI. We tried to think about what a complementary relationship with AI might look like for education. While AI might enhance some of our teaching tools, it cannot be allowed to overshadow the irreplaceable human element.
6. The Future of EducationIn conclusion, we know and spoke about the fact that any technology and its implementation in education must be approached with caution and balance. Our conversation underscored that AI is not a panacea but a technology that exists within a particular context, and that like any technology, it’s how we use it that matters.
Go deeper:
This is the video Recording for the full session We made an AI generated Chat summary All of our think pieces are worth a close read. Jump in individually: Bryan Alexander - Several futures for AI and education Helen Beetham - The implications of ‘artificial intelligence’ for the right to education in equality and dignity Doug Belshaw - Marching Backwards into the Future: AI’s Role in the Future of Education Laura Hilliger - It is not the tool, it is the artist who sparks the revolution: The Importance of Art Education with or without AI Ian O'Byrne - Amplifying Human Cognition: Artificial Intelligence as Mirror and Magnifier Karen Louise Smith: Building warm expert expertise to mitigate against data harms in AI-powered edtechMany thanks to Bryan Mathers of Visual Thinkery, who provided the illustrations included in this post. To see all of those that he drew based on the session, visit his website.
Over the past couple of months, we’ve been working on an ‘AI Literacy’ project with the Responsible Innovation Centre for Public Media Futures (RIC), hosted by the BBC. We’ve already published:
What does AI Literacy look like for young people aged 14–19? What makes for a good AI Literacy framework? Core Values for AI LiteracyIn this post, we want to explore the tension we’ve felt between referring to ‘AI Literacy’ in the singular, versus referring to a plurality of ‘AI Literacies’. Ultimately, although our original brief used the singular form (as do many of our peers) we have decided to take the latter, plural, approach — for reasons we will explain below.
One very practical reason to emphasise ‘AI Literacies’ is that it is difficult to talk about ‘delivering’ a literacy. “Literacy” always begs the question of context: What does literacy mean to this particular person in this particular setting at this particular moment? What it means to be ‘AI literate’ is going to look very different to someone working in a corporate office job, compared to a teenager using AI for a creative project. Additionally, there are multiple literate behaviours when we think about AI — for example, understanding the socio-economic reality of the AI landscape versus knowing how to prompt an LLM to get the kind of information or answer you are looking for.
AI Literacies are therefore both plural and context-specific. They are also socially-negotiated. Literate behaviours depend on the community with which an individual is interacting. This becomes evident through a few examples.
Image CC BY-ND Visual Thinkery for WAOIf you are a parent of teenagers, you will have experienced a time when they respond in a way which makes sense to them and their friends, but not to you. You are likely to have to ask them what they mean or use a resource like the Urban Dictionary. Other behaviours such as using a particular emoji might be hilarious for reasons you cannot quite comprehend.
These “rhetorics of communication” are an important part of literacy practices, especially in the digital realm. They constitute ways of interacting with other people within a techno-social system which itself privileges and foregrounds certain kinds of behaviours, while either explicitly or implicitly discouraging others. For example, contemporary chat apps allow you to see not only that a message has been delivered, but whether it has been read. The act of not reading a particular message may be seen in multiple lights: Is the person ignoring me? Are they mad at me? Are they offline in the forest?
Any time we are communicating in ways which are mediated by technologies, part of literate behaviour involves understanding the “affordances” that the technology provides as well as understanding how that technology might be shaping our behaviour.
If you were, for example, quickly texting your teenager while at work, you might send your text and then open a workplace chat window which looks and feels very much like the social one which you have just been using. However, because the context is different — as well as perhaps both the demographic makeup and number of people in the chat — you act differently. =Your literate behaviours are thus socially-negotiated, meaning that you vary your behaviour in different situations.
As we start to understand AI Literacies, we need to think about the most common way in which people experience generative AI — by prompting a Large Language Model (LLM) through a chat window. The chat window is a familiar technology, but the fact that there isn’t a human on the other side of it is not. Part of AI Literacies therefore involves exhibiting and modifying our behaviours based on our knowledge and experience of factors that surround this particular chat window.
Image CC BY-ND Visual Thinkery for WAOWith personal or workplace chats, what is outside of the frame informs literate behaviours inside the frame. Similarly, when we are interacting with AI, the more we know about what is outside the frame, the more we can develop appropriate literate behaviours inside the frame. Again, these literate behaviours are plural: will others be able to tell that you are using the outputs of an LLM? (will they mind?) They are based on context: should you trust the company behind the technology you are using? And they are socially-negotiated: are there environmental concerns of which you should be aware?
Angela Gunder’s Dimensions of AI Literacies provides a helpful way to think about these issues. Building on my work on the Essential Elements of Digital Literacies, Gunder’s framework sets out a series of overlapping dimensions that shape how people interact with AI. This approach supports the idea that AI Literacies are not a fixed set of skills, but a collection of practices negotiated within communities and shaped by context.
AI Literacies, like Critical Media Literacies, Digital Literacies, Information Literacies, Data Literacies, and a whole host of “new” literacies, should be considered to be fundamentally plural. What counts as “literate behaviours” are socially-negotiated based on context. Words and phrases, however, are important to describe what we mean. And that is why we will be referring to AI Literacies in the project we’re doing with the RIC for the BBC.
Coming soonWe are working on a public version of our landscape setting and framework for AI Literacies. We’ll be sharing that soon. In the meantime, follow our contributions to this space through https://ailiteracy.fyi/ and get in touch if you have projects and programmes that can benefit from our experience and expertise in education and technology.
What if you could see what your customers are searching before they even hit 'buy'?
In today’s hyper-competitive marketplace, that’s exactly what the best brands are doing, and it’s giving them a serious edge.
In this episode, Chris Barnes, General Manager of Retail & Alternative Channels at Jungle Scout, joins hosts Reid Jackson and Liz Sertl to break down how brands are using real-time search, product, and shopper data to respond faster to market signals on Amazon and beyond.
Chris shares how companies are identifying market opportunities, protecting category share, and improving performance across pricing, inventory, and advertising, all by knowing what to look for in the data.
In this episode, you’ll learn:
How to use search and shopper behavior to guide product strategy
Why category management looks different in the age of marketplaces
The data brands overlook and how it impacts sales performance
Jump into the conversation:
(00:00) Introducing Next Level Supply Chain
(02:07) Chris Barnes on his career journey
(04:38) Transforming strategy with data and intelligence
(05:55) Category management in-store vs. online
(09:23) AI’s impact on search and consumer behavior
(13:04) Dude Wipes’ growth and success
(15:35) Leveraging data to understand consumer needs
(19:17) Power of data analytics in product development
(20:48) Top strategies for maximizing growth
(27:37) The future of agencies and AI in business
Connect with GS1 US:
Our website - www.gs1us.org
Connect with the guest:
Chris Barnes on LinkedInCheck out Jungle Scout
Applications closed. Reviews done. It’s time to share who’s joining the Web3j mentorships this year under the Linux Foundation Decentralized Trust program. This year, there are two projects aimed at advancing Web3j, which is a highly modular, reactive, type safe Java and Android library for working with Smart Contracts and integrating with clients (nodes) on the Ethereum network.
The post Reinventing How Career Records Are Shared appeared first on Velocity.
Mastercard has launched advanced payment passkeys across Europe as part of its initiative to enhance online transaction security and replace traditional passwords. The company reports that its tokenization and passkey implementation has achieved nearly 50 percent adoption in European e-commerce transactions, building on its successful passkey deployment in Latin America earlier this year.
The payment technology company’s new security measures arrive at a critical time, as data shows that one in four business owners in Europe face targeting by scammers. A quarter of these businesses express concern about their ability to recover from potential cyber attacks. The expansion follows the broader industry trend toward passwordless authentication, with the FIDO Alliance reporting significant growth in enterprise passkey adoption.
OneSpan announced Thursday (June 5) its acquisition of Nok Nok Labs, a provider of FIDO passwordless software authentication solutions.
OneSpan said joining forces with Nok Nok enables the company to provide customers worldwide with a comprehensive authentication portfolio, available on-premises or in the cloud. This combined offering now includes support for OTP, FIDO, software, and hardware solutions, such as Digipass, FIDO2 protocols, and Cronto solutions for transaction signing.
Victor Limongelli, CEO at OneSpan, described the acquisition as a “bold step toward providing customers with maximum choice in authentication.” He added that the company is evolving its entire authentication platform to include FIDO standards, believing that passwordless authentication is an important part of the future. With Nok Nok’s technology and FIDO expertise, OneSpan aims to offer a comprehensive and versatile customer authentication solution.
Phillip Dunkelberger, president and CEO at Nok Nok, noted that joining OneSpan allows them to bring their vision, rooted in open standards like FIDO, to a broader audience via OneSpan’s global reach. Andrew Shikiar, executive director and CEO of the FIDO Alliance, said Nok Nok has been a “trailblazer” in the FIDO ecosystem.
Dashlane lets you open an account with a FIDO2-spec USB security key as your authentication.
One of the better-known password managers is now inviting people to try it without having to create yet another password. Instead, Dashlane is now inviting people to try opening a new account secured only by a USB security key compliant with the “FIDO2” authentication standard; FIDO being short for Fast Identity Online.
Emphasize “try.” The company’s support page for this “early access” program notes that it supports only Google Chrome and Microsoft Edge, not Dashlane’s mobile apps. For now, it doesn’t let you create an account secured only by a passkey, the form of FIDO2 security more people use.
NEWARK, NJ, June 5, 2025 – Edge, a leading provider of innovative technology solutions for higher education, today announced that IronBrick, a Workday resell partner specializing in selling Workday to the higher education and public sector markets, is now part of the EdgeMarket Cooperative Pricing System. The addition of this industry leader to EdgeMarket comes as a direct result of successful bids under the EdgeMarket’s Higher Education Ecosystem (HEES) Request for Proposal (RFP), solidifying the organization’s commitment to delivering transformative solutions to educational institutions.
The HEES RFP, a significant initiative aimed at providing access to an interconnected ecosystem of software and solutions designed to enable successful outcomes within higher education, seeks to identify best-in-class technology partners. Edge’s contract vehicle, coupled with IronBrick’s deep industry expertise and the power of the Workday platform, creates a powerful set of tools to address the unique challenges and evolving needs of colleges and universities.
“This alignment marks a significant milestone in Edge’s commitment to empowering higher education institutions with cutting-edge solutions. Workday and IronBrick are industry leaders enabling excellence in higher education operations. We are confident that this collaboration will deliver exceptional value and drive positive outcomes for participating institutions.”
— Dan MillerWorkday Human Capital Management (HCM), Workday Financial Management, and Workday Students help to transform higher education institutions, modernize experiences, and streamline administrative and academic operations. Its cloud-native architecture provides scalability, agility, and real-time insights to help make data-driven decisions.
“IronBrick is excited to collaborate with Edge and Workday to provide a new avenue for purchasing Workday for higher education institutions under the HEES RFP,” stated Zebulon Mellett, President, IronBrick Associates, LLC. “Our focused expertise in the higher education sector, combined with Edge’s strong relationships and the Workday platform, will allow for long-term success for our clients.”
Edge, Workday, and IronBrick are committed to helping higher education institutions modernize operations, enhance the employee experience, and drive student and institutional success, via a contract designed to streamline time to procurement. This collaboration represents a powerful step forward in transforming core operational applications within the higher education community.
About Edge
Edge serves as a member-owned, nonprofit provider of high performance optical fiber networking and internetworking, Internet2, and a vast array of best-in-class technology solutions for cybersecurity, educational technologies, cloud computing, and professional managed services. Edge provides these solutions to colleges and universities, K-12 school districts, government entities, hospital networks and nonprofit business entities as part of a membership-based consortium. Edge’s membership spans the northeast, along with a growing list of EdgeMarket participants nationwide. Edge’s common good mission ensures success by empowering members for digital transformation with affordable, reliable and thought-leading purpose-built, advanced connectivity, technologies and services.
About IronBrick
IronBrick excels at Adaptive Innovation. As a dedicated Workday partner, IronBrick is a reseller of Workday solutions to State and Local, Higher Education, and Federal clients. We strive to balance the wants and needs of application users with the technical challenges of IT organizations. IronBrick partners with leading System Integrators and specialized technology providers to deliver complete solutions. To learn more about IronBrick, visit ironbrick.com.
The post Edge Announces the Availability of Workday, via its Reseller, IronBrick, to the EdgeMarket Higher Education Ecosystem of Solutions appeared first on NJEdge Inc.
At Blockchain Commons, we design open infrastructure that prioritizes privacy, autonomy, and human dignity. That’s why I support and personally signed the No Phone Home Initiative. It is not just a position, it’s a call to preserve a foundational principle of decentralized identity: Credentials must be verifiable without enabling surveillance!
Why “No Phone Home” MattersThe problem is simple: when verifying a digital credential such as a mobile driver’s license or a diploma, many systems require contacting the original issuer. This creates a digital trail of who is verifying what, when, and why. That trail can be used to profile and surveil, allowing issuers to track credential holders without their knowledge.
Manu Sporny, in an email to the W3C Credentials Community Group (June 3, 2025), clarified the stakes:
“Retrieving a status list could be misinterpreted as ‘phoning home’ … but it’s not anywhere near the same level of “phoning home” that contacting the issuer and telling them ‘I’ve got Steve here at booze-hut.com, is he over 21?’ achieves.”
But the threat of direct identity leak is just the tip of the iceberg. That’s because credential presentation isn’t a one-off event. It’s recurrent. Even when identifiers or interactions are pseudonymous, repeated verifications leak sensitive metadata, allowing issuers or third parties to correlate time, location, and use-pattern metadata into behavioral profiles.
The Decentralized Identity Foundation talks about some of this in “Nearly 100 Experts Are Saying ‘No Phone Home’”:
“The risks multiply when applied across domains. Federated protocols developed for use within organizations become surveillance systems when used between different sectors or jurisdictions. Phone home capabilities that seem innocuous within a single domain can become tools for tracking and control when applied broadly without aggressive oversight and fine-tuning.”
Problematically, this is how these systems are designed to work! As Kim Hamilton Duffy says in the first of a series of articles on mDL privacy that she’s currently working on:
“This isn’t an unintended consequence—it’s an architectural feature that can trivially enable persistent record-keeping of when and where you use your credentials, creating patterns that can be analyzed long after the original transaction by unknown third parties.”
This also reveals yet another danger: how “normal” it feels to let credential issuers remain silently in the loop.
Revocation Without SurveillanceSome argue that checking for the revocation of a credential requires phoning home. But that’s a false dilemma. In the same W3C thread, Sporny noted:
“There are a few ways to retrieve a status list without directly contacting the issuer that use commonly deployed web technology.””
Technical mitigations discussed and developed by the community include:
Large, pseudonymous status lists (e.g., Bitstring Status List) Use of CDNs or file mirrors to avoid direct issuer contact Oblivious HTTP (OHTTP) for unlinkable status fetchingThere are still issues with these potential mitigations. For example, Kyle Den Hartog (Pryvit NZ) raised concerns about status list misuse:
“An issuer creates a bitstring list of sufficiently large size, but only includes 1 active credential index per bitstring list. All other indexes are spoofed. The rest of the list would look active to the holder/verifiers but could still be a tracking mechanism by the issuer.”
But, these edge-case attacks reinforce why the core architecture must be surveillance-resistant by default.
Privacy isn’t the only issue with revocation checking: it’s also a structural risk. If we tie credential validity to live status checks, we quietly shift power from holders to issuers. It becomes a form of dependency injection, one that contradicts the goal of self-sovereign identity.
Not Just Technical: It’s EthicalThis isn’t just a technical issue. It goes to the ethical heart of self-sovereign identity design.
Daniel Hardman offered this framing in a related thread on edge cases:
“Verifiable credentials verify without issuer coordination; that is what the ‘verifiable’ in ‘verifiable credential’ means.”
Joe Andrieu argued in the same May 2025 thread:
*The identity system that wins is going to be the one we can use in any circumstance by anyone. … It’s my wallet. I expect it to serve me, as a user agent. I do not accept that it might also serve the state as a surveillance platform.
At Blockchain Commons, we agree. The ability to verify credentials offline, without depending on a central service, is essential for resilience and civil liberties.
A report prepared for the American Civil Liberties Union (ACLU) put it clearly by requiring “No Issuer ability to track via phone home mechanism” and saying:
Emergencies Are Not an Excuse“One way a digital ID can differ from physical ID is that it can enable the issuers of the digital ID to track where, when, and to whom one shows their ID. This tracking can reveal very private and sensitive information about the digital ID holder — namely, when and where, online or off, they present their ID. Standards and technologies should be designed so that the issuer (or any of its agents or contractors) cannot engage in any of these forms of tracking.”
Some use cases such as disaster response or first responder tracking have prompted discussions around consent-based “check-ins.” These are complex and worthy of consideration. But the VC Data Model 2.0 spec is clear:
“Credential status specifications MUST NOT enable tracking of individuals, such as an issuer being notified (either directly or indirectly) when a verifier is interested in a specific holder or subject. Unacceptable approaches include “phoning home …”
But compliance doesn’t equal safety. Even digital credentials that conform to existing standards—such as ISO 18013-5—can still include implementation choices that enable surveillance. Privacy must be baked into system design, not retrofitted through policy disclaimers.
As Alexis Hancock of the Electronic Frontier Foundation (EFF) warned (via State Scoop):
“We have to act now because governments are enthusiastic about digital ID, but if we don’t pin down these basic principles now, it’s going to be a problem later.”
We can build systems that are opt-in, purpose-specific, and out-of-band, without compromising the privacy baseline for everyone else.
Our CommitmentAt Blockchain Commons, we believe decentralized identity should empower the individual, not quietly report on them. We are actively designing open standards such as Gordian Envelope and dCBOR to support truly private, verifiable, interoperable credentials.
We support “No Phone Home” because surveillance should never be the default. And we invite others to join us in making sure the future of identity remains decentralized, private, and just.
Kia ora,
Welcome to the May edition of the Digital Identity NZ newsletter. This month, we’re excited to introduce our new Executive Director, share insights from Techweek25’s Foundations for Tomorrow Event.
Andy Higgs Appointed as New Executive Director
We’re pleased to announce that Andy Higgs has joined Digital Identity NZ as our new Executive Director.
Andy brings over 20 years of experience across digital identity, AI strategy, and innovation in both public and private sectors. His background includes leadership roles at Futureverse and Centrality, where he focused on self-sovereign identity solutions and ecosystem partnerships.
His experience extends to policy development with the Department of Internal Affairs and Ministry of Business, Innovation and Employment, including work on the Digital Identity Services Trust Framework and the Consumer Data Right.
Andy’s collaborative approach will be valuable as DINZ continues to work alongside members to build a trusted digital identity ecosystem for everyone in Aotearoa.
Digital Public Infrastructure: Foundations for Tomorrow Event
During Techweek25, government, industry, and public sector leaders gathered at Parliament’s Legislative Chamber to discuss how digital public infrastructure (DPI) could transform service delivery across New Zealand.
Key takeaways for the digital identity community:
Read the full event recap here.
Member News
Our DINZ community continues to grow! We’re delighted to welcome POLipay as a member and look forward to featuring and engaging them in our ecosystem.
See all organisation members here.
Stay Connected
Thank you for being part of our community. We look forward to sharing more updates next month.
Ngā mihi nui,
The team at Digital Identity NZ
Read full news here: Introducing Our New Executive Director | May Newsletter
SUBSCRIBE FOR MOREThe post Introducing Our New Executive Director | May Newsletter appeared first on Digital Identity New Zealand.
ABSTRACT: “Fair Witnessing” is a new approach for asserting and interpreting digital claims in a way that mirrors real-world human trust: through personal observation, contextual disclosure, and progressive validation. It can be implemented with the decentralized architecture of Gordian Envelopes to allow individuals to make verifiable statements while balancing privacy, accountability, and interpretability. At its core, fair witnessing is not about declaring truth, it’s about showing your work.
In the early days of decentralized identity, we referred to what we were working on as “Verifiable Claims.” The idea was simple: let people make cryptographically signed statements and allow others to verify them. But something unexpected happened. People assumed these claims would settle arguments or stop disinformation. They saw the term “verifiable” and equated it with “truth.”
The reality was more modest: we could verify the source of a claim but not its accuracy. We could assert that a claim came from a specific person or organization (or even camera or other object) but not whether that claim was unbiased, well-observed, or contextually complete.
This misunderstanding revealed a deeper problem: how do we represent what someone actually saw and how they saw it, in a way that honors the complexity of human trust?
A Heinleinian InspirationIin Stranger in a Strange Land, Robert Heinlein described a special profession: the Fair Witness. A Fair Witness would be trained to observe carefully, report precisely, make no assumptions, and avoid bias. If asked what color a house was, a Fair Witness would respond, “It appears to be white on this side.”
It is this spirit we want to capture to fulfill the promise of the original verifiable claims.
A Fair Witness in our digital era is someone who not only asserts a claim but also shares the conditions under which it was made, including context, methodology, limitations, and bias:
What were the physical conditions of the observation? Was the observer physically present? Did they act independently? What interests or leanings might have shaped their perception? How did they minimize those biases?These are not just nice-to-haves. They are necessary components of evaluating a claim’s credibility.
Beyond Binary TrustFair witnessing challenges binary notions of trust. Traditional systems ask a “yes” or “no” question: do you trust this certificate? This issuer?
But trust is rarely binary like this in the real world. It is layered, contextual, and progressive. The claim made by a pseudonymous environmental scientist might start out with low trust but could grow in credibility as:
They reveal their professional history. Others endorse their work. They disclose how they mitigated their potential biases.Trust builds over time, not in a single transaction. That’s progressive trust.
Trust as a Nested StatementTo marry a fair witness claim to the notion of progressive trust requires the nesting of information. As shown in the example of the environmental scientist, the witnessing of an observation gains weight as the context is added: turning the scientist’s claims into a fair-witness statement required collecting together information about who the scientist is, what their training is, and what their peers think of them.
But as noted, progressive trust isn’t something that occurs in a single transaction: it’s revealed over time. We don’t want it to all be revealed at once, because that could result in information overload for someone consulting a claim and could have privacy implications for the witness.
A progressive trust model of fair witnessing requires that you show what you must and that you withhold what’s not needed—until it is.
Privacy and Accountability, TogetherThis model strikes a crucial balance. On one hand, it empowers individuals (fair witnesses) to speak from experience without needing permission from a centralized authority. On the other hand, it allows others to verify the integrity of the claim without requiring total exposure.
There are numerous use cases:
You can prove you were trained without revealing your name. You can demonstrate personal observation without revealing your exact location. You can commit to a fact today and prove you knew it later. Fair Witnessing with Gordian EnvelopeThe demands of Fair Witnessing go beyond the capabilities of traditional verifiable credentials (VCs), primarily because VCs can’t remove signed information but maintain its validation—and the ability to do so is critically important if you want to nest information for revelation over time.
Fortunately, a technology already exists that provides this precise capability: Blockchain Commons’ Gordian Envelope, which allows for: the organized storage of information; the validation of that information through signatures; the elision of that information; the continued validation of the information after elision; and the provable restoration of that information.
Any subject, predicate, or object in Gordian Envelope can itself be a claim, optionally encrypted or elided. This enables a deeply contextual, inspectable form of expression.
For example:
Alice could make a fair-witness observation, which would be an envelope. Information on the context of Alice’s assertion can be a sub-envelope. A credential for fair witness training can be a sub-envelope. Endorsements of Alice’s work as a fair witness can be sub-envelopes. Endorsements, credentials, and even the entire envelope can be signed by the appropriate parties. Any envelope or sub-envelope can be elided, without affecting these signatures and without impacting the ability to provably restore the data later.It’s progressive trust appropriate for use with fair witnessing in an existing form!
Toward a New EpistemologyBeing a Fair Witness isn’t about declaring truth. It’s about saying what’s known, with context, so others can assess what’s truth. Truth, in this model, is interpreted, not imposed. A verifier—or a jury—decides if a claim is credible, not because a central authority says so, but because the Fair Witness has provided information with sufficient context and endorsements.
In other words, fair witnessing is not about what is true, but about how we responsibly say what we believe to be true—and what others can do with that.
This is epistemology (the theory of knowledge) that’s structured as a graph. It’s cryptographically sound, privacy-respecting, and human-auditable. It reflects real-world trust: messy, contextual, and layered. By modeling that complexity rather than flattening it, we gain both rigor and realism.
ConclusionIn a world of machine-generated misinformation, ideological polarization, and institutional distrust, we must return to the foundations: observation, context, and human responsibility.
Fair witnessing offers a new path forward—one that is verifiable, privacy-respecting, and grounded in how humans actually trust.
Learn more: [ Progressive Trust Gordian Envelope ]After decades of cautiously watching from the sidelines, governments around the world have started investing in, rolling out, and regulating digital identity systems on aggressive timelines. These foundational changes to government infrastructure and the economy are happening largely outside public awareness, despite their generational consequences for privacy.
Digital identity systems implemented by governments today will shape privacy for decades. Whatever ecosystems and technical architectures are established in the coming years could ossify quickly, and it would take enormous political will to make changes at such a foundational level if society develops buyer's remorse once the ripple effects become clear.
That's why nearly 100 experts across technology, policy, and civil liberties have united around one principle: digital identity systems must be built without latent tracking capabilities that could enable ubiquitous surveillance. Thus, the nophonehome.com petition.
Who's Behind ThisCivil society groups working on legal advocacy and industry oversight (ACLU, EFF), cybersecurity experts (including Bruce Schneier), privacy-by-design software companies of various sizes (Brave, many DIF members), and experts from university faculties (Brown, Columbia, Imperial College London) all signed on. The list includes authors of collaborative open standards, chief executives, state privacy officers, and other public servants. This is not a coalition of "activists" so much as a broad coalition of experts and policy-watchers sounding an alarm about consequential decisions passing largely unnoticed by the average citizen and end-user.
The breadth of this coalition reflects widespread concern about the technical and policy implications of embedded tracking capabilities.
What "Phone Home" MeansAs a general rule, "phone-home" is a shorthand for architectural principles of tracking enablement (just as "no phone-home" refers to tracking mitigation, broadly speaking). When a verifier of credentials interacts directly with the credential's issuer—even if just to check validity or revocation status—they are "phoning" the credential's "home." This opens the subject and/or the holder of that credential to privacy risks, no matter how well the request is anonymized or handled. These API connections create data that can be combined, correlated, and abused, especially when verifiers share information or when issuers abuse their role.
The risks multiply when applied across domains. Federated protocols developed for use within organizations become surveillance systems when used between different sectors or jurisdictions. Phone home capabilities that seem innocuous within a single domain can become tools for tracking and control when applied broadly without aggressive oversight and fine-tuning. Over time, little mismatches and slippages in how these protocols work get exploited and stretched, amplifying glitches.
In the worst-case scenario, some systems enable real-time revocation decisions, giving issuers—potentially governments—immediate control over citizens' ability to access services, travel, or participate in society. A natural tendency to "over-request" foundational documents in situations where such strong identification is unjustified is amplified by familiarity, lack of friction, and other UX catnip; all the SHOULDs in the world won't stop verifiers from doing it. And verifiers over-asking without also providing a fallback or "slow lane" can make a sudden or temporary unavailability of foundational credentials painful or even exclusionary. The side-effects and externalities pile up dangerously in this industry!
Technologists see these kinds of capabilities (phone-home of any kind, remote revocation, low-friction foundational identity requests) like loaded guns in Act 1 of a Chekhov play: "If this capability exists within a digital identity system, even inactively, it will eventually be misused."
The Scale and Timing ProblemMost foundational identity systems being implemented for national-scale deployment include system-wide phone home tracking capabilities, either actively or latently. Many policymakers involved in these rollouts are not even aware of the tracking potential built into the standards they are adopting.
Four factors make this moment critical:
Scale of deployment: These systems will serve billions of users across developed nations, effectively replacing physical credentials. Precedent-setting effects: When one jurisdiction adopts tracking-enabled systems, it influences global practices and standards. Infrastructure persistence: Technical decisions made today will persist for decades, becoming prohibitively expensive to change once embedded. Mission creep inevitability: Capabilities developed for legitimate purposes like fraud prevention naturally accrue new private-sector and/or public-sector use-cases over time due to natural market pressures. Today's private-sector usage is tomorrow's public-sector secondary data market. The Fallacy of "Privacy by Policy"The fundamental problem with latent tracking capabilities is that policies change, but technical architecture persists. If a system has surveillance capability—even if unused—it will eventually be activated. Emergencies, changing administrations, or shifting political priorities can quickly justify "pressing the button" to enable widespread tracking.
The solution is simple: they cannot press a button they do not have.
Consider AAMVA's recent decision to prohibit the "server retrieval" capability throughout the U.S.—a positive step that we welcome. However, most low-level implementations (e.g. core libraries) will likely implement the entire specification and leave it to the last-mile implementers to honor (or not) this policy. As an incubator of new specifications and prototypes, DIF feels strongly that jurisdiction-by-jurisdiction policies is just "turning off" what the specification still instructs software to implement for later policies to turn back on at the flick of a switch. We believe the underlying ISO specification needs to remove "server retrieval" completely, lest every authority in the U.S. remain one emergency away from activating broad, identity-based surveillance of all citizens.
Privacy-Preserving Alternatives ExistThe choice between security and privacy is false. Offline-first verification operates without server communication—the credential contains cryptographic proofs that can be validated independently. The ISO 18013-5 standard itself includes "device retrieval" mode, a privacy-preserving alternative that functions entirely offline.
Even credential revocation can be implemented without phone home capabilities. Privacy-preserving revocation systems are in production today, proving that security and privacy can coexist.
The technology exists. The standards exist. What has been missing is commitment to prioritize privacy over the operational convenience of centralized tracking.
Moving ForwardAwareness is growing. We welcome developments like AAMVA's prohibition of server retrieval, but more work is needed across the broader digital identity ecosystem to eliminate latent surveillance capabilities entirely.
The Decentralized Identity Foundation develops standards that prioritize privacy, supports implementations that respect user autonomy, and advocates for technical architectures that prevent tracking and add friction to data misuse. Our membership includes many technologists and vendors designing tracking-free alternatives for these and other use cases.
We encourage you to read the full No Phone Home statement at https://nophonehome.com. Whether you are building, deploying, or using these systems, your voice matters at this critical juncture.
The question is not whether we can build privacy-preserving digital identity—it is whether we will choose to do so. Let's build it right.
The Decentralized Identity Foundation (DIF) is an engineering-driven organization focused on developing the foundational elements necessary to establish an open ecosystem for decentralized identity and ensure interoperability between all participants. Learn more at identity.foundation.
OASIS Members Advance Digital Lexicography with an Interoperable Data Model for Dictionaries
Boston, MA – 29 May 2025 – Members of OASIS Open, the global open source and standards organization, have approved the Data Model for Lexicography (DMLex) Version 1.0 as an OASIS Standard, a status that signifies the highest level of ratification. Developed by the OASIS Lexicographic Infrastructure Data Model and API Technical Committee (LEXIDMA TC), DMLex v1.0 establishes a groundbreaking framework for internationally interoperable lexicographic work, advancing innovation in digital dictionaries, language services, and related industries.
“We’re incredibly proud of what we’ve achieved with DMLex v1.0. This is a lifechanging milestone for lexicography, paving the way for a new level of digitisation and for truly innovative applications,” said Michal Měchura, Chair of the OASIS LEXIDMA TC. “By providing a common framework for structuring and exchanging lexicographic resources, DMLex empowers language documentors around the world to manage their content more effectively, to collaborate and to build smarter language technologies.”
Lexicography has undergone a profound transformation in the digital age, with dictionaries now being compiled from language corpora and consumed through web platforms, mobile apps, and integrated into search engines, writing tools, and machine translation software. However, legacy data models have been hampering further innovation. DMLex v1.0 addresses these challenges by introducing a modular, IT-friendly, and content-rich data model designed to meet the needs of both lexicographers and technology developers. DMLex has been designed to be easily and straightforwardly implementable in XML, JSON, RDF, NVH, as a relational database, and as a Semantic Web triplestore.
OASIS encourages widespread adoption of DMLex v1.0 and invites feedback from lexicographers, developers, and other stakeholders to further enhance its capabilities. Participation in the LEXIDMA TC is open to all through membership in OASIS. For more information, visit the TC homepage and read Michal Měchura’s blog post exploring the goals and impact of DMLex.
The post Data Model for Lexicography Approved as an OASIS Standard appeared first on OASIS Open.
In 1958, Oliver R. Smoot, a student at MIT, was famously used as a human measuring stick to measure the length of the Harvard Bridge. Smoot, measuring a mere 5 foot 7 inches (1.70 m), would lay down on the bridge as his associates noted his position. It took a fair bit of time to measure the bridge as Smoot had to be carried by his associates to each new position – but the effort was well worth it. Thus, a playful, unconventional unit of measure was born. Over the years, smoot is remembered as a symbol of creativity, collaboration, and the unique quality of grassroots development.
Mercari, the Japanese e-commerce company behind the Mercari marketplace, has surpassed 10 million registered users of passkeys for authentication.
Yubico, a provider of hardware authentication security keys, has announced the expanded availability of YubiKey as a Service to all countries in the European Union.
This builds upon the company’s existing reach in markets such as the UK, U.S., India, Japan, Singapore, Australia and Canada. In addition, Yubico has expanded the availability of YubiEnterprise Delivery across 117 new locations around the world.
This now brings the total to 199 locations (175 countries and 24 territories and it more than doubles existing delivery coverage of YubiKeys to both office and remote users in a fast nad turnkey way. “Enterprises today are facing evolving cyber threats like AI-driven phishing attacks,” said Jeff Wallace, senior vice president of product at Yubico.
Authentication software company Entersekt has launched a partnership with South Africa-based PayTech solution provider Stanchion.
The partnership is aimed at “enhancing payment integration capabilities and delivering cutting-edge solutions to financial institutions worldwide,” the companies said in a Wednesday (May 21) news release.
The collaboration combines Stanchion’s tools for “modernizing, transforming, and accelerating innovation within payment systems” with Entersekt’s 3-D Secure payment authentication solution, which provides transaction authentication across all three domains: the merchant acquirer domain, the card issuer domain and the interoperability domain.
Passwords have been used as the first line of defense in protecting one’s digital identity, but they are fast becoming obsolete due to rampant identity theft. There seems to be no value in passwords anymore due to the increase in breaches of security systems on different platforms. This calls for an easier method of suppressing theft.
It is equally important to recognize the rise of passkeys as they help a great deal in bolstering digital identity protection.
As a precursor to the LF Decentralized Trust Mentorship 2025 Project, “Blockchain-Based OAuth 2.0 Authorization in 5G Core Networks with Hyperledger Fabric,” this blog is the first in a series that explores the evolution of OAuth 2.0 authorization in 5G Core Networks, highlighting its current limitations and the potential of decentralized frameworks to enhance security. In this series, we will discuss how OAuth 2.0 operates in 5G, its risks, and how the integration of Hyperledger Fabric can overcome these challenges.
WAO is currently working with the Responsible Innovation Centre for Public Media Futures (RIC), which is hosted by the BBC. The project, which you can read about in our kick-off post, is focused on research and analysis to help the BBC create policies and content to help improve the AI Literacy skills of young people aged 14–19.
We’re now at the stage where we’ve reviewed academic articles and resources, scrutinised frameworks, and reviewed input from over 40 experts in the field. They are thanked in the acknowledgements section at the end of this post.
One of the things that has come up time and again is the need for an ethical basis for this kind of work. As a result, in this post we want to share the core values that inform the development of our (upcoming) gap analysis, framework, and recommendations.
Public Service Media ValuesPublic Service Media (PSM) organisations such as the BBC have a mission to “inform, educate, and entertain” the public. The Public Media Alliance lists seven PSM values underpinning organisations’ work as being:
Accountability: to the public who fund it and hold power to account Accessibility: to the breadth of a national population across multiple platforms Impartiality: in news and quality journalist and content that informs, educates, and entertains Independence: both in terms of ownership and editorial values Pluralism: PSM should exist as part of a diverse media landscape Reliability: especially during crises and emergencies and tackling disinformation Universalism: in their availability and representation of diversityThese values are helpful to frame core values for the development of AI Literacy in young people aged 14–19.
AI Literacy Core ValuesUsing the PSM values as a starting point, along with our input from experts and our desk research, we have identified the following core values. These are also summarised in the graphic at the top of this post.
1. Human Agency and EmpowermentAI Literacy should empower young people to make informed, independent choices about how, when, and whether to use AI. This means helping develop not just technical ability, but also confidence, curiosity, and a sense of agency in shaping technology, rather than being shaped by it (UNESCO, 2024a; Opened Culture, n.d.). Learners should be encouraged to question, critique, adapt, and even resist AI systems, supporting both individual and collective agency.
2. Equity, Diversity, and InclusionAll young people, regardless of background, ability, or circumstance should have meaningful access to AI Literacy education (Digital Promise, 2024; Good Things Foundation, 2024). Ensuring this in practice means addressing the digital divide, designing for accessibility, and valuing diverse perspectives and experiences. Resources and opportunities must be distributed fairly, with particular attention to those who are digitally disadvantaged or underrepresented.
3. Critical Thinking and Responsible UseYoung people should be equipped to think critically about AI, which means evaluating outputs, questioning claims, and understanding both the opportunities and risks presented by AI systems. In addition, young people should be encouraged to understand the importance of responsible use, including understanding bias, misinformation, and the ethical implications of AI in society (European Commission, 2022; Ng et al., 2021).
4. Upholding Human Rights and WellbeingUsing a rights-based approach — including privacy, freedom of expression, and the right to participate fully in society — helps young people understand their rights, navigate issues of consent and data privacy, and recognise the broader impacts of AI on wellbeing, safety, and social justice (OECD, 2022; UNESCO, 2024a).
5. Creativity, Participation, and Lifelong LearningAI should be presented as a tool for creativity, collaboration, and self-expression, not just as a subject to be learned for its own sake. PSM organisations should value and promote participatory approaches, encouraging young people to contribute to and shape the conversation about AI. This core value also recognises that AI Literacy is a lifelong process, requiring adaptability and a willingness to keep learning as technology evolves (UNESCO, 2024b).
Next StepsWe will be running a roundtable for invited experts and representatives of the BBC in early June to give feedback on the gap analysis and emerging framework. We will share a version of this after acting on their feedback.
If you are working in the area of AI Literacy and have comments on these values, please add them to this post, or get in touch: hello@weareopen.coop
AcknowledgementsThe following people have willingly given up their time to provide invaluable input to this project:
Jonathan Baggaley, Prof Maha Bali, Dr Helen Beetham, Dr Miles Berry, Prof. Oli Buckley, Prof. Geoff Cox, Dr Rob Farrow, Natalie Foos, Leon Furze, Ben Garside, Dr Daniel Gooch, Dr Brenna Clarke Gray, Dr Angela Gunder, Katie Heard, Prof. Wayne Holmes, Sarah Horrocks, Barry Joseph, Al Kingsley MBE, Dr Joe Lindley, Prof. Sonia Livingstone, Chris Loveday, Prof. Ewa Luger, Cliff Manning, Dr Konstantina Martzoukou, Prof. Julian McDougall, Prof. Gina Neff, Dr Nicola Pallitt, Rik Panganiban, Dr Gianfranco Polizzi, Dr Francine Ryan, Renate Samson, Anne-Marie Scott, Dr Cat Scutt MBE, Dr Sue Sentance, Vicki Shotbolt, Bill Thompson, Christian Turton, Dr Marc Watkins, Audrey Watters, Prof. Simeon Yates, Rebecca Yeager
References Digital Promise (2024). AI Literacy: A Framework to Understand, Evaluate, and Use Emerging Technology. https://doi.org/10.51388/20.500.12265/218 European Commission (2022) DigComp 2.2, The Digital Competence framework for citizens. Luxembourg: Publications Office of the European Union. https://doi.org/10.2760/115376. Good Things Foundation (2024) Developing AI Literacy With People Who Have Low Or No Digital Skills. Available at: https://www.goodthingsfoundation.org/policy-and-research/research-and-evidence/research-2024/ai-literacy Jia, X., Wang, Y., Lin, L., & Yang, X. (2025). Developing a Holistic AI Literacy Framework for Children. In Proceedings of the 2025 CHI Conference on Human Factors in Computing Systems (pp. 1–16). ACM. https://doi.org/10.1145/3727986 Ng, D. T. K., Leung, J. K. L., Chu, S. K. W., & Qiao, M. S. (2021). Conceptualizing AI literacy: An exploratory review. Computers and Education: Artificial Intelligence, 2(100041), 100041. https://doi.org/10.1016/j.caeai.2021.100041 OECD (2022) OECD Framework for Classifying AI Systems. Paris: OECD Publishing. https://www.oecd.org/en/publications/oecd-framework-for-the-classification-of-ai-systems_cb6d9eca-en.html Opened Culture (n.d.) Dimensions of AI Literacies. Available at: https://openedculture.org/projects/dimensions-of-ai-literacies Open University (2025) A framework for the Learning and Teaching of Critical AI Literacy skills. Available at: https://www.open.ac.uk/blogs/learning-design/wp-content/uploads/2025/01/OU-Critical-AI-Literacy-framework-2025-external-sharing.pdf UNESCO (2024a) UNESCO AI competency framework for students. Available at: https://unesdoc.unesco.org/ark:/48223/pf0000391105 UNESCO (2024b) UNESCO AI Competency Framework for Teachers. Available at: https://unesdoc.unesco.org/ark:/48223/pf0000391104ISL presented at ConPro 2025’s 9th Workshop on Technology and Consumer Protection. The conference was a perfect opportunity to showcase our presentation on Safetypedia: Crowdsourcing Mobile App Privacy and Safety Labels.
The post IEEE’s ConPro ’25: Safetypedia: Crowdsourcing Mobile App Privacy and Safety Labels appeared first on Internet Safety Labs.
Many in the DIF community are asking about the upcoming Global Digital Collaboration conference in Geneva. As the date is quickly arriving, we wanted to give a sneak preview of what's ahead.
Table of Contents:
About the GDC Conference The Agenda Learn more and participate About the GDC Conference Key Details When: July 1-2, 2025 Where: Centre International de Conférences Genève (CICG), Switzerland Cost: Free (registration required) Register: https://lu.ma/gc25 (registration is available through any co-organizing partner) What is the GDC?Global Digital Collaboration is a landmark gathering bringing together 30+ global organizations to advance digital identity, wallets, and credentials - hosted by the Swiss Confederation.
What makes this conference truly unique is that, from the beginning, it's been co-organized by the participating organizations, who have worked with their communities, and with each other, to form an agenda that will help advance the most critical topics in digital identity.
Rather than being driven by a single organization's vision, the GDC represents a collaborative effort where international organizations, standards bodies, open-source foundations, and industry consortia have jointly defined priorities and sessions that address the most pressing challenges in digital trust infrastructure. This multi-stakeholder approach ensures broader perspectives are represented and creates unprecedented opportunities for alignment across traditionally separate communities.
Why Attend? Unprecedented collaboration: This conference's collaborative nature bridges organizations that rarely coordinate at this scale. Connect: Connect with peers from government and private sectors to advance standards coordination, cross-border interoperability, and robust digital public infrastructure Network with experts: Engage directly with technical leaders, government officials, and industry pioneers shaping the future of digital trust Who Is Organizing?The current list of co-organizers can be seen in the header image, with more to be added later this week. As a brief preview, this includes:
International & Government Organizations
European Commission (DG-CNECT) International Telecommunication Union (ITU) United Nations Economic Commission for Europe (UNECE) World Health Organization (WHO)Standards Development Organizations & Open Source Foundations
Decentralized Identity Foundation (DIF) Eclipse Foundation European Telecommunications Standards Institute (ETSI) FIDO Alliance International Electrotechnical Commission (IEC) International Organization for Standardization (ISO) Linux Foundation Decentralized Trust (LFDT) OpenWallet Foundation (OWF) Trust Over IP (TOIP) World Wide Web Consortium (W3C)Industry Consortia
Cloud Signature Consortium (CSC) Digital Credentials Consortium (DCC) Global Legal Entity Identifier Foundation (GLEIF)Next, we'll look at the exciting conference agenda and highlight key sessions for the DIF community.
The AgendaThe conference is structured across two distinct days, each with a specific purpose. Day 1 features plenary sessions designed to provide comprehensive overviews of global initiatives and sector-specific developments in digital identity. This agenda is nearly finalized and a draft has been published.
Day 2 offers a more interactive format with parallel presentations, technical deep dives, workshops, and collaborative sessions. The preliminary Day 2 schedule will be published next week, but we can share an early preview of the key themes and sessions that should be of particular interest to the DIF community.
Day 1: Global Landscape & Sector Scan Morning sessions feature updates from government and industry stakeholders worldwide Afternoon sessions explore major use cases across sectors including travel, health, education, and finance Morning: Opening & Global Landscape Opening addresses by leaders from ITU, ISO, WHO, and more Regional updates from: European Commission Switzerland United States China/Singapore Japan India Korea Australia Global South Afternoon: Sector Updates 🚘 Driving Licenses 🧳 Travel Credentials ⚕️ Health Credentials 📚 Educational Credentials 📦 Trade 💸 Payments 🏢 Organizational Credentials 🪙 Digital Assets 🪪 Standards for ID and Wallets 🔏 Digital Signatures 🔑 Car Keys Day 2: Technical Deep Dives and Working SessionsDay 2 features parallel sessions where participants will be encouraged to follow their interests plus share their experience and expertise.
Parallel sessions across multiple tracks including:
Privacy & Security: Zero-knowledge proofs, unlinkability Industry and Organizational Focus: Industry 4.0, Digital Product Passports, European Business Wallet Implementation & Deployment: Real-world wallet applications Standards & Interoperability: Cross-border credential exchange Policy & Regulation: Governance frameworks Emerging Technology: Emerging needs around AI and digital identity Demo Hour: See wallet applications and more Learn More and Participate Get UpdatesThere will soon be a GDC web site to more easily access event information and schedule. For now, we recommend:
Follow Global Digital Collaboration on LinkedIn And of course, subscribe to the DIF blog for additional updates focused on the DIF community Ready to Register?You can also register through any co-organizer available at https://lu.ma/gc25
👉 DIF community members are encouraged to use DIF's dedicated registration link: https://lu.ma/gc25-dif
Tickets are free of charge and grant full access to the entire conference, regardless of the organization used during registration
Hotels & DiscountsThe upcoming GDC web site will be updated with the latest information. For now, feel free to use the discount codes on this google document.
Looking ForwardThe Global Digital Collaboration conference represents a unique opportunity for advancing digital identity solutions that can work across borders while putting users in control. DIF is committed to ensuring privacy and agency remain front and center in these conversations.
For those in the DIF community and beyond, this is an unparalleled opportunity to shape the future of digital identity in collaboration with global decision-makers and implementers.
How do you build a beverage brand from scratch and land in over a thousand stores?
For Aisha Chottani, it started with stress and a few homemade “potions”.
In this episode, Aisha, Founder and CEO of Moment, joins hosts Reid Jackson and Liz Sertl to talk through what really goes into launching and scaling a functional drink brand. From labeling boxes by hand to managing relationships with co-packers and navigating supply chain failures, Aisha shares the behind-the-scenes story most startup founders keep to themselves.
She also gets real about what went wrong, like barcode mix-ups and Amazon returns gone sideways, and how those lessons became systems that power Moment’s growth today.
In this episode, you’ll learn:
Why small brands need relationships more than volume
How early mistakes can turn into long-term wins
What to watch out for when scaling distribution and operations
Jump into the conversation:
(00:00) Introducing Next Level Supply Chain
(01:34) Building a global mindset from four continents
(03:07) From McKinsey burnout to homemade “potions”
(06:06) Barcode errors and the pain of early logistics
(08:21) Growing Moment to 1,000 stores and 30 DCs
(11:33) What small brands can leverage on
(14:06) Collaborating with Lululemon
(17:15) Why Moment leans into a subscription model
(20:39) Operational failures to learn from
(27:36) Aisha’s favorite technology
Connect with GS1 US:
Our website - www.gs1us.org
Connect with the guest:
Aisha Chottani on LinkedInCheck out Moment
Watch the full recording on YouTube.
Status: Verified by PresenterPlease note that ToIP used Google NotebookLM to generate the following content, which the presenter has verified.
Google NotebookLM Podcast
https://trustoverip.org/wp-content/uploads/EGWG-2025-05-15_-The-C2PA-Conformance-Program-Scott-Perry.wavHere is a detailed briefing document reviewing the main themes and most important ideas or facts from the provided source, generated by Google’s NotebookLM:
Briefing Document: Review of C2PA and its GovernanceDate: May 15, 2024
Source: Excerpts from “GMT20250515-145218_Recording_2560x1440.mp4”
Presenter: Scott Perry, Co-chair of Trust over IP’s Foundations Steering Committee, Founder and CEO of the Digital Governance Institute, Co-chair of the Creator Assertions Working Group at the Decentralized Identity Foundation (DIF).
Topic: C2PA (Coalition for Content Provenance and Authenticity) and the Application of Trust over IP’s Governance Metamodel.
This briefing summarizes a presentation by Scott Perry on the Coalition for Content Provenance and Authenticity (C2PA) and the application of the Trust over IP (ToIP) governance metamodel to its conformance program. The C2PA is an industry-wide initiative creating a technical standard to attach “truth signals” or provenance information to digital objects. Facing a critical need to operationalize and govern this specification to ensure market trust and adoption, the C2PA has adopted the ToIP governance metamodel. This framework provides the necessary structure to establish a conformance program, define roles and responsibilities, manage risks, and create trust lists for compliant products and certification authorities. The program is set to officially launch on June 4th, initially focusing on self-assertion for conformance and introducing two levels of implementation assurance, with plans for independent attestation and higher assurance levels in the future.
2. Key Themes and Ideas The Problem of Trust in Digital Objects: The presentation highlights the growing challenge of establishing trust and authenticity for digital content in a world of easily manipulated or AI-generated media. This is particularly relevant for industries like telecommunications struggling with identity and verification, as noted by a participant’s observation about OTPs and SMS verification. C2PA as a Standard for Provenance and Authenticity: The C2PA specification aims to provide a technical solution by creating a “content credential” or manifest that is cryptographically bound to a digital object. This manifest acts as a ledger of actions taken on the object, providing a history and “nutrition label” of its source and modifications. “basically, it’s all of the major tech companies except Apple… coming together to create a standard for provenence, authenticity, truth signals on digital objects that can be digitally attached to digital objects.” Content Credential (Manifest): This is the core mechanism of the C2PA. It is a digitally attached ledger of actions taken on a digital object, such as “Camera took picture,” “edited picture,” or “an AI took this picture.” This manifest is “bound to it and linked to it” in a “cryptographically binding format,” providing tamper evidence. Scope of C2PA Responsibility: The C2PA primarily focuses on “created assertions,” which are “product-driven,” documenting actions taken within a product (e.g., a camera generating a picture, Photoshop editing an image). Distinction from “Gathered Assertions”: The C2PA does not take responsibility for “gathered assertions,” which are claims made by individuals or organizations outside of a product (e.g., “I Scott Perry took the picture” or industry-specific identifiers). These are the purview of other groups like CAWG (Content Authenticity Working Group) and related efforts like the Creator Assertions working group at DIF. Binding Mechanism: The C2PA uses X.509 certificates to bind the generator product to the digital asset. “when a picture is taken, the X509 certificate will be used will be binding it will be used to bind it bind the product to the asset.” This requires camera manufacturers and other product vendors to obtain certificates from approved Certification Authorities (CAs). The Need for Governance: While the C2PA created a technical specification, they recognized the critical need for a governance framework to operationalize and control the standard’s implementation and use in the market. “the key aspect is you have a spec out but you can’t control the use of the specification… they couldn’t get, you know, their arms around, you know, the on controlling its the specification use.” Application of ToIP Governance Metamodel: Scott Perry highlights how the ToIP governance metamodel provided the necessary structure for the C2PA to build its conformance program. “I came in with my toolkit from the the trust over IP project and it worked beautifully. It just created the structure to allow them to make the right decisions for themselves.” Key Components of the Governance Program (based on ToIP):Risk Assessment: Started with a “threats and harms task force” to identify major risks, particularly around the tampering of evidence and manifests. Governance Requirements and Framework: Defined primary documents (specification, security requirements, legal agreements) and control documents (privacy, inclusion, equitability requirements). A key output is a glossary of terms for the new ecosystem. Governance Roles and Processes: Identified key roles: the Governing Authority (C2PA Steering Committee), the Administering Party (Conformance Task Force), and Governed Parties (CAs, Generator Product companies, Validator Product companies). Legal Agreements: Formal agreements are being established between the C2PA and governed parties outlining roles, responsibilities, conformance requirements, and dispute resolution mechanisms. Conformance Criteria and Assurance: Defined based on the C2PA specification and implementation security requirements. The program includes “four levels of of assurance around the implementation of products,” though initially rolling out with two levels. These levels are tied to “security objectives” and assessed against the “target of evaluation” (the product and its supporting infrastructure). Conformance Process: Involves an intake form, application review, assessment of infrastructure (initially self-assertion, moving towards independent attestation), legal agreement signing, and adding records to trust lists. Residual Risk Assessment and Adaptation: The program includes a process to learn from the rollout, identify unmet requirements or issues, and adapt the program for continuous improvement. Trust Lists (Registries): Central to the program are trust lists identifying approved Generator Products, Validator Products, and Certification Authorities. A timestamp authority trust list is also being added. Levels of Assurance: The program is defining levels (initially rolling out two) to reflect different degrees of confidence in the implementation of the C2PA specification and associated security requirements. Achieving a higher level of assurance requires meeting all requirements for that level. Self-Assertion (Initial Rollout): Due to the complexity of auditing and getting the program launched quickly, the initial phase requires participants to self-assert that they meet the specification and requirements. Conformance Certificate: Upon successful conformance, products will receive a certificate tied to an OID (Object Identifier) denoting the assurance level they have achieved. This OID in the manifest’s certificate will identify the assurance level of the provenance information. JPEG Trust and Copyright: While C2PA provides provenance information that can be used for copyright, it doesn’t define ownership or copyright laws. JPEG Trust is mentioned as an organization creating an ISO standard focused on copyrights in concert with the C2PA standard. Relationship with W3C: The C2PA is actively engaged with the W3C, with discussions happening at the technical working group level regarding related standards like PROV (for provenance). Future Directions: Plans include introducing higher levels of assurance, implementing independent attested conformance, developing quality control software for assessing product compliance, and establishing a fee structure for the conformance program. CAWG (Content Authenticity Working Group) as a Broader Ecosystem: CAWG is viewed as a potentially larger ecosystem dealing with identity, metadata, endorsements, and AI learning process specifications, which will need to create their own applications and standards that can integrate with the C2PA foundation. 3. Important Ideas and Facts The C2PA is the Coalition for Content Provenance and Authenticity. It includes major tech and product manufacturers, excluding Apple initially but aiming to include them. The core technical output is the Content Credential (Manifest), a digitally attached ledger of actions on a digital object. The manifest provides tamper evidence and binds the product to the asset using X.509 certificates. C2PA focuses on “created assertions” (product-driven actions), leaving “gathered assertions” (individual/organizational claims) to other groups like CAWG. The Trust over IP governance metamodel has been successfully applied to structure the C2PA conformance program. The program addresses threats and harms related to tampering and requires adherence to implementation security requirements. The C2PA conformance program will officially launch on June 4th at the Content Authenticity Initiative symposium in New York City. The initial launch will include two levels of implementation assurance and a self-assertion confidence model. Key outputs of the governance program are legal agreements and trust lists of conforming products and certification authorities. The C2PA standard is becoming an ISO standard this year. Timestamp authorities will play a crucial role in providing trust signals related to the time of claim assertion. The program includes mediation and dispute resolution mechanisms in its legal agreements. The governance program provides the structure for the C2PA to “operationalize the spec” and control its use. 4. Key Quotes “basically, it’s all of the major tech companies except Apple… Coming together to create a standard for provenence, authenticity, truth signals on digital objects that can be digitally attached to digital objects.” “what it what it’s proposed to do is to create a ledger of actions against a digital object that is bound to it.” “It’s kind of the nutrition label on food… it’s really the nutrition label of all digital objects.” “The C2PA did not want to get involved in all of the the potential root, you know, actions and and variances about those types of things. They wanted to create the platform.” “They create the platform and they create the binding between the digital asset and the and the manifest using X509 certificates.” “The key aspect is you have a spec out but you can’t control the use of the specification… they couldn’t get, you know, their arms around, you know, the on controlling its the specification use.” “the governance program was needed to operationalize the spec. The spec was had, you know, a limitation in its usefulness without a governance program around it.” “I came in with my toolkit from the the trust over IP project and it worked beautifully. It just created the structure to allow them to make the right decisions for themselves.” “we’re creating a program which will hold generator and validator products accountable to the specific ification that’s already been published.” “We are creating two levels of implement implementation assurance and we are are using a self assertion confidence model we don’t have the mechanisms in place to hold organizations accountable for meeting the specification we don’t have an you know an assurance mechanism in place yet to do that.” “It is the hope that you know copyright laws can use the trust signals that are coming from the CTBA specification and conformance program in use for defining ownership and copyright.” “The conformance criteria is the spec and the spec is now at at level 2.2.” “we are looking at levels of assurance around the implementation of a product. Now it’s not just the product but it’s also its infrastructure.” “These are the kinds of records that were that are in the schema for the trust list.” 5. Next Steps Official launch of the C2PA conformance program on June 4th. Continued work on independent attestation and higher levels of assurance for the conformance program. Development of quality control software or processes for assessing product compliance. Ongoing collaboration with W3C and other relevant standards bodies. Further exploration of the broader CAWG ecosystem and its integration with C2PA.This briefing provides a foundational understanding of the C2PA, its technical specification, and the crucial role of the newly established governance program, structured using the Trust over IP metamodel, in driving its adoption and ensuring trust in the digital content landscape.
For more details, including the meeting transcript, please see our wiki 2025-05-15 Scott Perry & The C2PA Conformance Program – Home – Confluence
https://www.linkedin.com/in/scott-perry-1b7a254/ https://digitalgovernanceinstitute.com/The post EGWG 2025-05-15: The C2PA Conformance Program, Scott Perry appeared first on Trust Over IP.
NETOPIA Payments becomes the first online payment processor in the world to implement Click to Pay with Passkey FIDO (Fast Identity Online) – a modern online checkout solution built on EMV® global standards, designed to redefine the digital payment experience: faster, safer, and without manual card data entry.
Shane Weeden, IBM
An Ho, IBM
Abstract
Session hijacking is a growing initial attack vector for online fraud and account takeover. Because FIDO authentication reduces the effectiveness of other simpler forms of compromise, such as credential stuffing and phishing, cybercriminals turn to theft and re-use of bearer tokens. Bearer tokens are a form of credential which include session cookies used by browsers connecting to websites and OAuth access tokens used by other thick client application types such as native mobile applications. When these credentials are long-lived and can be “lifted and shifted” from the machine where they were created to be usable by a bad actor from another machine, their tradable value is significant. Emerging technologies such as Device Bound Session Credentials (DBSC) for browsers and Demonstrating Proof of Possession (DPoP) for OAuth applications seek to reduce the threat of session hijacking. This article describes how these technologies address the problem of session hijacking and how they complement strong phishing resistant authentication in online ecosystems.
Audience
This white paper is for chief information security officers (CISOs) and technical staff whose responsibility it is to protect the security and life cycle of online identity and access management from online fraud.
Download the White Paper 1. IntroductionAuthentication and authorization are integral parts of an identity lifecycle, especially for online credential ecosystems. The growing threat of online identity fraud with costly security incidents and breaches has enterprises looking for ways to protect and secure their workforces from account takeover through different attack vectors such as phishing, credential stuffing, and session hijacking. For authentication, FIDO authentication with passkeys provides users with “Safer, more secure, and faster online experiences”, and an increase in the adoption of passkeys has contributed to a reduction of the success of attack vectors of credential phishing, credential stuffing, and session hijacking accomplished via man-in-the-middle (MITM) phishing attacks. However, what happens after the authentication ceremony?
After authentication, browsers and application clients are typically issued other credentials. Enterprise applications generally fall into two primary categories: those that are web browser based and use session cookies for state management and those that are thick client applications using OAuth access tokens (this includes some browser-based single page applications and most native mobile applications). Both types of credentials (session cookies and access tokens) are considered, in their basic use, as “bearer” tokens. If you have the token (the session cookie or the access token), then you can continue to transact for the lifetime of that token as the user who authenticated and owned it.This whitepaper explores adjacent technologies that address the “lift and shift” attack vector for bearer tokens and how these technologies complement FIDO-based authentication mechanisms. In particular, this paper focuses on the proposed web standard Device Bound Session Credentials (DBSC) for protecting browser session cookies and OAuth 2.0 Demonstrating Proof of Possession (DPoP) for protecting OAuth grants.
2. Terminologysession hijacking: An exploitation of the web session control mechanism that is normally managed for a session cookie.
credential stuffing: An automated injection of stolen username and password pairs (credentials) into website login forms to fraudulently gain access to user accounts.
1. Passkeys – https://fidoalliance.org/passkeys/
2. Device Bound Session Credentials – https://github.com/w3c/webappsec-dbsc
3. OAuth 2.0 Demonstrating Proof of Possession (DPoP) – RFC9449: https://datatracker.ietf.org/doc/html/rfc9449
4. Session hijacking attack https://owasp.org/www-community/attacks/Session_hijacking_attack
5. Credential stuffing https://owasp.org/www-community/attacks/Credential_stuffing
access token: A credential used by a client-side application to invoke API calls on behalf of the user.
session cookie: A credential managed by browsers to maintain session state between a browser and a website.
bearer token: A token (in the context of this whitepaper may refer to either an access token or a session cookie) so called because whoever holds the token can use it to access resources. A bearer token on its own can be “lifted and shifted” for use on another computing device.
sender-constrained token: A token protected by a mechanism designed to minimize the risk that anything other than the client which established the token during an authentication process could use that token in subsequent requests for server-side resources.
Device Bound Session Credential (DBSC): A proposal for a W3C web standard defining a protocol and browser behavior to establish and maintain sender-constrained cookies. The mechanism uses proof of possession of an asymmetric cryptographic key to help mitigate session cookie hijacking.OAuth 2.0 Demonstrating Proof of Procession (DPoP): A mechanism for implementing sender-constrained access tokens that requires clients to demonstrate possession of an asymmetric cryptographic key when using the token.
OAuth 2.0 Demonstrating Proof of Procession (DPoP): A mechanism for implementing sender-constrained access tokens that requires clients to demonstrate possession of an asymmetric cryptographic key when using the token.
3. Adjacent/complementary technologies for a secure ecosystemWhile FIDO authentication technology can effectively eliminate phishing and credential stuffing attacks that occur during the login process, the addition of solutions to mitigate threats associated with bearer token theft is equally important. Bad actors whose attacks are thwarted during the login process will go after the next weakest link in the chain and try to steal post-authentication bearer tokens. This section explores two of these technologies for protecting bearer tokens: Device Bound Session Credentials (DBSC) protect browser-based session cookies and Demonstrating Proof of Possession (DPoP) protects OAuth grants. Alternative approaches to protect bearer tokens are also discussed.
Because no single piece of technology can protect against all threats, a combination of multiple techniques is required for adequate protection.
Table 1: Combination of technologies for increased security
TechnologiesAuthentication threatsPost-authentication threatsRemote PhishingCredential StuffingToken TheftPasskeysDBSC/DPoPPasskeys + DBSC/DPoP3.1 Browser session cookie security
Before discussing Device Bound Session Credentials (DBSC), you will need to understand the problem being addressed regarding browser session cookies. Session hijacking via cookie theft allows an attacker, who possesses stolen cookies, to bypass end-user authentication, including any strong or multi-factor authentication (MFA). This is particularly problematic when browsers create long-lived session cookies (which are a type of bearer token), since these cookies can be traded as alternatives to a user’s primary authentication credentials and then used from the attacker’s machine. This can lead to unauthorized access to sensitive data, financial loss, and damage to an organization’s reputation.
Attackers perform cookie theft through various methods such as man-in-the-middle phishing of a user’s existing MFA login process (when phishing-resistant authentication such as FIDO is not used), client-side malware, and occasionally through vulnerabilities in server-side infrastructure or software. Regardless of how cookie theft is perpetrated, when successful, these attacks are not only dangerous, but also hard to isolate and detect. Complementary technologies, such as Device Bound Session Credentials (DBSC), minimize the risks associated with browser cookie theft by making stolen cookies impractical to use from any machine other than the machine to which they were issued during authentication.
3.2 Device Bound Sessional Credentials – DBSC
DBSC refers to a proposed web standard currently in development within the Web Application Security working group of the W3C[2]. The goal of DBSC is to combat and disrupt the stolen web session cookies market. This is achieved by defining an HTTP messaging protocol and required browser and server behaviors to result in binding the use of application session cookies to the user’s computing device. DBSC uses an asymmetric key pair and in browser implementations the private keys should be unextractable by an attacker – for example stored within a Trusted Platform Module (TPM), secure element, or similar hardware-based cryptographic module.
At a high level, the API in conjunction with the user’s browser and secure key storage capabilities, allows for the following:
The server communicates to the browser a request to establish a new DBSC session. This includes a server-provided challenge. The browser generates an asymmetric key pair, then sends the public key along with the signed challenge to the server. This process is referred to as DBSC registration. Browser implementations of DBSC should use operating system APIs that facilitate secure, hardware-bound storage and use of the private key. The server binds the public key to the browser session by issuing a short-lived, refreshable auth_cookie which is then required to be transmitted in subsequent browser requests to the web server.As the auth_cookie regularly expires, a mechanism is required for the browser to refresh the auth_cookie asynchronously to primary application web traffic. The refresh process requires signing a new server-issued challenge with the same private key created during DBSC registration, thereby re-proving (regularly) that the client browser is still in possession of the same private key.
Limiting the lifetime of the auth_cookie to short periods of time (for example, a few minutes) disrupts the market for trading long-lived session cookies. An attacker can only use stolen session cookies (including the auth_cookie) for a brief period, and cannot perform a refresh operation, since the private key required to perform a refresh operation is not extractable from the client machine.
DBSC may be introduced into existing deployments with minimal changes to the application. This is important as DBSC could easily be incorporated as a web plugin module in existing server-side technology (for example, Apache module, Servlet Filter, or reverse proxy functionality). This permits enterprises to roll out deployment of DBSC in phases without a complete overhaul of all current infrastructure and companies can prioritize certain critical endpoints or resources first.
DBSC server-side implementations can also be written in a manner that permits semantics, for example: “If the browser supports DBSC, use it, otherwise fallback to regular session characteristics.” This allows users to gain the security advantages of DBSC when they use a browser that supports it without having to require all users to upgrade their browsers first.
Refer to the Device Bound Session Credentials explainer for more details on the DBSC protocol and standard, including a proposal for enterprise-specific extensions that adds attestation to DBSC keypairs.
3.2.1 What makes DBSC a technology complementary to FIDO?
The DBSC draft standard permits the login process to be closely integrated with the DBSC API. While FIDO is a mechanism that makes authentication safer and phishing resistant, DBSC is a mechanism that makes the bearer credential (session cookie) safer post-authentication. They complement each other by reducing the risk of account takeover and abuse, making the entire lifecycle of application sessions safer.
3.2.2 Alternative solutions
DBSC is not the first standard to propose binding session cookies to a client device. Token Binding is an alternative that combines IETF RFCs 8471, 8472, and 8473. Token Binding over HTTP is implemented via a Transport Layer Security (TLS) extension and uses cryptographic certificates to bind tokens to a TLS session. Token Binding has had limited browser adoption and is complex to implement as it requires changes at the application layer and in TLS security stacks. The Token Binding over HTTP standard has not been widely adopted and only one major browser currently offers support.
3.2.3 Advice
The DBSC standard relies on local device security and operating system APIs for storage and use of the private key that is bound to the browser’s session. While these private keys cannot be exported to another device, the key is available on the local system and may be exercisable by malware residing on the user’s device. Similarly, in-browser malware still has complete visibility into both regular session cookies and short-lived auth_cookies. DBSC is not a replacement for client-side malware protection, and the threat model for DBSC does not provide protections from persistent client-side malware. Ultimately, the user must trust the browser.
As browsers start to support DBSC over time, it will be important for servers to be able to work with a mix of browsers that do and do not include support for this technology. Some enterprises may dictate that corporate issued machines include browsers known to support DBSC, but many will not. It will be necessary for server-side implementations to take this into consideration, using DBSC when the browser responds to registration requests, and tolerating unbound session cookies when the browser does not. When building or choosing a commercial solution, ensure you consider this scenario, and include the ability to implement access control policies that strictly require DBSC in highly controlled or regulated environments or for specific applications.
At the time of writing, DBSC is in early evolution. It remains to be seen whether or not it will be widely adopted by browser vendors. The hope is that incubating and developing this standard via the W3C will result in wider adoption than previous proposals, similar to the way that the WebAuthn API has been adopted to bring passkey authentication to all major browser implementations.
4. OAuth grantsThe previous section introduced DBSC as a means to protect against session cookie theft in web browsers. Thick application clients, including mobile applications and single-page web applications, typically use stateless API calls leveraging OAuth grants instead of session cookies. An OAuth grant may be established in several ways, with the recommended pattern for thick clients being to initially use the system browser to authenticate a user, and grant access for an application to act on their behalf. Conceptually this is remarkably similar to browser-based sessions, including the ability and recommendation, to use FIDO authentication for end-user authentication when possible. At the conclusion of the browser-based authentication portion of this flow, control is returned to the thick client application or single-page web application where tokens are established for use in programmatic API calls.
The challenge that occurs from this point forward is almost identical to that described for browsers – the OAuth tokens are bearer tokens that if exposed to a bad actor can be used to call application APIs from a remote machine instead of from the legitimate application.
This section describes the use of DPoP, a technology for protecting the “lift and shift” of credentials used in OAuth-protected API calls which, just like DBSC, makes use of an asymmetric key pair and ongoing proof of possession of the private key.
4.1 Demonstrate Proof of Possession (DPoP)
OAuth 2.0 Demonstrating Proof of Possession (DPoP) is an extension of the existing OAuth 2.0 standard for implementing device bound (or sender-constrained) OAuth access and refresh tokens. It is an application-level mechanism that allows for the tokens associated with an OAuth grant (that is, refresh tokens and access tokens) to bind with the requested client using a public and private key pair. This requires the client to prove ownership of its private key to the authorization server when performing access token refresh operations and to resource servers when using access tokens to call APIs.
6. OAuth 2.0 for Native Apps https://datatracker.ietf.org/doc/html/rfc8252
High assurance OpenID specifications, such as Financial-grade API (FAPI 2.0), mandate the use of sender-constrained tokens and DPoP is the recommended method for implementing this requirement when Mutual TLS (mTLS) is not available.
At a high level, DPoP requires that:
The client generates a per-grant public/private key pair to be used for constructing DPoP proofs. Best practice implementations should use operating system APIs to ensure the private key is non-extractable. On initial grant establishment (for example, exchanging an OAuth authorization code for the grant’s first access token and refresh token), a DPoP proof (a JWT signed by the client’s private key that contains, among other things, a copy of the public key) is used to bind a public key to the grant. Requests to a resource server using an access token obtained in this manner must also include a DPoP proof header, continuously proving possession of the private key used during grant establishment. This is done for every API request. Resource servers are required to check if an access token is sender-constrained, confirm the public key, and validate the DPoP proof header on each API call. For public clients, subsequent refresh_token flows to the authorization server’s token endpoint must also contain a DPoP proof signed with the same key used during initial grant establishment. This is particularly important as the refresh tokens are often long-lived and are also a type of bearer token (that is, if you have it you can use it). The authorization server must enforce the use of a DPoP proof for these refresh token flows and ensure signature validation occurs via the same public key registered during initial grant establishment.Unlike a plain bearer access token which can be used by any holder, DPoP based access tokens are bound to the client that initially established the OAuth grant, since only that client can sign DPoP proofs with the private key. This approach minimizes the risks associated with malicious actors trading leaked access tokens.
Refer to DPoP RFC 9449 – OAuth 2.0 Demonstrating Proof of Possession (DPoP) for more information.
4.2 What makes DPoP a complementary technology to FIDO?
FIDO can be leveraged for phishing resistant end-user authentication during establishment of an OAuth grant. Refresh and access tokens obtained by a client following this authentication should be safeguarded against “lift and shift” attacks just like session cookies in browser-based apps. DPoP is a recommended solution for protecting these OAuth tokens from unauthorized post-authentication use. Together, FIDO for end user authentication and DPoP for binding OAuth tokens to a client device complement each other to improve the overall security posture for identities used in thick client applications.
4.2.1 DPoP alternative solutions?
RFC8705 – OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens describes a mechanism that offers a transporter layer solution to bind access tokens to a client certificate. While it has been approved for use in FAPI 2.0 for open banking solutions, it is not particularly suitable for public clients such as native mobile applications.
RFC9421 – HTTP Message Signatures defines an application-level mechanism for signing portions of an HTTP message. Key establishment and sharing between the client and verifier are not defined by this specification, although this could be performed in a trust on first user manner during initial grant establishment in a similar manner to DPoP. There is no known public specification that maps the use of HTTP message signatures to the use case of sender-constrained bearer tokens in an OAuth client application. In the absence of such a public specification, widespread adoption for this use case is unlikely.
4.2.2 Advice
Sender-constrained tokens are a good idea, and, in some deployments, they are a regulatory requirement. For example, use of the FAPI profiles of OAuth is now mandated by many sovereign open banking initiatives. DPoP is a relatively simple way to achieve this requirement and is flexible enough to cover a wide range of application client types. That said, care must still be taken to adhere to the security considerations of DPoP. Pay close attention to section 11 of RFC9449, as well as apply other application security strategies for native or browser based single page applications as your scenario dictates. Remember that DPoP is focused solely on addressing the threats associated with token exfiltration, which include trading and use by malicious actors. It should be considered part of a defense-in-depth strategy for OAuth applications.
5. ConclusionThe intent of this paper is to inspire thinking around how different web security standards fit together and how those standards relate to the use of FIDO authentication for users. There are so many standards and standards bodies that it is often hard to understand which compete in the same space and which augment one another to form part of a comprehensive defense-in-depth strategy for identity fraud protection in online applications.
This paper tackled a specific, prevalent application security problem – the malicious trading and use of stolen cookies and access tokens. This paper also showed how technologies such as DBSC and DPoP mitigate the threats associated with token theft and how these technologies are complementary to FIDO authentication. Paired with FIDO, DBSC and DPoP provide greater overall identity fraud protection for your applications.
cross-posted on the Amnesty UK blog
Community-driven change is more important than ever. Whether we are advocating for social justice, environmental sustainability, or political reform, collective action is how we create lasting impact. But how do we build a movement that starts with individual curiosity and grows into sustained activism? That’s where the Amnesty International UK (AIUK) community platform project comes in — a digital hub designed to empower individuals, support collaboration, and drive meaningful change.
This blog post outlines how the platform and community strategy work together to guide people from discovery of the AIUK community to becoming activists within it.
1. DiscoveryThe journey of community-driven change starts with discovery. This is the stage where individuals first come into contact with AIUK. Maybe they learn about an issue, identify it as important, and begin to consider how they might want to get involved. Or maybe they meet someone at a demonstration, and discover the community first-hand.
AIUK social media, through broadcasting, is just one tool that helps people discover Amnesty International UK. AIUK makes complex issues accessible and relatable. We want to do the same as AIUK highlights grassroots efforts and community initiatives.
We want to encourage posts that show:
Our dedicated community and highlight key grassroots initiatives and campaigns. Signposts to find local groups or events based on interests. Digital actions, such as petitions or downloading campaign guides, to help users take their first steps.Such content ensures that even people who are new can find relevant AIUK communities and take the first steps toward engagement.
2. Intention to EngageOnce someone discovers a cause they care about, the next step is forming an intention to engage. This stage is all about commitment — moving from passive interest to active participation.
By showcasing community on the AIUK website, we both invite people in and celebrate what the community is achieving. We want to present clear pathways for involvement and help community members inspire others to take steps towards action.
We need to figure out processes that help:
Goal-setting: Encouraging community members to set personal milestones, like committing to attend 100 meetings. Sharing success: Telling success stories and finding testimonials that effectively attract new people while celebrating community achievements. Balancing information: Showcasing static information about past successes with dynamic, real-time updates on current campaigns from the community.By making it easy for people to express their intent and take small but meaningful steps, we build confidence and lay the groundwork for deeper engagement.
3. Taking Action: Turning Intent into ImpactWith intention comes action, and this is where real change begins. At this stage, people start to feel a sense of belonging and are ready to contribute to a cause they care about.
A knowledge base can help equip users with actionable tools. We’ll need clear resources and learning pathways that:
Guide people to the right information: Whether it’s organising a protest, writing letters to policymakers, or starting a local campaign, the knowledge hub can provide step-by-step guidance tailored to issues we work on. Help people collaborate: People should be able to connect with others who share their interests and work together on projects — whether virtually or in person. Best practices and community policies may also be at home in the knowledge hub. Show them into the community: Make sure that people feel supported and seen as they take action. Create an architecture of participation that brings them into the community platform.This stage is about turning isolated actions into collective power, with the support of the community ensuring that every contribution counts.
4. Sustaining Action: Building Lasting CommitmentSustained action is the key to creating lasting change. Too often, movements fizzle out after an initial burst of energy, but with a strong community strategy and integrated platform, we can keep momentum going.
To sustain engagement, the community platform needs to help people align with others in the AIUK movement. We need to think about:
Feedback loops: Regular check-ins with the community to understand their needs and ensure that we are adapting the community strategy and platform accordingly. A recognition ecosystem: Using digital badges and shoutouts for individuals or groups who demonstrate consistent commitment to help us make activism more visible. Storytelling opportunities: Sharing success stories and lessons learned will inspire others and keep motivation high.By encouraging a sense of belonging and purpose, we ensure that members find reasons to continue building collective power for human rights.
5. Becoming an Activist: Empowering Future LeadersThe final stage is becoming an activist. At this point, individuals understand that community isn’t one person, but rather all of us. They begin to work on behalf of others, coordinate together and lift people up with their leadership.
These leaders will use other coordination tools and processes and that’s great! We want to empower the development of activist and leadership skills. We’ll need:
Decentralised coordination best practices: For members who are ready to take on larger roles, such as leading groups or campaigns. Mentorship programs: Connecting experienced activists with newcomers to share knowledge and build networks. Advocacy training: Workshops, webinars, and resources focused on effective communication, policy advocacy, and community organising.Through these efforts, we can go beyond nurturing individual leaders to continue building a movement.
The Power of Community Work in Driving ChangeThe journey from discovery to becoming an activist is a process of gradual engagement and empowerment. There is a system of platforms, processes and content that help AIUK move people towards becoming an activist. Although we use various digital tools, the journey is an emotional and social one.
We are working hard to make sure the community platform project harnesses the collective strength of our community and makes a difference that lasts.
Designation as ISO/IEC 20153 Solidifies CSAF's Global Role in Standardized Vulnerability Reporting
Boston, MA USA; 20 May 2025 — The Common Security Advisory Framework (CSAF) Version 2.0, an open standard developed by OASIS Open, has officially been approved for release by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Now designated as ‘ISO/IEC 20153,’ the framework was successfully balloted through the Joint Technical Committee on Information Technology (JTC 1), marking a significant step forward in global security advisory standardization.
“Congratulations to OASIS on the publication of ISO/IEC 20153,” said Philip Wennblom, Chair of ISO/IEC JTC 1. “OASIS has been a valued JTC 1 partner since 2004, and this milestone highlights the strength of our collaboration in addressing critical challenges, including in cybersecurity, and advancing standards that benefit consumers, industries, and governments worldwide.”
Developed by the OASIS CSAF Technical Committee (TC) through a collaborative, cross-industry effort, CSAF v2.0 provides a modern, machine-readable framework for enhancing vulnerability reporting and response. With support for the Vulnerability Exploitability Exchange (VEX) profile, CSAF v2.0 seamlessly integrates with Software Bill of Materials (SBOM) data, allowing organizations to efficiently assess vulnerabilities and take informed actions.
“Achieving ISO/IEC recognition for CSAF 2.0 is a tremendous milestone for the global cybersecurity community,” said Omar Santos, co-chair of the OASIS CSAF TC. “This international standardization will drive broader, more consistent adoption of machine-readable vulnerability disclosures and response processes—ultimately helping organizations around the world protect their assets more effectively and streamline their cybersecurity practices. Whether vulnerabilities emerge in legacy environments or in cutting-edge AI solutions, CSAF 2.0 provides a modern framework for effective vulnerability reporting in hardware and software. We look forward to continuing our work within the OASIS CSAF TC to ensure the standard remains at the forefront of global cybersecurity efforts.”
“CISA is pleased that CSAF 2.0 is now recognized as an ISO/IEC standard, a significant achievement in strengthening global cybersecurity resilience. We value our work and ongoing partnership with OASIS,” said Justin Murphy, CISA Vulnerability Disclosure Analyst and co-chair of the OASIS CSAF TC. “CSAF 2.0 enables organizations to respond more effectively to evolving cyber threats across complex environments including critical infrastructure. We encourage and look forward to broader, global adoption of machine-readable standards for vulnerability management efforts.”
CSAF v2.0 was ratified as an OASIS Open Standard in November 2022 and subsequently submitted by OASIS to the ISO/IEC JTC 1 Information Technology body. As ISO/IEC 20153, this International Standard will continue to be maintained and advanced by the OASIS CSAF Technical Committee, which includes representatives of Cisco, Cryptsoft, Cyware, Huawei, Microsoft, Oracle, Red Hat, and others. New members are welcome, and participation in the CSAF TC is open to all through membership in OASIS.
About ISO/IEC JTC 1
ISO-IEC Joint Technical Committee (JTC 1) is a consensus based, voluntary international standards group focusing on information technology (IT). Many hundreds of experts from over 100 countries, represent their nation’s national standards body or national standards committee to mutually develop beneficial guidelines that enhance global trade, while protecting intellectual property. As one of the largest and most prolific technical committees in the international standardization community, ISO/IEC JTC 1 has had direct responsibility for the development of more than 3,500 published ISO standards, with nearly 600 currently under development. Its work in standardization also encompasses 24 subcommittees that make a tremendous impact on the global ICT industry.
About OASIS Open
One of the most respected, nonprofit open source and open standards bodies in the world, OASIS advances the fair, transparent development of open source software and standards through the power of global collaboration and community. OASIS is the home for worldwide standards in AI, emergency management, identity, IoT, cybersecurity, blockchain, privacy, cryptography, cloud computing, urban mobility, and other content technologies. Many OASIS standards go on to be ratified by de jure bodies and referenced in international policies and government procurement.
www.oasis-open.org
Media Inquiries: communications@oasis-open.org
Support for CSAF
Cyware:
“Cyware is committed to advancing security automation through the adoption of open, machine-readable standards like CSAF. Integrating CSAF into our threat intelligence and security orchestration platforms enables real-time ingestion, normalization, and automated dissemination of vulnerability advisories, enhancing our customers’ ability to rapidly correlate threat data and initiate timely response actions.”
– Avkash Kathiriya, Sr. VP, Research and Innovation, Cyware Labs
Microsoft:
“The designation of the Common Security Advisory Framework (CSAF) as an ISO/IEC 20153 standard marks a significant milestone for the global vulnerability management ecosystem. At Microsoft, we are proud to support this advancement by publishing advisories conforming to the CSAF specification and expanding its adoption across our security practices. CSAF enhances automation, improves interoperability, and accelerates vulnerability response—empowering organizations worldwide to better protect their ecosystems.”
– Bret Arsenault, Corporate Vice President and Chief Cybersecurity Advisor, Microsoft
Disclaimer: CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked or referenced within this press release. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.
The post OASIS Common Security Advisory Framework v2.0 Approved as an ISO/IEC International Standard appeared first on OASIS Open.
Thirteen years after The Intention Economy was published by Harvard Business Review Press, there are now four clear paths toward making it come true.
IEEE P7012, aka MyTerms. This will make individuals first parties in their agreements with companies, completely flipping the status quo that has been with us since industry won the Industrial Revolution and manifests today in those insincere and annoying cookie notices that interrupt your experience every time you visit a new website or open a new app. MyTerms makes each of us first parties in agreements with sites and services, and in full charge of personal privacy online. The First Person Project, or FPP (website pending). With help on the buy side from Customer Commons and on the sell side by Ayra, we can finally replace “show your ID” with verifiable credentials presented on an as-needed basis by independent and self-sovereign individuals operating inside their own webs of trust. Visa Intelligent Commerce, which will make intentcasting happen in a big way. It will also elevate the roles of Inrupt and the open-source Solid Project. Personal AI. This is AI that is as much yours as your shoes, your bike, and your PC. Personal, not personalized.To explain how these will work together, start here:
Not long after The Intention Economy came out in May, 2012, Robert Thomson, Managing Editor of The Wall Street Journal, wanted the book’s opening chapter to serve as the cover essay for the Marketplace section of an upcoming issue. Harvard Business Review Press didn’t like that idea, so I wrote an original piece based on one idea in the book: that shoppers will soon be able to tell the market what they’re looking for, in safe, secure and anonymous ways—a kind of advertising in reverse that the book called “personal RFPs” and has since come to be called “intentcasting.” This became The Customer as a God: The image above was the whole cover of the Marketplace section on Monday, July 23, 2012. The essay opened with these prophetic words: “It’s a Saturday morning in 2022…”
It is now a Friday morning in 2025, and that godly future for customers is still not here. Yes, we have more market power than in 2012, but we are digital serfs whose powers are limited to those granted by Amazon, Apple, Facebook, Google, Microsoft, and other feudal overlords. This system is a free market only to the degree that you can choose your captor. This has led to—
The IONBA (Internet Of Notning But Accounts) is based on a premise: that the best customers are captive ones. In this relic of the industrial age, customers are captive to every entity that requires logins and passwords. Customers also have no ways of their own to globally control what data is collected about them, or how. Or to limit how that data is used. This is why our digital lives are infected by privacy-killing data-collection viruses living inside our computers, phones, TVs, and cars.
If you didn’t know about those last two, dig:
Consumer Reports says “All smart TVs—from Samsung, LG, you name it—collect personal data.” They also come with lame “privacy” controls, typically buried deep in a settings menu. (Good luck exhuming them. The ones in our TCL and Samsung TVs have all but disappeared.) Mozilla calls new cars “the Worst Product Category We Have Ever Reviewed for Privacy.” There is also nothing you can do to stop your car from reporting on everything your car does—and everything you do, including sexual ativity—to the carmaker, insurance companies, law enforcement, and who knows who else. This data goes out through your car’s cell phone, misleadingly called a telematics control unit. The antenna is hidden in the shark fin on your car’s roof or in an outside mirror.Businesses are also starting to lose faith in surveillance, for at least eight reasons:
People hate it. They also fight it. By 2015 ad blocking and tracking protection were the biggest boycott in world history. It tarnishes brands. Ad fraud is a gigantic problem, and built into the system. It commits Chrysoogocide (killing golden geese, most notably publishers). Bonus link. Regulatory pressure against it is getting bigger all the time. Advertisers are finally remembering that brands are made by ads aimed at populations, while personalized ads are just digital junk mail. Customers are using AI tools for guidance toward a final purchase, bypassing marketing schemes to bias purchasing decisions along the way. For more on that, see Tom Fishburne’s cartoon, and Bain’s report about it.So our four roads to The Intention Economy start with the final failings of the systems built to prevent it. Now let’s look at those roads.
1—IEEE P7012 “MyTerms”
MyTerms, the most important standard in development today, will be a keystone service of Customer Commons, the nonprofit spinoff of ProjectVRM. It will do for contract what Creative Commons did for copyright: give individuals a new form of control. With MyTerms, agreements between customers and companies will be far more genuine mutual, and open to new forms of innovation not based on the kind of corporate control that typifies the IONBA. For example, it can open Visa Intelligent Commerce to conversations and relationships that go far past transaction. Take for example Market intelligence that flows both ways. While this has been thinkable for a decade or more (that last link is from 2016), it’s far more do-able when customers and companies have real relationships based on equal power and mutual interests. These are best framed up on agreements that start on the customer’s side, and give customers scale across all the companies with which they have genuine relationships.
2—First Person Project (FPP)
To me, FPP begins with the vision “Big Davy” Sallis came up with while he was working for VISA Europe in 2012, and read the The Intention Economy. At the time, he wanted Visa to make VRM a real category, but assumed that would take too long. So he decided to create a VRM startup called Qredo. Joyce and I consulted Qredo until Davy died (far too young) in 2015. Qredo went into a different business, but a draft I created for Qredo’s original website survives, and it outlines much of what the FPP will make possible. That effort is led by Drummond Reed, another friend and collaborator of Davy’s and a participant in ProjectVRM from the start. Drummond says the FPP is inspired by Why We Need First Person Technologies on the Net, a post published here in 2014. That post begins,
We need first person technologies for the same reason we need first person voices: because there are some things only a person can say and do.
Only a person can use the pronouns “I,” “me,” “my” and “mine.” Likewise, only a person can use tools such as screwdrivers, eyeglasses and pencils. Those things are all first person technologies. They were invented for individual persons to use.
We use first person technologies the same unique ways we use our voices.
Among other things, the First Person Project will fix how identity works on the Internet. With FPI—First Person Identity—interactions with relying parties (the ones wanting “your ID”) don’t need your drivers license, passport, birth certificate, credit card, or account information. You just give them what’s required, on an as-needed basis, in the form of verifiable credentials. The credentials you provide can verify that you are a citizen of a country, licensed to drive, have a ticket to a game, or whatever. In other words, they do what Kim Cameron outlined in his Laws of Identity: disclose minimum information for constrained uses (Law 2) to justifiable parties (Law 3) under your control and consent (Law 1). The credential you present is called a DID: a Decentralized Identifier. No account is required.
Trust in FPI also expands from individual to community. Here is how Phil Windley explains it in Establishing First Person Digital Trust:
When Alice and Bob met at IIW, they didn’t rely on a platform to create their connection. They didn’t upload keys to a server or wait for some central authority to vouch for them. They exchanged DIDs, authenticated each other directly, and established a secure, private communication channel.
That moment wasn’t just a technical handshake—it was a statement of first-person identity. Alice told Bob, “This is who I am, on my terms.” Bob responded in kind. And when they each issued a verifiable relationship credential, they gave that relationship form: a mutual, portable, cryptographically signed artifact of trust. This is the essence of first-person identity—not something granted by an institution, but something expressed and constructed in the context of relationships. It’s identity as narrative, not authority; as connection, not classification.
And because these credentials are issued peer-to-peer, scoped to real interactions, and managed by personal agents, they resist commodification and exploitation. They are not profile pages or social graphs owned by a company to be monetized. They are artifacts of human connection, held and controlled by the people who made them. In this world, Alice and Bob aren’t just users—they’re participants.
This also expands outward into community, and webs of trust. You get personal agency plus community agency.
The FPP covers a lot more ground than identity alone, but that’s where it starts. Also, Customer Commons is a funding source for the FPP, and I’m involved there as well.
3—Visa Intelligent Commerce
The press release is Find and Buy with AI: Visa Unveils New Era of Commerce. Less blah is Enabling AI agents to buy securely and seamlessly. Here’s the opening copy.
Imagine a future where an AI agent can shop and buy for you. AI commerce — commerce powered by an AI agent — is going to transform the way consumers around the world shop.
Introducing Visa Intelligent Commerce, an initiative that will empower AI agents to deliver personalized and secure shopping experiences for consumers – at scale.
From browsing and selection to purchase and post-purchase management, this program will equip AI agents to seamlessly manage key phases of the shopping process.
Visa CEO Ryan McInerney says a lot more in a 1:22 talk at Visa Product Drop 2025. The most relevant part starts about 26 minutes in, with a demo starting at about 31:30. Please watch it. Much of what you see there owes to Inrupt and Solid, which Sir Tim Berners-Lee says were inspired by The Intention Economy. For more about where Inrupt and Solid fit in Visa Intelligent Commerce, see Standards for Agentic Commerce: Visa’s Bold Move and What It Means: Visa’s investment in safe Intelligent Commerce points to a future of standards-forward personal AI, by John Bruce, Inrupt’s CEO. John briefed Joyce and me over Zoom the other day. Very encouraging, with lots to develop on and talk about.
More links:
A tweet appreciative of Inrupt by Visa’s @JackForestell Privacy for Agentic AI, by Bruce Schneier, Inrupt’s CISO (as well as the world’s leading security expert, and an old pal through Harvard’s Berkman Klein Center). Also from Bruce: What Magic Johnson and Bruce Schneier taught us at RSAC 2025 and RSAC 2025: The Pioneers of the Web Want to Give You Back Control of Your Data Visa announces AI Agent Payment APIs – and a pathway to Empowerment Tech, by Jamie Smith, who writes Customer Futures, the most VRooMy newsletter out there.Some news being made about Visa Intelligent Commerce:
Visa partners with AI giants to streamline online shopping Visa Gives AI Shopping Agents ‘Intelligent Commerce’ Superpowers Visa launches ‘Intelligent Commerce’ platform, letting AI agents swipe your card—safely, it says How major payment companies could soon let AI spend your money for you Visa, Mastercard offer support for AI agents Visa wants to give artificial intelligence ‘agents’ your credit card Visa adds ‘unknown concept’ where AI makes purchases for you – but shoppers suspect more ‘sinister purpose’ Visa Unveils Intelligent Commerce to Power AI-Driven Payments4—Personal AI
Reza Rassool was also inspired by The Intention Economy when he started Kwaai.ai, a nonprofit community developing open-source personal AI. I now serve Kwaai as its volunteer Chief Intention Officer.
Let’s look at what personal AI will do for this woman:
Looks great, but we’re stuck in IONBA, she has little control over her personal data in all those spaces. For example,
She doesn’t have the digital version of what George Carlin called “a place for my stuff.” (Watch that video. It’s brilliant—and correct.) She has few records of where she’s been, who she’s been with and when—even though apps on her phone know that stuff and are keeping it inside the records of her giant overlords and/or selling it to parties unknown, with no way yet for getting it back for her own use. Her finances are possibly organized, but scattered between the folders she keeps for taxes, plus the ones that live with banks, brokers, and other entities she hardly thinks about. It would be mighty handy to have a place of her own where she could easily see all her obligations, recurring payments, subscriptions, and other stuff her counterparties would rather she not know completely. Her schedules are in Apple, Google, and/or Microsoft calendars, which are well app’d and searchable, but not integrated. She has no digital calendar that is independent and truly her own. Her business and personal relationship records are scattered across her contact apps, her Linkedin page, and piles of notes and business cards. She has no place or way of her own to manage all of them. Her health care records (at least here in the U.S.) are a total mess. Some of them ares inside the MyCharts and patient portals provided by separate (and mostly unconnected) health care specialists and medical systems. Some of it is in piles of printouts she has accumulated (if she’s kept them) from all the different providers she has seen. Some of it is in fitness and wellness apps, all with exclusive ways of dealing with users. None of it is in a unified and coherent form.So the challenge for personal AI is pulling all that data out of all her accounts, and putting it into forms that give her full agency, with the help of her personal AIs. Personalized AIs from giants can’t do that. We need our own personal AIs.
And there we have it: Four roads to a world where free customers prove more valuable than captive ones. And we’re making it happen. Now.
The UK government has said it will roll out passkey technology across its digital services later in 2025, aiming to phase out SMS-based verification in favour of a more secure, user-friendly alternative.
Passkeys are unique digital credentials tied to a user’s personal device and offer a way to authenticate identity without the need for traditional passwords or one-time text codes.
Passkeys never leave the device and so cannot be reused across websites, which makes them resistant to phishing and other common attacks.
DIF members showcased their vision at this year's European Identity and Cloud Conference (EIC 2025), bringing together experts who are defining the future of human-centric digital identity. As AI capabilities accelerate, DIF members are tackling both the architectural foundations and philosophical implications of self-sovereign identity, and EIC provided an excellent forum to share how they are solving digital identity's most complex challenges.
The Philosophy Behind Standards: Values in Digital IdentityMarkus Sabadello, CEO of Danube Tech and DIF Steering Committee member, delivered a compelling talk examining the philosophical underpinnings of digital identity standards. His presentation, "The Worldviews behind Digital Identity Standards," argued that technical choices in standards like OID4VC, DIDComm, SD-JWT-VC, and the W3C verifiable credential data model reflect deeper philosophical trajectories variously aligned with European values like Liberty, Equality, and Fraternity.
Markus Sabadello presents "The Worldviews behind Digital Identity Standards"Sabadello illustrated how technologies like DIDComm prioritize fraternity through peer-to-peer connections, while JSON-LD enables innovation and liberty through permissionless semantic flexibility and self-publishing. As the industry standardizes wallets and verifiable credentials, he emphasized that these standards should be evaluated not only on technical merits but also on how they impact human values like sovereignty and equitable participation.
The talk concluded with an important reminder that technology is never value-neutral, highlighting the need to align digital identity standards with humanistic values while avoiding the pitfalls of fragmentation from competing, politically and commercially driven standards.
AI and Identity: A New FrontierAnother highlight of the conference was the Verifiable AI talk and panel series. In his talk "Private Personal AI and Verified Identity for AI Agents", Alastair Johnson (CEO of Nuggets) explored the challenges of implementing truly private personal AI that protects user sovereignty while creating verifiable identities for AI agents. Johnson explored how privacy-preserving technologies and self-sovereign identity frameworks can enable secure AI agent operations while maintaining individual control over personal data.
Alastair Johnson presents "Private Personal AI and Verified Identity for AI Agents"The subsequent panel, "Verifiable AI: The New Frontier" was moderated by Ankur Banerjee, CTO of Cheqd and DIF TSC Co-chair. The panel brought together Matthew Berzinski (Ping Identity), Sebastian Rodriguez (Advisor to Privado.ID), and Alastair Johnson to explore the intersection of AI and digital identity.
The panel addressed critical questions about how private personal AI agents can securely interact with identity systems, approaches to verifying AI agent identities, and frameworks for establishing trust in AI-human interactions.
As Ankur described in his following LinkedIn post, key takeaways included:
The need for both decentralized and centralized/hybrid approaches for different scenarios, including "AI employees" like the Devin software engineering assistant The challenge of allowing "good bots" into systems designed to keep malicious automation out The emerging consensus that AI agents will need their own wallets (or at least high-stakes delegation capabilities to and from wallets, or operate inside of wallets), and what kind of unique identifiers can power these interfaces The vulnerability of AI agents to bribing, threats, and "social" engineering attacks despite (or due to their primarily) rule-based constraints The agentic "Ship of Theseus" problem: at what point is an AI agent sufficiently changed that it invalidates prior attestations? The Personhood Challenge: Humans in a World of AIAnother significant focus at the conference was the development of personhood credentials as a defense against AI-generated deepfakes. Drummond Reed, Director of Trust Services at Gen Digital, presented "First-Person Credentials: A Case Study," discussing a collaborative effort between the Ayra Association, Customer Commons, Trust Over IP, and DIF to create a people-powered, privacy-preserving proof of personhood.
Personhood Credentials Why is proof of personhood so hot? Because it sits at the intersection of AI and decentralized identity. The threat of generative AI deep fakes has accelerated the search for a sustainable… KuppingerColeThis work built on a 2024 paper titled "Personhood Credentials," which proposed using a decentralized architecture based on verifiable credentials and zero-knowledge proofs. Reed's presentation covered design goals, trust models, user experience considerations, and go-to-market strategies for this emerging approach.
Personhood Credentials: From Theory to Practice
The subsequent panel, "Personhood Credentials: From Theory to Practice," brought together Ankur Banerjee, Drummond Reed, Steven McCown (Chief Architect of Anonyome Labs), and Sebastian Rodriguez to examine real-world implementations and practical challenges in creating personhood credentials. The panel explored how technologies like zero-knowledge proofs and selective disclosure can preserve individual privacy while meeting legitimate verification requirements.
PANEL: Personhood Credentials: From Theory to Practice This panel features experts examining real-world implementations, emerging standards, and practical challenges in digital identity. They will explore how technologies such as zero-knowledge proofs… KuppingerCole Technical Innovations in Identity InfrastructureThe conference also featured several technical presentations on practical implementations of verifiable credentials and digital identity wallets:
Richard Esplin, Head of Product at Dock, presented "Biometrics and Verifiable Credentials: Balancing Security and Privacy," addressing the challenges biometric providers face as regulations become stricter. Esplin shared best practices for integrating biometrics with verifiable credentials without undermining privacy and flexibility.
Biometrics and Verifiable Credentials: Balancing Security and Privacy [Intermediate] Biometric providers are facing new challenges as regulations governing biometric data become stricter and organizations try to extend their biometric enabled business processes across ecosystems… KuppingerColeDr. Paul Ashley, CTO of Anonyome Labs, discussed the implementation of Hardware Security Modules (HSMs) in digital identity wallets in his talk "Digital Identity Wallet Utilizing a Hardware Security Module." The presentation explored how digital identity wallets can be enhanced through HSM integration to fulfill the requirements of the EU Digital Identity Wallet framework, with analysis of each credential standard's compatibility with various HSMs' cryptographic capabilities.
Dr. Paul Ashley presenting "Digital Identity Wallet Utilizing a Hardware Security Module" Looking ForwardThe DIF community remains the leading forum for innovation in decentralized identity standards and implementations. The frameworks, protocols, and approaches discussed at the conference provide a clear architectural roadmap for solutions that protect individual autonomy while enabling secure, verified interactions between humans and AI systems. Through continued collaboration across our working groups, DIF remains committed to developing open standards that address both current and emerging identity challenges.
To learn more about these topics or to get involved with the Decentralized Identity Foundation's work, visit DIF's website.
ISL began its life as the Me2B Alliance, striving to create standards to enable greater power symmetry in the digitally facilitated relationship between consumers (“Me-s”) and the companies whose technology they use (“B-s”). We called this the M2B relationship. For mobile apps, all too often it’s a case of “Me2 Who Knows?!” People have a right to know who’s legally responsible for the apps they use, and it is anything but clear in mobile app stores today. App stores are failing to make clear the legal entity who is responsible for apps. ISL has filed responsible disclosures with Apple starting in late 2024 but our repeated attempts have been dismissed.
Anatomy of Responsible Party Info in the App StoresBoth Google and Apple allow for two kinds of developer accounts: individual and organization. The creation of either type of account requires identity validation, but it’s a lower bar for individuals than for organizations. Individuals must provide a government issued ID credential before being allowed to open a developer account. This validates the individual’s name and address. Organizations, however, must provide a DUNS number to validate the legal existence of the organization. 12
▶ Problem 1: How effective is this level of identification authentication? ISL recently found an app developer with 15 apps in the Google Play store with no verifiable legal existence whatsoever. Thus, the process is imperfect at best.
In both stores, the “Account Holder” (to use Apple’s language) is the individual/entity who is in a legal relationship with the app store [owner].
Figures 1a and 1b show two parts of an Apple App store listing. Note that the name in blue under the app name appears to be the Account Holder (Figure 1a). Note that the Information section of the app listing shows five other places where we expect to see the same Account Holder name and websites.
Figure 1a: Apple App Store Example – App Header
Figure 1b: Apple App Store Example – App Information
Figures 2a and 2b show a similar annotated view of the Google Play Store app listing. Between Figures 2a and 2b, there are six instances where the Account Holder name appears.
Figure 2a: Google Play Store Example – Part 1
Figure 2b: Google Play Store Example – Part 2
This all seems fine. What we see in practice, though, is that the various links and names presented in the app store listing that should be definitively showing the name of the legally party responsible for the app often have inconsistencies. Which brings us to additional problems.
▶ Problem 2: Account Holders can create additional user accounts within their account, including users with permissions to submit/delete apps.3 There’s seemingly no governance over this capability, left strictly in the hands of the Account Holder.
▶ Problem 3: The app store app listing doesn’t indicate if the developer of the app is an individual or a company. This information matters. People deserve to know if they’re using an app developed by an individual developer, or by a company. No matter what, so long as apps are collecting personal information, people have an unconditioned right to know who gets their data and what they’re doing with it.
▶ Problem 4: The Apple app store doesn’t disclose the location of the responsible app developer but the Google Play store does.4 The great thing about app ecosystems is that they foster worldwide participants. The problem is that the responsible developer can be oceans away from consumers, making it difficult or impossible to hold the developer accountable if there are issues.
▶ Problem 5: Apps have broken developer links. It’s wildly confusing when the name in blue or green font under the app name is different from the name that appears when you click on the developer link. Imagine if you went to a grocery store and there was a loaf of bread with no brand or company information. You wouldn’t want to eat that. When you click on the Developer Website link for the app shown in Figure 1b you find yourself not only not at a site that says Kepler47, you find a non-functional page for audiojoy.com (Figure 3).
Figure 3 Developer website URL for 12 Step AA NA Daily Meditation from the Apple App Store: https://audiojoy.com/cgi-sys/suspendedpage.cgi
▶ Problem 6: The Account Holder name from the listing header doesn’t match the name in the privacy policy OR in the App Support link. Figures 4a and 4b illustrate a case where the listed developer in the listing header is Will Aitchison (Figure 4a), but the privacy policy fails to indicate a legally responsible data controller entirely (Figure 4b).
Figure 4a: Account Holder name
Figure 4b: Privacy policy link for app by Will Aitchison: https://www.firststeporegon.org/docs/PrivacyPolicy_25-05-2018.pdf
Figure 4c: Privacy Policy from “Developer’s Website”
Note that there’s another layer of confusion for the First Step Oregon app, namely, the privacy policy found on the App Support page differs from the privacy policy linked in the app store (Figure 4c). This case is a case where the app developer was likely an individual affiliated with the organization who wrote and submitted the app on behalf of the company. Still, it leaves a question for users: who is responsible? Who does the user contact in the case of issues?
The Boggle: Arcade Edition app in the Apple store shows a similar situation. The Account Holder appears to be Zynga Inc. from the app store listing header (Figure 5a). But when you click on the App Support link you see the Take-Two Terms of Service (Figure 5.b). Similarly, the linked privacy policy is also Take-Two’s. Finally, this app includes a copyright showing Zynga Inc. in the information section (Figure 5c). In this instance, the original Account Holder (Zynga Inc.) was acquired by another company (Take-Two). Zynga appears to be a wholly owned subsidiary of Take-Two based on its California business registration status, but the “hybrid” information in the app store is confusing.
Figure 5a: Boggle App store listing header – Account Holder: Zynga Inc.
Figure 5b: Boggle App Support Link
Figure 5c: Boggle App store listing – Information Section
Interestingly, not all Zynga games in the app store show Take-Two info at the App Support link. Figure 6b shows the App Support link for FreeCell, another Zynga game.
Figure 6a: FreeCell App store listing header
Figure 6b: FreeCell App Support link
▶ Problem 7: App Information shows two different names. Figures 7a and 7b show elements of the Apple app store listing for the app, Count Money and Coins – Photo Touch Game. In the Information section of the app store listing, Innovative Investments Limited is shown as the Seller, but Grasshopper Apps is the copyright registrant.
Figure 7a: Count Money and Coins App store listing header
Figure 7b: Count Money and Coins app – Information section
▶ Problem 8: App store listings with broken privacy policy links. It’s relatively easy to find apps in the app stores whose privacy links are simply broken, non-functional. This is what we found with most of the Innovative Investments Limited apps (Figure 7c).
Figure 7c: http://www.grasshopperapps.com/privacy-policy
ConclusionsNONE of this should be happening today. App stores receive 30% of all app revenues and thus have ample resources to programmatically monitor these situations. Consumers should never have to conduct forensic research in order to figure out who they’re entering into a business relationship with. Here’s a recap of what the app store owners should do:
Make it crystal clear on your label who the legal entity responsible for the app is (I’ll call this “responsible developer”). Make sure ALL instances in and related to the app store listing consistently show the same responsible developer name. Make sure there is valid, working contact information for the responsible developer. Indicate if the developer is an individual or an organization.Here are Recommendations for app consumers:
If there isn’t a privacy policy, don’t install the app. If there are no privacy details provided in the Apple store, don’t install the app. If there’s no developer contact information provided, don’t install the app. Contact us if you find these or other problems with app store entries. Final ThoughtsWe are well past the point of understanding the risks of these things, yet we see no systemic changes under development on the part of Apple and Google to put safety measures in place. Perhaps shining this light on some of the issues can help spur action.
Footnotes: https://support.google.com/googleplay/android-developer/answer/13628312?sjid=9574226792909682372-NC https://developer.apple.com/programs/enroll/ Summary of roles and permissions for Apple developer accounts: https://developer.apple.com/help/account/access/roles/ Location of the developer was met with some warranted and some dubious pushback from Android developers as shown on this Reddit thread https://www.reddit.com/r/androiddev/comments/17w3pgz/google_started_displaying_full_legal_name_and/?rdt=50889 . Mandatory disclosure of an individual developer’s location presents some risks. That said, the developer is capable of getting every user’s location information so it seems a reasonable requirement.The post Me2B or Me2Who Knows: App Stores Fail to Provide Clear Legally Responsible Party appeared first on Internet Safety Labs.
We’re excited to introduce CATio Spaces, a new way for civil society organizations to connect with our team and talk about cybersecurity in a low pressure, friendly environment.
The post Introducing CATio Spaces: A Learning Space to Talk Cybersecurity appeared first on The Engine Room.
Blockchain Commons was pleased to receive another grant this year from Human Rights Foundation (HRF) and their Bitcoin Development Fund grant to support our work with developers and implementers to expand the usage of FROST.
To quote HRF’s press release:
“For nonprofits operating under authoritarian rule, securing Bitcoin is critical for survival. If private keys (which control access to bitcoin) are compromised, funds can be seized and movements dismantled. Blockchain Commons is a [not-for-profit] supporting the development of FROST (Flexible Round-Optimized Schnorr Threshold Signature), a protocol that strengthens multisignature wallets (bitcoin wallets with multiple private keys) by making them more secure, private, and flexible for shared custody. With this grant, Blockchain Commons will help build critical infrastructure to keep civil society groups operational and financially resilient under dictatorships.”
Blockchain Commons has previously held and documented four meetings supporting FROST in 2023 and 2024, and we plan to continue with that later in 2025. Thanks to HRF, we also are expanding that work this year with the development of a FROST signing tool and the creation of a brief “Learning FROST from the Command Line” course. Our goal, as ever, is to help support the implementers who are creating FROST and to make it easier for developers to incorporate FROST into their wallets.
For more on FROST, see our FROST developer pages.
A decentralized repository for secure, scalable genomic data sharing & AI-driven personalized healthcare insights — powered by OriginTrail Decentralized Knowledge Graph (DKG).OriginTrail powers the future of ethical AI in healthcare with ELSA
We’re excited to announce that OriginTrail is joining forces with the ELSA (European Lighthouse on Secure and Safe AI) initiative to shape the future of decentralized, privacy-preserving artificial intelligence (AI) in healthcare. Digital healthcare today faces three pressing challenges: safeguarding patient privacy, bridging fragmented data silos for seamless interoperability, and meeting strict regulatory requirements without stifling innovation.
At the heart of this collaboration lies a DeReGenAI — a decentralized repository for secure, scalable genomic data sharing and AI-driven personalized healthcare, powered by the OriginTrail Decentralized Knowledge Graph (DKG). This initiative tackles the most pressing challenges in digital health: enabling secure, compliant, and user-sovereign sharing of sensitive genomic data while unlocking the full potential of AI-driven personalized healthcare.
Trustworthy AI needs trustworthy infrastructureAI is transforming healthcare — but for it to do so responsibly, it must be built on a foundation of trust, transparency, and ethics. That’s exactly what OriginTrail brings to the table within the ELSA consortium: an open-source, decentralized infrastructure that ensures data privacy, ownership, and interoperability at scale.
By integrating OriginTrail DKG, DeReGenAI becomes a decentralized repository that puts patients in control of their most personal asset — their genomic data. This enables:
User-managed permissions: Patients decide who can access their data, when, and for what purpose. Privacy-preserving monetization: Individuals can opt to share their data with research institutions or health providers on their own terms. AI-ready interoperability: Seamless interaction with AI systems while maintaining the integrity and provenance of the data.At its core, the OriginTrail DKG act as a knowledge graph of knowledge graphs — a globally distributed network where each participant maintains control over their own knowledge node. These nodes interact in a fully decentralized manner, eliminating the risks of centralized data silos and single points of failure.
Here’s why this matters:
Global scale: Access data from diverse sources without compromising security. Privacy-first architecture: Data sovereignty is seamlessly integrated into the infrastructure. Compliance-ready: Designed with GDPR and other regulatory frameworks in mind. Interoperable: Built for seamless integration with AI technologies and healthcare systems. How does DeReGenAI work?To power the next generation of personalized healthcare, DeReGenAI employs decentralized Retrieval-Augmented Generation (dRAG) — an evolution of how Large Language Models (LLMs) interact with external data.
Instead of querying a centralized source, the LLMs in DeReGenAI leverage the OriginTrail DKG to retrieve verified, decentralized knowledge. This unlocks:
More accurate AI insights, Context-aware healthcare recommendations, Trustworthy and verifiable AI behavior.The ELSA initiative brings together top-tier European academic, industrial, and technology partners, such as University of Oxford, The Alan Turing Institute, NVIDIA, and others, to build a future where AI is both effective and ethical. As part of the ELSA initiative, OriginTrail is used to build a trusted data ecosystem for the AI age — one where people, not platforms, control their data, and where innovation never comes at the cost of ethics.
We’re proud to be driving this change, and even prouder to be doing it alongside an incredible group of partners.
Learn how OriginTrail is powering the shift to human-centric AI at https://origintrail.io/.
Trust the source.
OriginTrail powers the future of ethical AI in healthcare with ELSA was originally published in OriginTrail on Medium, where people are continuing the conversation by highlighting and responding to this story.
The public safety sector is undergoing rapid digital transformation, embracing new technologies to enhance emergency response, law enforcement, and disaster management. However, this shift also brings challenges such as data security risks, privacy concerns, and the need for reliable information verification in critical situations.
When DIACC was established in 2012, its goal of creating a secure digital ecosystem extended to all sectors, including public safety. As a trusted authority in digital identity and authentication, DIACC’s mission is more crucial than ever as public safety agencies increasingly rely on digital systems and data sharing to protect communities.
By prioritizing digital trust, Canada can strengthen its public safety infrastructure, improve emergency response times, and enhance collaboration between various agencies. Interoperable frameworks, such as the DIACC Pan-Canadian Trust Framework (PCTF), ensure that public safety systems remain secure, adaptable, and trusted.
Advancing Digital Trust in Public Safety 1. Enhancing Emergency Response and CoordinationImplementing robust digital trust solutions can significantly improve emergency response by:
Enabling secure, real-time data sharing between agencies Verifying the authenticity of emergency communications Facilitating rapid and accurate identification of individuals in crises 2. Leveraging the DIACC PCTF for Public SafetyDIACC encourages public safety agencies to adopt the PCTF as a tool to:
Implement secure identity verification for first responders and emergency personnel Enhance the integrity of emergency alert systems Improve interagency collaboration through trusted data exchange 3. Addressing Privacy Concerns in Surveillance and Data CollectionTo balance public safety needs with individual privacy rights, DIACCweDIACC recommendss:
Implementing transparent data collection and usage policies Adopting privacy-preserving technologies in surveillance systems Ensuring proper authentication and authorization for access to sensitive data 4. Combating Misinformation in Crisis SituationsDigital trust frameworks can help public safety agencies:
Verify the authenticity of information during emergencies Establish trusted channels for disseminating critical updates Collaborate with social media platforms to combat the spread of false information 5. Enhancing Cybersecurity in Critical InfrastructurePublic safety agencies can use digital trust solutions to:
Secure communication networks used in emergency response Protect critical infrastructure from cyber threats Implement robust identity and access management systems for sensitive facilities Best Practices and the Way Forward 1. Adopt Emerging TechnologiesPublic safety agencies should leverage technologies like Artificial Intelligence (AI) and Distributed Ledger Technologies (DLT) to enhance their digital trust capabilities and improve emergency response. AI can be used for real-time data analysis and decision-making, while DLT can ensure the integrity and immutability of critical information.
2. Foster Cross-Sector CollaborationDIACC encourages collaboration between public safety agencies, technology providers, and other stakeholders to develop standardized digital trust practices.
3. Educate and TrainDIACC is committed to educating public safety personnel and the public about digital trust through:
Specialized training programs for emergency responders Public awareness campaigns on the importance of verified information during crises Advocacy for regulations that support the implementation of digital trust solutions in public safety ConclusionThe public safety sector urgently needs robust digital trust solutions to protect Canadians and Canadians and communities in an increasingly digital world. By adopting frameworks like the PCTF, public safety agencies can enhance their operational efficiency, build public trust, and improve their ability to respond to emergencies, providing a reassuring path forward.
Together, as public safety agency leaders, policymakers, and stakeholders in emergency management, we can create a public safety ecosystem that leverages digital trust to protect citizens, respects their privacy, and solidifies Canada’s position as a secure and effective leader in emergency management.
Download the paper here.
DIACC-Position-Advancing-Digital-Trust-to-Strengthen-Public-Safety_ENGWatch full recording on YouTube.
Status: Verified by PresenterPlease note that ToIP used Google NotebookLM to generate the following content, which the presenter has verified.
Google NotebookLM Podcast
https://trustoverip.org/wp-content/uploads/2025-05-01-Agri-food-Data-Canada-Carly-Huitema-1.wav SummaryThis briefing document summarizes a presentation about Agri-food Data Canada’s Semantic Engine, a suite of tools designed to enhance research data management in the agri-food sector by making data Findable, Accessible, Interoperable, and Reusable (FAIR). A central focus is the use of machine-readable data schemas authored with the Overlays Capture Architecture (OCA) standard, which is highlighted for its use of derived identifiers (digests) over traditional assigned identifiers for improved reproducibility and authenticity. The document also details the Semantic Engine’s practical tools and ongoing efforts to integrate these standards into existing research infrastructure, addressing challenges like data context and decentralized ecosystems.
Briefing Document: Agri-food Data Canada and the Semantic EngineDate: May 1, 2025
Subject: Review of Agri-food Data Canada (ADC) project and its Semantic Engine, with discussion on data schemas, identifiers, and integration into research infrastructure.
Sources:
Excerpts from “2025.05.01-ToIP_EGWG.pdf” (Slides) Excerpts from “GMT20250501-145814_Recording.transcript.txt” (Transcript) Excerpts from “GMT20250501-145814_Recording_1920x1080.mp4” (Video – used for verification of content and speakers) Excerpts from “GMT20250501-145814_RecordingnewChat.txt” (Chat Log)Attendees/Speakers: Carly Huitema (University of Guelph, ADC), Michelle Edwards (ADC, mentioned), Eric Drury (Forth Consulting), Scott Perry (Digital Governance Institute), Neil Thomson (QueryVision), Steven Milstein (Collab.Ventures), Donald Sheppard.
OverviewThis briefing summarizes a presentation by Carly Huitema from Agri-food Data Canada (ADC) to the Trust over IP (ToIP) Ecosystem and Governance Working Group. The presentation focuses on ADC’s efforts to improve research data management in the agri-food sector, specifically through the development of the “Semantic Engine” suite of tools. A central theme is the importance of “FAIR” data (Findable, Accessible, Interoperable, Reusable) and how machine-readable data schemas, particularly using the Overlays Capture Architecture (OCA) standard, contribute to achieving this goal. The discussion also highlights the advantages of derived identifiers (digests) over assigned identifiers for reproducibility, authenticity, and decentralization, and ADC’s ongoing work to integrate their tools and schemas into existing research infrastructure.
Key Themes and Important Ideas Improving Research Data Management in a Decentralized Ecosystem: The research data ecosystem is described as highly decentralized with independent research groups. While guided by best practices, mandates for standardized approaches are often slow to adopt. Incentives can be conflicting, particularly the “publish or perish” culture versus the time needed for thorough data documentation. Long-term planning (e.g., 50-year repository funding) is a crucial consideration. ADC, a project at the University of Guelph funded by multiple Canadian sources (CFREF, Genome Canada, UoG, OMAFA, Compute Ontario, etc.), aims to address these challenges by working directly with researchers. Making Agri-food Data FAIR: A core objective of ADC is to make agri-food data FAIR: Findable: Ability to identify and locate data resources and their context. Accessible: Ability to access (with permission) and use data once found, often requiring open protocols. Interoperable: Using standards for data to ensure compatibility, including standard vocabularies. Reusable: Data with sufficient context (licenses, provenance, descriptions) can be reused by others for replication or new research. Carly Huitema states: “Findable is the ability to identify and find resources as well as their context. If it’s accessible that once found you can access it with permission and use it interoperable. Certainly lots of our work at Trust Over IP is about how to ensure interoperability of standards including vocabularies and reusable that that there are licenses and provenance and other things that help make this data reusable.” Data Requires Context: Data alone is insufficient; it needs context to be useful. This context includes details like sample source, analysis methods, data schemas, catalogue information, data licenses, data governance agreements, associated publications, methodologies, scripts, and contributors. The Semantic Engine: ADC is developing the Semantic Engine, a suite of tools designed to help researchers create “rich contextual and machine-readable data schemas.” The Semantic Engine aims to make the process of documenting data less daunting for researchers. It functions as a self-teaching web app, providing guidance and tutorials. The engine uses the Overlays Capture Architecture (OCA) standard for writing schemas. Data Schemas and Overlays Capture Architecture (OCA): A data schema describes the attributes of a dataset (e.g., columns in a table) and provides detailed information about them (type, units, description, format, etc.). OCA is highlighted as an international and open standard for documenting schemas, developed by the Human Colossus Foundation. Two key advantages of OCA: Embeds Digests: OCA schemas can embed derived identifiers (digests/fingerprints) for the schema itself and for its constituent parts. This is crucial for reproducibility and authenticity of digital artifacts. Organized by Features: OCA structures schemas by features (e.g., all descriptions, all units) rather than attribute by attribute (e.g., JSON-LD, XML Schema). This organization offers advantages: Task-based Governance: Allows for governance at the feature level (e.g., assigning responsibility for translation features). Optimized for Feature Management: Facilitates adding or removing features (like languages or units) without altering the identifiers of other features. Mix-and-Match: Enables easier combination and reuse of different schema components. ADC has developed an “OCA Package” which wraps the core OCA standard with extensions for community-specific features and developing standards, allowing for gradual migration of these features to the core standard as they become accepted. Assigned vs. Derived Identifiers: Assigned Identifiers (Names): Created by a governance body, linked to an object via a lookup table. Resolution requires trusting the authoritative governance body and their lookup table. “If you find an object, you cannot figure out the identifier – you must go to the authoritative body and look it up in their table.” Resolution services can only be hosted or delegated by the governance body. Derived Identifiers (Digests/Fingerprints): Calculated directly from a digital object using a hashing function. They are unique fingerprints for a specific version of the object. Key for reproducibility and authenticity: “You can identify the resource originally used. You can verify the resource is the same one that was originally used.” Anyone can calculate a derived identifier, build a resolution service, and verify the resolution service is pointing to the correct object. Derived identifiers enable objects to be hosted in multiple locations. Carly Huitema humorously quotes, “If you liked it, then you should have put a digest on it.” Derived identifiers are excellent for snapshots but do not handle dynamic content or versioning directly. Versioning requires a governing authority or a decentralized identifier (DID) system where subsequent versions are linked and controlled. Tools Provided by the Semantic Engine: Schema Authoring Web App: Guides researchers through creating machine-readable schemas. Data Entry Excel Generator: Creates an Excel spreadsheet with headers and schema descriptions based on the authored schema, helping standardize data collection. Includes the schema’s derived identifier. Data Entry on the Web / Data Verification Engine: A tool to verify data sets against the rules defined in a schema. Allows researchers to quickly check for inconsistencies before combining data from multiple sources. Integration into Research Infrastructure: ADC is working to integrate their schemas and tools into existing Canadian and international research infrastructure. Schemas can be deposited into long-term research data repositories (e.g., Borealis in Canada), often receiving assigned identifiers like DOIs. These schemas, with their embedded derived identifiers, can then be found through federated search engines that index multiple repositories (e.g., Lunaris in Canada, OpenAIRE in Europe). This allows researchers to publish papers referencing schemas by their identifiers, enabling others to find and verify the schema used. Addressing IP and Sensitive Data: The Semantic Engine itself does not store user data or schemas, reducing IP concerns related to the platform. Schemas are generally less sensitive than the actual data, allowing them to be more openly shared. This enables discovery of datasets and potential collaborations without exposing proprietary information. Schemas can include flags for sensitive data attributes (e.g., farm location). While ADC’s tools don’t currently enforce access controls based on these flags, this information in the machine-readable schema can be used by internal pipelines or other systems to manage sensitive data appropriately (e.g., triggering anonymization). Future Directions: ADC plans to continue integrating with research infrastructure, add digests as identifiers to more objects, and develop tools for other machine-readable standards (e.g., cataloging metadata, policy rules). They also aim to increase the number of features supported in the schema description process (e.g., range rules, ontology framing). Key Takeaways for ToIP The FAIR data principles are highly relevant to decentralized ecosystems and align well with ToIP goals. Derived identifiers (digests) offer significant advantages for reproducibility, authenticity, and decentralized resolution, making them a powerful tool for digital objects within a trust framework. The architecture of data schemas (feature-by-feature vs. attribute-by-attribute) has implications for governance, versioning, and the application of derived identifiers to schema components. Integrating decentralized identity and verifiable credentials concepts (like OCA) into existing research infrastructure can enhance discoverability, interoperability, and trust in scientific data. The Semantic Engine provides a practical example of building user-friendly tools to generate machine-readable metadata, addressing the challenge of widespread adoption of such standards.For more details, including the meeting transcript, please see our wiki 2025-05-01 Agri-food Data Canada – Carly Huitema – Home – Confluence
https://www.linkedin.com/in/carly-huitema-27727011/ https://www.semanticengine.org/The post EGWG 2025-05-01 Agri-food Data Canada – Carly Huitema appeared first on Trust Over IP.
Watch the full recording on YouTube.
Status: Verified by PresenterPlease note that ToIP used Google NotebookLM to generate the following content, which the presenter has verified.
Google NotebookLM Podcast
https://trustoverip.org/wp-content/uploads/ToIP-EGWG-2025-03-20_-Richard-Whitt-GliaNET-1.wavThis document and podcast were generated by Google’s NotebookLM. They provide information about Richard Whitt‘s vision for a more human-centric internet built on trust, as presented to the Ecosystem & Governance Working Group (EGWG) of the Trust over IP Foundation on March 20, 2025. It also draws from materials related to the GLIA Foundation and the GliaNet Alliance, founded by Richard Whitt.
The current state of the web is characterized by surveillance capitalism, where companies prioritize data extraction and manipulation, leading to a lack of trust. Richard Whitt argues that this undermines human agency and necessitates a shift towards a web built on trustworthy intermediaries.
His proposed solution centers around the concept of Net Fiduciaries, a new category of entities that would prioritize users’ interests through the application of fiduciary duties like care and loyalty, similar to professionals in medicine and law. This would be a voluntary approach, driven by ethical considerations and good business practices, rather than imposed regulations on existing platforms.
The GliaNet Alliance is a coalition of companies and organizations committed to this vision. Its goal is to build a “web worthy of trust” by fostering ethical technology practices and using transformative governance principles. The alliance operates as a community of practice, with working groups focusing on areas like business models, policies, practices, and standards.
Key concepts discussed include:
The SEAMS cycle (Surveillance, Extraction, Analysis, Manipulation), which describes the problematic data practices prevalent on the web. Glea, the ancient Greek word for glue, symbolizing trust as the social glue. A multi-layered approach to change, encompassing governance, markets, technology (edge tech), and public policy. The importance of authentic personal AI agents that operate on behalf of the user, contrasting with the “double agent” nature of current AI assistants that primarily serve platform interests. The distinction between agenticity (capability) and agentiality (acting on behalf of) in AI systems. The potential for interoperability between AI agents across different platforms.The alliance is exploring ways to demonstrate trust to the public, potentially through analogies (like a “doctor for your web life”), marketing that emphasizes fiduciary duties, and clear communication about data handling practices. They are also considering mechanisms for recourse in case of breaches.
Richard Whitt’s book, “Reweaving the Web,” further elaborates on these ideas, outlining the problems with the current web and proposing practical steps to create a more user-centric digital future. The book has received positive testimonials from prominent figures in the tech and policy fields.
The GliaNet Alliance is in its early stages, focused on building its community, establishing governance structures, and exploring business models that align with its ethical principles. They are also engaging with policymakers and exploring potential collaborations, including with the Trust over IP Foundation. Consumer Reports is an anchor member and is exploring branding its AI agent as a GliaNet project. Kwaai.ai, an open-source LLM project, is also part of the alliance, aiming to build a platform with fiduciary duties to developers and agents.
For more details, including the meeting transcript, please see our wiki 2025-03-20 GliaNet – Home – Confluence.
https://www.linkedin.com/in/richardwhitt/ https://www.glia.net/The post EGWG 2025-03-20: Richard Whitt, GliaNET appeared first on Trust Over IP.
This content is password protected. To view it please enter your password below:
Password:
The post Protected: EGWG 2025-04-03: Stephan Wolf, Verifiable Trade Foundation appeared first on Trust Over IP.
The National Cyber Security Centre said moving to digital passkeys to log on to Gov.UK was a vital step in making the tech more ubiquitous.
The Government has announced plans to replace passwords as the way to access Gov.UK, its digital services platform for the public.
In contrast to using a password and then an additional text message or code sent to a user’s trusted device – known as two-factor authentication – passkeys are unique digital keys tied to a specific device that proves the user’s identity when they log in without requiring them to input any further codes.
At the 2025 RSAC Conference in San Francisco, our team met with dozens of industry experts, cybersecurity professionals, and investors to find out more about the biggest security technologies and trends that are impacting your business.
Tech-Specific InnovationWhile AI was one of the hottest topics at the show, it wasn’t the only topic of discussion; we also heard a lot about the evolving ransomware ecosystem and what organizations need to be doing today to prepare for the arrival of “Q-Day”.
But perhaps the second-biggest discussion piece was around identity and access security.
With the rise of AI-powered deepfakes and fraud attempts, we’re seeing more need than ever before for organizations to make the switch from passwords to more secure methods of authentication, such as Passkeys—and many experts were optimistic that this space will see a lot of adoption over the next year.
Key Insights:
Andrew Shikiar, Executive Director and CEO of the FIDO Alliance: “We’re going to see Passkey deployment continue to grow in regulated industries. That’s really important, because addressing the higher assurance use cases and taking passwords out of play there will give greater confidence for more and more companies to deploy Passkeys at scale, which will further accelerate our journey towards putting passwords fully in the rear-view mirror.”Microsoft has officially shifted to passkeys, such as facial recognition, fingerprint scans, and PINs, as the default sign-in method for all new accounts beginning this month, marking its most significant step yet toward a password-free future, according to TechRepublic.
The move coincides with World Password Day and aligns with the tech giant’s broader commitment to the Passkey Pledge, an industry initiative to eliminate passwords in favor of more secure, phishing-resistant login methods. In a blog post, Microsoft executives Joy Chik and Vasu Jakkal emphasized that passkey users are three times more likely to log in successfully than those using passwords. Although existing account holders can still use passwords, Microsoft is nudging them toward using biometrics or PINs by default. Nearly all Windows users already rely on Windows Hello, and the shift is backed by support from industry partners, including Apple and Google, who are also rolling out FIDO-compliant passkey systems across their platforms. The change promises to streamline security and user experience across the board.
FIDO-Based Authentication to Replace SMS-Based Verification, Says UK NCSC
The U.K. government is set to replace SMS-based verification systems for digital services with passkeys this year in a bid to shore up cyber defenses.
The initiative will be rolled out by the U.K. National Cybersecurity Center using the open authentication standard Fast IDentity Online, or FIDO, as a more “secure and cost-effective solution.”
“The NCSC considers passkey adoption as vital for transforming cyber resilience at a national scale,” the NCSC said. “In addition to enhanced security and cost savings, passkeys offer users a faster login experience, saving approximately one minute per login when compared to entering a username, password and SMS code,” the agency said.
Zug, Switzerland (May 6, 2025) — Umanitek AG, a Swiss-based AI company combating harmful content and the risks of artificial intelligence, today announces the launch of their first product umanitek Guardian.
Umanitek’s mission is to fight against harmful content and the risks of AI by developing and deploying technology that serves the greater good of humanity.
Umanitek’s first product is an AI agent, umanitek Guardian, that uses the Decentralized Knowledge Graph (DKG), a decentralized, trusted network for organizing and tracking immutable data and allows participating organizations to keep ownership and control of their data while supporting database queries on a need-to-know basis — allowing collaboration without compromising privacy.
The first user of umanitek Guardian will be Aylo, who will leverage the agent to allow law enforcement agents to query 7 million hashes of its verified content using natural language through an AI agent.
“Umanitek acts as the bridge. Through Decentralized Knowledge Graph (DKG) decentralized infrastructure, we can integrate advanced Internet safety technologies directly with data. Umanitek Guardian will enable companies, law enforcement, NGOs and individuals to collaborate by uploading and querying “fingerprints” of images and videos to a decentralized directory. This system will help large technology platforms track, identify and prevent the distribution of harmful content. We are committed to developing human-centric AI solutions that promote trust, protect privacy and help make internet safety the standard in the age of AI.”
– Chris Rynning, umanitek Chairman
About umanitek
Making internet safety the standard in the age of AI.
Umanitek AG is a Swiss-based AI company combating harmful content and the risks of artificial intelligence. We develop human-centric AI solutions that promote trust, protect privacy and make internet safety the standard in the age of AI.
Our founders bring deep expertise in building reliable, trusted AI systems and are connected to global networks working to reduce internet harm, and are committed to raising awareness about the importance of education and digital responsibility in the age of AI.
Umanitek’s AI infrastructure is safe by design, open by principle and trustworthy by default. With a focus on ethical innovation, umanitek is setting the standards for transparency, accountability and harm reduction in artificial intelligence.
For more information about umanitek, umanitek’s founders and products, visit www.umanitek.ai.
Contacts
For media inquiries, please contact:
Umanitek Communication
umanitek launches umanitek Guardian AI agent was originally published in OriginTrail on Medium, where people are continuing the conversation by highlighting and responding to this story.
We are thrilled to announce that OwnYourData has been honored with the MyData Award 2025 in the Technology category by MyData Global. This recognition celebrates our commitment to developing human-centric data solutions that empower individuals and organisations with greater control over their information, enabling them to manage, share, and benefit from their data in transparent and ethical ways.
The MyData Awards acknowledge organizations and individuals making significant strides in ethical personal data practices across various domains, including technology, business, governance, and thought leadership. This year, over 400 nominations were evaluated, highlighting the growing global emphasis on data rights and individual empowerment.
Our award in the Technology category underscores our efforts in creating interoperable and privacy-focused tools that align with the principles of the MyData Declaration. We are especially honored that both the organisation OwnYourData and our chairperson, Christoph Fabianek, were recognized with MyData Awards. This dual recognition highlights not only our collective impact as a team but also Christoph’s individual leadership and long-standing commitment to building a fair, sustainable, and prosperous digital society.
For more details on the MyData Awards and the list of 2025 recipients, visit the official MyData Awards page.
Der Beitrag MyData Award 2025 erschien zuerst auf www.ownyourdata.eu.
The UK government is set to roll out passkey technology for its digital services later this year as an alternative to the current SMS-based verification system, offering a more secure and cost-effective solution that could save several million pounds annually.
What does it take to grow a brand on Amazon today?
The rules have changed, and Amazon is now less of a storefront and more of a dynamic ad and data platform.
In this episode, Jason Boyce, Founder and CEO of Avenue7Media, joins host Reid Jackson to share what he’s learned over 22 years in the e-commerce world. From selling as a reseller to building a brand and leading an agency, Jayson explains why success now depends on feeding the algorithm, not pitching to buyers.
He breaks down how streaming TV is driving direct Amazon sales, the problem with locked attributes and UPCs, and why attribution is finally catching up to the promise of connected TV.
In this episode, you’ll learn:
Why traditional retail rules don’t apply to Amazon
How Connected TV can accelerate brand growth
What makes Amazon profitable when compared to DTC
Jump into the conversation:
(00:00) Introducing Next Level Supply Chain
(02:53) From failed consulting to full-service agency
(06:26) Fixing locked attributes and bad UPC data
(09:59) Streaming ads that convert like e-commerce
(13:56) Selling to algorithms, not people
(16:34) Comparing Amazon to direct-to-consumer
(20:44) Why CTV is outperforming display ads
(26:48) How AI will change the way we shop
Connect with GS1 US:
Our website - www.gs1us.org
Connect with the guest:
Jason Boyce on LinkedInCheck out Avenue7Media
Internet Safety Labs’ Executive Director Lisa LeVasseur testified before the Maine Judiciary Committee in support of LD 1822, the Maine Online Data Privacy Act, while highlighting concerns. Informed by ISL’s 2022 K-12 Edtech safety benchmark and ongoing research, our testimony underscores the need to curb widespread commercial surveillance and risky data practices. LD 1822’s restrictions on sensitive data collection and sales are vital, yet we advocate for stronger protections, particularly for FERPA-covered data, non-profits, and medical apps. The written testimony is available to view in the pdf below:
The post Internet Safety Labs Provides Testimony in Support of LD 1822, An Act to Enact the Maine Online Data Privacy Act appeared first on Internet Safety Labs.
Date: April 16, 2026
Time: 9 am – 5 pm
Attendee Ticket: $49
Event Location:
The College of New Jersey
The post EdgeCon Spring 2026 appeared first on NJEdge Inc.
The FIDO Alliance announced today the launch of a new Payments Working Group (PWG) focused on developing and implementing FIDO authentication solutions specifically for payment use cases. This initiative marks a significant expansion of the organization’s efforts to eliminate password dependencies in critical digital transactions.
The new working group emerges at a time of growing momentum for passwordless authentication in the payments sector. Last year, Visa implemented passkeys for online payments, allowing customers to authorize transactions using biometric authentication rather than traditional passwords.
The Alliance, which now comprises over 250 members, has been steadily expanding its influence across various sectors of digital authentication.
World Password Day is no longer. The annual day to promote secure password practices has run its course, and the FIDO Alliance (whose stated mission, to be fair, is to bring the world beyond passwords) has rebranded World Password Day as World Passkey Day – an occasion to celebrate the encrypted FIDO credentials that combine data you possess (a digital key or credential) with a biometric trait (something you are, usually a face or fingerprint).
Anyone setting up a new Microsoft account will soon find they’re encouraged to use a passkey during the sign-up process.
Microsoft introduced passkey support across most of its consumer apps last year, allowing users to sign into their accounts without the need for 2FA methods or remembering long passwords. A year later, it’s removing passwords as the default and encouraging all new signups to use passkeys.
PCMag attempted to sign up for a new Microsoft account on May 2, but it still asked for a password at the time of publication. Microsoft hasn’t shared an exact timeframe for when the change will take place, but you should expect it to happen in the coming days.
This is the first time a new account can be entirely passwordless. Previously, it had to have one alongside your passkey.
In a blog post, Microsoft says 98% of passkey attempts to log in are successful, while passwords are only at 32%. Microsoft is also introducing what it calls a “streamlined” sign-in experience for all accounts that “prioritizes passwordless methods for sign-in and sign-up.” It means some UX design changes to highlight passkey functionality.
We’re excited to announce a new partnership with Puentes, an organization dedicated to strengthening the narrative power of social justice movements in Latin America
The post Empowering narratives, strengthening ecosystems: A partnership for digital resilience appeared first on The Engine Room.
WAO is currently working on a project with the Responsible Innovation Centre for Public Media Futures (RIC), hosted by the BBC. Our focus is on AI Literacy for 14–19 year olds and you can read more context in our project kick-off blog post.
One of the deliverables for this project is to review AI Literacy frameworks, with a view to either making a recommendation, or coming up with a new one. It’s not just a case of choosing one with a pretty diagram!
Frameworks are a way in which an individual or organisation can indicate what is worth paying attention to in a given situation. Just as the definition of ‘AI Literacy’ varies by context, the usefulness of a framework depends on the situation. In this post, we share the judgements we made using criteria we developed and share our process in case it is useful for your own work.
Narrowing down the listWhile there can be some commonality and overlaps between frameworks for different contexts, the diversity of possible situations is huge. There can never be a single ‘perfect’ framework suitable for every situation. For example, just imagine what ‘AI Literacy’ might look like for (adult) engineers and developers compared with children of primary school age. As with our work at Mozilla you can define what a ‘map’ of new literacies might look like, but it can only ever be one of many that describe the overall ‘territory’.
With our work on this project, we had to bear in mind our audience (14–19 year olds) and the mission of the BBC. There is a long history of Critical Media Literacy which is particularly relevant to our research here, and which was one of the factors when reviewing frameworks.
With a relatively short project timeline of three months, we needed a way to quickly classify approximately forty frameworks and related documents we have collected. We shared relevant details with Perplexity AI (using the Claude 3.7 Sonnet model) over multiple conversations. This helped us reduce our initial list of around 40 frameworks to a more manageable 25.
Coming up with criteriaNext, we came up with some criteria by which to judge them. These criteria were informed by our own work in the area for 15+ years, along with either interviews or surveys with over 35 experts in the field. While these criteria are meant as a heuristic for this project, they are also a useful starting point for asking questions about any project relating to new literacies.
Definition of AI — ensures everyone has the same starting point Development process — adds transparency and credibility Target audience — helps match the framework to its users Real-world relevance — shows how ideas work in practice AI safety and ethics — addresses both risks and responsible use Skills and competencies listed — clarifies what learners should be able to do Reputable source — increases trust in the frameworkWe included both safety and ethics because both are needed for using AI in a responsible and trustworthy way.
Categorising the most relevant frameworksWe used a traffic light (red/yellow/green) categorisation system to score each framework on the above criteria. Only one of the frameworks we reviewed, the OECD Framework for Classifying AI Systems, meets all criteria with a ‘green’ rating.
There are several other frameworks which we judge as meeting the criteria as ‘green’ except for one criterion (‘yellow’). Listed alphabetically by organisation, these are:
Artificial Intelligence in Education (Digital Promise) AI Literacy in Teaching and Learning: A Durable Framework for Higher Education (EDUCAUSE) Digital Competence Framework for Citizens (European Commission) Developing AI Literacy With People Who Have Low Or No Digital Skills (Good Things Foundation) AI competency framework for students (UNESCO)There are other frameworks which we have decided to include which included two or more criterion as ‘yellow’. For example, the Open University’s Critical AI Literacy Framework, Ng, et al’s article, and Prof. Maha Bali’s blog post linked from her framework all do a good job of defining Critical AI Literacies. We would also note that the Digital Education Council’s list of skills and competencies relating to AI Literacy is useful to pair with those from EDUCAUSE, UNESCO, and the European Commission.
Next stepsAs mentioned earlier, our brief for this project involves either making an informed recommendation of a framework, or to come up with our own. We’re currently leaning toward the latter, but either choice will be the subject of a future blog post.
If you have questions, concerns, comments, or indeed a particularly useful resource which you think would be useful for this project, please do get in touch. You can leave a comment here, or use the contact details on our main website to get in touch!
After supporting passwordless Windows logins for years and even allowing users to delete passwords from their accounts, Microsoft is making its biggest move yet toward a future with no passwords. Now it will ask people signing up for new accounts to only use more secure methods like passkeys, push notifications, and security keys instead, by default.
The new no-password initiative by Microsoft is accompanied by its recently launched, optimized sign-in window design with reordered steps that flow better for a passwordless and passkey-first experience.
Although current accounts won’t have to shed their passwords, new ones will try and leave them behind by not prompting you to create a password at all:
As part of this simplified UX, we’re changing the default behavior for new accounts. Brand new Microsoft accounts will now be “passwordless by default.” New users will have several passwordless options for signing into their account and they’ll never need to enroll a password. Existing users can visit their account settings to delete their password.
With today’s changes, Microsoft is renaming “World Password Day” to “World Passkey Day” instead and pledges to continue its work implementing passkeys over the coming year. This time last year, the company implemented passkeys into consumer accounts. Microsoft says it’s seeing “nearly a million passkeys registered every day,” and that passkey users have a 98 percent success rate of signing in versus 32 percent for password-based accounts.
As you’ll already know, today is World Passkey Day and the FIDO Alliance has released an independent study of over 1,300 consumers across the US, UK, China, South Korea, and Japan to understand how passkey usage and consumer attitudes towards authentication have evolved.
The results are encouraging, they find 74 percent of consumers are aware of passkeys and 69 percent have enabled passkeys on at least one of their accounts.
Among those who have used passkeys, 38 percent report enabling them whenever possible. More than half of consumers now believe passkeys are both more secure (53 percent) and more convenient (54 percent) than passwords.
This increase in passkey adoption is likely driven by the shortcomings of passwords. Last year, over 35 percent of people had at least one of their accounts compromised due to password vulnerabilities. In addition, 47 percent of consumers will abandon purchases if they have forgotten their password for that particular account.
To further encourage organizations to embrace the shift to passkeys, the FIDO Alliance has also launched the Passkey Pledge, a voluntary pledge for online service providers and authentication product and service vendors committed to embracing passkeys.
“The establishment and growth of World Passkey Day reflects the fact that organizations of all shapes and sizes are taking action upon the imperative to move away from relying on passwords and other legacy authentication methods that have led to decades of data breaches, account takeovers and user frustration, which imperil the very foundations of our connected society,” says Andrew Shikiar, executive director and CEO of the FIDO Alliance. “We’re thrilled by the fact that over 100 organizations around the world signed our Passkey Pledge, and we are pleased to support the market in their march towards passkeys through a variety of freely available assets, including our market-leading Passkey Central resource center.”
The full report is available from the FIDO Alliance site.
As the first-ever World Passkey Day replaces the traditional World Password Day, Microsoft joins the FIDO Alliance in celebrating a milestone achievement: over 15 billion online accounts now have access to passwordless authentication through passkeys.
This significant shift marks a turning point in digital security as the tech industry moves decisively away from vulnerable password-based systems.
“The establishment and growth of World Passkey Day reflects the fact that organizations of all shapes and sizes are taking action upon the imperative to move away from relying on passwords and other legacy authentication methods,” said Andrew Shikiar, Executive Director and CEO of the FIDO Alliance.
Microsoft is on a mission to delete passwords for a billion users, given that “the password era is ending.” The Windows-maker warns users that “bad actors know it, which is why they’re desperately accelerating password-related attacks while they still can.” And those attacks are now making headlines weekly.
The answer is passkeys, which link your account security to your physical device security, which means unless an attacker has access to your hardware and unlock method — biometric or PIN, they can’t bypass a password to login.
More than others, Microsoft is not just promoting passkeys but also password deletion: “If a user has both a passkey and a password, and both grant access to an account, the account is still at risk for phishing. Our ultimate goal is to remove passwords completely and have accounts that only support phishing-resistant credentials.”
The FIDO Alliance, the organization charged with promoting passkeys has taken to the internet airwaves this time around to “launch a Passkey Pledge to further accelerate [the] global movement away from passwords.”
Its latest research found that “over 35% of people had at least one of their accounts compromised due to password vulnerabilities, [and] 47% of consumers will abandon purchases if they have forgotten their password for that particular account. This is significant for passkey adoption, as 54% of people familiar with passkeys consider them to be more convenient than passwords, and 53% believe they offer greater security.”
FIDO has welcomed Microsoft’s password deletion as industry leading. “This is an exciting and seminal milestone as Microsoft is taking passwords out of play for over a billion user accounts,” its CEO Andrew Shikiar told me, “who can now instead leverage user-friendly, phishing-resistant passkeys. Microsoft’s leadership in doing so today will help encourage more service providers to do the same, which moves us collectively closer to the day when passwords are fully in our rear-view mirror.”
The FIDO Alliance has also recently invited companies to participate in the World Passkey Pledge to create a more secure future, and move past the vulnerability and hassle of passwords.
Simon McNally, Cybersecurity Expert at Thales said, “Passwords have long been a weak link in digital security, forcing consumers and businesses into a frustrating cycle of password resets and potential breaches. We welcome the FIDO Alliance’s commitment to World Passkey Day and its push for a passwordless future. Passkeys provide a seamless and secure authentication experience, eliminating the risks and frustrations associated with traditional passwords.
Passkeys are automatically generated and securely stored, removing the burden of creating and managing complex passwords. They also enhance privacy by allowing authentication without sharing sensitive data, reducing the risk of breaches. As trust in digital security becomes more critical, businesses must prioritise passwordless solutions to protect users and build brand confidence.”
The Passkey Pledge for a Passwordless FutureTo commemorate World Password Day (or at it will henceforth be known, World Passkey Day), the FIDO Alliance has released a survey on the usage of passkeys which found that 74% of consumers are aware of passkeys, meaning that consumers are aware of the potential value a passkey login experience can bring. To support this, the survey also found that 69% of consumers have enabled passkeys on at least one of their accounts.
Furthermore, for those who have used passkeys, 38% report enabling them whenever possible suggesting that some consumers already see the added user experience and security benefits passkeys bring. In fact, more than half of consumers believe passkeys are both more secure (53%) and more convenient (54%) than passwords. Many businesses and organizations have already signed the Passkey Pledge, including Amazon, Apple, Google, Microsoft, Samsung, and many more!
A pivotal momentAndrew Shikiar, executive director and CEO of the FIDO Alliance, commented on both the recent survey, and the Passkey Pledge:
“This year’s World Passkey Day comes at a pivotal moment for user authentication around the world – with a rapidly growing number of service providers (including nearly half of the world’s top 100 websites) offering billions of user accounts the option to sign in with passkeys instead of passwords. Well over 100 organizations have taken the Passkey Pledge, indicating their commitment towards a future free from the risk and burdens of passwords.
Consumers are not only increasingly aware of passkeys, they’re using them more frequently: 69% of respondents to our recent survey are enabling them on at least one account, and 38% are now enabling them whenever possible.
Passkeys are so intuitive to use that once users integrate passkeys, they rarely go back. This is good for consumers who are frustrated by password reliant sign-in processes — 35% of whom said they experienced account compromises as a result of password vulnerabilities last year — and e-commerce retailers alike.
This shift isn’t just about innovation or bottom lines; it’s about rebuilding digital trust and creating a safer, more efficient internet for everyone.”
NEWARK, NJ, May 2, 2025 – Dr. Forough Ghahramani, Assistant Vice President for Research, Innovation, and Sponsored Programs, Edge, Chair of Broadening the Reach Working Group for the Ecosystem for Research Networking (ERN), and ERN Steering Committee member, welcomed an esteemed group of scientific and cyberinfrastructure researchers as co-chair of this year’s ERN Summit.
The Ecosystem for Research Networking Summit provides the scientific and cyberinfrastructure research community an opportunity to come together and discuss ERN mission and accomplishments, hear from domain researchers and CI professionals at smaller institutions about the successes and challenges related to leveraging local, regional, and national resources for projects, and learn about funding resources and partnership opportunities, as well as regional and national communities.
The Summit was a virtual event held on April 23, 2025, and reflected a shared commitment to building bridges across scientific and cyberinfrastructure communities and exploring the timely topics of advanced technologies, artificial intelligence (AI), quantum, and workforce development. Attendees heard from thought leaders who are driving AI and quantum initiatives, shaping curriculum innovation, and expanding opportunities across institutions of all sizes. Panel discussions examined the unique constraints and opportunities facing non-R1 institutions, along with the curricular innovations and partnerships shaping the future quantum workforce.
“The ERN Summit sparked dynamic conversations and showcased the perspectives of vital contributors to our national research ecosystem, including leading institutions, regional hubs, industry partners, and smaller colleges. We hope the Summit inspired new collaborations, actionable ideas, and lasting connections throughout the research and education community.”
– Dr. Forough Ghahramani
Assistant Vice President for Research, Innovation, and Sponsored Programs, Edge
Chair of Broadening the Reach Working Group, ERN
Steering Committee Member, ERN
Keynote speaker, Dan Stanzione, Ph.D., Associate Vice President for Research, Executive Director, Texas Advanced Computer Center (TACC), led the topic, AI and HPC, or AI Ends HPC? where he discussed the evolving balance between AI and high-performance computing in future system designs. Dr. Stanzione argued that rather than replacing HPC, AI is transforming it, requiring the community to rethink architecture, software, workforce strategy, and environmental impact.
The Summit’s three panels provided insights from leading institutions, regional hubs, industry partners, and smaller institutions, including:
How regional economic and workforce initiatives are taking shape in AI and Quantum; How industry-academic partnerships are preparing the next-generation quantum workforce, and; What unique strengths and challenges are faced by non-R1 and smaller institutions in this landscape.“It was wonderful seeing the strong attendance across all panels. The discussions addressed pressing issues relevant to research and education communities in universities and colleges nationwide and internationally as we collectively tackle the challenges of AI and emerging quantum technologies. We will continue these discussions over the next year, leading to solutions that will be reported on during our next summit,” Barr von Oehsen, Ph.D., Director Pittsburgh Supercomputing Center and Chair of the ERN Steering Committee.
The Summit closed with rich dialogue on how the ERN can continue to build a thriving, inclusive community that supports institutions of all sizes and types. The energy and ideas shared set a clear path for future action! The ERN community is energized to keep the momentum going! Additional information is available at https://ern.ci.
About Edge
Edge serves as a member-owned, nonprofit provider of high performance optical fiber networking and internetworking, Internet2, and a vast array of best-in-class technology solutions for cybersecurity, educational technologies, cloud computing, and professional managed services. Edge provides these solutions to colleges and universities, K-12 school districts, government entities, hospital networks and nonprofit business entities as part of a membership-based consortium. Edge’s membership spans the northeast, along with a growing list of EdgeMarket participants nationwide. Edge’s common good mission ensures success by empowering members for digital transformation with affordable, reliable and thought-leading purpose-built, advanced connectivity, technologies and services.
The post Ecosystem for Research Networking (ERN) Summit 2025 appeared first on NJEdge Inc.
Date: January 15, 2026
Time: 9 am – 5 pm
Attendee Ticket: $49
Event Location:
Princeton University
For those requiring overnight accommodations while attending EdgeCon Winter 2025, a Group Rate has been arranged for attendees at: Nassau Inn »
10 Palmer Square, Princeton, NJ 08542
Or, for Attendees who want to make reservations over the phone, please call the Nassau Inn Reservation Desk directly at 609-921-7500 and reference the booking #4766909 in order to receive the group rate. This rate is only valid until 12/14/25.
More information coming soon!The post EdgeCon Winter 2026 appeared first on NJEdge Inc.
May 1, 2025
In recognition of World Passkey Day (formerly World Password Day), the FIDO Alliance is putting the spotlight on real-world passkey deployments from leading organizations around the globe. Read on for highlights of the successes companies in various industries are seeing from delivering faster, easier, and more secure sign-ins with passkeys—showcasing the global commitment to move away from passwords.
The FIDO Alliance also released today an independent study of consumers to understand how passkey usage and consumer attitudes towards authentication have evolved. The research found that in the last year, over 35% of people had at least one of their accounts compromised due to password vulnerabilities. In addition, 47% of consumers will abandon purchases if they have forgotten their password for that particular account. This is significant for passkey adoption, as 54% of people familiar with passkeys consider them to be more convenient than passwords, and 53% believe they offer greater security. The full report is available here.
ABANCA’s mobile app serves over 1,200,000 customers a month, serving as the bank’s largest branch. Today, more than 42% of its mobile customers are using passkeys via the bank’s ABANCA Key product. As a result, more than 11,000,000 high-risk transactions have been protected without technical or service incidents, and due to the prioritization of UX, they have managed a Customer Effort Score (CES) of 4.7.
Aflac was the first major insurance company to adopt passkeys in the U.S. Aflac partnered with Transmit Security to launch their passkey authentication initiative Today, only the first phase of the project is complete and yet more than 500,000 Aflac customers have enrolled a passkey, resulting in a 32% reduction in password recovery requests. This has yielded 30,000 fewer calls per month to the call center for identity issues. Aflac reports that the highest enrollment rates occur at the point of registration, reinforcing the FIDO Alliance’s Design Guidelines recommendation to prompt customers during account-related tasks. The steady, organic adoption of passkeys by Aflac customers continues to grow daily and directly contributes to measurable improvements in cost reduction and customer experience.
KDDI now has more than 13.6 million au ID customers that use FIDO and has seen a dramatic decrease (down nearly 35%) in calls to their customer support center as a result. KDDI manages FIDO adoption carefully for both subscribers and non-subscribers.
LY Corporation property Yahoo! JAPAN ID now has 28 million active passkeys users. Approximately 50% of user authentication on smartphones now uses passkeys. LY Corporation said that passkeys have a higher success rate and are 2.6 times faster than SMS OTP.
Mercari has seen 9 million users enroll with passkeys, and is enforcing passkey login for users who have enrolled with synced passkeys. Notably, there have been zero phishing incidents at Mercari Shop and Mercoin (a Mercari subsidiary) since March 2023.
Microsoft began rolling out passkeys for Microsoft consumer account in 2024. They now see nearly one million passkeys registered every day. Microsoft has found that users signing in with passkeys are three times more successful at getting into their account than password users (about 98% versus 32%), passkey sign-ins are eight times faster than traditional password + MFA flows, and passwordless-preferred UX has reduced password use by over 20%.
Nikkei rolled out passkeys in February and is already seeing thousands of customers using passkeys. Additionally, they are seeing almost no inquiries about how to use passkeys at the support desk.
NTT DOCOMO has increased its passkey enrollments and now passkeys are used for more than 50% of authentication by d ACCOUNT users. NTT DOCOMO notably reports significant decreases in successful phishing attempts and there have been no unrecognized payments at the docomo Online Shop since September 2022 where NTT DOCOMO continuously improved UX, including increasing the number of other passkey-enabled services.
Samsung Electronics’ Galaxy smartphones support fast and convenient logins through biometric authentication and FIDO protocols. Due to ease of use, speed, compatibility across services, and status as an industry standard made passkeys a compelling choice for Samsung Electronics.
VicRoads is the vehicle registration and driver licensing authority in Victoria, Australia. It registers over six million vehicles annually and licenses more than five million drivers. Within the first weeks of deployment with its passkey vendor Corbado, passkey adoption significantly exceeded VicRoads’ expectations. Users embraced the phishing-resistant authentication method, benefiting from a frictionless login experience optimized for speed and security. The exceptionally high passkey activation rate – peaking at 80% on mobile devices and over 50% across all platforms – led to 30% passkey login rate within the first seven weeks. Uptake continues to rise steadily, translating into measurable operational benefits, including reduced authentication-related support tickets, lower SMS OTP costs and improved user experience and security.
Zoho Corporation has rolled out passkeys to its 100+ million zoho.com customers and has seen a resulting 30% increase month over month in passkey adoption and a 10% drop in password reset queries. As a next step, the company will begin its rollout to Zoho Vault customers in May.
Read the full case studies from ABANCA, Microsoft, Nikkei, Samsung Electronics, VicRoads and Zoho Corporation to learn more about how these companies are discovering the benefits of passkey adoption. To learn more about passkey implementation through other documented case studies, visit the FIDO Alliance’s resource library. Have a case study to share? Contact us!
New global survey: More than two thirds of users familiar with passkeys turn to them for simpler, safer sign-ins as password pain persists
MOUNTAIN VIEW, Calif., May 1, 2025 – With digital security more critical than ever, the FIDO Alliance is commemorating World Passkey Day 2025 with the release of an independent study of consumers across the U.S., U.K., China, South Korea, and Japan to understand how passkey usage and consumer attitudes towards authentication have evolved.
The research found that in the last year, over 35% of people had at least one of their accounts compromised due to password vulnerabilities. In addition, 47% of consumers will abandon purchases if they have forgotten their password for that particular account. This is significant for passkey adoption, as 54% of people familiar with passkeys consider them to be more convenient than passwords, and 53% believe they offer greater security.
World Passkey Day serves as the FIDO Alliance’s annual call to action for individuals and organizations to adopt passkey sign-ins, making the web safer and more accessible.
Highlights from the research show consumer passkey awareness is on the rise and outlines several key trends in adoption among those who are aware of passkeys, including:
74% of consumers are aware of passkeys. 69% of consumers have enabled passkeys on at least one of their accounts. Among those who have used passkeys, 38% report enabling them whenever possible. More than half of consumers believe passkeys are both more secure (53%) and more convenient (54%) than passwords.The survey report is available at https://fidoalliance.org/wpd-report-2025-consumer-password-passkey-trends/, which includes additional insights on how passkey adoption is trending with consumers and organizations to improve global digital access, authentication, and security.
“The establishment and growth of World Passkey Day reflects the fact that organizations of all shapes and sizes are taking action upon the imperative to move away from relying on passwords and other legacy authentication methods that have led to decades of data breaches, account takeovers and user frustration, which imperil the very foundations of our connected society,” said Andrew Shikiar, Executive Director and CEO of the FIDO Alliance. “We’re thrilled by the fact that over 100 organizations around the world signed our Passkey Pledge, and we are pleased to support the market in their march towards passkeys through a variety of freely available assets, including our market-leading Passkey Central resource center.”
To further encourage organizations to embrace the shift away toward passkeys, the FIDO Alliance also launched the Passkey Pledge, a voluntary pledge for online service providers and authentication product and service vendors committed to embracing passkeys. The passkey pledge has received commitments from over 100 organizations in just over 20 days. A full list of companies that have taken the passkey pledge can be found here.
The availability of passkeys has steadily increased with implementation reaching 48% of the world’s top 100 websites as enterprises and service providers collectively seek to embrace a new era of faster sign-ins, higher success rates, fewer account takeovers, lower support costs, and reduced cart abandonment.
To learn how to start your organization’s passwordless journey, or to begin using passkeys today, visit: https://www.passkeycentral.org/home.
Notes to editors: This SurveyMonkey online poll was conducted from April 13-14, 2025, among a global sample of 1,389 adults ages 18 and up. Respondents for this survey were selected from the nearly 3 million people who take surveys on the SurveyMonkey platform each day. Data for this survey has been weighted for age, race, sex, education, and geography to adequately reflect the demographic composition of the United States, United Kingdom, China, South Korea and Japan. The modeled error estimate for this survey is plus or minus 3.5 percentage points. To calculate the proportion of the world’s top websites and services that support passkeys, the FIDO Alliance combined publicly available information with its own data on passkey deployments. About the FIDO AllianceThe FIDO (Fast IDentity Online) Alliance was formed in July 2012 to address the lack of interoperability among strong authentication technologies and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services. For more information, visit www.fidoalliance.org.
ContactIt feels fitting and yes, admittedly somewhat contrived, that our birthday falls on May 1st. It’s a moment when people around the world celebrate the power of collective action and the achievements of workers everywhere.
This year, our anniversary feels even more special. We’ve had our share of triumphs and certainly challenges, but nine years in (which is a long time in internet years!) we’re still here.
2025 has been named the United Nations International Year of Co-operatives, with the theme “Co-operatives Build a Better World.” The global co-operative movement deserves this spotlight, showing how co-ops like ours are making a difference by putting people and planet before profit.
https://ica.coop/en/cooperatives/facts-and-figuresAt We Are Open, we believe in doing business differently. We’re a worker-owned co-op, which means we make decisions together, share responsibility, and support each other to do meaningful work. Over the past nine years, we’ve learned (and re-learned!) that openness, collaboration, and trust are at the heart of what makes co-ops so important.
So today, we’ll down tools and raise a glass to our members, clients, friends, comrades in CoTech and workers.coop and the wider co-op community. Thanks for being part of our journey so far.
Solidarity and celebration from all of us at We Are Open! If you’d like to wish us happy birthday, or have a problem we may be able to help with, email us without delay at hello@weareopen.coop
May 2025
DIF Website | DIF Mailing Lists | Meeting Recording Archive
Table of contents Decentralized Identity Foundation News; 2. Working Group Updates; 3 Special Interest Group Updates; 4 User Group Updates; 5. Announcements; 6. Community Events; 7. DIF Member Spotlights; 8. Get involved! Join DIF 🚀 Decentralized Identity Foundation News DIF Labs Beta Cohort 2 RFP is here!Exciting news for identity innovators! DIF Labs has just announced their request for proposals for Beta Cohort 2, focused on driving high-leverage work at the intersection of identity, trust, and emerging technologies. The program seeks proposals from builders and researchers in five key focus areas: Personhood Credentials, Content Authenticity and Assertions, Applied Cryptography, Verifiable AI, and Industry-Aligned Applications. Project leads must be DIF members, with proposals due by May 20, 2025. Selected projects will receive mentorship, ecosystem support, and collaboration opportunities over a 2-3 month development period. For complete details on submission requirements, evaluation criteria, and the application process, visit the full announcement on the DIF Labs website.
DIF Hospitality & Travel Working Group is LiveThe Decentralized Identity Foundation (DIF) has launched a new Hospitality & Travel Working Group focused on developing standards for self-sovereign data exchange in the travel industry. This initiative will create frameworks allowing travelers to control their personal information while enabling seamless interactions with service providers. Led by chair Douglas Rice, the group will address traveler profiles, data portability, and interoperability across the travel ecosystem. For more details, see DIF's announcement:
DIF Launches Decentralized Identity Foundation Hospitality & Travel Working Group The Decentralized Identity Foundation (DIF) has officially launched its Hospitality & Travel Working Group, evolving from the ongoing H&T Special Interest Group (SIG). This new working group will focus on developing standards, schemas, processes, and documentation to support the self-sovereign exchange of data between travelers, services, intermediaries in the hospitality Decentralized Identity Foundation - BlogDecentralized Identity Foundation Algorand Releases the Universal Chess PassportAlgorand has partnered with World Chess to develop a "Universal Chess Passport" using blockchain-based digital identity and verifiable credentials technology. This innovative system will allow chess players to maintain portable digital identities and credentials across platforms, enabling them to seamlessly transfer their achievements, rankings, and records between online platforms and in-person tournaments. The proposal aims to address fragmentation in the chess ecosystem while maintaining privacy and security through decentralized identifiers (DIDs). A live discussion about the initiative will be held on May 6th featuring representatives from Algorand, World Chess, and the Decentralized Identity Foundation. For more details, visit Algorand's announcement page:
Algorand x World Chess - Universal Chess Passport Tired of rebuilding your chess identity across every platform? A new blockchain-based system from Algorand and World Chess proposes portable, verifiable credentials for chess players—bringing fairness, reputation, and rewards into one unified ecosystem. Universal Chess PassportAlgorand Foundation 🛠️ Working Group UpdatesBrowse our working groups here
Hospitality & Travel Working GroupThe newly-launched Hospitality & Travel Working Group started strong. They discussed their draft implementation guide and schema development, exploring the complexities of travel stages and verifiable data. They refined key terms in their glossary, including standardizing on the term "HATPro" (hospitality and travel profile). The team aims to have a substantial portion of the schema ready to announce at the HITEC Conference in mid-June.
Creator Assertions Working GroupThe Creator Assertions Working Group held productive meetings in both Americas/EU and APAC time zones this month. Discussions focused on identity claims, trust profiles, and collaboration with external groups including the JPEG Trust Group and Project Origin. The group is preparing three assertion specs for approval and considering integrating first-person credentials. The group will soon hold an election for co-chairs, with Scott Perry and Alex Tweeddale as candidates.
DID Methods Working GroupThe DID Methods Working Group finalized the DIF recommended methods process, agreeing to use "DIF Recommended" consistently throughout their documentation. They heard a detailed presentation on DID Peer version 4, exploring its features and advantages over other methods. The group also decided to dedicate full sessions to DID method deep dives as practice runs for their evaluation process.
Identifiers and Discovery Working GroupThe DID Traits team is preparing to release version 1.0 of their specification, focusing on making traits enable easier assessment. They're adding new traits including key validation and long-term availability, while improving terminology for clarity. The team removed software trade references due to complexity and expressed satisfaction with their progress toward the 1.0 milestone.
The did:webvh team is finalizing their 1.0 specification, including updates to examples and clarification of terminology. They addressed concerns about performance with large logs, cryptographic agility, and improving DID availability through watchers. The team is developing a JSON schema for data model validation and planning a test suite, while seeking acknowledgement from the DIF Technical Steering Committee for the 1.0 release.
🪪 Claims & Credentials Working GroupThe Credential Schemas team developed a new schema directory structure with community schemas, draft schemas, and recommended schemas folders to better organize their work. They refined the proof of age schema, including improvements to boolean threshold indicators and simplifying schema names for clarity and reuse. The team welcomed new members and discussed potential synergy with the Oasis working group.
Applied Crypto Working GroupThe BBS+ team focused on pseudonym implementations and designing approaches for everlasting unlinkability in credential systems. They considered trade-offs between post-quantum security and privacy, concluding that their baseline approach with pseudonyms offers preferable privacy protections. Team members are exploring the potential of using Rust instead of C++ for implementation and plan to interact more with the CFRG to advance the project.
DIF Labs Working GroupDIF Labs has launched its RFP for Beta Cohort 2. Read more here
DIDComm Working GroupThe DIDComm team discussed implementing binary encoding in the next version, proposing either a DIDComm version 3 with built-in binary encoding or adding optional seabore envelopes in version 2.2. They welcomed new member SwissSafe who expressed interest in contributing to standardizing CBOR for DIDcomm messaging. The team agreed to implement a flag designator in the header for different encodings.
If you are interested in participating in any of the Working Groups highlighted above, or any of DIF's other Working Groups, please click join DIF.
🌎 DIF Special Interest Group UpdatesBrowse our special interest groups here
The H&T SIG held multiple productive sessions in April. One meeting featured representatives from the European Digital Identity Wallet Consortium who presented on the EUDI wallet's development and potential applications in travel and hospitality. Another session discussed food model development, trip profile components, and context-specific preferences for travelers. The team continues refining their implementation guide and developing a comprehensive strategy for travel wallets that support personalization, with plans to showcase their schema at the HITEC Conference in mid-June.
DIF China SIG APAC/ASEAN Discussion GroupThe APAC/ASEAN call featured a presentation on the Verifiable Legal Entity Identifier (vLEI) and its relation to the Global Legal Entity Identifier Foundation. Steering Committee member Catherine Nabbala of Finema, a qualified vLEI issuer, detailed the vLEI ecosystem governance framework and verification processes. The group discussed implementation challenges including key management, wallet technologies, and potential applications in various industries. Participants showed particular interest in how vLEI could be integrated with traditional SSI architecture using did:webs
DIF Africa SIGThe DIF Africa SIG hosted a presentation by Karla McKenna on the Global Legal Entity Identifier Foundation (GLEIF) and Verifiable Legal Entity Identifier (vLEI). Karla discussed organizational identity in the digital world and potential applications of vLEI in various sectors. The meeting explored the process of becoming a qualified vLEI issuer and how such technology could benefit government and public services. Participants expressed interest in applying these concepts to streamline business processes, particularly in Africa.
DIF Japan SIGThe Japan SIG discussed NodeX's migration from Sidetree to the did:webvh method due to concerns about content-addressable storage stability, Bitcoin network performance, and Sidetree maintenance status. Technical discussions included DID structure, the resolve process, did:webvh method advantages, and IoT device authentication and trust. The team also explored global deployment strategies and trust framework implementation, particularly for IoT devices in critical infrastructure and energy sectors.
DIF Korea SIG 📖 DIF User Group UpdatesThe DIDComm User Group explored Colton's WebRTC project that enabled browser-to-browser voice communication over DIDComm. Members discussed binary encoding implementation options for DIDComm messages, focusing on CBOR while keeping the door open to other encodings. The group also demonstrated a chat system using DIDComm's mediator capabilities for seamless communication between users, even when offline. Future discussions will focus on use case documentation templates and integrating with AI-related protocols like the Model Context Protocol.
Veramo User Group 📢 Announcements at DIFConference season is kicking into high gear. Explore our Events calendar to meet the DIF community at leading Decentralized Identity, Identity, and Decentralized Web events.
🗓️ ️DIF Members👉Are you a DIF member with news to share? Email us at communication@identity.foundation with details.
🆔 Join DIF!If you would like to get in touch with us or become a member of the DIF community, please visit our website or follow our channels:
Follow us on Twitter/X
Join us on GitHub
Subscribe on YouTube
🔍
Read the DIF blog
New Member OrientationsIf you are new to DIF join us for our upcoming new member orientations. Find more information on DIF’s slack or contact us at community@identity.foundation if you need more information.
Passkeys are no longer just a concept: The future of sign-in is here and consumers are ready. Built on the open authentication standards developed by theFIDO Alliance, passkeys are quickly gaining momentum among global service providers. Why? Because they offer africtionless, phishing-resistant, passwordless sign-in experience that is redefining digital security and user convenience.
Ahead of World Passkey Day 2025, the FIDO Alliance commissioned an independent survey of1,389 peopleacross theU.S., U.K., China, South Korea, and Japan to provide additional insights into how authentication preferences are evolving in real time.
The research shows people continue to struggle with traditional passwords:
36%of respondents said they’ve had at least one account compromised due to weak or stolen passwords. 48%admitted they’ve abandoned an online purchase simply because they forgot their password.Read the full results of the survey in this eBook.
Download the Report Read the Press ReleaseApril 29, 2025 – The FIDO Alliance has launched a Payments Working Group (PWG) to define and drive FIDO solutions for payment use cases. The PWG will also act as subject matter experts and internal advisors within the FIDO Alliance on issues affecting the use of FIDO solutions for payment use cases. The PWG is co-chaired by Henna Kapur of Visa and Jonathan Grossar of Mastercard, with other FIDO Alliance member company participants including American Express; Cartes Bancaires; Discover; Futurae; Infineon; OneSpan; PayPal; Royal Bank of Canada – Solution Acceleration & Innovation; and Thales.
The PWG will focus on three areas:
Identify and evaluate specific requirements for payment authentication. Requirements will include those in the area of UX, security and regulation unique to payments;. Identify and evaluate existing and emerging solutions to address payment authentication requirements; and Guidelines for use of passkeys and/or proposed FIDO solutions along with existing payment technologies such as EMV® 3-D Secure or EMV® SRC.The PWG will also work on associated projects relating to the use of FIDO solutions for payments including: collecting and publishing deployment case studies, documenting challenges and potential solutions to issues; and working with FIDO Alliance liaison partners to drive education and adoption.
Join the Payments Working Group
Organizations interested in taking part in the PWG and driving the adoption of passkeys for payments can inquire today. Participation in the PWG is open to all Board, Sponsor, and Government level members of the FIDO Alliance. Non-member organizations interested in participating should contact the FIDO Alliance to become a member; learn more by visiting https://fidoalliance.org/members/become-a-member/.
NEWARK, NJ, May 1, 2025 – Dr. Forough Ghahramani, Assistant Vice President for Research, Innovation, and Sponsored Programs, Edge, and Vice President for Research and Collaborations, New Jersey Big Data Alliance (NJBDA), will join the 12th annual NJBDA Symposium at William Paterson University of New Jersey on May 16, 2025. This annual event is New Jersey’s premier conference for big data and advanced computing and attracts over two hundred attendees from industry, government, and academia.
This year’s theme, Empowered by AI: Innovation and the Rise of the Augmented Workforce, will allow attendees to explore the transformative power of AI and how this technology can empower workers to reach new levels of innovation and creativity. The full-day event will feature an industry panel discussing the impact of AI across multiple sectors, a workforce development panel on advanced technologies, a hands-on student workshop, and networking opportunities.
Breakout sessions include a Research Track Program led by Research Track Chair, Dr. Ghahramani, and will feature presentations on current applied research in Big Data, AI, and Machine Learning. The research session, AI Methods & LLM Innovation, will explore cutting-edge AI techniques including generative models, graph networks, and real-time Natural Language Processing (NLP) and will highlight the technical advancements driving the next wave of intelligent systems.
The session, AI in Health, Education, and Society, will explore how AI is shaping healthcare, education, and social systems, with a focus on inclusive, human-centered technologies that promote well-being and equity. In a separate session, AI in Industry, Infrastructure, and the Environment, attendees will engage with real-world examples of how AI is driving innovation in business operations, public infrastructure, and environmental sustainability.
“As we stand at the intersection of AI innovation and workforce transformation, this year’s NJBDA Symposium provides a vital forum to advance collaborative research, inform policy, and shape inclusive pathways for talent development. The research track will highlight groundbreaking work in generative AI, machine learning, and real-time analytics, showcasing the talent and innovation emerging across New Jersey’s academic institutions and their relevance to pressing societal and industry challenges.”
— Dr. Forough GhahramaniThree student externship teams will also share insights from the Data Science Curriculum Alignment and Articulation Agreement Pathways Project, a joint effort led by the Rutgers Master of Business and Science (MBS) Externship Program, the New Jersey Big Data Alliance, and NJ Pathways. The group investigated how data science programs at New Jersey community colleges align with those at four-year universities and explored ways to make the credit transfer process more seamless for students moving from associate to bachelor’s degree programs. Following the presentation, attendees can join a Q&A panel to further explore the students’ findings and experiences.
For event information and registration, please visit the NJBDA Symposium website and explore the opportunity to collaborate, expand your knowledge, and gain insights into the evolving role of intelligent technologies in shaping our future.
About Edge
Edge serves as a member-owned, nonprofit provider of high performance optical fiber networking and internetworking, Internet2, and a vast array of best-in-class technology solutions for cybersecurity, educational technologies, cloud computing, and professional managed services. Edge provides these solutions to colleges and universities, K-12 school districts, government entities, hospital networks and nonprofit business entities as part of a membership-based consortium. Edge’s membership spans the northeast, along with a growing list of EdgeMarket participants nationwide. Edge’s common good mission ensures success by empowering members for digital transformation with affordable, reliable and thought-leading purpose-built, advanced connectivity, technologies and services.
The post Dr. Forough Ghahramani to lead the Research Track at the 12th Annual NJBDA Symposium appeared first on NJEdge Inc.
Cisco, Dell Technologies, IBM, Microsoft, Oracle, Red Hat, and Others Support New Guidance to Effectively Manage Product Lifecycles Across the Software Supply Chain
Boston, MA USA; 29 April 2025 — As organizations grapple with increasing cybersecurity risks linked to unsupported software and hardware, the need for timely, standardized End-of-Life (EoL) and End-of-Support (EoS) information is more critical than ever. In response, OASIS Open, the global open source and standards consortium, announced the publication of the OpenEoX White Paper. Developed by the OpenEoX Technical Committee (TC), the paper identifies major use cases for EoL security data, outlines current industry pain points, and introduces a roadmap for a standardized, machine-readable format for EoL disclosures.
“Knowing when software and hardware support ends shouldn’t be a guessing game. Managing product lifecycles effectively requires collaboration across the entire ecosystem, from commercial vendors to open-source maintainers,” said Omar Santos, OpenEoX co-chair and Cisco Distinguished Engineer. “OpenEoX introduces a much-needed, unified framework designed to streamline the exchange of End-of-Life (EoL) and End-of-Security-Support (EoSSec) data that enables transparency and efficiency.”
Developed by a global coalition of cybersecurity leaders from organizations including Cisco, Dell Technologies, IBM, Microsoft, Oracle, Red Hat, and others, the white paper defines the scope and architecture for an OpenEoX data model and lays the foundation for future technical specifications. These will support integration with the Common Security Advisory Framework (CSAF), Software Bill of Materials (SBOMs), and other widely adopted cybersecurity standards.
“Standardizing how end of life, end of security support, and end of sales is handled for hardware and software makes the software supply chain more secure and efficient. This is especially important for developing and deploying AI systems securely,” said Brendan Burns, Microsoft Corporate Vice President and General Manager, Azure Cloud Native and Management Platform. “We’re pleased to contribute to this effort, increasing transparency, efficiency, and trust through better-informed consumers.”
The OpenEoX TC aims to standardize and promote OpenEoX, a unified, machine-readable approach to managing and sharing EoL/EoS information for both commercial and open source software and hardware. This approach helps vendors, consumers, and the broader security ecosystem reduce risks and improve operational resilience.
The TC encourages participation from product vendors, open source communities, security researchers, government agencies, and any organization managing EoL products. New members are welcome and participation in the TC is open to all through membership in OASIS.
Media Inquiries:
communications@oasis-open.org
The post OASIS Members Publish White Paper to Advance Global Framework for Coordinated Product End-of-Life Security Disclosures appeared first on OASIS Open.
Kia ora,
Welcome to the April edition of the DINZ newsletter. As we navigate this period of transition, our commitment to advancing digital trust in Aotearoa remains unwavering. This month brings exciting updates on upcoming events, new members, and important industry developments.
Last Chance: DISTF Survey Closing Soon!
Don’t miss your opportunity to help shape the future of Digital Identity in New Zealand. Our Digital Identity Services Trust Framework (DISTF) survey closes next Monday, 5 May. Your insights will guide the DINZ DISTF Working Group’s priorities and advocacy efforts. This survey is open to both DINZ members and non-members. Your input is important as we work to maximise the benefits of this framework for all New Zealanders.
Take five minutes to complete the survey.
Digital Trust Hui Taumata Update
Planning for our landmark event is progressing well, with speakers now confirmed including Ministers Judith Collins and Scott Simpson, along with Deputy Privacy Commissioner Liz MacPherson. Additionally, we are well advanced with two terrific international keynote speakers thanks to DINZ member sponsors. We’re pleased to report that sponsorship commitments are tracking positively, reflecting the growing importance of digital trust in our national conversation.
Mark your calendars (12 August 2025, Te Papa, Wellington) for this premier industry gathering that will bring together leaders and innovators in the digital trust space. Register your interest here.
Member News
Kudos to MyMahi’s Stefan Charsley for his prestigious Kim Cameron award enabling him to attend IIW 40 earlier this month, wonderfully reported on by co-founder Phil Windley here. As a regular attendee on DINZ’s Coffee Chats, we hope he’ll be able to share his knowledge and perspectives gained. While on the subject of awards it was great to see MinterEllisonRuddWatts honoured in Best Lawyers.
RNZ reports that the Department of Internal Affairs has issued a tender for a “new genuine face capture solution”, and notably its Trust Framework Authority issued an RFI for digital ID services accreditation infrastructure writes Biometric Update.
Our DINZ community continues to grow! We’re delighted to welcome Cybercure, LuminPDF and just in, OriginID and BeyondTrust.
See all organisation members here.
Policy and Submissions
DINZ’s reputation for thoughtful high quality submissions continues to grow and these two above are no exception. View our submissions here.
International Engagement
We were fortunate to welcome back Zygma’s Richard Wilsher during his brief visit to New Zealand this month – two years since he delivered this highly thoughtful webinar. Richard met with both the DISTF Working Group and the Trust Framework Authority, sharing his valuable international perspectives and expertise.
Ministerial Engagement
As part of a FinTechNZ delegation that included DINZ member Middleware, our outgoing Executive Director Colin Wallis met with Minister of Commerce and Consumer Affairs Scott Simpson. Smooth accessible digital identification is a crucial enabler for fintech innovation and the upcoming Customer Product and Data Act.
International News
International ID Day (9 April) saw attendance from several New Zealand organisations. If you missed it, catch up here. UK Digital Identity Developments: The saga currently playing out in the UK may prove the adage once again that ‘Trust Takes Years To Build, Seconds To Break And Forever To Repair’. First it was Industry stakeholders expressing concerns over the government’s digital wallet approach, which saw the Digital Identity and Attributes Trust Framework (DIATF) community advocating for alternative approaches. Then came Government facing claims of serious cyber security and data protection issues in One Login digital ID system extended by The Telegraph including commentary from DINZ Coffee Chat attendee Mark King.Executive Director Search Update
The DINZ Executive Council is currently interviewing the candidate shortlist with an announcement expected shortly. We appreciate your patience during this transition period.
We value your continued support and engagement as we work together to advance digital trust in Aotearoa New Zealand.
Ngā mihi nui,
The team at Digital Identity NZ
Upcoming events, new members, and industry developments.
Read full news here: Moving Forward Together
The post Moving Forward Together appeared first on Digital Identity New Zealand.
“Cypherpunks wouldn’t just critique the surveillance state—they’d also call out us technologists for enabling it. We were supposed to resist, not retrofit.”
Christopher Allen recently talked with Tereza Bízková in an interview that was published to the front page of Hackernoon. It was headlined “The Co-Writer of TLS Says We’ve Lost the Privacy Plot”. In it, Christopher talks about what privacy means to him, what he thinks about recent privacy efforts, how centralization has become a problem, and how all of this connects to work done by the cypherpunks in the ’90s.
Perhaps most importantly, Christopher answers the question: what would be non-negotiable for a new privacy-first system today? His answer unsurprisingly reflects our vision here at Blockchain Commons, built on data minimization, progressive trust, and limited scale.
Privacy is one of the fundamental Gordian Principles, but probably the one we talk about the least, as so much of our focus is on resilience (such as #SmartCustody) or on independence and openness (as reflected in our attention to interoperability). Read “The Co-Writer of TLS Says We’ve Lost the Privacy Plot” for much more on why privacy is important and what exactly it is!
The Path to Self-Sovereign Identity LinksChristopher Allen is a long-term advocate for self-sovereign identity. He popularized the term and laid out an initial set of principles in his foundational article, “The Path to Self-Sovereign Identity”, coauthored the DID spec for W3c, and founded the Rebooting the Web of Trust workshops that advanced the technology for a decade. Following are articles by him and interviews with him on the topic.
The Co-Writer of TLS Says We’ve Lost the Privacy Plot (4/24/25): An interview with Tereza Bízková for Hackernoon on how things have gone wrong. SSI Orbit Podcast: Christopher Allen Interview (1/31/25): Following up the “Has Our SSI Ecosystem Become Morally Bankrupt?” article, a discussion of the problems with the current SSI ecosystem. Echoes from History (11/15/23): How identity went horribly wrong during WWII and the warnings that offers for the future of self-sovereign identity. The Origins of Self-Sovereign Identity (8/9/23): Living Systems Theory, Ostrom’s Principles, and other foudndational ideas that led to SSI, and what they say about its intent. Private Key Disclosure (8/16/22): Digital identities are secured by private keys, but are private keys secure from the government? Principal Authority: A New Perspective on Self-Sovereign Identity (9/15/21): A new lens for looking at Self-Sovereign Identity, based on successes in the Wyoming legislature. Self-Sovereign Identity: Five Years On (4/26/21): Five years after “The Path to Self Sovereign Identity”, the successes and challenges of SSI to date. The Path to Self-Sovereign Identity (4/26/16): The initial article on SSI, including the ten principles for Self-Sovereign Identity.Describe your service/platform/product and how it’s using FIDO authentication.
Microsoft Account (MSA) powers consumer-facing experiences across services like Xbox, Microsoft 365, Copilot, and more. In 2023, Microsoft began rolling out passkey support across these services, allowing users to sign in with a face, fingerprint, or device PIN instead of a password. By integrating FIDO credentials, we made it easier, faster, and significantly more secure for over a billion users accessing their Microsoft accounts, by removing the need for passwords.
What were the challenges you were trying to overcome?
We set out to solve three major challenges:
Security: Passwords are inherently insecure and highly vulnerable to phishing and brute force attacks. In 2024, we observed more than 7,000 password attacks per second.
User experience: Passwords are frustrating—users forget them, reuse them, or mistype them. We wanted a sign-in experience that users could succeed at the first time, every time.
Adoption at scale: We needed a solution that could work across devices and platforms while meeting high usability expectations for a global user base.
Why did you choose FIDO authentication over other options? What did you identify as advantages of implementing FIDO?
FIDO credentials offer the ideal combination of security, usability, and interoperability. They are resistant to phishing and credential theft, and they eliminate the need for shared secrets like passwords. FIDO credentials also enable seamless cross-device and cross-platform experiences—critical for consumer use cases. In testing, we found that passkeys delivered both improved security and a dramatically better user experience.
Describe your roll out of FIDO authentication.
Microsoft took a phased approach. We started by enabling passkeys for MSA sign-ins across consumer services like Xbox and Copilot. From there, we made UX changes to prioritize passwordless options. New Microsoft Accounts are now passwordless by default, and existing users are guided to enroll a passkey during or after sign-in. Throughout this process, we have worked closely with platform partners like Apple and Google, and continued our long-standing collaboration with the FIDO Alliance to ensure our approach aligns with industry standards. For a more detailed look at our approach, refer to Convincing a billion users to love passkeys: UX design insights from Microsoft to boost adoption and security.
What data points can you share that show the impact FIDO authentication has had?
The impact has been significant:
We now see over one million passkeys registered every day. Users signing in with passkeys are three times more successful (95% success rate vs. 30% for passwords). Passkey sign-ins are eight times faster than traditional password + MFA flows. Our passwordless-preferred UX has already reduced password use by over 20%.These results confirm that FIDO authentication improves security, boosts user satisfaction, and reduces operational burdens like password resets and support calls.
Read more in the Microsoft blog.
Describe your service/platform/product and how it’s using FIDO authentication.
Nikkei Inc. and the Nikkei Group pursues its mission “to be the most trusted, independent provider of quality journalism to a global community, helping our customers make better decisions.” We offer various media services, including the Nikkei, which serves as the cornerstone of our role as a news organization. The integrated ID platform supporting the Nikkei Group’s digital services, including our core service, the Nikkei Online Edition, is “Nikkei ID.”
Nikkei ID, which offers a wide range of services, has long faced the challenge of balancing security and usability. While we have implemented measures such as improving the login experience with OpenID Connect and introducing two-factor authentication and CAPTCHA (*1) to reduce the risk of unauthorized access, addressing security risks associated with password leaks and reuse, as well as countering increasingly sophisticated attacks, has been difficult.
(*1)A security authentication method to verify that a user is human.
In this context, as FIDO authentication has evolved and the threshold for introducing passkeys to services has lowered, Nikkei ID has proceeded with consideration and implementation with high expectations. Currently, we are expanding functionality to support not only web services but also mobile apps, and aiming to promote the adoption of passkeys through increased user awareness via internal and external blog posts, presentations, and guidance at the Nikkei ID Lounge Help Center.
What were the challenges you were trying to overcome?
The primary goal is to balance security and user experience. Many Nikkei ID users are not accustomed to digital services, so simply enhancing security is not enough. For example, while the introduction of CAPTCHA can prevent brute-force password attacks, it can also become a barrier for users who cannot pass the Turing test (*2), leading to increased support inquiries and added burden on customer service.
(*2) A test to determine whether something is ‘human-like’.
However, FIDO authentication (passkeys) achieves high security and user experience through integration with OS and platforms as a standard. This allows us to replace security measures that reduce risks associated with password authentication but negatively impact UX with passkeys.
Why did you choose FIDO authentication over other options? What did you identify as advantages of implementing FIDO?
The following two options were considered as alternatives to FIDO authentication (passkeys):
Mandatory implementation of two-factor authentication such as TOTP or email verification Social login using other ID platformsAs a result of comparing these options, we believe FIDO authentication (passkeys) offers the following advantages:
It allows for gradual transition by adding authentication on top of existing password authentication It enables the use of higher UX authentication methods such as biometric authentication It fundamentally resolves the risks associated with passwordsWhen it came to actual implementation, the aspect of “additional authentication” was particularly significant. In other words, it allows for implementation in a loosely coupled and highly cohesive manner without disrupting the existing ID model. The WebAuthn specification provides simple interface libraries and APIs for both backend and frontend on each platform, making secure implementation easy. Additionally, since existing authentication methods can be retained, the advantage of not significantly increasing support workload was also substantial.
Describe your roll out of FIDO authentication.
We implemented our own solution using the open-source backend library WebAuthn4J for FIDO authentication. We chose WebAuthn4J not only for its clear data model but also because it passed the FIDO2 Test Tools provided by the FIDO Alliance. For the frontend, we developed our own implementation that directly interacts with the WebAuthn API. Additionally, we created a test library to emulate FIDO authentication, enabling 24-hour automated testing as a comprehensive test of these implementations.
The rollout of FIDO authentication (passkeys) was carried out in the following steps:
Internal beta testing to gather feedback and monitor usage White-box and black-box testing by external security companies Public release to all usersWhat data points can you share that show the impact FIDO authentication has had?
Since it was just released in February this year, we cannot provide detailed numbers yet, but thousands of users are already using passkeys. Additionally, we have heard that there have been almost no inquiries about how to use passkeys at the support desk, and we recognize that passkeys are being used smoothly.
Resources
The test library that emulates FIDO authentication, mentioned in the implementation section, is publicly available as Nikkei’s open-source software. You can obtain it from the following https://github.com/Nikkei/nid-webauthn-emulator
For authorization after completing FIDO authentication (passkeys), we use Authlete, an OpenID Connect platform. In this case study, we express our enthusiasm for the introduction of FIDO authentication (passkeys). (At the time of this presentation in 2023, passkeys were still under consideration) https://www.authlete.com/ja/resources/videos/20231212/02/
Technical blog article during the consideration stage of implementation: https://hack.nikkei.com/blog/advent20241221/
Background: VicRoads
VicRoads is the vehicle registration and driver licensing authority in Victoria, Australia. It registers over six million vehicles annually and licenses more than five million drivers.
Operating as a joint venture between the Victorian State Government, Aware Super, Australian Retirement Trust, and Macquarie Asset Management, VicRoads is a critical provider of public services in the state.
Challenge: seamless and cost-effective authentication for government services
VicRoads aims to become Australia’s most trusted digital government service providers by delivering secure, frictionless services to millions of people.
Given the importance of the data that VicRoads holds on behalf of its customers, security has always been a primary consideration.
In the past, to support protection of customer data, VicRoads mandated multi-factor authentication (MFA) for all user accounts via SMS one-time passwords (OTPs) and authenticator apps.
Passkeys leverage biometrics, facial recognition, a PIN or a swipe pattern in the sign-in process. Unlike traditional MFA, passkeys require both the device storing the private key and local authentication, meaning they are both phishing-resistant and cost-effective.
Solution: Corbado provides a no-risk, passkey-first solution with minimal integration effort
VicRoads worked with passkey vendor Corbado, prioritizing a proven approach rather than building a solution from scratch.
Corbado’s deep understanding of both customer experience and the latest authentication technology gave VicRoads confidence that customers would find using passkeys easy.
Corbado also provided in-depth technical guidance on passkey-specific challenges, including browser compatibility, recovery flows and user experience optimizations – further solidifying VicRoads’ confidence.
“We selected Corbado because it could integrate passkey functionality into our existing infrastructure without disruption to our customers and operations”, said Crispin Blackall, Chief Technology Officer, VicRoads.
Implementation: pre-built, passkey-optimized components & SDKs enable quick integration
Corbado Connect seamlessly integrated with VicRoads’ existing infrastructure and CIAM, which is deeply embedded within the organization’s enterprise stack. This passkey enablement was achieved without requiring a migration of user data or authentication methods, ensuring a smooth and efficient transition for millions of users.
By layering passkey functionality on top of VicRoads’ current authentication system, Corbado enabled a frictionless deployment while preserving all existing user credentials. This approach eliminated the disruption and risks often associated with introducing new technology.
To ensure a smooth transition, VicRoads implemented passkeys in a phased rollout, beginning with personal customers. This gradual deployment, supported by Corbado Connect’s rollout controls, enabled VicRoads to monitor performance, address potential issues and optimize the user experience before seamlessly extending passkey authentication to partner and business customers.
Results: customers love passkeys, with up to 80% passkey activation rate in the first weeks
Within the first weeks of deployment, passkey adoption significantly exceeded VicRoads’ expectations. Users embraced the phishing-resistant authentication method, benefiting from a frictionless login experience optimized for speed and security.
The exceptionally high passkey activation rate – peaking at 80% on mobile devices and over 50% across all platforms – led to 30% passkey login rate within the first seven weeks. Uptake continues to rise steadily, translating into measurable operational benefits, including:
Reduced authentication-related support tickets Lower SMS OTP costs Improved user experience and security.So far, VicRoads has successfully rolled out passkeys on its web portal. The next step is to integrate passkeys into its native apps – myVicRoads and myLearners – allowing users to leverage their existing passkeys without additional setup. Ultimately, once passkeys are fully implemented across all digital platforms, VicRoads aims to eliminate passwords entirely, maximizing security and fully embracing a passwordless future.
“Passkeys are easy to use, without compromising on security. We’re excited to give our customers a simpler, more secure way to handle their registration and licensing services,” said Crispin Blackall, Chief Technology Officer, VicRoads.
Opportunity: setting a new standard for government authentication
With one of the largest public sector passkey deployments globally, VicRoads has established itself as a digital leader in authentication modernization for government applications.
Achieving high adoption rates without disruption, VicRoads has proven that large-scale organisations can enhance security and improve user experience simultaneously. This success positions VicRoads as a benchmark for other government agencies looking to modernize their authentication strategies.
“Passkeys represent a paradigm shift in how we authenticate users to digital identity services,” said Andrew Shikiar, Chief Executive Officer of the FIDO Alliance. “VicRoads’ adoption of passkeys showcases how government agencies can leverage this industry-wide innovation to protect people’s data while simplifying access to critical services. This is a significant step towards a more secure and efficient digital future for Victoria and beyond.”
Next Steps: developing next generation authentication
VicRoads’ ongoing partnership with Corbado ensures it remains at the forefront of authentication innovation while maintaining a seamless user experience for its expanding digital service base. A key advantage of Corbado’s managed passkey service is its built-in adoption-enhancing optimisations, ensuring continuous improvements and seamless WebAuthn conformity with all future WebAuthn updates.
With this initiative, VicRoads has paved the way for broader adoption of passkeys in the government and public sector, proving that secure, frictionless authentication at scale is achievable.
About Corbado
Corbado is a leading provider of passkey solutions, enabling enterprises and government agencies to deploy passkey authentication seamlessly, without user migration. Corbado’s focus is on maximizing adoption in large-scale deployments. As a FIDO Alliance member, Corbado’s solutions ensure high adoption rates, enhanced security, and a frictionless user experience. Visit https://www.corbado.com/.
Describe your service/platform/product and how it’s using FIDO authentication.
With over 55 apps across nearly every major business category, Zoho Corporation is one of the world’s most prolific technology companies. Headquartered in Chennai, India, Zoho is privately held and profitable, employing more than 18,000 people worldwide. Zoho is committed to user privacy and does not rely on an ad-revenue business model. The company owns and operates its data centres, providing full oversight of customer data privacy and security. Over 100 million users globally—across hundreds of thousands of companies—trust Zoho to run their businesses, including Zoho itself. For more information, visit zoho.com.
What were the challenges you were trying to overcome?
Secure and easy log in instead of traditional authentication methods.
Why did you choose FIDO authentication over other options? What did you identify as advantages of implementing FIDO?
Improved security, supporting documents and community.
Describe your roll out of FIDO authentication.
We rolled it ourselves via our IAM team.
We first rolled out passkey authentication for zoho.com (100mn + users)
Rolling out passkey management in our password manager Zoho Vault in May, 2025
What data points can you share that show the impact FIDO authentication has had?
30% increase MoM in passkey adoption
10% drop in password reset queries
Resources
https://help.zoho.com/portal/en/kb/accounts/sign-in-za/articles/passkey https://www.zoho.com/vault/features/passkeys.htmlDescribe your service/platform/product and how it’s using FIDO authentication.
Samsung Electronics’ Galaxy smartphones support fast and convenient logins through biometric authentication and FIDO protocols.
What were the challenges you were trying to overcome?
FIDO-based passkeys are transforming the way users access websites and apps by eliminating the need for traditional usernames and passwords. Instead of being stored on a server where they could be exposed, passkeys are securely stored on the Galaxy device, enabling quick and secure sign-ins using biometric authentication.
Why did you choose FIDO authentication over other options? What did you identify as advantages of implementing FIDO?
FIDO enables secure authentication without transmitting users’ biometric data outside the device. Its ease of use, speed, compatibility across services, and status as an industry standard made it a compelling choice for Samsung Electronics.
Describe your roll out of FIDO authentication.
We have integrated FIDO authentication directly into our devices, enabling users to access it out-of-the-box. We continue to expand FIDO support across more Galaxy models and software updates.
Resources
https://www.samsung.com/levant/support/apps-services/how-to-create-and-use-a-passkey/ https://www.samsung.com/ca/support/apps-services/how-to-create-and-use-a-passkey/ https://news.samsung.com/in/the-knox-journals-the-passwordless-future-of-securityDescribe your service/platform/product and how it’s using FIDO authentication.
Our mobile banking app is our bank’s largest branch, serving over 1,200,000 customers each month. These customers require the best protection against identity theft attacks, and we provide the most robust and innovative solutions, always prioritizing the best user experience. ABANCA Key is a new identity verification service based on FIDO standards. It was launched after years of research by leading players to prevent identity theft attacks. Using passkeys, ABANCA Key provides the highest level of protection. It is impossible to guess or reuse them, so they protect our customers’ private information from attackers.
What were the challenges you were trying to overcome?
On one hand, there’s the security challenge. The rise of phishing through calls and SMS messages in Spain has become a plague and a real problem for administrations, mobile operators, and financial institutions but on the other hand, there was the need to maintain the best user experience with the least friction. Passkeys give us a framework for interoperability and standardization, which provides us with ease of implementation and deployment. However, above all, and for the first time in the security industry, it provides a framework of homogeneity to achieve a frictionless user experience.
Why did you choose FIDO authentication over other options? What did you identify as advantages of implementing FIDO?
We chose FIDO for many reasons: for its future strategy, as it allows us to follow many ways, including MFA and passwordless, for trust, as the FIDO Alliance includes leading players in security, operating systems, infrastructure, and mobile ecosystem; and for the standardization and homogenization what it give us, which reduces implementation, deployment and roll out times.
Describe your roll out of FIDO authentication.
To deliver the best user experience, we’re committed to having the deepest possible understanding of the technology. This enables us to effectively identify and resolve issues, and to better understand user behavior. We became our own partner by developing our own platform based on the FIDO standard and certifying it as if it were a provider.
We rolled out the deployment in phases. In under five months, we had the development of both server and front-end (iOS and Android) ready, and we began the rollout in an initial phase with our employees, and subsequently to end customers in batches. In just seven months, we were already in a general roll out to all customers.
What data points can you share that show the impact FIDO authentication has had?
More than 42% of our customers are already using ABANCA Key More than 11,000,000 high-risk transactions has been protected with ABANCA Key without technical or service incidents Customer roll out ran without technical or service incidents, and most importantly, with our customer journey UX to sign in ABANCA Key and to use it, we’ve managed a Customer Effort Score (CES) of 4.7.Please provide any links or resources that you feel would be useful in developing this case study.
https://comunicacion.abanca.com/es/noticias/abanca-primer-banco-espanol-en-implantar-la-tecnologia-de-llaves-de-acceso-en-la-banca-movil-para-reforzar-la-seguridad-de-sus-clientes/ https://www.abanca.com/es/banca-a-distancia/llave-abanca/
Out of the blue, I received a text from my father asking me, “What’s the difference between a password and a passkey?”
Somewhere, in his daily online journey, he was prompted by a website or application — a “relying party” in authentication lingo — to create a passkey. But the benefit wasn’t clear to him. Nor did there seem to be any urgency. He figured I’d know what passkeys are and what to do the next time he gets a nudge to set one up. I told him, “Let’s talk before you do anything.”
Your phone, computer and tablet is now at risk, as the nightmare of AI-powered attacks comes true. There are now multiple warnings into the use of mainstream AI platforms to design, develop and even execute attacks that are almost impossible to detect.
To add to recent reports from Symantec and Cofense, Guardio also now warns that “with the rise of Generative AI, even total beginners can now launch sophisticated phishing scams — no coding skills needed. Just a few prompts and a few minutes.”
And Microsoft has just told users the same. “AI has started to lower the technical bar for fraud and cybercrime actors looking for their own productivity tools, making it easier and cheaper to generate believable content for cyberattacks at an increasingly rapid rate… AI-powered fraud attacks are happening globally.”
Apple’s new Passwords app (introduced with iOS 18, iPadOS 18, and macOS Sequoia) is a big leap forward in making password management simple and user-friendly for Apple users, even if it’s not as robust as other password managers. If you’ve ever fumbled through Safari settings to find a saved login or toggled through iCloud Keychain menus to edit credentials, the Passwords app is for you. It’s designed to give you a dedicated home for all your saved login credentials, passkeys, Wi-Fi passwords and two-factor authentication codes, all in one secure, easy-to-navigate interface.
ABANCA has achieved international FIDO certification for the Llave ABANCA service, the digital identity verification technology solution developed by the bank that allows customers to validate mobile banking transactions securely and quickly by unlocking their phone.
The FIDO ( Fast IDentity Online ) certification has been granted by the FIDO Alliance, the leading international association promoting digital authentication standards that are more robust and simpler than passwords or one-time codes. This consortium is made up of the world’s leading technology companies—Google, Apple, Microsoft, Amazon, and Visa, among others—who have joined forces to promote more robust and user-friendly digital identity methods. With the FIDO certification of Llave ABANCA, this global alliance accredits that the solution implemented by the bank meets the highest standards of online identity verification.
Going passwordless is difficult for a lot of companies, even the ones with “security” in the name.
Jim Taylor, chief product and technology officer (and resident IT professional) at RSA Security, spoke with IT Brew about lessons learned as he led the deployment of passkeys, biometrics, and other non-password implementations across the organization. Two major keys to passwordless success, he said, included having lots of options and lots of patience.
“There’s no big switch. I wish there was a big red button that you could just press and go, ‘Ta-da!’ with passwordless, right? It doesn’t work like that,” Taylor told IT Brew.
Inverid has joined the FIDO Alliance. A release from the Dutch identity verification firm says it will bring expertise in document authenticity verification to FIDO users of DocAuth document authenticity specifications.
We’re excited to welcome Oír Más as one of our new Matchbox partners. Oír Más is a radio collective dedicated to amplifying the voices of diverse communities through radio experimentation.
The post From memory to action: Radio as a tool for a healthier information ecosystem appeared first on The Engine Room.
Die Einführung der EUDI-Wallet in Deutschland, basierend auf der novellierten eIDAS-Verordnung, stellt eine zentrale Herausforderung dar, um bis 2026 eine sichere, digitale Identitätslösung für Bürger bereitzustellen. Ziel ist es, ein umfassendes Ökosystem zu schaffen, das öffentliche Institutionen, privatwirtschaftliche Akteure und Regulierungsbehörden integriert. Dieses Ökosystem soll nicht nur technische Standards und Prozesse etablieren, sondern auch die Akzeptanz der Bürger fördern und die rechtlichen Rahmenbedingungen gewährleisten.
Die Autoren dieses Whitepapers schlagen eine Public-Private-Partnerschaft in Form einer Genossenschaft als neutralen Ecosystem-Orchestrator vor. Diese Genossenschaft soll:
Demokratische Governance bieten, mit transparenter Kontrolle und Einflussmöglichkeiten für alle Mitglieder. Kostendeckendes Finanzierungsmodell durch Mitgliedsbeiträge und Sonderzuwendungen implementieren. Zentrale Aufgaben wie Zertifizierung von Wallets, Registrierung von Verifizierungsstellen und Förderung der Kommunikation zwischen Akteuren übernehmen. Herausforderungen für die neue BundesregierungDie Bundesregierung ist durch die Verordnung [(EU) 2024/1183] dazu verpflichtet, bis Ende 2026 eine EUDI-Wallet für alle Bürger bereitzustellen, in der Ausweisdaten in elektronischer Form sicher gespeichert werden können. Die vollständige Umsetzung des EUDI-Wallet Ökosystem hat bis 2027 zu erfolgen. Das Bundesinnenministerium bereitet seit Mai 2023 die Konzeptionierung und Umsetzung der deutschen Wallet-Lösung federführend vor. Um die Akzeptanz bei den Bürgerinnen und Bürgern zu fördern, ist es nicht nur erforderlich, die technische Infrastruktur bereitzustellen, sondern auch ein umfassendes Ökosystem aufzubauen. In diesem Ökosystem interagieren privatwirtschaftliche Akzeptanzstellen, zertifizierte Vertrauensdienste, öffentliche Einrichtungen aus Bund und Ländern sowie Regulierungsbehörden und Zertifizierungsstellen miteinander. Der Aufbau eines solchen Ökosystems stellt eine hochkomplexe Aufgabe dar. Sie erfordert die Etablierung von Standards und Prozessen, die von allen beteiligten Privatunternehmen und öffentlichen Institutionen geteilt und umgesetzt werden können. Dabei steht die Berücksichtigung der Interessen der Bürgerinnen und Bürger im Vordergrund. Zudem müssen alle rechtlichen Rahmenbedingungen eingehalten, die missbräuchliche Nutzung persönlicher Daten verhindert und ein attraktives Investitionsumfeld für die Unternehmen der Privatwirtschaft geschaffen werden.
Aufbau des EUDI-Wallet Ökosystems als Public-Private Partnership mit neutraler GovernanceDie Autoren dieses Whitepapers plädieren für eine Public-Private-Partnerschaft als Ecosystem Orchestrator, die sich in einer Genossenschaft organisiert. Die Genossenschaft hat den Zweck, die Interessen aller Genossenschaftsmitglieder – also aller Akteure im EUDI-Wallet Ökosystem – gleichermaßen zu fördern. Die Genossenschaft benötigt eine demokratische Governance, die Einfluss, Kontrolle und Transparenz ggü. den Mitgliedern ermöglicht. Sofern die Genossenschaft selbst keine Investitionen tätigt, sollte ihre Satzung eine not-for-profit Klausel beinhalten, sodass lediglich die Kosten gedeckt werden müssen, die sich am Bedarf der Mitglieder orientieren.
Die Genossenschaft sollte durch die nachstehenden Organe gesteuert werden.
Generalversammlung: Bildet das höchste Entscheidungsgremium der Genossenschaft. Jedes Mitglied erhält ein Stimmrecht. Die Summe der Stimmen von Nicht-Europäischen bzw. investierenden Mitgliedern darf 25% nicht überschreiten. Vorstand: Führt das Tagesgeschäft und übernimmt die Verantwortung für die Umsetzung der Governance und der Strategie. Aufsichtsrat: Bildet das Kontrollorgan des Vorstands. Ecosystem Coach: Stabstelle als Mediator zwischen den Akteuren zur Offenlegung und Management von Interessenskonflikten.Öffentliche Institutionen sollten die Genossenschaft gründen, ein Regelwerk in Form einer Satzung definieren und den Beitritt von Akteuren der Privatwirtschaft ermöglichen. Es sind dabei sämtliche Akteure der Rollen aus der eIDAS-Novelle wie bspw. PID-Provider, Pub-EAA-Provider, (Qualified) Trust Service Provider, Wallet Provider und Trust List Provider einzubinden.
Finanzierungskonzept: DieFinanzierung der Betriebskosten erfolgt durch Mitgliedsbeiträge. Werden temporärMittel für bestimmte Zwecke benötigt, kann eine Finanzierung in Form von Sonderzuwendungen der Mitglieder erfolgen.
Aufgaben: Interessen der Mitglieder fördern, Kommunikation zwischen den Mitgliedern erleichtern, Wallets zertifizieren, Verifizierungsstellen registrieren, rechtliche Fragestellungen klären, öffentliche Kommunikation bündeln, Durchdringung der EUDI-Wallet messbar machen, Schnittstellen bereitstellen, etc.
Opt-Out: Die Mitgliedschaft kann ordentlich gekündigt werden. Erkenntnisse aus einer Risikoanalyse zu Opt-Out Szenarien sollten bei der Erstellung der Satzung berücksichtigt werden.
FazitUm das Ökosystem für die deutsche EUDI-Wallet aufzubauen ist ein neutraler Ecosystem-Orchestrator erforderlich, der gemeinsam mit öffentlichen und privatwirtschaftlichen Organisationen ein Ökosystem für die deutsche EUDI-Wallet aufbaut. Dies kann, wie vorliegend aufgezeigt, durch eine Genossenschaft abgebildet werden, in der alle Akteure des Ökosystems kartellrechtskonform und strukturiert kooperieren.
Über die AutorenDie IDunion SCE mbH ist die Nachfolgeorganisation eines vom BMWK-geförderten Konsortiums im Programm „Schaufenster sichere digitale Identitäten“. Die Europäische Genossenschaft wurde durch ihre Mitgliedsunternehmen mit dem Betrieb eines digitalen Vertrauensankers beauftragt.
Over the past three years, a dedicated research team from IDunion has been working intensively on the Digital Product Passport (DPP).
In the last two years, our focus shifted from theory ( a joint publication with key partners [→ read the paper here]) to hands-on implementation resulting in a Demo – DPP solution that is:
Data Carrier Agnostic: The product link can be embedded into any data carrier listet in Landscape of Digital Product Passport Standards | StandICT.eu 2026. Product Agnostic: Our DPP works with any type of product, whether batch-based, lot-based or individual instances. Automatic Identification of the Requester: The solution aligns with #eIDAS2.0 by supporting decentralized identification of individuals and organizations. Technology Stack Independent: The DPP can be accessed without downloading a additional app and lowers the threshold for adoption and enhances usability. Lightweight & Semantically Rich: Information is delivered through Verifiable Credentials (VCs) and semantic data schemas, ensuring seamless interoperability. Additionally, we use W3C Decentralized Identifiers (DIDs) to guarantee unique, globally resolvable product IDs. Cryptographically Verifiable: All data within the DPP is cryptographically signed, enabling validation of authenticity and trust without central intermediaries. Trust Infrastructure Support: Establishing trust over the data and integration with Digital Identity Trust Anchors is possible, ex by using the eIDAS 2.0 mechanism and the EU Trust infrastructure proposed for natural and legal entities. Demonstration: Digital Product Passport System for BatteryOur final demo phase featured a live demonstration of a DPP tied to a battery cell used in an electric scooter.
The goal was to simulate how a real-world DPP can accompany a product through its entire lifecycle — from raw material extraction to end-of-life recycling.
We explored the perspectives and requirements of key stakeholders, including: Miners, Battery pack manufacturers, Economic operators, Consumer, Recyclers and Government and public interest organizations
Through interactive demonstrations, we answered key questions in real time, illustrating how a decentralized, interoperable, and trustworthy DPP can benefit every actor along the value chain.
For more detailed insights and demo material, check out the links below:
German: https://idunion.org/piloten/sichere-digitale-identitaeten-fuer-produkte/ English: https://idunion.org/piloten/en/sichere-digitale-identitaeten-fuer-produkte/ A Huge Thank You to Our Partnershis project would not have been possible without the creativity, technical expertise, and dedication of our fantastic partners.
Dr. Andreas Füßler (GS1 Germany), Florin Coptil ( Robert Bosch GmbH), Werner Folkendt (Robert Bosch GmbH), Dominic Hurni (SBB), Cornelia Schalch (SBB), Johannes Ebert (Spherity GmbH) , Sebastian Schmittner (European EPC Competence Center GmbH) , Christian Fries (European EPC Competence Center GmbH), Paulina Drott (GS1 Germany), Dr. Susanne Guth-Orlowski, Ralph Troeger (GS1 Germany), Roman Winter (GS1 Germany)
Thank you for your ongoing commitment to shaping the future of product transparency and digital trust.
What’s Next?
With all project goals achieved and deliverables submitted, the DPP demo project is now officially closed.
We’re incredibly proud of what we’ve accomplished and are eager to apply these insights to future initiatives that further the digitization of sustainable and circular value chains.
How accurate is your inventory?
For many retailers, answering that question is more difficult than it appears—especially when inventory counts are only conducted once or twice a year.
In this episode, Dean Frew, President, RFID Solutions Division, SML IIS, sits down with hosts Reid Jackson and Liz Sertl to explore how RFID solves one of retail’s biggest challenges. Dean shares how real-time data at the item level drives results from return fraud to buying online and pick up in store.
He also discusses what it takes to make RFID work at scale, how adoption has changed post-COVID, and why distribution centers are the next frontier.
In this episode, you’ll learn:
How RFID improves inventory accuracy
Where retailers are seeing the most significant ROI
New use cases beyond the sales floor
Jump into the conversation:
(00:00) Introducing Next Level Supply Chain
(02:20) Dean’s background and RFID journey
(06:35) Improving inventory accuracy with RFID
(12:13) Reducing returns fraud with item-level data
(18:07) How BOPIS impacts inventory and sales
(23:01) Boosting inbound accuracy at distribution centers
(26:14) RFID in checkout and fitting room experiences
Connect with GS1 US:
Our website - www.gs1us.org
Connect with the guest:
Dean Frew on LinkedInCheck out SML Group
The Limits of InteropIn early 2025, Blockchain Commons architected and engineered a major project for the Zcash blockchain: the ZeWIF specification that allows all of its wallets to interoperate.
Interoperability is something that I consider vitally important for a technological ecosystem, so I was thrilled that Blockchain Commons could improve interoperability for Zcash. Here’s a bit more on why, what Blockchain Commons did for Zcash, and what I’d like to do for other technological communities.
Obviously, some level of interop is necessary for any ecosystem, or it just wouldn’t work. There was a white paper and there are BIPs for Bitcoin; without them, no one could agree on how the blockchain works. We similarly have specifications, RFCs, and standards for everything from email to graphics file formats.
Unfortunately, there are limits to interop. Standards tend to cover the things that are required for the broadest level of intercommunication within an ecosystem. But when companies begin to work on their own apps, their work often turns proprietary—sometimes aggressively so—and that limits a technological ecosystem’s ability to continue to grow.
As an example, email has standards such as RFC 5322 for how mail servers communicate with each other. When mailers begin storing their mail, things become somewhat more balkanized: you might use a classic mbox
format or a single-message eml
format or a proprietary format such as Microsoft Outlook’s msg
. Finally, there’s no consistency at all for how mailers might algorithmically filter messages: it’s hard to control whether a message ends up in the “Important”, “Everything Else”, or even “Spam” category of Gmail, even if a mailer adopts newer standards such as DKIM, DMARC, and SPF.
Yet, all of these types of interactions are important. If a mail ends up in a Spam folder, that’s almost as bad as it not being delivered at all; if mail can’t be restored from a proprietary mailbox, it’s lost as well. That’s why interop is important.
The Power of InteropI developed four core architectural fundamentals for Blockchain Commons that I call the Gordian Principles. Of them, Privacy is only peripherally related to the question of interoperability, but the other three highlight why interop is important for the health of any technological ecosystem.
Independence is a user-focused principle. It says that users should be free from external control. This is the heart of my ideas of self-sovereign identity, and it’s the heart of interoperability too. With the ability to export or exchange data in an interoperable way, users don’t get locked into a single platform. Instead, they can choose among a variety of options to find an application, service, or pricing structure that meets their precise needs. Resilience is a data-focused principle. It says that data should be protected from loss. When data output and exchange formats are standardized for interoperability, they become widely used and widely understood. That ensures that they can be recovered far into the future. If you’ve ever tried to recover an old ClarisWorks or WordStar file, you’ve seen how much a non-interoperated file format can damage resilience. In comparison,.rtf
files will never be lost and even .docx
is pretty good—both because Microsoft Word has an enormous install base and because it’s an XML-based output format.
Openness is a creator-focused principle. It says that infrastructure should be open so that new creators can join the ecosystem. When communication is standardized, anyone can develop in accordance with the standards, including newcomers. But, this isn’t just beneficial to creators, it’s also beneficial to users. Without new entrants, an ecosystem can become staid and stagnant. With new entrants, an ecosystem is constantly innovating and expanding. It creates an atmosphere of coopetition: members of the ecosystem cooperate to interoperate, but then compete to offer the best products within those standards.
In other words, interoperability is beneficial for the vast majority of members of the ecosystem: users get more options, more innovations, and freedom of choice; creators get the ability to fairly participate and compete; and data gets strong protections far into the future.
What We Did for ZcashI was thrilled when members of the Zcash community started talking with me about their needs, because it showed a strong, ecosystem-wide understanding of the need for inteoperability.
But there was also a strong inciting incident that led to the Zcash work: the older zcashd server was being deprecated and so there was a need to migrate digital-asset data from its wallet to others. This also reflected a longer-term issue. Digital assets had sometimes been lost during previous migrations due to differences or even bugs in different wallets.
Obviously, a one-off migrator could have been created, likely linking zcashd with its replacement wallet, zallet. But I approached things from an architectural point of view: I wanted to create an extensible Wallet Interchange Format (that’s the “eWIF” in “ZeWIF”) that would not just enable the zcashd migration, but also allow any migration from one wallet to another within the Zcash ecosystem. I wanted to take the immediate needs and political will and turn it into something that could benefit the community for years to come.
That was the ZeWIF proposal that we put forth. It called for one month of studying Zcash wallet data as it currently exists, then another two months of developing the spec and writing libraries to convert among different wallets using that spec. (That timeline turned out to be a bit ambitious, but we’re closing out the initial design with a fourth month of work.)
As the above diagram shows, the
zewif
Rust crate lies at the center of the ZeWIF system. It creates in-memory representations of data from a variety of inputs and can output that abstracted data in a numbers of forms. Obviously, it can accept input from ZeWIF files and it can output to ZeWIF files. However, that’s just part of the process. Individual developers can also choose to use create front ends that import data from their wallets tozewif
and back ends that export the data fromzewif
to their wallets.
As we release ZeWIF into the ecosystem, we should see advancements in accordance with the Gordian principles:
Independence. Users will be able to move their funds easily among Zcash wallets. Resilience. Translation of keys and seeds should be more reliable, and if conversion is done using our best practices, there should be clear warnings if anything wansn’t converted. Openness. New wallets can join the ecosystem. If they have innovative features, they can easily pick up new users if they support ZeWIF as an import format.I’ve been thrilled to have strong support from wallet makers in the Zcash community. That type of buy-in is required to make interoperability work. Zingo Labs, the makers of the Zingo wallet, introduced us to the opportunity and have worked closely with us to fulfill our vision. Meanwhile, ECC has been our next testbed, since they’re using ZeWIF to manage conversions between zcashd and zallet. Other principals have been involved as well, and just as importantly we didn’t receive any pushback from anyone who refused to use the format. (Not everyone has adopted it yet, but we’re just finalizing the complete ZeWIF draft at this point.)
We were fortunate, because that’s not always the case.
What We Did for BitcoinThis isn’t Blockchain Commons’ first rodeo. Creating interoperability has been Blockchain Commons’ goal since the start, and we’ve done most of our interop work to date with Bitcoin.
Our two biggest successes for Bitcoin have been Animated QRs and SSKR. Animated QRs are a standardized way to move large files across airgaps. That’s the exact sort of intercommunication that has always required interoperability. SSKR is a standardized way to shard a secret, currently focused on Shamir’s Secret Sharing. Because it isn’t just about intercommunication, getting a variety of companies to use it was a bigger victory, because it ensures those secrets will remain accessible and resilient into the far future. Both technologies are integrated with our Uniform Resources, which have been implemented by more than a dozen companies, offering true interoperability.
But these successes have unfortunately been piecemeal. There’s just one company that I’m aware of that’s adopted a pretty wide swath of Blockchain Commons’ Gordian specifications, and that’s our long-time sponsor, Foundation. We most recently worked with them to support QuantumLink, a Post-Quantum-Cryptopgraphy (PQC) method of Bluetooth communication that’s in their new Passport Prime device, but they’ve also implemented URs, Animated QRs, SSKR, and other Blockchain Commons interop specs. As a result, they’ve got well-studied, mature specifications that they didn’t roll themselves and that should be resilient and reliable far into the future. I think that adding in a variety of linked interop specs like this has a multiplicative effect.
I’d love to see more of this in the Bitcoin community, but a lot of people are resistant.
Why People Fight InteroperabilityThe primary reason that we see people fight interoperability is market dominance. The Bitcoin ecosystem has grown large enough that some of the bigger players have stepped back from inteoperability
I was sad to see ColdCard go this way, after they themselves built on Trezor and other open-source libraries. At least they’ve remained source-verifiable (meaning you can view their code in their repo), at least until you get now to the proprietary chip, but they were once one of maybe three hardware wallets that were fully open-source,and so fully interoperable.
But I think the recent release of Ledger Recover was even more of a tragedy. Here they were offering a big innovation: a way to recover seeds by splitting them up and distributing them off device, similar to Blockchain Commons’ own Collaborative Seed Recovery (CSR). But by keeping their protocol for distributing and recovering seed shares non-interoperable, they kept anyone else from offering seed vaults of their own, instead locking their users into their choices—which were very unpopular due to privacy-busting requirements for KYC information.
The exact opposite approach is taken by another of Blockchain Commons’ long-time developer partners, Craig Raw of the Sparrow wallet. He’s working hard to make Sparrow compatible with everything out there, but the difficulty he faces underlines the issues with the semi-interoperable state of most blockchains. He has to make NASCAR-like lists of otherwise incompatible products and introduce secret sauce to interoperate with each of them. We’re very luck to have the Sparrow wallet working with all of these different devices, but it’s something that would never happen if there weren’t someone as dedicated as Craig working on the project.
For smaller companies, interoperability is a way in. Obviously, you should do it!
For bigger companies, interoperability means both trusting your engineers to provide the best experience and trusting your customers to recognize it. That’s a leap of faith, but one that I’d hope to see most companies make in our industry. After all the idea of personal control is likely one of the reasons that your customers are working with digital assets in the first place!
The Potential for Other BlockchainsI hope that our work with Zcash (and before that with Bitcoin) is just a first step. I’d like to take that experience to other blockchains and offer new interoperability to grow those ecosystems as well.
Even after the work we’ve already done, Bitcoin may still need this sort of work the most, because it’s gotten so big. How could we make migration between wallets easier? Or just the migration of seeds or keys? How could we more widely standardize the backup of seeds with a methodology like Ledger Recover or our own CSR? How could we inteoperate third-party services such as pricing and fee lookups? Every one of these elements of interoperability would improve the ecosystem, but they require a dedication to inteoperability itself.
The same is true for other ecosystems that have gotten large enough to see multiple companies working on projects. Big changes could be the incentive for this, such as Monero’s move to Seraphis. But even without big changes on the horizon, big ecosystems grow to the point where interoperability becomes a requirement: Ethereum has a huge infrastructure built around WalletConnect, but we’ve talked with people in the ecosystem who think there’s real room for improvement. I hope that many chains (and other ecosystems) beyond Monero and Ethereum will see the advantages of improving interoperability for all the reasons I’ve laid out here, particular independence for users, resilience for data, and openness for developers.
Are you a leader working in a digital-asset ecosystem? Would you like to work with me to take lessons learned from the Zcash project to create interoperable wallet formats, data-exchange formats, service formats, or something else? Drop me a line at team@blockchaincommons.com. I’d love to talk about how we can expand your ecosystem as well.
On April 10, EdgeCon Spring 2025 brought together educators, technologists, and institutional leaders at Seton Hall University to explore the evolving landscape of digital teaching and learning. This premier event focused on the powerful intersection of EdTech, innovative pedagogy, and the administrative technologies that support institutional performance and drive student success. With forward-thinking sessions and collaborative discussions, attendees gave the event an overall 4.7 favorable rating (out of 5) and gained fresh insights into how technology continues to shape the future of education.
Connecting with Graduate Students in the Digital Learning EraThe day’s events kicked off with the breakout session, Connecting with Graduate Students in the Digital Learning Era, presented by Georgian Court University’s Denise Furlong, Assistant Professor, and Janine Ataide, Educator and Graduate Student. As more graduate programs provide online options to meet the needs of working adults, universities must consider different ways to engage these students as valued members of the community even though they may never see the physical campus. Some students report that they feel a sense of belonging and strong collaboration within their program and others feel a sense of isolation in their learning experience. This session explored the different aspects of programs and courses that are important in engaging and empowering graduate students as truly part of the university community, as well as how course design, faculty collaboration, and peer connections can contribute to fostering a sense of belonging among online graduate students.
Navigating the Use of Generative AI in Online ClassroomsAs generative AI tools become increasingly prevalent, educators face unique challenges and opportunities in the online classroom. Carol Smith-Cuevas, Associate Director, Learning Engagement & Development, Kean University, discussed effective strategies for responding to students’ use of generative AI in Navigating the Use of Generative AI in Online Classrooms. Attendees explored this topic from a professor’s perspective and learned practical approaches to integrating AI tools into coursework, setting clear guidelines, and promoting ethical use. Smith-Cuevas also explained different ways to design assignments that encourage critical thinking and originality, how to utilize AI detection tools, and resources that can help students to understand the implications of AI-generated content. Attendees left equipped with actionable practices to create a fair, engaging, and academically rigorous online classroom.
Integrating Free AI Training and Micro-Credentials into Learning EnvironmentsProfessors John Shannon, Seton Hall University, and Susan O’Sullivan-Gavin, Rider University, led the session, Unlocking the Future of Learning: Integrating Free AI Training & Micro-Credentials into Learning Environments, and explored how educators can seamlessly integrate free, high-quality AI training programs and micro-credentialing opportunities from platforms like MIT OpenCourseWare, Harvard Online, LinkedIn Learning, Google, and others into their courses. Attendees learned how to identify and incorporate free AI training and certification programs that align with course objectives, and strategies for scaffolding these resources into curriculum design to enhance student engagement and skill development. Shannon and O’Sullivan-Gavin also shared helpful methods for leveraging micro-credentials to increase student employability and lifelong learning pathways.
Demystifying AI LiteracyAttendees joined NJIT/NJII’s Learning & Development Initiative to explore critical AI literacy standards for education and beyond. Led by Stefanie Toye, Project Manager, NJIT & NJII, and Dr. Teresa Keeler, Project Manager at The Learning & Development Initiative, NJIT, this presentation shared why these standards are essential, who needs them, and how to implement them effectively. They shared specific ideas about how these standards can be constructed and adopted, and why AI literacy is crucial for K-12 and higher ed educators and administrators.
Advancing Accessible Digital Education at Hudson County Community CollegeCallie Martin, Senior Instructional Designer, Hudson County Community College, and Joshua M. Gaul, Ed.D., Associate Vice President & Chief Digital Learning Officer, Edge, led the presentation, Building an Inclusive Future: Advancing Accessible Digital Education at Hudson County Community College (HCCC). This breakout session highlighted HCCC’s collaborative efforts with Edge to build a more inclusive and accessible digital learning environment. Through this partnership, HCCC has embraced Universal Design for Learning (UDL) principles to remove barriers and create equitable educational experiences for all students. The session showcased how the college, supported by Edge’s expertise and resources, has implemented student-centered strategies that prioritize accessibility, engagement, and success. Attendees will learn practical approaches to designing inclusive courses and hear firsthand how institutional collaboration can drive meaningful change in digital education.
“I enjoyed the morning presentation that I attended and the Panel Session. NJEdge always does such a great job with these conferences!” Carol Smith-CuevasThe day continued with the second round of breakout sessions, including The Digital and Data-Driven Center for Teaching and Learning led by John Baldino, OFS, Director, Center for Teaching and Learning, Lackawanna College. He shared best practices for using communication technology, digital content and marketing platforms, artificial intelligence, and collected data to create a sustainable Center for Teaching and Learning model that can help empower CTLs to support faculty in their academic success.
Crafting Collaborative ConversationsCuriosity Catalysts: Crafting Collaborative Conversations, led by Adelphi University’s Karen Kolb, Director, Faculty Center for Professional Excellence, Jennifer Southard, Instructional Designer, and Marilena Orfanos, Instructional Designer, examined research-backed, low-effort strategies that enhance online discussions and collaboration without adding to instructor workload. Participants learned how to design thought-provoking prompts that ignite curiosity, integrate AI and digital tools to support interaction, and implement alternative discussion formats—such as multimedia responses and collaborative annotation—to foster deeper engagement. This session also covered effective ways to maintain instructor presence without micromanaging, and gave attendees ready-to-use techniques to create more engaging, inclusive, and meaningful online discussions.
Supporting Persistence in STEM LearnersNatalya Voloshchuk, Assistant Teaching Professor, and Karen Harris, Senior Instructional Designer and Assessment Specialist, from Rutgers University led the session A Learning Outcomes Strategy for Supporting Persistence in STEM Learners to demonstrate how assessment and feedback can aid in developing self-directed learners by examining an implementation of a deliberate data collection Rubric. They discussed how the Rubric is used to help students identify their strengths alongside the areas to work on toward improvement, while also offering the instructor valuable insights for supporting persistence in STEM courses. Harris and Voloshchuk shared some course-level learning data and reflected on how it might impact learning across a STEM curriculum. They also considered how incorporating learning outcomes in rubrics can help students make connections to work skills they are developing that will support them in internships and research settings.
The Implications of AI for Next-Generation EducationSteven D’Agustino, Senior Director for Online Programs, Fordham University, joined EdgeCon to explore the transformative impact of AI on education. He began by defining key AI terms such as Machine Learning (ML), Natural Language Processing (NLP), and Neural Networks, and discussed the growing use of AI tools like ChatGPT among students for academic tasks. The presentation highlighted the challenges and opportunities of integrating technology into education, categorizing adoption methods as intentional, accidental, or unilateral, and how the COVID-19 pandemic accelerated unilateral adoption due to necessity. D’Agustino raised concerns about AI’s potential to depersonalize learning, leading to cognitive de-skilling, and creating a sense of futility among students and educators. However, he also outlined four essential tasks for educators in the AI era: curating, contextualizing, creating, and collaborating. The presentation underscored the importance of equity in AI integration and how educators must focus on humanistic ends to ensure that AI is used deliberately and equitably to benefit all students.
A Blueprint for Excellence in Short Course Development and DesignIn the session, Beyond the Badge: A Blueprint for Excellence in Short Course Development and Design, Molloy University’s Dr. Amy Gaimaro, Dean of Innovative Delivery Methods, and Susan Watters, Associate Director of Blended and Online Learning, examined the blueprint development of high-quality short courses while embedding quality course design badges. Participants learned how to identify quality criteria for designing courses, establish clear learning objectives and outcomes that align with industry standards and learner needs, and how to address regular and substantive interactions in online asynchronous short courses.
This session was ideal for instructional designers, online administrators, training managers, and educators who were looking to enhance the quality and impact of their short course offerings. Attendees gained strategies for incorporating quality assurance throughout the course development lifecycle, best practices for designing and implementing effective quality badge systems, and actionable steps to improve learner engagement and course effectiveness.
Visions for Online Learning: Evolving Strategies and Institutional GrowthAs online learning continues to evolve, institutions must adapt their strategies to meet shifting student expectations, market demands, and technological advancements. EdgeCon panel discussion, Visions for Online Learning: Evolving Strategies & Institutional Growth, brought together higher education leaders to explore innovative approaches to online learning that drive institutional growth and long-term success. Panelists, Michael Ciocco, Ph.D., Associate Vice President of Online Learning, Rowan University, John F. O’Callaghan, Jr., Vice President for Transformational Learning & Chief Online Officer, Kean University, and Joshua M. Gaul, Ed.D., AVP & Chief Digital Learning Officer, Edge, discussed emerging trends, the role of data and AI in shaping digital learning experiences, strategies for scaling programs sustainably, and the balance between quality, accessibility, and financial viability. Attendees gained valuable insights into how institutions are redefining their online learning strategies to expand access, improve student outcomes, and remain competitive in an evolving educational landscape.
The Rise of Non-Degree CredentialsAfternoon sessions kicked off with The Rise of Non-Degree Credentials–The Future of Higher Education led Michael Edmondson, Associate Provost, NJIT. He shared how traditional higher education is struggling to keep pace with workforce demands and a growing number of companies now favor skills-based hiring over degree-based credentials, with 70% of job skills expected to change by 2030 due to AI and automation. Employers increasingly prefer hiring candidates with business-oriented or technical microcredentials that provide real-world experience and rapid upskilling. Attendees learned how microcredentials can offer a solution by closing the workforce gap, aligning learning with employer needs, and fostering lifelong learning. As businesses prioritize AI, data analytics, and soft skills, microcredentials are emerging as the future of education, providing professionals with the flexibility to adapt and thrive in an evolving job market.
The Growth of Online Education at Rowan UniversityMike Sunderhauf, Director of Instructional Design, and William McCool, Online Course Operations Coordinator, from Rowan University led the breakout session, Shaping the Future: The Growth of Online Education at Rowan University, where they shared how Rowan University is undergoing a transformation in its approach to online education, shifting focus from traditional on-campus programs to scalable online offerings. The session explored how Rowan University is reshaping online education through a combination of strategic collaboration, program design, and faculty empowerment, ultimately fostering an engaging and dynamic learning environment for students and instructors alike. Sunderhauf and McCool shared how their learning strategy aligns with a flexible model, allowing instructors to follow a standardized framework while being empowered to update and adapt their courses to meet the needs and interests of each learner group. They showed how this balance between consistency and adaptability fosters both reliability and innovation in the learning process.
Integrating Virtual Reality into Higher EducationJoining EdgeCon from Seton Hall University, Renee Cicchino, Director of Instructional Design and Training, and Riad Twal, Senior Instructional Designer, gave a closer look into how the University has been experimenting with Virtual Reality since the release of the Google Cardboard Viewer in 2014. In 2024, they acquired a number of Meta Quest Pro devices, allowing for an entire class to participate in a virtual experience at the same time. During the 2024 Fall semester, Seton Hall launched a pilot program examining how they can best facilitate Virtual Reality experiences for graduate and undergraduate classes. These experiences are informing the development of a Virtual Reality Showcase to formally introduce this technology to their faculty, along with examples of how this technology can be incorporated into various course topics.
This session focused on the instructional designer’s perspective of evolving VR Technology, the introduction of the Quest for Business device management software, initial faculty and student experiences with the Meta Quest Pro devices, future plans for expanded access and utilization, and suggestions for implementation at other institutions.
“Excellent topics and sessions.” Charles WachiraGrace E. Cook, Ph.D., Program Area Lead of Computer and Mathematical Sciences, Montclair State University, has seen an increase in the number of English Language Learners (ELL) in her classroom, particularly students whose primary language is Spanish. By incorporating the use of ChatGPT and Google Notebook into the daily functions of the class, she has been able to make mathematics more accessible. In this session, Cook shared her experiences with teaching in English and Spanish with the assistance of AI and discussed the pros and cons of their uses and what her ELL students list as the positives and negatives of each resource.
Podcasting to Create Interdepartmental CollaborationIn Podcasting to Create Interdepartmental Collaboration and Showcase Faculty Innovation, Seton Hall University presenters, Kate Sierra, Instructional Designer, Teaching, Learning, and Technology Center, and Ann Oro, Senior Instructional Designer, explored how the Teaching, Learning, and Technology Center (TLTC) at Seton Hall launched a podcast series called Innovate and Educate to explore the intersection of technology and teaching. They highlighted how topics such as technology integration, accessibility tools, and other innovations are transforming learning, improving student outcomes, and addressing classroom challenges.
Attendees gained insights into the process of developing and sustaining a podcast, including identifying relevant resources, building an audience, and maintaining engagement. They also learned how this initiative has strengthened institutional resiliency by fostering a culture of innovation and shared learning. Participants were encouraged to consider how podcasting could serve as a scalable, cost-effective strategy for their own institutions to spotlight success stories and support strategic goals.
Creating an Institutional Culture of AccessibilityMany institutions approach accessibility in silos and rely on specialized offices rather than embedding responsibility across the entire campus. In Creating an Institutional Culture of Accessibility, Laura M. Romeo, Ph.D., Director of Learning Innovation, Development, and Scholarship, Edge, shared strategies for shifting to an integrated, institution-wide approach. The discussion looked at governance structures, training models, and change management strategies that can empower all departments to play a role in accessibility. Attendees gained practical insights on overcoming implementation barriers, methods to measure cultural progress in institutional accessibility efforts, and how to foster a culture that moves beyond compliance to true inclusivity.
Celebrating Achievements and ContributionsAt this spring event, Edge celebrated the exceptional work of higher education institutions across the region by presenting a series of awards to recognize their impressive impact and accomplishments.
The Preserving Education Through Change Award was presented to Montclair State University (MSU) and accepted by the University’s President, Jonathan Koppell, to recognize the significant vision and leadership by one of New Jerseys signature public universities. As the educational community navigates unprecedented change, it is vital that institutions seek opportunities for collaboration and support. MSU has been a primary example of this kind of support and stewardship in recent years. As MSU itself continues to grow, the institution has also shown a capacity for significant leadership, leading a merger with the former Bloomfield College, now Bloomfield College of Montclair State University. By preserving continuity and quality of educational opportunities at an institution noted for serving first-generation students and those from diverse backgrounds, MSU has strengthened New Jersey’s educational system and the college experience for their students.
In pursuit of educational and operational excellence, institutions across the country are working tirelessly to modernize systems and processes to better serve their communities. As funding and staffing challenges continue to affect institutions of all kinds, the effort to transform the educational experience can be difficult. The Member Technology Transformation Award was given to Felician University to recognize their transformative efforts in modernization through growing engagement with Edge and the member community, as well as a dedicated strategic focus on improvements in university infrastructure, digital experience, and excellence in the delivery of diverse educational offerings. The award was accepted on Felician’s behalf by Deanna Valente, Dean of the Center for Information Systems and Technology & Learning Development.
To recognize the remarkable commitment to expanding and innovating online education, Kean University was presented with the Online Learning Growth Award. As one of New Jersey’s fastest-growing institutions in digital learning, Kean University has demonstrated strategic leadership in developing flexible, high-quality online programs that meet the evolving needs of today’s learners. Through a forward-thinking approach and investment in instructional design, technology, and student support, Kean has significantly broadened access to education for diverse student populations across the region and beyond. The award was accepted on Kean’s behalf by Jay O’Callaghan, VP for Transformational Learning & Chief Online Officer.
Through the visionary leadership of their Center for Online Learning, Hudson County Community College (HCCC) has embedded accessibility and Universal Design for Learning into the foundation of its online course development. By proactively prioritizing inclusivity, leveraging data-informed strategies, and fostering a campus-wide culture of digital equity, HCCC has created a truly inclusive online learning environment. Their work not only meets ADA Title II compliance but sets a powerful example for institutions state-and-nationwide. To celebrate this innovation, dedication, and transformative impact on student success and educational access, HCCC was given the Accessibility in Digital Education Award, which was accepted on their behalf by Executive Director, Center for Online Learning, Matthew LaBrake.
By fostering meaningful dialogue and showcasing innovative practices, EdgeCon Spring 2025 not only sparked new ideas but also strengthened the connections that can help drive higher education forward. As institutions navigate a rapidly changing landscape, the shared insights and partnerships formed at EdgeCon play a vital role in shaping a more connected, resilient, and student-centered future.
VIP Sponsors Exhibitor SponsorsThe post EdgeCon Spring 2025 appeared first on NJEdge Inc.
Last Friday, April 11, three of us, Elettra Bietti, Aileen Nielsen, Laura Aade, co-organized a workshop titled “The Battle for Our Attention: Empirical, Philosophical and Legal Questions” which took place at Northeastern University School of Law, and benefited from the support of CLIC, Northeastern’s Center for Law, Information and Creativity, and the involvement of Harvard’s Berkman Klein Center community of fellows and faculty. The event brought together leading legal scholars, policymakers, economists, medical scientists, computer scientists, media scholars, and technologists to address the pressing issue of how today’s digital technologies are transforming the understanding, use, and allocation of human attention, including implications for how we spend our time and what information we consume.
The discussion was wide-ranging, interdisciplinary, and deeply enlightening. We discussed whether attention “actually exists”, how it works, the history and business models of attention capture, the challenges and findings that arise from empirical studies of attention and attention markets, the relation between attention, intimacy, convenience and the law of trademarks, possible analogies with tobacco and gambling litigation, and the policymaking associated with regulating engagement and children’s use of social media.
The event began with a panel on the political economy of attention. Yochai Benkler kicked off the discussion with an overview of the capitalist drive to capture and instrumentalize attention over time, beginning with the 19th century press and culminating in today’s digital technologies. He argued that markets won’t solve attention problems and could exacerbate attention harms, in contrast with Marshall Van Alstyne’s suggestion that a Coasean model of attention rights could help platform owners manage misinformation and reduce incentives to share inaccurate or false information. Where Benkler advocated for the decommodification of attentional experiences, Van Alstyne advocated for a market regime of incentives and individual rights to speak and listen. David Lazer, for his part, adopted a middle ground position, presenting several findings on the slow but steady decoupling of content from its sources. He showed that information has become less traceable to sources, and discussed chatbots’ role in producing knowledge that is increasingly divorced from reliable reference to authors and media sources.
The second morning panel addressed the empirics of attention. Michael Esterman discussed some of his clinical work, showing that attention is a fluctuating, fragile process deeply shaped by cognitive and environmental factors. Sustaining attention for long periods of time and across contexts remains a phenomenon that is not well understood, and Esterman presented results showing that blocking a population’s mobile phone access for two weeks could improve participants’ attention, as well as their mental health and well-being. Esterman also pointed to the need for increasing measurements outside of laboratory settings to better understand the external validity of fundamental psychological results related to attention. Elena Glassmann then approached attention from the perspective of an interface designer, emphasizing that platforms actively shape how users direct their attention — often without users realizing it. Glassmann highlighted the danger of decontextualisation, where AI-driven tools summarize content by stripping away critical context and leaving users unaware of biases or omissions, and suggested ways to help people build reality-grounded mental models that provide access to contextual information, rather than hiding complexity. Christo Wilson concluded the panel with an overview of empirical approaches to studying attention platform business models, highlighting his role with David Lazer in creating and hosting the National Internet Observatory at Northeastern, a center that offers tools for researchers to study how people behave online in response to particular design features and platform strategies over long periods of time.
During the lunch keynote, FTC Commissioner and Law Professor Alvaro Bedoya spoke of his effort building a team of doctors and psychologists at the FTC whose focus and expertise includes children’s mental health and well-being. He also spoke of his work advocating for children’s privacy under COPPA and of the analogies and differences between tobacco, sports gambling and addiction to technological devices and products. Commissioner Bedoya suggested that more research needs to be done to better understand which products, platforms and specific technological features cause addiction and other mental health disorders.
The afternoon began with a third panel on media and communication systems for attention capture. Nick Seaver presented a spirited argument that attention may, in fact, not exist at all. While holding and waving a mouse jiggler, Seaver showed that attention is primarily defined or constructed by the way it is measured. Measurement, in turn, serves primarily as a managerial tool of control. While they might appear to be measuring participation, platform designers are in reality disciplining, tracking and controlling populations. Bridget Todd spoke of her work in the podcasting world, emphasizing the relation between intimacy and attention: audiences pay attention based on proximity to particular types of content and the emotions that content generates for them. Her view is that the current digital economy prioritizes profitable outrage over thoughtful storytelling, but that we should always push for the latter. Emily West presented some of her research on Amazon through the lens of convenience. Attention and addiction to digital products are promoted by appealing to convenience: platforms engineer frictionless experiences to generate user dependencies, producing a culture of learned passivity and inattention that quietly erodes agency. Rebecca Tushnet spoke of the law of advertising and the doctrines of dilution and confusion under trademarks law, explaining that the law simultaneously invokes but misunderstands the science of, or empirical realities of, human attention, protecting only those parts of attention that can be owned under intellectual property regimes. Similar to Seaver’s argument that attention is effectively what we can measure, Tushnet’s presentation highlighted that we live in an economy of signals and containers of attention.
The day ended with a panel discussion on legal and policymaking efforts in the attention space. Richard Daynard shared key takeaways from his litigation experience fighting tobacco and gambling companies. He explained that these industries intentionally engineer their products to addict users while funding research that shows the exact opposite, namely that their products are not addictive and individuals who engage in excessive use are the ones to blame. He added that these companies often lose in product liability litigation, where strict liability regardless of intention is the standard. Zephyr Teachout then offered an overview of the evolving Supreme Court jurisprudence on the First Amendment, arguing that current shifts in the court’s composition and caselaw are opening the door to possible legislation and reform in the attention space, something that until recently seemed largely implausible. Leah Plunkett discussed state social media laws and described them as providing financial compensation, privacy safeguards for children and workplace protections. She focused on a recent Utah law that allows children to sue their parents for compensation when their image is used in their parents’ social media feed for profit and described her involvement in drafting a model law on this theme for the Uniform Law Commission. Woody Hartzog concluded the panel presentations, discussing his work with Neil Richards on wrongful engagement, a tort which would allow individuals to sue digital companies for profiting from their addiction and engagement while neglecting users’ well being.
The event ended with participants discussing potential research overlaps, future collaborations and potential for advocacy across US regions. In the words of CLIC Director Alex Roberts, who moderated the last panel, “[i]f an interdisciplinary field of “attention studies” wasn’t already a thing, it is now.”
This event would not have been possible without support and assistance from Northeastern’s CLIC, Alexandra Roberts, Jennifer Huer, Walaa Al Awad, Natalia Pifferer, Brad Whitmarsh, and Jacob Bouvier. We also thank Harvard Law’s Laura Zeng, and BKC’s Bey Woodward and Jonathan Zittrain for additional enthusiasm and assistance.
We hope to continue this important conversation in the months and years to come with all of you. If you would like to join future conversations, we have created a regional mailing list which you can sign up to here.
Reporting from “The Battle for Our Attention” Workshop @ Northeastern, April 11, 2025 was originally published in Berkman Klein Center Collection on Medium, where people are continuing the conversation by highlighting and responding to this story.
Today, we’re sharing important news about the future of Ceramic.
With the rapid rise of agents as the new critical user and interface to the web, it’s increasingly clear that supporting a healthy, trustless, decentralized model for AI is essential. Our team, part of Recall Labs after our merge with Textile, is shifting our primary focus to Recall: a platform where AI agents prove themselves, improve themselves, and earn for their intelligence.
As part of this, we’ll be repurposing parts of Ceramic, deprecating others, and introducing a standalone open source version for the community. We want to openly communicate what this means for you and your applications built on Ceramic, as well as outline the path forward.
From Ceramic to RecallOver the years, Ceramic has been pivotal in helping us understand decentralized data, composability, and robust synchronization. It’s been the leading technology for dozens of applications and networks in need of scalable, edge-centric, verifiable data storage and replication. We spent more than five years developing and iterating on Ceramic and are immensely proud of the advancements and technology we’ve shipped.
Even more than that, we are so thankful for your partnership. Our customers and community have relentlessly innovated on brand new tech, helped us move from prototypes to stable networks, and been the driving force for our continued commitment to open, decentralized data. Thank you for all of your support, and all you’ve helped us learn.
One of the persistent challenges we’ve faced with Ceramic has been the UX of decentralized data systems: managing keys and signing data, novel access control flows, and counterintuitive patterns for data flow have been challenges for many users and developers. Interestingly, all these properties are native and intuitive for the internet’s new class of users: agents.
Recall is a cryptoeconomic platform for AI agents to prove, improve, and earn based on their intelligence. It builds heavily on the technology we’ve built previously, but is a new platform and demands our full commitment.
What This Means for Ceramic UsersWe deeply appreciate the trust and investment you’ve made in Ceramic. While our priority is Recall, we remain committed to setting Ceramic users up for success as we sunset certain parts of Ceramic.Here’s exactly what you need to know:
Introducing ceramic-oneCeramic-one is the most performant, stable, and decentralized implementation of Ceramic. There is a new client SDK for reading/writing to ceramic-one: https://github.com/ceramicnetwork/rust-ceramic/tree/main/sdk
Ceramic-one introduces Recon, enabling reliable synchronization and historical data syncing across nodes. All existing data from ComposeDB remains fully accessible and readable through ceramic-one.
Ceramic-one will continue to function independently, with no dependency on our infrastructure or any other centralized authority. Further, Ceramic-one is under an MIT license, so anyone who wants to fork it and continue developing it on their own is welcome to do so.
Anchoring and Conflict Resolution on Ceramic-oneWe’re committed to completing one final critical feature for ceramic-one: self-anchoring to Recall. This allows fully decentralized timestamping without relying on our centralized CAS or Ethereum L1, making ceramic-one truly self-sufficient. This will be implemented sometime after the mainnet release of Recall.
Manual conflict resolution is currently possible through ceramic-one by exposing all stream HEADs, allowing applications to apply their own business logic to select which branch(s) of the stream's history they wish to use. We’re also considering building automated conflict resolution (based on anchor timestamps)—the only remaining functionality from js-ceramic not yet implemented in ceramic-one. If this feature is important to your use case, please reach out, as your feedback will influence our decision.
After these improvements, ceramic-one will reach a feature-complete MVP. At that point, we will only prioritize critical bug fixes. ceramic-one will continue to exist as stable software under an open MIT license—fully available for anyone who wishes to fork, improve, or independently evolve it.
Deprecation of js-ceramic and ComposeDBEffective immediately, we’re deprecating js-ceramic and ComposeDB. We recommend migration to ceramic-one, the streamlined, performant successor, as soon as possible.
Migration Steps:
A new client SDK for ceramic-one is now available here: ceramic-one SDK Step-by-step migration guidance is provided in our upgrade guides: Migration Guide on Ceramic Blog Detailed Upgrade Instructions on GitHubTimeline and Support
ComposeDB and the Ceramic Anchor Service (CAS) will be completely shut down at least one month after Recall’s Mainnet launch. (Exact date TBD, but expected in mid-2025.). After that date, ComposeDB-dependent apps will break if not migrated to ceramic-one.
Recall: The Future of Decentralized IntelligenceCeramic’s legacy and your contributions have directly influenced our development of Recall. Many of Ceramic’s strengths—openness, transparency, and decentralization—live on and evolve within Recall’s cryptoeconomic framework.
Recall aims to become a vibrant ecosystem for AI builders and developers. We warmly invite Ceramic users to explore the opportunities Recall offers: building intelligent agents, participating in verifiable competitions, and earning from proven performance.
We’re grateful for your support of Ceramic and excited about this next chapter with Recall. Our team remains available to assist your migration and ensure your continued success. If you have questions related to Ceramic, please reach out to us here. If you’re interested in learning more about Recall, find us on Twitter!
Warm regards,
The Recall Labs Team
Internet Safety Labs testified in support of the Massachusetts Consumer Data Privacy Act (H78) and Massachusetts Data Privacy Act (H104), advocating for strong data minimization, restrictions on sensitive data sales, and robust enforcement to protect residents’ privacy. We’re grateful to the Massachusetts Legislature for hearing our testimony. The written testimony is available to view, along with a video of the testimony below:
The post Internet Safety Labs Provides Testimony for Massachusetts Data Privacy Acts appeared first on Internet Safety Labs.
As regulations evolve and technology advances, education institutions face increasing pressure to ensure compliance across:
Technologies such as AI, data analytics models, and more are reshaping compliance. This symposium brings together experts and institutional leaders to explore:
Attendees will gain practical insights to:
Strengthen institutional compliance
Protect sensitive data
Foster a secure, inclusive digital environment while navigating the complexities of modern education.
Topics to be explored during the Symposium include, but are not limited to:
Data Privacy & Governance
Digital Accessibility & Inclusive Design
Regulatory Compliance & Legal Frameworks
Regulatory Cybersecurity Compliance (GLBA, PCI, NIST, and more)
Compliance and Cyberinsurance
AI, Automation, and Risk
Institutional Risk Management & Resilience
Vendor & Third-Party Risk Compliance
Culture of Compliance: Training & Leadership
Emerging Threats & Future-Proofing Compliance
Case Studies in Compliance Success
Who should attend the SymposiumCabinet Level Leaders
Provosts & Academic VPs
CIOs
CISOs
Compliance Officers
Risk Management Officers
Directors of Online Learning
Directors of Centers for Teaching and Learning
Register Now » Vendor/Sponsorship OpportunitiesExhibitor Sponsorships are available. Vendors may also attend the conference without sponsoring, but at a higher ticket price.
Contact Adam Scarzafava, Associate Vice President for Marketing and Communications, for additional details via adam.scarzafava@njedge.net.
Download the Sponsor Prospectus Now » Call for ProposalsSubmit your presentation topic for the upcoming Compliance in Education Symposium, presented by Edge and Stockton University!
Submit Proposal » More information coming soon!The post Compliance in Education Symposium appeared first on NJEdge Inc.
Date: October 9, 2025
Location: Rider University
Time: 9 a.m.-5 p.m.
Attendee Ticket: $49
Event Location:
Rider University
Exhibitor Sponsorship and Branding/Conference Meal sponsorships are available. Vendors may also attend the conference without sponsoring, but at a higher ticket price of $250.
Contact Adam Scarzafava, Associate Vice President for Marketing and Communications, for additional details via adam.scarzafava@njedge.net.
Download the Sponsor Prospectus Now » AccommodationsHilton Garden Inn Princeton Lawrenceville
1300 Lenox Drive
Lawrenceville, NJ 08648
You may also reserve a room, by contacting the hotel directly via 609-895-9200. Be sure to mention that you’d like your reservation under the “EdgeCon Group Block” to obtain the conference rate.
Details of Conference Proceedings and Submissions Form are now available » Conference Agenda8-8:30 — Check In / Registration
8:30-9:30 — Exhibitor Networking & Breakfast
9:40-10:20 — Breakout Session 1
10:30-11:10 — Breakout Session 2
11:20-12:30 — Keynote Panel & Awards
12:30-1:30 — Exhibitor Networking & Lunch
1:40-2:20 — Breakout Session 3
2:30-3:10 — Breakout Session 4
3:10-4 — Coffee & Connections: Exhibitor Networking
As cybersecurity threats grow and data regulations evolve, the limitations of legacy on-premise ERP systems are increasingly evident. This session will explore how shifting to a modern SaaS ERP like Workday strengthens data protection, reduces institutional risk, and ensures long-term compliance.
We’ll compare SaaS and on-premise systems in terms of governance, cybersecurity, and regulatory alignment, showing how a unified cloud platform enables real-time visibility, audit readiness, and consistent policy enforcement.
The session will also highlight how AI and automation built into SaaS ERPs proactively detect and mitigate risks—capabilities often lacking in older systems. Attendees will learn how Workday supports institutional resilience through faster recovery, ongoing updates, and simplified compliance with emerging legal standards.
Whether you’re already on Workday or just exploring cloud options, this session will offer practical strategies to protect data, manage risk, and future-proof your institution.
Presenters:
Stephanie Druckenmiller, Executive Director, Enterprise Technologies, Northampton Community College Bryan McGowan, Workday Principal Enterprise Architect, Workday Using AI to Improve Data AccessibilityWe know that getting timely answers from institutional data can be challenging, especially when those answers are buried in reports or require technical skills to retrieve. That’s why we’ve started developing a set of AI-powered tools to make it easier for faculty, staff, and administrators to get the information they need, when they need it.
One of our key projects is a conversational AI tool that allows users to ask everyday questions like “How many students are enrolled in a specific program this term?” or “Which majors are growing the fastest?” and get real-time answers without needing to write a single line of code or run a complex report. The goal is to put data directly into the hands of the people who use it for advising, planning, and making decisions.
Behind the scenes, this tool uses Python, ThoughtSpot, and web technologies. But on the front end, it’s about simplicity and usability, removing technical barriers so users can focus on taking action, not figuring out how to run a query applying various filters on dashboards.
Attendees will leave with practical strategies and tools they can apply in their own offices to improve data accessibility and increase efficiency. This is a traditional presentation enhanced by live user interaction.
Presenters:
Bharathwaj Vijayakumar, Assistant Vice President, Office of Institutional Research and Analytics, Rowan University Samyukta Alapati, Associate Director, Office of Institutional Research and Analytics, Rowan University Modernizing Cybersecurity in Higher Ed: How Stevens IT Transformed User Risk ManagementThis session will explore the blueprint development of high-quality short courses while embedding quality Join Jeremy Livingston, CISO of Stevens Institute of Technology, and David DellaPelle, CEO of Dune Security, for a practical discussion on what it takes to replace outdated training tools with a real-time, adaptive approach to user risk.
With social engineering threats becoming more personalized and evasive, Stevens needed more than annual check-the-box training. They needed visibility into user-level risk, and a way to act on it. By onboarding Dune Security’s User Adaptive Risk Management platform, Jeremy and his team replaced static modules with role-based testing and training tailored to faculty, staff, and students.
In this session, you’ll learn how Stevens IT:
Eliminated generic compliance training in under a month Scored risk at the individual and departmental level Integrated with Workday and Okta to monitor user behavior and access Enabled campus-wide accountability without adding administrative burdenYou’ll walk away with a blueprint for transitioning from awareness to action, using real-world signals, not assumptions. Whether you’re responsible for securing a university, agency, or school system, this session will show you how to build a modern human-layer defense that actually scales.
Presenters:
Jeremy Livingston, Chief Information Security Officer, Stevens Institute of Technology David DellaPelle, Chief Executive Officer, Dune Security From Data Chaos to Clarity: Evolving Toward an AI-Enabled Data Ecosystem“As institutions face increasing demands to modernize fragmented data systems, the path forward often starts with foundational change. This session highlights lessons learned through a data modernization initiative involving Miami University and a strategic consultant to Miami. The effort focused on cloud-first infrastructure, scalable reporting environments, and readiness for AI use cases.
The presentation will discuss a non-exclusive implementation approach using commercially available platforms to support data integration across enterprise systems, including HR and financial systems. The speakers will outline how these efforts improved internal data coordination, enabled more consistent access to analytics, and set the stage for responsible exploration of AI and automation tools.
Attendees will gain:
A practical framework for evolving institutional data infrastructure Lessons from integrating enterprise platforms to streamline analytics Examples of how AI tools (e.g., forecasting and decision support) can be enabled through foundational change Insights on data governance, change management, and user enablement Reflections on navigating internal challenges in public-sector modernization effortsThis session offers applied, real-world perspectives on building a sustainable foundation for enterprise data transformation. No endorsement of any specific product or vendor is implied.”
Presenters:
Randy Vollen, Director of Data & Business Intelligence, Miami University Jon Fairchild, Director, Cloud & Infrastructure, CBTS Designing for the Whole: A Multidimensional Framework for Responsible Innovation in the Age of AIAs artificial intelligence and emerging technologies rapidly transform our world, innovation must evolve beyond efficiency and novelty to reflect deeper human, ethical, and environmental priorities.
This session introduces a multidimensional framework for responsible innovation organized around four core domains: Performance & Design, Creative & Cognitive Dimensions, Human-Centered Values, and Ethical & Governance Principles.
Each dimension includes four key attributes—from Functionality and Originality to Empathy and Integrity—that collectively offer a holistic model for evaluating and guiding innovation in the AI era.
Learning Outcomes:
Apply a four-dimensional framework to assess the responsibility of innovations. Distinguish key attributes across design, creativity, human values, and ethics. Evaluate existing practices through a multidimensional, equity-centered lens. Integrate the framework into decision-making, curriculum, or organizational strategy.Presenter:
Michael Edmondson, Associate Provost, NJIT AI Unlocked: Resources, Policy, and Faculty TrainingReady to move your institution beyond AI buzzwords and into real-world impact? Join us for a collaborative session that demystifies AI adoption in higher education from three critical vantage points. Forough Ghahramani (Edge) will kick things off with an insider’s tour of the National AI Research Resource (NAIRR) Pilot—an invaluable toolkit now available to educators and researchers nationwide. Next, John Schiess (Brookdale/Ellucian) will tackle the often-murky waters of institutional AI policy and regulation, sharing actionable strategies for crafting guidelines that support innovation while managing risk. Rounding out the session, Mike Qaissaunee (Brookdale) will reveal lessons learned from piloting faculty training programs designed to boost AI literacy and spark creative teaching applications. This traditional presentation is packed with practical insights, but we won’t leave you empty-handed—participants will walk away with curated instructional materials and resources to jumpstart their own AI journeys.
Presenters:
Michael Qaissaunee, Professor and Co-Chair, Engineering and Technology, Brookdale Community College Forough Ghahramani, Assistant Vice President for Research, Innovation, and Sponsored Programs, Edge John Schiess, Technical Director. Office of Information Technology (OIT), Brookdale Community College Protecting Privacy in the Age of AI Infused PedagogyThis presentation, originally designed for K-12 settings, offers a foundational understanding of the critical privacy and security considerations that arise with the increasing adoption of Artificial Intelligence in educational environments. For higher education faculty and administrators, these principles are equally, if not more, relevant given the diverse data streams and research contexts within universities.
The core content covers:
Understanding AI Applications: We explore various ways AI is being utilized in education, from personalized learning platforms and intelligent tutoring systems to automated assessment tools, content generation, and administrative analytics. In higher education, this extends to research support, student success prediction, and advanced pedagogical tools. Navigating Privacy Concerns: The presentation highlights the “data dilemma,” emphasizing the types of sensitive student and interaction data collected by AI tools. Key concerns include data storage, access protocols, the risk of de-anonymization, and the need to align with relevant data privacy regulations (e.g., GDPR, state-specific privacy laws, institutional data governance policies). Addressing Security Risks: We delve into the cybersecurity threats posed by AI, such as data breaches and sophisticated phishing attacks. Crucially, the presentation addresses the pervasive issue of algorithmic bias, explaining how biased training data can lead to unfair outcomes in areas like admissions, grading, or resource allocation. The challenge of AI-generated misinformation and its impact on academic integrity is also discussed. Implementing Safeguards & Best Practices: The presentation outlines a proactive, multi-step approach for responsible AI integration. This includes developing clear institutional policies (acceptable use, data governance, AI ethics), conducting rigorous vendor vetting, providing comprehensive training for faculty and staff, fostering digital literacy among students, and maintaining transparent communication with the university community.Ultimately, the presentation underscores that while AI offers transformative potential for teaching, learning, and administration in higher education, its responsible and ethical implementation hinges on a deep understanding of its privacy and security implications, coupled with robust institutional frameworks.
Presenter:
Teresa Keeler, Project Manager, NJIT Are We Ready? Rethinking AI Readiness, Risk, and Responsibility in Higher EducationAs artificial intelligence reshapes nearly every industry, higher education faces a pressing question – Are we truly ready to harness AI effectively, responsibly, and sustainably? By the end of this session, attendees will be able to:
Assess AI Readiness using a practical self-assessment checklist across technical, cultural, and governance dimensions. Recognize Barriers including technical, financial, and cultural challenges to adoption. Evaluate Sustainability and Ethics by analyzing environmental impact, equity, and algorithmic fairness. Formulate Strategic Questions for assessing AI vendors, platforms, and models. Design Actionable Roadmaps to move from AI interest to readiness aligned with institutional missions.Attendees also will leave understanding that readiness ≠ awareness; AI adoption depends as much on governance and culture as on technology. Sustainability must be central, addressing cost and environmental impact. Higher education needs tailored AI models rather than retrofitted industry
Presenters:
Nandini Janardhan, Programmer Analyst/Applications Manager, Fairleigh Dickinson University Sahana Varadaraju, Senior Application Developer, Rowan University Data in Action: Empowering Decision-Making and Driving Efficiency with Tableau OnlineIn the dynamic environment of higher education, data-driven decision-making is not a luxury—it’s a necessity. This session explores how our community college leveraged Tableau to transform raw institutional data into interactive, insightful dashboards across key business areas including enrollment management, finance, student services, and academic affairs. By centralizing data visualization and analysis, we’ve empowered stakeholders with real-time insights that drive efficiency, support strategic planning, and uncover opportunities for process improvement.
Presenters:
Moe Rahman, AVP/CIO, Community College of Philadelphia Laura Temple, Associate Director, Community College of Philadelphia …and more sessions to be announced! Exhibitor SponsorsThe post EdgeCon Autumn 2025 appeared first on NJEdge Inc.
Blockchain Commons focused on the ZeWIF project for the Zcash blockchain during the first quarter of 2025, but that didn’t stopped us from also advancing a few other priorities, including the initial release of our long-incubating Open Integrity project. Here’s what all we’ve been working on.
ZeWIF Specification:
Why It’s Important The ZeWIF Meetings What We’ve Released So Far What’s Still to ComePost-Quantum Commons:
Why It’s Important PQC Meeting QuantumLink What We’ve Released So FarOpen Integrity:
Why It’s Important What We’ve Released So FarNew Articles:
The Right to Transact SSI Orbit PodcastNew Dev Docs:
SSKR Pages UR Pages Meetings Pages Improved Crate DocsNew Ports:
Lifehash to RustNew Research:
Provenance Marks Provenance References ZeWIF SpecificationThe Zcash extensible Wallet Interchange Format (ZeWIF) has been Blockchain Commons’ main priority since the Zcash Community Grants program approved our proposal at the end of the year.
Why It’s Important. Blockchain Commons talks a lot about interoperability, and that’s what ZeWIF is: it’s a way to freely exchange data between Zcash wallets in a standardized form. What we don’t talk about as often is why interoperability is important.
It goes back to our Gordian principles. Interoperability supports at least three of them.
It supports independence because any user can freely move their data among the interoperable software systems. It supports openness because any developer can easily join the ecosystem by adopting a mature, well-understood specification. This creates an environment of coopetition (cooperative competition) that leads to advances in technology and usability. It supports resilience because the interoperable format makes data less likely to be lost: it’ll be in a form that will be understood and therefore accessible, well in the future.For a wallet ecosystem, interoperability means that users will have the freedom to move their digital assets among Zcash wallets. That’s the precise independence we want users to have, which is why it’s been worth spending a few months of time on this project.
The ZeWIF Meetings. To support the ZeWIF project, Blockchain Commons held three meetings in the first quarter: on the initial wallet survey, on the first demo of the zmigrate tool, and on ZeWIF data abstractions. Meeting with developers to ensure that specifications serve everyone’s needs has always been a bedrock policy for Blockchain Commons, so we’ve of course extended it here. (At least one more meeting is planned, for April 16th, to demo the data file format.)
#1: Wallet Survey: #2: Zmigrate demo: #3: Abstraction Discussion:What We’ve Released So Far. The ZeWIF project is built around the zewif library, which stores Zcash wallet data in an in-memory format. We’ve also written zewif-zcashd and zewif-zingo to demonstrate the import of data from those wallets to ZeWIF, while our partners at Zingo Labs have produced “zewif-zecwallet” for importing zecwallet data (though that PR hasn’t been merged yet). Finally, we authored zmigrate, which is a demo CLI for importing zcashd content. With these demos and libraries in hand, other wallet developers can start working to interchange their own data via the ZeWIF format.
What’s Still to Come. With our releases so far, data can be interchanged between different Zcash wallets as long as it’s all done on the same machine: you just import into the in-memory ZeWIF format from one wallet, then export to another. But we expect most use cases will instead involve at least two different machines. That’s where the ZeWIF file format comes into play. Building on Gordian Envelope, it translates the ZeWIF in-memory storage into a fixed file that can then be moved to a different machine. We expect to demo the Envelope ZeWIF format at that upcoming April 16th meeeting.
Post-Quantum CommonsIs Post-Quantum Cryptography (PQC) the next big thing? We were able to support our friends at Foundation with some PQC work just as we got the ZeWIF project going at the start of the year.
Why It’s Important. Quantum Computers are starting to appear, and though they’re far, far from what would be needed to break cryptography at the moment, there’s no telling when there’s going to be a sudden “quantum” leap. Though today’s cryptography might not need PQC, if you’re working on something that might be around for 5 or 10 years, you should be thinking about it!
PQC Meeting. Our March Gordian meeting contained all the details of our PQC work, including what Quantum Computing is.
QuantumLink. The highlight of the meeting was a discussion of QuantumLink from our friends at Foundation. This is a quantum-resistant protocol for Bluetooth communication that is a critical component of their new Passport Prime wallet. It allows them to use Bluetooth with high security and for that security to remain strong 5 or 10 years in the future, in case Quantum Computing does make those big strides forward.
What We’ve Released So Far. The QuantumLink technology was enabled by new PQC support that Blockchain Commons incorporated into its libraries. You can now use the PQC algorithms ML-DSA and ML-KEM in our Rust stack, from bc-componenents on up.
Open IntegrityWe had one other big release in Q1: Open Integrity, a system for increasing the trust of software being developed in Git. Well, technically it was released on April 7th, the 20th anniversary of Git’s release, but this is something that Blockchain Commons Architect Christopher Allen has been working on for about a year, so we’re thrilled to get the word out.
Why It’s Important. We wrote a whole article discussing why Open Integrity is important. But, in short: Git repos are growing increasingly important for the deployment of critical software, and Git doesn’t actually provide a high-level of trust for those repos, despite the ability to sign commits. Open Integrity bridges the gap betwen what Git offers and what online software distribution needs.
What We’ve Released So Far. The Open Integrity project is now available in an early form at GitHub. A Problem Statement offers details on the issues we’re trying to solve and our solutions. We’ve also got a number of tools and scripts, the most import of which creates an inception commit on a repo. This inception commit is the root of trust that lays the foundation for ensuring that you always know who’s in control of a repo.
If you want to try out Open Integrity, see the Open Integrity Snippets file, which has complete instructions on how to get that inception-commit script running, plus many examples that will allow you to experiment with Open Integrity.
New ArticlesThat’s it for our big Q1 projects, but we had a number of smaller releases over the course of the quarter as well.
The Right to Transact. We think the right to transact should be an international freedom. Read more in Christopher’s recent article, “The Case for an International Right to Freedom to Transact”, which builds on his 2024 musing, “How My Values Inform Design”.
SSI Orbit Podcast. Christopher also was interviewed for the SSI Orbit Podcast. It’s been nine years since he wrote the foundational “Path to Self-Sovereign Identity”. Where do things stand today?
New Dev DocsSSKR Pages. We updated our SSKR dev pages with the big focus being differentiating SSKR URs (where you split up a key) and SSKR Envelopes (where you protect the entire contents of an Envelope by creating and splitting up a key). The test vectors also now demonstrate both cases.
UR Pages. We similarly did some big updates to our UR dev pages. Here the issue was that URs had seen some changes over the years, especially as we locked down CBOR tag registration, and our examples were no longer up-to-date. Now, every page and every test vector should be correct. There’s also a new page on URs for Gordian Envelope.
Meetings Pages. All of Blockchain Commons’ meetings are now documented on a new meetings page, which also includes subpages with videos and slides (and usually transcripts) of everything from the last few years!
Improved Crate Docs. Finally, we’ve used some lessons learned from the documentation of ZeWIF to improve the documentation of our Rust stack. As a result, docs.rs now has improved docs for bc-dcbor, bc-components, and bc-envelope
New PortsLifehash to Rust. Lifehash is now available in a new Rust Implementation courtesy of Ken Griggs. Lifehash is a critical element of the object identity block, which can help users to recognize seeds and keys. We hope this will allow for more deployment.
New ResearchProvenance Marks. One of our newest innovations, courtesy of Blockchain Commons Lead Researcher Wolf McNally, is the provenance mark. The provenance mark is a cryptographically secure chain of marks that facilitates the easy verification of authenticity. We’ll have more on them in the months ahead, but in the meantime, you can read Wolf’s research paper on the topic!
Provenance References. If you want to start playing with provenance marks right now, we’ve already released a series of reference apps and libraries. They include our original Swift implementation, our newer Rust implementation, and a CLI that can be used to create and manage marks!
That’s it for the moment. For the next quarter, we’ll be closing out our initial work on ZeWIF in April, and we’ll be offering more looks at Provenance Marks in the months ahead.
If you’d like to work with us on these or other topics, drop us a line about becoming a Blockchain Commons partner.
We Are Open Co-op (WAO) is a collective of individuals who share a commitment to ethical, inclusive, and sustainable practices in all aspects of our work, including AI literacy. Our approach to this area is grounded in the belief that AI is an extension of digital literacies, not a separate field. We aim to demystify AI, helping people recognise that the digital literacy skills they already possess are directly applicable to AI.
AI’s societal impacts are significant and well-documented, but the public often struggles to grasp its opportunities and risks. A trusted guide is needed to balance optimism with caution, particularly given AI’s potential effects on jobs, culture, and other critical areas.
The projectWe are delighted to have started work on a new project with the Responsible Innovation Centre for Public Media Futures, hosted by the BBC. As an institution with a long and valued history in delivering high quality educational initiatives that help audiences understand and navigate new technologies, we believe the BBC is well placed to help public understanding and engagement with emerging technologies such as AI.
Our focus is research and analysis which aims to find gaps in provision for younger audiences. Over the next few months we’ll be interviewing experts, reviewing resources, and scrutinising frameworks. We will be using this research to create a report along with a framework and guide which will ultimately help the BBC create policies and content for young people. We’ll be sharing an open version of what we create, so look for those in the summer.
Our approachStarting with desk research, and building on the work we’ve already curated, we’re creating a library of interesting definitions, frameworks, and resources that can help us understand what other people are exploring when it comes to AI Literacy in combination with public media.
As with our work with Friends of the Earth where we researched AI and environmental justice, we will bring together a variety of experts to give feedback and sense check what falls out of some of the research.
Along the way, we’ll share updates based on our findings, so if you know of a person, organisation, initiative, framework, or resource that we should take a look at, please let us know! We’ll also be updating ailiteracy.fyi, our one-stop-shop for all things related to this important topic.
1. What is the mission and vision of Paays?
Building the foundation of trust in Auto Finance. Empowering Dealers and Lenders to serve their customers better, faster and more securely.
2. Why is trustworthy digital identity critical for existing and emerging markets?
Auto Finance and the Automotive Sector more generally, relies on trustworthy digital identity verification to ensure that people are who they say there, and the information being provided is authentic.
3. How will digital identity transform the Canadian and global economy? How does your organization address challenges associated with this transformation?
Paays is enabling thousands of Auto Dealers in Canada with the technology to perform digital identity verification, protect their businesses and employees, and reduce or eliminate criminal opportunities for fraud.
4. What role does Canada have to play as a leader in this space?
Canada has a significant opportunity to be a leader in digital identity and trust services, across many industries, including Auto Finance.
5. Why did your organization join the DIACC?
Paays joined DIACC to partner with a leading organization and it’s members, focused on bringing digital identity and trust services to the Canadian marketplace.
6. What else should we know about your organization?
Paays has a singular, laser-focused approach to building the foundation of trust in Auto Finance!
The Decentralized Identity Foundation (DIF) has officially launched its Hospitality & Travel Working Group, evolving from the ongoing H&T Special Interest Group (SIG). This new working group will focus on developing standards, schemas, processes, and documentation to support the self-sovereign exchange of data between travelers, services, intermediaries in the hospitality and travel industry, and their AI agents.
Mission and FocusThe primary goal of the working group is to enable travelers to maintain ownership and control over their personal data while allowing for seamless interactions with travel service providers. The group will address critical aspects of traveler profiles, focusing on data portability, privacy, and interoperability across the travel ecosystem.
Meeting ScheduleThe working group will convene twice weekly:
Tuesdays at 14:00:00 UTC Fridays at 14:00:00 UTCThese regular meetings will facilitate ongoing collaboration among industry stakeholders, technology providers, and standards bodies.
Leadership Perspectives"We are enormously proud that the hard work of our dedicated Hospitality & Travel SIG has led to a Working Group that will develop key specifications. From sharing boarding passes and hotel preferences to loyalty programs and dietary requirements, travelers constantly provide the same information to different companies throughout their journey.
"Travelers need to share, and overshare, the broadest range of personal data on their voyage, ranging from seat or dietary preferences, to government identities or passports, across multiple service providers who may not have the best data handling practices. This working group will develop standards that allow travelers to control exactly what data they share, with whom, and for how long - eliminating both unnecessary data exposure and the frustration of repeatedly entering the same information," said Kim Hamilton Duffy, Executive Director of the DIF.
Douglas Rice, industry veteran and Hospitality & Travel Working Group chair added: "The travel ecosystem has long struggled with fragmented approaches to customer data and identity management. This working group will help establish the technical foundations needed for travelers to maintain control of their data while enabling the personalized experiences they expect. We're building toward a future where your travel preferences, loyalty information, and credentials can move with you seamlessly across your journey—all while maintaining the highest standards of privacy and security, and enabling AI agents to act on verified information about the traveler.”
Next StepsThe working group will initially focus on defining standardized schemas for travelers or their digital agents to present profiles, establishing protocols for secure data exchange, and developing guidelines for implementation across various travel touch points. Industry participants are encouraged to join the working group to contribute their expertise and perspectives.
For more information about participating, visit the DIF Hospitality & Travel Working Group web site.
1. What is the mission and vision of Keyless?
Our vision is for a safer, more private world. Keyless is on a mission to redefine how the world authenticates – enabling people to securely access services with a simple look, without compromising their biometric data.
2. Why is trustworthy digital identity critical for existing and emerging markets?
We can answer this with a simple example: mule accounts. Fraudsters will pay people to open bank or crypto accounts using their real ID, then take over and use those accounts to launder money. On paper, the account looks legitimate – but the person using it isn’t who the bank thinks it is.
This kind of fraud is only possible when identity assurance is weak. With trustworthy digital identity, this can be stopped by verifying who is really behind the screen not just at sign-up, but every time they log in, send a payment, or change account details.
3. How will digital identity transform the Canadian and global economy? How does your organization address challenges associated with this transformation?
Digital identity is the foundation for secure online interactions. It drives inclusion, cuts costs, and reduces fraud. When companies can trust their users, they grow faster and more confidently.
Keyless sits within consumer apps – often in banking and fintech, but also in government and university portals. Whenever a user performs a sensitive action, like logging in or approving a payment, Keyless triggers an authentication selfie using the device’s camera. Unlike text messages, call centers, or even FaceID, this process actually proves who the user is – not just that they have access to a device or mobile number.
4. What role does Canada have to play as a leader in this space?
Canada is already taking significant steps toward becoming a global leader in digital identity. The government is actively developing a nationwide digital ID program designed to make accessing both public and private services faster and more secure.
By continuing to invest in public-private collaboration, Canada can lead the way in building trusted, inclusive digital ecosystems that other countries look to for guidance.
5. Why did your organization join the DIACC?
We joined DIACC to help shape the future of digital identity in a way that’s secure, user-friendly, and preserves citizen privacy. We believe in collaboration and are excited to contribute our expertise in biometric authentication and privacy-preserving technologies.
6. What else should we know about your organization?
Within the biometric authentication space, Keyless is known for its privacy-preserving approach. Uniquely, we authenticate users without storing their facial biometric data anywhere – keeping their biometric information completely private.
On March 18, 2025, the FIDO Alliance convened its APAC regional members and key stakeholders at the Telecommunications Technology Association (TTA) Auditorium in Seongnam, South Korea, for a full-day meetup and workshop. The event focused on advancing simpler, stronger authentication across the region and served as a vital platform for technical updates, regional progress, and real-world implementation insights around passkeys.
Among the 70+ participants on-site, we were honored to welcome six FIDO Alliance Board members representing Samsung Electronics, NTT Docomo, Lenovo, RaonSecure, Egis Technology, and Mercari—underscoring the global engagement and strategic importance of this gathering.
Before the main program, international attendees were invited to a special TTA Lab Tour, offering a behind-the-scenes look at Korea’s testing and standards infrastructure supporting FIDO and other telecommunications technologies.
Showcasing Technical Leadership and Regional Collaboration
The day featured an exciting lineup of expert speakers and educational sessions, reflecting the expanding role of passkeys as a trusted, phishing-resistant, and user-friendly authentication solution for both public and private sectors.
The event opened with an inspiring keynote by Dr. Koichi Moriyama (Chair, FIDO Japan WG; W3C Advisory Board Member), who emphasized the importance of global collaboration in setting interoperable, secure technology standards. David Turner, Senior Technical Director at FIDO Alliance, shared in-depth updates on passkey advancements and highlighted future areas of focus, including developer support, user experience, and broader international engagement. Wei-Chung Hwang of ITRI presented a thoughtful comparison of passkeys and PKI, outlining how the two can coexist and complement each other within modern authentication architectures. Ki-Eun Shin, Principal Software Engineer and FKWG Vice Chair, offered a practical guide for developers building scalable and secure passkey systems, covering implementation, testing, and UX considerations. Dovlet Tekeyev from AirCuve introduced Korea’s updated Zero Trust Guideline 2.0, walking the audience through key principles, recommendations, and how FIDO solutions align with national cybersecurity strategies. Eugene Lee, Vice President at RaonSecure, shared cross-industry deployment experiences of FIDO-based biometric authentication, highlighting its adaptability to diverse sectors including finance and telecom. Jong-Su Kim, Principal Security Engineer at Samsung Electronics, concluded the technical sessions by sharing Samsung’s vision of simplifying cybersecurity for all users through FIDO-driven innovation.Regional Insights and Shared Momentum
The day closed with regional updates featuring representatives from Japan (Naohisa Ichihara, FJWG Co-Vice Chair and CISO at Mercari), China (Henry Chai, FCWG Chair and CEO at GMRZ Technology, Subsidiary of Lenovo), Taiwan (Karen Chang, FTF Forum Chair and VP at Egis Technology), Malaysia (Sea Chong Seak, CTO at Securemetric), and Vietnam (Simon Trac Do, CEO & Founder at VinCSS), each presenting local updates on passkey deployment. Speakers shared technical challenges, user adoption, and the growing importance of cross-border cooperation to accelerate the passwordless future across APAC.
Moving Passwordless Forward Together
The FIDO APAC Regional Member Meetup & Workshop reaffirmed our collective commitment to advancing phishing-resistant passwordless authentication across the region. Thanks to all the speakers, sponsors, and attendees who contributed to this energizing and forward-looking event.
Stay tuned for more cross-regional collaborative events in the APAC and updates from the FIDO Alliance as we continue to make online authentication simpler and stronger together.
Webinar
March 27, 2025
10:00 AM ET
Join us for an insightful session on the successful implementation of the Zoom Phone project at Stevens Institute of Technology. This initiative aimed to modernize the campus communication infrastructure by transitioning from traditional phone systems to the innovative Zoom Phone service. The project involved meticulous planning, procurement, and deployment phases, ensuring a seamless transition for all departments.
We will delve into the change management strategies employed to facilitate this significant shift, including comprehensive user training, stakeholder engagement, and continuous support. The project management efforts were pivotal in coordinating the migration of facilities phones, decommissioning outdated systems, and ensuring compliance with new regulations such as the Ray Baum Act and Kari’s Law.
Discover how the collaborative efforts of the IT team with institutional stakeholders led to the project’s success. We will share key insights, challenges faced, and the remarkable outcomes achieved, including enhanced remote work capabilities, improved emergency calling services, and significant cost savings.
This session will provide valuable lessons for institutions looking to upgrade their communication systems and navigate the complexities of large-scale IT projects.
Presenters:
Maryam Mirza, Senior Director for IT, Client Experience and Strategic Initiatives, Stevens Institute of Technology
Hammad Ali, Senior Director of Infrastructure Services, Stevens Institute of Technology
Luis Quispe, Associate Director of Network and Telecom Engineering, Stevens Institute of Technology
Complete the Form Below to Access Webinar Recording [contact-form-7]The post Transforming Communication: The Zoom Phone Project at Stevens Institute of Technology appeared first on NJEdge Inc.
Let’s be honest. The world feels…complicated right now. The news is relentless, anxieties are high, and it’s easy to feel isolated. But be assured, there are people, even now, who get up every day and try to make the world a little better. As ever, we’re pleased to work with such people to try and build deeper, more resilient communities — and to remember that we’re not alone.
Building Open Communities cc-by-nd Bryan Mathers for WAOWe Are Open Co-op is working in collaboration with Amnesty International UK (AIUK) on a project focused on a new platform for activists. This is built on a shared fundamental belief that the most impactful change comes from strong, engaged communities.
Like many of the organisations we work with, AIUK has a vibrant and diverse network of activists. Communities and networks are complex and come with common challenges. There can be confusion, discomfort, and the feeling that things aren’t really resulting in meaningful action. There are so many people and activities it can be hard to create cohesion and connection. Understanding who people are, what drives them and listening to them is at the core of this project.
Our Community Platform project with AIUK is a place where we can put our deep understanding of how communities thrive to good use.
What are we doing? Starting with empathy: We know that understanding different perspectives and experiences is hugely important for building healthy communities. Our collaboration will be rooted in actively listening to and valuing the insights of people committed to AIUK’s mission. Spurring collaboration: We are new to the AIUK community, so we are looking forward to collaborating with people with diverse voices and new approaches. We are pleased that we’ll be collaborating with AIUK staff, educators, activists and Torchbox, an agency helping with Amnesty International UK’s digital transformation. Showing up: We love to step outside of our comfort zones, to experiment with new ways of working, and to be open to the possibility of failure — because learning from mistakes is kind of great. No, what are you actually doing?Oh, ok, we’ll if you want to be really specific:
Carrying out user research to better understand the AIUK community and how a community platform can help AIUK better support them Collaborating with the DDaT team and AIUK’s new Community manager to create new processes and policies which will help eliminate frustrations and problem areas Creating missions to help playtest a number of candidate community platforms that have the potential to help AIUK’s activists connect, learn and thrive The Power of the NetworkWe’re not just isolated individuals pursuing our own interests. We’re part of a larger, interconnected web. People tend to be members of multiple communities, so insights from those overlapping experiences are valuable. This crossover, this overlapping of passions and interests, is a vital strength, but it also needs intentional nurturing.
cc-by-nd Bryan Mathers for WAO Moving ForwardWe’re committed to building healthy communities, and that means planned, moderated, and actively cared for communities. We’re going to, as we do, work openly with Amnesty International UK, and are, as ever, always excited for your engagement and feedback.
We have some spare capacity on top of this work, so if you have a problem, if no one else can help, get in touch!
Organizations are encouraged to take the Passkey Pledge ahead of World Passkey Day on May 1
MOUNTAIN VIEW, Calif., April 9, 2025 – The FIDO Alliance is inviting organizations around the world to take the Passkey Pledge, a voluntary commitment to increase awareness and adoption of passkey sign-ins to make the web safer and more accessible.
Since passkeys were introduced to the world in 2022, hundreds of service providers have embraced the greater security and usability that passkeys bring to users. Over 15 billion user accounts are now equipped with the option to use a passkey instead of relying on passwords, which are easy to steal and reuse for account takeovers and fraud. Organizations that deploy passkeys are consistently finding that a greater percentage of their users are able to sign into services in far less time – which helps generate added revenue and/or employee productivity while also reducing fraud and account takeovers.
To further advance and promote the use of passkeys, the first Thursday in May each year is now recognized as World Passkey Day (previously World Password Day). Companies can take the Passkey Pledge in advance of World Passkey Day and commit to making a good-faith effort to achieve the following goals throughout the year:
For service providers that have an active implementation of passkeys for sign-in – Within one year of signing the pledge, demonstrate actions taken to measurably increase the use of passkeys by users when signing into the company’s services. For service providers that are in the process of implementing passkeys for sign-in – Within one year of signing the pledge, demonstrate measurable actions taken to enable passkeys for signing into the company’s services. For vendors with a FIDO-based products and/or service – Within one year of signing the pledge, demonstrate actions taken to measurably increase the use of passkeys through adoption of the company’s products and/or services. For vendors developing FIDO-based products and/or services – Within one year of signing the pledge, demonstrate measurable actions to FIDO certify its products and launch a product or service with passkey sign-in support. For industry associations and standards organizations – Within one year of signing the pledge, demonstrate actions to increase the visibility and benefits of passkey sign-ins.Organizations that take the pledge will receive assets to support their involvement and will have the opportunity to take part in activities and announcements planned for World Passkey Day on May 1, 2025.
More details on the pledge, including the sign-up form, can be found at https://fidoalliance.org/passkeypledge/.
Taking Action: Resources to Help Organizations to Fulfill the PledgeThe FIDO Alliance has resources and best practices for Passkey Pledge organizations to take action, including:
Sharing their commitment to the Passkey Pledge via external communications channels Leveraging the guidance on passkeycentral.org to plan, implement and expand their passkey rollouts Implementing the FIDO Design Guidelines, data-driven UX best practices for passkey rollouts Getting their products FIDO Certified to demonstrate that their products are compliant, interoperable and secure Releasing case studies on their or their customers behalf to share implementation journeys and business outcomes. Organizations can reach out to info@fidoalliance.org to submit case studies directly to the FIDO Alliance Taking part in the FIDO Alliance member activities and working groups to further drive passkey optimization and adoption Planning and/or taking steps to remove passwords as a sign-in option. About the FIDO AllianceThe FIDO (Fast IDentity Online) Alliance was formed in July 2012 to address the lack of interoperability among strong authentication technologies and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services. For more information, visit www.fidoalliance.org.
ContactDid you know that the first coupon dates back to the 1800s?
It hasn't changed much for something that's been around that long, and how shoppers redeemed coupons stayed the same…until now.
In this episode, Brett Watson, CEO of The Coupon Bureau, joins hosts Reid Jackson and Liz Sertl to talk about how the world of coupons is finally catching up. With digital formats, real-time validation, and built-in fraud prevention, coupons are evolving for the modern retail experience.
Brett explains what it takes to bring an old system into the digital age, why coupon fraud has become such a costly issue, and how these changes are unlocking new opportunities for both brands and consumers.
In this episode, you’ll learn:
How couponing has evolved over the years
The role of coupons in marketing and media
The future of coupon technology
Jump into the conversation:
(00:00) Introducing Next Level Supply Chain
(03:31) History of couponing
(09:45) The scale of coupon fraud in the industry
(14:56) The new coupon standard
(18:54) Different innovations and applications of coupons
(23:23) Brett’s favorite tech she can’t live without
Connect with GS1 US:
Our website - www.gs1us.org
Connect with the guest:
Brett Watson on LinkedIn
Governments worldwide are accelerating their digital transformation efforts to meet the growing expectations of citizens and businesses. Canada is no exception, with public sector services increasingly moving online to improve efficiency, accessibility, and security. However, this shift brings significant challenges, including data privacy concerns, cybersecurity threats, and the need for seamless, interoperable services across jurisdictions.
When DIACC was established in 2012, its mission was to create a secure digital ecosystem. Today, this goal is even more critical for modernizing government services while ensuring security, privacy, and usability. DIACC has evolved from research to certifying real-world digital trust solutions, setting audit standards, shaping policies, and connecting businesses and government to strengthen Canada’s digital economy.
Digital trust—which empowers individuals, businesses, and government agencies to engage online securely and transparently—is essential for delivering reliable public services. Without it, citizens may lack confidence in digital government initiatives, limiting their adoption and effectiveness.
By prioritizing digital trust, Canada can strengthen its public service infrastructure, enhance citizen confidence, and improve service delivery. Interoperable frameworks such as the DIACC Pan-Canadian Trust Framework™ (PCTF) ensure that digital services remain secure, adaptable, and trusted while protecting personal electronic information between government agencies and service providers.
Advancing Digital Trust to Modernize Government Services 1. Driving Efficiencies, Cost Savings, and Economic GrowthGovernments can leverage DIACC, the PCTF, and PCTF certification along with technical standards to help streamline processes, reduce costs, and create economic opportunities through:
Reducing Implementation Costs: Standardized digital trust solutions lower costs associated with developing, integrating, and maintaining digital trust capabilities. Enhancing Service Efficiencies: Digital credentials and interoperable frameworks minimize redundancies and enable faster, more secure service delivery. Unlocking Interprovincial Trade: A unified digital trust framework will enable seamless service delivery to Canadians across Canada, regardless of province of residence. Facilitating Labour Mobility: Efforts to reduce interprovincial trade across Canada mean the importance of secure and portable digital credentials has never been greater. Reducing bureaucratic licensing and certification verification barriers will ensure workers can move between provinces more efficiently. Boosting Public-Private Collaboration: By aligning digital trust standards with industry best practices, governments can foster innovation and attract investment in secure digital services. 2. Strengthening Public Confidence in Digital ServicesFor government digital services to succeed, citizens must trust them. Implementing robust digital trust solutions allows governments to:
Ensure secure and seamless access to online services Protect citizens’ data from fraud and misuse Increase adoption of digital services by providing verifiable trust measures Improve operational efficiency by reducing manual verification processes 3. Enhancing Trust Through the DIACC PCTFThe DIACC PCTF provides a framework for governments to:
Strengthen identity verification in digital government services Improve efficiency in service delivery by reducing reliance on physical documents Enhance interoperability across departments and jurisdictions Ensure compliance with privacy and security standards through auditable criteria 4. Protecting Citizens from Fraud and Identity TheftFraud prevention is a top priority for digital government services. To mitigate risks, governments should:
Implement secure identity verification measures for accessing digital services Use verifiable credentials for social benefits, permits, and tax filings Ensure public education initiatives on digital trust and security best practices 5. Enabling Seamless Intergovernmental CollaborationAll federal, provincial, and municipal governments must collaborate to support a trustworthy digital ecosystem. Digital trust frameworks like the PCTF facilitate:
Secure data exchange across agencies while maintaining privacy Interoperable digital identity solutions for seamless citizen experiences Compliance with national and international regulatory requirements 6. Leveraging Digital Trust for Innovation in Public ServicesGovernments can harness digital trust to:
Develop secure digital identities for all citizens and businesses Improve emergency response coordination through trusted data-sharing networks Support AI-driven public service applications with built-in trust safeguards Best Practices and the Way Forward 1. Adopt Existing and Emerging Digital Trust Technologies to Address Pain PointsGovernment agencies should leverage trusted digital trust, verification, and credentialing solutions aligned with the PCTF. Implementing PCTF-certified solutions will enhance security, efficiency, and trust in digital service delivery. While whole-of-government modernization is needed, our stakeholders recommend rapidly unlocking digital driver’s licences, passports, permanent resident cards and verified income to address the economic urgency.
2. Collaborate for Consistency and InteroperabilityDIACC fosters collaboration between governments, technology providers, and industry stakeholders to promote consistent digital trust practices, using standards and certifications to ensure security and privacy across public services.
3. Educate and Empower Citizens and Public Sector LeadersDIACC is committed to advancing digital trust in government through:
Public awareness campaigns on the benefits and security of digital services Training and resources for government officials on digital trust implementation Policy recommendations to support the adoption of digital trust frameworks ConclusionModernizing government services requires a foundation of digital trust. By recognizing frameworks like the PCTF, governments can enhance service delivery, protect citizens’ data, and foster trust in digital public services.
Together, we can build a future where government services are more efficient, secure, and accessible to all Canadians while reinforcing Canada’s leadership in digital trust and innovation.
Download the paper here.
DIACC-Position-Advancing-Digital-Trust-for-Government-Service-Modernization_ENGThe post Learn & Work Ecosystem Library Glossary appeared first on Velocity.
Demand for computing power is exploding as AI models, cloud services, and decentralized applications consume ever-greater amounts of energy. But not all energy is created equal. In some regions, a data center might be drawing power from a coal-heavy grid, while elsewhere excess wind or solar power goes unused. For the past decade, tech giants addressed this by buying renewable energy or improving efficiency. But what if we could take a more dynamic approach — shifting computational workloads across location and time to maximize use of clean energy?
Enter Carbon-Aware Nomination, a groundbreaking mechanism from Energy Web that does exactly that. It ensures computational tasks run where and when they have the lowest carbon intensity. This isn’t a standard cloud feature or a typical blockchain project, but a fusion of both: it connects decentralized computing networks with real-time carbon intensity data from WattTime and the Green Software Foundation’s Carbon-Aware SDK. And the best part — it’s going open-source, inviting the entire industry to build a greener digital future together.
The Carbon Cost of Computing: Why It MattersComputing today has a massive carbon cost. Data centers account for around 1–2% of global electricity use (on par with the airline industry), and that share is rising fast. Some forecasts warn that with the AI boom, data center energy demand could hit double-digit percentages of global consumption by 2030. In short, if we don’t make computing more sustainable, it will hinder global climate goals. Today’s solutions to decarbonize workloads rarely have real-time “carbon awareness.” This means a lot of flexible computing — like batch processing or AI training jobs — might be running at the worst possible times for the planet. Carbon-Aware Nomination changes that paradigm by intelligently routing workloads to times and places where electricity is greenest.
Why Carbon-Aware Nomination Is a Game-ChangerCarbon-aware computing isn’t an entirely new idea, but no one has implemented it the way we have. Existing approaches have serious limitations:
Blind Spots in Conventional Cloud Sustainability: Major cloud platforms have introduced sustainability dashboards and efficiency tools to help customers estimate carbon footprints. However, these proprietary solutions require you to trust their reporting. There’s no independent way to verify if a given workload actually ran on low-carbon energy. In other words, you might see carbon-saving claims, but you can’t prove them. While Carbon-Aware Nomination is built for decentralized compute networks, its methodology could be adapted for cloud orchestration. However, the current implementation is blockchain-native, ensuring verifiable, tamper-proof sustainability claims. Decentralized Compute Lacks Climate Intelligence: Emerging networks like iExec, Golem, and Akash distribute workloads across many nodes, leveraging blockchain for compute marketplaces. Yet, they schedule jobs without considering the carbon intensity of those nodes. A task might just as easily run on a coal-powered node as on a solar-powered one. Until now, no decentralized computing platform has integrated real-time carbon optimization into its scheduling logic.This is where Carbon-Aware Nomination stands apart. It combines decentralized computing with live carbon-intensity data for the first time. By doing so, it delivers several unique benefits that neither traditional clouds nor existing blockchain compute projects offer:
Decentralized & Trustless Architecture: Built on the Energy Web X blockchain, every decision and claim is transparent. There’s no single company controlling the process, and sustainability claims are tamper-proof and verifiable by anyone. This brings a new level of trust to green computing — auditors or stakeholders can confirm, via the public ledger, that a workload ran at a time of low grid emissions. Real-Time Carbon Intelligence: The system taps into WattTime’s API and the GSF Carbon-Aware SDK to get live and forecasted grid emissions data. Workloads are continuously matched to the cleanest energy times in real time. If wind picks up in Region A or solar output surges in Region B, the scheduler knows and can route tasks accordingly. We’re not offsetting carbon with credits or averaging it annually; we’re actively avoiding emissions as they happen. Hybrid Public/Enterprise Nodes: Flexibility is built in. Organizations can nominate workloads to run on public decentralized nodes or their own infrastructure — whichever meets the carbon criteria. For example, an enterprise could use its private servers when they’re running on green power, or tap into a public pool of nodes in another region when local power is dirty. Carbon-Aware Nomination isn’t “all or nothing” — it’s a smart overlay that finds the greenest option across a mix of resources. Verifiable ESG Reporting: Every workload handled through this system generates a digital proof of its execution with associated carbon data. Think of it like an eco-receipt. This proof can feed directly into ESG reports or sustainability audits, backed by blockchain records. Instead of saying “we think our computations were low-carbon,” organizations can cryptographically demonstrate it. This level of accountability is increasingly crucial as investors and regulators demand hard evidence of climate action. Open-Source Collaboration: Unlike proprietary cloud solutions, Carbon-Aware Nomination is being released as open-source software. This invites an entire community — from researchers to startups — to use it, audit it, and improve it. By sharing the code, Energy Web ensures transparency of the algorithm and accelerates innovation. Anyone will be able to plug into the system or even contribute new features (for example, supporting new types of workloads or integrating additional data sources). We believe an open approach is the fastest way to standardize carbon-aware computing across the world. How It Works (In Simple Terms): Checks Carbon Data: A group of computers (nominators) analyze real-time electricity grid data to find where energy is greenest. Finds the Best Spot: The nominators select and agree on the cleanest available computing resources to execute the workload and qualify for rewards. Runs & Verifies: The selected computers can accept and execute the workload, and the blockchain records proof of completion, ensuring eligibility for rewards. How It Works (In detail): The Carbon-Aware Nomination PoolSo, how does the system actually orchestrate a “greener” workload? Rather than a central scheduler deciding where tasks run, Carbon-Aware Nomination uses a decentralized pool of worker nodes and nominators that collectively determine the optimal execution plan. Here’s a high-level look at the process:
Live Carbon Data Feeds: Using the Carbon Aware SDK, the system continuously pulls real-time and forecasted carbon intensity data from WattTime’s service. This data covers different regions and grids, updating as conditions change (like when a big solar farm comes online in the afternoon or when a coal plant ramps up at night). Normalized Comparison: Because “100 gCO₂/kWh” means different things on different grids, the scheduler normalizes carbon intensity across regions. This prevents it from always favoring the same region and ensures a fair comparison. In essence, the algorithm knows what “clean” means for each location and time — a form of smart context. Energy Web X Worker Registry: All participating compute nodes (whether run by individuals, companies, or data centers) register on the Energy Web X blockchain registry. They publish metadata about their location, hardware, and efficiency. This on-chain registry is like a directory of available computing resources, with info crucial for carbon-aware decisions. It’s also transparent — anyone can see which nodes are available and where they are. Green Nomination Process: When a workload needs scheduling, a separate group of decentralized nominators, independent from the compute nodes themselves, evaluates the available options. These nominators analyze live carbon intensity data (from step 1), assess each node’s performance and capacity, and rank them based on sustainability. Essentially, the nodes compete, but not on price or speed alone, on verifiable carbon performance. The system then nominates the best-suited, lowest-carbon node to execute the task, ensuring a trustless and tamper-proof selection process. Workload Execution & Proof: The chosen node runs the computation. During and after execution, it logs the energy used and the carbon intensity at that time. This information is reported back and recorded (for example, as an attestation on Energy Web X). The result is a verifiable proof that “Task X was executed at Time Y in Region Z with carbon intensity Q gCO₂/kWh.” If someone doubts the claim, the proof is on the blockchain for anyone to verify.Continuous Optimization: Over time, the system can employ incentives to improve efficiency. For instance, node operators who consistently provide low-carbon compute (by perhaps adding their own renewable energy or load-shifting) could be rewarded. Likewise, if the network notices certain regions becoming cleaner (say a new wind farm installed), it will naturally start shifting more workloads there. The feedback loop encourages the whole ecosystem to move towards cleaner operations, as sustainable nodes get more business.
In practice, this means a company using Carbon-Aware Nomination could submit a batch job and know that the job will run at the best possible time (perhaps an hour later when a green energy surge comes) and in the best location (maybe on a server one country over where it’s a windy night), all without manual intervention. The heavy lifting of “when and where to compute” is handled by the decentralized logic in a transparent way.
How Carbon-Aware Nomination Fits into Energy Web XCarbon-Aware Nomination is a component of the broader Energy Web X (EWX) ecosystem. EWX is Energy Web’s new architecture for decentralized solutions, and it supports multiple “nomination” methods (i.e., scheduling and matching mechanisms) for every single compute workload of their solutions. Carbon awareness is one powerful approach, but not the only one — some applications might optimize purely on cost or latency, for example. Within EWX:
Solutions can opt-in to Carbon-Aware Nomination if minimizing emissions is a priority, or choose other nomination modules better suited to their needs. This flexible architecture means EWX can cater to different preferences (greenest vs. fastest vs. cheapest, etc.), and Carbon-Aware Nomination is available for any solution that cares about sustainability. Even for applications that prioritize performance, Carbon-Aware Nomination can run in the background or as a secondary filter. For instance, if two nodes are equally capable, why not pick the one on cleaner energy? In this way, the carbon-aware mechanism can enhance other scheduling strategies by adding a sustainability lens. All of this happens while leveraging the security and transparency of Energy Web’s blockchain. The nominations (scheduling decisions) and the resulting proofs are recorded on-chain, which aligns with Energy Web’s mission to use open digital infrastructure for the clean energy transition. EWX provides the trust layer that makes Carbon-Aware Nomination’s claims audit-proof. Decentralized Nomination: Trustless, Transparent, and ResilientUnlike a traditional cloud scheduler (where one company’s software decides where your job runs), Carbon-Aware Nomination operates without a single controlling entity. The decision process is distributed among many participants and governed by open algorithms. This decentralized approach brings several advantages:
Trustless operations: You don’t have to trust Energy Web or any cloud provider’s claims — you can verify the outcomes yourself on-chain. If a workload was supposed to run on green power, anyone can check the records and confirm it did. This is crucial for companies that need to report emissions reductions to regulators or want to avoid greenwashing. Transparency: Every step, from the carbon data used to the final selection of a node, can be made transparent. Community members could even watch a dashboard of live nominations happening, seeing in real time how the system is chasing the lowest-carbon resources. This level of openness is unheard of in proprietary cloud scheduling. Resilience: Decentralization also means there’s no single point of failure. The nomination process can continue even if one node or one data feed goes down. Multiple nodes participate in making decisions, and the blockchain ensures a canonical record. It’s much harder to corrupt or game the system — doing so would require attacking a broad, global network of participants.For users, this simply translates to peace of mind. You get a robust service that not only optimizes for sustainability but is also inherently reliable and tamper-proof.
Why Open Source MattersEnergy Web is committed to open-sourcing the entire Carbon-Aware Nomination system. By making it freely available to developers, enterprises, and even competitors, we aim to set a new industry standard for carbon-aware computing. Transparency is a core value here — anyone can inspect the code to understand how decisions are made and suggest improvements. Open source also accelerates innovation: a global community can adapt the tool for new use cases (imagine carbon-aware scheduling for edge devices or for other batch processes like rendering and scientific computing). We’re releasing this under an open license so that this carbon-aware logic can proliferate everywhere, not just within Energy Web’s ecosystem.
Ultimately, climate change is a shared challenge. We believe that by open-sourcing this solution, we enable network effects — more contributions, more adoption, and more emissions saved. No single company can decarbonize IT on its own, but together, we can make carbon-aware computing the “new normal” for all data centers and devices.
Join the MovementCarbon-aware computing is the future. Whether you’re an enterprise managing thousands of servers, a blockchain enthusiast, or a developer hacking on weekends, you can start integrating Carbon-Aware Nomination into your workflows to make a tangible impact. This isn’t just an Energy Web project — it’s a call to all cloud providers, decentralized network operators, and software platforms: join us in running workloads on clean energy. Imagine a world where every AI training, every render job, every transaction validation automatically seeks out the greenest energy available. That’s what we’re building, and we invite you to build it with us.
The code will be open-sourced on Energy Web’s GitHub (and accessible through our developer portal). We’ll be hosting community calls and tutorials for those who want to implement it or contribute. By working together, we can ensure that the digital infrastructure of the future not only powers our economies — but also heals our planet. It’s time to decarbonize the cloud, one workload at a time.
Carbon-Aware Nomination System for Decentralized Computing is now live was originally published in Energy Web on Medium, where people are continuing the conversation by highlighting and responding to this story.
This is the final post in a series drawing on insights from a report authored by We Are Open Co-op (WAO) for the Irish National Digital Leadership Network (NDLN). The report explores the historical roots of credentialing, the emergence of microcredentials, and their potential to reshape education and professional development.
This post draws on the insights explored so far to outline a vision for the future of microcredentials. By focusing on inclusivity, open standards, and meaningful recognition, microcredentials can be a transformative tool for education and professional development. Here, we propose actionable steps for organisations to harness their potential and create systems that truly empower learners.
Part 1 — Introduction and Context Part 2 — The Evolution of Credentialing Part 3 — Demystifying Microcredentials Part 4 — Trends Shaping the Future of Microcredentials Part 5 — The Role of Technology in Microcredentialing Part 6 — Challenges and Risks in Microcredentialing Part 7 — A Vision for the Future of Microcredentials (this post) Open Recognition as a Guiding PrincipleA key aspect of the future of microcredentials is the principle of Open Recognition, which values learning in all its forms, whether formal, informal, or experiential. By embracing this approach, organisations can ensure microcredentials acknowledge diverse achievements and highlight contributions that might otherwise be overlooked.
For instance microcredentials can help:
Charities — Recognise the skills gained through volunteering, advocacy, and community projects, offering participants portable evidence of their contributions. NGOs — Validate the efforts of community workers, promoting inclusion and recognising the expertise developed in challenging environments. Co-ops — Highlight collaborative and informal learning within member-driven structures, supporting collective progress and innovation. Businesses — Align microcredentials with organisational priorities, such as sustainability or diversity, to strengthen employee development and retention. Higher Education — Create stackable credentials that integrate with degree programmes and reflect industry partnerships, enabling more flexible and relevant learning pathways. The Responsible Use of TechnologyTechnology plays a critical role in delivering effective microcredentialing systems. Tools like Open Badges and Verifiable Credentials ensure transparency, portability, and security. Digital wallets give learners control over their achievements, while AI can assist in mapping skills and recommending pathways.
However, implementing these tools requires careful consideration. Equity, accessibility, and data privacy must be central to their design to avoid excluding certain groups or compromising trust. By prioritising interoperability and avoiding proprietary systems, organisations can ensure credentials remain functional across platforms and contexts.
Encouraging Cross-Sector CollaborationThe development of impactful microcredentialing systems relies on partnerships across education providers, employers, policymakers, and technology developers. Collaboration can:
Align microcredentials with societal goals and workforce needs. Establish shared quality assurance frameworks to build trust. Pool resources and expertise to address challenges like accessibility and cost.Such partnerships help ensure that microcredentials are not only useful but also widely recognised and respected.
Embedding Inclusivity and EquityFor microcredentialing systems to achieve their full potential, inclusivity must be at their core. This means designing platforms that are accessible to people with diverse needs, reducing financial barriers, and proactively engaging marginalised communities. Embedding these values ensures microcredentials contribute meaningfully to social equity and support lifelong learning opportunities.
Taking the Next StepMicrocredentials have the potential to celebrate diverse learning experiences, allowing individuals to present their skills and achievements in ways that matter. Whether your organisation is considering a pilot project or a larger-scale initiative, We Are Open Co-op can provide the expertise you need. From strategic planning to technological implementation, we ensure your microcredentialing projects are impactful and learner-focused.
👋 Get in touch with us today to explore how we can support your journey toward a more inclusive and forward-thinking approach to credentialing.
The post Driving Value through Innovation: Verified Credential Insights from Cisive PreCheck appeared first on Velocity.
When can you trust a software release? How do you know that a software repo is safe, that it represents the intent of its creators? On the 20th anniversary of Git, these questions are more important than ever.
Obviously, Git lays the foundation for trust in software releases with its ability to sign commits, but the trust of the system is unfortunately shallow. Untrusted content can be merged into a trusted repo, commit histories can be rewritten, and trust can’t be reliably extended into the future. These are crucial issues to solve if we are trusting software that originates in Git … and some pretty crucial software originates with Git, from Microsoft’s vscode or the OpenSSL project to the vue.js framework. Which is what led me to the design of the Open Integrity system. Though Git may look like to the average user like it offers a strong level of trust, it’s a dangerous mirage. Open Integrity makes repo trust a reality.
Open Integrity is still built with Git, meaning that it can be used on GitHub, GitLab, or whatever other Git tool that you prefer. There are no additions required other than the Open Integrity scripts themselves. However, Open Integrity makes trust the default rather than an add-on, establishing a root of trust when a repo is created, defending it against inappropriate additions, and extending that trust to new users and new keys as a project evolves.
Beyond that, Open Integrity’s root of trust can also be used as a DID (decentralized identifier) identity, supporting self-sovereign identity for a user or a project. But taking advantage of that might be the next step. For the moment, let me dive a bit further into the problems of Git’s current trust framework and how I designed the architecture of Open Integrity to resolve them.
A Problem of TrustThe foundation of trust in Git is signing commits with a signing key that is registered with a Git account, but that turns out to be a fragile level of trust because it leaves a number of loopholes.
Signing isn’t required. Even if an account has a legitimate signing key, use of that key isn’t required. Even if a Git hosting service enforces commit signing, unsigned commits can typically still be merged from branches.
Merging doesn’t guarantee signatures. Generally, merging offers one of the biggest gaps in signing security. It’s not just that merged commits can be unsigned, but that a branch can be deleted after merging, leaving no trace as to whether its commits were signed or not.
Things don’t necessarily get better when signing actually occurs.
Repo origin can’t be verified. Though you can verify signed commits belong to the person who currently controls a repo, there’s no way to verify that they haven’t illegitimately taken over the repo since its inception.
Chain of trust functionality is non-existant. On the flipside, there’s no way to show a legitimate transfer of authority between a repo’s originator and its current controller.
Key revocation is weak. Though keys can be manually revoked, there’s no way to automatically do so, and there are no warnings if a revoked key was used for signing.
History can be rewritten. Finally, Git includes a purposeful tool to allow you to rewrite commit history: editing commit messages, rebasing at a large scale, and even removing or changing files! This will change SHA-1 checksums, but as with other dangers here, there’s inadequate messaging to warn of this issue.
Solving the ProblemsSolving Git’s trust issues are relatively easy in theory:
Repo ownership needs to be cryptographically provable back to a repo’s origin. Signing needs to be required for commits and merges alike. Commit history needs to be irrevocable. Strong warnings are needed when these conditions aren’t met.However, nothing is ever that simple in practice. To practically solve the problems required designing an Open Integrity architecture that resolved each of the highlighted problems:
Problem Solution Unverified Origin Inception Commit Unverified Transfer Trust Transition Commit Key Revocation Trust Transition CommitHere’s how each of these architectural elements work:
Inception Commit. An inception commit is the first commit made to a repo. It locks the repo’s inception (initial) key with an empty commit, and so secures the repo with both the SSH signature and a SHA-1 hash that’s hard to purposefully collide because of the minimalism of the commit.
Trust Transition Commit. Any authorized key can be used to generate a trust transition commit, which is another zero-sized commit. Additional, trusted keys can be added, and keys can also be revoked. This allows both keys and team members to change over the course of a project, which is crucial for an open-source or large-scale project. The first trust transition commit is done with the inception key; after that any authorized key can be used.
Improved Logging. Many of the protections of Open Integrity arise from scripts that incorporate extensive logging, ensuring that users can see that all security measures are being met. This is done with Git commit messages and with git note
.
As an example, here is what the commit logging looks like for an inception commit, a trust transition commit, and a key revocation:
Inception Commit:
🔹 Commit: #a3306ef [🏁 Inception Commit] (Signed ✅)
├─ Message: "Initialize repository and establish a SHA-1 root of trust"
├─ Signed by: @a61TkTtL... (🏁 Alice using Device 1 <alice@example.com>)
├─ Empty: true (no files added)
├─ SHA-1 Protection: Constrained content + SSH signature
└─ Verification: Platform-independent
Trust Transition Commit:
🔹 Commit: #b24d9c1 [🔑 New Allowed Commit Signers File] (Signed ✅)
├─ Message: "Added second device key for Alice"
├─ Signed by: @a61TkTtL... (🏁 Alice using Device 1 <alice@example.com>)
└─ New Authorized Commit Signers:
- 🏁 Inception Key explicitly not included for future commits
- + @a61TkTtL... (Alice using Device 1 <alice@example.com>)
- + @f84PmWnY... (Alice using Device 2 <alice@example.com>)
Key Revocation:
🔹 Commit: #c3d7f12 [🔄 Key Rotation: Removed Alice's Second Device] (Signed ✅)
├─ Message: "Revoked second device key"
├─ Signed by: @f84PmWnY... (Alice using Device 2 <alice@example.com>)
├─ Authorized Commit Signers changed:
- 🗑️ @f84PmWnY... (Alice using Device 1 <alice@example.com>) is no longer authorized.
- @f84PmWnY... (Alice using Device 2 <alice@example.com>)
- @b73RkKpQ... (Bob using Work Laptop <bob@example.com>)
- @c58XmWpL... (Charlie using Home PC <charlie@example.com>)
The commits also clearly show when something is done that violates the basic precepts of Open Integrity. For example:
├─ 🚨 ERROR: Commit was signed using a previously revoked key!
Scripted Functions. Logging and the other protections of Open Integrity are available through scripts and one-line “snippet” scripts that can run from aliases. They replace the bare git
functions with ones that ensure that each commit or merge meets all the Open Integrity requirements. For example, here’s a git merge
alias:
git merge feature-branch --verify-signatures \
--require-author-signature \
--require-committer-authorization
Defined Settings. Git allows settings for repos and workflows; securing these settings can improve the security of repos. “Enforcing Signed Commits and Pull Request Requirements in GitHub” describes how GitHub makes use of these settings; similar functionality is available elsewhere in the Git ecosystem.
Data Preservation. Logging, aliases, and settings together ensure the preservation of some data related to a merge. As the following commit shows, information such as an author’s key is preserved when a merge occurs, along with information that the committer verified the original signature.
🔹 Commit: #fa34d76 [🔀 Merge Commit with Verified Author] (Signed ✅)
├─ Message: "Merge feature-branch: Added authentication layer"
├─ Committer: @c58XmWpL... (Charlie using Home PC <charlie@example.com>)
├─ Author: @e83TkLqM... (Eve using Dev Machine <eve@example.com>)
├─ Author Signature: Verified ✓ (signed 2024-02-10T15:30:00Z)
├─ Committer Authorization: Verified ✓ (in allowed_signers since 2024-01-15)
└─ Signatures stored: ./config/verification/signatures
The original author’s signature is not currently preserved due to the complexity of doing so. Working to preserve the signature without having to keep the branch around forever remains on the TODO list for Open Integrity.
Using Open Integrity NowOpen Integrity is available at the OpenIntegrityProject repo. Though it’s still in development, you can get started with it right now.
You should do so if you have a use case for Open Integrity such as:
You’re developing or releasing software through Git that holds sensitive information (such as a digital-asset wallet, a healthcare app, or even a web browser). You’re developing or releasing software through Git that might be used by people or companies that also hold sensitive data (such as financial or medical companies), even if your app does not. You’re developing or releasing software that requires any level of trust from its users. You have a team of developers that changes over time.The docs at the Open Integrity repo include a more extensive Problem Statement that goes beyond what’s in this article, but the most important file might be the setup_git_inception_repo.sh script, which will create a new Open Integrity repository for you. If you want to better understand how it works under the hood, see One Liners, which also documents step-by-step how to setup and use an Open Integrity repo. Future plans can be found in the Project Roadmap.
Give it a try, and if you have questions, please feel free to open an issue or start a conversation.
I’ve been working on Open Integrity for about a year now. I started this work because I thought the promise of trust implicit in Git was extremely important for software design and release, but that it needed improvement. I hope you’ll agree and find the improvements worthwhile!
With MyTerms, the person (and their electronic agent) is the first party, and the corporate entity (with its agent) is the second party. This is essential for assuring full respect for personal privacy in the digital world.
Every IEEE standard starts with a PAR: a Project Authorization Request.
Here is the PAR for EEE P7012 (nicknamed MyTerms—much as IEEE 802.11 is nicknamed Wi-Fi). It launched a working group in 2017 (that I now chair), and is expected to go from draft to done by early 2026.
Because what the standard will do is plainly laid out in the PAR, I’m breaking its paragraph into separate sentences to make reading it easier:
This draft standard covers contractual interactions and agreements between individuals and the service providers they engage on a network, including websites.
It describes how individuals, acting as first parties, can proffer their privacy requirements as contractual terms and arrive at agreements recorded and kept by both sides.
These terms shall be chosen from a collection of standard-form agreements in a roster kept by an independent and neutral non-business entity.
Computing devices and software performing as agents for both first and second parties shall engage using any protocol that serves the purpose.
The first party shall point to a preferred agreement, or a set of agreements, from which the second party shall accept one.
Party-to-party negotiations over terms in any of these contracts or other agreements are outside the scope of this standard. If both parties agree, the chosen contract or agreement shall be signed electronically by both parties or their agents.
A matching record shall be kept by both sides in a form that can be retrieved, audited, or disputed, if necessary, at some later time–and which is available to do so easily.*
I can’t share the draft before the final version is published, but I can say that what it says is about as simple as what you read above. It also does not specify what tech or protocol to use. This is to leave development as open as possible.
The main thing is that MyTerms obsolesces notice-and-consent by basing privacy agreements on contracts that individuals proffer as first parties, and sites and services agree to as second parties.
Never mind that this hardly seems thinkable to the status quo. The same was once said of the Internet, the Web, email, and other free and open graces we take for granted today.
Putting each of us in charge of our privacy online is what makes MyTerms the most important standard in development today. But only if we make it so.
If you want to get involved, help us build out Customer Commons, so it can play the same role for personal privacy terms that Creative Commons plays for personal copyright.
*Shall is IEEE-speak for will or must. The purpose of that rule is to make clear that it does not mean should, could, or any other modal auxiliary verb.
Google is developing a new feature that will allow secure passkey transfers between Android devices through its Google Password Manager service. The functionality, which is currently under development, aims to simplify the process of moving authentication credentials across devices while maintaining security standards. The development follows Google’s recent enhancements to its Password Manager, including improved security features and user interface updates.
The passkey transfer capability is being integrated into Google Password Manager, with recent releases of Google Play Services containing direct references to passkey export and import tools. These developments are part of Google’s broader effort to enhance authentication security and usability on Android platforms. The initiative comes as enterprise adoption of passkeys continues to grow, according to recent FIDO Alliance research.
Just days after Google confirmed it is bringing its next AI upgrade to Gmail, with major privacy implications, there’s more good and bad news for the 3 billion users relying on Google to deliver secure, spam-free email to their phones and computers. It turns out that a dangerous email attack has operated under the radar for years — until now.
First to the good news. Google’s tightening restrictions on the mass delivery of spam emails to your inbox is working and it’s having a devastating impact on the industry spawned to plague you with marketing messages. “Over the last year,” website MarTech says the industry has seen “engagement rates (open and click rates, especially) drop considerably. Their emails only show up in the inboxes of people already engaging with the brand. For most subscribers, the emails are getting flagged as spam.”
Google’s password manager may soon allow you to transfer your passkeys to a new phone, making their use as a login tool even easier.
An APK teardown by AndroidAuthority has found that Google might be working on a potential update that would allow you to export passkeys from one device to another.
Password export and import is already a key feature of many of the best password managers, but the same functionality for passkeys would be a huge step forward.
This is the sixth in a series of blog posts drawing on insights from a report authored by We Are Open Co-op (WAO) for the Irish National Digital Leadership Network (NDLN). The report explores the historical roots of credentialing, the emergence of microcredentials, and the opportunities they present for reshaping education and professional development.
While microcredentials present exciting opportunities, their implementation comes with challenges that require careful consideration. Issues such as equity, quality assurance, and unintended consequences must be addressed to ensure these systems benefit learners, organisations, and society as a whole. WAO uses the lens of Open Recognition to help address some of these challenges.
Part 1 — Introduction and Context Part 2 — The Evolution of Credentialing Part 3 — Demystifying Microcredentials Part 4 — Trends Shaping the Future of Microcredentials Part 5 — The Role of Technology in Microcredentialing Part 6 — Challenges and Risks in Microcredentialing (this post) Part 7 — A Vision for the Future of Microcredentials Equity and AccessibilityMicrocredentials have the potential to widen participation in education, but they must be designed to include all learners. Organisations need to ensure their systems are accessible to users with diverse needs, including those with disabilities, limited digital literacies, or restricted access to technology.
Financial barriers also pose a challenge. For learners in marginalised communities, the cost of earning and using microcredentials could limit their accessibility. Subsidised or open-access credentialing models can help bridge this gap and make microcredentials a tool for inclusion rather than exclusivity. As can credentialing existing knowledge, skills, and behaviours, in accordance with Recognition of Prior Learning.
Quality Assurance and TrustOne of the most pressing challenges is ensuring that microcredentials maintain credibility and rigour. Open Badges provide a robust digital framework that ensures credentials can be verified and trusted, embedding metadata that describes the skills achieved, the criteria met, and the issuing organisation. This transparency builds trust among stakeholders, enabling credentials to be portable and interoperable across different platforms and contexts.
Image CC BY-ND Visual Thinkery for WAOHowever, quality assurance ultimately rests with the issuing organisation. It is their responsibility to ensure that criteria for earning the credential are clear, the evidence supporting the achievement is credible, and the learning experience is both meaningful and relevant. Aligning credentials with recognised national or international standards further enhances their credibility and utility, ensuring they meet the expectations of both learners and employers.
Avoiding Vendor Lock-InThe reliance on proprietary platforms for issuing and managing microcredentials can create significant risks. As mentioned in a prior post, vendor lock-in limits portability and learner control, undermining the principles of openness and inclusivity.
Adopting open standards, such as Open Badges and Verifiable Credentials, ensures that microcredentials are interoperable across systems. This not only protects learners but also encourages innovation by encouraging collaboration between organisations and technology providers.
Data Privacy and SecurityMicrocredentialing systems rely on digital platforms to issue, store, and share credentials, making data privacy and security critical concerns. Protecting the personal information of learners is both a legal and ethical responsibility.
Open Badges v3 offers solutions by enabling credentials to be controlled directly by learners. Features such as selective sharing ensure that individuals can decide what information to share and with whom. However, care must be taken to avoid systems that lock learners into proprietary platforms, restricting the portability of their achievements.
Unintended ConsequencesMicrocredentials can create new opportunities for recognition, but poorly designed systems may have unintended effects:
Overloading learners with excessive or narrowly focused credentials can lead to “credential fatigue,” where the value of individual achievements is diminished. Issuing credentials for specific skills or behaviours might inadvertently disadvantage those without them, regardless of their actual capabilities. Systems that favour those with more resources, digital literacy, or prior access to credentialing risk perpetuating inequalities rather than addressing them.To avoid these pitfalls, microcredentialing systems should adopt Open Recognition principles, which aim to value diverse experiences and learning pathways. Recognising informal, community-based, and lived experiences alongside formal achievements can help ensure inclusivity.
Sector-Specific ChallengesDifferent sectors face unique challenges when adopting microcredentials:
Charities — Struggle with limited resources to implement digital credentialing systems that are both accessible and effective. NGOs — Face difficulties in ensuring that microcredentials are inclusive for the communities they serve, particularly in low-resource environments. Co-ops — Need to balance member-driven governance models with the technical requirements of interoperable credentialing systems. Businesses — Risk prioritising microcredentials that align only with short-term goals, neglecting broader workforce development needs. Higher Education — Must address resistance from academic departments that may view microcredentials as a threat to traditional degree programmes.Each of these sectors brings its own priorities and constraints to the table, but many of the challenges share common threads. Limited resources, resistance to change, and technical hurdles can all undermine the successful implementation of microcredentials if not carefully managed. Recognising these shared difficulties can help inform more effective, cross-sector strategies.
Practical Steps for Addressing ChallengesTo overcome these challenges, organisations need to adopt thoughtful and inclusive approaches that address both technical and systemic barriers.
Collaborate on shared frameworks that not only ensure technical validity but also assess the clarity of criteria, credibility of evidence, and relevance of learning experiences. These frameworks build trust across institutions and sectors, making microcredentials more valuable and credible. Use open standards like Open Badges and Verifiable Credentials to ensure that microcredentials are portable, secure, and learner-centred. These standards allow credentials to be recognised across platforms and contexts, giving learners more control over their achievements. Focus on recognising diverse forms of learning, including informal, community-based, and experiential achievements. This approach ensures inclusivity and acknowledges the broad spectrum of skills and contributions individuals bring. Continuously evaluate systems for equity and accessibility, addressing barriers such as financial constraints, digital literacy gaps, and platform design issues. By identifying and mitigating these challenges, organisations can expand participation and make microcredentials more inclusive. Looking AheadAddressing these challenges requires thoughtful design, collaboration, and a commitment to inclusivity. By developing systems that prioritise accessibility, quality, and openness, organisations can harness the potential of microcredentials to empower learners and drive meaningful change.
In the final post of this series, we will explore a vision for the future of microcredentials, outlining actionable steps for organisations to integrate them into their strategies effectively.
Zug, Switzerland & Oakland, CA — April 3, 2025 — Energy Web, a global nonprofit building open-source Web3 technologies for the energy transition, WattTime, an environmental tech nonprofit providing real-time grid emissions data, and the Green Software Foundation (GSF) today announced the launch of Carbon-Aware Nomination, an open-source system for scheduling computing workloads based on electricity carbon-intensity. This first-of-its-kind solution leverages GSF’s Carbon-Aware SDK, blockchain technology, and live emissions data from WattTime to ensure that applications run when and where power is cleanest, drastically reducing the carbon intensity of computing workloads.
A New Standard for Carbon-Aware Compute
Carbon-Aware Nomination combines Energy Web’s decentralized computing platform with WattTime’s Automated Emissions Reduction (AER) data feeds and GSF’s Carbon-Aware SDK, allowing any batch job or flexible workload to automatically “chase” the lowest-carbon energy available. Instead of running immediately or in a fixed location, a task can be delayed or relocated — for example, executing at night in a region with abundant wind energy — with the entire decision process orchestrated and verified on the Energy Web X blockchain. Unlike traditional cloud computing tools, this system provides cryptographic proof of the carbon emissions caused, giving enterprises and developers unprecedented transparency into the sustainability of their IT operations.
“Our community has been looking for ways to cut IT emissions without sacrificing performance or trust,” said Mani Hagh Sefat, CTO of Energy Web. “Carbon-Aware Nomination delivers that by leveraging decentralization. By partnering with WattTime and integrating GSF’s Carbon-Aware SDK, we’re injecting the best real-time data into an open, trustless network of computing resources. The result is a game-changer — any organization can now ensure its workloads run with the lowest possible carbon impact, and they can prove it. We’re excited to open-source this tool and work with others to scale it up; this is about creating a new norm for green computing across the industry.”
Collaboration Across Climate-Tech Innovators
WattTime’s leadership echoed the significance of this collaboration.
“This partnership demonstrates how data and technology can come together to fight climate change in new domains,” said Gavin McCormick, WattTime co-founder and Executive Director. “Energy Web’s innovative use of our emissions intelligence, coupled with the Green Software Foundation’s Carbon-Aware SDK, ensures that even computing workloads can automatically prioritize clean energy. We’re thrilled to see Automated Emissions Reduction principles expanding into cloud and blockchain infrastructure. By giving organizations the power to run tasks when renewables are abundant, Carbon-Aware Nomination turns climate intention into action.”
The Green Software Foundation (GSF), which has been advancing sustainability in software development, also sees this as an important milestone. “GSF’s mission is to reduce the environmental impact of software, and integrating our Carbon-Aware SDK into decentralized compute systems represents a major step toward that goal,” said Asim Hussain, Executive Director of Green Software Foundation. “By working with Energy Web and WattTime, we’re proving that sustainability can be a core part of modern computing — measurable, verifiable, and open-source.”
An Open-Source Future for Climate-Smart Computing
The Carbon-Aware Nomination system is fully open-source, with documentation and developer tools provided by Energy Web. Companies and developers can integrate it into cloud workflows, decentralized applications, or scheduling software to begin reducing the carbon emissions of their operations. Because the solution runs on a public blockchain, any sustainability claims are transparent and auditable by third parties.
This initiative also aligns with broader efforts by the tech sector to cut emissions: recent studies estimate that data centers and networks account for over 1% of global electricity use, and industry leaders are keen to mitigate this impact.
By launching Carbon-Aware Nomination in collaboration with WattTime and the Green Software Foundation, Energy Web aims to foster an ecosystem of climate-smart computing. The three organizations plan to engage cloud providers, enterprises, and researchers in adopting the approach. This joint effort showcases the power of cross-sector partnerships, bringing together blockchain-based decentralization, real-time environmental intelligence, and software-driven carbon-aware scheduling.
Energy Web, WattTime, and GSF invite interested partners to join the initiative, contribute to the open-source codebase, and collectively drive a new era of sustainable digital infrastructure.
About Energy Web
Energy Web is a software company developing open-source technologies to accelerate the energy transition. Its decentralized solutions leverage blockchain to create innovative market mechanisms, empowering energy companies, grid operators, and businesses worldwide. (www.energyweb.org)
About WattTime
WattTime is an environmental tech nonprofit that empowers all people, companies, policymakers, and countries to slash emissions and choose cleaner energy. Founded by UC Berkeley researchers, we develop data-driven tools and policies that increase environmental and social good. During the energy transition from a fossil-fueled past to a zero-carbon future, WattTime ‘bends the curve’ of emissions reductions to realize deeper, faster benefits for people and planet. Learn more at www.WattTime.org.
The Green Software Foundation (GSF) is a nonprofit organization under the Linux Foundation. It aims to create a trusted ecosystem of people, standards, tooling, and best practices for building green software and hardware. Members of the GSF represent a balanced mix of for-profits, nonprofits, and academia from around the globe and include several Fortune Global 500 firms. The Foundation operates by consensus.
Three Working Groups, including Software Standards, Hardware Standards, and Policy, and two Committees, Green AI and Developer Relations, currently oversee the Foundation’s ongoing projects. (www.greensoftware.foundation)
Energy Web, WattTime, and Green Software Foundation Unveil Open-Source Carbon-Aware Nomination to… was originally published in Energy Web on Medium, where people are continuing the conversation by highlighting and responding to this story.
April 2025
DIF Website | DIF Mailing Lists | Meeting Recording Archive
Table of contents Decentralized Identity Foundation News; 2. Working Group Updates; 3 Special Interest Group Updates; 4 User Group Updates; 5. Announcements; 6. Community Events; 7. DIF Member Spotlights; 8. Get involved! Join DIF 🚀 Decentralized Identity Foundation News Global Digital Collaboration Summit Announced: Registration Now Open for July Geneva ConferenceThe Global Digital Collaboration, a new partnership of intergovernmental, standards, and open source organizations, has launched its official member registration websites to advance public-private cooperation on digital infrastructure following the Global Digital Compact. The inaugural conference will be held July 1-2 in Geneva with space for 1,750 attendees.
Register your interest in attending as a DIF community member. We expect to finalize the attendees by May 1.
Those who pre-registered will be automatically migrated to the new site without needing to complete the registration form again.
GC25 Tickets via DIF · Luma Join the Global Digital Collaboration on Wallets & Credentials Be part of a landmark multistakeholder initiative convened by IGOs, SDOs, OSOs, and NGOs to… Kim Duffy It's a Wrap for DIF Labs Beta CohortDIF Labs concluded its inaugural Beta Cohort program with a showcase featuring three groundbreaking decentralized identity projects tackling pressing challenges at the intersection of privacy, trust, and digital authenticity. The standout projects included Veranon (enabling private personhood verification), Linked Claims (building trust networks for credentials in an AI-dominated world), and Ordinals Plus (connecting Bitcoin ordinals with decentralized identity). With Beta Cohort 2 applications opening in late April and the program kicking off May 20, DIF Labs continues its mission of supporting human-centric identity solutions that preserve authenticity in our digital landscape.
DIF Labs Beta Cohort Show & Tell Conclusion | DIF Labs science DIF Labs DIDComm and Cloud Data EncryptionThe DIDComm Working Group recently published a timely solution for personal data protection in light of Apple's decision to stop offering end-to-end encrypted iCloud storage in the UK. Their article explains how users can maintain privacy by implementing DIDComm encryption before uploading files to cloud services, effectively creating a user-controlled security layer that even cloud providers cannot access. The post highlights practical implementation methods and resources for those interested in this open-source approach to data sovereignty.
Read more:
How to keep user data private while storing it in the cloud By layering End-to-End Encryption (E2EE) on cloud storage services ourselves, we can ensure that our data is protected from unwanted access, even from the storage services themselves. Decentralized Identity Foundation - BlogWorking Groups 🛠️ Working Group UpdatesBrowse our working groups here
Creator Assertions Working GroupThe group discussed the evolution of their work with institutional news media and individual content creators, focusing on the identity claims aggregator model. They explored challenges in documenting assurance levels for identity signals and considered a version of the specification for content creators with autonomous credentials.
DID Methods Working GroupThe group conducted a deep dive on the DID Key specification, discussing its maturity, supported key types, and potential improvements. They are working on establishing criteria for recommending certain DID methods and implementing a review process to evaluate which methods are mature enough for standardization, with particular attention to interoperability and adherence to DID core standards.
Identifiers and Discovery Working GroupThe team focused on two main areas: implementing a well-known DID configuration for DIF to link DIDs to domain names, and finalizing version 1.0 of the did:webvh specification. They made progress on implementing watcher features for long-lasting DIDs and resolved issues related to metadata, error codes, and DNS-based identity verification systems. The specification will soon be released as version 1.0.
🪪 Claims & Credentials Working GroupThe group worked on developing a standardized repository for credential schemas in the decentralized identity space. They explored aspects like key validation, long-term availability of DID documents, and URL operations. They're creating comparative tools for different schema approaches and building a structured organization with community drafts, working group approved, and DIF recommended categories.
Applied Crypto Working GroupThe team made progress on several cryptographic aspects of BBS+, including pseudonym generation and Sigma protocols. They discussed the potential adoption of their specification by CFRG, exploring issues around privacy concerns and encoding formats. The European wallets definition now includes a section on zero-knowledge proofs that references BBS and BBS+ signatures, representing significant adoption of their work.
DIF Labs Working GroupDIF Labs is preparing for its next cohort.
DIDComm Working GroupDiscussions centered around the Trust Spanning Protocol, potential improvements to DIDComm, and the pros and cons of different encoding methods like CBOR. The team also explored ideas for a user-friendly notification system and addressed issues with connection reuse, concluding with plans for future meetings to further discuss these topics.
If you are interested in participating in any of the Working Groups highlighted above, or any of DIF's other Working Groups, please click join DIF.
🌎 DIF Special Interest Group UpdatesBrowse our special interest groups here
The H&T SIG has made substantial progress on their HATPro traveler profile specification, focusing on standardization for names across different cultures and languages while addressing challenges in data transfer protocols. The group refined their implementation guide to include digital wallets and agent interactions, and explored decentralized identity concepts with guest presenters from Condatis showcasing practical applications. Work continues on schema development and integrating verifiable credentials terminology, with thoughtful discussions on balancing legacy systems compatibility with modern data sovereignty principles.
DIF China SIG APAC/ASEAN Discussion GroupAchraf and Subash from OCBC Bank's blockchain team presented their experience with blockchain, self-sovereign identity, and verifiable credentials. They demonstrated the implementation of a cross-authentication system for multiple bank tenants and the creation of a publicly verifiable claims system using Verifiable Credentials technology. The presentation highlighted a practical financial industry application of decentralized identity technologies.
DIF Africa SIGThe monthly gathering featured a presentation by Anushka Soma-Patel on decentralized identity, digital trust ecosystems, and the Ayra network. The discussion covered data privacy challenges, verifiable credentials, and governance in digital trust systems. The Ayra network was presented as a platform to enable safe, secure, interoperable, and sustainable digital trust ecosystems.
DIF Japan SIGThe group held a session on KERI (Key Event Receipt Infrastructure), an open-source decentralized identity system that offers a blockchain-independent autonomous model. The presentation included a demonstration of verifiable credential issuance using KERI, explaining its key event logs, witness system, and ACDC credential format. Members discussed potential applications and the current maturity of development tools.
DIF Korea SIG 📖 DIF User Group UpdatesThe group explored enhancing DIDComm with two-factor authentication for SSH, discussing technical implementations and user experience. They proposed improvements to the routing protocol notification system and debated the use of lower trust keys for user-friendly notifications. The team also addressed connection reuse challenges and evaluated encoding methods like Sibor versus Caesar for future versions of DIDComm.
Veramo User Group 📢 Announcements at DIFConference season is kicking into high gear, and Internet Identity Workshop 40 is next week! Explore our Events calendar to meet the DIF community at leading Decentralized Identity, Identity, and Decentralized Web events.
🗓️ ️DIF Members👉Are you a DIF member with news to share? Email us at communication@identity.foundation with details.
🆔 Join DIF!If you would like to get in touch with us or become a member of the DIF community, please visit our website or follow our channels:
Follow us on Twitter/X
Join us on GitHub
Subscribe on YouTube
🔍
Read the DIF blog
New Member OrientationsIf you are new to DIF join us for our upcoming new member orientations. Find more information on DIF’s slack or contact us at community@identity.foundation if you need more information.
This is the fifth in a series of blog posts drawing on insights from a report authored by We Are Open Co-op (WAO) for the Irish National Digital Leadership Network (NDLN). The report explores the historical roots of credentialing, the emergence of microcredentials, and the opportunities they present for reshaping education and professional development in line with the concept of Open Recognition.
Technology plays a key role in the development and delivery of microcredentials, enabling their portability, transparency, and scalability. By making use of digital tools built on open standards, organisations can ensure that microcredentials are secure, meaningful, and accessible to learners across sectors.
Part 1 — Introduction and Context Part 2 — The Evolution of Credentialing Part 3 — Demystifying Microcredentials Part 4 — Trends Shaping the Future of Microcredentials Part 5 — The Role of Technology in Microcredentialing (this post) Part 6 — Challenges and Risks in Microcredentialing Part 7 — A Vision for the Future of Microcredentials Open Standards: Making Credentials Portable and TrustedOne of the key technological foundations for microcredentials is the use of open standards. Open standards ensure that credentials can be shared and recognised across different systems, making them more portable and trustworthy.
Open Badges, first introduced in 2011, set the stage for this revolution. These digital credentials provide important information, such as what the learner achieved, who issued the badge, and the criteria they met. The latest version, Open Badges v3, goes even further by aligning with a global framework called Verifiable Credentials.
This update brings several improvements:
Learner Control — Credentials can now be managed by the individual rather than being tied to a single institution or platform. No Mandatory Image — While the badge image remains a useful visual, the most important feature is the detailed information embedded in the credential, which helps employers and others verify it easily. Rich Information — Microcredentials can now include deeper context about what was achieved, such as specific skills, the learning process, and connections to recognised frameworks or standards.These advancements make microcredentials more meaningful and usable, not just in local settings but internationally as well.
Digital Wallets: Empowering LearnersDigital wallets, sometimes referred to as ‘credential management’ apps, are a transformative tool for managing microcredentials. By storing credentials in a secure, user-controlled environment on their mobile device, learners gain full ownership of their achievements. This flexibility allows individuals to share only the information needed for specific opportunities, such as job applications or further study, while maintaining privacy.
For example, a learner could use their digital wallet to share a single credential with a potential employer, without needing to reveal unrelated personal details such as their age or gender. This approach protects privacy and gives learners greater control over how their achievements are presented.
Digital wallets also facilitate the portability of microcredentials, ensuring that they can be recognised across different contexts. For organisations, adopting digital wallet-compatible credentials demonstrates a commitment to learner-centric practices and enhances the usability of their offerings.
Sector-Specific ApplicationsTechnology enables microcredentials to meet the unique needs of different sectors, enhancing their impact and relevance:
Charities — Use digital badges to recognise volunteer contributions, fundraising efforts, and advocacy skills, providing participants with evidence of their impact. NGOs — Leverage open standards to validate community workers’ skills and promote inclusivity in recognition practices. Co-ops — Employ interoperable credentials to highlight informal learning and collaborative problem-solving within member-driven environments. Businesses — Integrate microcredentials with existing professional development platforms to enhance employee upskilling and retention, focusing on sustainability or diversity goals. Higher Education — Adopt technologies like digital wallets to make credentials earned through co-curricular activities or industry collaborations more accessible and portable for students. Balancing Innovation with ResponsibilityTechnology offers new possibilities for recognising and showcasing skills, but its use must be carefully planned to avoid potential pitfalls. Challenges such as over-reliance on specific vendors, risks to data security, and barriers to access can undermine the effectiveness and fairness of microcredentialing systems.
To address these concerns:
Adopt open-source and interoperable solutions — These reduce the risk of being locked into a single provider’s platform, ensuring flexibility and long-term sustainability. Focus on accessibility — Systems should be designed to include users with a wide range of needs, enabling participation from all, regardless of ability or circumstance. Prioritise data security and privacy — Organisations must implement robust measures to protect sensitive user information, ensuring compliance with relevant regulations and building trust among learners and stakeholders.By taking a responsible approach, organisations can ensure that their microcredentialing efforts are not only innovative but also equitable, secure, and adaptable for the future.
Looking AheadTechnology is more than just a way to expand microcredentials — it is reshaping how learning is recognised and valued. By using approaches built on open standards, organisations can create microcredentialing systems that are secure, accessible to everyone, and focused on the needs of learners.
In the next post, we will explore the challenges and risks associated with microcredentialing, including how to address equity, quality assurance, and unintended consequences.
Specialists from different fields in the digital identity ecosystem have shed light on what it takes to be accredited for New Zealand’s Digital Identity Services Trust Framework (DISTF). They shared their thoughts during a webinar on March 26 moderated by the Executive Director of Digital Identity New Zealand, Colin Wallis, during which they also explained details about the process and the benefits that come with the accreditation.
The DISTF in New Zealand is a legal framework designed to regulate digital identity services as the country looks to expand its digital ID services. New rules and accreditation system of the DISTF took effect last November.
The objective of the webinar dubbed “DISTF Evaluators Showcase” was to provide an opportunity for those considering a DISTF accreditation to have an understanding of its advantages for small and large scale entities, organizational roles, costs and time frames, and the preparation process for the evaluation of compliance with standards which precedes the accreditation application.
Discussants included security consultant at Middleware Group, Tom Norcliffe; Director of Cyber, Privacy and Resilience at Deloitte which is an accredited evaluator, Marcus Bossert; and Founder of Cianaa Technologies, Rizwan Ahmad, who are all Digital Identity New Zealand members. There was also the Regulatory Practice Manager of New Zealand’s Department of Internal Affairs, Deanne Myers.
The first three speakers took time off to make an introduction of their companies, highlighting their services and key projects across the domains of digital identity and cybersecurity. They also mentioned some of their projects in New Zealand and the institutions they work with.
Bossert, for a start, explained the work Deloitte as a consultancy services firm is doing in the digital security assessment space. He mentioned that the firm offers services in cyber strategy, transformation, digital privacy, trust, and enterprise security, application cloud security, emerging technology solutions, threat detection and response, as well as operational security services. He also said that they have worked extensively on digital identity projects.
He said evaluation for the DISTF accreditation process looks at several factors including enterprise security, cloud security, security and resilience mechanisms, and threat detection and response, among others. The official also explained that the firm plays a significant role in guiding organizations through the accreditation process, helping them to align their cybersecurity and privacy expertise in order to ensure successful transactions.
Accreditation not a mere compliance formalityThe accreditation, he insisted, is not just for the purposes of compliances but is something that enables entities demonstrate robust security practices which are vital for building confidence and trust among stakeholders such as boards, customers, and even regulators.
“If you think about why you want to get accredited, you’ve got to think about the stakeholders that are involved in this. But fundamentally, you have to think about it from a more practical and operational perspective as well,” Bossert said.
“Security, privacy, development and operations teams are really interested in knowing that you have solid security practices built in. It is quite valuable for them to understand and have clarity on what the control measures are. So, I see the accreditation process as a mechanism to build confidence that your stakeholders need,” he stated.
“[Thanks to] the work that we do, our knowledge and global network, we can help you accelerate readiness and navigate the shortest path to success, so that we help you focus on those things that really matter, get your accreditation and accelerate operational readiness.”
For his part, Norcliffe from Middleware Group emphasized the importance of the digital ID trust framework, saying it is crucial for most of the work they are doing with government entities and the private sector in New Zealand.
Taking the floor, Ahmad said Cianaa Technologies has a framework on which their team of independent security evaluators offer services which include penetration testing, privacy, and GDPR compliance.
“We assess organizations based on this [framework]. We see whether you’re keeping the information confidential, whether you have the integrity intact, whether your services are available, whether it has non-repetition, and if it has the proper authentication authorization,” he said.
“Now, when we assess your organization based on that, it actually automatically gives up to the right assessment, because if something is missing, then there’s something missing in security.”
Overview of accreditation application processMyers said the team she manages is responsible for basically all aspects of the accreditation process. She gave an overview of components of the application process required by the Trust Framework Authority (TFA), noting that the entire process is transparent.
“We receive and assess applications for accreditation as a trust framework provider. We monitor ongoing compliance with the requirements of accreditation, assess applications for renewal, and obviously deal with any issues that arise in the course of these processes.”
She explained that a part of the application process requires results of an independent evaluation undertaken by independent evaluators, including a conformance assessment against the New Zealand identification standards. “Those outputs or deliverables will be submitted as part of an application,” she stated.
“There are currently 15 independent security evaluators who have been appointed and three privacy independent evaluators. However, we are currently undertaking an expression of interest process, calling for interest from other agencies who are able and who meet the criteria to be appointed as either a privacy or security evaluator, or both.”
Myers also shared important links and resources which can help those seeking accreditation to better understand what is required of them and how they can go through the process successfully. She also said the application would need to be submitted within 12 months of the standards compliance evaluation.
Understand what you needThe speakers also noted the place of AI in the trust framework evaluation process. Ahmad said while the technology can make a positive contribution to the process, it can also bring about challenges that effect these assessments.
Bossert added that those applying for accreditation must clearly understand what they need, and often, they expect the process to be as quick, painless and cost-effective as possible.
“If you’ve ever done something like an ISO accreditation, you would understand or know that it is very useful to be clear on the scope of accreditation that you’re looking for. So don’t apply for accreditation for areas that you don’t need. For example, if you’re not going to be providing personal information, then don’t sign up for accreditation for that,” he advised.
He also said for evaluators to have their work made easy, those seeking to provide trust services must take certain key factors into consideration, including having the right control and risk management mechanisms in place.
“I would suggest that you have a look at your solution and do a proper risk assessment early on so that you’ve got visibility of those risks and that you can start building in the necessary controls. In terms of risks, if you can demonstrate that you’re actively managing them and you have visibility and control, then that certainly helps to give the confidence needed.”
The aspect of pricing for the evaluation process was also addressed, with the speakers saying the process can range, approximately, from between $10,000 and $50,000, depending on the scope and the level of preparedness of the entity to be evaluated.
Source: biometricupdate.com
The post Experts highlight advantages of New Zealand’s Digital ID Services Trust Framework accreditation appeared first on Digital Identity New Zealand.