Organizations | Identosphere Blogcatcher

This story was supported by the Pulitzer Center and The Uproot Project Environmental Justice Fellowship. It was produced by Grist and republished by Rest of World. As W.H. Wong hugged his family goodbye...

Today, we’re excited to announce the release of Web3j 5, a major milestone in a journey that began back in September 2016. What started as an open source project to make Ethereum accessible to Java and Android developers has now grown into one of the most widely used Java libraries in the blockchain ecosystem. And established itself as an important integration technology in the LF Decentralized Trust project landscape.

This content is password protected. To view it please enter your password below:

Password:

Der Beitrag Protected: Digital Product Passports Towards More Sustainable Futures erschien zuerst auf www.ownyourdata.eu.

In the MyData Matters blog series, MyData members introduce innovative solutions that align with MyData principles, emphasising ethical data practices, user and business empowerment, and privacy. At Dokport, our journey […]

The OpenID Foundation has today released a critical new whitepaper addressing one of the most pressing challenges facing organizations deploying AI agents – how to securely authenticate and authorize these autonomous systems while maintaining proper governance and accountability.

Identity Management for Agentic AI: The new frontier of authorization, authentication, and security for an AI agent world has been researched and compiled by the OpenID Foundation’s Artificial Intelligence Identity Management Community Group – a team of global experts collaborating to address rising identity management challenges in AI systems.

Why this whitepaper matters

The whitepaper reveals a number of significant challenges that have immediate implications for three key audiences. 

Developers and architects building AI agent systems need to understand how to leverage existing standards while preparing for emerging models of delegated authority and agent-native identity. The research provides them with both immediate best practices and a roadmap for future-proofing their systems. Standards organizations must accelerate the development of protocols that formalize new concepts around agent identity and delegation, ensuring future systems are built on interoperable foundations rather than fragmented proprietary solutions. This research highlights the specific areas where new standards are most urgently needed. Enterprises need to begin treating agents as first-class citizens within their identity and access management infrastructure, establishing proper lifecycle management, governance policies, and accountability measures. The research provides a framework for making these organizational changes before they become critical.

These key audiences must act now to prepare for the future of AI agent deployment. The whitepaper provides vital resources for these audiences to enable them to secure AI agents as they are today, while offering a strategic agenda to help them address the foundational authentication, authorization, and identity problems that will come as these autonomous systems become more widespread.

Existing frameworks can only handle today’s simple agents

The good news is that current authentication and authorization standards are already capable of securing many of today’s AI agent use cases. When agents operate within well-defined boundaries, such as an enterprise assistant accessing internal tools or a consumer agent managing personal services, the established infrastructure works effectively.

Modern authentication frameworks provide a solid foundation for scenarios where agents work within a single organization’s systems or help individual users access their own data. These protocols, which have been battle-tested across billions of authentication flows, offer robust security when agents operate in straightforward, predictable environments with synchronous operations.

The Model Context Protocol (MCP) has emerged as the leading standard for connecting AI models to external data sources and tools. Its growing adoption demonstrates the industry’s recognition that agents need specialized frameworks for interacting with resources. For organizations implementing agents today, the research recommends a “separation of concerns” approach: use specialized authentication servers to handle security decisions rather than building custom security into each system.

Enterprise infrastructure is already agent-ready – to a point. Existing Single Sign-On (SSO) systems and user management tools can support today’s AI agents while providing IT administrators with centralized control over agent permissions. This allows organizations to leverage their current identity infrastructure without starting from scratch.

However, this seemingly solid foundation reveals significant cracks when agents begin operating with greater autonomy. The current approaches work well only because today’s agents remain relatively simple, operating within single trust domains, following predictable patterns, and requiring frequent human oversight. As AI systems evolve toward true autonomy, these same frameworks will struggle to address fundamentally new challenges.

The autonomy inflection point is approaching faster than many realize. While a single agent calling a handful of internal APIs poses manageable security challenges, the vision of highly autonomous agents – spawning sub-agents, operating across organizational boundaries, and making thousands of decisions daily – requires a fundamental rethinking of identity and authorization. The frameworks that secure today’s agents weren’t designed for recursive delegation chains, cross-domain trust propagation, or the scale of authorization decisions that autonomous systems will demand.

This creates an urgent imperative: organizations must secure their current agent implementations using existing best practices while simultaneously preparing for the more complex authorization challenges that increased autonomy will bring. The window for establishing robust, interoperable standards is now, before proprietary solutions fragment the ecosystem and create security gaps that will be far more costly to address later.

Next steps for the industry

How organizations manage trust, authority, and accountability in digital systems must evolve. This means moving beyond basic login systems to more sophisticated identity and permission models that can handle complex networks of connected agents. While current frameworks provide a secure baseline for today’s agents, the gaps identified in the OpenID Foundation’s new whitepaper must be proactively addressed in order to ensure a foundation for secure, responsible AI agent deployment at scale. 

The full research paper can be found here.

Contribute to the discussion 

The OpenID Foundation welcomes feedback and input from the broader community on this whitepaper. Readers can share their perspectives either through:

The community group repository  This Google Form

All feedback will be reviewed by the Artificial Intelligence Identity Management Community Group and discussed during their weekly calls. These calls are open to anyone interested in participating. For meeting schedules and details on how to join, visit https://openid.net/calendar/.

About the OpenID Foundation

The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.

The post New whitepaper tackles AI agent identity challenges first appeared on OpenID Foundation.

Who we are The Engine Room (TER) is a nonprofit organization with a distributed global team of experienced and committed activists, researchers, technologists and community organizers. Our vision is for social justice movements to use technology and data in safe, responsible and strategic ways, while actively mitigating the vulnerabilities created by digital systems. Since 2011, […]

The post Join our team! We’re looking for an Associate for Resilient Tech! appeared first on The Engine Room.

Shortly after Colombian presidential candidate Miguel Uribe Turbay was shot at a political rally in June, hundreds of videos of the attack flooded social media. Some of these turned out...

The OpenID Foundation Board has approved the development of a new service to enable stronger partnership with “managing entities” and “accredited laboratories” that wish to deploy the OpenID Foundation tests and best practices within a wider ecosystem conformance service. This additional service is scheduled for launch in Q2 2026, and will operate alongside the existing self-certification service.   This strategic investment responds to a strong demand from existing and prospective ecosystem partners who believe an accreditation option will help them meet their local regulatory requirements, foster market competition for conformance testing, and incorporate the OpenID Foundation tests within a wider conformance program. The Foundation anticipates 60 countries already are or will pursue digital identity initiatives and 90 countries are or will be pursuing open data programs. Many of these ecosystems are likely to select the OpenID Foundation’s global open standards and open source tests.   The current self-certification service will continue to operate. To date it has facilitated the successful self-certification of more than 4,000 implementations, including many vendors as well as public and private sector ecosystems in Brazil, the United Kingdom, Australia, the United Arab Emirates, Saudi Arabia, and the United States. Giving ecosystems the choice of self-certification through either the current service operated by the OpenID Foundation and/or the managing entities and accredited laboratories will help ecosystems choose the best fit option for their jurisdiction. The OpenID Foundation is committed to ensuring its specifications, open source tests, and conformance services support the Foundation’s ability to deliver to its mission and vision, and ensuring all implementers can realize the security, privacy and interoperability benefits inherent in the specifications.    In the months ahead, the OpenID Foundation will engage with pilot partners to establish and validate the new model, with plans to scale the service throughout 2026.   Ecosystem managing entities and accreditation laboratories interested in participating are invited to contact the OpenID Foundation at director@oidf.org for more information. About the OpenID Foundation

The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.

 

The post OIDF Announces New Investment to Expand Conformance Services first appeared on OpenID Foundation.

Jiying Zhang, a nutritionist and health coach, saw a therapist for four years before she decided to try DeepSeek. She was immediately impressed. The artificial intelligence model provided support instantly,...

Germany’s Federal Office for Information Security (BSI) is asking for public comment on a draft document that outlines technical considerations for configuring passkey servers.

The draft was published on September 30 and seeks to get inputs from relevant stakeholders, the BSI said in a news release.

The BSI TR-03188 Passkey Server guidelines are available as a draft in version 0.9, the BSI says. It was drafted within the scope of FIDO2 and WebAuthn standards, among others.

There is a persistent disconnect between perceived cybersecurity and actual vulnerability. That’s the key finding from Yubico’s 2025 Global State of Authentication Survey. The findings indicate a world still reliant on outdated authentication practices, highlighting the need to align personal and workplace cyber hygiene.

Passkeys are revolutionizing the way we secure our online accounts, with the potential to eliminate passwords altogether. We explain why they offer stronger protection for your digital life and how you can start using them.

There’s a reason everyone is working on a way to replace passwords. They’re often easy to guess, hard to remember, and changing them after every data breach is a pain, even if you do have a password manager. Thankfully, the Fast Identity Online (FIDO) Alliance developed passkeys, a new authentication technology that eliminates the need to enter your email address or a password into login fields around the web, and they’re gaining popularity. For example, Microsoft deleted passwords from its authenticator app in August, but left in support for passkeys.

Bojan Simic, Chief Executive of HYPR and a FIDO Alliance board member, warns that IT help desks are increasingly targeted by attackers using social engineering tactics. These tactics often involve leveraging stressful scenarios, such as an executive locked out of their account just before boarding a flight, to pressure help desk agents into bypassing or overlooking security protocols. “The help desk shouldn’t be the weakest link; it should be the first line of defence. That means moving beyond guesswork and adopting identity verification that confirms who someone is, versus what they know or the device they’re using. With phishing-resistant, standards-based verification built into support workflows, agents stop being human lie detectors and start being defenders,” said Simic. 

A Letter from the President, DIACC

The choices we make about digital trust and identity verification architecture today will shape Canadian privacy, security, and digital rights for generations to come. Recent developments in the United Kingdom offer a timely reminder: how we build digital trust and identity systems matters as much as whether we build them.

Canadians demand a path that’s grounded in the principles of federation, decentralization, privacy by design, and user control. As pressure mounts globally for mandatory and centralized digital identity systems, we must advocate for principles that ensure our implementations live up to the designs that Canadian’s demand.

The UK’s Announced Approach

The UK faces genuine challenges that digital trust and identity could address. Document fraud in right-to-work verification creates significant problems. Administrative burden on employers is substantial. And approximately 10% of UK residents have never held a passport, creating barriers to proving identity for routine transactions. A digital credential accessible via a smartphone, which 93% of UK adults possess, could help address these legitimate issues.

The critical question isn’t whether digital trust and identity can solve real problems. It’s how it’s implemented.

The UK government has committed to making its proposed BritCard system mandatory and references “a central database of people entitled to live and work in the UK.” Cybersecurity experts have been explicit in their warnings: centralized databases create “enormous hacking targets,” particularly when complex dependency chains involving contractors and integrators are involved. Within days of the announcement, 1.6 million people had signed petitions opposing the scheme, expressing concerns about surveillance and the notion of “Big Brother in your pocket.”

These concerns aren’t theoretical. Centralized identity databases have been compromised in multiple jurisdictions, impacting millions of individuals. Once compromised, the consequences include identity theft, widespread fraud, and erosion of public trust that takes years to rebuild. The attack surface, which arises from aggregating millions of records in centralized systems, is of enormous importance.

Architecture as Values Made Concrete

There is an alternative architectural strategy that is privacy-preserving and uses decentralized credentials. This approach uses:

Cryptographically-signed credentials that are held on user devices, not in centralized databases Verification happens through cryptographic proofs rather than database lookups Selective disclosure enables proving what’s necessary (like eligibility to work) without revealing your complete identity profile Users control when and how their credentials are shared

This isn’t experimental technology. Estonia has operated such a system successfully for over two decades. The EU Digital Identity Wallet regulation explicitly requires selective disclosure and offline verification capability. Singapore’s Singpass uses QR-code-based verification to minimize tracking. These approaches have been proven at the national scale.

The lesson for Canada isn’t “don’t build digital trust and identity verification.” It’s “architecture must reflect values.“

A mandatory system built on centralized databases carries fundamentally different privacy risks, security vulnerabilities, and civil liberties implications than a voluntary system using privacy-preserving credentials held by users. The efficiency gains and fraud reduction can be achieved through either approach; however, one strategy respects privacy by design rather than by promise.

Canada’s Distinctly Different Approach

Canada has already charted a different course. Aligning with our governance models and values, our approach is decentralized. There is no single national digital identity system, no central government database of all Canadians, and no mandatory credential that citizens are required to obtain. Learn more about our vision for Canada’s decentralized approach.

Instead, our vision of a digital trust and identity verification ecosystem aligns with the Pan-Canadian Trust Framework (PCTF), developed by DIACC in collaboration with federal, provincial, and territorial governments, financial institutions, telecommunications providers, privacy advocates, and civil society organizations. The PCTF enables digital trust and identity services through:

Federated Architecture: Multiple credential issuers (provinces, federal government, private sector organizations) can issue credentials that are mutually recognized through conformance to a common framework of components without creating centralized databases or requiring technological uniformity.

Privacy by Design: The PCTF embeds privacy protections at the architectural level. Requirements include data minimization, purpose limitation, selective disclosure capabilities, transparent consent management, and security safeguards proportionate to the sensitivity of the information. These aren’t policy aspirations; they’re assessed through independent certification.

User Control: Individuals maintain control over their credentials and decide when and with whom to share information. Credentials can be stored on personal devices, and users can revoke consent and withdraw their credentials through clear procedures for data deletion.

Voluntary Adoption: Digital credentials supplement rather than replace existing identity documents. Canadians choose whether to use digital identity based on convenience, security, and trust. It’s not a government mandate.

Verifiable Privacy Protections: Through DIACC’s PCTF Certification Program, organizations can obtain independent verification that their digital trust and identity verification services implement privacy-preserving architectures. This shifts privacy from a policy promise to a verified reality.

This approach reflects what Canadians want. Our research consistently indicates that privacy, security, and choice are key factors driving Canadians’ desire for digital trust and identity. The bottom line is that voluntary, privacy-focused solutions earn public trust, while mandatory systems face resistance.

The Technologies That Enable Privacy

Privacy-preserving digital trust and identity isn’t just philosophically preferable; it’s technically achievable through verifiable credentials and related technologies that the PCTF supports:

Selective Disclosure: Instead of presenting your entire driver’s licence to prove you’re old enough to purchase age-restricted products, you can present a cryptographic proof that you’re over 19, without revealing your birth date, address, or even your name. The verifier gets the answer they need; you retain privacy over information they don’t.

Decentralized Verification: Credentials can be verified through cryptographic signatures without requiring queries to centralized databases. This means verification can happen offline, in real-time, without creating transaction records that enable tracking or surveillance.

Zero-Knowledge Proofs: Advanced cryptographic techniques enable proving statements about your identity (such as “I am a resident of Ontario” or “I hold a valid professional license”) without revealing the underlying credential or creating linkable identifiers across different interactions.

User-Held Credentials: When credentials live on your device rather than in government or corporate databases, you control when they’re shared. A data breach at one organization doesn’t compromise your credentials held elsewhere.

These technologies are standardized and operating at scale internationally. Canada’s PCTF is designed to accommodate them as they become more widely deployed, ensuring that our framework supports the most privacy-preserving approaches available.

What This Means for Canada’s Digital Future

The path forward requires intentionality about the choices we make now, in procurement specifications, in system design, in policy development, and in public dialogue:

For Government Leaders: The PCTF bridges regulations with operational realities to provide a foundation for cross-sector interoperability. Resist pressure for centralized databases or mandatory systems. Ensure procurement specifications prioritize privacy-preserving architectures and require independent DIACC’s PCTF certification. Build the physical-digital bridges (assisted digital services, multi-modal access) that ensure universal accessibility.

For Industry Stakeholders: Pursue PCTF certification for digital trust and identity solutions and design products that implement selective disclosure and user control, rather than relying on maximalist data collection. Accept certified credentials from diverse issuers to create convenience that drives voluntary adoption. Contribute expertise to framework evolution.

For Privacy Advocates and Civil Society: Hold organizations accountable for their privacy promises by demanding PCTF certification. Participate in framework governance to ensure that citizen perspectives inform the technical architecture. Help build public understanding of how privacy-preserving systems work and why architecture matters.

For Technology Providers: Align product development with PCTF specifications and privacy-preserving technologies. Seek DIACC PCTF certification for competitive differentiation. Invest in open standards that prevent lock-in and enable interoperability. Innovate on capabilities including: verifiable credentials, selective disclosure, and zero-knowledge proofs.

For Citizens: Engage with digital trust and identity programs as they launch. Demand transparency about whether systems use centralized databases or decentralized credentials. Provide feedback on usability, accessibility, and privacy concerns. Exercise control over personal information through consent management: support organizations that pursue voluntary, privacy-preserving approaches over mandatory, surveillance-enabling architectures.

Building Services Worthy of Trust

Canada can build a digital trust and identity verification infrastructure of services that are:

More secure because it’s decentralized — no honeypot databases to target Widely adopted because it’s genuinely helpful and voluntary — convenience without coercion Privacy-protecting through architecture, not only policy promises — verified through independent testing Interoperable while respecting jurisdictional sovereignty — federation without centralization Inclusive by design rather than by afterthought — multi-modal access serving all Canadians

Our success demands that we prioritize privacy-preserving architectures in procurement specifications, insist on open standards and independent verification, invest in accessibility for all Canadians regardless of their digital literacy or access to technology, and establish strong trust frameworks and mutual recognition mechanisms that enable effective federation.

The path forward isn’t about government versus private sector, federal versus provincial, or mandatory versus voluntary in the abstract. It’s about all of us, across jurisdictions and sectors, committing to build and use digital trust infrastructure services that are distinctly Canadian: digital trust infrastructure that reflects our federal structure, our values, and our constitutional commitments to privacy and individual rights.

The UK’s experience with BritCard is a reminder that design choices matter. Centralized, mandatory systems may promise efficiency, but they carry profound risks to privacy, security, and civil liberties. Canadians have chosen differently, and we must ensure our implementations honour their choice.

We can develop digital trust and identity verification services that earn the confidence of Canadians. The architecture exists. The technologies are operational. The framework is ready. What remains is a collective commitment to getting the implementation right.

The choices are ours to make. The time to make them thoughtfully is now.

Joni Brennan
President, DIACC

Further Reading:

Pan-Canadian Trust Framework Understanding Canada’s Decentralized Approach PCTF Certification Program What Canadians Want: Privacy, Security, and Choice Verifiable Credentials and Privacy-Preserving Technologies

DIACC is Where Digital Trust Means Business

Contact us to be a part of the change you want to see, stay informed about developments in digital trust and identity verification, and learn how you can contribute to discussion drafts or become a member.

A Chinese city that failed to attract people has become a sandbox for machines. Ordos, a coal-rich northern Chinese city that never took off after prices crashed in 2012, has...

October 2025

DIF Website | DIF Mailing Lists | Meeting Recording Archive

Table of contents Decentralized Identity Foundation News; 2. Working Group Updates; 3 Special Interest Group Updates; 4 User Group Updates; 5. Announcements; 6. Community Events; 7. DIF Member Spotlights; 8. Get involved! Join DIF 🚀 Decentralized Identity Foundation News DIF Steering Elections are coming up soon!

We sent out an explainer last week with all the details, but the most urgent reminder is until the 9th, you can:

Nominate someone else you think would make a great steering committee member (we will reach out to them), Self-nominate , and/or Submit questions you'd like all candidates to answer.

Keep an eye out for the answers to those questions from the final slate of candidates 16 Sept, and feel free to use the #sc-elections channel on Slack to discuss.

DIF Labs Beta Cohort 2 Concludes with Successful Show & Tell

DIF Labs Beta Cohort 2 concluded with a successful Show & Tell event on September 24, 2025, showcasing three months of development across three innovative projects.

The Anonymous Multi-Signature Verifiable Credentials (ZKMPA) project built a protocol for m-of-n multi-party credential approval while preserving signer anonymity. Using Semaphore with cryptographic membership proofs and nullifiers, the team achieved W3C VCDM 2.0 compatibility and demonstrated how DAOs can issue credentials with privacy-preserving governance.

The Privacy-Preserving Revocation Mechanisms project delivered the first comprehensive comparative study of revocation strategies for W3C Verifiable Credentials, analyzing status lists, accumulators, zk-SNARK proofs, and short-term credentials. The team created a detailed taxonomy and reference implementation benchmarking costs for issuers, holders, and verifiers, with collaboration from the Ethereum Foundation on Merkle-tree approaches.

Legally-Binding Proof of Personhood via QES (QVC) bridged W3C Verifiable Credentials with Qualified Electronic Signatures under EU eIDAS regulation, bringing legally non-repudiable identity to decentralized credentials. The project explored pseudonymous QES flows and ETSI standards compliance for use cases including contracts, academic credentials, healthcare, and financial agreements.

All three projects presented working demonstrations to global participants from Korea, Japan, Europe, and the United States. The community provided structured feedback using the Roses/Buds/Thorns framework, and projects will continue development as open-source implementations. Visit the DIF Labs blog for complete details and event recording.

DIF Labs Beta Cohort 2: Show & Tell Recap 🚀 | DIF Labs science DIF Labs Trusted Agents Working Group Launches

DIF has launched a new Trusted Agents Working Group to address the emerging challenges of AI agent identity, authentication, and trust. As AI systems gain increasing autonomy and operate across organizational boundaries, the need for robust identity infrastructure becomes critical.

Co-chaired by Andor Kesselman, Nicola Gallo and Dmitri Zagidulin, the working group will develop standards and frameworks ensuring AI agents can maintain verifiable identities, establish trust relationships, and operate with appropriate human oversight. According to Kesselman, "The Trusted AI Agents Working Group focuses on defining an opinionated, interoperable stack to enable trustworthy, privacy-preserving, and secure AI agents."

The inaugural meeting focused on brainstorming use cases and shaping initial focus areas, with the first work item addressing Agentic Authority Use Cases. Read more in Kesselman's LinkedIn post and learn how to get involved here.

Our first Trusted AI Agents Working Group Decentralized Identity… | Andor Kesselman Our first Trusted AI Agents Working Group Decentralized Identity Foundation meeting today was a big success! We ran a cross-work item session to brainstorm use cases and shape initial ideas for the group’s focus areas. This is just the beginning-multiple work items will now move forward within the broader Working Group. We’re focusing on providing artifacts and outputs that the community can anchor to. Each work-item is self governed. I expect we will eventually get into MCP, A2A, NANDA, NLIPs, oCAPs, oAuth, AP2, ANS, Agent Delegation, and many other systems. Our first work item is Agentic Authority Use Cases. What’s Our Scope? The Trusted AI Agents Working Group (WG) at the Decentralized Identity Foundation (DIF) focuses on defining an opinionated, interoperable stack to enable trustworthy, privacy-preserving, and secure AI agents. These agents act on behalf of users or systems and require robust mechanisms for identity, authority, and governance. Feedback form if you’re interested in participating: https://lnkd.in/gaU4hQFw Join DIF to get involved and check https://lnkd.in/gEHvKTYt for more information. Check the mailing list: https://lnkd.in/gCHX8uuJ. Thanks to Nicola Gallo and Dmitri Zagidulin 🇺🇦 for co-chairing this beast of a working group. This is going to be a lot of fun and we’re going to make some amazing progress really fast. My overall take was that this group was a bunch of doers. Also, updates: This pairs really well with https://lnkd.in/g6aitZpQ, so come on October 24 if you want to meet some of us live and work on agentic protocols. And also the Open Agent Labs with IBM AI Alliance should benefit a lot from this feedback Dave Nielsen Adam Larter Alan Karp Eric Scouten Jim St. Clair Kaliya Young Ken Griggs Tom Jones Mitchell Travers Neil Thomson Sachio Iwamoto Matthew McKinney Przemek Praszczalek Geun-Hyung (Peter) Kim Makki Elfatih Adrian Field Daniel Glinz Viraj Patva @iian henderson LinkedInAndor Kesselman Credential Schema Specification 1.0 Released

The Claims & Credentials Working Group, co-chaired by Otto Mora and Valerio Massimo Camaiani, has released Credential Schema Specification 1.0. This specification provides standardized schemas for basic identity credentials, defining the fields required to identify an individual for KYC purposes and other foundational use cases. The 1.0 release ensures schemas are interoperable, extensible, and aligned with existing standards including W3C Verifiable Credentials, OIDC, and schema.org, and includes comprehensive documentation, reference implementations, and guidance for schema developers.

DIF Represented at UNGA Identity Panel

DIF members Matt McKinney and Nicola Gallo spoke on a hands-on panel about digital public infrastructure, trust, and identity two weeks ago, raising awareness and bringing the good word (and up-to-date architectural thinking) to specialists and builders closer to government infrastructure deployments. See last week's blog post for a more detailed read-out.

🛠️ Working Group Updates

Browse our working groups here

Creator Assertions Working Group

The Creator Assertions Working Group continues advancing work on content provenance and authenticity assertions for digital media. Recent discussions have focused on integrating creator assertions with broader verifiable credential frameworks, exploring how content creators can make cryptographically verifiable claims about their work. The group is examining metadata standards that support various content types while maintaining flexibility for emerging use cases. Work continues on alignment with the C2PA ecosystem and development of assertion types that can accommodate both individual creators and organizational content production workflows.

👉 Learn more and get involved

DID Methods Working Group

The DID Methods Working Group focused on updating evaluation criteria for DIF-recommended DID methods. The group refined its assessment framework to emphasize multiple independent implementations, demonstrated production deployments, and clear compliance with core DID traits. Discussions addressed balancing objective technical criteria with expert evaluation to ensure recommendations reflect both standards compliance and practical viability. The group continues work on the proposed W3C DID Methods Working Group charter, addressing community feedback about scope and the role of blockchain-based methods in standardization efforts.

👉 Learn more and get involved

Identifiers and Discovery Working Group

Multiple work streams advanced within the Identifiers and Discovery Working Group. The did:webvh team made significant progress toward their 1.0 release, with implementations demonstrating successful interoperability through comprehensive test suites. Performance analysis shows efficient handling of DID document updates even in high-frequency scenarios. The DID Traits team finalized specifications for their 1.0 release, with particular focus on traits related to key validation capabilities and long-term identifier availability. The group explored applications in software supply chain security contexts and examined how DID traits align with emerging regulations including the EU Cyber Resilience Act.

👉 Learn more and get involved

🪪 Claims & Credentials Working Group

Following the successful release of version 1.0 specification, the Claims & Credentials Working Group launched a community schemas initiative. This program creates frameworks for organizations to contribute verifiable credential schemas to a shared repository, with pathways for community review and potential standardization. Recent work includes extending schemas for banking KYC requirements, with particular attention to international postal address formats. The team refined terminology around personhood verification credentials and established processes for synchronizing schemas across multiple repositories. Future development priorities include employment credentials and anti-money laundering certification schemas.

👉 Learn more and get involved

Applied Crypto Working Group

The Applied Crypto Working Group made substantial progress on BBS+ signature schemes and privacy-preserving cryptographic primitives. Key developments include refinements to pseudonym generation approaches, with the team evaluating polynomial methods and their security properties against adversarial scenarios. Discussions addressed post-quantum security considerations and their implications for long-term privacy guarantees in credential systems. The group continues coordination with IETF standardization efforts and is preparing updated test vectors for upcoming draft releases. Members are exploring implementation approaches in both Rust and C++, weighing trade-offs in performance, security, and ecosystem compatibility.

👉 Learn more and get involved

DIF Labs Working Group

With Beta Cohort 2 successfully concluded, the DIF Labs Working Group is evaluating the program structure and considering timing for future cohorts. The group continues providing support to Beta Cohort 2 projects as they transition to ongoing open-source development. Discussions have focused on lessons learned from the cohort model, including the effectiveness of mentorship structures, project scoping approaches, and mechanisms for ensuring long-term project sustainability. The Labs team is also exploring opportunities to showcase project outcomes at industry conferences and standards bodies.

👉 Learn more and get involved

DIDComm Working Group

The DIDComm Working Group advanced work on binary encoding support through CBOR implementation. The team evaluated architectural approaches for supporting multiple encoding formats, considering whether to introduce binary encoding as an optional feature in version 2.2 or as the default in a future major release. Technical discussions addressed message encoding detection, MIME type handling for different encoding schemes, and backward compatibility with existing implementations. The group also explored DIDComm's role in AI agent-to-agent communications, examining how the protocol can support secure, privacy-preserving interactions between autonomous systems.

👉 Learn more and get involved

Hospitality & Travel Working Group

The Hospitality & Travel Working Group made substantial progress on the HAT Pro (Hospitality and Travel Profile) specification. The team developed comprehensive schemas for food preferences, dietary restrictions, and accessibility requirements using graph-based models that eliminate data duplication and improve cross-referencing capabilities. Recent work includes creating UML models and JSON schemas for complex preference structures that can adapt to varied travel contexts. The group is exploring AI-assisted data input mechanisms to simplify the user experience while maintaining data accuracy. Subject matter experts from multiple travel sectors have joined the working group, bringing valuable domain expertise to schema development.

👉 Learn more and get involved

If you are interested in participating in any of the Working Groups highlighted above, or any of DIF's other Working Groups, please click join DIF.

🌎 DIF Special Interest Group Updates

Browse our special interest groups here

DIF Hospitality & Travel SIG

The Hospitality & Travel SIG continued its evolution alongside the working group, focusing on broader ecosystem considerations and real-world implementation challenges. Recent sessions examined the intersection of decentralized identity with emerging AI capabilities in travel, including personalized itinerary generation, automated booking agents, and AI-powered concierge services. The group discussed how traveler-controlled credentials can enable these AI systems while maintaining privacy and user control. Participants also explored challenges in achieving industry-wide adoption of new credential standards, including the need for demonstration projects that showcase tangible benefits to both travelers and service providers.

👉 Learn more and get involved

DIF China SIG

👉 Learn more and get involved

APAC/ASEAN Discussion Group

The APAC/ASEAN group hosted discussions on regulatory developments affecting decentralized identity across the Asia-Pacific region. Key topics included alignment between national digital identity initiatives and decentralized identity standards, with particular attention to interoperability requirements for cross-border transactions. The group examined recent policy changes in Australia, Singapore, and Japan, identifying common themes around privacy protection, user control, and the role of government-issued credentials within broader digital identity ecosystems. Participants discussed strategies for engaging with regulators to ensure decentralized identity approaches are considered in policy development.

👉 Learn more and get involved

DIF Africa SIG

The Africa SIG continues its focus on practical implementations of decentralized identity across the continent. Recent discussions have examined mobile-first approaches to credential management, recognizing that smartphone adoption patterns in Africa differ from other regions. The group explored solutions for users with feature phones or limited connectivity, including offline verification capabilities and SMS-based fallback mechanisms. Participants shared insights on regulatory environments across different African nations and opportunities for harmonization of digital identity frameworks at the regional level.

👉 Learn more and get involved

DIF Japan SIG

The Japan SIG explored technical approaches to AI agent authentication using decentralized identifiers. Discussions covered the unique requirements for identifying autonomous systems, including mechanisms for establishing trust chains between AI agents and their human operators or organizational sponsors. The group examined use cases spanning automated trading systems, customer service agents, and collaborative AI workflows. Participants considered how existing DID methods can be adapted for AI agent use cases and whether new DID methods might be warranted. The group is planning offline events to deepen community engagement and facilitate face-to-face technical discussions.

👉 Learn more and get involved

DIF Korea SIG

👉 Learn more and get involved

📖 DIF User Group Updates
DIDComm User Group

The DIDComm User Group explored practical implementations of the protocol in production environments. Members shared experiences with mediator deployments, discussing scalability considerations and reliability patterns for always-available message routing. The group examined integration approaches with emerging AI communication frameworks, identifying similarities between DIDComm's secure messaging patterns and requirements for AI agent interactions. Discussions also covered developer experience improvements, including debugging tools, testing frameworks, and documentation enhancements that can lower barriers to DIDComm adoption.

👉 Learn more and get involved

📢 Announcements at DIF Executive Director Applications Still Open

DIF is accepting applications for the Executive Director position as the current term comes to a close. This is an opportunity to shape DIF's strategic direction and lead the organization through its next phase of growth. Application details are available in the job description, with questions welcomed at jobs@identity.foundation.

Decentralized Trust Graph Working Group Launches

The Linux Foundation Decentralized Trust (LFDT), Trust over IP, and Decentralized Identity Foundation have launched a new Decentralized Trust Graph Working Group, providing a venue for developing standards around trust networks and reputation systems in decentralized environments. This working group complements DIF's ongoing work by addressing graph-based approaches to modeling trust relationships. DIF members interested in participating can find details about joining in the ToIP community calendar. This collaboration demonstrates the growing ecosystem of organizations working on complementary aspects of decentralized identity and trust infrastructure.

Discount Codes Available for IIW and Agentic Internet Workshop

DIF members can access special discount codes for two upcoming events:

Internet Identity Workshop (IIW) XLI: Use code DIF_XLI_20 for 20% off registration at this link Agentic Internet Workshop: Use code AIW_DIF_10 for 10% off registration at this link

Explore the DIF Events Calendar for a complete listing of upcoming conferences, workshops, and community gatherings where DIF members will be participating.

🗓️ ️Community Events

Internet Identity Workshop XLI
The semi-annual gathering of the identity community returns, offering unconference-style sessions where participants drive the agenda. IIW continues to be a critical venue for discussing emerging challenges, sharing implementation experiences, and building consensus around identity standards.

Use code DIF_XLI_20 for 20% off registration at this link

Agentic Internet Workshop
The Agentic Internet Workshop takes place immediately following IIW, providing an opportunity to explore how decentralized identity standards can provide the foundation for AI agent interactions and trust. This new workshop addresses the intersection of AI agents and internet infrastructure, with decentralized identity as a key enabling technology. Sessions will explore authentication mechanisms for AI agents, human oversight frameworks, and trust models for agent-to-agent interactions.

Use code AIW_DIF_10 for 10% off registration at this link

🆔 Join DIF!

If you would like to get in touch with us or become a member of the DIF community, please visit our website or follow our channels:

Follow us on Twitter/X

Join us on GitHub

Subscribe on YouTube

🔍

Read the DIF blog

New Member Orientations

If you are new to DIF join us for our upcoming new member orientations. Find more information on DIF’s slack or contact us at community@identity.foundation if you need more information.

In the 1990s, when mass food production introduced hundreds of novel ingredients and industrial processes, people lost significant visibility into what they were eating. Nutrition labels emerged as a solution for transparency and to help consumers make informed choices on their consumption.

Today, digital content creation is experiencing its own industrial revolution. Canva logged 16 billion AI-powered feature uses last year 1, Midjourney surpassed 21 million users by March 2025 2, and 71% of businesses and 83% of creators are already reporting using AI tools in their content workflows 3. This shift has introduced new intermediaries and processes that make it harder to trace digital content origins. Without transparency, it is near impossible for artists and platforms to maintain creative control and proper attribution, or for audiences to connect to increasingly intermediated and automated creators.

The music industry for one is facing a tipping point of copyright infringement from unauthorised training models, artificially inflated play counts, and fake AI tracks swamping streaming platforms 4. The likes of Universal Music Group, Warner, and Sony, are pushing for the technology to serve the artists and help enhance their creativity instead of replacing them. As Jeremy Uzan of the Universal Music Group says, “AI can be used to assist the artist” as they pursue an artist-centric approach. For example, using AI to translate Brenda Lee’s iconic ‘Rockin around the Christmas tree’ into Spanish, or audio-enhancing archival Beatles audio, to demonstrate how human creative input combined with AI assistance can work commercially and legally. However, the current AI tools intending to foster new creative opportunities often lack the granular attribution controls and auditability that is needed to create the level of supply-chain transparency that creators need.

Like nutrition labels before them, The Content Authenticity Initiative and Creator Assertions Working Group (CAWG) are trying to restore the transparency that mass automation has obscured. Such efforts, deployed at scale, would give audiences the information they need to make informed choices about the media they consume, without dictating their decisions.

The Foundational Infrastructure

The C2PA Content Credentials Specification 5 acts as a foundation for this media transparency. It cryptographically binds an origin ‘label’ to a digital asset that says how the asset was created. The CAWG 6 builds on C2PA with a framework for attaching the ‘who’ and ‘why’ to an asset as ‘Content Credentials’. As Scott Perry, the Co-Chair of CAWG and Conformance Program Administrator of C2PA, puts it, CAWG metadata brings “human claims to digital media”.

What this looks like in the real world is Google’s Pixel 10 now shipping with C2PA conformance built in, YouTube tagging select videos as “captured with a real camera”, and LinkedIn marking images with a “Cr” symbol to show when they carry Content Credentials. These tags relay information like whether AI was used to generate or edit a part of the content, the entity that created the Content Credential, and when the credential was created. But, as Eric Scouten, Co-Chair of CAWG and Identity Standards Architect at Adobe, stresses, “one of the biggest misconceptions about [CAWG] is that it is something like Snopes or Politifact, out to say what’s true and what’s not, and that’s not the case.” CAWG does not arbitrate truth. It does not fact-check or attach political judgments. Instead, it provides signals about who created a piece of content, when, how, and in what context. The decision to ‘believe’ in the content remains with the viewer.

When FKA Twigs created her own AI clone for fan interactions, she demonstrated the difference between artist-controlled AI use and unauthorised exploitation 7. Once people knew that she stood behind her AI clone, the work felt legitimate and trust flowed from the person to the work. With provenance infrastructure, fans could verify which AI interactions were officially sanctioned by Twigs herself versus the unauthorised. Not because Content Credentials determine what’s ‘real,’ but because they can provide verifiable provenance information about the creation of digital assets, including an authorisation trail from creation to consumption.

The Challenges with Creator Identities

The FKA Twigs example hints at a much larger challenge ahead. Apps like Character AI already have ~9 million users per day, and as AI clones, virtual personas, and agentic creators proliferate, the range of online ‘identifiers’ becomes significantly more complex.

Even today, navigating the multiple digital identifiers of creators, from professional personas to social media handles and artist pseudonyms, is a fragmented journey. The plurality of creator identities creates a fundamental mismatch with existing identity verification systems. Large organisations like newsrooms and major labels rely on X.509 certificates and PKI systems that fit to enterprise workflows and secure their own supply chains, for example disincentivising pre-release leaks. But individual creators don’t operate in that world. For them, identity lives in social handles and personal websites where identifiers are informal and often platform-bound.

CAWG’s framework bridges this gap by accepting both ends of the spectrum. Their Identity Claims Aggregator mechanism verifies the disparate identity signals through trusted third parties, and issues a single verifiable credential that binds the creator’s chosen identity to their content. This gives creators a direct, human voice in the history of their work, rather than only recording what the device or app has logged in the process. As Eric explains, “the point of the identity assertion is that it is a framework that allows a lot of different things to be plugged into it.” The design is deliberately credential-agnostic, giving creators the flexibility to bring their own chosen identity signals. Future versions of the CAWG identity framework will likely add support for generic W3C Verifiable Credentials and self-controlled credentials such as those being developed by the First Person Project.

Major labels and organisations like the Universal Music Group and the Recording Industry Association of America are already exploring the use of ISNI (International Standard Name Identifier) for artist identities. In practice, this allows labels and managers to attach industry-recognised identifiers to digital assets that protect an artist’s image and likeness in their content. But this approach still has its challenges. For one, ISNI faces the perennial challenge of universal standards adoption. As with most industries, there is no single identifier used for creators today that is publicly resolvable. Scott takes a pragmatic approach to the universal identifier problem, “each industry should publish its best practices alongside the normative standard - i.e. saying this is the state of play in music right now. This is the best you can do, do it this way, we're working on it. Then as that evolves, as it updates, you have one place to go for anyone who wants to know how to identify music.”

CAWG’s strength lies in anticipating this plurality of identity and evolution. The framework is designed to incorporate new credential types as they emerge, from today’s ISNI and social accounts to tomorrow’s W3C Verifiable Credentials and even agentic identity systems.

This adaptability is particularly critical for media industries because digital content can be discovered and consumed decades after creation. Provenance data needs to persist across the content’s entire lifecycle, requiring what Eric calls “archival-quality identity”. Unlike transactional systems that only need authorisation at the point of use, such as purchasing an item online, media attribution can become more valuable as content gains cultural significance or commercial success. Sample clearances, royalty disputes, and copyright claims can arise years later, demanding granular, persistent attribution records that today’s identity token-based models like OAuth don’t provide.

As Eric explains, “if I produce a piece of content today, and you happen to find it in 2030 or 2040, I would like you to be able to understand that it was me that produced that, and to have confidence that you correctly attribute it to me. But that sort of lasting, archival quality identity, is shaky. I think the AI systems are especially shaky on that front.”

But what if every track could carry its creative history? A kind of musical DNA that travels with the content, recording not just what was made, but who made it, how, and under what authority.

The Complexity of Agentic Identity

This type of content DNA becomes essential with agentic AI systems. Unlike generative AI tools that simply transform input to output, agents pursue goals over time, coordinating multiple tools and delegating to other agents. When a music producer delegates post-production to an AI agent that then assigns harmonisation to one agent and mastering to another, the non-deterministic nature means every delegation, agent version, and training input must be recorded in case of future disputes.

This creates a fundamental distinction in attribution requirements. Tools are deterministic, their provenance handled by C2PA which can reliably attest to what happened inside a capture device or editing suite. Agents are non-deterministic, making autonomous choices and passing work along delegation chains. CAWG addresses this by developing persistent, verifiable identifiers that survive across delegations and enable authorisation chains to be traced.

In media industries, the complexity extends beyond identity into rights management and remuneration. The JPEG Trust Initiative, an ISO standards effort collaborating with CAWG, is standardising how usage permissions and commercial terms travel with content. Together, C2PA, CAWG, and JPEG Trust form a layered trust stack, proving what happened, who did it, and under what rights.

This infrastructure enables critical uses cases for the agentic web, such as:

AI Disclosure Granularity: Moving beyond binary “AI or not AI” labels to capture the spectrum of AI involvement. Copyright Protection: Recording types and quantities of input from humans, agents, instruments, or other sources, to establish legal protection for mixed human-AI works, as fully AI-generated works cannot be copyrighted. Platform Identification: Indicating content boundaries and licensing restrictions while maintaining creator control over broader commercial use.

These capabilities can unlock automated royalty distribution, combat unauthorised training data use, and support new discovery mechanisms between creators and fans. Alongside these market-driven opportunities, regulatory pressure is simultaneously accelerating Content Credential adoption across industries.

The Drivers from Compliance to Opportunity

Steps towards mandating content labelling have already begun. California has proposed legislation that would fine platforms $5,000 a day for failing to label AI content, with implementation targeted for 2026 8. The EU is similarly considering disclosure requirements for AI-assisted and generated content for 2026 9. These disclosure laws will catalyse C2PA adoption as platforms need the infrastructure to record content provenance and AI involvement to comply with regulations.

Some may see these laws as a regulatory burden, or worry that they will create surveillance infrastructure, forcing creators to expose more than they wish, but the technical reality is different. C2PA alone only records the tools used and when, allowing for total anonymity of the creator. CAWG equally gives complete control to the creators in what they disclose. The technical architecture enables privacy by letting creators choose which identity signals amplify their message or benefit their attribution goals. There’s no requirement to tie your entire identity to one piece of content.

To further increase creator flexibility, CAWG is now developing a new mechanism called ‘identity hooks’ as a way to delay attribution decisions until creators know which identity signals they need. When creators are authenticated in a phone or editing tool, that system can both sign via C2PA and attest the creator was logged in during the creation process. This establishes a stable anchor at the time of creation that creators can hook back into later when they need to attach a relevant persona or credential. As Andrew Dworschak, Co-founder of Yakoa, says, “[Identity hooks] bring flexibility so that a creator can have maximum optionality down the line when they realise they need [attribution] to support their content flow”.

Andrew’s company builds digital rights protection technology for creators and he sees even broader opportunities from Content Credentials. For example, “allowing people to connect with each other in new ways, come to new agreements, and share revenue in ways that are appropriate to them.” Even today, Yakoa’s AI monitoring tool can help to identify where creators haven’t received proper attribution across platforms, shifting the conversation from reactive compliance to proactive rights-management infrastructure.

The Future of Creative Infrastructure

The infrastructure for content authenticity is already evolving. Regulations on content disclosure are effective from next year. Major technology providers and platforms have begun adopting the tools. The question isn’t whether this happens but who will shape how it develops.

CAWG’s open and credential-agnostic approach creates infrastructure that serves all creators regardless of size or association. The specifications continue to be written as new technologies emerge, and provenance data types continue to be developed. Altogether the ecosystem is enabling creative controllability while embracing AI’s collaborative potential.

For creative industries facing AI transformation, engaging with the working groups now means influencing the attribution systems that will eventually be as commonplace as nutrition labels.

Join the conversation:

Participate in DIF’s Creator Assertions Working Group: Help shape the solutions that allow content creators to express individual and organisational intent about their content. Test the Tools: Experiment with identity assertions and provenance using Contentauthenticity.adobe.com

Join the Content Authenticity Initiative: Help the growing cross-industry ecosystem that is restoring trust and transparency online.

Endnotes McGill, Justin. 2025. https://brandwell.ai/blog/midjourney-statistics/. Brandwell. McGill, Justin. 2025. https://brandwell.ai/blog/midjourney-statistics/. Brandwell. Singla, A., et al.. 2025. The State of AI: How organizations are rewiring to capture value. Quantum Black AI by McKinsey Force, Eamonn. 2025. AI, bot farms and innocent indie victims: how music streaming became a hotbed of fraud and fakery. The Guardian. C2PA. C2PA Specifications. CAWG. CAWG Specifications. Youngs, Ian. 2024. FKA Twigs uses AI to create deepfake of herself. BBC UK. Cal Matters. SB 942: California AI Transparency Act. European Union. AI Act: Regulation (EU) 2024/1689.

A huge thank you to Eric Scouten, Scott Perry, Andrew Dworschak, Jeremy Uzan, and Erik Passoja for their time and insights in preparing this article.

Dear EdgeDiscovery Community,

As the pace of innovation accelerates and transformative technologies like AI and quantum computing reshape the research landscape, this Summer/Fall 2025 issue of EdgeDiscovery invites you to explore the ideas, people, and infrastructures advancing discovery and inclusive innovation across our ecosystem.

We begin with a powerful conversation featuring Dr. Dan Stanzione, Executive Director of the Texas Advanced Computing Center (TACC), whose leadership in open science supercomputing continues to shape national and global capabilities. From Frontera, the fastest university-based supercomputer, to the new NSF-supported Leadership Class Computing Facility (LCCF), Dr. Stanzione offers insights into the future of AI-enabled HPC, the promise of quantum, and the importance of training the next generation of technologists. His thought leadership underscores the critical intersection of infrastructure and impact in advancing science.

We are proud to feature Dr. Ilkay Altintas, Chief Data Science Officer at the San Diego Supercomputer Center and Founding Director of the Societal Computing and Innovation Lab (SCIL), has built a career at the intersection of computing and societal impact. Her work spans environmental modeling, biomedical data, and advanced cyberinfrastructure, with a strong focus on accessibility, scalability, and responsible innovation. Through programs like WIFIRE, she has pioneered real-time hazard response tools that bridge research and emergency management, while also helping shape a data science workforce grounded in ethical and community-driven practice. At SCIL, she leads efforts to design user-centric, composable platforms that empower domain experts to harness AI and HPC without needing deep technical expertise. Dr. Altintas exemplifies how thoughtful collaboration and infrastructure innovation can drive equity, resilience, and discovery across disciplines.

We also feature a deep dive into the work of Dr. Frank Wuerthwein, Director of the San Diego Supercomputer Center, Executive Director of the Open Science Grid, and Principal Investigator of the National Research Platform (NRP). Dr. Wuerthwein shares his vision for building a scalable and inclusive infrastructure to support AI education and data-intensive science at institutions of all sizes, including community colleges and under-resourced campuses. He emphasizes that advancing education in AI requires not only technological infrastructure, but also social infrastructure, collaborative networks of educators, shared platforms, and aligned curriculum pathways. His efforts to democratize access to computing and integrate hands-on learning from high school to career reskilling reflect the kind of systems thinking needed to close opportunity gaps and scale innovation.

We highlight the contributions of Dr. Manish Parashar, Director of the Scientific Computing and Imaging (SCI) Institute, Inaugural Chief Artificial Intelligence Officer at the University of Utah, whose career has shaped national conversations around responsible AI, data sharing, research infrastructure, and policy. A mentor to many, including myself during his time at Rutgers, Dr. Parashar's vision and collaborative leadership have laid the foundation for initiatives such as the National Data Platform and the Virtual Data Collaboratory.

From national centers to regional catalysts, we spotlight Dr. Michael Johnson, President of the New Jersey Innovation Institute (NJII), whose work is redefining how higher education intersects with industry to translate academic innovation into real-world impact. Drawing on his entrepreneurial background and translational research experience, Dr. Johnson has positioned NJII as a nimble, mission-driven organization accelerating AI and EdTech innovation, expanding access for small and mid-size businesses, and addressing workforce development through pragmatic, cost-effective solutions.

Our feature on SHI International’s AI & Cyber Labs gives readers a glimpse inside one of New Jersey’s most exciting new facilities for enterprise AI adoption and experimentation. Through an interview with Lee Ziliak, SHI’s Field CTO, we explore their work with NVIDIA, aspirations for quantum engagement, and commitment to partnering with higher education institutions to accelerate responsible innovation.

These articles reflect the power of voices influencing national conversations. As regional research and education networks like Edge work to bridge gaps and build ecosystems, we’re reminded that partnerships, across disciplines, sectors, and geography, are essential to unlocking equitable access to advanced technologies.

As always, EdgeDiscovery is not just a publication, it is an evolving platform for dialogue, collaboration, and community-building. I hope this issue sparks new ideas and inspires deeper engagement as we continue to build a future grounded in innovation, access, and purpose.

With appreciation,

Forough Ghahramani, Ed.D.
Assistant Vice President for Research,
Innovation, and Sponsored Programs
Edge

The post Letter from Forough Ghahramani, Ed.D. appeared first on Edge, the Nation's Nonprofit Technology Consortium.

October 2, 2025

DIACC is proud to recognize Quebec’s leadership during the recent Federal, Provincial and Territorial Ministers’ and Deputy Ministers’ Seminar on Digital Trust and Cybersecurity in Kananaskis, Alberta. As co-chair, Quebec’s Deputy Minister of Cyber and Digital Affairs and Chief Information Officer played a key role in driving progress, resulting in a collaborative agreement on crucial cybersecurity proposals.

This strategic approach to digital trust demonstrates Quebec’s efforts to create more secure and responsive government services for its citizens and businesses. The province has taken a forward-thinking approach to solving complex digital challenges by uniting teams and platforms under a single, reliable framework. This creates a streamlined “digital front door” for everyone, with features like “tell us once” and coordinated service delivery.

DIACC looks forward to a continued partnership supporting Quebec’s digital trust leadership. By building on these foundations, Quebec is strengthening its reputation as a pioneer in digital innovation. This ongoing work empowers Quebecers, strengthens local businesses, and fuels innovation across the province and Canada.

Joni Brennan
President, DIACC

Leveraging and Managing AI in Education Today and into the Future

A conversation with Forough Ghahramani and Florence Hudson - originally published on the Springer Nature Research Communities website on September 24, 2025.

What drew you each to such varied topics of work/study and how did you find yourself where you are today?

Forough Ghahramani: I’ve always followed my curiosity, and that’s taken me through a varied journey across biology, math, computer science, software engineering, academia, entrepreneurship, and now into AI and quantum. I started out passionate about science, biology and math especially, and added computer science during my graduate program, which opened the door to early work in high-performance computing. I still remember using punch cards on the IBM S/360, then watching computing evolve rapidly, from minicomputers during graduate school to 64 bit systems, open source computing environments, the internet, search engines. My early career included working with operating system development for proprietary Virtual Memory Management System (VMS) at Digital Equipment Corporation (DEC), then moved on to Unix engineering, performance management and benchmarking and migrating applications from 32-bit to 64-bit systems.

One of the most rewarding phases of my career was as a technical consultant, where I got to see how the systems I helped build were applied across industries including, pharmaceuticals, biotech, healthcare, finance, manufacturing, and even steel manufacturing. Working as a systems architect on the Human Genome Project brought everything full circle. It tied my backgrounds in biology, mathematics, and computing into one meaningful direction. I became fascinated by the field of bioinformatics, and I fully reinvented myself in that area. I went from being a traditional software engineer to running my own biotechnology consulting company, which exposed me to the world of entrepreneurship and its unique challenges and rewards.

Over time, I came to view technology as much more than a tool, it became a vehicle for discovery, innovation, and transformation. That entrepreneurial spirit eventually led me to academia, where I found joy in teaching, mentoring, and launching new programs that bridge industry and education. I’ve always been driven by a love of learning and innovation, and even when career shifts weren’t intentional, sometimes guided by industry shifts, life phases or family needs, they added depth and diversity to my skill set and opened my interest to new areas.

I went back to school a couple of times, one earlier in my career to get my MBA and then later in life I earned my doctorate, something that brought together my leadership work in higher education and my lifelong commitment to continuous growth. I first learned about AI in the 1980s and have worked with big data and HPC for over 30 years, but what fascinates me today is seeing AI enter the mainstream and imagining its future alongside quantum technologies. My experience in both industry and higher education, always on the leading edge,  has allowed me to live four very different careers, and I’m still energized by what lies ahead.

In my current role, as Vice President for Research & Innovation at NJ Edge,  I work with higher education leaders as they are developing the strategy to support research through advanced and emerging technologies, including AI, high performance computing, and quantum.

While much has changed in my career journey, what has stayed constant includes a problem-solving mindset, a hunger to grow, and a strong sense of what matters to me at any given time. Education has played a central role in shaping opportunities throughout my life, and I’m a firm believer in giving back. As an engineer and advocate, I’ve worked to encourage young people, especially girls, to pursue STEM fields, often speaking to students from K–12 through college to help spark interest and confidence in science and technology. Another aspect of giving back is serving on advisory boards of two of my alma maters, Penn State University college of Science and University of Pennsylvania. Involvement in professional organizations such as IEEE and Society of Women Engineers has also provided opportunities for community engagement.

Florence Hudson: I always loved math and science from a young age. When I was a young girl my brother would wake me up to watch NASA spaceflight missions on TV which I thought were so cool. One day I asked “how do they do that?” That’s when I began thinking like an engineer.

As an engineer and a scientist, I have insatiable curiosity, plus I love to create things and fix things whether for business, technology, research, government, policy, humans, or society. Basically, I follow my curiosity, identify challenges to address, and apply my thinking and all types of technology to help solve problems. It’s a never-ending opportunity as the problems change as do the technologies and solutions available to address them. I believe our opportunity while we are on this earth is to identify the unique gifts we each have and use them for good everyday. That is what I strive to do across all domains that interest me, from data science to all types of engineering, sciences, knowledge networking, cybersecurity, standards, societal challenges, education, outreach and more.

As my educational and professional careers unfolded, I worked for NASA and the Grumman Aerospace Corporation while earning my aerospace engineering degree. I loved aerospace engineering, but the lead time from research to launch was decades and funding was declining. Computing and information technology was growing, so I expected that computers would run the world some day and I went into computing. My first job in computing was at Hewlett Packard. Then I enjoyed a long career at IBM where I was able to apply technology to all sorts of societal, business and technical challenges from an initial sales role to eventually becoming an IBM Vice President of Strategy and Marketing and Chief Technology Officer.

After retiring from IBM in 2015, I became a Senior Vice President and Chief Innovation Officer at Internet2 in the research and education world, and then worked for the NSF Cybersecurity Center of Excellence at Indiana University. In 2020 Columbia University asked me to lead the Northeast Big Data Innovation Hub after I had been on the advisory board since 2015 working on their overall strategy and cybersecurity initiatives, so it was a natural fit to become Executive Director. I had also started my own consulting firm (FDHint, LLC) as CIOs were asking me to consult with them. I have also served on over 18 corporate, advisory and steering boards - from NASDAQ-listed companies to academic and non-profit entities.

My passion for cybersecurity is a key focus of mine. It started in my early days as an aerospace engineer working on defense projects. At IBM I worked on security initiatives in servers and solutions, and continued the focus working for the NSF cybersecurity center of excellence at Indiana University. This led to my leading the development of the IEEE TIPPSS standard to improve Trust, Identity, Privacy, Protection, Safety and Security for clinical IoT (Internet of Things) which won the IEEE Emerging Technology Award in 2024. Springer has published two of my books on TIPPSS.  I am currently Vice Chair of the IEEE Engineering in Medicine and Biology Society Standards Committee, and lead a TIPPSS roadmap task group which has spawned a new IEEE standard working group on AI-based coaching for healthcare with TIPPSS - Trust, Identity, Privacy, Protection, Safety and Security. TIPPSS is being applied in other domain areas as well, including large experimental physics control systems, energy grids and distributed energy resources. TIPPSS is envisioned to apply to all cyberphysical systems.

In what ways do you think your own educational/academic/career path might have been different if you started in today’s climate?

Forough Ghahramani: If I were starting my academic and professional journey today, I think it would have looked quite different, maybe not in direction, but in pace, access, and mindset. When I was starting out, computing was a specialized, niche field. Physical access to machines, time on shared systems, and a lot of patience was necessary. Today, a high school student can access cloud-based computing resources, learn to code from YouTube, and contribute to open-source projects from their bedroom. That kind of accessibility changes everything. With AI, cloud computing, and real-time collaboration platforms now core to both education and work, the barriers to accessing knowledge and innovating early have dramatically lowered.

With today’s startup opportunities, accelerators, and online communities, I probably would have embraced entrepreneurship sooner. I also imagine I would have engaged with more interdisciplinary learning earlier on, because today’s educational environment really encourages learning across domains. AI, data science, and quantum computing would have pulled me in even faster given my background and propensity, but I would have had to be more intentional about focus, given today’s information overload can be overwhelming.

I think my motivation and values would be the same. I’ve always been driven by curiosity and the desire to connect ideas across fields. What has changed is that today’s climate rewards that type of thinking more openly, and it provides more tools to act on it faster.

Florence Hudson: I think if I were to start my educational and professional career today I might have stayed in aerospace engineering longer as there are many more job opportunities with government and commercial space organizations, and faster transition of the research to practice. When I was an Aerospace and Mechanical Engineer at Princeton University and was working on future missions around Jupiter during a NASA summer internship, they said my summer internship project would take 18 to 20 years to come to fruition. That’s a long time! That’s when I decided to go into Information Technology (IT). Now there is a much faster path from research to execution in aerospace, and many more jobs, thereby broadening and accelerating opportunity and impact.

Being involved in both technology and education, do you see more risk with the technology itself (misinformation, bugs, security) or how it is applied in the educational landscape (with complicated policies, uneven funding, inequalities)? Or a combination?

There is risk in both AI technology itself as well as how it is used in the educational landscape.

To think more broadly, we must consider that the educational landscape of AI includes everyday use and education for all citizens - not just educational institutions. Openly available AI-enabled systems from Large Language Models (LLMs) like ChatGPT to everyday devices using AI to make suggestions that may be incorrect, are affecting the education of our citizens, students, teachers and professionals. If an educator, professional or parent is provided incorrect information and they teach others or take actions with incorrect information, the incorrect recommendations by AI can have a broad negative impact. We must aspire to limit that negative impact.

There is also a risk with users sharing information in AI tools that are meant to be kept private, whether they are private citizens or professionals in industry or government. The AI tools may leverage information used to ask questions of AI to add to the corpus of content used to answer questions for other users, thereby risking privacy and security of shared information. This risk applies to all humans and institutions asking questions of AI tools as their questions provide context and content that can be used by the AI tool more broadly.

In educational systems and institutions, AI has the risk of providing incorrect information so students and teachers may be learning things incorrectly, which will proliferate to others they speak with or teach. AI is creating a false sense of comfort that it knows the right answer, without people questioning or vetting it. It makes it easy for people to stop thinking. Many people want to let the AI think “for” them, and many people do not bother to check if it is right or wrong. This is a real danger.

Technology, by itself, can be flawed, but the risks can be managed with good design, robust testing, responsible development and ongoing management. An important concern is when powerful technologies are layered on outdated systems, infrastructures, or unclear policies.

While we must continue to improve the technology itself, we also need to focus on the human, structural, and policy dimensions that determine whether technology helps or harms. If AI is deployed without thoughtful design and policy, and educator involvement, it can do more harm than good. The challenge isn’t just what AI can do, it is also who gets to use it and for what purpose.

Like any technology, there will be bugs and problems, but it’s when we abuse the power of AI that the risk to humans and institutions increases.

What, briefly, is the big picture landscape of AI and education, including key strengths and risks?

AI is being used in education already, by students, teachers, and administrators. Like any tool, it can be used for good or for bad.

AI is transforming education at every level, from K–12 classrooms to higher education and workforce training, by introducing new possibilities for personalization, real-time support, availability and scalability across the broad ecosystem of educational systems and institutions. Key strengths include the ability for AI to deliver adaptive learning experiences tailored to each student’s pace and style, automate time-consuming tasks like grading or feedback, and reveal data-driven insights that help educators intervene earlier and more effectively in student learning journeys. AI can provide a quick synopsis for students and teachers to be able to quickly ingest content, and even translate content across languages, generate visualizations to support complex thinking, and serve as a tutor, coach, or creative collaborator. It can enable teachers and administrators to analyze student and school data and metadata to identify patterns, anomalies and opportunities to make better decisions and improve processes to better enable student success.

But alongside these strengths are real risks. There are real concerns about authorship, academic integrity, privacy, and surveillance, especially when student data is collected without transparency or used to make high-impact decisions. The ease of generating text or code with AI raises philosophical and practical questions about what it means to learn, think critically, or create original work in an AI-augmented world. There's also the risk of over-reliance: students and educators may become dependent on AI to the point that foundational skills erode or motivation diminishes. It also may enable students, teachers and administrators to disconnect from the content and make less informed or human-centered decisions.

Striking the right balance means centering human agency and pedagogy in the design and deployment of AI tools. AI should serve as a support mechanism, not a substitute, for the relational, reflective, and exploratory aspects of education. This requires thoughtful policies, transparent use guidelines, educator training, and practical design that anticipates and avoids unintended consequences.

In what ways can AI be used to enhance/encourage learning rather than give students a way around it?

AI can be a powerful cognitive companion when integrated thoughtfully into the learning process. Rather than serving as a shortcut to answers, it can enhance learning by helping students form better questions, explore multiple perspectives, visualize abstract or complex ideas, and engage in iterative practice with immediate, personalized feedback. For example, intelligent tutoring systems can walk students through problem-solving steps, while AI writing tools can offer style and grammar feedback that encourages revision rather than doing the writing for them.

The real shift lies in moving away from a transactional learning mindset, where students are focused on getting the answer as efficiently or quickly as possible, toward a collaborative learning mindset, where AI acts as a coach, partner, or creative assistant in the learning process. In this context, students are not passive recipients of knowledge but active participants in the construction of their understanding. AI tools can model Socratic questioning, recommend readings based on prior gaps, or simulate real-world scenarios for application of skills.

When used this way, AI doesn’t replace learning, it scaffolds it. It gives learners room to explore, fail safely, reflect, and try again. That’s not just about keeping students honest, it’s about keeping them engaged, curious, and confident in their capacity to learn and grow.

How AI has impacted students’ attitudes towards education (from K12 to higher ed). Do they feel it’s less relevant? Or are they excited because it’s a tool they harness?

Students’ reactions to AI in education are mixed. Some see it as a big benefit in reducing their effort, thereby diminishing their perceived value of their own effort, (“Why write when AI can do it?”), while others see it as a superpower that enhances their creativity and efficiency. There is some skepticism around the use of AI by educators in the classroom. Much depends on how schools and educators frame AI, not as a crutch, but as a catalyst for inquiry, reflection, and application.

What areas outside of paper writing are changing and in what ways? 

AI is reshaping how students approach nearly every part of academic life. Lecture transcription and summarization tools (e.g., Otter.ai), AI-powered flashcard generators, and group collaboration platforms with embedded AI assistants are streamlining notetaking, study sessions, and project work. The learning ecosystem is becoming more modular, on-demand, and scaffolded by intelligent systems.

AI is changing how educators approach their roles as well. Some educators are requiring in-person test-taking for students with hand-written answers in the classroom, to avoid the use of AI and ensure they know what the students are actually learning and understanding. The use of AI can limit critical thinking, which is a risk to society, academia and science. Managing the use of AI to ensure real learning may be an ongoing challenge into the future.

How has AI changed how students attend lectures and take notes, study, do group work, etc.? 

AI is rapidly reshaping how students engage with learning, from the way they attend lectures to how they study and collaborate. Tools like Otter.ai and Notion AI allow students to focus on understanding rather than taking frantic notes, offering real-time transcription, summarization, and translation to support diverse learners. AI-enhanced note-taking apps can organize content, generate highlights, and even answer follow-up questions, turning notes into interactive study companions. When it comes to studying, platforms like Khanmigo and Quizlet deliver personalized learning experiences by creating adaptive quizzes, tutoring simulations, and targeted study plans based on students' evolving needs.

Group work has also become more efficient with the help of AI-powered tools that support brainstorming, project planning, and communication, especially in remote or multilingual settings. Perhaps the most significant shift is in mindset: with AI handling many of the routine academic tasks, students are free to focus on deeper learning, critical thinking, and strategic problem-solving. Ensuring consistent and broad availability of AI tools, training, and infrastructure is essential to enable these advancements to enhance learning for all students.

How can AI be implemented without widening the digital divide between well-resourced and under-resourced schools?

To implement AI in education without widening the digital divide, we need to treat broad availability as a design requirement, not an afterthought. AI tools need to be available to the broad community of schools and learners whether they have ample resources or limited resources related to high-speed internet, infrastructure, and trained staff, or we risk creating uneven opportunities for growth across the broad student population. A set of suggested actions are included below.

Prioritize broad availability and low-bandwidth tools - Develop and adopt AI tools that work offline or with minimal internet connectivity. Many students still rely on shared devices or limited data plans, so tools must be optimized for use on mobile devices, with offline functionality, and in resource-constrained environments. Open-source platforms and lightweight AI models can play a critical role here. Invest in educator training across all settings - Professional development opportunities must be extended to educators across the broad landscape of schools, both well-resourced as well as under-resourced schools, so they can all have the opportunity to understand, evaluate, and effectively use AI. It’s not just about the tools, it’s about empowering educators to integrate them meaningfully and thoughtfully into their classrooms. Embed broad AI enablement in policy and funding - Policymakers and funders could tie grants and procurement to technology goals across a wide array of schools and communities to incentivize AI use and adoption. For example, federal and state programs could subsidize AI deployments or provide incentives for companies to co-design tools in a range of communities. Promote Public-Private-Partnerships (PPPs) in and across communities - AI adoption should be accompanied by partnerships that bring together schools, community organizations, libraries, universities, and industry. These partnerships can support infrastructure upgrades, shared use of cloud resources, or mentorship programs that extend beyond the school walls. Focus on student-centered AI - Instead of deploying AI only for administrative efficiency (e.g., grading automation or test prep), educational institutions and funders could invest in tools that support learner growth, curiosity, and agency, tools that work just as well for a student in a rural district as one in a top-performing urban school.

In summary, if we approach AI as a tool for both effectiveness and efficiency, and ensure community voices are part of the process from the beginning, it can help close, not widen, the digital divide.

This Nature article discusses using a document’s version history to deter AI usage in writing. Have you heard of other techniques or ideas involving technology? 

The method proposed in the Nature article includes reviewing incremental edits over time and can reveal whether a document was developed iteratively or was included as a fully polished piece, which can be a potential flag for large language model use. Version history is just one part of a growing set of tools. Other techniques include technological, pedagogical, and procedural based approaches.

Technological approaches use software and systems to detect or deter AI-generated content by analyzing how text is created or submitted. Examples include Turnitin AI Detection, which detects plagiarism and AI use. Another example is OpenAI watermarking that includes subtle signature embedding.

In the pedagogical approach, educators redesign assignments and assessments to emphasize critical thinking, originality, and personal connection, which are harder for AI to simulate. Students are taught how to use AI responsibly as a learning enhancer. Examples include Otter.ai for lecture summarization and study support, and custom AI Reflection Assignments such as comparing ChatGPT outputs with human-written drafts.

Procedural approaches include institutional or classroom policies that govern when and how AI can be used, often relying on transparency, documentation, and updated honor codes. Canvas LMS with audit trail and version control features is one example.

While advancements are being made in detection tools, none are foolproof. Ethical dilemmas can be created due to false positives, especially when punishments are incurred without clear evidence. Institutions will need clear, transparent, and fair AI use policies, combined with student education and faculty development.

As AI becomes widely adopted across industries, education will need to ultimately shift from a suspicious stance to one of guided integration. Maintaining integrity may involve detection and deterrence, however approaches will also need to include trust-building and authentic assessment.

Can you share an example of a study or project where AI significantly improved learning outcomes?

The University of Michigan's “Maizey”, a customized generative AI tool, is trained on specific course materials to provide personalized assistance to students. Positive results in student performance and engagement have been reported. It has also increased efficiency for both instructors and students. For example, in an Operations Management course at the University of Michigan Ross School of Business, the tool  saved instructors 5 to 12 hours of answering questions each week. For students, the tool provided an ability to ask questions beyond the classroom or a professor’s office hours. According to self-reported surveys, improvements in assignment and quiz scores were shown. This is a small but significant step in scaling personalized support.

Should English and coding still be taught in the same format? For instance, how would one teach a CS student the value/quality of code when it’s generated by AI? Will the field/study be more about prompts rather than writing code?

While English and coding will continue to be foundational, how they are taught needs to evolve.

The shift for English instruction may involve multiple facets. For instance, we envision there will be a move towards developing skills in discovering available information leveraging AI tools, and vetting it for accuracy. Beyond leveraging available information, more focus on creating and producing new information, learning to make informed judgments as users of information, leveraging AI for writing with critical oversight, and ethical writing will be important. With AI bringing basic information to our fingertips, an increased focus on creative thinking and creative information development, analysis, data storytelling and data visualization will be valuable.

For coding, the emphasis will need to shift from syntax mastery to a focus on problem-solving, critical thinking, and the ability to adapt and improve AI-generated code.  The shift will be from writing code from scratch to evaluating, refining, and architecting systems with assistance of AI. While prompts will be important, the emphasis in training will need to include how to critically assess and improve code in lieu of simply generating it.

With the tech industry leveraging AI to reduce the cost of employing developers, does this impact young people's interest in studying CS? 

Despite automation and computing advances, and perhaps fueled by them, Computer Science (CS) remains a dynamic field. From the early days when the focus in CS classes was writing a compiler, to the evolving focus on AI and now Quantum Computing, computer science grows with the evolution of innovative technologies and their applications.

Regarding software development, with the advent of automation leveraging AI, some students may gravitate toward areas where they feel human agency remains central including AI ethics, security, data science, human-computer interaction, data story-telling and data visualization. Some may shift from coding to prompt engineering, but the underlying logic, structure, and systems thinking are still core competencies.

Will Google and Stackover flow in their current forms become irrelevant? 

Google and Stack Overflow may not vanish, but they will evolve. AI systems trained on forums like Stack Overflow already offer contextualized responses. However, the social and pedagogical value of such platforms, seeing multiple solutions, peer validation, and community norms, remains important. The future may see integration rather than obsolescence.

How do you believe those on the technical side of AI can fight against the threats to education?

Technologists can choose to embrace rather than fight AI, as it is here and will be here for a while. They can choose to embed ethical guardrails into AI tools and their use, advocate for transparent systems, and co-design with educators. They can support open infrastructure and prioritize broad usability. Perhaps most importantly, they must acknowledge that technological literacy is also civic literacy in the AI age.

Perhaps the real opportunity is to see AI as a tool to help critical thinking and creativity grow, using AI tools to provide a baseline in thinking, with humans using that as a springboard for more creative and imaginative thinking and innovation.

How do you envision the educational and academic landscape in 5 years, 10 years, 20 years?

In the near term, AI will likely be woven seamlessly into the day-to-day fabric of education. AI-powered tools will assist with personalized learning pathways, real-time feedback, and multilingual content delivery. Adaptive platforms will support differentiated instruction, helping students master concepts at their own pace while offering educators rich insights into individual progress. Faculty and students will routinely use AI for brainstorming, tutoring, lab simulations, and writing assistance. Microcredentials and skills-based learning, especially in areas like AI literacy, ethics, and data fluency, will grow rapidly, both inside and alongside traditional degree programs. Efforts in leveraging real insights to improve and further the science of AI will grow, and the application of AI in science, engineering and other disciplines will increase.

The evolution of trust and use of AI in education will likely have to evolve in order to harness its value and mitigate the risks it introduces. As mentioned above, some educators are requiring in-person test taking with hand-written answers in the classroom to confirm what the students are actually learning and understanding rather than using AI to answer the tests. The use of AI can limit critical thinking, which is a risk to society, academia and science. Managing the use of AI to ensure real learning may be an ongoing challenge into the future.

In 10 years: The classroom may be less bound by physical walls or static schedules. We could see AI agents co-teaching with human instructors managing formative assessments, generating tailored lesson variations, and supporting students in multiple languages and learning styles. Augmented Reality (AR) and Virtual Reality (VR) will likely be commonplace in STEM labs, medical training, and arts education, offering fully immersive simulations and collaborative experiences. Interdisciplinary programs that combine computing, humanities, ethics, and policy will become the norm, responding to the needs of an AI-shaped world. Institutions may start awarding modular degrees that reflect personalized learning trajectories, not just traditional majors.

In 20 years: The boundary between formal and informal education may blur almost completely. AI-powered tutors will likely be embedded in the tools and environments students use daily, including their personal digital devices such as smartphones, wearables, home assistants, or AR glasses. Learning may happen anywhere, anytime, guided by intelligent agents that adapt not just to what learners know, but how they feel, what motivates them, and where they struggle. Credentials may shift from degrees tied to credit hours to skills portfolios based on demonstrated mastery, verified through performance in real-world simulations or digital apprenticeships. Lifelong learning will no longer be optional. It will be dynamically integrated into professional life through just-in-time learning pathways driven by AI.

Throughout this transformation, human educators will remain essential. Their roles may evolve from content deliverers to mentors, curators, and ethical stewards of technology, but their presence will be more critical than ever in guiding values, fostering community, and ensuring that learning remains deeply human, not just algorithmic.

How can research publishers help in AI and education?

Broadly, research publishers can help in AI and education by inspiring and publishing all sides of the AI story - the good, the bad, and the ugly - like Springer did with this invited blog. Allow everyone to learn from others through your publications.

Research publishers also have a role in ensuring that AI is used responsibly in scholarly communication, including setting norms around disclosure of AI usage, enabling reproducibility through shared datasets and code, and fostering interdisciplinary research that explores AI's impact on pedagogy, as well as on all people, institutions and systems using AI or who may be impacted by the use of AI.

One question above was written by AI. Can you guess which one?

We are not sure, however, this seems like a fitting end. AI is now both the tool and the topic, the assistant and the questioner. And perhaps that’s the most important takeaway: we are all co-authors in this unfolding story.

A guess is the “Google and Stackover flow” question based on the fact that it should be Stack Overflow.

Florence Hudson is Executive Director of the Northeast Big Data Innovation Hub at Columbia University and Founder & CEO of FDHint, LLC, a global advanced technology consulting firm. A former IBM Vice President and Chief Technology Officer, Internet2 Senior Vice President & Chief Innovation Officer, Special Advisor for the NSF Cybersecurity Center of Excellence, and aerospace engineer at the NASA Jet Propulsion Lab and Grumman Aerospace Corporation, she is an Editor and Author for Springer, Elsevier, Wiley, IEEE, and other publications. She leads the development of global IEEE/UL standards to increase Trust, Identity, Privacy, Protection, Safety and Security (TIPPSS) for connected healthcare data and devices and other cyber-physical systems, and is Vice Chair of the IEEE Engineering in Medicine & Biology Society Standards Committee. She earned her Mechanical and Aerospace Engineering degree from Princeton University, and executive education certificates from Harvard Business School and Columbia University.

Forough Ghahramani is Vice President for Research and Innovation for New Jersey Edge (Edge).  As chief advocate for research and discovery, Forough serves as an advisor and counsel to senior higher education leaders to help translate vision for supporting research collaborations and innovation into actionable Advanced CI strategy leveraging regional and national advanced technology resources. Forough was previously at Rutgers University providing executive management for the Rutgers Discovery Informatics Institute (RDI2), working with Dr. Manish Parashar (Director). Forough's experience in higher education also includes previously serving as associate dean and department chair. Prior to joining academia, she held senior level engineering and management positions at Digital Equipment Corporation and Hewlett Packard (HP), also consulted to Fortune 500 companies in high performance computing environments. Forough is a Senior Member of IEEE, has an appointment to the NSF Engineering Research Visioning Alliance (ERVA) Standing Council, a Vice President for NJBDA's Research Collaboration committee, serves on the Northeast Big Data Innovation Hub and the Ecosystem for Research Networking (ERN) Steering committees. Forough has a doctorate in Higher Education Management from University of Pennsylvania, an MBA in Marketing from DePaul University, MS in Computer Science from Villanova University, and BS in Mathematics with a minor in Biology from Pennsylvania State University. Forough is consulted on the state, national, and international levels related to STEM workforce development strategies. She is currently a Principal Investigator on two NSF-funded projects: “EAGER: Empowering the AI Research Community through Facilitation, Access, and Collaboration” and “CC* Regional Networking: Connectivity through Regional Infrastructure for Scientific Partnerships, Innovation, and Education (CRISPIE)”, and a co-PI on the NSF ADVANCE Partnership: “New Jersey Equity in Commercialization Collective.” She has previously served a co-PI on the NSF CC* OAC: Planning “Advanced Cyberinfrastructure for Teaching and Research at Rowan University and the Southern New Jersey Region” and the NSF CCRI: Planning “A Community Research Infrastructure for Integrated AI-Enabled Malware and Network Data Analysis”.

The original article can me found here »

The post Leveraging and Managing AI in Education Today and into the Future appeared first on Edge, the Nation's Nonprofit Technology Consortium.

In this episode of the Identity at the Center podcast, Jeff and Jim discuss various aspects of identity access management (IAM) policies and the importance of having a solid foundation. They emphasize the need for automation, controls, and how IAM policies should be created without technology limitations in mind. The discussion also covers the implementation challenges and the evolving concept of identity verification. Jeff, Jim, and their guest, Nishant Kaushik, the new CTO at the FIDO Alliance, also delve into the issues surrounding the adoption of passkeys, highlighted by Rusty Deaton’s IDPro article, and address some common concerns about their security. Nishant offers insights into ongoing work at FIDO Alliance, the potential of digital identity, and the importance of community in the identity sector. The episode concludes with mentions of upcoming conferences and an homage to the late identity expert, Andrew Nash.

Zuhrotul Aprilia enjoys rambling on for hours about kitchenware from a studio in the Indonesian port city of Surabaya. Most days, she turns on her iPad and peddles pots and...

Edge Announces Leadership Transition: Christopher R. Markham, Ph.D.(c) Named Interim President and CEO

NEWARK, NEW JERSEY, October 1, 2025 – Edge, a leading member-owned nonprofit provider of high-performance optical fiber networking and advanced technology solutions, announced today the retirement of President and CEO Samuel Conn, Ph.D., effective September 26, 2025, and the appointment of Christopher R. Markham, Ph.D.(c) as Interim President and Chief Executive Officer.

Dr. Conn, who joined Edge in September 2016, has guided the organization through a transformative period of growth and innovation. During his tenure, he leveraged more than 35 years of combined military, professional, private sector, and academic experience to advance Edge's mission of empowering research, education, and economic development through cutting-edge technology infrastructure. Under his leadership, Edge solidified its position as a national model of excellence for purpose-built research and education networks, expanding its reach across the nation while maintaining its commitment to affordability, reliability, and thought leadership.

"Sam's visionary leadership has been instrumental in positioning Edge as a trusted partner for institutions seeking to harness the potential of digital networks to advance teaching, learning, and research. His dedication to innovation and member service has left an indelible mark on our organization and the communities we serve. We extend our deepest gratitude for his years of distinguished service and wish him well in his retirement."

– Dr. Steven Rose
Chairman of Edge's Board of Directores

"Sam's visionary leadership has been instrumental in positioning Edge as a trusted partner for institutions seeking to harness the potential of digital networks to advance teaching, learning, and research," said Dr. Steven Rose, Chairman of Edge's Board of Directors. "His dedication to innovation and member service has left an indelible mark on our organization and the communities we serve. We extend our deepest gratitude for his years of distinguished service and wish him well in his retirement."

Christopher R. Markham brings over 25 years of executive leadership experience spanning higher education, research networks, military, and the private sector to his new role. Since joining Edge in 2018 and most recently serving as Executive Vice President of Operations & Chief Economic Development Officer, Markham has played a central role in the organization's transformation into one of the largest and most respected research and education networks in the Northeast.

Working in close collaboration with Edge's leadership team, Markham has helped advance the expansion of multi-state GigaPOP connectivity anchored at Princeton University and Rutgers University, with critical hubs in Philadelphia and Manhattan. These initiatives have enabled high-performance research networking for R1 universities, medical centers, and federal research partners, while elevating Edge's national profile as a trusted leader in the digital infrastructure space.

Markham's extensive background includes two decades of service in the U.S. Army Active Duty and Reserve components from 2000 to 2021, where he progressed from an enlisted technology engineer to a commissioned officer, ultimately leading multi-state operations, fiscal planning, logistics, and organizational readiness. This military experience instilled a values, service, and mission-first ethic paired with a collaborative leadership style that continues to guide his executive approach.

A dedicated scholar and educator, Markham has been actively engaged in academically rigorous, peer-reviewed research dissemination since 2013, with a focus on economic policy, technology, and institutional transformation. His doctoral dissertation, Artificial Intelligence, the Productivity J-Curve, and the Timing of Public Policy Responses, reflects his deep engagement in analyzing the intersection of general purpose technologies, labor markets, and public economic policy. He has also served as an adjunct professor at institutions ranging from community colleges to research universities.

"Edge's mission to empower research, education, and economic development through innovation and collaboration continues to inspire all that we do. Over the past several years, I have had the privilege of working closely with our remarkable team as we've expanded our reach and strengthened our services for members. As Interim President and CEO, I look forward to building on that shared success, fostering new opportunities, and continuing to serve with a focus on excellence and vision."

— Chistopher R. Markham, Ph.D.(c)
Interim President and CEO, Edge

"Edge's mission to empower research, education, and economic development through innovation and collaboration continues to inspire all that we do," said Markham. "Over the past several years, I have had the privilege of working closely with our remarkable team as we've expanded our reach and strengthened our services for members. As Interim President and CEO, I look forward to building on that shared success, fostering new opportunities, and continuing to serve with a focus on excellence and vision."

As Interim President and CEO, Markham will provide comprehensive leadership across operational strategy, financial stewardship, digital transformation, and infrastructure modernization, ensuring continuity and sustained excellence in Edge's service to its membership.

About Edge

Edge is a member-owned, nonprofit provider of high-performance optical fiber networking and internetworking, Internet2, and a vast array of best-in-class technology solutions for cybersecurity, educational technologies, cloud computing, and professional managed services. Edge's membership spans across the nation, serving colleges and universities, K-12 school districts, government entities, hospital networks, and nonprofit business entities. Edge's common good mission ensures success by empowering members for digital transformation with affordable, reliable, and thought-leading purpose-built advanced connectivity, technologies, and services.

For more information, visit www.njedge.net.

The post Edge Announces Leadership Transition: Christopher R. Markham, Ph.D.(c) Named Interim President and CEO appeared first on Edge, the Nation's Nonprofit Technology Consortium.

We had the pleasure of sitting down with Andrew Shikiar, CEO of the FIDO Alliance known for their creation and evangelism of the Passkey the authentication method we’ve all come to know and love. The team here at Ideem, is of course huge fans of the passkey and what it has done to revolutionize how people authenticate themselves and were honored that Andrew took the time to answer all of our questions about passkeys and banking. That Q&A is below. Of course if you’re interested in learning more about how Ideem is making passkeys bank-grade you can learn more at our site.

Shaping the Future of Computational Science: A Conversation with Dan Stanzione on HPC, AI, and National Research Infrastructure

In the rapidly evolving landscape of high performance computing, artificial intelligence, and quantum technologies, few leaders have shaped the trajectory of open science infrastructure as profoundly as Dr. Dan Stanzione. As Executive Director of the Texas Advanced Computing Center (TACC) and Associate Vice President for Research at The University of Texas at Austin, Stanzione has built a career on a foundational principle that has guided supercomputing development for decades.

Stanzione's approach to building large-scale computing infrastructure stems from a hard-learned lesson about putting users first. "Ultimately, we're building large-scale computing to do science," he explains. "It's less about what we, as computing people, might think is cool as the latest and most interesting technology, and more about what is useful for delivering science." This philosophy was crystalized when TACC won a major system competition worth $120 million. After his presentation, another large center director approached him with what he called a backhanded compliment: "Man, I wish I had the guts to be as boring as you were on this design." Stanzione's response was characteristically pragmatic, "We didn't put in any of the newfangled, crazy stuff because it's all more expensive and it doesn't work as well."

This user-centric approach has driven TACC to hire computational scientists rather than traditional IT professionals to lead systems teams. The strategy ensures that infrastructure decisions are driven by what computational scientists actually need to accomplish, as opposed to technological novelty alone.

Building National Research Ecosystems
TACC's influence extends far beyond its physical systems to encompass a national research ecosystem that supports over 3,000 projects annually across 450+ institutions. From research universities to community colleges, TACC provides computational resources that enable both cutting-edge research and workforce development. The center operates on a hub-and-spoke model that recognizes the importance of regional networks and local expertise. "We can scale up big computers to run tens of thousands of users, but it's awfully hard for me to scale the person down the hall from you who you can go ask about stuff," Stanzione explains. This ecosystem approach ensures that computational resources are accessible not just technically, but through human networks of expertise and support.

Regional research and education networks play a crucial role in this ecosystem, providing both the physical infrastructure for data transfer and the human networks necessary for knowledge dissemination. As scientific workflows increasingly rely on remote resources and collaboration, these networks become "basically air"—essential but invisible infrastructure that enables modern research.

“Developing a skilled data science workforce starts with creating learning environments that are inclusive, interdisciplinary, and connected to real-world challenges. The best way to build data science skills is by using them in practice and we must empower people not only to work with data, but to use it ethically and effectively in service of their communities. By co-developing educational resources and tools with the communities, students, researchers, and practitioners don’t just learn from the system, they help shape it. When we co-develop training materials with individuals who represent the needs of their own environments, the solutions and the learning are directly relevant.”

Dan Stanzione, Ph.D. Executive Director of the Texas Advanced Computing Center (TACC) and Associate Vice President for Research at the University of Texas at Austin

Navigating the AI Revolution in Scientific Computing
The explosion of artificial intelligence has fundamentally transformed the computational landscape, creating both unprecedented opportunities and complex challenges for research infrastructure. Stanzione describes the shift from gradual adoption to an "overwhelming avalanche" following ChatGPT's release, forcing centers like TACC to rapidly adapt their systems and services.

"Five, six years ago maybe 40% of our users could use GPUs. Now maybe it's 65%," Stanzione notes. This dramatic shift informed the design of Vista, TACC's AI-centric system built on NVIDIA Grace Hopper architecture, which serves as a bridge to prepare users for the next generation of leadership-class computing. However, the AI revolution presents a deeper challenge for the entire scientific computing ecosystem. "How are we going to keep traditional scientific computing going in a world where all the chips are built for AI?" Stanzione ponders. The answer lies in adapting to commodity AI components, much like the transition from custom supercomputing silicon to commodity microprocessors that began in the 1990s with the Beowulf project.

The fundamental difference between AI and traditional scientific computing lies in precision requirements. While scientific simulations demand 64-bit floating-point accuracy, AI algorithms can operate effectively with 8-bit or even 4-bit precision. This creates both challenges and opportunities. For example, Stanzione explains, "If these things are optimized for 8-bit integers, how do we make it look like we're doing 64-bit floating point?" The solution requires clever algorithms and hardware adaptations that could ultimately deliver superior performance even for traditional scientific workloads.

The Horizon Supercomputer: Enabling Discovery at Scale
TACC's upcoming Horizon supercomputer, scheduled for deployment in 2026 as part of the National Science Foundaion's (NSF) Leadership-Class Computing Facility, represents a quantum leap in computational capability. Expected to deliver 10× the performance of Frontera for traditional workloads and 100× for AI applications, Horizon will feature the largest public deployment of NVIDIA Blackwell processors available to researchers without cloud-like pricing.

Stanzione and his team have already identified 11 flagship projects that will launch with Horizon, spanning astronomy, materials science, molecular dynamics for drug discovery, seismology, and natural disaster prediction. But the most exciting aspect of these systems, he notes, is their unpredictability: "Discovery is by its nature somewhat unpredictable. We will be surprised, and something will happen." This element of surprise has characterized TACC's impact throughout its history. The center has supported work by four Nobel Prize winners, including David Baker from the University of Washington, who has been using TACC systems since 2005 for protein folding research that ultimately contributed to his 2024 Nobel Prize in Chemistry.

The Convergence Challenge: Power, Efficiency, and Innovation
The rapid growth of AI computing has created unprecedented challenges in power consumption and efficiency. Stanzione estimates that current AI development focuses primarily on being first and fastest, with little attention to efficiency—a luxury that scientific computing has never been able to afford. "We've never had the kind of money to throw around the hundreds of billions that they're throwing around in the AI space," he observes.

The solution, Stanzione argues, lies in software optimization rather than simply building more data centers. He points to DeepSeek's breakthrough in February 2024 as a prime example. By focusing intensively on software optimization rather than raw scaling, the company achieved 3-4× performance improvements while using significantly less power. "If your argument is, can I build $400 billion of data centers or with $10 million in software, where can I make that $200 billion in data centers? It was a pretty obvious answer to me," reflects Stanzione.

The industry faces fundamental limits in both silicon scaling and precision reduction. As transistor features approach atomic scales and precision requirements bottom out, the field must turn to architectural innovations, custom silicon designs, and potentially quantum accelerators to maintain the pace of computational advancement.

As TACC prepares for the Horizon era and the broader scientific community grapples with the AI revolution, Dan Stanzione's user-centric philosophy offers a valuable guide, “Stay focused on what serves science, remain adaptable to technological change, and never lose sight of the human element—the researchers, students, and technologists who ultimately determine the impact of any computational infrastructure.”

Quantum Computing: The Long View
While quantum computing generates significant attention and frequent questions about deployment timelines, Stanzione maintains a characteristically practical perspective. "I always go back to when I have users that actually want to use it," he responds to questions about quantum system deployment. "Right now you deploy big quantum systems to learn a lot about how to run quantum systems, and there's nothing wrong with that, but it doesn't serve my end science users that ultimately pay the bills."

Looking forward, Stanzione sees quantum accelerators as more likely than general-purpose quantum machines in the medium term. This hybrid approach aligns with his user-first philosophy to deploy quantum technologies when they solve real scientific problems more effectively than classical alternatives.

The Workforce Imperative
Perhaps no challenge is more critical than preparing the next generation of researchers and technologists for a world where AI, HPC, and quantum technologies converge. For TACC, workforce development is integral to advancing scientific progress. Many of its 9,000 annual users are first-year graduate students, making continuous education and onboarding essential.

Stanzione frames the workforce challenge in terms of historical precedent, noting that most economic growth over the past century has been driven by technology. From agriculture's transformation through improved productivity to the creation of entirely new industries, technological advancement has consistently created more jobs than it has displaced.

The key insight from this historical perspective is that fundamental research—often with no apparent practical application—ultimately enables transformative innovations. "In 1905 when doing work in relativity, Einstein did not think one day, if I do this right, I'll be able to get a taxi from my phone," Stanzione notes, yet GPS requires relativistic corrections to function accurately.

This long-term view underscores the importance of sustained investment in research infrastructure and education. Stanzione warns that declining government investment since the 1970s threatens the innovation ecosystem that has driven American technological leadership and cautions, "We just look at the last bit of the product and not all the things that it took to get there."

Stanzione frames the workforce challenge in terms of historical precedent, noting that most economic growth over the past century has been driven by technology. From agriculture's transformation through improved productivity to the creation of entirely new industries, technological advancement has consistently created more jobs than it has displaced. The key insight from this historical perspective is that fundamental research—often with no apparent practical application—ultimately enables transformative innovations. "In 1905 when doing work in relativity, Einstein did not think one day, if I do this right, I'll be able to get a taxi from my phone," Stanzione notes, yet GPS requires relativistic corrections to function accurately. "We just look at the last bit of the product and not all the things that it took to get there."

Looking Ahead: Challenges and Opportunities
The coming years will test the scientific computing community's ability to navigate several converging challenges. The commercial value of AI threatens to overwhelm traditional scientific computing through competition for hardware, talent, and attention. Power consumption continues to grow at unsustainable rates. Fundamental limits in silicon scaling and precision reduction approach rapidly.

As Forough Ghahramani, Ed.D., Assistant Vice President for Research, Innovation, and Sponsored Programs at Edge, observes, "Dr. Dan Stanzione's leadership at TACC continues to shape the future of advanced computing in this country. His vision, spanning HPC, AI, and quantum, is driving open science forward at unprecedented scale. As a thought leader and builder of national research infrastructure, his work through systems like Frontera, Vista, and the upcoming Horizon supercomputer reflects an unwavering commitment to accessibility, excellence, and innovation."

Yet Stanzione remains optimistic about the field's ability to adapt and innovate. The same community that successfully transitioned from custom supercomputing hardware to commodity clusters in the 1990s now faces another architectural transition. Success will require the same combination of technological innovation, pragmatic decision-making, and unwavering focus on scientific utility that has characterized high-performance computing's evolution.

For higher education leaders, Stanzione's message is clear: investment in computational infrastructure and workforce development is not optional but essential for maintaining America's position as a global leader in scientific innovation. The discoveries enabled by tomorrow's computational tools may be unpredictable, but the need for those tools is certain.

As TACC prepares for the Horizon era and the broader scientific community grapples with the AI revolution, Dan Stanzione's user-centric philosophy offers a valuable guide, “Stay focused on what serves science, remain adaptable to technological change, and never lose sight of the human element—the researchers, students, and technologists who ultimately determine the impact of any computational infrastructure.”

The future of open science depends not just on building bigger, faster computers, but on building systems that serve the scientists who will use them to unlock the next century of discovery.

The post Shaping the Future of Computational Science appeared first on Edge, the Nation's Nonprofit Technology Consortium.

1. What is the mission and vision of General Bank of Canada?

To build a bank for generations. [To build a bank for generations implies extensive trust]. General Bank operates as a Financial Product Manufacturer and works with Distributors / Brokers to have Consumers access our products.

2. Why is trustworthy digital identity critical for existing and emerging markets?

As a financial services product manufacturer we don’t hold direct to consumer relationships – we work with other financial services distributors. However, we need to validate those relationships with consumers and distributors to meet our regulatory obligations.

3. How will digital identity transform the Canadian and global economy? How does your organization address challenges associated with this transformation?

The more easily and quickly (digitally) we can verify individuals the more we can get our products out in the market and meet our regulatory obligations.

4. What role does Canada have to play as a leader in this space?

Canada can definitely be a leader in digital trust and identity – there is already a lot of great work ongoing.

5. Why did your organization join the DIACC?

General Bank is transforming and digital trust / verification is becoming a larger focus for us.

6. What else should we know about your organization?

General Bank is full Canadian Chartered Bank but we don’t have direct to consumer relationships (so we are a very different Chartered Bank).

The post CMMC on Campus appeared first on Edge, the Nation's Nonprofit Technology Consortium.

The post Accessibility Priorities for 2025 appeared first on Edge, the Nation's Nonprofit Technology Consortium.

Today, the Aspen Institute Financial Security Program launched a groundbreaking National Strategy on Fraud and Scam Prevention.

The OpenID Foundation was delighted to participate as a task force member, contributing to the effort alongside more than 80 cross-sector partners. This represents the first time such a broad collection of leaders from government, law enforcement, private industry, and civil society have come together in the US to develop a strategy aimed at preventing fraud and scams.

The Foundation commends the rigorous analysis, comprehensive approach and actionable recommendations in the Aspen report. The recommendations include:

Establishing a whole-of-ecosystem response across government, industry, and civil society Modernizing legal frameworks to enable faster detection, stronger enforcement, and appropriate liability protections Improving industry coordination to share data, strengthen defences, and reduce scam exposure – including use of standards to accomplish this goal Supporting victims more effectively, recognizing the real harm these crimes cause Treating scams as a national security and economic threat, not just a regulatory issue.

As Gail Hodges, the OpenID Foundation’s Executive Director, said, “The OpenID Foundation was delighted to participate as a Task Force member, and is impressed with the breadth of experts Aspen was able to convene to develop the National Strategy on Fraud and Scam Prevention. As a global open standards body, we hope that this report will stimulate timely policies and due diligence on standards that can deliver policy at the protocol level, such as Shared Signals, OpenID for Verifiable Presentation, OpenID for Verifiable Credential Issuance, and OpenID for Identity Assurance. These standards can play a meaningful role in delivering the digital identity infrastructure required to mitigate fraud while serving the public, the government, and the private sector alike.”

Perfect timing 

This report times well with several OpenID Foundation’s achieving final status meaning they are mature and stable for scale adoption, including by complex and interconnected ecosystems like those in the US . Relevant standards to the Aspen Report include:  Shared Signals 1.0, OpenID for Verifiable Presentation 1.0, OpenID for Verifiable Credential Issuance 1.0,  and OpenID for  Identity Assurance 1.0. These standards are already playing a meaningful role in delivering digital identity infrastructure, and they are well placed to to mitigate fraud while supporting wider ecosystem objectives.

Shared Signals 1.0 Final

Shared Signals enables real-time sharing of security intelligence across platforms. Major implementers, including Apple, Google, CISCO, Sailpoint, and Okta, are already deploying these standards. The technology is highlighted on the Gartner Hype Cycle and recommended by CISA.

The momentum continues to build. Google recently announced a new enterprise platform feature using Shared Signals, and the OpenID Foundation is getting ready to conduct a fourth interoperability session during Authenticate in Carlsbad, California October 15th.

OpenID Foundation Board member and Shared Signals WG Co-chair, Atul Tulshibagwale, also participated in the Task Force. He added: “The rampant level of online scams has reached an unprecedented and significant scale, severely affecting a large number of people and businesses. The Aspen report’s findings and recommendations are extremely important to our collective defense against fraudsters. We hope that the Shared Signals Framework can serve the US community by offering an open standard that communicates near real-time updates about potentially fraudulent activity. This will enable all participants across industry sectors and between the public and private sectors to be smarter about their decisions.”  

OpenID for Verifiable Presentation 1.0 Final

This standard enables secure verification of digital credentials, like mobile driver’s licenses that use the mdoc credential type from ISO/IEC SC17 18013-5 and SD-JWTs from IETF. The Foundation has partnered with NIST on the NCCoE Project on Mobile Driving Licenses for use of mDLs to “open a bank account,” co-hosting eight successful interoperability events on OpenID for Verifiable Presentation (OpenID4VP) and OpenID for Verifiable Credential Issuance (OpenID4VCI) this year before both specs were approved as final specifications this year.

Now the Foundation is actively addressing gaps identified by NIST that prevent US financial institutions from adopting and integrating the use of mobile driver’s licenses into their processes to comply with CIP and other US financial regulatory requirements. The OpenID Foundation seeks to support, NIST, and the US financial ecosystem (e.g. individual banks and the American Bankers Association) to ensure financial institutions understand how mobile driver’s licenses meet CIP/KYC regulations “as is,” and how issuing authorities, wallets and financial institutions can jointly increase confidence in mDLs to enable more rapid adoption by financial institutions. The OpenID Foundation is working in partnership with NIST to generate targeted proposals on how to close the gaps identified by NIST, with the expectation those proposals will help accelerate US stakeholder consensus and how some gaps could be closed by leveraging NIST’s SP 800-63-4 Digital Identity Guidelines and potential additions to the OpenID Foundation’s eKYC and IDA Working Group specifications.

The OpenID4VP standard has already been selected by Google Wallet, Android, Amazon.com, Samsung Wallet, 1Password, NIST for the NIST NCCoE project, the EU for the EU Digital Identity Wallet, Switzerland, UK, six Western Balkan countries, MOSIP for their marketplace of open source code services, and it is live in deployment by the California DMV. By the end of 2027, the OpenID Foundations anticipates 37 countries will be live with OpenID4VC. 

OpenID for Verifiable Credential Issuance 1.0 Final

This standard enables public or private sector organizations to securely issue digital credentials into a digital wallet. This OpenID4VCI specification has already been selected by major public and private sector platforms, including Google Wallet, Android, the EU for the EU Digital Wallet, Switzerland, UK, six Western Balkan countries, MOSIP for their open source marketplace, and it is live in deployment with the California DMV. 

Global impact and future deployment

The High Assurance Interoperability Profile (HAIP) will reach final status later this year. This profile will become the foundation for Europe’s digital identity infrastructure by the end of next year, and looks set to be adopted by Google, Amazon, 1Password, California, and many others in the USA.

The OpenID Foundation is also preparing a major announcement with an international governmental organization in November to support large scale deployment across the global south.

The Foundation is proud to have contributed to this groundbreaking strategy alongside more than 80 cross-sector partners. Now, with the global standards finalized and gaining global adoption, the OpenID Foundation is moving from strategy development to implementation. 

About the OpenID Foundation

The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net. 

 

The post OIDF Supports National Strategy on Fraud and Scam Prevention first appeared on OpenID Foundation.

The runaway success of Chinese artificial intelligence models such as DeepSeek and Qwen has spurred every industry, from health care to agriculture to education, to integrate AI.  Adoption of AI...

Kia ora,

The energetic Digital Trust Hui Taumata at Te Papa lit a fire under NZ Inc’s digital identity movement. Industry leaders, policymakers, iwi kaitiaki, and innovators gathered to collectively declare that solving for trust is mission critical to New Zealand’s digital future.

The Hui Taumata concluded with an unmistakable sense of urgency, shared purpose and appetite to collectively deliver on the vision for an open and decentralised marketplace for trusted credential proof access to products and services.

Recognising that excitement alone is not a strategy, we have been actively working on our new strategic plan and member value proposition, as signaled at the Hui Taumata.

Our refreshed strategy aims to strengthen trust in the digital economy through a united, open and collaborative stakeholder ecosystem. With the increase in distrust in our institutions and misinformation related to NZ’s empowering approach to identity, we most definitely have our work cut out for us!

Assuming we can remain a trusted voice, Digital Identity New Zealand (DINZ) is ideally positioned to connect, promote and advance trust solutions.

Major initiatives for 2025-26

Investable value proposition for members and partners Aotearoa NZ Inc communications strategy and go-to-market narrative aligned to Te Ao Māori data sovereignty principles (e.g. taonga, tikanga & kaitiakitanga) Trusted Aotearoa NZ Inc ecosystem architecture and sovereign data infrastructure.

There is increasing consensus that an effective, use case and benefits focused communication framework is crucial to market adoption. 

Working groups will build momentum around demand-side adoption and a trusted vendor ecosystem.

Key Takeaways for Members

The time is now for trusted decentralised identity:

Global drivers: Trading partners and visitors are adopting interoperable credentials, requiring NZ exporters and operators to adapt Domestic demand: Banks, insurers, corporate NZ, government agencies and SME sector face unsustainable delivery, compliance and fraud costs, and increasing risks / chaos Technology maturity: Open-standard wallets, zero-knowledge proofs, and consent dashboards are ready for safe and privacy enhancing adoption. 

Key value drivers and critical success factors:

Security, machine readable traceability and privacy by design National DISTF trust-mark & open standards for an interoperable framework Government & tier-1 procurement mandates to drive adoption Cross-sector collaboration to demonstrate ROI in various sectors (public services, banking, health, exports, and SMEs).

The plan outlines significant economic opportunities over the next five years from DISTF credential marketplace adoption.

See the complete sector breakdown.

New Working Group Highlights

We have established two new working groups to support market adoption:

Demand side (reference architecture): Focus on building adoption through use cases, reference architecture, and sector-specific strategies (such as education, health, social services; open banking and payments, and domestic commerce – SME focus).

DINZ has worked constructively with the DIA to establish and support core policy and technical working groups, plus accessibility and Te Ao Māori groups. 

Supply side (trusted vendor ecosystem): Focus on a common aligned approach for verifiable credentials (VCs) that delivers trust, simplicity, and safeguards for holders, while ensuring safe, interoperable, and trusted VC delivery.

At the Hui Taumata in August 2025, Minister Collins’ called for vendors to align on their role in building a trusted verifiable credentials ecosystem for New Zealand.

Following this, Craig Grimshaw of Sush Labs and Andrew Mabey of UNIFY Solutions are co-chairing a newly established Vendor Working Group on verifiable credentials for people of New Zealand.

With Digital Identity New Zealand (DINZ) hosting, Andrew and Craig will guide the group to ensure outcomes are collaborative, transparent and aligned with national goals.

Together Andrew and Craig bring complementary expertise with Sush Labs in wallet design and mobile user experiences critical for adoption and UNIFY Solutions in consulting, architecture and government-scale identity implementations. Both providing balanced leadership to convene vendors around a shared purpose: delivering a safe, interoperable and trusted ecosystem for all New Zealand.

Digital Public Infrastructure 

DINZ increasingly plays a thought leadership role in areas such as multi-modal biometric frameworks, authentication including identity binding and proofing, credential issuance and validation, access control, user-controlled data storage, and trusted data processing.

We intend to champion the importance of a Trust Aotearoa NZ Inc jurisdiction level namespace (i.e. name service) to a truly user centric decentralised ecosystem architecture. 

And finally, we continue to make proactive submissions as part of NZ’s regulatory modernisation programme and guidance on emerging standards including the new assurance hierarchy in the updated DISTF.

Executive Council Nominations

Nominations will open on 13 October. The results of the election will be announced at the Annual Meeting on 4 December.

The following board positions are available for election this year:

3 Major Corporate Seats  2 Other Corporate Seats  2 SME & Start Up Seats 

Start thinking about whether you are interested now. 

Industry News

We continue to experience an ever-increasing buzz in the digital identity space both making and breaking news domestically and around the world. Here’s a selection:

Government digital changes to bring big savings | Beehive.govt.nz Proactive-release_Driving-down-the-cost-of-digital-in-government Britain to introduce compulsory digital ID for workers | rnz.co.nz BBC News article on digital ID UK mobile operators launch age verification and anti-fraud APIs through GSMA Open Gateway Initiative | libertyglobal.com My take on Digital Driver’s Licenses Andy Higgs Newstalk interview  Full Interview with Leah Panapa on the Platform

Upcoming Interoperability Event: 16-17 November 2025

Chris Goh and Belinda Taylor’s NZTA team are hosting an interoperability event in Wellington on 16 -17 November, leading into the ISO Working Group 10 meetings that week. These international mDL/mdoc community events regularly confirm implementation feasibility, gather feedback to enhance standards quality, and maintain market momentum for mDL and mdoc implementations.

Sponsorship opportunities available:

Sunday 16 Nov: Lunch (approx. 120 attendees) and/or Coffee cart Monday 17 Nov: Lunch (approx. 120 attendees) and/or early evening canapés and non-alcoholic drinks (approx. 120 attendees)

Please contact Gabrielle.George@dia.govt.nz if you are interested.

Next  Actions for Members

Engage: Nominate representatives to the reference architecture, vendor working and special interest working groups.   Contribute: Share sector use cases for Circles of Trust white papers. Communicate: Adopt the new messaging framework and amplify the everyday benefits of trusted digital identity.

Together, we are shaping the trusted credential ecosystem that will empower New Zealanders, protect privacy, and unlock economic growth through a unified Aotearoa NZ Inc approach.

Tihei mauri ora!

Andy Higgs
Executive Director,
Digital Identity NZ

Read full news here: Inspiring Trust across Aotearoa NZ Inc.

Subscribe for more

The post Inspiring Trust across Aotearoa NZ Inc. appeared first on Digital Identity New Zealand.

Corporate Overview

Founded in 1955, First Credit Union is a member-owned financial institution in New Zealand with over 60,000 members. The organization delivers secure and innovative digital banking experiences through its comprehensive online banking platform. Members access their accounts via mobile app and browser options to manage finances anytime, anywhere. The credit union has embraced cutting-edge authentication technology to enhance both security and user experience for its diverse membership base.

Executive Perspective

“Implementing FIDO authentication through Authsignal has been a game-changer for our members’ digital experience. It’s secure, seamless and sets a new standard for trust in online banking.” – Herb Wulff, Treasury and Agency Banking Manager, First Credit Union

The Business Challenge

As a progressive modern financial institution, First Credit Union has embraced a path toward digital transformation. As part of its journey, it identified several critical challenges impacting both security and user experience.

Those challenges include:

Cybersecurity Risks. The organization wanted to reduce reliance on passwords, which is one of the most common attack vectors. First Credit Union sought phishing-resistant authentication methods to mitigate growing security threats. User Experience Friction. Traditional multi-factor authentication methods often create friction in the login process. The credit union aimed to make secure access feel seamless and intuitive for members with varying technical comfort levels. Cross-Platform Compatibility. Members access the platform across diverse devices and operating systems. First Credit Union needed a solution that worked consistently across mobile apps and web browsers. Integration Complexity. The new authentication solution had to integrate smoothly with existing infrastructure. This approach would minimize disruption to internal teams and members during deployment. Why First Credit Union Chose Passkeys

First Credit Union conducted a thorough evaluation of several traditional and emerging authentication methods. The goal was to find the right balance between security, usability and accessibility for its diverse membership base.

Traditional Options Fell Short

The team explored multiple multi-factor authentication (MFA) methods but found significant drawbacks with each approach. Authenticator apps can enhance security but have vulnerabilities that can be exploited due to their reliance upon one-time codes. They also require members to install and manage a separate app, which added complexity and friction. Email magic links provided convenience but created usability challenges and vulnerability to phishing and email interception risks.

Device credentials delivered a more seamless experience but lacked the standards-based interoperability needed across platforms. The credit union also considered standalone biometric authentication, but these solutions lacked the robust security guarantees and cross-platform compatibility that FIDO standards provide.

A critical insight emerged: offering too many authentication options risked confusing members, especially given the wide range of technical comfort levels across their demographic. A fragmented experience could lead to frustration, support overhead and reduced adoption.

FIDO Delivered What Others Couldn’t

FIDO authentication stood apart from alternatives that still presented significant vulnerabilities to phishing and lacked seamless, standards-based interoperability. The technology offered compelling advantages:

Phishing resistance eliminates shared secrets like passwords or OTPs that attackers can intercept or steal. The passwordless experience reduces friction for members while making access to online banking quicker and more secure. FIDO2 specification ensures seamless authentication across a wide range of devices and platforms, supporting both their app and browser-based services.

The solution improved member trust and satisfaction through enhanced security and streamlined login processes. It also reduced support overhead from password resets and login issues, allowing the team to allocate resources more efficiently and improve overall service quality.

Implementation Overview

First Credit Union partnered with Authsignal to implement a FIDO Certified passkey infrastructure. The team followed a structured rollout approach:

Phase 1: Internal Testing and Validation

The organization conducted rigorous internal testing to validate passkey integration across mobile and browser platforms. This phase ensured technical stability and compatibility.

Phase 2: Member Education and Communication

First Credit Union launched a targeted communication campaign that included:

Clear messaging about passkey benefits Step-by-step setup and usage guides Comprehensive support resources for onboarding

Phase 3: Gradual Branch Network Rollout

The team introduced passkeys in phases across the branch network. This approach allowed for performance monitoring, feedback collection and iterative improvements.

Phase 4: Monitoring and Optimization

Post-launch activities included tracking adoption metrics and authentication usage patterns. Member feedback drove user experience refinements.

Results and Impact

First Credit Union achieved impressive adoption and security outcomes since launching passkeys:

Adoption Metrics

58.4% of members adopted the new authentication experience 54.5% of all authentications now use passkeys Over 23,500 members enrolled in multi-factor authentication

Member Experience

Most members provided positive feedback citing ease of use and improved trust. Passkeys enabled simplified login through device-native biometrics like facial and fingerprint recognition. Members enjoy seamless experience across mobile and web platforms.

Operational Benefits

The organization reduced support overhead from password-related issues. First Credit Union enhanced its security posture with phishing-resistant authentication. The infrastructure now aligns with global standards for future readiness.

Future Vision

FIDO authentication serves as the cornerstone of First Credit Union’s long-term digital security strategy. The organization plans these expansions:

Secure Transaction Authentication: Extending passkeys to high-risk actions like transaction approvals Internal Systems Access: Implementing FIDO-based authentication for staff systems Third-Party Integrations: Leveraging FIDO’s interoperability for future service integrations Key Recommendations

First Credit Union offers these insights for organizations considering FIDO implementation:

1. Understand Your User Base: Assess members’ devices, digital habits and comfort levels to tailor the experience appropriately

2. Simplify the Experience: Avoid overwhelming users with too many authentication options

3. Choose the Right Partner: Work with trusted providers who offer expertise in passkey infrastructure

4. Communicate Clearly: Educate users early with clear messaging about benefits and simple setup guides

5. Test Thoroughly: Conduct comprehensive internal testing across platforms before member-facing deployment

Read the Case Study

This story is adapted from writer Emily Wither’s recent Rest of World feature, Syria’s quest to build its own Silicon Valley. For the first time in a long time, Syrian...

Amit Sharma on his passion for all things ‘identity’ and the challenges he sees for the market in general

The post In conversation with ….. Amit Sharma, IDEMIA Public Security appeared first on Kantara Initiative.

China’s battery giants have pulled the plug on South Korea’s dominance in powering electric vehicles. South Korea’s three top EV battery makers — LG Energy Solution, SK On, and Samsung...

Investable Value Proposition for members and partners Aotearoa NZ Inc Communication Strategy and Go-To-Market Narrative aligned to Te Ao Māori data sovereignty principles (e.g. taonga, tikanga & kaitiakitanga) Trusted Aotearoa NZ Inc ecosystem architecture and sovereign data infrastructure

There is increasing consensus that an effective, use case and benefits focused communication framework is crucial to market adoption. 

Working groups will build momentum around demand-side adoption and a trusted vendor ecosystem.

Key Takeaways for Members

The Time is Now for Trusted Decentralized Identity:

Global Drivers: Trading partners and visitors are adopting interoperable credentials, requiring NZ exporters and operators to adapt. Domestic Demand: Banks, insurers, corporate NZ, government agencies and SME sector face unsustainable delivery, compliance and fraud costs and increasing risks / chaos Technology Maturity: Open-standard wallets, zero-knowledge proofs, and consent dashboards are ready for safe and privacy enhancing adoption 

Key Value Drivers and Critical Success Factors:

Security, machine readable traceability and privacy by design National DISTF Trust-Mark & Open Standards for an interoperable framework. Government & Tier-1 Procurement Mandates to drive adoption. Cross-Sector collaboration to demonstrate ROI in various sectors (public services, banking, health, exports, SMEs)

The plan outlines significant economic opportunities over the next five years from DISTF credential marketplace adoption.

CategoryDetails / MetricsNational 5-Year UpsideNZD 8–16 B mid case combined cost savings, fraud reduction, export premiums and new-revenue uplift. Higher if combined with NZD stablecoin enabled trade.Typical Project Payback18–36 months, Fastest ROI: Financial services, Government services, Health, Agriculture/food exports, SMEs (eInvoicing + KYB reuse)Public-Sector Efficiency20–30 % reduction in manual verification tasks (cross-agency VC issuance & consent dashboards)Fraud / Leakage Reduction30–50 % decrease in high-risk processes (banking, benefits, e-commerce, health)

Complete sector breakdown:

SectorEstimated 5-Year Value (NZD)Primary Value LeversFinancial Services$1.2–2.0 BReusable KYC/KYB, instant onboarding, fraud loss reduction, account credentialsGovernment & Social Services$1.0–1.8 BGovernment app / wallet upgrade with reusable entitlement credentials, e-signatures, e-voting pilotsHealth & Aged Care$1.3–2.2 BPatient/provider credentials, e-prescriptions, research data sharingEducation & Skills$0.4–0.8 BSkills passports, micro-credential walletsAgriculture & Food$1.1–1.9 BExport provenance, license to operate, biosecurity, monitoring, product passportsTransport & Logistics$0.7–1.4 BChain-of-custody, border clearance, verified telematics, traceabilityEnergy & Utilities$0.5–1.0 BSmart-meter attestations, carbon/REC trackingConstruction & Property$0.6–1.1 BDigital building consents, product passportsTourism & Visitor Economy$0.5–0.9 BVerified traveller profiles, seamless border flows, personalised conciergeRetail & Consumer$0.6–1.2 BAge assurance, product authenticity, loyalty portabilityMedia & Creative$0.3–0.7 BContent provenance credentials, creator rights & royaltiesSMEs & Professional Services$0.9–1.6 BeInvoicing, verified suppliers, payroll/workforce credentials, automation

The post Digital Identity NZ – Major initiatives for 2025-26: appeared first on Digital Identity New Zealand.

1. What is the mission and vision of Autocorp.ai?

Our mission is to modernize the car-buying experience by building digital tools that put transparency, trust, and efficiency first. We envision a future where automotive retail is fully digital, seamless, and secure — empowering dealerships to sell smarter and customers to buy with confidence.

2. Why is trustworthy digital identity critical for existing and emerging markets?

Trust is the currency of digital commerce. In automotive, where vehicles are high-value assets, fraud has surged — with identity fraud making up over 75% of fraudulent applications in Canada. For existing markets, strong ID verification prevents costly theft and financial loss. For emerging markets, it lays the foundation for safe digital transactions, unlocking growth and inclusion by making financing and ownership accessible to more people.

3. How will digital identity transform the Canadian and global economy? How does your organization address challenges associated with this transformation?

Digital trust will accelerate financing, reduce fraud-related losses, and expand access to credit globally. In Canada alone, automotive fraud rose 54% year-over-year – a clear signal that transformation is needed. Our solution, AVA™ ID, leverages AI, biometrics, and OCR to verify identities in seconds while ensuring compliance with KYC and AML regulations. This helps dealerships and lenders eliminate inefficiencies, cut losses, and create safer digital ecosystems that power sustainable economic growth.

4. What role does Canada have to play as a leader in this space?

Canada is uniquely positioned to lead – combining strong financial institutions, progressive regulatory frameworks, and advanced data security expertise. By innovating in industries like automotive, Canada can export proven models of secure digital identity verification to global markets, setting the standard for how high-value transactions should be protected.

5. Why did your organization join the DIACC?

We joined the DIACC because digital trust is bigger than any one company. It requires collaboration across industries, regulators, and innovators. By being part of DIACC, we ensure that the automotive sector’s needs are represented while contributing to the creation of national standards that build confidence for consumers and businesses alike.

6. What else should we know about your organization?

Autocorp.ai is Canada’s first fintech to bring No-Impact Credit Checks, real-time Trade-in Valuations, and Fraud-Proof Test Drives into a unified digital retail suite. Our tools are already helping dealerships increase conversion by 35%, revenue by 28%, and lead generation by 55%. More than just software, we’re building the digital infrastructure that ensures every automotive transaction – from credit pre-approval to keys-in-hand – is safe, fast, and customer-first.

Resources on this page are made available under Creative Commons Attribution Non-Commercial ShareAlike 4.0 International Public License as found at: https://creativecommons.org/licenses/by/4.0/legalcode

2022 K12 Edtech Benchmark Infographics 2022 K12 Edtech Benchmark Infographics: Findings Report 1

  2022 K12 Edtech Benchmark Infographics: Findings Report 2

2022 K12 Edtech Benchmark Infographics: Findings Report 3

Consumer Sentiment Report

Did You Knows

Do You Know Where Your Data Is

Principles of Safe Software

Miscellaneous

The post Reusable ISL Graphics appeared first on Internet Safety Labs.

In the fierce global war over workers skilled in artificial intelligence, the United Arab Emirates is luring researchers with a custom-built AI university that offers what many scientists dream of:...

Based on an original by Visual Thinkery for WAO

As part of their wider digital transformation plan, we’re currently helping Amnesty International UK (AIUK) with a new community platform for activists and educators. As we’ve done for almost a decade now, and as befits the name of our cooperative, we’re working openly on this project. In fact, this post is informed by one we wrote for the AIUK Community Platform Project blog.

Our last post about the AIUK project on this blog talked about the importance of community calls. In this one we want to talk about community building for the kinds of conversations that activists and educators need to have. We will be using Discourse to power the community platform after our research earlier this year led to a longlist of 29 platforms and a shortlist of 4 platforms. You can check out our comparison spreadsheet here.

A note about Discourse

This is not a post about Discourse as a platform per se, but it is important to note that, by default, it provides many useful features and settings. The stated aim of its co-founders is to “democratize online community and teamwork by raising the standard of civilized discourse on the Internet.” As such, it has features such as user trust levels, content warnings, and role/status badges that have been provided thoughtfully in a way that other systems haven’t yet managed.

It’s also Open Source, allowing AIUK to be able to host it wherever they choose—something which is increasingly important given the global rise of authoritarianism. Human rights organisations need to, sadly, be prepared for security breaches like hacks, bots or fake accounts that could  compromise discussions.

Conscious configuration A series of personas, created using Open Peeps

The only way to know how users will interact with a system you have created and/or configured is to put them in front of it. They will surprise you in both positive and negative ways, which you can then make a note of and reconfigure the system accordingly. 

The platform or software you choose constrains what is or is not possible for users. It provides a set of “affordances” creating an environment which offers the individual different options. For example, we have decided against the affordances provided by real-time chat apps such as Slack or Rocket.Chat in favour of a more ‘discussion area’ vibe with Discourse.  

Over and above the intentional decisions around platform choice, we also have to be mindful about the way we initially configure it for our target audience. Unlike some other platforms, almost everything is configurable in Discourse. This means we need to do the work to make the platform as easy to use and “intuitive” to community members as possible. 

AIUK has a widespread and diverse community, so we need to think about how that community currently exists, while preparing for a move to a new platform. We now have a very long configuration document documenting these conversations and reminding ourselves why we made certain decisions around set up and defaults. This includes everything from the theme components we have installed, to the way we’re dealing with user permissions, through to the names of buttons we’ve changed.  

It is very unlikely that we get everything right the first time around. We will receive useful feedback during the training and piloting phases and  we will also change things based on what we observe users actually doing (rather than just what they say they will do!)

The wider ecosystem Image CC BY Visual Thinkery for WAO

The new AIUK community platform does not sit alone in a vacuum. Nor is it the answer to every situation in which activists and educators may want or need to interact. For example, end-to-end encrypted communications are much better dealt with in a secure app such as Signal. As a result, we are advising AIUK community members to see the new platform as one part of a wider ecosystem.

This ecosystem also includes a new website and knowledge hub which is being developed by Torchbox. Therefore, in addition to thinking through how activists and educators interact within the community platform, we need to consider how different types of users might move through the entire ecosystem. How do they become aware of what is available? How do we meet their needs? How might we enable them to meet their activism and education goals?

The demographics of AIUK skew both young and old. That is to say, there is a majority in the 50+ age group, but there are also many young people and university students who are actively involved with Amnesty campaigns. Our research showed that these two groups tend to use very different communication tools. The older demographic tend to use email as their primary means of communication, whereas the younger demographic tend to use social media.

Our aim is for the community platform to meet the needs of as many different AIUK groups as possible. For example, an important requirement was the ability to receive updates from the platform via email, and also for community members to be able to reply to discussions from the comfort of their inbox. 

We cannot solve everything with the community platform, but we are configuring a solution that can respond to users’ needs over time.

Get involved!

Whether or not you currently consider yourself part of the AIUK community, you are very welcome to lend your thoughts and expertise to this project. Follow the project blog over on the Amnesty UK website, share positive examples you have of activists and educators engaging in constructive discussion, and help us build a space which helps the AIUK community protect people wherever justice, freedom, truth and dignity are denied.

Today, two Decentralized Identity Foundation (DIF) members brought their expertise to an influential global audience at Digital@UNGA, a high-level event convened by the ITU, UNDP and WDTA during the 80th UN General Assembly. 

In a critical session titled “Trusted Digital Identity for People & AI,” the discussion moved beyond theory to address the real-world challenges of deploying Digital Public Infrastructure (DPI) that is secure, equitable, and future-proof. In partnership with Gambian Ambassador Muhammadou Kah, Chairman of the UN Commission on Science and Technology for Development, the session focused on turning the UN’s digital identity strategy into a deployable reality, grounded in the core principles of interoperability, privacy by design, and inclusion for all.

The core challenge addressed by the panel was the persistent gap between policy and production. While global goals like SDG 16.9 are clear, the goal of providing legal identity for all by 2030 is often stalled by protocol fragmentation and the lack of a robust architectural model for a world where both people and AI agents are first-class citizens. The session explored how to bridge this gap by encoding principles as measurable engineering requirements, ensuring that concepts like privacy and interoperability can be verified through rigorous, evidence-based testing before procurement and large-scale deployment.

Representing DIF, Matt McKinney, CEO of AIGNE, an ArcBlock company, and Co-Chair of the DID Method Spec Working Group, presented a framework for building this next generation of DPI. His talk focused on the necessity of a symmetrical architecture that serves both people and AI agents with the same high standards of security and control. He argued that for this mixed-initiative future to be safe, AI agents must use controller-bound credentials, operate with least-privilege, time-boxed permissions, and be subject to fast, verifiable revocation. He outlined a phased, low-risk path for policymakers to move from architectural requirements to a multi-vendor sandbox, then to a pilot, and finally to a scalable rollout, all based on open standards and anchored to objective conformance proofs.

Nicola Gallo, Co-Founder of Nitro Agility and Co-Chair of DIF's new Trusted AI Agents Working Group, also presented at length. He emphasized the importance of building a trust stack for AI agents, one that clarifies the types of trust required, considers the impact of AI on social and market structures, and defines protocols that can effectively address these concerns. In his view, a sustainable path is to anchor trust in the identities of the executors themselves, enabling distributed chains of attested actions. Without this granular and auditable accountability, we risk relying too heavily on impersonation models, where the role of the actual executor may be unclear and trust becomes harder to govern or verify. Ultimately, the key lies in giving workloads their own flexible and verifiable identities, making it possible to trace and govern responsibilities across distributed systems, thus envisioning a new Internet of Trust

As a next step, the members will publish a 2-page outcomes brief and an implementer checklist for policy makers and practitioners within the next two weeks. Stay tuned for links to these practical documents to be open-sourced by DIF.

While biometrics offer convenience, passkeys provide the backbone for the next stage in authentication. Developed as a part of a global effort by Apple, Google, Microsoft, and the FIDO Alliance, passkeys replace traditional passwords with cryptographic keys stored securely on a user’s device. Instead of typing in a word or a phrase, users can confirm their identity through a fingerprint, a face scan, or a prompt in a trusted device. 

Apple’s approach to identity in wallets is built on open standards, including the W3C’s Digital Credentials API and FIDO Alliance protocols. This is important to identity nerds like me because they are standards that enable privacy-enhancing exchanges of digital credentials, allowing consumers to (crucially) prove what they are (over 18, entitled to drive, holding a valid ticket) without having to divulge who they are.  

Apple iOS 26 has landed, and it includes support for FIDO Alliance Credential Exchange standards to enable secure, end-to-end encrypted transfers of passkeys, passwords and other credentials across platforms and apps. A release from large open-source login management service Bitwarden says it is “among the first credential managers on iOS 26 to implement the Credential Exchange standards, helping lead passkey and password portability with a secure, standardized way for users to move credentials between Apple Passwords, Bitwarden and other compatible services.” 

The OpenID Foundation membership has approved the following as an OpenID Final Specification:   FAPI 2.0 Message Signing: https://openid.net/specs/fapi-message-signing-2_0-final.html    A Final Specification provides intellectual property protections to implementers of the specification and is not subject to further revision. This Final Specification is the product of the OpenID FAPI Working Group.   The voting results were: Approve – 87 votes Object — 0 votes Abstain – 20 votes Total votes: 107 (out of 448 members = 23.9% > 20% quorum requirement)   Marie Jordan – OpenID Foundation Secretary
About the OpenID Foundation

The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net. 

The post FAPI 2.0 Message Signing Final Specification Approved first appeared on OpenID Foundation.

China flooded the world with electric cars. Its next target is freight trucks. BYD, the Chinese automaker that overtook Tesla in sales of electric cars last year, now ships electric...

Human Colossus Foundation co-organised the NextGen Pre-event at MyData 2025: Genomic Data and the Future of the European Health Data Space

Helsinki, 24 September 2025 — The European Health Data Space (EHDS) is set to redefine digital health across Europe. With the potential to benefit more than 250 million citizens, it promises to transform clinical research, innovation, and patient care. But can it truly deliver?

A successful rollout of EHDS would restore trust—an essential prerequisite for unlocking the value of health data not only for medical purposes but for the entire health economy. Driven by the AI revolution, new revenue opportunities for European innovators could reach billions of euros. Done right, EHDS could become a flagship success story, showcasing the competitive edge of well-organised data ecosystems.

If it fails, however, the consequences would be so severe that its absence of success could only be described as a doomsday scenario.

Meeting this challenge requires a clear understanding of the barriers to building a health data ecosystem at a continental scale.

The NextGen EU Horizon project tackles some of the most complex data challenges in cardiovascular personalised medicine. Serving as a kind of “mini-EHDS,” NextGen acts as a testing ground for digital tools that enable the creation of interoperable data spaces.

Against this backdrop, the high-level pre-conference event at MyData 2025—titled “EHDS Promises & Pitfalls: The Case of Genomic Data Integration in Personalised Medicines”—took place on Tuesday, September 23. Over three and a half hours, the session addressed topics for researchers, clinicians, regulators, policymakers, and all those who recognise that maintaining the status quo is the simpler—but ultimately false—choice.

The central question was clear: How can genomic data—among the most sensitive and valuable forms of health data—be safely and effectively integrated into EHDS for the benefit of all?

A distinguished panel of experts shared their insights:

The fundamentals of EHDS — Mikael Rinnetmäki, Finnish Innovation Fund Sitra, introduced EHDS and explored the challenges posed by both the primary and secondary use of health data in Europe.

The legal dimension and the Finnish approach — Sofia Kuitunen, Senior Legal Counsel, FinnGen, examined the secondary use of health and genomic data in Finland.

Overcoming implementation barriers in the Netherlands — Johan Bokslag, Programme Manager, Health Data Space Utrecht, addressed the practical challenges of building an EHDS-compliant infrastructure in the Netherlands and how these can be turned into opportunities for transformation.

End-user expectations — Dr. Petra Ijäs, Head Physician at Helsinki University Hospital, presented a clinical case highlighting how EHDS could help overcome barriers in cardiovascular risk prediction for carotid artery stenosis.

Moderated by Philippe Page (NextGen & Human Colossus Foundation), the session illuminated both the opportunities and the serious pitfalls of Europe’s flagship health data initiative.

The key conclusions were:

EHDS implementation offers a historic opportunity to bring Europe’s healthcare system into the digital era.

Major pitfalls exist, with the restoration of trust and confidence standing as the most critical.

If EHDS fails to deliver a secure and efficient data space, global competition risks driving Europe’s health innovation elsewhere.

A detailed summary of the discussions and participant takeaways is in preparation and will provide further insights.

From the Human Colossus Foundation’s perspective

The EHDS vision responds to the urgent need to unlock the value of health data. It aims to build a human-centred data ecosystem, where “human” encompasses patients, healthcare professionals, public health authorities, private actors, regulators, and policymakers. Creating such an ecosystem requires three conditions:

Distributed governance — Governance must be shared across legitimate authorities representing regions, communities, professionals, and individuals. This requires a federated digital design that builds upon existing frameworks while advancing them into the digital era.

Respect for Europe’s diversity — Diversity is a source of creativity; complexity is merely an implementation challenge to be overcome. EHDS should prioritise harmonisation, not standardisation, especially in data models. The semantics—the meaning of data—should remain as close as possible to the collection point. Mechanisms must ensure data is structured and its integrity preserved before it reaches AI tools, training datasets, or other uses.

True digital identity — Both individuals and organisations need digital identities that uphold privacy and fundamental rights as protected by EU and Member State ethical, regulatory, and governance frameworks. Achieving this requires a truly decentralised authentication architecture capable of accommodating Europe’s diverse sovereignties.

Together, these requirements form the foundation for introducing sovereignty in the digital era. Regaining control over our data demands governance, integrity, and authenticity in every data exchange.

Permalink

Attendees joined this webcast to hear how FIDO Alliance standards and certification can support the automotive industry as it transitions toward software-defined vehicles, autonomous technologies, and connected services. This transition brings an unprecedented opportunity to innovate and capitalize on new business models (such as in-vehicle commerce and subscription services) but also introduces significant cybersecurity threats and user experience challenges. 

Attendees joined this webcast to hear how FIDO Alliance standards and certification can support the automotive industry as it transitions toward software-defined vehicles, autonomous technologies, and connected services. This transition brings an unprecedented opportunity to innovate and capitalize on new business models (such as in-vehicle commerce and subscription services) but also introduces significant cybersecurity threats and user experience challenges. 

This session builded upon the FIDO Alliance’s recently published white paper, Addressing Cybersecurity Challenges in the Automotive Industry, exploring how the FIDO Alliance is uniquely positioned to address these challenges using passkeys, FIDO Device Onboard (FDO), and existing and future certification programs.

Watch the presentation:

The contribution by Shielded Technologies marks a big milestone in open sourcing the development of tools to advance the vision of a privacy-preserving internet.

Brazil’s judicial system — among the most litigious in the world — is turning to artificial intelligence for help.  Judges are using AI to clear their dockets at a faster...

MarylandOnline Partners with Edge to Expand Access to Educational Technology and Services for Maryland Higher Education Institutions

NEWARK, NEW JERSEY, September 24, 2025 – Edge, the nation's leading member-owned nonprofit technology consortium, today announced the addition of MarylandOnline to its EdgeMarket Affiliate Partner Program. The affiliate agreement enables MarylandOnline member institutions to access Edge's comprehensive marketplace of educational technology vendors and contracts, while also providing access to Edge's internal nonprofit services in cybersecurity, organizational transformation, digital learning, and accessibility. Importantly, a portion of revenue from services utilized by Maryland institutions will flow back to MarylandOnline to support additional programming and initiatives for its members.

Via the EdgeMarket Affiliate Partner Program, the partnership will provide MarylandOnline's 19 member institutions expanded access to educational technology contracts, services, and collaborative opportunities through Edge's procurement platform and professional services.

"This partnership represents exactly the kind of forward-thinking collaboration that higher education needs today. Partnerships between institutions is really the way we're going to see higher education evolve, and crossing state lines while still managing regulations opens up tremendous opportunities for our members to better serve their students."

— Stephen T. Kabrhel
Dean of Online Learning, Community College of Baltimore County
President, MarylandOnline

"This partnership represents exactly the kind of forward-thinking collaboration that higher education needs today," said Stephen T. Kabrhel, Dean of Online Learning at the Community College of Baltimore County and current President of MarylandOnline. "Partnerships between institutions is really the way we're going to see higher education evolve, and crossing state lines while still managing regulations opens up tremendous opportunities for our members to better serve their students."

Wendy Gilbert, Executive Director of MarylandOnline, emphasized the strategic importance of cross-state collaboration. "Interacting with people who do what I do in other states is invaluable. We're already seeing state consortiums expand beyond their borders, and this partnership with Edge allows us to share different perspectives and solutions with a broader network."

The partnership comes at a critical time for higher education institutions facing enrollment challenges and resource constraints. Both organizations have built their missions around democratizing access to educational technologies and strategies, making this alliance particularly well-suited to address current market dynamics.

"Interacting with people who do what I do in other states is invaluable. We're already seeing state consortiums expand beyond their borders, and this partnership with Edge allows us to share different perspectives and solutions with a broader network."

— Wendy Gilbert
Executive Director
MarylandOnline

"We're really excited for what this partnership represents," said Adam Scarzafava, Vice President of Marketing, Business Development, and EdgeEvents at Edge. "MarylandOnline is an organization that we know historically has done so much good work for the institutions of Maryland and their online learning capacity. For them to see value in Edge really says a lot about the consortium approach to addressing higher education challenges."

Both organizations will be represented at EdgeCon Autumn 2025, Edge's upcoming conference October 9, 2025 at Rider University, where they plan to showcase collaborative opportunities and share best practices in consortium-based educational support.

 

About Edge: Edge serves as a member-owned, nonprofit provider of high-performance optical fiber networking and internetworking, Internet2, and a vast array of best-in-class technology solutions for cybersecurity, educational technologies, cloud computing, and professional managed services. Edge provides these solutions to colleges and universities, K-12 school districts, government entities, hospital networks, and nonprofit business entities as part of a membership-based consortium spanning across the nation. For more information, visit njedge.net.

About MarylandOnline: Founded in 1999, MarylandOnline is a consortium of 19 Maryland higher education institutions dedicated to excellence in online learning. The organization developed the Quality Matters Program and continues to provide course sharing platforms, professional development, and collaborative resources to support digital learning initiatives across Maryland. MarylandOnline's members include all 16 Maryland community colleges plus Morgan State University, Stevenson University, and the University of Maryland Global Campus. The organization has trained nearly 4,000 online instructors and continues to operate course sharing platforms that have served institutions since 2001.

About EdgeMarket: The EdgeMarket Cooperative Pricing System is purpose-built to provide Edge members with an easy way to procure the solutions and services they need at advantageous pricing and terms.

 

The post MarylandOnline Partners with Edge to Expand Access to Educational Technology and Services for Maryland Higher Education Institutions appeared first on Edge, the Nation's Nonprofit Technology Consortium.

September 24, 2025

In a world of increasing economic uncertainty and shifting global supply chains, prioritizing Canadian talent, goods, and innovation sends a clear message of support for workers, businesses, and communities across the country. At the same time, Canada’s continued openness to fair international collaboration and competition will remain essential for ensuring that Canadian businesses remain innovative, globally competitive, and resilient.

DIACC and its members have worked for over a decade to advance digital trust as a cornerstone of a strong and inclusive digital economy. Secure, verifiable credentials and trusted digital identity can help Canadian businesses demonstrate compliance, access new markets, and participate confidently in both domestic and international supply chains.

DIACC stands ready to partner with governments, industries, and communities to ensure that Buy Canadian measures are implemented in a way that protects and empowers Canadian workers while maintaining the interoperability and global connections that sustain innovation and economic growth. 

Together, we can strengthen Canada’s economy, uphold fairness, and position Canadian solutions to thrive on the world stage.

Joni Brennan
President, DIACC

As digital life now extends beyond our lifespans, most societies remain unprepared for what happens when people die or become incapacitated, leaving behind their online assets. A comprehensive new research paper is now open for public comment:  “The Unfinished Digital Estate: Culture, Law, and Technology After Death.” This paper, published by the OpenID Foundation, addresses the growing complexity of digital estate management, moving beyond traditional financial assets to encompass the full spectrum of our digital lives – from our email accounts, shared photos, and creative work to the emergent class of AI-generated content that may both perform and outlive us.

This research builds on stakeholder input, including perspectives from estate planning attorneys and families who have navigated digital loss. It further acknowledges those dealing with cross-cultural estate management and emphasizes that solutions must respect cultural diversity while providing practical frameworks for the digital afterlife. It is accompanied by a draft Planning Guide, which is also open for public comment and offers practical tools without intending to replace qualified legal advice. 

The paper has been developed by OpenID Foundation members Dean H. Saxe, Mike Kiser and Heather Flanagan, who are long-time contributors to digital identity standards. The work – particularly the Planning Guide – was supported by the Death and the Digital Estate Community Group (DADE CG). The DADE CG will continue to drive implementation of the paper’s recommendations and advocate for standards development in digital estate management.

Policymakers, technologists, legal scholars, estate planning professionals, digital rights advocates – and people with online lives – are invited to offer feedback on this paper, which explores the scale of this global problem. Specifically:

Growing digital legacy crisis – Increasing deaths leave behind substantial digital estates including creative work, social profiles, and connected devices that most legal systems, technology platforms, and cultural traditions cannot properly manage, creating significant family impact. Cultural death perspectives – Different cultural approaches to death fundamentally shape how digital estate planning is understood and implemented across societies. Stakeholders and risks – The paper identifies who faces exposure and what’s lost when digital estate planning fails or remains inadequate. Existing governance gaps – Current systems for managing death, incapacitation, and delegation work inconsistently, fall short in key areas, and resist uniform policy solutions. Technical tool limitations – Available digital estate management tools remain inconsistent, incomplete, and largely controlled by proprietary platforms. Identity delegation complexity – Digital estate planning extends beyond asset transfer to encompass delegation of identity, authority, and agency, requiring careful attention to semantics, standards, and threat models. AI and digital representation – Generative AI creates new possibilities for digital presence after death while raising fundamental questions about digital humanity. Implementation framework – Lawmakers, standards bodies, and implementers need scalable systems that protect individual autonomy while accommodating cultural diversity.

This paper was commissioned by the OpenID Foundation Board in April 2025 after extensive community consultation at IIW, EIC, Identiverse, and other public forums over the course of two years. It follows the Foundation’s standard whitepaper development process.

Your feedback will help ensure this paper serves as a strong foundation for policy development and industry standards in digital estate management. We particularly welcome input from estate planning professionals, platform operators, privacy advocates, and those from diverse cultural backgrounds who can speak to varied traditions around death and inheritance.

The comment period will be open until Friday, October 24th. You may submit your feedback to director@oidf.org. Please use this template and reference specific line numbers for your proposed changes, where appropriate. Furthermore, the editors would appreciate referrals and links to digital legacy management tools or platforms that may be worth including in the final document.

We will share the final outcomes and recommendations at digital identity and estate planning conferences throughout 2025-26 and look forward to further community discussion on the findings before the paper moves to final later this year.

About the OpenID Foundation

The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net. 

The post Whitepaper open for comment: The Unfinished Digital Estate: Culture, Law, and Technology After Death first appeared on OpenID Foundation.

In the MyData Matters blog series, MyData members introduce innovative solutions that align with MyData principles, emphasising ethical data practices, user and business empowerment, and privacy. What if managing your […]

China’s long-standing efforts to bring back talent are starting to pay off at a time when its tech and science rivalry with the U.S. has intensified. According to a Stanford...

On September 23, Human Colossus participated in SNV on Tour at EPFL, an event organized by the Swiss Association for Standardization (SNV). This year's event focused on artificial intelligence and deepfakes, two of the most pressing challenges in today's digital landscape.

The event brought together leaders from academia, industry, government, and civil society to discuss the future of trust, authenticity, and digital integrity in an era increasingly shaped by artificial intelligence and synthetic media.

Our participation highlighted Human Colossus’s commitment to strengthening the foundations of digital trust through technology, standards, collaboration, and international leadership.

Deepfakes and the Three-Fold Strategy of Authenticity

During the event, Professor Touradj Ebrahimi of EPFL presented a clear framework for addressing the growing challenge of deepfakes and manipulated media. He identified three complementary strategies:

Reactive: Detecting manipulation by developing forensic methods for spotting tampering, anomalies, and adversarial examples in audio, video, and images.

Proactive: Authenticity and integrity. This involves embedding cryptographic seals, provenance metadata, or integrity markers directly into content to certify its authenticity at the source.

Collaborative: Verification as a vector of trust. This involves building mechanisms for evidence collection, community-based verification, and shared governance to enable stronger ecosystem responses.

Of these three strategies, the proactive and collaborative approaches align closely with what Human Colossus is building.

Proactive Authenticity: Our work on verifiable provenance, integrity seals, and trustworthy digital infrastructure supports Prof. Ebrahimi’s call to certify authenticity at the source.

Collaborative verification: Human Colossus is pioneering frameworks for evidence sharing, community-driven verification, and governance models that establish verification as a source of trust.

Together, these approaches create a foundation for digital ecosystems that are resilient, transparent, and accountable, going beyond detection alone.

Strengthening Switzerland’s Role in Global Standardization

Another key message was the importance of standardization. Human Colossus is deeply committed to aligning its cutting-edge solutions with international frameworks to ensure interoperability and long-term sustainability.

At SNV on Tour, we reaffirmed our dedication to:

supporting Switzerland’s role as a hub for neutrality, transparency, and innovation in standardization.

actively contributing to European and global discussions on content authenticity and trustworthy AI;

shaping common protocols so that authenticity systems can scale across borders and industries.

This work strengthens Switzerland’s leadership in EU and global standardization and ensures that trust technologies evolve with fairness, accountability, and technical rigor.

Looking Ahead

Participating in SNV on Tour reinforced the importance of collaboration among technology providers, policymakers, researchers, and communities. Tackling deepfakes and synthetic media requires a multidisciplinary approach. It is not just an engineering problem, but a societal challenge that requires reactive detection, proactive authenticity, and collaborative verification.

Human Colossus is dedicated to building infrastructures of trust and contributing to standardization processes that ensure reliability, interoperability, and future-proofing.

From Sunday suppers to 2,000 stores… and almost losing them all. Andrew Arbogast turned his dad’s cheese dip recipe into a fast-growing CPG brand, only to face the harsh realities of shelf life, co-packing, and retailer expectations. In this episode, he joins Liz Sertl to share how he scaled Arbo’s Cheese Dip, what nearly sank the business, and the turning point that gave him a second chance.

Listeners will hear the unfiltered story behind bringing a homemade recipe to the national stage, and the resilience, partnerships, and supply chain decisions that made survival possible.

In this episode, you’ll learn:

How shelf life testing and packaging decisions directly impact scalability

Why rapid national expansion without brand awareness creates costly supply and demand mismatches

What strategies helped Arbo stabilize its operations

Jump into the conversation: (00:00) Introducing Next Level Supply Chain

(02:33) Family traditions that inspired Arbo’s recipe

(04:25) Why barcodes matter for brand credibility

(06:03) Shelf life challenges with early co-packers

(08:11) Reformulating products for large-scale production

(09:24) Rapid retail expansion that backfired

(11:31) Winning Walmart Open Call and scaling mistakes

(13:28) Debt crisis and asking for help

(17:33) Grants and innovation with Real California Milk

(19:31) Favorite flavors and unexpected uses for cheese dip

Connect with GS1 US: Our website - www.gs1us.orgGS1 US on LinkedIn

Connect with the guests: Andrew Arbogast on LinkedIn Check out Arbo’s Cheese Dip

Explore how to deploy passwordless authentication at scale — securely, strategically and with minimal disruption.

Download the playbook to learn:

The different types of passkeys and how to choose the right option for your organization A phased deployment strategy that helps you start small, scale confidently and standardize passkey adoption across your organization The ROI of passkeys backed by data from the FIDO Alliance

Phishing-resistant authentication isn’t a one-size-fits-all. It’s a journey. Complete the form to get our Passkey Playbook to start yours.

In the inaugural episode of Imprivata’s new podcast, Access Point, hosts Joel Burleson-Davis and Chip Hughes sit down with Andrew Shikiar, CEO of the FIDO Alliance, to explore the global movement toward passwordless authentication.

Listen to Episode 1 here: https://ow.ly/Y2Zl50X0vEJ

September 23, 2025

DIACC is proud to recognize British Columbia’s leadership as it launches Connected Services BC, a bold step toward creating simpler, more secure, and more responsive government services for people and businesses.

B.C. has long been a founding member of DIACC and a digital pioneer, consistently demonstrating vision and determination in solving complex digital challenges to better serve its people and businesses. The creation of Connected Services BC, which brings together IM/IT branches and the Office of the Chief Information Officer, continues the tradition of innovation and collaboration.

By uniting teams and platforms under one umbrella, B.C. is moving toward a single, reliable “front door” for citizens and companies online. Features such as single-entry information, shared systems, and coordinated service delivery are essential for building digital trust, a cornerstone of the DIACC’s mission. Verified digital credentials and secure data sharing will help ensure services are efficient, privacy-respecting, and designed around real-world needs.

As Connected Services BC takes shape, DIACC looks forward to working alongside B.C. to advance a secure, interoperable digital trust ecosystem that empowers British Columbians, strengthens businesses, and fuels innovation throughout the province and Canada.

Joni Brennan
President, DIACC

Canada’s digital trust leader, the DIACC, releases its Pan-Canadian Trust Framework (PCTF) Legal Professionals Profile Final Recommendation V1.1 – the first industry-focused PCTF profile –  signalling its ready for inclusion in their Certification Program.

Why is the PCTF Legal Professionals Profile important?
The Legal Professionals Profile establishes Conformance Criteria that enable lawyers and their agents to perform client identity verification in a standardized and auditable way. By aligning with national rules and legal sector priorities, the Profile ensures that trusted processes produce consistent, reliable, and repeatable results when verifying a client’s identity.

What problems does the PCTF Legal Professionals Profile solve?
The Legal Professionals Profile addresses growing challenges in the legal sector around verifying clients in a digital-first environment. It reduces risk and variability by ensuring that when lawyers use third-party agents, those agents meet minimum assurance criteria. It also clarifies expectations for service providers, helping them avoid duplication of effort and misalignment with law society requirements. By bridging the gap between practice and regulation, the Profile strengthens trust, reduces compliance burdens, and supports innovation in how legal services are delivered.

Who does the PCTF Legal Professionals Profile help?

Law societies & lawyers: Gain confidence that identity verification services are compliant and trustworthy. Verification service providers & agents: Have clear standards to demonstrate conformance and build market credibility. Clients & regulators: Benefit from increased assurance, consistency, and protection when engaging with digital legal services.

Download the Profile here.

The world is rapidly moving away from traditional security methods. With FIDO standards in place, more companies are shifting toward passwordless authentication. Many industry players are already phasing out passwords from their authenticator apps.

In India, the passwordless market is estimated at $411 million in 2024 and projected to reach more than $1.5 billion by 2030. This reflects how businesses are opting for faster, smarter, and safer login experiences. To understand what’s driving this trend and how companies are adapting, indianexpress.com spoke with Chandramouli Dorai, chief evangelist, cyber solutions and digital signatures at Zoho Corp.

VinCSS has released an industry first report on the authentication experience in apps for Vietnamese banks, and it shows a “strong shift from traditional to modern authentication methods” in the country’s banking ecosystem.

Biometrics rank as the most commonly used authentication methods for high risk transactions. It’s also rated as the most convenient, with 58.3 respondents listing it as such.

As usual, there are corresponding concerns about data privacy. One in three people worry their biometric data or digital credentials could be stolen or faked, leading to identity fraud. One in Authentication data theft is a top fear. “Many users feel that biometric authentication, though widely implemented, still is not secure enough for them or their digital assets.”

HID, a company that provides secure identity solutions, announced the availability of its updated FIDO-certified authentication solutions in the Philippines, to help financial institutions and enterprises comply with the Bangko Sentral ng Pilipinas’ (BSP) new rules on IT risk management under the Anti-Financial Account Scamming Act (AFASA).

BSP requires organizations under its supervision to strengthen fraud management and identity verification by June 25, 2026. The directive calls for the adoption of secure, phishing-resistant methods, such as passwordless authentication through FIDO standards.

The measure comes amid rising online scams and fraud cases in the country. 

For many market analysts, cybersecurity agencies and authentication experts, passkeys, based on FIDO2 standard protocol, appear as the future proof authentication technology that will become mainstream within the next years.

“By 2027, more than 90% of MFA transactions using a token will be based on FIDO protocols natively supported in IAM tools.”

Editors

Christine Owen, 1Kosmos
Teresa Wu, IDEMIA Public Security

Abstract

Around the world, government entities are currently working to create and implement their digital identity strategies, which includes issuing verifiable digital credentials (VDCs) to their citizens. As a result of these initiatives, organizations are also beginning to discuss using VDCs as a primary form of authentication. VDCs are an important part of verifying a user’s identity that can be used alongside FIDO’s passkeys, which provide a primary authentication mechanism that is fast, safe, and reliable. Passkeys should be issued after a citizen’s VDC is presented for identity verification. This paper will discuss how VDCs and passkeys should coexist when implementing authentication for citizens.

We anticipate a growing confusion in recognizing the differences between the use of digital ID to ascertain identity attributes and allowing users to authenticate themselves online as solutions that follow digital ID standards for online use cases (such as ISO/IEC 18013-7, W3C, IETF, or SD-JWT) are deployed.

This paper aims to clarify misperceptions and avoid confusion by discussing the coexistence of passkeys and digital ID/VDCs, including best practices for using these technologies.

Audience

Government entities, policy makers, relying parties

Download the White Paper 1. Verifiable digital credentials (VDCs) and passkeys

As new technologies continue to emerge, experts are finding new ways to use these solutions together. This paper discusses how verifiable digital credentials (VDCs) and passkeys should coexist when implementing authentication for citizens. VDCs and passkeys were both developed to secure identities in the digital world. However, they have different yet intersecting roles for end users. The following sections introduce VDCs and passkeys.

1.1 VDCs

A VDC can contain an electronic version of identity attributes or can be a digital representation of physical credentials (for example, driver licenses, passports, other identifiable information) that can be cryptographically verified. Typically, a VDC follows the W3C Verifiable Credentials Data Model, Internet Engineering Task Force (IETF) Selective Disclosure for JWTs (SD-JWT), or ISO/IEC 18013-5/7 (mobile driver’s license) standards, which require cryptographic signatures to prove authenticity. Because these standard models use digital wallets, a secure, portable, and instant verification mechanism is created that can preserve privacy by requiring user approval prior to disclosure of sensitive information.

Deployment of VDCs is currently prolific in multiple regions around the world. For example, Asia-Pacific countries are embracing the idea of a VDC. Countries such as Japan, South Korea, and Australia are working together to ensure interoperability amongst their VDCs. Australia’s 2024 Digital ID Act created accreditation requirements for digital IDs and enhanced the trust framework between different providers. In the United States, the mobile driver’s license (mDL) movement is gaining momentum, and several states have already implemented or are piloting mDL programs. For a more detailed look at how government agencies are deploying VDCs, refer to the Appendix.

VDCs can be either a Person ID (PID) that represents a physical person or Attested Attributes which are documents that present properties of a person such as a driver license, age in a certain range, or educational degrees. The validity of VDCs can be expressed by Identity Assurance Levels (IAL) or Levels of Assurance (LOA) (depending on a country’s digital identity standards). In cases where a PID is used, a government entity may determine the types of verified information that are necessary to establish the identity of a person. In most cases, information about a person’s name, address, date of birth, place of birth, official government document number, phone number, and other attributes such as name of parents, gives a strong base for properly identifying a person through the controls available to government or private entities that perform verification on behalf of organizations. Modern technology may add records of biometrics such as fingerprints or face capture to further strengthen identity assurance. The European Digital Identity Wallet (EUDI Wallet) requires that PID be a high level of assurance (LoA), in accordance with the principles used by member states for their civil registration process. Refer to section 5.3 EU VDC Efforts for more information on EUDI Wallets. Similarly, the United States Digital Identity Guidelines[1] require remote identity vetting to be performed at an IAL2 for government use.

VDCs hold a digital representation of a document by defining the syntax of the issuer’s URL, the category of the document, and other standardized syntax such as a trust list (where government entities issue a certificate that guarantees that the URL is what it claims to be), then creating a cryptographic seal that guarantees the authenticity of the document when presented to a relying party (also known as a verifier). Under this W3C Verified Credentials Data Model, the URL serves as a trust model.

Because government entities are also building digital identity wallet schemes based on clear identity standards and mutual recognition mechanisms across different jurisdictions, the adoption of digital identity wallets internationally will facilitate the acceptance of VDCs by traffic police to validate a driver’s license from another country or for a bank to provide the proper checks and balances (for example, know your customer) during transactions.

[1]https://www.nist.gov/identity-access-management/projects/nist-special-publication-800-63-digital-identity-guidelines

1.2 Passkeys

Passkeys, a passwordless and phishing-resistant authentication mechanism, represent a significant advancement in privacy-preserving authentication and are designed to replace traditional passwords with a more secure and user-friendly alternative.

There are two types of passkeys: synced passkeys and device-bound passkeys. Synced passkeys are stored in the cloud and can be accessed across multiple devices, offering convenience and easy recovery. Device-bound passkeys, on the other hand, are stored locally on a specific device or security key, which provides enhanced security. For a more in-depth look at passkeys and how to implement them, refer to Passkey Central.

Passkeys exhibit a robust resistance to phishing attacks due to their foundational design principles. Each passkey is intrinsically tied to the specific origin of the service, identified by the Relying Party ID, thereby ensuring that authentication can only occur with the legitimate and intended service provider. This origin-specific challenge-response mechanism is inherently resistant to replication by phishing sites, rendering such attacks ineffective.

Equally significant is the privacy-preserving architecture of passkeys, which is designed to uphold user confidentiality and prevent tracking. During authentication, no personal or biometric data is transmitted or shared externally. Biometric verification processes, such as fingerprint or facial recognition checks, are conducted locally on the user’s device, ensuring that sensitive data remains under the user’s control.

Because passkeys generate unique cryptographic keys for each service and cannot be reused across platforms, cross-platform tracking is precluded and the privacy concerns associated with social logins that enable providers to monitor user activity across multiple services are avoided. Unlike traditional authentication methods (such as passwords or two-factor authentication), the use of unique cryptographic keys effectively mitigates the risk of cascading breaches that can result from a single compromised account. By replacing shared secrets with device-bound cryptographic keys, passkeys fundamentally neutralize phishing as a viable attack vector. When passkeys are synchronized across devices via cloud-based mechanisms, they are protected through end-to-end encryption.

This privacy-centric design fosters a sense of security and trust among users and reassures them that their personal information is not being tracked or misused by government entities or service providers. By combining phishing-resistant authentication with privacy-preserving principles, passkeys represent a significant advancement to secure and user-centric digital identity management.

1.3 The intersection of VDCs and passkeys

Both VDCs and passkeys enhance security and reduce friction during digital interactions. VDCs focus on securely representing qualifications and attributes (association with the real user), while passkeys specifically target phishing-resistant authentication (what a user has). When used together, these two technologies complement each other to enhance security within the digital world.

2. Core concepts of digital identities

This section covers the differences between digital identities, authentication, and authorization. It also examines how to enhance the use of verifiable digital credentials.

2.1 Verified identities vs authentication vs authorization

Digital identities play a crucial role in facilitating online transactions. Commonly, VDCs contain identity attributes that can be presented as evidence to verify the identity of the VDC holder. For example, an individual might use their VDC to assert attributes such as name, date of birth, and address in order to verify their identity and open a financial account with a bank. The bank can use these attributes to comply with regulations such as Know Your Customer (KYC) or Anti-Money Laundering (AML).

Identity verification is the process of confirming that a person is who they claim to be, often during onboarding, using trusted documents for proof of identity. Once a verified identity is established, authentication helps verify individuals on return visits. While passwords or two-factor authentication have traditionally been used for authentication, passkeys are not only more secure than traditional authentication methods but also provide users the convenience of quickly using a biometric to unlock a cryptographic key which is then used for authentication. Passkeys, unlike VDCs which may assert information about the user each time they are presented, are privacy preserving and do not provide user attributes during authentication.

VDCs can be used to transmit requested identity attributes to relying parties during authorization requests.[1] This method can decrease the relying party’s exposure to risk, as it provides a more holistic view of an end user through their verified set of attributes. The relying party can then make an informed decision regarding that user’s access based on their rules for access and the attributes presented.

[1] Authorization is the process of granting the correct level of access to a user after their identity is authenticated. As a specific function within Identity and Access Management (IAM) systems, authorization helps system managers control who has access to system resources and set client privileges. Access controls are used to assign a set of predetermined access rights to a user identity and use of attribute exchanges to help determine authorization requests is gaining traction in the cybersecurity industry.

Enhancing verifiable digital credentials use

VDCs are designed to enable individuals to make verifiable claims about identity attributes or entitlements without serving as direct authentication mechanisms. Unlike authentication methods that authenticate users to specific services, VDCs focus on sharing attested claims (for example, date of birth, and address) through a decentralized triangle of trust that involves issuers, holders, and verifiers. VDCs are designed with privacy in mind, as standards such as SD-JWT and ISO mdoc require that when users share specific claims from a credential (for example, age from a driver’s license), the integrity of the original document must be proven cryptographically. Users retain ownership of VDCs, enabling them to present credentials across platforms without relying on centralized authorities. This flexibility makes VDCs ideal for scenarios that require proof of identity.

Passkeys provide a phishing-resistant authentication method that binds authenticators to specific domains. Passkeys do not pass Personally Identifiable Information (PII) or similar information at the time of authentication, thus preserving the privacy of the user. However, VDCs can pass along unnecessary PII, when requested by a relying party and agreed upon by the Holder. For instance, a malicious actor could impersonate a bank’s identity verification portal, capture a user’s PII from their VDC, and exploit the user’s PII. While cryptographic signatures ensure credential integrity, they do not address contextual misuse, highlighting a gap in current standards. Therefore, it is better to utilize VDCs for user credentials and attributes.

Despite these risks, VDCs are increasingly adopted for high-assurance processes:

Universities can use VDCs to streamline enrollment by verifying academic records and extracurricular participation. Banks can employ VDCs for eKYC (electronic Know Your Customer), combining document verification (for example, passports), biometric liveness checks, and AML and Politically Exposed Person (PEP) screening to onboard customers remotely. VDCs mitigate fraud in transactions requiring stringent identity assurance, such as cross-border financial transfers or healthcare licensing. For example, selfie verification and document-centric checks ensure the physical presence of users during high-value agreements. In cross-border education, VDCs enable instant verification of international student credentials, reducing administrative delays and fraud risks.

However, these applications often require supplementary safeguards (for example, multi-factor authentication, liveness detection) to compensate for the PII phishing susceptibility of VDCs.

VDCs offer transformative potential for decentralized identity management, particularly for enrollment and high-assurance transactions. By integrating VDCs with phishing-resistant authentication mechanisms and advancing interoperability standards, government entities and organizations can harness their benefits while mitigating risks. As the ecosystem evolves, collaboration among government entities, standards bodies, and industry stakeholders will be essential to balance innovation with security.

3. Key considerations

VDCs and passkeys are built according to widely accepted standards, which promotes interoperability and offers seamless integration across various platforms and services. This standardization is crucial for widespread adoption and the creation of a truly interconnected digital identity ecosystem.

3.1 Privacy consideration

Privacy preservation is a key feature that must be present for both VDCs and passkeys. Combining VDC’s and passkeys benefit both the end users and relying parties. In this ecosystem, users maintain control over their credentials and can selectively share attributes as needed, for example when enrolling as a user with a relying party. Relying parties can be confident that the person behind the VDC is, more likely than not, who they say they are.

Moving forward however, the identity industry as a whole should address growing concerns about data privacy and control in the digital age. While VDCs are privacy-preserving mechanisms that hold and share verified credentials, relying parties should only request the minimum attributes required from the end user to enroll them in the application. Depending on the application type and legal and regulatory requirements, the attributes could be as little as email address and name or may also include verified home address and national identity number.

3.2 eIDAS 2.0 regulation

The European Digital Identity Regulation 2.0 (eIDAS 2.0) regulation describes where passkeys can be implicitly or explicitly used within the EUDI Wallet. The PID for an EUDI Wallet should be used with a high eIDAS LoA for initial authentication to a relying party. A FIDO passkey can be enrolled to the user’s EUDI Wallet to meet this requirement. The passkey can then be used for repeated authentication with pseudonyms to the relying party. In this way, passkeys can co-exist or complement the VDC in the EUDI Wallet ecosystem.

Section 5f.3[1] of the eIDAS 2.0 regulation reads that while very large online platforms must accept and facilitate the use of EUDI Wallets for authentication, they must do so “in respect of the minimum data necessary for the specific online service for which authentication is requested”. Therefore, eIDAS 2.0 allows online platforms to support pseudonymous PID authentication, rather than require those platforms to also accept VDCs that are issued by and tied to a government-issued credential.

Consequently, passkey providers will need to issue and restore passkeys. The passkey provider services can be operated by different entities in the EUDI Wallet ecosystem: by the cloud-based EUDI Wallet backend, by the PID provider, or by the Qualified Trust Services Provider (QTSP) that issues the (Qualified) Electronic Attestation of Attributes ((Q)EAAs).

[1] https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401183

Cloud-based EUDI wallets and passkey providers have an interesting synergy. PIDs and (Q)EAAs are hosted at a cloud-based EUDI Wallet backend that is accessed from the user’s devices using FIDO passkeys. If the user’s device is lost or replaced, the user would only need to restore the FIDO passkey, which will then give the user access to the PIDs and (Q)EAAs. This allows for rapid recovery of an EUDI Wallet since the user can first download the FIDO passkey to a device and then use the FIDO passkey to get instant access to the cloud-based EUDI Wallet.

3.3 Use cases for an integrated approach for VDCs and passkeys

Passkeys and digital identity wallets are not competing technologies, but rather complementary solutions that together create a robust, portable identity ecosystem. Passkeys serve as a secure gateway to digital identity wallets, providing strong defense against unauthorized access, and wallets serve to provide valuable data during high-risk transactions. This combination enhances security and streamlines the user experience by unifying verified identity (EUDI Wallet) with easy authentication (passkey).

Perhaps most importantly, this combination allows for the creation of reusable identities. Users can prove their identity once and then reuse the same VDC across multiple services, significantly reducing friction for digital interactions while maintaining high security standards. The potential applications for this integrated approach to digital identity and authentication are vast and span multiple sectors:

Online verification: In e-commerce, (for example, state-backed liquor stores) age verification for purchasing restricted products can be streamlined using verified credentials stored in a digital wallet and accessed securely with a passkey. Government services: Secure access to tax filing systems and other government benefits can be facilitated through this combined approach, enhancing security while improving user experience. Healthcare: Verifying prescribing doctor’s credentials across multiple hospitals becomes more efficient and the secure transfer of patient records between healthcare providers can be streamlined. Education: Higher education systems can more effectively prevent account takeovers and students can create reusable identities that carry their records throughout their academic careers and beyond. Financial services: Know Your Customer (KYC) processes can be significantly streamlined and enhanced security for high-risk transactions can be implemented more effectively.

In most use cases, relying parties should use VDCs to enroll their constituents at the beginning of their interactions and accept passkeys for further interactions with the constituent. If a constituent is conducting a high-risk transaction, then the relying party should ask for additional attributes from the VDC at the time of authentication. Additionally, a VDC should be used for passkey recovery, while a passkey should be used to access the VDC.

4. Recommendation

Government entities and organizations who adopt passkeys as the primary form of authentication for constituents can leverage their enhanced security and ease of use. To ensure trust and usability, passkeys should be backed by verified digital credentials (VDCs), especially in scenarios where a verified identity is required for passkey issuance or account recovery. VDCs provide a robust mechanism to securely recover passkeys while maintaining a high level of assurance.

To implement this effectively, a tiered approach based on Identity Assurance Level (IAL) requirements and the risk tolerance of the data being protected within the service is recommended. For services with moderate IAL requirements, relying parties (RPs) should:

Read a government-issued ID to verify the user’s identity. Create a passkey tied to the verified identity. Use the passkey for re-authentication in all subsequent interactions.

Government entities and organizations who adopt passkeys as the primary form of authentication for constituents can leverage their enhanced security and ease of use. To ensure trust and usability, passkeys should be backed by verified digital credentials (VDCs), especially in scenarios where a verified identity is required for passkey issuance or account recovery. VDCs provide a robust mechanism to securely recover passkeys while maintaining a high level of assurance.

To implement this effectively, a tiered approach based on Identity Assurance Level (IAL) requirements and the risk tolerance of the data being protected within the service is recommended. For services with moderate IAL requirements, relying parties (RPs) should:

Read a government-issued ID to verify the user’s identity. Create a passkey tied to the verified identity. Use the passkey for re-authentication in all subsequent interactions.

For services with higher IAL requirements, collaboration between government entities and organizations like the FIDO Alliance is essential. Together they can develop solutions to ensure that passkeys meet stringent assurance levels while maintaining user privacy and convenience.

Additionally, there is a pressing need for standards and mutual recognition arrangements for IAL across jurisdictions. Government entities should work to establish clear guidance that states which IAL levels are required for specific services for legal compliance and consumer protection. These standards should aim to be valid across as many countries as possible to facilitate interoperability and trust for cross-border digital interactions.

By adopting passkeys as the foundation of authentication and aligning them with verified credentials and standardized IAL frameworks, government entities can enhance security, improve user experience, and foster global cooperation in digital identity management.

5. Appendix 5.1 Verifiable digital credentials for government deployments

The digital identity landscape is undergoing significant transformations worldwide. This appendix explores how government entities around the world are implementing VDCs.

5.2 APAC VDC efforts

Asia-Pacific countries are embracing the idea of a VDC. Countries such as Japan, South Korea, and Australia are working together to ensure interoperability amongst their VDCs. Australia’s Digital ID Act 2024 created accreditation requirements for digital IDs and enhanced the trust framework between different providers.

In Asia, government-issued digital credentials are advancing rapidly but unevenly; a reflection of diverse economic, technological, and regulatory landscapes. Recent deployments highlight both the progress and the critical role of standards bodies (such as ISO/IEC and W3C) in shaping secure, interoperable systems. In Asia, countries such as India, Singapore, and South Korea are leading with robust digital ID systems, while Australia is harmonizing mDLs with international standards for secure, interoperable credentials.

Singapore’s SingPass is a benchmark for seamless public and private service access. South Korea leverages digital IDs for e-governance, incorporating FIDO and ISO/IEC 29115 standards. Japan’s Digital Agency[1] drives Individual Number (My Number) card enhancements through initiatives such as the Asia Pacific Digital Identity Consortium[2] launched in December 2024.

The government of Japan started issuing digital National IDs (individual number card/My Number card on smartphones) in mdoc format (standardized under ISO/IEC 18013-5) for iPhone users on June 24, 2025, and is planning to issue it for Android users in 2026. For the digital National ID, identity information such as name, birthdate, address, gender, and individual number (called My Number in Japan) are included. The aim is for digital National IDs to be used in various identity proofing use cases for both in-person and remote use cases.

In Southeast Asia, Thailand’s 2022-24 Digital ID Framework targets 10 million digital IDs and National Digital ID platforms. When discussing biometrics across Mobile ID, D.DOPA, the creators of this framework referenced NIST 800-63 and ISO/IEC 19794 standards. Malaysia’s MyDigital ID, which adheres to ISO/IEC 27001, and Sarawak’s planned Sarawakpass, aims to emulate SingPass for cashless transactions and service access. The Philippines’ PhilSys has enrolled 68 million, focusing on digital issuance to bypass physical card delays. In March 2025, Taiwan’s Digital Ministry introduced a prototype Taiwan Digital Identity Wallet (TW DIW), a non-mandatory mobile app for storing IDs and licenses, using biometric authentication and selective disclosure. A sandbox trial began in March, with broader testing planned for December, but it is not a full digital ID replacement and excludes medical data sharing.

Australia and New Zealand are harmonizing mobile driver’s licenses with ISO/IEC 18013-5. In Australia and New Zealand, harmonization efforts for mDLs center on adopting ISO/IEC 18013-5, which ensures secure, interoperable digital credentials verifiable domestically and internationally. In Australia, Austroads’ Digital Trust Service (DTS) leads the charge with a pre-production version tested successfully for national scalability. New South Wales, with 4.5 million users since 2019, is transitioning its Service NSW app, which offers app-based mDLs, to full compliance, ensuring legal equivalence to physical cards. South Australia’s mySAGOV app incorporates the standard’s verification features. The DTS, targeting a 2025-26 rollout, enables cross-jurisdictional and global verification, was demonstrated at the 2024 Identity and Verifiable Credentials Summit for uses like U.S. airport access and includes New Zealand in its interoperability framework. New Zealand is aligning its NZTA app-based digital licenses with ISO/IEC 18013-5, building on mutual recognition agreements with Australia.

5.3 EU VDC efforts

In Europe, the European Digital Identity Regulation 2.0 (eIDAS 2.0) regulations, which came into force in May of 2024, mark a pivotal shift in how digital identities are managed across the European Union. This updated framework introduces the European Digital Identity Wallet (EUDI Wallet), which aims to provide EU citizens with a secure, interoperable digital identity solution for accessing public and private services across member states.

The EUDI Wallet is a cornerstone of the eIDAS 2.0 regulation[3] and will be offered free of charge to all EU citizens. The purpose of the EUDI Wallets is to enable EU citizens to prove their identity when accessing both online and offline resources or to present specific personal attributes without revealing their full identity. The EUDI Wallets will be able to be used for use cases such as the mobile driving license, payments, access to public services, and opening a bank account.

The EUDI Wallet architecture is outlined in the European Digital Identity Wallet Architecture and Reference Framework (the ARF), which specifies the formats and protocols to be used by the EUDI Wallets. Each EUDI Wallet will be bootstrapped with a Personal Identity Document (PID), which will be enrolled at the high eIDAS Level of Assurance (LoA). In addition to the PID, users will have the option to add additional (Q)EAAs, which can prove the user’s identity and claims to relying parties.

The ARF has specified that the following formats are suitable for the PID and (Q)EAAs:

ISO/IEC 18013-5 mobile driving license (mDL) W3C Verifiable Credentials Data Model v1.1 IETF SD-JWT-based Verifiable Credentials (SD-JWT VC)

Furthermore, International Civil Aviation Organization (ICAO) Digital Travel Credentials (DTC) can also be used as a (Q)EAA with the EUDI Wallet.

5.4 US VDC Efforts

In the United States, the mobile driver’s license (mDL) movement is gaining momentum, and several states have already implemented or are piloting mDL programs. Unlike the centralized approach of eIDAS 2.0, the U.S. initiatives are being developed more organically, driven by individual federal agencies and state efforts, alongside industry collaborations. These developments reflect a growing recognition of the need for robust, user-centric digital identity solutions in an increasingly digital world, although they approach this goal through different regulatory and technological paths.

As US states provide their constituents with ID cards and driver’s licenses, the responsibility of creating mID and mDLs lies with each of the states. As such, the development and implementation of mDLs in the US has been a gradual and varied process across different states.[4] While only about a third of US states currently offer mDLs, many states are pushing forward, as they recognize the potential benefits of mDLs in improving remote transactions, reducing identity fraud, and enhancing digital identity verification for both government services and private sector services.

The Transportation Security Administration (TSA) is evaluating the potential impact of VDCs (such as mobile driver’s licenses) on aviation security and operations. The TSA has integrated digital identity capabilities, including the acceptance of state-issued mobile driver’s licenses, at TSA checkpoints using the Credential Authentication Technology 2 (CAT-2) system to provide for a secure and seamless method of verifying an individual’s identity. Currently, the TSA is accepting mobile driver’s licenses and mobile IDs from 15 participating states. In October 2024, the TSA published a final rule in the Federal Register that would allow passengers to continue using mobile driver’s licenses (mDL) for identity verification at TSA airport security checkpoints now REAL ID enforcement began on May 7, 2025.

In addition to publishing the Digital Identity Guideline SP 800-63, the NIST National Cybersecurity Center of Excellence (NCCoE) launched an mDL adoption acceleration project to bring together stakeholders from across the mDL ecosystem to work to build out a reference implementation to promote standards and best practices for mDL deployments and to address mDL adoption challenges. The first NCCoE use case will focus on helping consumers create financial accounts and helping financial institutions meet Customer Identification Program/Know Your Customer (CIP/KYC) requirements using mDLs.

For the US Federal government’s digital interactions with users, agencies are embracing the idea of a reusable identity stored in a digital identity wallet. Generally speaking, these VDCs are cloud-based and would be used to verify a user’s identity prior to interacting with a federal agency for actions such as enrolling in public benefits or filing taxes. These VDCs are also tied to an authenticator that the constituent would use to sign in to the agency’s application. Within the federal space, a VDC tied to an authenticator is called a credential service provider (CSP).

5.5 UK VDC Efforts

​The UK Government released the Digital Identity and Attributes Trust Framework (DIATF) gamma version (0.4)[5], in November 2024, which outlines the standards and roles for digital identity services which relate to digital wallets. The UK plans to introduce digital driving licences in 2025, that will be available through a new GOV.UK digital wallet app on smartphones.

[1] https://www.digital.go.jp/en

[2] https://www.apdiconsortium.org/

[3] The “Regulation (EU) 2024/1183 as regards establishing the European Digital Identity Framework” (eIDAS 2.0) was adopted by the EU parliament in April 2024. The eIDAS 2.0 regulation will be extended with Commission Implementing Regulations (CIRs), also known as “implementing acts”, which will elaborate certain legal aspects of the eIDAS 2.0 regulation. The eIDAS 2.0 CIRs continue to be specified.

[4] As of March 2025, the states that offer mDLs include Alaska, Arkansas, Arizona, California, Colorado, Delaware, Georgia, Hawaii, Iowa, Louisiana, Maryland, Mississippi, New York, Ohio, Puerto Rico, Virginia, Utah, and West Virginia.

[5] https://www.gov.uk/government/publications/uk-digital-identity-and-attributes-trust-framework-04

6. Contributors Jerome Becquart, Axiad John Bradley, Yubico Tim Cappalli, Okta Sebastian Elfors, IDnow Hideaki Furukawa, Nomura Research Institute, Ltd. William Fisher, NIST Henna Kapur, Visa Sue Kooman, American Express Matthew Miller, Cisco Jeff Nigriny, CertiPath, Inc. Joe Scalone, Yubico Alastair Treharne, Ingenium Biometric Laboratories 7. Document History ChangeDescriptionDateInitial publicationWhite paper first published.September 2025            

8. References

The Asia-Pacific Digital Identity (APDI) consortium. APDI consortium. https://www.apdiconsortium.org/

Digital Agency. Home. Digital Agency. https://www.digital.go.jp/en

The FIDO Alliance. Home. Passkey Central. https://www.passkeycentral.org/home

NIST. Digital Identities – Mobile Driver’s License (mDL). NIST National Cybersecurity Center of Excellence. https://www.nccoe.nist.gov/projects/digital-identities-mdl

NIST. (2025, July). NIST SP 800-63-4 Digital Identity Guidelines. NIST. https://www.nist.gov/identity-access-management/projects/nist-special-publication-800-63-digital-identity-guidelines

Office for Digital Identities and Attributes and Department for Science, Innovation and Technology. (2025, June 26). UK digital identity and attributes trust framework (0.4).  Gov UK. https://www.gov.uk/government/publications/uk-digital-identity-and-attributes-trust-framework-04

The European Parliament and the Council of The European Union. (2024, April 11). Regulation (Eu) 2024/1183 of the European Parliament and of the Council. EUR-Lex.europa.eu. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401183

Transportation Security Administration. (2024, October 7). TSA announces final rule that enables the continued acceptance of mobile driver’s licenses at airport security checkpoints and federal buildings. TSA. https://www.tsa.gov/news/press/releases/2024/10/24/tsa-announces-final-rule-enables-continued-acceptance-mobile-drivers

By Lucía Morado, OASIS XLIFF TC Co-Chair

XLIFF 2.2 is the new version of the OASIS XLIFF (XML Localisation Interchange File Format). Developed by the OASIS XLIFF Technical Committee, XLIFF is the main bilingual bitext format in the localisation industry. This interoperability standard defines a normative method for storing and exchanging localisable data across the various stages of the localisation process. This new version (XLIFF 2.2) introduces valuable enhancements while remaining backward compatible with the previous ones (XLIFF 2.1 and 2.0). 

XLIFF 2.2: What’s New?

One of the main changes of the new version is the new presentation structure of its specification. XLIFF 2.2 is now available in two formats:

XLIFF 2.2 Core: Contains only the essential information needed to create a valid XLIFF file. XLIFF 2.2 Extended: Includes the XLIFF Core as well as all the additional modules.

For those unfamiliar with our terminology:

XLIFF Core is the minimal set of XML elements and attributes that allows to define a set of translation units organised by source and target language. If a tool developer wishes to claim support for XLIFF 2.2, they must implement XLIFF Core.

XLIFF Modules offer additional set of XML elements and attributes that allow the inclusion of  (potentially useful) information about specific processes. For example, the Size and Length Restriction Module provides a mechanism to annotate possible constraints on content size and length. Tool developers may choose to support the modules that are most relevant for their specific use cases. XLIFF 2.2 includes 9 modules: Translation Candidates, Glossary, Format Style, Metadata, Resource Data, Size and Length Restriction, Validation, ITS,and Plural, Gender and Select.

By introducing a simplified version of the specification (XLIFF Core), which contains only the essential information needed to implement XLIFF, we aim to facilitate adoption among developers who are primarily interested in supporting the core functionality of the standard.

The other major change in XLIFF 2.2 is the release of the new Plural, Gender and Select Module. This module, which was proposed by Mihai Nita (Google), provides a method to store information required to represent and process messages with variants, such as plural forms or gender distinctions.

Upcoming Webinar

On October 7, members of the OASIS XLIFF TC will host a free webinar to present XLIFF 2.2. This event will cover the aforementioned key changes introduced in this new version, along with other minor enhancements. The main presentation will be followed by a live Q&A session, offering attendees the chance to engage directly with the experts behind the standard.

This is a unique opportunity for anyone interested in this influential localisation standard to learn about its latest developments, from the people maintaining and developing it. Do not miss it!

For those unable to attend live, a recording of the webinar will be made available on the official OASIS XLIFF TC website after the event.

We also encourage everyone who wishes to share comments or suggestions about the standard with the OASIS XLIFF TC to use the official public mailing list, which is open for community feedback.

The post Discover the new XLIFF 2.2: Join Us for an Interactive Webinar on October 7! appeared first on OASIS Open.

Supporting Australia’s Digital Trust Ecosystem

The OpenID Foundation’s Australian Digital Trust Community Group (ADT CG) has submitted comments to Australia’s Productivity Commission on its Interim Report covering data and digital technology policy, demonstrating the Foundation’s commitment to supporting policy development in Australia through expert technical guidance and industry collaboration.

The ADT CG serves as a neutral platform for professionals working on digital identity and trust systems. It brings together stakeholders from technology vendors, industry sectors, consumer groups, and government to collaborate on standards based digital trust services in Australia.

The official submission to Australia’s Productivity Commission, including the letter and the exhibit with details on all the areas that the ADT CG has provided feedback on, can be found HERE. 

The OpenID Foundation would like to thank the Australian Government’s opportunity to contribute to this important policy discussion. This collaboration builds on our ongoing partnership with Australian authorities, including their co-funding of security analysis on FAPI 2.0, demonstrating shared commitment to advancing secure digital infrastructure.

Some of the key areas the ADT has commented on include:

Digital identity framing: Policy should support multiple digital identity providers using open international standards rather than favouring one government system. This approach allows consumer choice, increases competition, reduces costs, and enables interoperability across sectors and borders. Specifications like OpenID Connect and FAPI 2.0 are examples of standards already deployed in Australia. Data minimization: Encourage “assertion-based sharing” as an alternative pathway, where organizations share verified claims (e.g., “over 18”) rather than raw data. This approach reduces cybersecurity costs, addresses consent fatigue. Incentives: Data sharing ecosystems need business models and value exchange mechanisms for participants, not just intrinsic incentives. Shared Signals is an example of where organizations need incentives to share real-time risk information about compromised accounts or sessions to create an effective “nervous system” for data security.

The OpenID Foundation also thanks the ADT CG members for their thought leadership and technical expertise in developing these comprehensive recommendations, which reflect the collective insights of Australia’s digital trust community.

Olaf Grewe, Head of Product, Digital Identity & Access at National Australia Bank and Co-Chair of the ADT CG, said: “When government and industry collaborate on establishing the regulatory framework. considering customer and commercial imperatives, and leveraging proven international standards like OpenID Connect and FAPI, we create ecosystems that are more secure, interoperable, and competitive.”

Membership in the ADT CG is open to all stakeholders interested in advancing interoperable, standards-based digital trust in Australia. The group operates through regular meetings and maintains a continuously updated topic roadmap based on emerging challenges and learnings from the Australian market. 

About the OpenID Foundation

The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net. 

The post Australian Digital Trust Community Group responds to Productivity Commission’s Digital Technology Report first appeared on OpenID Foundation.

The voting period will be between Thursday, October 2, 2025 and Thursday, October 19, 2025, following the 45 day review of the specification.

The OpenID Connect Working Group page is https://openid.net/wg/connect/. If you’re not already a member, or if your membership has expired, please consider joining to participate in the approval vote. Information on joining the OpenID Foundation can be found at https://openid.net/foundation/members/registration.

The vote will be conducted at: https://openid.net/foundation/members/polls/388. 

Marie Jordan – OpenID Foundation Secretary

About The OpenID Foundation (OIDF)

The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.

The post Notice of Vote for Proposed Second Implementer’s Draft of OpenID Connect Native SSO for Mobile Apps first appeared on OpenID Foundation.

The blockchain industry has matured significantly over the past decade, but one challenge remains: interoperability. Indeed, with thousands of blockchain networks currently operating in isolation, the ability to securely and efficiently exchange data and assets between blockchains remains critical.

Executive Summary: This statement reflects the MyData community’s commitment to advancing children’s digital rights in alignment with the EU’s regulatory initiatives. While the EU leads globally in protecting children online, […]

September 17, 2025

In a time of economic uncertainty, global competition, and pressing labour shortages, Ontario’s “As of Right” initiative is a crucial step toward unlocking opportunities, enabling skilled professionals, including architects, engineers, geoscientists, and electricians, to contribute more quickly and effectively. This approach has the potential to protect workers, support employers, and help deliver critical nation-building projects without unnecessary delay.

For more than a decade, DIACC and its members have advanced digital trust and identity verification as essential enablers of labour mobility, economic resilience, and innovation across Canada. For example, a verified digital credential can enable an electrician licensed in New Brunswick to securely prove their qualifications to an Ontario regulator in minutes, rather than waiting months, allowing them to begin work on essential infrastructure projects without unnecessary red tape or risk. Ontario’s action aligns with this shared vision, and we look forward to seeing the positive impact as these measures are implemented.

DIACC remains committed to being a strong partner to Ontario, its people, and its businesses. Working alongside governments, industry leaders, and communities across the country, we will continue to advance a secure, interoperable digital trust ecosystem that ensures every Canadian’s credentials and contributions are recognized seamlessly, supporting productivity, innovation, and prosperity from coast to coast to coast.

Joni Brennan
President, DIACC

The OpenID Foundation continues to support government partners, with the OpenID Foundation’s Chairman Nat Sakimura recently leading the organization’s expert guidance to Japan’s Financial Services Agency (FSA) on strengthening cybersecurity defences for securities and trading companies facing sophisticated phishing attacks.

Japanese financial firms have been experiencing increasingly sophisticated phishing and unauthorized access attacks, prompting the FSA to revise its supervisory guidelines with mandatory phishing resistant authentication requirements. Under Sakimura’s leadership, the OpenID Foundation provided expert technical input on these security measures.

Several key areas where OpenID standards can strengthen Japan’s financial cybersecurity were highlighted. Specifically, the Foundation recommended using the Shared Signals Framework for information sharing between operators (standards already recommended by the US Cybersecurity and Infrastructure Security Agency and National Security Agency), API-first security approaches from the FAPI Working Group, and ongoing security monitoring rather than temporary measures.:

Global standards, local Impact

The OpenID Foundation’s feedback demonstrates how pressing local security issues can be remediated through the ecosystem wide application of existing, proven international standards. By providing guidance grounded on the latest and global best practices, the OpenID Foundation is helping to ensure Japan’s new guidelines can deliver on their critical path objectives.

As cyber attacks continue to scale in their sophistication and harm they can cause, so governments, standards bodies and implementers need to remain not just vigilant but proactive.

About the OpenID Foundation

The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.

The post OIDF supports Japanese regulator on phishing defence first appeared on OpenID Foundation.

The OpenID Foundation membership has approved the following as an OpenID Final Specification:

OpenID for Verifiable Credential Issuance 1.0: https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-final.html 

A Final Specification provides intellectual property protections to implementers of the specification and is not subject to further revision. This Final Specification is the product of the OpenID DCP Working Group.

The voting results were:

Approve – 102 votes Object — 1 vote Abstain – 12 votes

Total votes: 115 (out of 442 members = 26% > 20% quorum requirement)

Marie Jordan – OpenID Foundation Secretary

About the OpenID Foundation

The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net. 

The post OpenID for Verifiable Credential Issuance 1.0 Final Specification Approved first appeared on OpenID Foundation.

Industry wide adoption of standardized security event sharing now possible. Three specifications to enable instant security coordination across all connected systems worldwide. This crucial development will make Zero Trust architectures achievable at global scale.

 

San Ramon, CA, 16 September 2025 – The OpenID Foundation (OIDF), a global leader in open identity standards, has approved three Final Specifications, establishing the first global standards for real-time security event sharing across digital identity systems. 

The approved Final Specifications are:

OpenID Shared Signals Framework 1.0 – Enables secure, real-time delivery of security events between any connected systems OpenID Continuous Access Evaluation Profile (CAEP) 1.0 – Defines how systems communicate session changes to maintain continuous security OpenID Risk Information Sharing and Coordination (RISC) 1.0 – Establishes standards for sharing account security changes between services

Why the specifications matter 

These specifications solve a critical gap that has left organizations vulnerable during the extended periods between user logins. Systems relying on federated identity had no way to receive security updates after initial login. Sessions often last days or weeks, during which user locations, device compliance, or organizational access may change dramatically. Organizations were forced to choose between disrupting users with constant re-authentication requests or accepting substantial security risks from outdated login information.

These standards create an ecosystem where security systems can instantly communicate threats across organizational boundaries. Enterprise device management systems can notify all connected services when a user’s device becomes non-compliant or compromised, while cybersecurity threat detection platforms can share intelligence about suspicious activities in real-time. Identity providers can immediately broadcast alerts about credential compromises or account takeovers, and applications can report anomalous user behaviour patterns to the broader security ecosystem. 

SGNL’s CTO Atul Tulshibagwale and co-chair of the OpenID Foundation’s Shared Signals Working Group, led the development effort. He said: “This coordinated approach makes Zero Trust security architectures practically achievable at global scale, where security decisions are continuously evaluated based on current, real-time information rather than outdated login credentials. 

“For financial services institutions, healthcare organizations, government agencies, and other security critical sectors, these specifications provide the standardized foundation needed to implement comprehensive Zero Trust security architectures and continuous access evaluation policies across their entire digital infrastructure.”

Significance of ‘Final Specification’ status

The OpenID Foundation’s approval establishes the specifications as the definitive global standard for continuous identity security, providing the foundation for protecting billions of users worldwide. The designation as Final Specifications provides crucial intellectual property protections and guarantees these standards will not undergo further revision. This stability gives organizations worldwide the confidence to invest in large scale implementations without risk of standard deprecation

The OpenID Foundation’s membership represents organizations responsible for protecting billions of user identities worldwide. Major technology leaders, including Apple, IBM, Okta, and others, have already adopted these protocols.

Gail Hodges, the OpenID Foundations’ Executive Director, said: “The fact that the first three specifications in the Shared Signals family are Final is a material milestone in the adoption of the specification. This status unlocks the ability of many governments to adopt the specifications, and encourages many CTOs and CISOs that the specifications are completely stable and ready for adoption. The OIDF recognizes all the countless hours the Shared Signals WG cochairs, contributors, and implementers have played in conceiving, maturing and now scaling this family of specifications, specifications we perceive as vital to the health of identity and security ecosystems globally.”

ENDS

For more information, please contact:

Serj Hallam E: serj.hallam@oidf.org  

Elizabeth Garber E: elizabeth.garber@oidf.org 

About The OpenID Foundation (OIDF)

The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net

The post PRESS RELEASE: OpenID Foundation finalizes global standards for real-time identity security first appeared on OpenID Foundation.

Edge Enhances EdgeMarket Platform with Voyatek's Application Fraud Firewall Solution

NEWARK, NEW JERSEY, September 16, 2025 – Edge, the nation's leading member-owned nonprofit technology consortium, today announced the addition of Voyatek's Application Fraud Firewall solution to its comprehensive EdgeMarket procurement platform. This agreement brings cutting-edge fraud prevention capabilities to Edge's extensive membership network of colleges, universities, K-12 school districts, government entities, and nonprofit organizations nationwide.

Voyatek's Application Fraud Firewall is an adaptive-AI, cloud-based solution that leverages sophisticated artificial intelligence and identity verification models to analyze admissions, financial aid, and enrollment data with precision and accuracy. The addition of the solution to EdgeMarket comes at a critical time when application fraud has reached epidemic proportions across higher education. Recent estimates suggest that up to 25% of applications at some institutions may be fraudulent, with scammers posing as "ghost students" using stolen or fabricated identities to enroll, disappear with financial aid funds, and create administrative burdens for resource-strapped schools.

EdgeMarket has always been committed to providing our members with innovative solutions that address their most pressing challenges. The nationwide surge in application fraud represents a significant threat to the integrity and financial stability of our higher education members. By adding Voyatek's Application Fraud Firewall to our platform, we're empowering institutions across the country with the tools they need to protect their students, resources, and reputation while maintaining accessibility for genuine applicants.

— Dan Miller
AVP EdgeMarket and Solution Strategy, Edge

"EdgeMarket has always been committed to providing our members with innovative solutions that address their most pressing challenges," said Dan Miller, AVP of EdgeMarket and Solution Strategy at Edge. "The nationwide surge in application fraud represents a significant threat to the integrity and financial stability of our higher education members. By adding Voyatek's Application Fraud Firewall to our platform, we're empowering institutions across the country with the tools they need to protect their students, resources, and reputation while maintaining accessibility for genuine applicants."

"We're thrilled to partner with Edge and bring our fraud prevention capabilities to their extensive network of educational institutions and public sector organizations," said John Van Weeren, VP of Higher Education at Voyatek. "Edge's commitment to empowering digital transformation aligns perfectly with our mission to help institutions implement intelligent solutions that verify student identities without creating barriers for legitimate applicants. Through EdgeMarket, we can help more schools gain control over the management and monitoring of suspicious applications."

About Edge

Edge serves as a member-owned, nonprofit provider of high-performance optical fiber networking and internetworking, Internet2, and a vast array of best-in-class technology solutions for cybersecurity, educational technologies, cloud computing, and professional managed services. Edge provides these solutions to colleges and universities, K-12 school districts, government entities, hospital networks, and nonprofit business entities as part of a membership-based consortium spanning across the nation. For more information, visit njedge.net.

The post Edge Enhances EdgeMarket Platform with Voyatek’s Application Fraud Firewall Solution appeared first on Edge, the Nation's Nonprofit Technology Consortium.

OASIS Open Project Accelerates Collaborative Development of Open Source AI Security Tools and Best Practices

Boston, MA – 16 September 2025 – OASIS Open, the international open source and standards consortium, announced that Google has donated data from its Secure AI Framework (SAIF) to the Coalition for Secure AI (CoSAI), an OASIS Open Project. The contribution includes the Coalition for Secure AI Risk Map (CoSAI-RM), now available as part of CoSAI Tooling. The CoSAI-RM is a framework for identifying, analyzing, and mitigating security risks in AI systems, providing a structured map of the AI security landscape and a common language to address vulnerabilities that traditional software security practices often miss. CoSAI will continuously update, develop, and expand the Risk Map to address emerging threats and evolving security challenges in AI systems.

This contribution strengthens CoSAI’s mission to enhance trust and security in AI development and deployment, directly supporting its four Workstreams: Software Supply Chain Security, Preparing Defenders for a Changing Cybersecurity Landscape, AI Security Risk Governance, and Secure Design Patterns for Agentic Systems. 

Heather Adkins, Google, VP Security Engineering, said, “Google developed SAIF to address the unique security challenges that emerge as AI systems become more sophisticated and widely deployed. By contributing this framework to CoSAI, Google is ensuring that organizations of all sizes can access the same security principles and practices that we use to protect our own AI systems.”

SAIF provides a comprehensive approach to AI security that spans the entire AI development lifecycle, including practical tools such as the SAIF Risk Assessment, which helps organizations identify and mitigate AI-specific vulnerabilities, including data poisoning, prompt injection, and model source tampering.

“Google’s SAIF contribution represents the kind of industry leadership that makes CoSAI successful by bringing proven security frameworks developed at scale directly into the hands of the global AI community,” said J.R. Rao, IBM, Co-Chair of the CoSAI Technical Steering Committee (TSC). “This donation will significantly accelerate our workstreams, especially on AI Security Risk Governance, and provide immediate, practical value to organizations working to secure their AI deployments. It’s a perfect example of how open collaboration can transform innovative research into accessible tools that benefit everyone.” 

Get Involved

CoSAI now includes more than 40 industry partners working collaboratively to address AI security challenges. Its Premier Sponsors, including EY, Google, IBM, Microsoft, NVIDIA, Palo Alto Networks, PayPal, Snyk, Trend Micro, and Zscaler, are leading the way in advancing secure AI practices. CoSAI’s work is also grounded in the support of its Founding Sponsors: Amazon, Anthropic, Cisco, Cohere, GenLab, Google, IBM, Intel, Microsoft, NVIDIA, OpenAI, PayPal, and Wiz. 

Technical contributors, researchers, and organizations are welcome to participate in its open source community and support its ongoing work. OASIS welcomes additional sponsorship support from companies involved in this space. Contact join@oasis-open.org for more information.

About CoSAI

The Coalition for Secure AI (CoSAI) is a global, multi-stakeholder initiative dedicated to advancing the security of AI systems. CoSAI brings together experts from industry, government, and academia to develop practical guidance, promote secure-by-design practices, and close critical gaps in AI system defense. Through its workstreams and open collaboration model, CoSAI supports the responsible development and deployment of AI technologies worldwide.

CoSAI operates under OASIS Open, an international standards and open-source consortium. www.coalitionforsecureai.org

Media Inquiries: communications@oasis-open.org

The post Google Donates Secure AI Framework (SAIF) Data to Coalition for Secure AI, Advancing Industry-Wide AI Security Standards appeared first on OASIS Open.

Today marks one year since the launch of Linux Foundation Decentralized Trust (LFDT). Over the past 12 months, our community has grown, new projects have taken root, and existing projects have advanced. It’s a good moment to reflect on what we’ve built together and, more importantly, to look ahead at the opportunities still to come.

Introduction

As we close out the first full year of the Linux Foundation Decentralized Trust (LFDT), it’s clear that our community has made meaningful strides in strengthening both our projects and our processes. Over the past twelve months, the Technical Advisory Council (TAC) has focused on refining our project lifecycle, expanding task forces to tackle critical areas like security and contributor engagement, and ensuring that our governance structures meet the needs of a growing and diverse ecosystem.

September marks an exciting milestone for Linux Foundation Decentralized Trust’s newest ledger project: Hiero! Over the past year, the Hiero project has grown from an ambitious idea into a developed, community-driven initiative along with other projects under the LF Decentralized Trust (LFDT) umbrella.

If you’ve been following us for a while, you might know that We Are Open Co-op is a collective that believes in bringing our whole selves to work. We get together and talk about our feelings and about our worker-owned cooperative. Over the years, we’ve had extremely productive co-op days that have resulted in things like:

A site to collect our AI focused think pieces, frameworks and strategies:  https://ailiteracy.fyi  A portfolio page to round up some of our work in Digital Credentialing: https://digitalcredentials.fyi  A place to make our favourite community building tactics easily accessible: https://communitybuilding.fyi 

We’re makers and while we’ve managed to share much of what we make, we spend less time promoting ourselves than we probably should. We aren’t natural marketers, and platforms such as LinkedIn have soul-sucking algorithms that prioritise shinyness over depth.

So, without further ado, this is a promotional post to say that we have upcoming capacity for interesting work. Hire us! 

At the moment, we’re helping Amnesty International UK build an online community for their activists and we’re collaborating with Skills Development Scotland on a potential national system for Verifiable Credentials. Both of these projects are complex, interesting and belong to organisations that are actively trying to help people. 

Other projects we’ve worked on this year have involved helping MIT’s Digital Credentials Consortium host a summit for their network in The Netherlands, carrying out research for the BBC on how they can approach AI Literacy education, and publishing a report on the environmental impact of AI for Friends of the Earth.  

While we were thinking about what to write in this post, we reflected on why these projects feel right to us. Beyond the specific themes involved - we usually work at the intersection of learning, technology, and community - we also talked about these cross-cutting attributes:

Strategy 

WAO loves helping organisations figure out the strategy stuff. We are great at helping organisations develop and refine big visions and then figuring out the practical and tactical ways people can achieve those visions. Through our theory of change workshops, strategy sessions and participatory methodologies, we’ve helped all kinds of organisations dream big, achievable dreams.

We believe in proactive planning, even in reactive situations! For example, when we helped Greenpeace International develop their crisis comms training programme, we were helping to establish a community of practice that could react to potential future critical incidents. When we worked with Friends of the Earth, we researched and wrote a nuanced article that helped them thread the needle between AI and environmental activism. With the Digital Credentials Consortium, we helped them establish a community-focused engagement plan that reflected a complex network of organisations. 

We are great at seeing the big picture and developing practical strategies that help bring those visions to life.

Advocacy

It shouldn’t be surprising to anyone who has read any of our other posts that we have opinions. We really do. We are internet people who have been working at the intersection of technology and society for our entire careers. We have a lot to say about privacy, decentralisation, open source, environmentalism, education and so much more. At this moment in history, we are still working to create technology that respects our rights. 

It’s not always easy, but we firmly believe in modelling the behaviours that you want to see in the world. That means being open and honest and helping others understand what’s at stake in regards to our data, the environment and our futures. We believe in solidarity, not charity and are organised as a cooperative aligned with the International Cooperative Alliance’s identity, values & principles. The spirit of WAO page on our wiki further describes our philosophical bent ;)

Work that has real impact

We have been lucky to work with clients and on projects that are looking to positively impact people’s lives. This is the kind of work we love. Real impact for us means that at the end of the day, the work we’ve done has helped empower, educate or encourage people to live their best lives. As we said at the beginning of this post, we believe in bringing our full selves, and we believe in helping others do the same. Real impact comes from communities and connections with real people.  

Projects where we have a lot of agency

As our website states,  we don’t just think outside the box; we shred it (and then recycle it, obviously). Our services include consultancy, workshops and training, project and product management, research and development, community building, and everything in between. That means , we have yet to meet a pre-established set of KPIs that can handle our general awesomeness. We prefer projects that allow us to stretch our wings past meaningless metrics and foregone conclusions. We work in partnership.

What we do at WAO:

Collaborate with organisations on sensemaking, digital transformation, strategy, product and generally making their work awesome Work openly because that’s how innovation happens and the world becomes a better place Adapt our work to the realities of your organisation, because humans are messy Share our networks, ideas and brains with your organisation. When we go, we like to go big. Collaborate with empathy, understanding, and humanity because life is hard and no-one likes jerks.

Find other people if you want to…

Hand over a spreadsheet of unnegotiated deliverables and expect us to get them done like you’re a teacher and this is our homework.  Keep us in the dark about what’s going on in your organisation as though you’re our parents.  Require sign-off for every small decision by someone outside the project team as if we’re not grown up enough to decide what needs doing. Argue about paying us what you agreed (or pay us late every time). We’re arguably inexpensive. This isn’t a flea market, and we’re not haggling. Treat us as taskrabbits, data entry clerks, or otherwise insist that we’re merely “consultants”. This ain’t Deloitte. Responsive clients

Finally, we’ve been quite fortunate to have found clients that “get” us. We love working with people who are also bringing their full selves to work and who aren’t afraid to change course when new information comes in. We know authenticity when we see it, and we appreciate honest, reflective responsiveness. We don’t know everything, and it’s ok if you don’t either. Together we can figure it out.

So, do you have an upcoming project that you’d like to talk to us about? Schedule a free 30 minute call and let’s see if we can work together. 

All images in this post are licensed cc-by-nd Bryan Mathers for WAO

Building a Collaborative Future for Computing and Broad Innovation

Driven by a passion for interdisciplinary collaboration through computing, Ilkay Altıntas, Ph.D., Chief Data Science Officer, San Diego Supercomputer Center (SDSC) at University of California San Diego School of Computing, Information and Data Sciences; Division Director, Cyberinfrastructure and Convergence Research; Founding Director, Societal Computing and Innovation Lab (SCIL), has forged a career that bridges science and innovation. With an early fascination for algorithms and systems that make sense of data, her work spans diverse fields, from computer science and high energy physics to environmental and biomedical data science, and is grounded in a central passion: using computational tools to address complex, real-world challenges. These experiences have become the foundation for her continued leadership in cyberinfrastructure innovation, where she now focuses on building platforms that enable broad scientific communities to collaborate more effectively.

Creating Scalable Solutions

Joining SDSC in 2001, Altintas has been a principal investigator and a technical leader in a wide range of cross-disciplinary projects. She specializes in scientific workflows and data platforms, and orchestrates collaborative efforts that turn complex data challenges into scalable, reproducible, and reusable solutions that help advance the reach and impact of computational data science.

“My path has been transformed through my engagement with researchers in environmental and biomedical fields and finding new ways to harness data and computing for urgent challenges, including wildland fire modeling, the genomic data analysis, and time series analysis of variables.” shares Altintas. "Working side by side with domain scientists has helped me to understand how infrastructure innovation can accelerate impact, especially when it's co-designed with users. We work together to understand the problem and create a scalable solution.”

This hands-on, team-oriented mindset was reinforced early in her career by mentors who not only supported her cross-disciplinary exploration, but also modeled a deeper principle of leadership in service of community-driven innovation. “There’s a whole set of things that need to be modeled and to understand how to add your own two cents to what is learned,” reflects Altintas. “That ethos of contributing meaningfully while staying grounded in community needs has become my north star. Whether developing scientific workflows, enabling open science, mentoring future leaders, or addressing societal challenges through data, I want to remain focused on creating positive, responsible impact. Innovation should not only be scalable and efficient, but also ethical and broadly applicable.”

With a focus on making advanced computing and cyberinfrastructure more usable and accessible, Altıntas aims to support domain experts who are tackling complex, data-intensive problems, whether they’re scientists, researchers, students, or decision-makers. “At SDSC’s SCIL, we focus on building composable systems where our data science tools, workflows, high performance computing (HPC), and scalable computing resources are seamlessly integrated. This enables platforms where users don’t need to be experts in HPC to run scalable analyses. Whether it's genomics, environmental modeling, or social science, the goal is to let users focus on their science, not the underlying technology.”

To make this possible, Altıntas’ team develops end-to-end workflows that simplify technical complexity while keeping solutions flexible. These workflows are designed with usable, accessible agentic AI interfaces that allow domain experts to engage directly with powerful infrastructure. “With the alternative backends and composable services in the backend, we work closely with scientists to co-design these workflows and tools, often integrating Jupyter based environments, containerization, or automated data pipelines to streamline processing,” explains Altıntas. “By building trust and partnerships, and aligning cyberinfrastructure innovation with user needs, you’re able to create solutions that are meaningful and enable discovery at scale.” Altintas is the PI of the National Science Foundation (NSF)-funded National Data Platform, which was built around such an approach, filling a critical gap to enable AI-integrated innovation on top of today's research infrastructure landscape.

Integrating Collaborative Hazard Sciences

The WIFIRE Lab is a consortium of UC San Diego organizations and a number of partnerships including the university collaborators, industry partners, fire departments, utilities, and agencies like California Governor's Office of Emergency Services (CalOES), and CAL FIRE. To help respond to natural disasters like wildfires and other hazards, the WIFIRE Program has created a digital twin that connects all the steps from collecting data to creating models that predict what might happen next. As the only integrated infrastructure that can currently provide this capability, it can serve as a trusted, neutral partner for any group or project that needs accurate, up-to-date hazard information.

WIFIRE team members, led by Ilkay Altintas (far right), integrate many data sources to model wildfire behavior, providing real-time predictive maps to first responders. (Photo by Erik Jepsen, UC San Diego)

“WIFIRE became the first example of using real-time data modeling to bridge the gap between advanced research and real-world decision making and provide tools for fire and land management. We've built systems that combine real-time data, artificial intelligence (AI), and scientific models to help people respond to wildfires more effectively. These tools are designed for fire managers, emergency responders, and land managers, and put powerful technology directly into their hands. For example, tools like Firemap and BurnPro3D use 3D visuals to quickly show what’s happening on the ground through sensing and combine it with physics-based fire behavior models. They can also predict where a fire is going and help plan safe, controlled burns in advance.”

“WIFIRE became the first example of using real-time data modeling to bridge the gap between advanced research and real-world decision making and provide tools for fire and land management,” explains Altıntas. “We've built systems that combine real-time data, artificial intelligence (AI), and scientific models to help people respond to wildfires more effectively. These tools are designed for fire managers, emergency responders, and land managers, and put powerful technology directly into their hands. For example, tools like Firemap and BurnPro3D use 3D visuals to quickly show what’s happening on the ground through sensing and combine it with physics-based fire behavior models. They can also predict where a fire is going and help plan safe, controlled burns in advance.”

Since 2018, these tools have been used in real wildfire situations across California and in prescribed fire operations across the country, including Colorado and other states. “Through a demo network, the tools have helped improve coordination between teams and supported faster, data-informed decision-making for both active fire and fire mitigation efforts,” says Altintas. “WIFIRE has built this collaborative model on strong, trust-based relationships with fire agencies, researchers, communities, and partners across all sectors to ensure the solutions we develop are useful and sustainable. I think this approach has been key to our success and this collaboration is essential for expanding to other hazards or any form of societal scale integration of solutions that need to be co-produced.”

“Developing a skilled data science workforce starts with creating learning environments that are inclusive, interdisciplinary, and connected to real-world challenges. The best way to build data science skills is by using them in practice and we must empower people not only to work with data, but to use it ethically and effectively in service of their communities. By co-developing educational resources and tools with the communities, students, researchers, and practitioners don’t just learn from the system, they help shape it. When we co-develop training materials with individuals who represent the needs of their own environments, the solutions and the learning are directly relevant.”

Ilkay Altintas, Ph.D. Chief Data Science Officer, San Diego Supercomputer Center; Division Director, Cyberinfrastructure and Convergence Research; Founding Director, Societal Computing Innovation Lab

Looking ahead, the WIFIRE program is actively adapting this model to support responses to other cascading hazards. “We work within California and other states to determine how our model and technology can be used for floods, landslides, and an air quality crisis,” explains Altintas. “We aim to explore how real-time data and predictive tools can empower decision-makers in meaningful ways. Our goal is to build a flexible, interoperable infrastructure and platform that can adapt to a wide range of situations and keep the needs of the communities it serves at the center.”

Developing a Skilled Data Science Workforce

For Altintas, advancing data science isn’t just about building tools, it’s also about empowering people. A major focus of her work is developing a skilled, socially aware data science workforce who are prepared to tackle real-world challenges. "Over the past few years, we’ve created several programs aimed at this goal," explains Altintas. "We started with WIFIRE and also led a group of principal investigators in the NSF Convergence Accelerator track to establish what we now call the Convergence Institute. The institute brings together cross-sector participants and helps them understand how innovation happens at the intersection of science, technology, and society. We also started a new lab called the Societal Computing and Innovation Lab (SCIL) which serves as a hub for educational programs and workforce development that center on data science for the societal good.”

Altintas says building this workforce requires more than just technical skills. “Developing a skilled data science workforce starts with creating learning environments that are inclusive, interdisciplinary, and connected to real-world challenges. The best way to build data science skills is by using them in practice and we must empower people not only to work with data, but to use it ethically and effectively in service of their communities. By co-developing educational resources and tools with the communities, students, researchers, and practitioners don’t just learn from the system, they help shape it. When we co-develop training materials with individuals who represent the needs of their own environments, the solutions and the learning are directly relevant.”

“My vision for a research institute like SDSC is that we serve both as enablers and accelerators. By enabling discovery through accessible infrastructure and accelerating impact through innovation and collaboration, SDSC can act as both a platform and a catalyst for meaningful scientific and societal progress. We can create the connective tissues between cutting-edge technology and application and accelerate adoption across the diverse scientific communities that need it most. Our role is not just to host infrastructure, but to build ecosystems of capabilities and services and engagement programs where innovation is accessible, ethical, and responsive to scientific and societal needs.”

“All of our training is coming from collaborative thinking and pairing learners with domain experts and technologists to help them navigate the how and why of data science,” continues Altintas. “We’re trying to generate scientific impact, societal impact, and educational impact. That means not only enabling people to do the work, but helping them understand why it matters. Mentors play an important role in promoting active learning and helping students understand the purpose behind their work. It’s not enough to build tools or run projects; it’s about cultivating a deeper sense of meaning and responsibility in those who use them. We do not just train data scientists, our goal is to develop problem solvers who can work across disciplines, communicate effectively, and who can co-create solutions within the community.”

Promoting Interdisciplinary Collaboration

Interdisciplinary collaboration is essential for turning complex technical solutions into real-life impact, but creating these connections is much more than just bringing experts together. “It takes real work to create a shared purpose and form mutual respect,” says Altintas. “You need to care about what others are doing, rather than just focusing on your own work. Collaboration rooted in shared goals and respect creates the foundation for trust, which in turn enables long-term partnerships. It’s important to align on why the work matters—rather than just how it’s done. This requires listening to domain experts, understanding their pain points, and deciding which problems are uniquely solvable with science and technology.”

Once those challenges are identified, Altintas says it’s crucial for the group to invest time in building a common language and shared frameworks to effectively address them together. “We discuss data and knowledge systems, modular workflows, collaborative platforms, and ensure that everyone can engage meaningfully in the process, regardless of their technical background. Translating technical solutions into real-world impact requires more than just delivering a finished tool, it demands ongoing engagement, adaptation, and learning through demonstration networks and operationalization of research. In the lab, we also focus on creating models for adoption, training, and continuous iteration based on user feedback to scale it further into the world.”

In her leadership role at SDSC, Altintas serves on the executive team, helping to shape strategy and guide a wide range of data science initiatives. She also plays a central role in developing SDSC’s approach to artificial intelligence, working with colleagues to craft a forward-thinking AI strategy. “My vision for a research institute like SDSC is that we serve both as enablers and accelerators,” shares Altintas. “By enabling discovery through accessible infrastructure and accelerating impact through innovation and collaboration, SDSC can act as both a platform and a catalyst for meaningful scientific and societal progress. We can create the connective tissues between cutting-edge technology and application and accelerate adoption across the diverse scientific communities that need it most. Our role is not just to host infrastructure, but to build ecosystems of capabilities and services and engagement programs where innovation is accessible, ethical, and responsive to scientific and societal needs.”

“My path has been transformed through my engagement with researchers in environmental and biomedical fields and finding new ways to harness data and computing for urgent challenges, including wildland fire modeling, the genomic data analysis, and time series analysis of variables. Working side by side with domain scientists has helped me to understand how infrastructure innovation can accelerate impact, especially when it's co-designed with users. We work together to understand the problem and create a scalable solution.”

Ilkay Altintas, Ph.D. Chief Data Science Officer, San Diego Supercomputer Center; Division Director, Cyberinfrastructure and Convergence Research; Founding Director, Societal Computing Innovation Lab

Supporting interoperability and rapid experimentation with emerging technologies also requires a strong focus on workforce development, as well as a commitment to replicability, reproducibility, and accessibility. “We must continue to serve as conveners across disciplines through building all types of engagement and link academia, industry and governments to create cross disciplinary, cross sector, use-inspired research,” notes Altintas. “Developing new models for innovation is still needed and is the reason behind founding the SCIL. We must continue to develop more alternative, adaptable models that can drive innovation across different domains.”

With the growing influence of AI and the emerging potential of quantum computing, Altintas says research institutes and centers like SDSC will need to be trusted guides who can ground innovation in rigorous science and help with the adoption of these advanced technologies. “Collaboration happens not just among builders of computing systems, but also with users, educators, and across sectors. At SDSC, this collaborative spirit is deeply ingrained in our culture. The center strives to broaden its user base and remain responsive to their evolving needs, all with the ultimate goal of enabling transformative solutions for both science and society.”

Anchoring Solutions in Community

To help ensure that a broader range of communities and institutions can benefit from advanced technologies and knowledge, Altintas notes the key role regional research and education networks (RENs) play in connecting users to critical infrastructure, expertise, and collaborative opportunities. “RENs, like Edge and CENIC, act as vital connectors, not just in terms of network capacity, but bridging communities of practice within research institutions, community colleges, and other organizations within the research and educational landscape. RENs reduce those barriers to entry for institutions that may otherwise be left out of national scale research initiatives.”

“RENs also understand local challenges and can tailor support accordingly, whether that is providing access to advanced computing, facilitating training programs, or brokering partnerships within local organizations and industry and public-private partnerships,” continues Altintas. “They help raise awareness of available resources and create multiplier effects by enabling smaller institutions to connect with a larger ecosystem of innovation and discovery. When these organizations gain access to advanced research tools and methods, they’re better equipped to develop solutions tailored to the unique challenges of their local communities.”

In looking ahead, Altintas envisions a future where cutting-edge science and technology are harnessed to tackle society’s most complex, high-impact challenges. “My hope is to pioneer new pathways for solving problems that can only be addressed through the unique capabilities of advanced research, especially through our work at SCIL. One of the biggest questions is: how do we bring research into solutions at the speed that the challenges are growing? Wildfire response, for instance, demands real-time, data-driven decisions. But the same need for agility applies to evolving landscapes, patient care, and public health crises. The challenges may differ, but the need for responsiveness is constant. That’s where technologies like AI, edge computing, and digital twins come in and can enable solutions that are as dynamic as the problems they’re meant to solve.”

“RENs, like Edge and CENIC, act as vital connectors, not just in terms of network capacity, but bridging communities of practice within research institutions, community colleges, and other organizations within the research and educational landscape. RENs reduce those barriers to entry for institutions that may otherwise be left out of national scale research initiatives.”

Altintas’ approach builds on years of developing cyberinfrastructure, scientific workflows, and AI systems in close collaboration with communities. “My goal now is to broaden the user base and deepen cross-sector partnerships, creating a model of innovation that is agile, broadly applicable, and scalable,” says Altintas. “However, we’re not replacing experts. We want to augment practical and scientific knowledge and use data and technology to generate, test, and apply that knowledge more effectively. By anchoring solutions in community needs and designing with responsiveness in mind, we hope to help shape a future where science truly meets society in real time.”

“We structured SCIL around the opportunity to turn science and technology into something usable and create products, platforms, and pathways that actually deliver impact,” continues Altintas. “This includes embedding open science and co-production at every stage, not as an afterthought, but as a foundation. Open doesn't mean everything goes, but if we can prioritize co-production and openness within a thoughtful framework at every stage of innovation, then we’re not just building tools, we're building trust, equity, and usability.”

With a vision that is bold and future-focused, Altintas is reimagining the process and partnerships that drive innovation with the goal of creating infrastructure, platforms, and ecosystems that can truly adapt to the complexities of the real world. “We must design with purpose, partner with communities, and make sure the science we build works for everyone. This is what inspires me every day when I come to work, having the opportunity to build together and enable innovation and discovery that is more deeply rooted in the needs of society.”

“Ilkay Altintas exemplifies what it means to be a visionary leader at the intersection of data science and societal impact,” says Dr. Forough Ghahramani, Associate Vice President for Research, Innovation, and Sponsored Programs, Edge. “Her work—whether advancing wildfire modeling through WIFIRE or training the next generation of researchers—is helping reshape how we think about cyberinfrastructure as a tool for equity, resilience, and discovery. We are proud to shine a spotlight on her in EdgeDiscovery and grateful for her commitment to inclusive innovation.”

The post Building a Collaborative Future for Computing and Broad Innovation appeared first on Edge, the Nation's Nonprofit Technology Consortium.

Trust Over IP (ToIP), an LF Decentralized Trust (LFDT) project, and the Decentralized Identity Foundation (DIF) have launched three new Working Groups focused on digital trust for agentic AI:

DIDAS Position on the E-ID

As an association, DIDAS advocates for the state-issued E-ID as well as the underlying trust infrastructure. Both are key building blocks for a secure, efficient, and trustworthy digital society in Switzerland.

E-ID

The E-ID enables reliable identification in the digital space – especially where secure identity verification is required:

Public services, e.g., ordering official documents such as register extracts

Opening a bank account

Online purchases, e.g., buying alcohol or concluding a mobile phone contract

Use cases can either be digital versions of existing processes (such as opening a bank account) or entirely new scenarios that exist only online.

Trust Infrastructure

The E-ID is based on a cryptographically secured trust infrastructure. This provides the foundation for a wide range of digital proofs (verifiable credentials), which – independently of the E-ID – can be managed in a personal wallet.

Put simply: everything that today exists as a plastic card – and much more – can be securely digitized and stored, for example:

Learner’s permit and driver’s license

Insurance card

Proof of residence (e.g., for subsidized family transport services)

Membership cards (loyalty programs, fitness clubs, libraries)

Educational certificates such as diplomas

Digital medical prescriptions

Personal health data (see award-winning prototype from the GovTech Hackathon 2024)

With the trust infrastructure, access to digital services becomes simpler, and legal certainty increases – thanks to the use of original data rather than insecure copies. This boosts efficiency, trust, and reliability in the digital space. Applications range from familiar processes to new digital services that do not exist in the analog world.

DIDAS launches youth competition “The E-ID and You”

Switzerland is getting an E-ID! 

The E-ID is groundbreaking for the future of Switzerland’s digital identity infrastructure. Discussions prior to the vote have shown the importance to build digital literacy among the population. 

DIDAS is therefore launching an innovative competition «The E-ID and you», as «E-ID Challenge» for secondary school, high school, and vocational school classes. This competition offers young people the opportunity to engage creatively and critically with one of Switzerland’s most important digital policy issues. 

The competition challenges young people to explain in a short video what the E-ID and the associated trust infrastructure are and what possible applications there are for them. The focus is not only on creative presentation, but also on thoughtful contributions that foster the understanding of the paradigm shift and the democratic discourse. The three best entries will receive prizes totaling CHF 3,500.  

Further information and participation details can be found in the media release and will soon be available on this page.

E-ID Challenge  Press Release

Join our next community call for a discussion about website security and how civil society organizations, human rights defenders and nonprofits can prepare, respond to and recover from website threats. 

The post Community Call: Website Security for CSOs and Nonprofits appeared first on The Engine Room.

Toronto, ON – September 11, 2025: – The Digital ID & Authentication Council of Canada (DIACC) is pleased to announce the election and re-election of several distinguished leaders to its Board of Directors following the Annual General Meeting held in June 2025.

The DIACC Board plays a critical role in guiding the organization’s mission to unlock the full potential of digital identity and trust frameworks for the benefit of all Canadians. This year’s appointments bring together expertise from across government, technology, finance, telecommunications, and the innovation sector.

The following directors were elected and re-elected to the Board:

Jillian Carruthers – Assistant Deputy Minister & Chief Technology Officer, Government of British Columbia Giselle D’Paiva – Partner, Deloitte Canada Dalia Hussein – Vice President, Platform Engineering Excellence, TELUS Jonathan Kelly – Assistant Deputy Minister, Partnerships and Government Digital Strategies, Ministère de la Cybersécurité et du Numérique, Québec Patrick Mandic – CEO, Mavennet Systems Inc. CJ Ritchie – Independent Executive and Advisor, Independent Consulting EY

These directors bring a breadth of experience spanning digital infrastructure, cybersecurity, trusted identity solutions, and technology governance, ensuring that DIACC continues to lead Canada’s digital trust ecosystem with strength and vision.

Joni Brennan, President, DIACC:
“We are thrilled to welcome these outstanding leaders to our Board. Their diverse expertise and commitment to advancing digital trust will help DIACC continue to deliver real impact for Canadians and our economy.”

Jillian Carruthers, Assistant Deputy Minister & Chief Technology Officer, Government of British Columbia:
“As a public servant, I’m honoured to join the DIACC Board to help advance a safer, more trusted digital ecosystem—where people can confidently engage, knowing security, privacy, and inclusion are built in from the start.”

Patrick Mandic, CEO, Mavennet Systems Inc.:
“Being elected as a DIACC director is a great honour. As the global socio‑political order shifts and digital fraud rises alongside rapid advances in AI, building secure rails of digital trust has never been more critical for Canada. I’m excited to help guide DIACC’s vital mission forward and contribute to its success.”

DIACC also extends sincere thanks to Andre Boysen for his long-standing contributions to the organization and the broader community. His leadership and insights have been instrumental in advancing DIACC’s mission over many years.

Dave Nikolejsin, DIACC Board Chair
“On behalf of the Board and membership, we welcome the new and returning Directors and wholeheartedly thank Andre for his dedication and service during his time on the Board. His efforts helped shape the foundation of DIACC’s achievements today.”

As Canada continues to face evolving challenges in digital trust, identity, cybersecurity, fraud prevention, and interoperability, the leadership of DIACC’s Board of Directors will be crucial in fostering collaboration between the public and private sectors to develop trusted solutions that work for all Canadians.

The following elected and re-elected Directors will continue their leadership alongside the full Board listed below.

DIACC Board Chair: Dave Nikolejsin, Strategic Advisor with McCarthy Tetrault DIACC Board Vice-Chair: Jonathan Cipryk, Vice President of Canadian Technology Functions, Manulife Manish Agarwal, Chief Information Officer (CIO), Government of Ontario Mike Cook, CEO, Identos Balraj Dhillon, General Manager of Product Platforms and Channels, Canada Post Erin Hardy, General Counsel and Chief Privacy Officer, Service New Brunswick Jonathan Kelly, Assistant Deputy Minister for Partnerships and Government Digital Strategies, Province of Quebec Karan Puri, Associate Vice President, TD Bank Pierre Roberge, Independent

About DIACC
The Digital ID and Authentication Council of Canada (DIACC) is a non-profit coalition of public and private sector leaders committed to advancing a robust, secure, and user-centric digital identity ecosystem. Through collaboration, innovation, and adoption of the Pan-Canadian Trust Framework (PCTF), DIACC works to unlock opportunities for individuals, businesses, and governments in Canada and beyond.

Media Contact:
Joni Brennan
President
Digital ID and Authentication Council of Canada (DIACC)
communications@diacc.ca

DIF was established to represent our fast-changing community and create a safe space for designing and prototyping ambitious new identity architectures. From the original handful of members 9 years ago, DIF grew into an organization with over 400 member companies contributing thousands of lines of code and documentation and changing the conversation in the tech industry. 

Since its inception, DIF has been governed by a Steering Committee, like most Linux Foundation projects. The Steering Committee is comprised of volunteers from core member organizations; its primary functions are to set strategy, deliberate on finer points of DIF’s direction and identity, maintain the processes of the organization, provide guidance to the executive director, and tend to the health of the community and its conversations. 

Periodically, DIF holds elections for roughly half of the Steering Committee’s seats to keep representation and community needs aligned. The process is specified here, but the following overview may be a faster read:

Dates:  11 Sept: Announcement of election + Nomination period opens 9 Oct: Last day to propose questions to the candidates 10 Oct: DIF staff posts aggregated questions to all candidates to the DIF blog 16 Oct: Nomination period closes & Platform statements due 23 Oct: SC ballot opens 30 Oct: SC ballot closes 6 Nov: First meeting of newly-reconstituted SC Who votes: Associate Members (one ballot per organization) How private are votes: Seen and tallied only by DIF staff, stored in case of complications Who can stand on the steering committee:  Any DIF member can nominate and any DIF member can be nominated.  Reminder: DIF members include Associate members, Contributors, individuals who signed a Feedback Agreement, and DIF liaison organizations Nominations should be sent to nominations@identity.foundation To be on the ballot, nominees must, via email by Thurs 16 Oct: accept the nomination before the nomination closes provide a short biography and statement describing the nominee’s interest in and qualifications for serving (600 words max) provide answers to the "platform"/philosophy questions sent out 10 Oct (600 words max) these will be published all together on the DIF website and linked from the ballot Early nominations are encouraged! Questions to candidates  All members are encouraged to submit questions for all the SC candidates on issues regarding the management and direction of the Foundation. Email questions to nominations@identity.foundation DIF Staff will compile and synthesize the questions and provide an anonymized, representative sample to all SC candidates to prompt their statements Election Logistics Each DIF Associate member submits one organizational ballot with votes for up to the number of seats then contested for the Steering Committee (6). The election lasts for 1 week between 23rd Nov and 30th Nov Associate members will be contacted during the nomination period to confirm each organization's point-of-contact

When food safety is on the line, every hour counts. The FDA’s new FSMA 204 rule is raising the standard for traceability, with stronger requirements designed to track products faster and manage recalls more effectively. At stake is not just compliance, but the ability to protect both consumers and businesses when outbreaks occur.

In this episode, Angela Fields from the FDA joins hosts Reid Jackson and Liz Sertl to explain what FSMA 204 means for supply chains. They explore why proactive traceability is replacing outdated reactive models and how better data is improving the speed and accuracy of investigations.

You’ll also hear real stories from outbreak response, how electronic records can cut weeks off investigations, and why collaboration across the food industry makes a difference for everyone.

In this episode, you’ll learn:

How FSMA 204 creates new opportunities for supply chain transparency

Why recalls work best when industry and regulators communicate clearly

What steps companies can take now to prepare for the 2028 compliance deadline

Jump into the conversation: (00:00) Introducing Next Level Supply Chain (01:58) Angela Fields’ background

(02:59) Food safety from a regulatory perspective

(04:13) How the environment affects supply chain risks

(06:59) What FSMA 204 means for industry

(08:40) Spinach outbreaks and the cost of recalls

(09:53) Why regulations also protect food companies

(14:23) How electronic records speed outbreak investigations

(17:17) Who triggers recalls and how they happen

(19:33) Best practices companies use to prevent recalls

(22:15) Where consumers can track recalls and outbreaks

Connect with GS1 US: Our website - www.gs1us.orgGS1 US on LinkedIn

Connect with the guests: Angela Fields on LinkedIn Check out the FDA

On 8 September 2025 the Credentials Community Group published the following specification:

Verifiable Credential Rendering Methods v0.9

This is a Call for Final Specification Commitments. To provide greater patent protection for this specification, participants in the Credentials Community Group are now invited make commitments under the W3C Community Final Specification Agreement by completing the commitment form. Current commitments are listed on the Web. There is no deadline for making commitments.

If you represent a W3C Member, please contact your Advisory Committee Representative, who is the person from your organization authorized to complete the commitment form.

If you have any questions, please contact the group on their public list: public-credentials@w3.org. Learn more about the Credentials Community Group.

Cisco, Hewlett Packard Enterprise, Huawei, IBM, Red Hat, SAP SE, and US NIST Advance New Version of the Standard for Flexible, Cross-Domain Cloud Services

BOSTON, MA, 9 September 2025 — Members of OASIS Open, the global open source and standards organization, have approved the Topology and Orchestration Specification for Cloud Applications (TOSCA) Version 2.0 as an OASIS Standard, a status that signifies the highest level of ratification. TOSCA v2.0 marks a significant evolution of the standard, expanding beyond its computing-centric roots to become a universal orchestration language applicable across virtually any domain, from traditional IT infrastructure to IoT deployments, edge computing, and industry-specific automation requirements.

Developed by the OASIS TOSCA Technical Committee (TC), TOSCA v2.0 greatly increases the fields of applicability of the standard and marks a fundamental shift in cloud orchestration accessibility. By eliminating the restrictive “Simple Profile” terminology that previously limited the standard to computing environments, TOSCA v2.0 empowers organizations across industries to create and contribute user-defined profiles using terminology specific to their domain and use cases. 

“TOSCA v2.0 was the result of close collaboration between experts in the fields of cloud computing, telecommunications, cloud-native software applications, and open process automation,” said Chris Lauwers, Chair of the TOSCA TC. “It comes at a time when reports show that users are increasingly adopting multi-cloud solutions, and it establishes TOSCA as the only orchestration standard that can be used across multiple application domains and across all layers of the technology stack. As a result, it will greatly simplify the integration challenges associated with today’s complex technology infrastructure.”

The new version expands TOSCA’s technical capabilities with user-defined functions for specific operational needs and formal graph traversal syntax that enables more sophisticated relationship modeling. These enhancements support complex orchestration scenarios while maintaining TOSCA’s signature clarity and structured approach. TOSCA v2.0 also introduces a comprehensive operational model for Day 2 service management. 

TOSCA v2.0 preserves the core architectural principles that have made the standard successful. It continues to treat both nodes and their relationships as first-class entities with full inheritance capabilities, ensuring backward compatibility and maintaining the robust foundation that existing TOSCA users depend on.

The TOSCA TC actively encourages global collaboration and input from stakeholders to support the standard’s ongoing evolution and adoption. To learn more about how to get involved, contact join@oasis-open.org.

The post OASIS Approves TOSCA V2.0 Standard for Cloud Orchestration appeared first on OASIS Open.

MyTerms (IEEE P7012 Draft Standard for Machine Readable Personal Privacy Terms, unpacked here) has a simple conceptual structure that is open to many different protocols and roles for them. Note the arrows in this graphic:

Protocols are required for those.

Here is an alphabetized list of some protocols that I know so far, and what I think they might do (given my incomplete knowledge across all of them.). Note that the standard never says “user,” which has subordinate and dependent implications. It calls the first party a “person” or an “individual,” and the second party an “entity.”

A2A Protocol — “An open protocol enabling communication and interoperability between AI agents, giving them a common language – irrespective of the framework or vendor they are built on.” More here. ActivityPub — Can publish or reference a MyTerms URI in actor metadata or message extensions so follows/interactions and happen under the person’s terms. AT Protocol — Can include a MyTerms pointer in profile schemas or event metadata so interactions can be logged under the proffered terms. Beckn Protocol — Can carry a MyTerms URI (or the terms JSON) in discovery/order messages and bind acceptance in the async ACK/NACK flow. DIDComm v2 — Can attach MyTerms as a claim/document in DID-to-DID messages; the counterparty signs/acks to bind the contract. GNAP — Can pass a MyTerms URI/hash in the grant/interaction; record acceptance alongside the grant. HCP (Human/Hyper-Capability Protocol) — Called (at that link) “a user-owned, secure, and interoperable preference layer that grants individuals granular, revocable control over how their data steers AI systems,” it can store a MyTerms reference in the person’s preference set, gate releases on acceptance, and optionally include the URI/hash in OAuth flows to enable audit. HTTP Message Signatures (RFC 9421) — Can bind MyTerms to specific HTTP exchanges by signing requests/responses that include a terms reference. HTTPS — This is generic transport. It can attach or link MyTerms in headers/body and have the counterparty echo/ack to the transaction log. JLINC — Designed for MyTerms-like ceremonies, it can carry a MyTerms ID/hash for “data shared under an agreement.” Matrix — Can include a MyTerms pointer in a profile state or an event content so rooms/interactions are conducted under the person’s terms. Model Context Protocol (MCP) — Can send a MyTerms URI/hash in a tool/agent handshake or call metadata, so tools operate under those terms and log acceptance. NANDA (Internet of AI Agents) — Can expose MyTerms during agent discovery/handshake and metadata in registry so agents negotiate under the person’s terms. Nostr — Can include a MyTerms reference in profile/event tags so relays and clients can honor and log acceptance. OAuth 2.0 — Can carry MyTerms as a parameter or in a request object, recording consent/acceptance with the access transaction. OpenID Connect — Can include a MyTerms URI/hash as a claim (e.g., in the ID token) or request object with RP/OP log acceptance. Solid — Can host the person’s MyTerms in their wallet (formerly called a pod) and require apps or services to transact under those terms for resource access. UMA 2.0 — Can treat MyTerms as a policy at the resource server and share only with parties that have accepted the person’s terms. Web Linking (RFC 8288) — Can advertise a MyTerms URI via Link: headers or a /.well-known/ location for discovery and binding.

Please give me additions, corrections, and improvements.  And forgive the need for all of those changes. I think it’s important at this stage to get a list of possible protocols out there, and to get the discussion rolling. Thanks!

OwnYourData @ Semantics 2025: Privacy-preserving Data Sharing for Renewable Energy Communities

On September 3, 2025, we took part in Semantics 2025 in Vienna – specifically at the 2nd NeXt-Generation Data Governance (NXDG) Workshop. Together with our partners, we presented results from a current research project:

“A Configurable Anonymisation Service for Semantically Annotated Data: A Case Study on REC Data”.

Why anonymisation matters

With the energy transition and the growing adoption of Renewable Energy Communities (RECs), there is an increasing demand for data exchange – both within energy communities and with external stakeholders. However, energy data is highly sensitive: smart meter data can reveal detailed behavioral patterns.

The challenge: How can energy data be shared without compromising privacy?

Our solution: A configurable anonymisation service

As part of the USEFLEDS project, we developed an open, online anonymisation service that integrates seamlessly with our Semantic Overlay Architecture (SOyA).

Key features:

Semantic annotation of data to make privacy rules explicit and machine-readable.

Rule-based anonymisation pipelines that automatically apply generalisation and randomisation.

Configurable via YAML files, without requiring advanced programming knowledge.

Available as SaaS or On-Premises – with open-source code and Docker images for maximum transparency and reproducibility.

Try it now: anonymiser.ownyourdata.eu

Evaluation: Privacy vs. data value

For the evaluation of the service, we worked with synthetic datasets representing energy communities in Burgenland, Austria. The main question was how to achieve a sufficient level of protection without destroying the analytical utility of the data. The evaluation was based on k-anonymity, complemented by a similarity measure to also assess the effectiveness of randomisation. The results show that sufficient anonymisation was achieved in all tested scenarios: no dataset remained uniquely attributable to a single person, while the data could still be used meaningfully for analysis. This demonstrates that our approach provides a solid balance between privacy protection and data value.

Embedding in the European regulatory framework and outlook

The developed solution is closely aligned with European regulations. While the GDPR (2018) emphasizes the protection of personal data and the rights of individuals, the Data Governance Act (2022) focuses on trustworthy ecosystems and the role of neutral intermediaries. Anonymisation serves here as a key instrument to connect both levels: it protects individual privacy while at the same time providing the foundation for secure, compliant data sharing within data intermediaries and energy communities. This dual effect makes the approach highly relevant in practice.

In the next phases of the project, we plan to further expand the anonymisation service. This includes the integration of additional techniques to more flexibly handle different data types. In addition, the system will provide key performance indicators and risk assessments directly with the results, enabling users to better understand the effectiveness of the applied anonymisation. Finally, we will investigate how the service performs in large-scale productive environments to ensure its suitability as a building block in real-world data intermediary infrastructures.

Workshop Paper:

A Configurable Anonymisation Service for Semantically Annotated Data: A Case Study on REC Data (PDF)

Der Beitrag OwnYourData @ Semantics 2025 erschien zuerst auf www.ownyourdata.eu.

Transforming Campus Operations Through IT Virtualization

As higher education institutions face mounting financial pressures, the landscape of American academia is undergoing a significant transformation. A combination of factors has left many colleges and universities grappling with tighter budgets and increased financial strain. Particularly for schools in regions hit hardest by the “enrollment cliff,” these challenges have led to a shrinking pool of tuition revenue, forcing many institutions to re-evaluate their funding models. Compounding this situation are the lasting effects of the pandemic, which has strained resources even further.

Adding to this financial pressure is the growing disparity between institutions, where wealthier universities are often better positioned to weather the storm, while smaller, tuition-reliant colleges may struggle to find a path forward. In recent years, there has been a rise in college closures, mergers, and consolidations—especially among private institutions. In the face of these ongoing challenges, many academic institutions are turning to virtualized and outsourced information technology solutions to reduce operational costs, enhance efficiency, and remain current with technology trends and compliance requirements.

Economic Factors

Maintaining a robust IT infrastructure and keeping up with the fast-paced evolution of technology can be expensive for academic institutions. Add in the cost of supporting the salaries, training, equipment, and software of a fully staffed, in-house IT department, and an organization may find themselves stretched thin. Several key factors are contributing to these economic challenges, forcing organizations to make difficult decisions about resource allocation and scaling back on vital technological advancements and upgrades.

1. Declining Enrollment Rates

Recent trends show a declining number of college-age adults throughout the country, as well as some potential students questioning the return on investment of higher education. With this shift, many institutions have seen a decrease in enrollment rates, making it even more challenging to attract students to their campus. As a result, institutions face a direct reduction in tuition revenue, and are forced to navigate financial constraints that can affect all areas of their institution, including critical sectors like IT.

2. Rising Operational Costs

Across the higher education community, institutions are facing escalating operational costs in nearly every area. Rising expenses for campus maintenance, utilities, healthcare benefits, and various other services are straining budgets and leading organizations to make difficult decisions. Information technology, in particular, represents a large and growing expenditure due to the ongoing need for software licenses, hardware updates, cybersecurity measures, and employee training. As financial pressures mount across the institution, IT departments are under pressure to find cost-saving strategies while still meeting the demands of students, faculty, and staff.

3. Reductions in Funding

Political shifts and economic recessions have led to decreased state appropriations for higher education, and many public institutions have seen a downtick in state and federal funding. Without these vital financial resources, institutions are facing difficult budgetary decisions around essential services and looking for cost-effective and innovative ways to maintain their technology infrastructure.

4. Shifting of Learning Models

Spurred by the pandemic, institutions across the country were forced to transition to remote learning almost overnight, diverting significant resources toward digital infrastructure to maintain continuity in education. This rapid shift required substantial investment in technology, software, and staff development, often at the expense of other critical areas. With federal support for these costs now behind us, institutions are left to find the necessary budget dollars to sustain and enhance robust online and hybrid learning models that meet the evolving expectations of both students and staff.

5. Advancing Technology

As technological advancements continue to accelerate, new opportunities are emerging on the horizon. However, to fully capitalize on and integrate innovations like artificial intelligence, data analytics, and cloud computing, ongoing investments are essential for institutions to stay ahead and remain competitive. Finding room in an already tight budget for new software tools, hardware updates, and skilled personnel can be challenging, requiring institutions to explore alternative strategies to ensure they can adapt to the demands of an increasingly digital world.

6. Increasing Demand for Cybersecurity

Ransomware, malware and cryptomining are constant threats to any organization and with higher education institutions becoming increasingly vulnerable to cyberattacks, protecting sensitive data and digital assets are essential. As these threats evolve, maintaining up-to-date cybersecurity measures becomes more expensive, and many institutions find it difficult to allocate the necessary resources to fully protect their IT.

7. Maintaining Competitiveness

With a smaller pool of prospective students, institutions are under increasing pressure to stand out from the crowd. Students are looking for advanced classroom tools, immersive digital campus experiences, and technology-driven learning spaces when choosing where to apply. Developing and maintaining these high-tech environments requires ongoing investments, and many institutions find it challenging to strike a balance between fostering innovation and managing financial constraints.

8. Evolving Student Expectations

In today’s digital age, students expect their institutions to offer a smooth, accessible online experience—complete with fast Wi-Fi, virtual collaboration platforms, easy access to academic resources, and secure online services available anytime, anywhere. To meet these expectations, colleges and universities must invest continually in their IT systems. Yet, with mounting financial challenges, delivering this level of service on a limited budget is no small feat. As a result, many institutions are turning to Virtual IT solutions, which provide a budget-friendly way to enhance technological services while keeping expenses in check.

Lowering IT Operating Costs

As institutions face increasing pressure to innovate while managing strict budgets, the need for cost-effective solutions is more urgent than ever. The growing demand for advanced technology and expert support, however, often clashes with the financial realities of the industry. By partnering with external providers, institutions can benefit from economies of scale, efficient service delivery, robust security features, and 24/7 support. These providers can provide technology infrastructure that may otherwise be out of reach for smaller or budget-conscious institutions, making it easier to stay competitive in an increasingly digital world.

Virtualization enables institutions to consolidate servers, storage, and other IT resources, improving resource utilization and reducing the physical space and energy consumption required to support IT operations. By moving away from on-premise infrastructure, colleges and universities can minimize expensive maintenance and hardware costs. Through cloud-based platforms, institutions can scale their IT capabilities on demand and eliminate the need for costly upfront investments in hardware and software. This model allows organizations to pay only for what they use, making budgeting more predictable and offers the flexibility to align IT spending with actual needs. With today’s cloud-based applications handling everything from administrative functions to learning management and data analytics, schools can streamline operations and shift more resources toward their core mission: advancing education and research.

By outsourcing IT services and partnering with specialized providers, institutions can eliminate the expense of maintaining a large in-house IT team and tap into expert knowledge and advanced tools for critical functions such as software development, help desk support, and cybersecurity. With built-in updates, virtual IT solutions allow institutions to stay ahead of technological advancements and security threats, all while freeing up internal resources to focus on their core academic missions.

Virtualized IT Solutions and Services

By outsourcing certain IT functions and leveraging cloud-based systems, institutions can access the latest technology, streamline operations, and ensure robust cybersecurity practices without the financial burden of maintaining large in-house teams or hardware. This approach allows institutions to allocate resources more effectively and ensure that technology can support their core missions without compromising financial stability.

Managing IT Infrastructure

One of the most common forms of virtual IT is moving to cloud-based solutions for data storage, hosting, and software applications. Instead of maintaining expensive on-premise hardware and software, institutions can transition their IT infrastructure to the cloud and rely on providers like Amazon Web Services (AWS), Microsoft Azure, or Google Cloud to handle infrastructure management, maintenance, and updates. Moving to cloud-based solutions can help significantly reduce capital expenditures by eliminating the need for on-site hardware and ongoing maintenance costs, while offering flexible, usage-based pricing that aligns with actual demand.

Cloud platforms also provide unparalleled scalability, where institutions can adjust resources easily as needs grow, whether for storage, computing power, or specialized research applications. In addition, cloud providers prioritize security with advanced features like multi-factor authentication, encryption, and compliance with industry standards, alongside robust disaster recovery solutions to safeguard institutional data. By outsourcing infrastructure management, institutions can redirect resources and IT staff to focus on core priorities, such as enhancing education, supporting research, and meeting the needs of students and faculty.

Delegating Key IT Functions

Instead of maintaining a full-scale internal IT department, academic institutions can opt to outsource specialized IT functions to external providers. Services like network monitoring, help desk support, cybersecurity, and system administration can be handled by experts in these fields, allowing institutions to leverage the knowledge and resources of these partners. This approach not only ensures high-quality, efficient service but also allows the institution’s in-house IT team to concentrate on more critical projects, such as advancing teaching tools and supporting research innovations.

By partnering with managed IT providers, institutions can avoid the expenses of hiring, training, and retaining a full in-house team, while enjoying flexible pricing models that align with their budget. These services provide access to high-level expertise in areas like cybersecurity, cloud computing, and network infrastructure—fields where hiring full-time experts can be costly. As needs change, managed IT services offer scalability and give institutions the ability to adjust the level of support based on their current needs. Through specialized services, institutions can count on proactive monitoring and risk management to avoid costly breaches and penalties and ensure regulatory compliance.

Tapping into Remote Workforces

Virtual IT teams offer academic institutions the opportunity to access a global talent pool where they can hire skilled professionals from regions with lower labor costs. By recruiting remote staff for roles such as system administrators, software developers, or technical support agents in countries with more affordable wages, institutions can cut personnel expenses while maintaining high levels of expertise and service quality.

By sourcing talent from regions with lower wage standards, institutions can also reduce the funds required for salaries, benefits, and other employment costs and free up these resources for other priorities like infrastructure or academic programs. Access to a global talent pool also enables institutions to find specialized expertise at competitive rates, from cybersecurity professionals in India to software developers in the Philippines. Additionally, remote teams can provide scalability and flexibility and empower institutions to quickly adjust staffing levels based on project needs or peak demand without the long-term commitment of full-time hires. With a distributed workforce, institutions can achieve 24/7 support and continuous system monitoring, ensuring uninterrupted service for students, faculty, and staff. Most importantly, remote teams can bring diverse perspectives that foster innovation and creative problem-solving, enhancing the institution’s ability to address technological challenges.

Cutting-Edge Research Infrastructure 

Advanced research requires robust IT infrastructure, often involving complex computing resources that can be costly to build and maintain. Rather than investing heavily in creating dedicated research environments, institutions can partner with external research organizations or cloud-based platforms that offer specialized resources, such as high-performance computing (HPC) and machine learning capabilities. This approach allows institutions to access powerful tools and optimize their research capabilities without the need for large upfront investments.

By partnering with cloud services or external research organizations, institutions can avoid the high capital costs of building and maintaining specialized environments. With pay-as-you-go models, they only pay for the resources they use, reducing upfront investments and ongoing maintenance costs. Outsourcing also provides access to cutting-edge technology, including the latest advancements in quantum computing, machine learning, and artificial intelligence, without the need for heavy internal investment. Additionally, the scalability and flexibility of outsourced R&D infrastructure allow institutions to adjust resources according to fluctuating project demands, ensuring they only pay for what they need. By shifting the burden of managing complex systems to external providers, academic institutions can focus more on core research activities, such as experimentation and data analysis, while also benefiting from collaboration with external experts and organizations.

Collectively Paying for IT Infrastructure

By leveraging shared-cost models, where multiple schools collaborate to jointly fund IT infrastructure, services, and support, institutions can access enterprise-level technology and services at a significantly reduced cost. These shared-cost models can extend to staffing and help smaller institutions to tap into specialized expertise by partnering with larger universities or third-party providers, ensuring access to high-level technical skills that might otherwise be out of reach.

By pooling resources and sharing financial responsibility with a network of institutions, schools can access enterprise-level technology and services at a fraction of the cost, making high-end solutions, such as advanced cloud computing, cybersecurity, and data storage, more affordable for smaller institutions. This approach also democratizes access to specialized infrastructure and expertise and gives more institutions the ability to tap into critical resources and technical skills, such as cybersecurity or cloud architecture. The flexibility of shared-cost models enables institutions to scale services and infrastructure as their needs evolve and share the financial burden of expansion across multiple schools. These models also foster collaboration by creating opportunities for institutions to exchange knowledge, solve common IT challenges together, and collaborate on research initiatives to drive innovation and growth.

Tapping into Existing Infrastructure

Many academic institutions and colleges are sitting on a valuable resource: their existing fiber optic networks. These extensive, often underutilized connections between campuses and facilities can be the key to unlocking greater efficiency and cost savings. Rather than investing in additional infrastructure, institutions can leverage their existing wide-area network (WAN) fiber backbone to enhance IT capabilities. By using this infrastructure to support virtual IT solutions, such as cloud services, remote support, and distributed computing, colleges and universities can maximize their existing technology investments and reduce the need for expensive new systems. This approach not only streamlines operations but also ensures that resources are put to their best use, creating a smarter, more sustainable way forward.

By avoiding the expenditures tied to building new networks or data centers, institutions can reallocate funds to other strategic priorities like research and student services. The high-speed, high-capacity nature of fiber networks allows for better use of existing resources and minimizes the need for new systems. Fiber networks also offer the flexibility to scale IT services based on demand, supporting growth without heavy new investments. With fast, reliable connectivity, fiber ensures high performance for virtual services and enhances online learning, research, and collaboration.

To further help future-proof IT infrastructure, fiber has the ability to handle data-intensive applications and enable the adoption of emerging technologies like AI and big data without constant infrastructure overhauls.

Pooling Purchasing Power

Higher education institutions, especially those located near one another or part of collaborative academic networks, can unlock significant cost-saving opportunities by pooling their purchasing power. By joining forces in procurement efforts, these institutions can negotiate better deals on essential IT resources like software licenses, cloud services, and hardware such as servers and data storage. Collaborative buying enables access to volume discounts, shared services agreements, and bundled pricing that not only reduces costs but also opens the door to advanced solutions that might otherwise be out of reach for individual institutions. Colleges and universities can maximize their budgets while still making strides in enhancing their technological capabilities.

Through cooperative purchasing, institutions can secure volume discounts, shared services agreements, and bundled pricing, helping to stretch their budgets further while accessing more sophisticated IT infrastructure, software, and services. Smaller schools, in particular, can gain access to enterprise-level solutions like high-capacity data storage and cybersecurity tools that would otherwise be unaffordable. Through this collaboration, institutions gain negotiating leverage and can secure better pricing and enhanced support from vendors. The cooperative model also streamlines procurement by reducing administrative complexity and creating collective agreements, while fostering collaboration and the exchange of best practices among institutions.

Leveraging as-a-Service Solutions

A growing trend in virtual IT models is the adoption of "as-a-Service" solutions, such as Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS), which allow academic institutions to access powerful technology tools and services without the need for upfront investment or the complexities of in-house management. By utilizing these solutions, institutions can easily integrate learning management platforms, student information systems, or research tools, all while minimizing the burden of internal development and maintenance.

IaaS offerings, such as virtual servers and data storage, provide the flexibility to scale infrastructure on-demand and only pay for the resources used. When institutions collaborate through procurement cooperatives, they can further reduce costs by securing volume pricing for these services, gaining access to enterprise-level technology while avoiding the administrative challenges of managing hardware, updates, and security internally.

By only paying for what they use, institutions avoid large upfront investments in software, hardware, and infrastructure, and can scale resources based on demand. Joining these procurement cooperatives further reduces costs through volume pricing and grants smaller institutions access to powerful, enterprise-level technologies like data analytics and advanced security tools, which may otherwise be unaffordable. "As-a-Service" solutions offer scalability and flexibility and help an organization to adjust resources for specific needs, such as peak enrollment periods or research projects. Since service providers handle updates, security, and infrastructure management, these models reduce complexity and maintenance and free up IT staff for more strategic tasks. As needs evolve, cloud-based solutions enable faster implementation and allow institutions to stay responsive and quickly deploy necessary systems to keep pace with these new demands.

Supplementing the Internal Workforce

Staff augmentation is an increasingly popular strategy for academic institutions adopting Virtual IT solutions. By supplementing an institution's internal workforce with external professionals or specialized contractors for temporary projects or specific needs, colleges and universities can quickly scale their IT capacity and capabilities, without the long-term commitment and overhead costs associated with hiring full-time, permanent staff. By tapping into external expertise as needed, institutions can remain agile and efficiently address their evolving IT demands.

When external professionals are hired on a temporary basis, institutions only pay for the specific skills and time required, avoiding the fixed costs associated with permanent staff, such as salaries and benefits. This model also enables a rapid response to urgent IT needs, such as software rollouts, data migrations, or infrastructure upgrades, with experts brought in quickly to fill any gaps.

Staff augmentation can also allow institutions to tap into a global talent pool and gain access to specialized skills that may be scarce or costly within their own region.

Scaling Storage Needs

For institutions wishing to focus on their core IT operations without the challenges of maintaining a physical data center, virtualized IT provides the opportunity to house servers, storage systems, and networking equipment in a secure, high-performance facility managed by a third-party provider. In this arrangement, institutions retain full control over their equipment and software but benefit from the provider’s expertise in managing the physical infrastructure, including power supply, cooling, security, and network bandwidth.

By leveraging the economies of scale of a colocation provider, smaller institutions can access high-quality data center services without the need for expensive on-campus infrastructure. This reduces capital investment and lowers ongoing costs associated with power, cooling, and staffing. Co-location facilities provide high levels of redundancy and ensure that critical IT systems remain operational during disruptions or hardware failures. The robust security measures implemented by co-location providers, such as 24/7 monitoring, biometric access controls, and strict regulatory compliance, also make this an ideal solution for institutions handling sensitive student and research data.

Embracing Technological Advancements

As higher education institutions navigate an increasingly complex financial and technological landscape, the need for innovative solutions has never been more pressing. Virtual IT offers a forward-thinking approach that can help institutions overcome their challenges while enhancing their technological capabilities. By utilizing cloud-based services, outsourcing key IT functions, and embracing virtualized infrastructures, institutions can significantly reduce operational costs, increase flexibility, and improve overall efficiency. This not only allows valuable resources to be reallocated toward their core educational objectives, but also ensures they remain agile and responsive to the ever-evolving demands of students, faculty, and the broader academic community.

In an environment where financial sustainability is critical, Virtual IT offers higher education institutions the opportunity to thrive in an increasingly competitive and technology-driven world. It transforms financial and operational challenges into opportunities for growth, ensuring that institutions can continue to fulfill their mission and drive innovation in the years ahead.

 

 

Discover how Virtual IT is transforming higher education by exploring The Edge Ecosystem of IT Virtualization Solutions and Services at edgemarket.njedge.net/home/it-professional-services

The post Transforming Campus Operations Through IT Virtualization appeared first on Edge, the Nation's Nonprofit Technology Consortium.

September 2025

DIF Website | DIF Mailing Lists | Meeting Recording Archive

Table of contents Decentralized Identity Foundation News; 2. Working Group Updates; 3. Special Interest Group Updates; 4. User Group Updates; 5. Announcements; 6. Community Events; 7. Get involved! Join DIF 🚀 Decentralized Identity Foundation News DIF Launches New Trusted AI Agents Working Group

DIF is launching the Trusted AI Agents Working Group, chaired by Nicola Gallo, Andor Kesselman, and Dmitri Zagidulin, to define an interoperable stack for trustworthy, privacy-preserving, and secure AI agents. As autonomous agents gain real-world responsibility in composing tools, making decisions, and exchanging verifiable data, this working group will build specifications, reference implementations, and governance patterns for enabling high-trust agent ecosystems using robust mechanisms for identity, authority, and governance.

The initial focus of the group will be exploratory and experimental, starting from use cases and a taxonomy of delegation mechanisms and patterns. The first formal work item will be a report evaluating use cases for agents (that make explicit dynamics of authorization), primarily focusing on the object capability school of distributed authorization. Future work may include standards for agentic identification mechanisms (applying DID and Verifiable Credential prior art), interoperability libraries for popular LLM frameworks, runtime trust enforcement workflows, and prototyping of human-to-agent delegation patterns. The working group welcomes in particular active participation from specification authors, security researchers, LLM infrastructure maintainers, and identity experts as it addresses the unique requirements of agentic workflows.

Stay tuned for meeting information!

DIF Labs Beta Cohort 2 Show & Tell

As we enter September, DIF Labs Beta Cohort 2 projects are in their final development phase, preparing for their showcase event later this month. The three selected projects have made significant progress on cutting-edge privacy-preserving technologies. Each project team has been receiving dedicated mentorship from DIF's expert community and is committed to delivering standards, protocols, implementations, or reports that will benefit the entire decentralized identity ecosystem.

👉 Register for DIF Labs Show & Tell, open to the public!

Join DIF Leadership: Executive Director & Steering Committee

This is your opportunity to shape the future of DIF! We have an upcoming Steering Committee election AND we're accepting applications for the next Executive Director term!

Steering Committee: The Steering Committee plays a crucial role in defining DIF policies and strategy. We will have 6 seats open for election. Stay tuned for election details, including the call for nominations (all members), the nominee's "platform" statements, and the voting process (Associate Members, one ballot per organization). Don't miss your chance to participate in this important process that will guide DIF's future. Executive Director: As we move towards the end of the 2025 Executive Director term, and current ED Kim falls sway to the siren call of building, we have an exciting opportunity to set the direction of DIF! We are accepting applications now. See application details here, and send questions to jobs@identity.foundation. Introducing "Scaling AI DIFferently": Misha Deville's New Blog Series on AI and Decentralized Identity

DIF Ambassador and Vidos Co-Founder Misha Deville has launched her blog series "Scaling AI DIFferently", exploring the critical intersection of artificial intelligence and decentralized identity technologies.

Misha examines how decentralized identity infrastructure serves as the foundation for building trust and accountability in autonomous AI systems. As AI agents become increasingly sophisticated, she investigates the essential role that verifiable digital identities play in ensuring responsible AI deployment at scale.

In this thought-provoking series, Misha addresses fundamental questions about identity verification, trust frameworks, and accountability mechanisms in AI-driven environments—tackling challenges at the heart of next-generation digital infrastructure.

Discover Misha's insights on how decentralized identity standards can help shape a more trustworthy AI future. Start reading here.

🛠️ Working Group Updates

Browse our active working groups here

Hospitality & Travel Working Group

The Hospitality & Travel Working Group has emerged as one of DIF's most active groups, conducting extensive work on the HATPro specification for traveler preferences and identity management. The group is currently developing comprehensive schemas for food preferences, dietary restrictions, accessibility requirements, and pet-related travel information, and engaging subject matter experts across various travel sectors. Subscribe to the H&T Working Group blog for updates.

👉 Learn more and get involved

Creator Assertions Working Group

The Creator Assertions Working Group made significant strides in media industry identifier standards and identity assertion frameworks. Major developments include:

Media Identifier Guidance: Developed comprehensive guidance for using metadata assertions with media industry identifiers, focusing on Dublin Core metadata fields and external authoritative data sources Identity Assertion Evolution: Continued refinement of identity assertion requirements to support manifest updates and improve data-model flexibility

The group's work on attribution assertions and metadata standards continues to advance the state of content authenticity and provenance tracking.

👉 Learn more and get involved

Applied Crypto Working Group

The BBS+ work item achieved significant milestones in privacy-preserving cryptographic protocols:

Pseudonym Systems: Advanced work on cryptographic pseudonyms and blind signatures, with collaboration on general articles about cryptographic privacy techniques Performance Optimization: Completed performance testing and optimization work, with Rust implementations showing significant speed improvements over JavaScript Post-Quantum Research: Discussed post-quantum cryptography implications and integration with existing BBS+ protocols Test Vector Development: Continued development of comprehensive test vectors for the 0.9 draft release

The team's focus on practical implementation and standardization continues to drive adoption of privacy-preserving credential technologies.

👉 Learn more and get involved

DID Methods Working Group

The DID Methods Working Group focused on standardization processes and method evaluation refinement:

W3C Charter Development: Continued work on the proposed W3C DID Methods Working Group charter, addressing concerns about scope and blockchain inclusion Method Evaluation Process: Refined the DIF recommendation process for DID methods, with DID:webvh currently in its 60-day comment period Method Champion Coordination: Established clearer processes for method champions and active development requirements Future Method Pipeline: Identified upcoming methods include did:webplus, did:cheqd and did:scid for evaluation

The group's DID method evaluation process ensures high-quality standards while maintaining transparency in the assessment process.

👉 Learn more and get involved

Identifiers and Discovery Working Group

The DIF Identifiers and Discovery Working Group advanced work on did:webvh (did:web + Verifiable History) and a new DID attested resources specification. Key progress includes deploying a sandbox server for did:webvh testing and proposing changes to DID resolution specifications to improve URL handling. The team discussed simplifying the webvh specification while preserving core functionalities and explored implementation details for blockchain DIDs generally, as well as key rotation patterns (and verification patterns for rotated keys) in verifiable credentials, with plans to continue collecting feedback through September 28th.

👉 Learn more and get involved

DIDComm Working Group

The DIDComm Working Group advanced protocol development and explored new application areas:

Binary Encoding Support: Progressed work on CBOR implementation for more efficient message encoding AI Agent Communications: Explored applications of DIDComm for AI agent-to-agent communications and autonomous system interactions Protocol Comparisons: Conducted detailed analysis comparing DIDComm with other protocols like OpenID for VC in various use cases Supply Chain Applications: Discussed new protocols for supply chain data management and product-recall systems

👉 Learn more and get involved

Claims & Credentials Working Group

The Credential Schemas team made significant progress on standardization and community engagement:

Community Schemas Initiative: Launched framework for organizations to contribute verifiable credential schemas to a shared repository Schema Standardization: Advanced work on aligning basic "person" schemata with schema.org standards while maintaining compatibility with existing frameworks

👉 Learn more and get involved

DIF Labs Working Group

DIF Labs Beta Cohort 2 projects entered their final development phase with impressive progress:

QES Project: Advanced development of Qualified Verifiable Credentials combining legal enforceability with privacy preservation Revocation Analysis: Completed comprehensive analysis of privacy-preserving revocation mechanisms with practical implementation guidance Anonymous Multi-Sig: Progressed work on anonymous multi-signature verifiable credentials for group-authentication scenarios

All projects are preparing for their final showcase event in September, with open-source implementations ready for community adoption. Register for DIF Labs Show & Tell

👉 Learn more and get involved

🌎 Special Interest Group Updates

Browse our special interest groups here

DIF Africa SIG

The Africa SIG continued its focus on identity challenges and solutions in Africa and beyond. The recent meeting featured the "Has Needs" project, a resource sharing protocol designed for humanitarian spaces, building on work since the Haiti earthquake of 2010.

The SIG's focus on humanitarian applications showcases the potential for decentralized identity to address critical social challenges.

👉 Learn more and get involved

APAC/ASEAN Discussion Group

The APAC/ASEAN group hosted comprehensive discussions on regional digital identity initiatives, including:

Korean Foreign Visitor System: Detailed presentation on digital identity solutions for foreign visitors to South Korea, including visa digitization and medical tourism applications Regional Interoperability: Explored challenges and opportunities for cross-border identity verification and credential recognition Privacy Frameworks: Discussed regulatory approaches across different jurisdictions and their implications for digital identity adoption Medical Tourism Applications: Examined specific use cases for digital credentials in healthcare and travel scenarios

The group's focus on practical, cross-border applications demonstrates the global relevance of decentralized identity solutions.

👉 Learn more and get involved

DIF Hospitality & Travel SIG

The Hospitality & Travel SIG showcased cutting-edge applications of decentralized identity in travel:

Agentic Commerce Platform: Featured comprehensive demonstration of AI-powered travel booking systems using decentralized identity for secure agent-to-agent communications Corporate Travel Innovation: Explored applications for corporate travel management with AI agents handling complex booking scenarios Industry Integration: Demonstrated practical implementations with major travel industry partners and payment systems Future Vision: Outlined roadmap for AI-driven, personalized travel experiences built on decentralized identity foundations

The SIG's presentations highlighted the transformative potential of combining AI agents with decentralized identity for seamless travel experiences.

👉 Learn more and get involved

📖 User Group Updates DIDComm User Group

The DIDComm User Group explored practical implementations and emerging applications:

AI Integration: Extensive discussions on integrating DIDComm with AI agents and home automation systems Technical Compatibility: Clarified DIDComm's compatibility with various cryptographic methods including BBS+ signatures Bluetooth Applications: Explored local mesh networking applications and proximity-based communications Implementation Challenges: Addressed practical questions about protocol implementation and deployment

The user group continues to drive practical adoption of DIDComm technologies.

👉 Learn more and get involved

📢 Announcements Join Steven McCown at Identity Week America

Steven McCown, Chief Architect at Anonyome Labs and DIF leadership member, will be speaking at Identity Week America Steve McCown | Identity Week America on Day 2 at 11:00 with "Digital identity: It may be secure, but will it protect your privacy?"

Steve McCown | Identity Week America A multi-faceted conference experience with over 150 sessions across eight tracks, providing the most comprehensive and multi-disciplined event. Identity Week America 2025

Steven will examine how "modern identity systems authenticate users with advanced identity, encryption, and communication technologies" yet still impact user privacy. His presentation will illustrate the privacy risks of "phone home" architectures and demonstrate how decentralized identity "helps platform providers overcome these problems through peer-to-peer identifiers and verification methods that don't require issuer participation."

The session will also explore how recent Utah legislation is creating new models for privacy-oriented digital identity in government systems.

Don't miss this essential discussion on building truly privacy-preserving identity solutions.

Join Nick Price and Doug Rice at HTNG Connect Europe

Join DIF H&T community leaders Nick Price and Doug Rice at HTNG Connect Europe in The Hague for two sessions on decentralized identity in travel and hospitality! Nick Price, CEO of NetSys Technology Ltd., will present "Redefining Trust: The Role of Decentralized Identity in the Future of Hospitality" (12:30-13:00, Mesdag Ballroom), exploring how decentralized digital identity offers a new paradigm for secure, guest-centric experiences and seamless travel solutions.

Doug Rice, chair of the DIF Hospitality & Travel Working Group, will join Nick for the interactive breakout session "Decentralized Identity in Action: Use Cases, Standards, and Industry Collaboration" (14:00-14:45, Red Room). This will be an open discussion on real-world pilots, emerging use cases, and the development of standard traveler profile schemas designed to support interoperability and privacy across the travel ecosystem.

Blog Series Exploring AI and Decentralized ID

DIF has kicked off the "Scaling AI DIFferently" blog series featuring guest articles from DIF Ambassador and Vidos Co-Founder Misha Deville on decentralized identity's critical role in building trust in agentic systems. Start here.

DIF Labs Beta Cohort 2 Final Showcase - September 23rd

Mark your calendars for the DIF Labs Beta Cohort 2 final showcase on September 23rd. Each project team will have 7 minutes to present their work followed by 8 minutes of Q&A. The event will feature:

Live demonstrations of privacy-preserving credential technologies Open-source implementations ready for community adoption Learning opportunities with DIF's expert community

Register here: https://luma.com/849iikfj

📅 Community Events Upcoming Industry Presentations

DIF community members will be presenting at several major industry events in September and October:

HTNG Connect in The Hague: Nick Price and Douglas Rice are presenting at HTNG Connect Europe. Identity Week America: Steve McCown is speaking at Identity Week America. IIW October 2025: Many in the DIF community will be attending the Internet Identity Workshop in October. Community Contributors

We continue to appreciate the dedicated contributions of our community members who drive DIF's technical work forward. Special recognition goes to the chairs and active participants of our most active working groups, whose consistent engagement and technical expertise make our progress possible.

🆔 Get involved! Join DIF

If you would like to get in touch with us or become a member of the DIF community, please visit our website or follow our channels:

🐦 Follow us on Twitter/X 💻 Join us on GitHub 📺 Subscribe on YouTube 🔍 Read the DIF blog New Member Orientations

If you are new to DIF, join us for our upcoming new member orientations. Find more information on DIF's Slack or contact us at community@identity.foundation if you need more information.

Passkeys are more secure than passwords since they’re tied to a device, but what if you lose your phone? The trick lies in how you generate passkeys in the first place.

Imagine you’ve created a host of passkeys on your iPhone or Android phone. If you lose your phone or it no longer works, what happens to the passkeys on your device? Are they gone? Can you get them back? Fear not. There’s a way to set up your passkeys so that they’re tied to your account and can follow you wherever you go.

The trick lies in how you generate passkeys in the first place. By using a password manager that supports passkeys, Google Password Manager, or Apple’s iCloud Keychain, you can save passkeys to your account and sync them across all your devices. If you lose your phone or upgrade to a new one, your passkeys will be available once you sign in. Here’s how this works.

The post Enabling the Golden Age of Workforce Data appeared first on Velocity.

Passkeys want to create a password-free future. Here’s what they are and how you can start using them.

Passwords suck. They’re hard to remember, but worse is playing the ever-evolving game of cybersecurity whack-a-mole with your most important accounts. That’s where passkeys come into play. The so-called “war on passwords” has taken off over the past two years, with titans like Google, Microsoft, and Apple pushing for a password-less future that the FIDO Alliance (a consortium made to “help reduce the world’s over-reliance on passwords”) has been trying to realize for over a decade.

Like it or not, you’ll be prompted to create a passkey at some point, and you likely already have. That’s a good thing, as passkeys aren’t only much easier to use than a traditional password, they’re also a lot safer. Here’s everything you need to know about using them.

In the MyData Matters blog series, MyData members introduce innovative solutions that align with MyData principles, emphasising ethical data practices, user and business empowerment, and privacy. A decentralised web index […]

Oxford PharmaGenesis and OriginTrail to introduce collaborative, AI-ready medical knowledge ecosystem driving the next generation of agentic science

A vast amount of valuable clinical trial information exists in the world, but much of it is fragmented, hard to verify, and difficult to use, slowing medical research and patient care. This lack of connectivity slows research, complicates evidence synthesis, and limits the ability of healthcare professionals, patients, and other stakeholders to access clear, reliable information.

To address these challenges, Trace Labs, the core developers of OriginTrail, and Oxford PharmaGenesis have partnered on a groundbreaking initiative to globally connect and verify medical knowledge.

The challenge: Lost value in unconnected knowledge

Pharmaceutical companies and researchers generate a continuous flow of high-quality outputs — trial registrations, regulatory summaries, and peer-reviewed publications. Yet these resources are scattered across multiple platforms and formats, making it difficult to integrate with advanced AI systems.

As a result, vast amounts of valuable knowledge remain underused:

● Researchers struggle to locate relevant clinical studies and real-world evidence,

● Healthcare professionals lack quick access to verified, up-to-date information,

● Patients are left without clear, trustworthy resources to guide their decisions.

These inefficiencies keep knowledge fragmented and opaque because evidence is hard to find and harder to verify, resulting in slower progress and less transparency and trust, with real consequences for patients.

The vision: Building a connected and trusted health knowledge pool

Oxford PharmaGenesis — a global leader in the healthcare communications industry that collaborates with over 50 healthcare organizations worldwide, including eight of the world’s top ten pharmaceutical companies — and Trace Labs, have partnered to create the world’s first structured, connected, and verifiable pool of clinical trial knowledge on the OriginTrail Decentralized Knowledge Graph (DKG).

The OriginTrail DKG merges blockchain technology with semantic, machine-readable knowledge structures, ensuring every contribution carries verifiable ownership, a transparent version history, and rich contextual links for both AI and human use. Oxford PharmaGenesis’ partnerships span pharmaceutical and biotech companies, as well as professional societies, patient groups, and academic institutions. It is also a co-founder, co-funder, and facilitator of Open Pharma with the mission to advance open science, transparency, and equity for pharma-sponsored research communications, placing it at the center of trusted knowledge exchange in healthcare.

This initiative will launch through an incentivized data-sharing program to create a domain-specific Decentralized Knowledge Graph (or “paranet”) within the OriginTrail DKG. Leading pharmaceutical organizations will be invited to join as trusted knowledge contributors, making their clinical information accessible to AI agents, research tools, and human users alike. The result: faster, more accurate discovery and reuse, empowering experts and the public with reliable, transparent, and actionable insights.

From pilot to scalable implementation

The collaboration begins with a pilot, which will link together publicly available information from multiple medicines produced by a global pharmaceutical company. It will create the blueprint for rapid expansion to additional contributors through a structured, incentivized data-sharing program that will form a domain-specific paranet within the OriginTrail DKG. This first phase will establish the core framework — secure, intuitive tools for contributing and exploring data, robust systems for verifying and connecting clinical knowledge, and safeguards to ensure every piece of information remains trusted and protected.

Once operational, the paranet will allow AI agents to both produce and consume verifiable knowledge directly from the OriginTrail DKG. In practice, this means transforming complex clinical data into plain-language summaries, in-depth scientific reports, visual explainers, and other formats tailored to audiences ranging from researchers and clinicians to patients and the public. As more organizations contribute, the paranet will grow to billions of structured, connected, and verifiable data points — a rich foundation with the potential to accelerate medical research, speed up discoveries, and equip healthcare professionals, patients, and innovators worldwide with better tools for informed decision-making.

Looking ahead: A path toward a trusted public knowledge ecosystem

This collaboration marks the start of an ambitious journey to build the world’s most extensive decentralized repository of trusted clinical trial knowledge on the OriginTrail DKG, stemming the tide of medical misinformation by providing a solid bedrock of trusted information that genAI tools can use. Driven jointly by Trace Labs, the core developers of OriginTrail, and Oxford PharmaGenesis, a global leader in scientific and medical consulting for the pharmaceutical and healthcare industries, the initiative will transform valuable clinical data into a structured, verifiable, and AI-ready resource. By incentivizing collaboration and uniting leading pharmaceutical organizations, the network will grow rapidly — unlocking knowledge that can accelerate research, fuel innovation, and ultimately improve lives worldwide.

About OriginTrail

OriginTrail is an ecosystem dedicated to making the global economy work sustainably by enabling a universe of AI-ready Knowledge Assets, allowing anyone to take part in trusted knowledge sharing. It leverages the open-source Decentralized Knowledge Graph that connects physical and digital worlds in a single connected reality, driving transparency and trust.

Advanced knowledge graph technology currently powers trillion-dollar companies like Google and Facebook. By reshaping it for Web3, the OriginTrail Decentralized Knowledge Graph provides a crucial fabric to link, verify, and value data on both physical and digital assets.

Learn more about OriginTrail: https://origintrail.io/.

About Oxford PharmaGenesis

Oxford PharmaGenesis is a HealthScience communications consultancy. They are the largest independent company in the healthcare communications sector. Founded in 1998, their award-winning organization comprises more than 500 talented people working from North America, Europe, and the Asia Pacific.

Oxford PharmaGenesis is connected by a strong company culture and a clear mission: to help clients accelerate the adoption of evidence-based innovations for patients in areas of unmet medical need.

Learn more about Oxford PharmaGenesis: https://www.pharmagenesis.com/.

Oxford PharmaGenesis and OriginTrail to introduce collaborative, AI-ready medical knowledge… was originally published in OriginTrail on Medium, where people are continuing the conversation by highlighting and responding to this story.

Nishant Kaushik, Chief Technology Officer, FIDO Alliance

Every few months, like clockwork, a talk or article appears claiming that new research has uncovered a “vulnerability” with passkeys.  This can understandably raise concern for executives and product leaders looking to uplift their authentication frameworks. But these reports have a pattern: they highlight opportunities for exploitation in the environment where passkeys are used, not any vulnerability in passkeys themselves.

Passkeys are FIDO authentication credentials that leverage public key cryptography. The authentication protocol relies on the user having control of their private key, which is generated on the user’s device (their smartphone, their FIDO Security Key, etc) and is never shared with the service they are authenticating to (all the service receives and saves is the corresponding public key). That design makes passkeys inherently resistant to phishing, credential stuffing, and large-scale data breaches. Breaking the security model of passkeys would require stealing the private key itself, something cryptographically and practically infeasible without compromising the device in some manner. 

Where the “Breaks” Actually Happen

When researchers announce they’ve “broken passkeys,” what they usually mean is that they’ve compromised something else in the operational environment:

Browser vulnerabilities that let malicious extensions hijack sessions or impact user behavior. Device compromises where malware takes control of the endpoint. Application weaknesses in how the authentication flow is integrated.

To be clear, these are real risks, but these are risks for any authentication solution (in addition to other secure tools such as encrypted messaging apps and VPNs). They are not flaws in passkeys themselves. Rather, they are examples of broader environmental compromise which can be mitigated with well-known security controls and policies that IT teams have been deploying for years.

Do Not Confuse Headlines with Reality: Passkeys Work as Intended

No reports have found vulnerabilities in the cryptography or the technical standards underpinning passkeys. What’s being demonstrated by researchers are scenarios where, if the user’s environment is already compromised, attackers may be able to misuse otherwise secure credentials or circumvent the secure authentication process. That’s a meaningful security discussion, and a good reminder that while passkeys are the gold standard for secure authentication, they don’t eliminate the need to have a comprehensive security program. 

Our Commitment to Security and Research

The FIDO Alliance is deeply committed to advancing security through ongoing research, rigorous testing, and collaboration with our members and the broader security community. Our members are actively exploring the impact of emerging technologies like post quantum cryptography, and emerging threats like deepfakes. We also welcome engagement with security researchers who approach their work responsibly, as constructive collaboration helps us strengthen our specifications, certification programs, and implementations. Sensationalist headlines may help a few to market their products or services, but the real win for strong, phishing-resistant authentication is when we combine forward-looking research with open, responsible dialogue. That’s at the heart of the Alliance’s ethos.

The Bottom Line

For anyone responsible for product, security, or compliance, here’s what this means when it comes to adopting passkeys:

Stay focused on fundamentals: Passkeys eliminate entire classes of attacks (phishing, credential theft, reuse) that drive the majority of breaches today. Adopt thoughtfully: Pay attention to the integration and rollout plans, following guidance and best practices with special attention to fallback models. Pair with environmental protections: Continuing to strengthen your security program remains essential, especially focusing on strong endpoint security, browser governance, and app hardening. Lean on certification: Certified implementations ensure consistency and reduce integration risk across platforms and devices.

Passkeys represent one of the most significant advances in digital identity security in decades, and they work as intended. Headlines suggesting otherwise often sensationalize research that demonstrates something we’ve known forever: no system is immune if the environment it runs in is compromised. Passkeys remain the best path forward to reducing fraud, lowering breach risk, and building customer trust in a digital-first world. 

This appears atop a DuckDuckGo search. A few years ago, numbers 1 and 2 would have been down next to number 6.

I wrote a chapter on Agency in The Intention Economy because back then (2012) the word mostly meant an insurance or advertising business. The earlier meaning, derived from the Latin agere, meaning “to do,” had mostly been forgotten.

Now agency is everywhere, and is given fresh meaning with the adjective agentic.

We can thank AI for that. The big craze now is to have AI agents for everything, and to make all kinds of stuff “agentic,” using AI.

Including each of us. We should all maximize our agency with our own personal AI.

With that in mind, and thinking toward upcoming conferences on AI (and our own VRM Day, this coming October 19th ), I just added this section to the VRM Development Work page in our wiki:

Personal AI

Balnce.ai † “Your personal AI, your loyal agents and a network that makes your data work for you.”

Base.org “Base is built to empower builders, creators, and people everywhere to build apps, grow businesses, create what they love, and earn onchain.”

Decentralized AI Agent Alliance “…offers a compelling alternative, giving individuals sovereignty, including ownership of their identity and data.”

GPTbuddy “Human in the loop AI” ([1] @GPTbuddy) is in development by FractalNetworks.

Kwaai “a volunteer-based AI research and development lab focused on democratizing artificial intelligence by building open source Personal AI.” Also, KwaaiNet “AI running distributed on a P2P fabric,” now (July 2025) with Verida “Create and deploy personalized AI agents with secure data connectors, custom knowledge bases, and configurable inference endpoints.”

NANDA: The Internet of AI Agents “Pioneering the Future of Agentic Web.”

The AI Alliance “building and advancing open source AI agents, data, models, evaluation, safety, applications and advocacy to ensure everyone can benefit.”

Please add more, or make corrections on what’s there. If you don’t have editing privileges, just write to me and I’ll make the changes. Thanks!

Public Review ends - September 28th

OASIS and the UBL TC are pleased to announce that UBL v2.5 CSD01 is now available for public review and comment. 

The UBL TC facilitates interoperability in business data exchange by defining a semantic library and syntax bindings of business documents.

The documents and all related files are available here:

Universal Business Language Version 2.5

Committee Specification Draft 01

20 August 2025

XML:https://docs.oasis-open.org/ubl/csd01-UBL-2.5/UBL-2.5.xml (Authoritative)

HTML: https://docs.oasis-open.org/ubl/csd01-UBL-2.5/UBL-2.5.html

PDF: https://docs.oasis-open.org/ubl/csd01-UBL-2.5/UBL-2.5.pdf

Additional Artifacts

Code lists for constraint validation: https://docs.oasis-open.org/ubl/csd01-UBL-2.5/cl/ Context/value Association files for constraint validation: https://docs.oasis-open.org/ubl/csd01-UBL-2.5/cva/ Document models of information bundles: https://docs.oasis-open.org/ubl/csd01-UBL-2.5/mod/ Default validation test environment: https://docs.oasis-open.org/ubl/csd01-UBL-2.5/val/ XML examples: https://docs.oasis-open.org/ubl/csd01-UBL-2.5/xml/ Annotated XSD schemas: https://docs.oasis-open.org/ubl/csd01-UBL-2.5/xsd/ Runtime XSD schemas: https://docs.oasis-open.org/ubl/csd01-UBL-2.5/xsdrt/ Endorsed XSD schemas for forward validation: https://docs.oasis-open.org/ubl/csd01-UBL-2.5/endorsed/xsd/

The ZIP containing the complete files of this release is found in the directory:

https://docs.oasis-open.org/ubl/csd01-UBL-2.5/UBL-2.5.zip

How to Provide Feedback

OASIS and the UBL TC value your feedback. We solicit input from developers, users and others, whether OASIS members or not, for the sake of improving the interoperability and quality of its technical work.

The public review is now open and ends September 28, 2025 at 23:59 UTC.

Comments may be submitted to the project by any person through the use of the project’s Comment Facility located here.

Please note, you must log in or create a free account to see the material. Please contact the TC Administrator (tc-admin@oasis-open.org) if you have any questions regarding how to submit a comment.

All comments submitted to OASIS are subject to the OASIS Feedback License, which ensures that the feedback you provide carries the same obligations at least as the obligations of the TC members. In connection with this public review, we call your attention to the OASIS IPR Policy applicable especially to the work of this technical committee. All members of the TC should be familiar with this document, which may create obligations regarding the disclosure and availability of a member’s patent, copyright, trademark and license rights that read on an approved OASIS specification. 

OASIS invites any persons who know of any such claims to disclose these if they may be essential to the implementation of the above specification, so that notice of them may be posted to the notice page for this TC’s work.

Additional information about the specification and the UBL TC can be found at the TC’s public home page located here.

The post Invitation to comment on UBL v2.5 CSD01 appeared first on OASIS Open.

About DIACC

The Digital ID & Authentication Council of Canada is a public–private coalition working to advance a trusted Canadian digital economy through open, industry-driven frameworks for identity, authentication, and trust services. DIACC stewards the Pan‑Canadian Trust Framework™ (PCTF). This consensus-developed, living industry standards-based framework aligns with national priorities and global norms to support interoperability, privacy, and digital trade readiness across sectors and borders.

Addressing the Consultation Scope

The consultation invites input on digital trade topics such as:

Digital identities, trust services, and authentication Electronic transactions and e‑signatures Cross‑border data flows and localization requirements Consumer protection, fraud prevention, and cybersecurity Digital inclusion and participation of MSMEs Artificial intelligence and emerging technologies Standards, interoperability, and regulatory alignment

This submission addresses each of these priority areas with a clear emphasis on the role of the PCTF and industry‑led standards in advancing Canada’s trade, regulatory predictability, and inclusion objectives.

Executive Summary of Recommendations Mutual Recognition of Industry Standardized Trust Frameworks
Support interoperability between the PCTF and the EU’s eIDAS 2.0 framework to facilitate secure digital trade in regulated sectors (e.g., housing, finance, energy), while maintaining Canada’s ability to define and govern its trust standards to reflect domestic policy and legal norms.
Mutual Recognition of Trust Frameworks
Support interoperability between the PCTF and the EU’s eIDAS 2.0 framework to facilitate secure digital trade in regulated sectors (e.g. housing, finance, energy).
Economic Growth in Key Sectors
Enable standards-based digital trust infrastructure to promote inclusion, reduce friction, accelerate and unlock innovation in e-commerce, housing finance, energy trading, public services, and cross-border logistics.
Recognition of Digital Sovereignty
Acknowledge that frameworks like the PCTF deliver practical, scalable solutions that complement formal national and international standards, strengthening the country’s digital sovereignty by ensuring homegrown, democratically governed solutions play a core role.
Secure and Privacy‑Respecting Cross‑Border Data Flows
Align privacy and cybersecurity standards to preserve both trust and efficiency, enabling secure cross-border data sharing.
Cybersecurity, Fraud Prevention & Consumer Protection
Leverage shared industry- and government-level practices, including fraud mitigation, identity-proofing, and privacy‑by‑design, to protect consumers in cross-border digital transactions.
Digital Inclusion and MSME Participation
Ensure the agreement empowers micro, small and medium enterprises, especially in rural, Indigenous and remote communities, to participate securely in digital trade. Industry‑Led Standards in Canada’s Digital Trade Toolkit

Industry frameworks, such as the PCTF, serve as deployable tools within a broader toolkit that includes national and international standards. While ISO or eIDAS establish global principles, industry-led standards:

Translate principles into workable operational guardrails (e.g. technical protocols, risk models). Accelerate adoption through flexible, market-driven updates. Preserve national sovereignty by ensuring Canadian-made governance structures retain accountability and transparency. Bridge jurisdictional or regulatory gaps. And prepare the ground for future alignment or recognition.

In the Canada-EU context, the PCTF has the scale, backing, and governance necessary to serve as a core commercial interoperability engine alongside formal standards.

Alignment with Consultation Topics Digital Identities, Trust Services & Electronic Transactions Support mutual recognition of digital credentials and trust service providers under eIDAS 2.0 and PCTF. Promote technology-neutral, cross-recognized approaches to e‑signatures and authentication. Enable market actors to use Canadian or EU‑based trust providers under harmonized rules, fostering innovation and consumer confidence. Cross‑Border Data Flows & Localization Advocate for privacy-respecting data mobility in sectors like real estate, energy, finance, and logistics. Oppose unnecessary data localization requirements that add cost without commensurate privacy or security gains. Ensure that Canadian data flows operate in accordance with Canadian laws and values, even when exchanged across borders. Encourage alignment of privacy and cybersecurity approaches that preserve trust and legal clarity. Cybersecurity, Fraud Prevention & Consumer Protection Recommend the adoption of shared fraud scoring, risk assessment, and identity verification frameworks. Embed privacy‑by‑design principles into digital transactions and identity services. Coordinate cross-jurisdictional responses to cyber incidents, identity theft and digital scams.Standards & Interoperability Promote adoption of open international standards for identity, authentication, data portability, and interoperability. Explicitly include industry‑driven frameworks, such as PCTF, as recognized tools for implementation. Ensure Canada retains the ability to define, adapt, and govern its digital identity and trust frameworks independently, in alignment with national law, values, and economic strategy. Leverage PCTF to reduce regulatory fragmentation and increase interoperability across sectors. Digital Inclusion & MSME Access Ensure MSMEs can access affordable, certified trust services for cross-border commerce. Support inclusive access in underserved communities, including rural and Indigenous, via interoperable service models and affordable trust credentials. Artificial Intelligence & Responsible Data Use Align responsible AI principles for trust services and risk modelling, emphasizing transparency, fairness, and accountability. Apply these principles to AI-enabled identity verification tools used in cross-border trade and digital wallets. Sectoral Impact Examples SectorBenefit from Mutual Recognition of PCTF & eIDASHousingStreamlined mortgage and property transactions; AML compliance with reduced frictionEnergy & ResourcesCertified credentials for emissions tracking, trade, and grid interoperabilityFinance & InsuranceReduced friction in cross-border lending, payments, and claims processingPublic Safety & HealthTrusted sharing of credentials for emergency response and cross-border healthcare Conclusion

Canada has a unique opportunity, through this consultation, to shape a forward-looking Digital Trade Agreement with the EU, one that prioritizes trust, privacy, interoperability, digital sovereignty, and inclusion.

By integrating Canadian-governed, industry-led standard frameworks, such as the PCTF, into this toolkit alongside national and international norms, Canada can lead in building a scalable, resilient, and trusted digital trade architecture, without compromising its ability to govern its digital future.

DIACC welcomes further collaboration to refine the role of PCTF in Canada’s digital trade strategy and ensure that Canadian businesses, especially MSMEs, can participate confidently in secure, cross-border digital commerce.

The E-ID proposal of 2019 was a classic own goal: privatized, centralized, and with privacy on the back burner. The result in March 2021: a resounding 64% No. The Swiss people didn’t want a “private flavour” national digital identity. Rightly so.

Now, with the new BGEID (2025), Switzerland has made a serious course correction. Instead of half-baked privatization, there is now full state authority, privacy-by-design, and open source. The E-ID resides only on the smartphone in the user’s wallet – not in some cloud run by whoever. Age verification? No longer “name + date of birth correlated with a profile,” but simply “over 18.”

Even more exciting: this is no longer just about an E-ID, but about a trust infrastructure. Driver’s licenses, diplomas, tickets – all digital, tamper-proof, in your own wallet. A federal network-of-networks in which municipalities, cantons, universities, companies, or associations can issue their own credentials.

In short: Switzerland is finally translating its political DNA motto “diversity through federalism” into the digital realm. And this was not cooked up in a backroom, but through a participatory process with NGOs, business, academia, and civil society. Democratically legitimized, technically modern, internationally interoperable.

But here’s the real point: the E-ID is only the key – the lock and the doors are built by the ecosystem. A digital identity alone is of little use if it cannot be applied anywhere. Everyday value emerges only when government, business, and society actively use this infrastructure – with credentials we still carry around on paper today: from residence certificates to debt enforcement extracts, from bank guarantees to e-prescriptions and medical reports. Only then does SWIYU become a universal tool for secure, privacy-preserving, and efficient processes.

The ecosystem does more than create convenience – it strengthens trust: less fraud, less bureaucracy, more automation, genuine freedom of choice, and strict data minimization. That’s the difference compared to the old proposal – and compared to global login solutions offered by tech giants. Without an ecosystem, the E-ID remains a key without doors. With a broadly established ecosystem, it becomes a digital public service, open to innovation and anchored in Swiss values.

For those who want to dig deeper: we’ve compared the 2019 proposal and the new 2024 BGEID in detail (to the best of our knowledge). The document shows in black and white why the new E-ID is not a reheated version, but a true paradigm shift – from a private product to a state trust infrastructure.

The bottom line?

For citizens: more sovereignty, stronger privacy, less “Big Brother” feeling.

For the economy: legal certainty, less dependency, more innovation.

For Switzerland: digital infrastructure as a public service – as essential as roads, bridges, water, and electricity.

Resources:

Read/Download our Comparison: BGEID 2021 vs. 2025

 

 

Carter’s just pulled off what many retailers thought was impossible. 

In only three months, the iconic children’s apparel brand rolled out RFID technology across 700 stores:  improving accuracy on every item and making life easier for both store teams and customers. In this episode, Gina Maddaloni and Anna Marie Blackburn from Carter’s join hosts Reid Jackson and Liz Sertl to discuss how RFID became central to Carter’s retail operations, what it took to win buy-in across the company, and how it is improving both inventory management and customer experience.

You’ll also hear how Carter’s uses RFID to cut payroll costs for year-end inventory by 50 percent, why the rollout became a recruiting tool for store teams, and where the company sees new opportunities to extend RFID into supply chain operations.

In this episode, you’ll learn:

How Carter’s achieved one of the fastest RFID deployments in retail

Why RFID is no longer “too complex” or “too expensive”

What’s next as Carter’s expands RFID use into its supply chain operations

Jump into the conversation: (00:00) Introducing Next Level Supply Chain (01:29) Anna Marie and Gina’s backgrounds (03:52) What RFID technology means for retail (06:47) The process of rolling out RFID across Carter’s stores (13:21) RFID’s impact on Carter’s operational efficiency (17:49) RFID as a recruiting tool for store teams (18:54) Asset protection benefits and peace of mind (19:34) Expanding RFID into DC operations (21:35) What’s next, Carter’s move toward serialization (23:01) Advice for companies starting their RFID journey (24:02) Busting RFID myths: cost, complexity, and adoption (26:29) Favorite tech beyond RFID (29:22) What Gina and Anna Marie want to learn next

Connect with GS1 US: Our website - www.gs1us.org GS1 US on LinkedIn

Connect with the guests: Gina Maddaloni on LinkedIn Anna Marie Blackburn on LinkedIn Check out Carter’s

Learn more about the GS1 US Solution Partner Program: https://www.gs1us.org/industries-and-insights/partners

 

Read the full case studyhere.

Around the world, governments are deploying blockchain as a way to restore public trust and deliver citizen services more effectively. From EBSI in Europe, to LACChain in Latin America, to Rede Blockchain Brasil (RBB), a common decision stands out. They all chose Ethereum—specifically, Besu, an open-source project hosted by LF Decentralized Trust—as the backbone of their public sector blockchain networks.

Why Ethereum? The choice was not accidental and this multi-regional case study highlights some of the reasons why. Drivers include building on the proven and familiar infrastructure with Ethereum, the world’s most widely adopted smart contract platform, flexibility and long-term optionality for Public and Permission use, vendor neutrality, and compatibility with global standards.

__

Energy Web Foundation (EWF), the nonprofit accelerating the energy transition with open-source, decentralized technologies, has announced a new partnership with BlockDeep Labs, a leading blockchain engineering firm specializing in Polkadot and Substrate

Through this collaboration, BlockDeep Labs will support the development of new features on the Energy Web X (EWX) parachain, with an initial focus on liquid staking, multi-token support, and decentralization analysis

Both organizations share a strong commitment to open-source innovation and community collaboration, aiming to deliver impactful solutions that can accelerate the digital energy transition.

“We’re excited to partner with Energy Web Foundation on advancing the Energy Web X chain and shaping its future. At BlockDeep Labs, our mission is to lower barriers for users by building robust and efficient Web3 solutions. Collaborating with EWF gives us the opportunity to apply that expertise in a sector where trust, scalability, and interoperability are critical. Together, we aim to deliver infrastructure that not only strengthens the Energy Web ecosystem but also showcases how Polkadot SDK technology can drive real-world impact in energy and beyond.”— Gautam Dhameja, Founder, BlockDeep Labs

“Partnering with BlockDeep Labs brings deep Polkadot expertise to the Energy Web ecosystem at a critical moment in our roadmap. Their support on the Energy Web X parachain will accelerate key features like liquid staking and multi-token functionality, while ensuring our chain remains secure, scalable, and open-source. Together, we are building the digital infrastructure needed to enable the energy transition at global scale.” — Mani Hagh Sefat, CTO, Energy Web

About Energy Web

Energy Web is a global technology company driving the energy transition by developing and deploying open-source decentralized technologies. Our solutions leverage blockchain to create innovative market mechanisms and decentralized applications, empowering energy companies, grid operators, and customers to take control of their energy futures.

About BlockDeep Labs
BlockDeep Labs is a Berlin-based blockchain engineering company with deep expertise in Polkadot SDK, tooling, and blockchain innovation.

Energy Web Foundation Announces Technology Partnership with BlockDeep Labs was originally published in Energy Web on Medium, where people are continuing the conversation by highlighting and responding to this story.

In the second of a series of guest posts by DIF Ambassador Misha Deville, Misha explores how decentralized identity provides the missing trust infrastructure needed for AI systems to scale delegation, personalization, and content authenticity. Read the first post in the series, "The Missing Growth Lever."

Everyone is talking about the promises of AI. Faster decisions, tailored experiences, intelligent agents. But delivering on that promise requires more than powerful models. It requires trusted infrastructure.

AI systems create value through delegation, personalisation, and decision-making. Yet these capabilities can’t scale consentfully or securely without the ability to prove who the system is working for (context), what it’s been authorised to do (consent), or whether its outputs can be trusted (credibility). Decentralised identity models and verifiable credentials can provide the missing infrastructure to ensure AI systems can deliver on their promises.

Agentic Delegation at Scale

“To scale humans, we deploy agents. But to scale agents, we must manage them like humans.” 1 - Director Product Management, Writer.

Agentic AI is no longer a future proposition, it’s a present bottleneck. Organisations are deploying more autonomous agents, but they’re hitting “scaling cliffs” as agents multiply faster than their supervision and governance systems can manage them. Unlike APIs or scripts, agents are semi-autonomous systems with memory, tool access, and significant sensitive data exposure. Without clear scopes, audit trails, or authority checks, most delegation turns into vast liability surfaces, and a system of patchwork permissions quickly becomes unmanageable.

As Huang et al. write, ““Failure to address the unique identity challenges posed by AI agents operating in Multi-Agent Systems (MAS) could lead to catastrophic security breaches, loss of accountability, and erosion of trust in these powerful technologies” 2.

Most AI systems today are still rooted in prediction, but this is rapidly shifting toward delegated action. The agentic AI market has already reached $13.8 billion in 2025, and as agents start taking action, the question becomes: who is acting, on whose behalf, and under what authority?

‘Authenticated delegation’ enables third parties to verify that:

“(a) the interacting entity is an AI agent, (b) that the AI agent is acting on behalf of a specific human user, whether pseudonymised or identifiably known, and (c) that the AI agent has been granted the necessary permissions to perform specific actions”. 3

This sounds simple, but delegated ‘trust’ doesn’t end with a single permission. Especially in asynchronous flows or agent-to-agent communication, it must be enforced dynamically over time.

Most systems today use token-based models, like OAuth, that assume trust within a known and bounded hierarchy is established when a token is issued, and meaningful wherever invoked. Once the token is delivered however, there is no enforcement that the agent will continue to act within its authorised scope over time, or the domain within which it is meaningful. A delegation-first model like ZTAuth, or other Authorization languages based on Object Capabilities (e.g. ZCaps, UCAN, Hats Protocol), adds runtime checks, making sure agents are still trusted, acting on behalf of the right user, and following the right rules, every time they take an action rather than with a token's expiry period.

Similar ideas are emerging in The MIT Computer Science and AI Lab’s framework for ‘Identity-Verified Autonomous Agents’, which introduces cryptographic proofs of authority and full auditability into multi-agent workflows2. Meanwhile, projects like the A2A protocol are building agent registries to support discovery, entitlements, and secure agent-to-agent communication across trust boundaries and OAuth-style enterprise hierarchies 4.

At the standards level, DIF’s Trusted AI Agents Working Group is building open specifications to support these use cases. Their work spans data models, object capability frameworks, interoperability libraries and runtime trust enforcement patterns. This is about more than securing agent-to-agent interactions. It’s about enabling a full lifecycle of trust, from credentialed instantiation of agents to delegated (logged and fully-auditable) execution, all the way through to forensic audit and remediation in the worst case scenario.

Hyper-personalisation that works

AI-driven hyper-personalisation promises to unlock entirely new value in digital experiences. McKinsey reports show meaningful increases in customer engagement and spend when personalisation is done right 5. But it can just as easily backfire. A 2019 Gartner study found that 38% of users will walk away from a brand if personalisation feels “creepy” 6, and recent research with Gen Z confirms the duality that personalisation is welcome up until it crosses the line 7.

That line is defined by context and consent. When AI systems infer personal data from web-scraping profiles, browser fingerprinting, adtech data, and other opaque signals, they significantly undermine trust and user agency. When they employ algorithmic transparency, ethical frameworks, and user-authorised data inputs they mitigate the risks of conscious and unconscious mistrust and backlash 8.

Verifiable credentials in this context offer a solution that can give AI systems structured, consent-based attributes that users explicitly approve. This helps shift personalisation away from prediction and toward permission. It reduces the risk of misfires and irrelevant outputs, and increases both system reliability and user trust.

The travel industry is a clear example of the opportunity gap. Identity and preference checks occur at nearly every step, yet the ecosystem remains fragmented 9. Travellers routinely overshare sensitive data multiple times, with little visibility into where it’s stored or how it’s used. Providers, in turn, struggle to deliver seamless or personalised services without duplicating traveller effort or violating privacy regulations.

That’s starting to change. Initiatives like IATA’s One ID aim to eliminate repetitive ID checks using biometric-backed credentials, creating a more secure, contactless experience. Live pilots by SITA and Indicio, in partnership with Delta Airlines and the Government of Aruba, have also shown how digital travel credentials can streamline identity verification at check-in, boarding, and border control.

These foundational shifts pave the way for more advanced personalisation use cases. With credential infrastructure in place, providers can begin supporting traveller-owned profiles that store personal preferences, enable selective data sharing, and allow AI agents to act on a traveller’s behalf. The DIF Hospitality & Travel Working Group is developing schemas to support this, with traveller profiles that are dynamic, revocable, and built for interoperability. As Nick Price notes, when preferences are embedded in credentials and shared on the traveller’s terms, personalisation becomes possible while still preserving privacy and trust 10.

Decision-Making and Sense-Making in Synthetic Noise

Identity fraud isn’t new, but AI has supercharged its scale, speed, and sophistication. In 2025, 1 in 20 ID verification failures are already being linked directly to deepfakes, while synthetic audio and video forgeries have increased 20% and 12% respectively in fraud attempts year-over-year 11. National Security Agencies of the US, UK, Canada, and Australia, have warned that the quality and pace of AI-generated forgeries “have reached unprecedented levels and may not be caught by traditional verification methods” 12.

Ironically, fraud detection is one of AI’s strongest use cases. But its success depends on the quality of input data. Risk models tend to rely on patterns from historical data to flag anomalies. If the data is synthetic, spoofed, or unverifiable, the model can learn the wrong patterns or miss the threat altogether. It's a clear case of “attacker's advantage,” since automated attacks are almost free to launch at brute-force scale. What's worse,s AI adversaries are improving at impersonation, so hallucinated and forged content is proliferating across search engines, media outlets, and public discourse, contaminating LLMs at the lowest level of training data.

“As AI agents grow increasingly adept at mimicking human behavior - crafting text, creating personas, and even replicating nuanced human interactions - it becomes harder to maintain digital environments genuinely inhabited by real people.”2

Detecting ‘what’s real’ at scale now requires cryptographic certainty. Verifiable credentials offer a solution to the ‘garbage in, garbage out’ problem by allowing systems to verify data attributes without exposing raw personal data. Content credentials, as standardised by C2PA, provide tamper-evident metadata that can trace authorship, modification history, and usage rights across files, namespaces, and industry associations. This helps prevent both fraud in high-stakes transactions and reduce the risk of model “pollution” by synthetic content 13.

These mechanisms are quickly moving from optional to operational. California’s SB 942, set to take effect in 2026, will require that all AI-generated or AI-altered content be disclosed and tied to an immutable record of provenance. As Erik Passoja writes, “Compliance is just the on-ramp… the real destination is an authenticated digital ecosystem.” 14. Infrastructure built on signed manifests, cryptographic consent, and watermark durability won’t just prevent fraud, it will underpin new forms of value, from automated licensing to portable and just-in-time reputation.

In all of these cases, a reliable identity layer isn’t a ‘nice to have’, but a prerequisite for trust, adoption, and real-world value. Decentralised identity and verifiable credentials provide the infrastructural foundation that lets AI scale and deliver new opportunities. DIF’s working groups are tackling these challenges head-on, from authenticated AI agents to verifiable travel profiles and content authenticity.

The next article in this series will dive into the work of the Content Authenticity Initiative and DIF’s Creator Assertions Working Group, exploring how open standards are enabling AI to be used confidently in media, preserving trust, provenance, and creative integrity.

Find out more about DIF’s working groups here:

Creator Assertions Hospitality and Travel DIF Labs

If you’d like to stay updated on the launch of DIF’s Trusted AI Agents Working Group, reach out to contact@identity.foundation.

Endnotes M. Shetrit (2025). “Supervising the synthetic workforce: Observability for AI agents requires managers, not metrics”. Writer. ↩︎ Huang et al. (2025). “A Novel Zero-Trust Identity Framework for Agentic AI: Decentralized Authentication and Fine-Grained Access Control”. arXiv. ↩︎ South et al. (2025). “Authenticated Delegation and Authorized AI Agents”. arXiv. ↩︎ A2A Project. “Agent Registry - Proposal”. GitHub. ↩︎ McKinsey & Company (2025). “Unlocking the next frontier of personalised marketing”. ↩︎ Gartner (2019). “Gartner Survey Shows Brands Risk Losing 38 Percent of Customers Because of Poor Marketing Personalization Efforts” ↩︎ Peter et al. (2025). “Gen AI – Gen Z: understanding Gen Z’s emotional responses and brand experiences with Gen AI-driven, hyper-personalized advertising”. Frontiers in Communication. ↩︎ Park, K & Yoon, H (2025). “AI algorithm transparency, pipelines for trust not prisms: mitigating general negative attitudes and enhancing trust toward AI”. Nature. ↩︎ DIF (2025). “DIF Launches Decentralized Identity Foundation Hospitality & Travel Working Group” ↩︎ Dock (2025). “How Digital ID is Reshaping the Travel Industry” ↩︎ Bondar, Ira (2025). “Real-time deepfake fraud in 2025: Fighting back against AI-driven scams”. Veriff. ↩︎ NSA et al. (2025). “Content Credentials: Strengthening Multimedia ↩︎ Adobe (2025). “Content Credentials”. ↩︎ Passoja, Erik (2025). “From Compliance to Prosperity” LinkedIn. ↩︎

At the inaugural Privacy for Financial Services Workshop hosted by LF Decentralized Trust in New York, a clear signal emerged: privacy is no longer a theoretical aspiration in digital finance. It’s a necessity, and it’s becoming deeply practical.

In a bid to improve overall security of the identity ecosystem, the National Institute of Standards and Technology updated its Digital Identity Guidelines earlier this month. The first revision since 2017, many organizations should be able to implement the updated guidelines without much difficulty as part of their identity strategy.

Attackers are always sharpening their skills to bypass organizations’ identity and access management (IAM) protocols – the key to gaining critical access – and artificial intelligence (AI) is making phishing attacks even more effective, and deepfakes are tricking even the most security-savvy mind. New authentication measures such as passwordless technologies, exist, but implementation challenges have hindered adoption.

As announced, Microsoft today deletes all stored passwords from his authenticator app. Users have to secure their access data before they are lost permanently. Other functions of the app are preserved.

Users must secure passwords

For users of the Microsoft Authenticator, it is a critical deadline: As announced at the beginning of May, all stored passwords are irrevocably deleted from the app on August 1, 2025. If you do not ensure or transfer the data, you permanently lose access to the stored passwords.

The changeover takes place gradually and has been going on for months. Since June 2025, it has no longer been possible to save new passwords in the app or to import from external sources. This affects both manual entries and the synchronization with other services. In July 2025, the autofill function was then deactivated, so that the app no longer automatically entered login fields on websites or in apps.

HID, a worldwide leader in trusted identity and access management solutions, has announced a new line of FIDO-certified credentials—now powered by the new Enterprise Passkey Management (EPM) solution— designed to help organizations deploy and manage passkeys at the enterprise scale. 

Newresearch from FIDO Alliance shows that while 87% of enterprises are adopting passkeys, nearly half of those that are yet to deploy cite complexity and cost concerns as primary barriers.HID’s solution streamlines the shift to passwordless authentication.

Recognizing 18 years of exceptional leadership, global advocacy, and dedication to OASIS open standards

It is our privilege to announce that Gershon Janssen has been awarded the OASIS Distinguished Contributor Award — an honor he has richly deserved for many years. 

With his recent announcement of transitioning off the OASIS Board of Directors, it’s a fitting time to reflect on Gershon’s extraordinary contributions. Since joining OASIS in 2007, he has given more than his time — he has offered steady leadership, sharp insight, and unwavering commitment to our mission. Over the past 18 years, he has served in numerous roles, including:

OASIS Member since 2007, elevated to Sponsor Member status in 2022
Board Member since 2012, serving as Secretary (2012–2016) and as President and Chairman (2016–2025)
Secretary and Contributor for the PMRM and WS Calendar Technical Committees
Contributor to the IDtrust and WS-I Member Sections, as well as the PKCS #11, KMIP, MQTT, VIRTIO, BPEL4People, OData, and many other Technical Committees
Member of the OECD Internet Technology Advisory Council and Chair of its Security and Privacy Working Group
Board of Managers member for the OASIS Open Development Foundation
Treasurer for the OASIS Open Europe Foundation
Active member of the Process, Finance, Staffing, Governance, and Technology Committees

Much of Gershon’s work has been in roles that rarely receive deserved recognition — yet are vital. His steady hand has been a stabilizing force during turbulent times, including leadership transitions in which he shouldered the responsibilities of both Chair and Interim Executive Director on multiple occasions, some lasting from several months to nearly a year. 

Gershon’s dedication has gone far beyond formal responsibilities. On his own time — and at his own expense — he has served as an ambassador for OASIS around the globe, personally sponsoring activities when resources were stretched, representing our work as a TC member at key events, and acting as a liaison to numerous industry and government bodies. 

Through it all, Gershon led with quiet strength, patience, and a deep respect for the collaborative process, OASIS staff, and the members. His influence has helped guide OASIS through challenges and successes alike, ensuring our community remained strong and forward-looking. 

Words cannot truly capture our appreciation for Gershon’s years of service, nor can they measure the impact he has made. We thank him not only for his leadership, but for his enduring dedication to OASIS and the global open standards community. 

Please join us in congratulating Gershon on this well-deserved recognition. 

— OASIS Staff

The post OASIS Staff Honors Gershon Janssen with the Distinguished Contributor Award appeared first on OASIS Open.

The post Velocity Network Foundation Joins Global Leaders at Inaugural Geneva Conference on Digital Trust  appeared first on Velocity.

The post Velocity Charitable Foundation Elevates Statewide Approach to Verifiable Credentials and Open Ecosystems appeared first on Velocity.

The post Velocity Network Technology Becomes “Verii” Under the Linux Foundation’s LF Decentralized Trust Initiative  appeared first on Velocity.

The post What is a Trust Framework?  appeared first on Velocity.

Energy Web has rolled out a major upgrade to the consensus mechanism governing Worker Nodes on the Energy Web X (EWX) network. This enhancement aligns Energy Web X and the Worker Node Networks with a core vision: using secure on-chain consensus and rewards to validate off-chain computations while incentivizing the highest level of node performance. Why This Matters

A growing number of applications in the energy sector and beyond are leveraging decentralized Worker Node networks on Energy Web X. For example, Green Proofs for Bitcoin (GP4BTC) uses EWX to verify green Bitcoin mining, and the recently launched Carbon-Aware Nomination system orchestrates compute workloads to maximize the use of clean energy. As these and other DePIN (Decentralized Physical Infrastructure Networks) use-cases expand, it becomes ever more critical to enforce accurate and verifiable computation in a secure, scalable manner.

This consensus upgrade directly addresses that need. It introduces several improvements to how EWX validators reach agreement on Worker Node outputs and distribute rewards: changes that align incentives with performance and ensure the integrity of off-chain execution. This upgrade empowers enterprises to pair their off-chain computational systems with highly configurable on-chain reward mechanisms, creating strong business and financial incentives for both enterprises and community members operating Worker Nodes to actively contribute to these decentralised systems.

Setting The Bar on Performance

Only the most consistent, high-performing worker nodes will now be rewarded for their contributions. The upgrade introduces an SLA performance threshold, a minimum standard for correct vote submissions that a node must meet to qualify for any rewards. In other words, a worker’s voting accuracy over each reward period has to exceed a predefined percentage (set on a per-Solution Group basis) for that node to earn a share of the rewards. A “correct” vote means the worker’s submitted result from their off-chain execution aligns with the majority consensus for a given round (as determined by EWX validators). If a node’s correct vote rate falls below the threshold, it won’t receive rewards for that period, no matter how many votes it cast.

This change pushes every Worker Node operator to perform above a clearly defined bar. Energy Web X validators now track each worker’s voting performance across rounds (via on-chain metadata) and calculate the percentage of that worker’s votes that matched the accepted consensus. Only those exceeding the SLA threshold are deemed eligible. Among those that qualify, rewards are weighted by accuracy and stake, meaning those who contribute more correct results and have more stake on the table earn proportionally more. See the reward formula below:

worker_reward = (worker_correct_votes × user_stake) / total_weighted_correct_votes × voting_reward_per_block × active_blocks

Where: worker_reward: the amount of EWT distributed to the worker node operator as their active reward for participation in eligible voting rounds within the concluded reward period. worker_correct_votes: The number of correct (consensus aligned) votes submitted by the worker node in the eligible voting rounds within the concluded reward period. user_stake: The amount of tokens locked by the operator upon registration. total_weighted_correct_votes: Sum of correct votes weighted by stake across all worker nodes ( Σ(correct_votes_i * stake_i) ). voting_rewards_per_block: Amount of tokens allocated to voting rewards per block (configured by the solution registrar). active_blocks: Number of blocks spanning the reward period. Worked example:

A Solution Group contains 150 operators. At the end of a reward period, 100 operators submitted sufficient votes to exceed the SLA threshold and are eligible for rewards.

From the eligible 100 operators, the average correct votes during the reward period is 100 and the average user stake is 1000.

Therefore: total_weighted_correct_votes = 100 * 100 * 1000 = 10,000,000

Worker Node A had 110 correct votes with a stake of 1000. There are 7200 active blocks in a voting round, and the voting rewards per block are set to 1 token.

Therefore: worker_node_A_reward = (110 * 1000) / 10000000 * 1 * 7200 = 79 tokens

Consensus Validated Via Quorum & Majority Threshold

The consensus mechanism employs a two-tier validation process to guarantee both sufficient participation and accuracy of submissions before finalising the result on-chain. Energy Web X requires two conditions for a voting round to produce a valid result:

Quorum: A minimum percentage of eligible worker nodes must participate by submitting their votes. Majority Threshold: Within the specified quorum of participants, a majority of workers, over the defined threshold, must agree (i.e. submit matching results) for the result to be accepted as the round’s consensus.

If either condition isn’t met the round is marked Unresolved. These thresholds optimise for security and trust without sacrificing scalability. Quorum ensures that a sufficiently broad sample of the network contributes to each consensus decision, while the majority threshold ensures accuracy and trust in the result. Only when both conditions are satisfied will the Energy Web X validator set record the final result on-chain.

Improving Withdrawal Delay

The upgrade also refines how and when worker node operators can withdraw their stake from the network. The withdrawal delay is the period a user must wait between submitting an unsubscription request and receiving their tokens. This means every action (vote) has a consequence: correct votes will always be rewarded while protecting against malicious actors who may otherwise submit false votes and then withdraw to evade penalties.

With the upgrade, withdrawal delays are measured in reward periods instead of blocks. In practice, after an operator initializes a withdrawal, they must wait a defined (by the registrar) number of additional reward periods before withdrawing their collateral. During this delay period, the node can still participate in voting rounds and continue to earn rewards, except for the final reward period in which the stake is released and voting eligibility ends. This ensures all pending rounds are properly settled and any rewards or penalties processed before a node can exit the network.

For example, a solution group has a withdrawal delay of 2 reward periods. A subscribed worker node operator votes in Reward Period 1 then submits an unsubscribe request in Reward Period 2. The operator would need to wait for Reward Period 3 and 4 to conclude, before receiving their funds back during a block (specific timing depends on system load) in Reward Period 5. The operator can participate (vote) in Reward Period 3 and 4 but not in 5.

The Outcome: Accurate, Scalable and Secure Off-Chain Compute

Together, these enhancements bring Energy Web X’s consensus mechanism in line with the vision of incentivizing top-performing worker nodes to deliver accurate, verifiable outputs from off-chain computation.

What does this mean for Energy Web ecosystem participants? Solution owners and their users can have complete trust in the outputs of decentralised compute. Energy Web X’s blockchain will securely handle the heavy lifting of coordinating nodes, validating results, and distributing rewards, all in the background. This allows developers and enterprises to focus on what they do best: building high-value applications, confident that a robust, trusted decentralized compute layer is reliably powering their workloads behind the scenes.

About Energy Web

Energy Web is a global technology company driving the energy transition by developing and deploying open-source decentralized technologies. Our solutions leverage blockchain to create innovative market mechanisms and decentralized applications, empowering energy companies, grid operators, and customers to take control of their energy futures.

How to Get Involved

Review the docs
Join the conversation

From Off-Chain Execution to On-Chain Trust: Inside Energy Web’s Consensus Overhaul was originally published in Energy Web on Medium, where people are continuing the conversation by highlighting and responding to this story.

The post Velocity Network Foundation – MidYear Updates appeared first on Velocity.

Microsoft has started to delete all passwords saved in its Authenticator app — and if you want to make sure you’re not locked-out of your favourite websites and apps, there’s one way to save your previous logins.

It might seem a little extreme, but the decision to start wiping passwords from its users has been months in the making. Microsoft has been slowly winding down Microsoft Authenticator, a free mobile app developed by Microsoft for Android and iOS that lets you securely sign-in to online accounts using two-factor authentication (2FA) or passwordless logins.

Like or not, a replacement for passwords — known as passkeys — is coming your way, if it hasn’t already. The three big ideas behind passkeys are that they cannot be guessed in the way passwords often can (and are), the same passkey cannot be re-used across different websites and apps (the way passwords can), and you cannot be tricked into divulging your passkeys to malicious actors, often through techniques such as phishing, smishing, quishing, and malvertising. 

HID, a leader in trusted identity and access management solutions, has announced a new line of FIDO-certified credentials – now powered by the new Enterprise Passkey Management (EPM) solution – designed to help organizations deploy and manage passkeys at the enterprise scale. 

New research from FIDO Alliance shows that while 87% of enterprises are adopting passkeys, nearly half of those that are yet to deploy cite complexity and cost concerns as primary barriers. HID’s solution streamlines the shift to passwordless authentication.

The next phase of HID’s passwordless authentication roadmap gives enterprises choice, flexibility and speed to deploy FIDO without compromising user experience or security posture. The expanded portfolio delivers phishing-resistant authentication with enterprise-grade lifecycle management, making scalable passwordless security accessible to organisations of all sizes. The solution works seamlessly across diverse work environments while reducing IT support requirements through centralised visibility and control.

Part of the “passkeys are more secure than passwords” story is derived from the fact that passkeys are non-human-readable secrets — stored somewhere on your device — that even you have very limited access to. 

OK, so what happens to those passkeys if your device is stolen?

HID, a leader in trusted identity and access management solutions, has announced a new line of FIDO-certified credentials – now powered by the new Enterprise Passkey Management (EPM) solution – designed to help organizations deploy and manage passkeys at the enterprise scale. 

New research from FIDO Alliance shows that while 87% of enterprises are adopting passkeys, nearly half of those that are yet to deploy cite complexity and cost concerns as primary barriers. HID’s solution streamlines the shift to passwordless authentication.

In the first of a series of guest posts by DIF Ambassador Misha Deville, Misha sets the stage for an underappreciated business problem one layer deeper than traditional User Experience analyses.

The Trust Ceiling

The paradox is that we want AI systems that understand us, but only on our own terms. We’re uneasy when AI appears to use personal data without permission, yet we’re frustrated when it doesn’t ‘get us’ on the first try (in ways that it would need lots of personal data to fill in the context). This might seem like a philosophical problem, but I am pointing to an underappreciated technical one. Without embedding trust negotiation into the system design itself, through features such as transparent data flows and consent mechanisms, these systems cannot negotiate subtext and context; without this capability, we will fail to see AI adoption (and utility) scale as promised. 

Friction in trust, and therefore adoption, stems from the lack of transparency and control, not from ‘poor model intelligence’. 66% of U.S. shoppers, for example, say they would not allow AI to make purchases for them, even if it meant securing better deals, because “consumers suspect AI is working for the retailer, not them. Until that trust gap closes, AI will remain a product discovery tool” 1.

Public patience with AI product rollouts is already wearing thin. Global brands like Duolingo are facing significant backlash after announcing ‘AI-first’ strategies 2, and the perception gap between those building AI systems and the addressable markets expected to adopt them is ever widening. 51% of adults interviewed in a recent Pew Research Study said they were more concerned than excited about AI, which contrasts sharply with the mere 15% of ‘AI experts’ that held this view 3. 

The generative-AI race to market that made AI more powerful and more personal, also made systems more opaque, leaving users in the dark about how and why decisions are made. In the absence of transparency, even well-intentioned systems lose public trust. The WEF frames this as a missed opportunity to build new markets on a healthy footing: “Without transparency, AI systems might be used that are not value-aligned at a level that is acceptable to users, or users might distrust AI systems that actually are sufficiently value-aligned because they have no way of knowing that.” 4

To embed trust into the system itself, people need to be able to verify:

who the AI is working for (context),  what it’s allowed to do (consent), and,  whether the output can be trusted (credibility). 

The solution therefore isn’t more intelligent AI models, it’s a complimentary, verifiable identity layer. An identity layer doesn’t just enable trust at the level of individual users trusting individual interfaces; it also supports a healthier marketplace overall by making AI systems traceable, comparable to one another, and accountable to the users and services they interact with. It helps users in aggregate trust AI more in aggregate.

Verifiable credentials built on a backbone of decentralised digital identifiers, enable cryptographic proofs of user and object attributes. Context, consent, and credibility become programmable, and the user experience transforms from coercive to empowering. 

The Market Opportunity

Digital identity and AI are fundamentally interdependent, but the current investment landscape and dominant business strategies do not reflect this. Today, AI is seen as a growth engine and identity infrastructure is seen as compliance overhead. This mental model is not just outdated, it’s economically limiting.

In 2024, global VC investment into AI-related companies exceeded $100 billion, marking an 80% increase from 2023 5. Meanwhile, investment in digital identity declined. In the UK, one of the world’s leading digital identity markets, the sector saw only $58 million in VC funding in 2024, a 69% decline from the year before 6. This stark investment gap reveals a misunderstanding of the technology stack required for trustworthy, scalable AI. 

The convergence of these technologies is both ethically necessary and commercially advantageous. An identity layer that’s fit for this new era will enable AI breakthroughs to scale with direction, grounding, and accountability. If AI is the engine, then digital identity is the navigation system. It doesn’t slow the rocket down. It ensures it lands where we need it to. 

The companies that align AI with verifiable digital identity will capture disproportionate market share where others hit trust ceilings. Strategies that capitalise on both technologies will unlock the promised value in use cases such as:  

In fintech, verified delegation allows AI agents to execute trades securely, with cryptographic proof of authority and clear audit trails. In healthcare, patient-controlled access to verified medical records enables truly personalised care without compromising consent or privacy. In global supply chains, AI systems can confirm the authenticity of every product and actor, preventing counterfeits, improving traceability, and automating trust at scale.

Digital identity is not a constraint on AI. It’s the infrastructure that allows it to scale responsibly and profitably. Standards like W3C’s Verifiable Credentials Data Model, provide a vital foundation for AI systems to verify context, consent, and credibility without compromising privacy. The companies that embrace this interdependence will define the next wave of digital infrastructure. Those that don’t, will risk building impressive technology that nobody trusts enough to use.

In the next article, we’ll explore how decentralised identity unlocks the real-world value of AI, starting with three core functions behind its promises: personalisation, delegation, and decision-making.

If you’d like to stay updated on the launch of DIF’s AI-focused working group, reach out to contact@identity.foundation.

Endnotes Charleston, SC (2025). “Two-Thirds of Shoppers Say ‘No’ to AI Shopping Assistants – Trust Issues Could Slow Retail’s AI Revolution”. Omnisend. Braun, S (2025). “Duolingo’s CEO outlined his plan to become an ‘AI-first’ company. He didn’t expect the human blacklash that followed.” Fortune. McClain et al. (2025). “How the U.S. Public and AI Experts View Artificial Intelligence”. Pew Research Center. Dignum et al. (2024). “AI Value Alignment: Guiding Artificial Intelligence Towards Shared Human Goals”. World Economic Forum. Fairview Capital. (2024). “Preparing for the Agentic Era in Venture Capital”. Wyman, O. (2025). “Digital Identity Sectoral Analysis 2025”. Gov.UK

Including recently-donated Rust implementation by Affinidi. More below!

Wait, is that a typo? Do you mean did:web? 

I did not, but I also did not not mean did:web. did:webvh is a new DID method, but it is also specifically designed to be a more production-worthy, “grown up” version of did:web, everyone’s favorite “training-wheel” DID method and growth hack for getting VCs issued from highly-trusted issuers. Crucially, did:webvh is a “backwards-compatible upgrade” to did:web, meaning it can be consumed in "legacy mode" by any software that already resolves did:web, but upgrades the featureset and trust-model when consumers upgrade their resolution logic to take advantage of the new syntax.

It was incubated at the Identifiers and Discovery Working Group at DIF, meaning it got extensive review and input from many other DID connoisseurs deep in the trenches of DID method design and “user research” as to what use-cases developers really want DIDs for in the first place. Having previously incubated other DID methods in the Sidetree family, early versions of the KERI system, and the did:peer specifications foundational to DIDComm, DIF is happy to see another DIF-incubated DID method graduate to v1!

If you’re hearing about did:webvh for the very first time here and now, let’s start at the beginning with a few high-level differences between did:web and did:webvh:

The VH stands for Verifiable History. Each DID version links cryptographically (“chains”) back to its predecessor and ultimately to the verifiable self-certifying identifier (SCID) that is embedded in the DID identifier. The SCID is derived from the DID’s initial state. Further, each update is signed by a key authorized to update the DID. Each valid did:webvh (the URL) can be easily and deterministically translate to a did:web. Just delete the “vh” in the method segment and the subsequent segment (the “SCID” — self-certifying identifier), and you have a valid did:web identifier.  Resolve that the way you would any other did:web, and you get a valid did:web DID Document. Easy-peasy, 100% interoperability with the most widely-deployed DID method other than did:key. Verifiability is not dependent on DNS. While DNS is used for discovery and retrieval of the DID Log file that contains a did:webvh history, the cryptographic verifiability of that history is not dependent on DNS. The DID Log can be retrieved from other locations/caches and fully verifies the history of its corresponding DID to date. Verifiability is independent of its DID Documents. A did:webvh DID Doc can contain anything the DID Controller wants it to have — different keys, key types, services and so on. The verifiability of the DID is secured by a more complex resolution mechanism, not the contents of the document. That allows the specification to be very opinionated on how the DID is secured (making interoperability easy and reliable), without limiting the purpose of the DID. Secure DID generation can now happen off-server. This allows DID doc hosting to be separate from key management, de-risking malicious hosts and allowing for “dumber” (e.g. key-oblivious) hosting pipelines, e.g. without access to /.well-known. “Common sense” DID URL Handling. The simple DID URL syntax <did>/path/to/{file} maps to just what one would expect: the "/path/to/" subdirectory where the <did> document is stored. Cross-Host Portability. A DID on one host, if configured from inception to allow it, can migrate to a host on another domain and still keep its long-lived and globally-unique “SCID” and verifiable history. This further decouples web hosting from the long-term value of the SCID as a stable, host-independent UUID, which (webvh-aware) consumers can use to link and deduplicate DIDs which migrate across multiple hosts. Optional extensions allow stronger guarantees for historical resolution and duplicity/forgery detection on the part of malicious hosts. Certificate Transparency-style “witnessing networks” (a web-of-trust approach to gossiping DID document histories, also used in the KERI key management/ID system) and/or aggressively cache-busting trusted resolvers can detect host malfeasance of various kinds. The origins of did:webvh

From the start, did:web had some production implementations that were too load-bearing to break… and many unhappy implementers. When a given website/domain only needed one collective DID (common for issuers already highly-trusted and with highly-secured websites, e.g. institutional issuers of credentials), or even in cases where the entirety of a DID’s lifecycle could be assumed to live on the same unchanging domain (e.g., employees or appointees or departments of an institutional issuer), did:web was great, and no one needed to consider upgrades.

Corner-cases and unhappy implementers kept popping up over time, though: 

What about historical resolution of old signatures after rotations and de-activations? What if a merger or acquisition or rebrand needs to update a domain name, but keep all its old DIDs resolving after the change? What if students want to keep their DIDs (or at least keep old signatures validating) after they graduate and they get incrementally locked out of their university’s IT systems?  What if anti-trust regulations forced portability (they way they do for phone numbers) and users wanted to keep connections after switching identity providers (or “hosts” in webvh terminology? What if hosts are perfectly willing to issue did:webs to hundreds of users, but cannot directly automate /.well-known/ documents for each, whether due to their JS framework, choice of contractor/service-provider, security policies, etc? What if consumers can’t fully trust all did:web hosts to faithfully produce the same document for all callers? What duplicity-detection mechanisms or historical guarantees could be offered to those consumers? Similarly, some use-cases are too high-stakes to trust all hosts equally; some consumers were demanding baseline guarantees about how securely DID documents get hosted over DNS-addressed HTTP beyond what is required for did:web

A backwards-compatible “version 2” of did:web was imagined but effectively deferred for years, before work started in earnest on an heir to did:web that focused primarily on improving its trust model. As the idea kept iterating and different requirements and design goals were debated by willing co-designers, the portability guarantees came to the fore as another key goal.

This portability goal dovetailed nicely with the requirements of the Open Wallet Foundation’s ACA-Py framework, which requires DID “agents” (a kind of general-purpose “backend” for many DID and VC operations) to be smoothly swappable over time by simply updating the services property in a DID document. As ACA-Py had originally been developed for blockchain-based did:indy DIDs, there was some amount of portability, key-management, and trust-model parity that needed to be achieved, which brought a lot of other difficult design problems in tow since websites are not stateful or append-only in the way blockchains are! 

Another parity goal was in achieving many of the host-independent “microledger” properties central to the KERI identifier system (and Sidetree before it), whereby the entire history of every DID can be walked to detect duplicity or other malice in any part of the system. Another KERI feature which the designers wanted to achieve was KERI’s “witnessing” properties, inspired by Certificate Transparency, which keeps hosts honest with tamper-detection and caching. This survives in optional extensions, i.e. as a distinct mechanism that consumers and hosts can opt into for stronger guarantees in resolution.

The did:webvh method's requirements informed the design and its original name, “Trust did:web”. Namely, the eponymous goal was to achieve an HTTP-published but ultimately host-independent trust layer for DID-based interactions, without a common blockchain and with more conventional cryptography and tooling than KERI requires. Trust nerds can think of this as a move from the “CA-grounded” web trust model, the only one in which did:web is usably trustworthy and secure, to one usable in a more modern “Let’s Encrypt” trust model that the web has largely moved to in recent decades.

Playing Nice in a Multi-DID World

As mentioned above, a formative goal in the design of did:webvh was smooth interoperability with did:web and did:key, as well as properties that would normally require an append-only VDR to achieve. Contrary to many DID methods which strive to stand out from the crowd by offering unique features enabled by their particular VDR or low-level mechanisms, this method sought instead to achieve a superset of features already in production today, to offer existing DID-based and DID-like systems a beter option to migrate to or translate to. Anything permitted in the DID Core specification is available in did:webvh — no restrictions! If the early phase of DID design was one of innovation and experimentation, did:webvh strives to consolidate and unite in this phase marked by convergence and productionization.

A good example of this is how did:webvh appends a digest (which can be used as a checksum) of the DID log entry to the id property of each DID document. In the HTTP context, this makes each DID document “tamper-evident” thus reducing many of the opportunities for a malicious did:web host to produce inaccurate or adulterated DID documents on behalf of a DID controller. This also makes all did:webvh DIDs “self-certifying,” in the sense that their documents’ integrity can always be checked against this checksum. Similarly, the provenance back to inception of updated DID documents can be integrity-protected and proven by the same “SCID” (Self-Certifying Identifier) mechanism.

SCIDs are a powerful design pattern, which undergird early IPFS-based DID methods like did:ipid and the Sidetree methods like did:ion and did:element, both of which were incubated in the DID Sidetree WG and used the IPFS identifier scheme to address each DID document by its hash.  Older mechanisms of hash-identification include RFC 6920, which underwrites the recent did:ni method; newer examples include did:iscc and the growing body of SubResource Integrity specs at W3C that allow location-independent, self-certifying identifiers for slow-moving, cacheable web resources. KERI pushed SCIDs to the fore and influenced a lot of design work at ToIP, but zooming out a little they can be seen across modern web development as a powerful counterbalance to the “same-domain principle” of modern web security.

SCIDs are also crucial to lots of ongoing design work at ToIP and elsewhere, such as the First Person Project which mandates the portability and self-certifying properties described above for ANY DID used across a wide patchwork of infrastructures and tooling. Does that mean any SCIDs will do? Can a did:webplus, used in the OCI ecosystem, be translated to a did:webvh, or a did:scid to let a controller of a did:webplus be part of such a bridged network? 

Similarly, the optional witness and watcher capabilities defined in the did:webvh specification were defined to be open-ended building-blocks as well. The specification defines a clean and simple technical mechanism for each capability to ensure interoperability between different applications of these, while leaving use-cases and ecosystem-specific governance questions outside the specification, where they belong. One application of these has been to backfill the did:indy concept of "endorsers" in a web-based VDR, but many other trust mechanisms or policy engines could be built combining DID logs and witnesses and/or watchers. The did:webvh Work Item at DIF welcomes implementors with divergent use-cases and policy assumptions to collaborate on profiling these capabilities and specifying them in more detail in ongoing work.

These broader questions of interoperability beyond the boundaries of any one DID method are increasingly being tackled in other workstreams at DIF. One of these isthe DID Traits evaluative specification (which also hit V1.0 recently!) which defines shared or equivalent/translatable properties across methods to facilitate bridging and converging DID systems. Similarly, the DID Methods WG is trying to draw attention to how well DIDs can be combined or translated, as well as how “production-grade” their implementations can be tested (or even audited) to be. WebVH is the first method being evaluated for production-readiness and documentation completeness, literally setting the bar for others!

Where to from here?

Having reached v1.0, the focus will now turn to refinements and adoption, working with implementers and deployers to gather feedback and grow their numbers.

Innovators are encouraged to review the didwebvh.info website and walk through the basic step-by-step "Understanding did:webvh". Implementors should check out the Implementations page to find the did:webvh tooling you need for your initiatives, including three mature and complete implementations: Python TypeScript Rust Standards developers can jump directly to the did:webvh spec

The Python and Typescript implementations were both incubated by the Government of British Columbia, Canada.

The Rust implementation was recently contributed to DIF by Affinidi. We're excited by this contribution as it brings the performance, memory safety, and systems-level capabilities that make Rust increasingly popular for performance-critical applications.

These three implementations serve as mutual validation tools, continuously testing interoperability and compliance against each other to ensure robust spec maturity and cross-platform reliability.

Whether you prefer leveraging existing tooling or building from scratch, did:webvh makes both paths straightforward. The clean specification and comprehensive interoperability test suite provide clear guidance for new implementations, while the mature tooling ecosystem offers battle-tested components you can integrate immediately.

We welcome contributions from the community - whether that's enhancing existing implementations, creating new language bindings, improving documentation, or developing deployment tools that make it even easier to adopt did:webvh DIDs in production environments!

Want to learn more and get involved? Join DIF or contact us at contact@identity.foundation.

A new school year is upon us and ISL wants to remind educators and school technologists that they need to take as much care scrutinizing safety risks in off-the-shelf (OTS) technologies recommended to students as they do for technologies licensed by the schools. 

We recently went back over the data from our 2022 benchmark and confirmed that most technologies pushed to K-12 students in the US are recommended (not required), and unvetted off-the-shelf technologies that students use completely independently of school privacy controls or oversight.   

Schools Recommend Too Many Technologies to Students 

One of the most striking findings from our 2022 US K12 EdTech Benchmark was seeing just how many technologies schools were pushing students to use.  

We ended up counting apps used in each school in three different ways. We initially looked for a single list of all the technologies that a school was either recommending or requiring. Ideally, we were looking for discrete lists of each type—recommended or required. However, most schools did not have clean, singular lists of apps, which meant we needed to hand count the number of all apps mentioned by the school and/or district websites as being used by students (“manual app count”). We hand-counted all 663 schools.  Some schools or more frequently school districts had full app lists maintained by their IT departments, and many districts maintained lists of technologies in the Student Data Privacy Consortium (SDPC) database. We called these lists “simple aggregated lists”. Finally, for many of the schools that had simple aggregated lists, they also indicated if an app was “approved” or not. We called these lists of approved apps “approved technology lists”. To summarize the types of app list counts: 

(1) Manual app count: Researchers hand counted the number of apps found across school and district websites1. This was                    performed for all 663 schools. 
(2) Simple aggregated list: For 222 schools we found simple aggregated lists of apps that were larger than the manual count.
(3) Approved technology list: For the 222 schools that had a simple aggregated list [larger than the manual count], 153 of them          distinguished approved from unapproved apps on those lists.

As can be seen in Table 1, the manual count yielded an average of 19 apps per school, but schools with simple aggregated lists averaged 191 apps, and strangely, the subset of schools with approved apps averaged 214 apps. Yikes.  

Table 1   LIST TYPE AVERAGE NUMBER OF APPS Manual app count (n=663) 19 Simple aggregated list (n=222) 191 Approved technology list (n=153) 214

Do schools really need to recommend 200 different apps and websites for student use? 

Recommended Versus Required Apps 

As mentioned earlier, in our manual counting of technologies we designated an app as either “required” or “recommended”. Apps were deemed “required” due to prominent presence on school websites, often with a login.2 Similarly, custom apps that were clearly branded for the school or district were also designated as required. Thus, required apps in our research were always licensed by schools. As such, these technologies were held to greater scrutiny and vetting, and student accounts were generally provisioned and managed by the schools3. In this way, the school had “joint data controller” responsibilities alongside the app developer.4

“Recommended” technologies, however, were always off-the-shelf (OTS) technologies, which students would access or download at their own discretion, creating their own accounts independent of the school. 

We knew that the percentage of required apps was small compared to the recommended apps. But what was the breakdown of “required” versus “recommended” apps? We thought the distribution might follow the 80-20 Pareto principle: that 20% of the apps were required, and 80% were recommended. We decided to go back and run the numbers.  

Table 2 below shows the numbers for the different types of app count lists. The manual app count method failed to account for the sometimes massive, aggregated lists. Similarly, the aggregated list numbers distorted the overall data set. The bottom-line row in the table, “Manual + Approved list”, combines the manual counts for schools without simple aggregated lists with the approved technology counts [for schools that had them] to best provide a number for the national results.  

As can be seen, it was closer to 70-30 than 80-20. On average, schools were pushing nearly 58 technologies to students, with 28.9% of them being required, and 71.1% being recommended.5 The vast number of apps schools are pushing on students are merely recommended unvetted off-the-shelf apps. Despite the apps being “approved” by the schools in the approved technology lists, we know that in many cases, the only vetting is whether or not a Privacy Policy exists. This is not a sufficient form of vetting to ensure student data privacy. Schools are subjecting students to unvetted and ungoverned technologies—sometimes more than 200 such technologies. Recall also that nearly 30% of the recommended technologies for students are neither strictly educational apps nor apps designed for children, and in the latter case, they are not covered by COPPA compliance. 

Table 2  Type of App List #
Schools Average Total # of Technologies Average # of Required / Licensed Technologies Required / Licensed Techs Average % of All Tech  Avg # of Recommended / OTS technologies  Recommended / OTS Techs Average % of All Tech  Max # of Technologies Manual App Count 663  19.0  5.1  33.4%  13.9  66.6%  106  Simple Aggregated List 222  190.7  5.5  9.7%  185.2  90.3%  1411  Approved Technology List 153  214.3  5.3  6.3%  209.0  93.7%  1411  Manual + Approved List 663  57.7  5.1  28.9%  57.8  71.1%  1411 
Conclusions  

When we consider “edtech” as the combination of licensed and OTS technologies as in our 2022 benchmark, a primary risk for students is the high—sometimes exceedingly high—number of unvetted off-the-shelf technologies that schools are recommending they use.6 Until technology is reasonably safe for children ISL recommends schools undertake the following:

Minimize the number of technologies recommended to students. 
a. Especially minimize the number of apps that are not specifically for children.
    i. ISL doesn’t propose (or support a paradigm of) age-gated versions of commonly recommended mixed-audience apps like         news, museum, zoo, and reference apps. These apps must be made safer for children of all ages (i.e. for all of us). Screen all OTS technologies recommended for student use. Ideally, these should be vetted as carefully as licensed technologies, though we know that’s not practical for all schools. 
a. Use ISL’s App Microscope to learn more about privacy risks in commonly recommended apps. Can’t find your app? Contact us        at schools@internetsafetylabs.org.  
b. Recommend only apps that are COPPA certified. This won’t stop all commercial surveillance and data sharing, but it at least             minimizes some data sharing.
c. Put in place Data Privacy Agreements (DPAs) for all technologies recommended to students, i.e. for both licensed and OTS                technologies. This requires some dedicated personnel to administer, but Access4Learning’s Student Data Privacy Consortium          has agreement templates readily available here https://privacy.a4l.org/.  
d. Annually audit DPAs against the actual technology behavior. This is a service that ISL has provided for one US state school board      and is more than happy to provide at reasonable rates. Contact us schools@internetsafetylabs.org.  

 

Footnotes: Note that the apps found via the manual count were the apps that were audited in the research. Due to the volume of listed apps, ISL did not audit all of the apps found in the simple aggregated lists. More discussion can be found in the first findings report. “2022 K-12 EdTech Safety Benchmark National Findings – Part 1”, Internet Safety Labs, December 13, 2022, Section 7.2.1, p. 89, https://internetsafetylabs.org/wp-content/uploads/2022/12/2022-k12-edtech-safety-benchmark-national-findings-part-1.pdf These required apps also more narrowly align with traditional “EdTech” categories, whereas the recommended technologies included a large percentage of apps not intended for children.  We wrote about this in a blog post from 2023 called, “Data Controller Confusion in EdTech”,   https://internetsafetylabs.org/blog/insights/data-controller-confusion-in-edtech/. NOTE that the average percentages shown in Table 1 reflect an average of each school’s percentage of required/recommended apps. Licensed technologies are also risky, especially the Community Engagement Platforms which shared data [on purpose] with the most third party entities and data brokers, like this app, no longer available on the app store: https://appmicroscope.org/app/1579/. 

The post 2022 K-12 Edtech Benchmark Revisited: Unvetted Off-the-Shelf Apps Outnumber Licensed Apps 2-to-1 appeared first on Internet Safety Labs.

The way cash moves through the supply chain is evolving. 

What was once a paper-heavy process is now embracing digital transformation.

In this episode, Robert Skitt, Senior Manager at Axiom Armored Transport, joins hosts Reid Jackson and Liz Sertl to discuss the shift from traditional, manual methods to more secure, efficient, and accountable digital solutions. 

Financial institutions and the Federal Reserve are demanding greater transparency and control over cash movement, and armored transport teams are under increasing pressure to adapt.

Robert walks us through the process of how Axiom is modernizing armored transport, replacing handwritten logs with barcode scans and eManifests. In this episode, you’ll learn:

How GS1 standards are helping digitize cash logistics

What “cash visibility” looks like in practice

Why early adoption gave Axiom a seat at the table and a competitive edge

Jump into the conversation:

(00:00) Introducing Next Level Supply Chain

(04:52) What cash visibility looks like

(07:23) How GS1 standards changed the workflow

(11:32) Turning paper-heavy processes into data

(13:32) Barcode tech in armored car logistics

(15:14) How digitization improves accuracy and trust

(19:25) Advice for starting your visibility journey

(20:44) Robert’s favorite technology today

 

Connect with GS1 US:

Our website - www.gs1us.org

GS1 US on LinkedIn

 

Connect with the guest:

Robert Skitt on LinkedInCheck out Axiom Armored Transport

Not only did Blockchain Commons close out its major Zcash project in Q2 and start work on a big, new FROST push, but we also did continued work on many other initiatives:

Working with Partners Zcash Zingo Labs FROST Ethereum Articles & Presentations Interoperability Provenance Marks Post-Quantum URs Permits in Gordian Envelope Thinking about Identity HackerNoon No Phone Home XID Core Concepts Fair Witness Bitcoin Policy Summit Web Updates Updated Projects Page New Envelope Seeds Page CLI Updates dCBOR-CLI Envelope-CLI Library Updates Mass Crate Update Argon2ID envelope-pattern dcbor-parse Working with Partners

Blockchain Commons is supported by patronage and by grants. (If you want to become a major patron and partner with us on a project, let us know, and if there are grants that you think would allow us to fulfill our Gordian Principles, that we may not be applying to, again drop us a line.) In Q1, some of our major projects were closely related to grants that we’d applied for last year.

Zcash. The Zcash ZeWIF project took up the majority of the our Q1. The goal was to create an interchangeable wallet format that would make Zcash wallets more interoperable and so give users more freedom to move their funds to an app of their choice. We continued that work in April and then closed it out in May.

Our work product for Q2 of the ZeWIF project included the final drafts of our best practices for importing & exporting wallet data and our doc on using Envelope attachments for ZeWIF. We also held our fourth and final (to date) ZeWIF meeting, which included a demo of our zmigrate-cli tool. Our final two reports from May give all the details on the apps, crates, and docs that we published as we closed out the project.

Zingo Labs. We were proud to do our Zcash work with Zingo Labs, who provided us with some of the Zcash-chain knowledge we needed to extend our interoperability expertise into the Zcash community. (We also got lots of support from other experts in the community through meetings, which is the same way we advance standards in all the ecosystems we work with.) We hope to continue that partnership in the future, and to support that we offered a presentation to Zingo Labs in Q2 highlighting our technologies, how they work, and why they’re useful. We focused on some of the low hanging fruit such as SSKR, which allows for the secure backup of secrets, and OIB, which makes it easier for users to see what they’re doing. We’ll let you know if anything comes of this!

FROST. As soon as we closed out work on our Zcash grant, we began work on a new FROST grant that we received from HRF. This grant’s work will come in three parts: creating new FROST signing tools; writing “Learning FROST from the Command Line”; and holding FROST meetings. We’ve been pushing hard on this work in July and August, so we’ll be writing more about it in the Q3 report.

Ethereum. Though most of Blockchain Commons’ work has traditionally been on the Bitcoin blockchain, our principles of independence, resilience, privacy, and openness apply to all blockchains. Our recent work with Zcash proved that, and so in Q2 we also had some talks with a variety of parties in the Ethereum ecosystem about possibly doing work with them on securing secrets at the level zero of their stack. We’re still waiting to see if anything gels, but generally: if you know of a blockchain that might be looking for interoperability or resilience support, let us know!

Articles & Presentations

Blockchain Commons’ major articles and presentations demonstrate our fundamentals and highlight our newest work. Here’s what that included in Q2.

Interoperability. We talk a lot about ecosystem “openness” and user “freedom”, or more generally “interoperability.” This is a pretty important foundation of Blockchain Commons’ work, so in Q2 we explored it more with the article “Interop, What Is It Good For?” and slides and video at our May Gordian Meeting. We encourage you take a look at the article or the meeting presentation to gain some more insight into one of the core principles of Blockchain Commons’ work.

Provenance Marks. One of our newest innovations is “provenance marks,” which allow for the creation of a cryptographically-secured chain of marks. We gave a presentation at our June Gordian meeting and also have a research paper on the technology. We additionally presented in provenance marks to the W3C Credentials Community Group, who is forming a working group on provenance technology of this type: Blockchain Commons’ provenance marks are one of three possibilities under consideration.

Post-Quantum URs. Post-Quantum Cryptography support was one of our most exciting expansions in Q1. We’ve now published a new research paper on integrating PQC with URs.

Permits in Gordian Envelope. Gordian Envelope is a more mature technology at Blockchain Commons, but we’re still exploring its fullest capability. Part of that capability is the “permit,” which is a way to lock your Gordian Envelope. The great thing about permits is that you can apply multiple permits to an Envelope, so that it can be opened by different people in different ways! We wrote a research paper on “Permits in Gordian Envelope” to offer more insights into the possibilities.

Thinking about Identity

Christopher Allen has been long associated with digital identity, dating back at least to his authorship of “The Path to Self-Sovereign Identity” and his founding of the Rebooting the Web of Trust workshops. Blockchain Commons did a variety of scattered work on identity in Q2.

HackerNoon. Christopher talked to Hackernoon about how “We’ve Lost the Privacy Plot”, which generally discusses privacy and the internet.

No Phone Home. Digital identity is closely associated with digital credentials, which detail who and what an identity represents. Unfortunately, credential design is growing problematic because much of it is phoning home: alerting issuers when and where credentials are used. That’s why Blockchain Commons recently signed on to the No Phone Home initiative, to try and bring attention to this fundamental problem in digital identity.

XID Core Concepts. Blockchain Commons has its own answer for self-sovereign identity: the XID, or extensible identifier. We’ve been working on a tutorial course to show everything about how XIDs work. So far, we’ve developed a set of core concepts docs, which not only overview how XIDs work, but also how they link into Blockchain Commons’ larger architecture. This is still a work in progress. (We’re about to begin work finalizing the linked tutorials.) But, if you want to take an early look, the core concepts files have all been closed out as revised drafts.

Fair Witness. Some of Blockchain Commons’ work is advocacy (like our discussion with Hackernoon and our signing on to No Phone Home) and some is pragmatic (like our XID work). But we also try to be future-looking. That’s what Christopher’s “Fair Witnessing” Musings was about. It’s a new look at Verifiable Credentials that focuses on the limitations of what we actually can perceive.

Bitcoin Policy Summit. We’re thrilled to see some of our thinking about identity starting to have an effect on the larger world. A few of Christopher’s identity articles were referenced in the Bitcoin Policy Institute’s recent white paper on “Building a Trustworthy Digital Future” and as a result, Christopher was asked to talk at the Bitcoin Policy Summit in Washington D.C. this June. (More on the results of that in the coming quarters!)

Web Updates

Our web pages are intended as a resource for developers so that they can understand and implement our technologies. Here are some of the updates we made this quarter:

Updated Projects Page. Our projects page has always been a central index to our most important work, but that type of thing gets out of date as priorities change, so we’ve done a big update to align it with our most recent iteration of our developer pages and to otherwise highlight important recent work like our meetings for FROST. Take a look at what we consider our most relevant work as of early 2025!

New Envelope Seeds Page. We also released a new page on Seeds in Gordian Envelope: how and why you’d want to store seeds in envelopes, complete with examples of how to use envelope-cli for experimentation. (This was also the heart of the demo we made to Zingo Labs, so you can take a look at several of our easiest-to-implement technologies here.)

CLI Updates

As usual, we’ve been making updates to our apps and libraries. In Q2 that included two CLI releases:

dCBOR-CLI. We have a new CLI for dCBOR! It validates dCBOR input (using CBOR diagnostic as its default input) and produces output in several formats (using hex as its default output).

Envelope-CLI. Our Envelope CLI now has new pattern matching to make it easier to find specific leaves.

Library Updates

There were also lots of updates to our libraries, focusing on our Rust stack.

Mass Crate Update. The vast majority of our Rust crates have been updated to support new developments that occurred while we were working on ZeWIF. This includes:

- bc-rand 0.4.0 - bc-crypto 0.9.0 - bc-shamir 0.8.0 - dcbor 0.19.0 - bc-tags 0.2.0 - bc-ur 0.9.0 - sskr 0.8.0 - bc-components 0.21.0 - known-values 0.4.0 - bc-envelope 0.28.0 - provenance-mark 0.8.0 - bc-xid 0.8.0 - bc-envelope-cli 0.14.0 - gstp 0.8.0

Argon2id. Argon2id support has been added to bc-crypto and bc-components, as well as the EncryptedKey type.

envelope-pattern. The new envelope-pattern crate is a pattern matcher and text syntax pattern parser for Gordian Envelope, allowing you to match specific structures within envelopes.

dcbor-parse. The new dcbor-parse crate parses and composes the CBOR diagnostic notation into dCBOR (deterministic CBOR) data items.

Here are our major dcbor crate updates:

- dcbor-parse 0.1.1 (NEW) - dcbor-cli 0.7.1 (heavy update) - dcbor 0.19.1 (minor changes)

Coming up, we have work on FROST, XID, and more. Sign up for the Gordian Developer Meeting announcement-list to be informed of our upcoming presentations, and please consider becoming a patron of Blockchain Commons or talking with us about partnering on a specific project.

Community calls have been a cornerstone of my engagement and community building practice for well over a decade. I started a couple community calls at Greenpeace International, one of which continues a good 8 or 9 years later. Regular readers have probably heard of the Open Recognition is for Everybody (ORE) call. Now, we’re spinning one up with Amnesty International UK.

In this blog post, I reflect on why community calls hold such significance to me. For me, community calls are vital hubs where connections, ideas, and growth converge.

Being open and inclusive cc-by-nd Bryan Mathers for WAO

We all stand on the shoulders of giants. I learned about community calls way back when I was working at Mozilla. At Mozilla, we had community calls for communities, sub-communities, projects and procedures. The majority of our meetings were simply open – if you knew about it, you could join. Sometimes we promoted calls and asked for participation, sometimes we just waited to see who showed up. If you showed up to a call, you were included, whether anyone had specifically invited you or not.

Working openly is a transformative way to bring people together and create safe spaces where people can share challenges, celebrate successes, and co-create solutions. The regularity of designated community calls helps build trust and camaraderie, turning strangers into collaborators. By creating space for diverse voices, we enrich our problem-solving approaches and ensure that decision-making reflects a wide range of perspectives. These inclusive practices have strengthened communities, making them more resilient and adaptable.

Strengthening the community cc-by-nd Bryan Mathers for WAO

If I think about all the different community calls I’ve been a part of, and all the people I’ve met because of open community calls, I’m reminded of the power those calls have to shape things. These calls aren’t presentations, webinars or regular meetings, they are spaces where people have the power to shape the agenda and talk about issues that matter to them.

Part of building successful community calls is to let go of trying to control conversations. While we might put together a loose agenda to guide a community call, we strive to make sure that everyone in attendance feels like their being there matters. Community calls are not transactional, they are spaces that help us be part of a community, find ways to amplify more voices and work together.

Just talk to people cc-by-nd Bryan Mathers for WAO

Part of what makes a community thrive is helping people find a place of belonging. Community calls help by providing a flexible space where people can just talk to each other. They are not just about discussing details or progress in a project, but also about celebrating one another and figuring out what a collective future for a project or an idea might be. They’re great spaces to figure out problems, while also getting to know the people you’re collaborating with.

Community calls have been instrumental in shaping open projects and building meaningful connections. Their role in driving innovation, inclusivity, and adaptability is immeasurable. As I look forward to building open calls for the AIUK community, I am reminded that these calls are not just meetings—they're milestones in a journey towards a more connected and collaborative world.

If you are looking for a way to encourage a group of people to co-create and collaborate, check out 11 steps to running an online community meeting. It’s a resource that I wrote almost a decade ago and continue to return to over and over as I work to connect people working to make the world a better place.

Google has implemented significant enhancements to biometric authentication and security features in Chrome and Google Workspace, marking the latest step in the company’s broader push toward stronger authentication methods. These updates build upon previous Chrome security improvements while addressing critical vulnerabilities in desktop password management.

This summer marks ten years since the Ethereum network launched, forever transforming the blockchain space and introducing the world to smart contracts, decentralized applications, and programmable trust. At LF Decentralized Trust (LFDT), we’re proud to join the global community in celebrating this milestone and spotlighting the critical role our projects and contributors play in Ethereum’s growth and evolution.

How can technology serve as a tool for justice, not harm? Our recent six-month Matchbox partnership with TechHer Nigeria helped us explore exactly that. 

The post PARTNERING FOR IMPACT: BUILDING SAFE DIGITAL SPACES WITH TECHHER NIGERIA appeared first on The Engine Room.

The time has come to put open data at the heart of the New Zealand story.  By this I mean the deployment of digital public infrastructure to secure our data so it can flow smoothly and safely with the correct permissions. Change is hard. System change is even harder. But that doesn’t mean we shouldn’t be aspirational.

It is encouraging to see Hon Judith Collins‘ “we’ll have a Government app by Christmas” programme take a significant step forward with the appointment of two exceptional New Zealand tech companies.

Congratulations to both Dave Clark NZ and MATTR teams. This is exactly the kind of partnership between government and local tech that strengthens our digital economy and showcases New Zealand innovation on the world stage – DIA announcement here.

The structural separation of digital identity from the traditional tech stack represents a seismic shift for the industry and for how systems are designed and developed. Despite extensive consultation as the technology evolved over the past few years, the long-awaited reference architecture and design for government implementation are now a priority.

As we build our profile, we are grateful that so many accomplished changemakers are stepping up to speak at our highly anticipated Digital Trust Hui on 12 August:

Matthew Evetts – Partner – Digital & Cyber, KPMG Tim Ransom – Product Manager – Public, Community and Consumer Health, Te Whatu Ora Joel Foster – Chief Commercial Officer, Lumin  Helen Littlewood – Senior Product Manager,Worldline Contactless Silona Bonewald – President, LeadingBit Solutions | Open Source Evangelist & Standards Expert Kristy Phillips – Chair, Hospitality New Zealand Anna Curzon – Chair, B416 Don Christie, Managing Director, Catalyst IT Myles Ward – Deputy Government Chief Digital Officer, DIA Maria Roberston, Chair, Digital Identity New Zealand

At the Hui, it will be valuable to see the DIA spell out the work that the Department has underway to resolve any policy and regulatory barriers for accredited providers, issuing credentials (driving, education, travel, age assurance), along with DIA issued credentials under DISTF accreditation.

It will be beneficial at the Hui to see DIA outline the work underway to address policy and regulatory obstacles for accredited providers, specifically regarding the issuance of credentials such as driving, education, travel, and age assurance, as well as DIA-issued credentials under DISTF accreditation.

Have you secured your spot at the Digital Trust Hui Taumata?

Join us on 12 August in Wellington for a full day of keynotes, panels, roundtables, and exhibits, expertly guided by MC Ngapera Riley. Hear from leaders including Ministers Judith Collins and Scott Simpson, James Monaghan (MISSION), Myles Ward (DIA), Liz MacPherson (Privacy Commissioner), Helen Littlewood (Worldline), Christopher Goh (Austroads), and Andrew Weaver (Payments NZ). With 30+speakers and support from sponsors including Payments NZ, Worldline, IMB, KPMG, Lumin, Ping Identity, NEC, DIA, Westpac, MATTR, Middleware Group, JNCTN, and MinterEllisonRuddWatts, this is a must-attend event shaping Aotearoa’s digital trust future. View the Programme and Register now!

DINZ Strategy Refresh

New Zealand stands at the frontier of a digital future where open, trusted data unlocks better services, richer insights, and empowered citizens.

There is an increasing consensus among government, industry, Iwi, communities, and citizens to collaboratively undertake a bold, values-led transformation of our data systems. This transformation will be underpinned by transparent and auditable public infrastructure.

The upcoming digital identity strategy refresh will be looking at, amongst other things, how to accelerate credential uptake, how to unlock productivity with digital identity and the role of identity solutions in the world of AI and agentic systems.

I’m looking forward to this session with our Executive Council in the coming weeks as we work to focus our energy on making real change to support our vision of a country where people can express their identity using validated and trusted digital means in order to fully participate in a digital economy and society.

In Other News
 

Dave Clark NZ and MATTR secure major government contract
Dave Clark NZ and digital identity firm MATTR have won a significant New Zealand government contract to develop a new app focused on secure digital identity services. Read more.
  Digital ID developments won’t replace wallets just yet
Despite progress in digital identity systems, experts say physical IDs and wallets will remain necessary for the foreseeable future due to infrastructure and adoption challenges. Read more.
  New Zealand launches world-first deepfake experiment to build public trust
New Zealand is leading a groundbreaking deepfake detection trial aimed at boosting public awareness and resilience against synthetic media manipulation. Read more.
  Department of Internal Affairs (DIA) announces updated rules for the DISTF
The feedback has been thoroughly analysed and presented to both the Trust Framework Board and the Minister for Digitising Government. As a result, the updated rules went into force on 24 July 2025. For a comprehensive overview of the updated rules and a summary of the feedback received, please visit the Trust Framework for Digital Identity Legislation page.

With a realistic government timeline now established, we must collectively prepare for launch. There is a significant amount of work ahead, and no time to lose.

Fortunately, our Digital Identity NZ membership possesses world-class capabilities, ideally suited to assist with consultation and bridge delivery gaps as we move forward.

Ngā mihi nui,

Andy Higgs
Executive Director, Digital Identity NZ

Banner image credit: Rocket Lab

The post Open spaces, open hearts, open minds…time to add Open data to the mix! appeared first on Digital Identity New Zealand.

In the MyData Matters blog series, MyData members introduce innovative solutions that align with MyData principles, emphasising ethical data practices, user and business empowerment, and privacy. High-quality journalism is critical […]

August 2025

DIF Website | DIF Mailing Lists | Meeting Recording Archive

Table of contents Decentralized Identity Foundation News; 2. Working Group Updates; 3. Special Interest Group Updates; 4. User Group Updates; 5. Announcements; 6. Get involved! Join DIF 🚀 Decentralized Identity Foundation News DIF Partners with MIT's Project NANDA for Packed Event

DIF partnered with MIT's Project NANDA for a well-attended event at Circuit Launch on July 18, 2025, where Ramesh Raskar shared his vision for architecting an Internet of AI Agents. DIF Technical Steering Committee chair Andor Kesselman served as co-host, with robust discussion focusing on the relevance of decentralized identity for the agentic web.

During and after the event, discussion covered how DIF's decentralized identity standards can provide the cryptographic foundation for Project NANDA's agentic web, enabling persistent, verifiable identifiers for AI agents operating autonomously across organizational boundaries. This collaboration addresses the critical challenge of maintaining human oversight and trust as AI systems gain greater agency, ensuring that robust identity infrastructure underpins the future of AI collaboration.

DIF co-hosted event with Project NANDA in Mountain View, CA on July 18, 2025

Global Digital Collaboration Conference in Geneva

DIF staff and community had a strong presence at the Global Digital Collaboration (GDC) conference in Geneva on July 1-2, 2025, with our community delivering key presentations across multiple tracks. Highlights included our opening session on Agentic AI and Digital ID, addressing critical trust challenges as AI agents become more autonomous. Additional DIF-led sessions covered identity foundations for Industry 4.0 transformation, decentralized identifiers for global interoperability, and digital human rights.

DIF community at GDC

The conference demonstrated the maturity of decentralized identity solutions, with presentations spanning from privacy-enhancing technologies and trust management for wallets to enterprise blockchain implementations and regulatory compliance frameworks. The diverse roster of sessions highlighted how decentralized identity is being deployed across sectors—from government digital infrastructure projects to enterprise security applications—while fostering meaningful dialogue between technologists, policymakers, and standards bodies globally.

Visit the GDC website for session videos and stay tuned for the upcoming Book of Proceedings featuring detailed insights from all presentations.

DIF Labs Beta Cohort 2 Projects Launch

Following the selection process completed in June, DIF Labs Beta Cohort 2 is now in full swing with three innovative projects that push the boundaries of decentralized identity technology. The selected projects focus on:

Privacy-preserving verifiable credentials using advanced cryptographic techniques Anonymous multi-signature protocols for group credentials Novel approaches to privacy-preserving revocation mechanisms.

Each project team is receiving dedicated mentorship from DIF's expert community and is committed to delivering open-source implementations that will benefit the entire ecosystem. The projects are scheduled to run through September 2025, with regular check-ins and a final showcase event planned.

See the DIF Labs web site for more information.

DIF Showcases Decentralized Identity for Seamless Travel Experience at HITEC Conference

DIF presented at HITEC 2025 in Indianapolis, where hospitality technology veterans mapped out how self-sovereign identity can align data privacy with friction-free travel experiences. The session featured Douglas Rice (Managing Director, Hospitality Technology Network), Nick Price (former CIO, Mandarin Oriental Hotel Group & citizenM), Kim Hamilton Duffy (DIF Executive Director), and Bill Carroll (CEO, Marketing Economics; retired Cornell professor). The speakers demonstrated how traveler-controlled digital wallets can enable seamless journeys—from AI-powered trip planning with auto-completing visa forms to face-scan boarding, NFC room keys, and verified guest reviews.

The presentation highlighted real-world momentum with examples including EU "Seamless Travel" pilots across 27 member states, Cathay Pacific's Hong Kong-Tokyo trial packing seven credential types into passenger wallets, and Bhutan's nationwide digital identity program built on decentralized identifiers. The speakers emphasized that centralized data silos are incompatible with the hyper-personalization guests demand, while self-sovereign identity delivers immediate benefits including reduced breach risks, lower cyber-insurance premiums, and improved revenue through verified, up-to-date traveler data.

See Alex Bainbridge's article for a detailed recap, as well as the recording and presentation deck. Additional coverage available at PhocusWire.

DIF H&T team at HITEC conference

🛠️ Working Group Updates

Browse our active working groups here

Creator Assertions Working Group

The Creator Assertions Working Group made significant progress on terminology standardization and integration with broader credential frameworks. A key development was the group's decision to transition from "identity assertions" to "attribution assertions," recognizing that "attribution" better captures the essence of content creation claims while being less controversial in industry discussions. The team continued advancing their integration with the C2PA ecosystem and made substantial progress on metadata assertion standards. Work also progressed on media identifier systems and the development of flexible metadata frameworks that can accommodate various content types and use cases.

👉 Learn more and get involved

Applied Crypto Working Group

The BBS+ team achieved significant milestones in pseudonym generation and post-quantum security considerations. Key developments included the finalization of polynomial evaluation methods for pseudonym generation, addressing potential security vulnerabilities from adversarial users through more robust cryptographic approaches. The team made substantial progress on test vector development for the 0.9 draft release and continued coordination with IETF standardization efforts. Discussions also covered the efficiency implications of different cryptographic commitment schemes and their practical applications in large-scale deployments.

👉 Learn more and get involved

DID Methods Working Group

The DID Methods Working Group focused intensively on W3C standardization efforts and refining the evaluation process for DIF-recommended DID methods. Significant progress was made on the proposed W3C DID Methods Working Group charter, with the team addressing concerns about blockchain inclusion and standardization scope. The group refined evaluation criteria for DID method proposals, emphasizing the need for multiple implementations, significant deployments, and clear compliance with DID traits. Work continued on balancing objective criteria with expert evaluation to ensure high-quality recommendations while maintaining transparency in the assessment process.

👉 Learn more and get involved

Identifiers and Discovery Working Group

Multiple work streams advanced significantly this month. The DID:webvh team made substantial progress toward their 1.0 specification release, with multiple implementations now passing comprehensive test suites and performance analysis demonstrating efficient handling of DID updates. The DID Traits team prepared for their 1.0 release, focusing on key validation capabilities and long-term availability requirements. The group also explored applications in software supply chain contexts and examined compliance with emerging regulations like the EU's Cyber Resilience Act, demonstrating the practical relevance of decentralized identifiers in enterprise environments.

👉 Learn more and get involved

DIDComm Working Group

The DIDComm Working Group advanced work on binary encoding support through the CBOR implementation, positioning it as an optional feature for version 2.2 with potential to become the default in future major releases. The team addressed important technical challenges around message encoding detection, MIME type handling, and implementation compatibility. Significant discussions covered privacy considerations and "phone home" concerns in credential verification systems, with the group exploring how verifiable credentials can be presented without requiring direct communication with issuers. The group also examined DIDComm applications in AI agent-to-agent communications.

👉 Learn more and get involved

Claims & Credentials Working Group

The Credential Schemas team launched their community schemas initiative, creating a framework for organizations to contribute verifiable credential schemas to a shared repository for potential standardization. Significant progress was made on aligning their basic person schema with schema.org standards while maintaining compatibility with existing frameworks like OIDC and UK ID assurance. Key developments included extending postal address schemas for banking KYC requirements, refining terminology around personhood verification credentials, and establishing processes for schema synchronization between repositories. The team also began exploring employment credentials and anti-money laundering certifications as future development priorities.

👉 Learn more and get involved

Hospitality & Travel Working Group

The newly launched Hospitality & Travel Working Group hit the ground running with substantial progress on the HAT Pro specification. The team developed comprehensive schemas for food preferences, dietary restrictions, and accessibility requirements, utilizing graph-based models to avoid data duplication and improve cross-referencing capabilities. Key developments included the creation of UML models and JSON schemas for complex preference structures, exploration of AI-assisted data input to simplify user experiences, and the establishment of engagement processes for subject matter experts across various travel sectors. The group is preparing for major presentations at industry events and has launched a dedicated website to showcase their work.

👉 Learn more and get involved

DIF Labs Working Group

DIF Labs Beta Cohort 2 projects are now in active development phase, with three selected projects working on cutting-edge privacy-preserving technologies. The projects focus on legally binding verifiable credentials using Qualified Electronic Signatures (QES), comparative analysis of privacy-preserving revocation mechanisms, and anonymous multi-signature verifiable credentials. Each project team is receiving dedicated mentorship from DIF's expert community and is committed to delivering open-source implementations that will advance the broader decentralized identity ecosystem. The program continues to demonstrate the value of focused, mentored development in advancing the state of the art.

👉 Learn more and get involved

🌎 DIF Special Interest Group Updates

Browse our special interest groups here

DIF Africa SIG

The Africa SIG featured an impressive deep-dive presentation on Ethiopia's national digital identity system, Faida, and its associated digital credential platform FaidaPass. Representatives from Ethiopia's national ID system provided detailed insights into the architecture, features, and implementation of this groundbreaking system, which serves as one of the first full-scale standards-compliant deployments globally. The presentation highlighted the use of decentralized verification models, biometric authentication capabilities, and self-sovereign identity principles, while addressing innovative solutions for non-smartphone users and future monetization strategies. The session demonstrated Africa's leadership in practical digital identity implementation.

👉 Learn more and get involved

APAC/ASEAN Discussion Group

The APAC/ASEAN group hosted comprehensive presentations on digital identity solutions in Australia, featuring True Vault's approach to creating a decentralized identity ecosystem. Discussions covered recent regulatory changes including the Digital Identity Act, international standards alignment, and the challenges of achieving interoperability across different jurisdictions. The group explored the evolution from manual to digital identity verification methods and examined the potential for global expansion of digital identity solutions while addressing privacy concerns and user control requirements. The session highlighted Australia's voluntary approach to digital identity and its implications for regional adoption.

👉 Learn more and get involved

DIF Japan SIG

The Japan SIG focused on recent developments in DID and AI agent authentication, with participants sharing updates on their organizations' initiatives and emerging challenges. The group explored the intersection of decentralized identity with AI systems and examined potential applications across various sectors. Key discussions included the unique requirements for AI agent identity management and the challenges of implementing decentralized identity principles in automated systems. The group also considered future meeting formats and potential offline events to enhance community engagement and collaboration.

👉 Learn more and get involved

DIF Hospitality & Travel SIG

The Hospitality & Travel SIG hosted presentations highlighting decentralized identity adoption in the travel industry. Key sessions included discussions with Microsoft on AI-driven cybersecurity solutions for hospitality, analysis of Apple's digital identity announcements and their implications for travel, and exploration of AI agents' potential to revolutionize customer interactions in travel and hospitality. The group examined both opportunities and challenges in implementing decentralized identity solutions across various travel scenarios, from border crossing to personalized service delivery.

👉 Learn more and get involved

📖 DIF User Group Updates DIDComm User Group

The DIDComm User Group explored practical implementations and emerging applications of the DIDComm protocol, with particular focus on AI agent communications. Key discussions included demonstrations of new systems and their communication protocols, exploration of generative AI communication frameworks and their similarities to DIDComm approaches, and examination of security considerations for AI agent interactions.

👉 Learn more and get involved

📢 Announcements H&T Working Group Launches Blog

As Hospitality & Travel activity increases at DIF, Autoura CEO Alex Bainbridge has launched a special H&T focused blog. We encourage you to visit and subscribe for updates.

🆔 Get involved! Join DIF

If you would like to get in touch with us or become a member of the DIF community, please visit our website or follow our channels:

🐦 Follow us on Twitter/X 💻 Join us on GitHub 📺 Subscribe on YouTube 🔍 Read the DIF blog New Member Orientations

If you are new to DIF, join us for our upcoming new member orientations. Find more information on DIF's Slack or contact us at community@identity.foundation if you need more information.

ends August 9th

The LegalXML – Electronic Court Filing pleased to announce that ECF V5.01 Errata 01 is now available for public review and comment. The public review is now open and ends August 9, 2025 at 23:59 UTC.

Electronic Court Filing Version 5.01 Errata 01
Committee Specification Draft 01
21 June 2025

https://docs.oasis-open.org/legalxml-courtfiling/ecf/v5.01/errata01/ecf-v5.01-errata01-csd01.docx

https://docs.oasis-open.org/legalxml-courtfiling/ecf/v5.01/errata01/ecf-v5.01-errata01-csd01.html

https://docs.oasis-open.org/legalxml-courtfiling/ecf/v5.01/errata01/ecf-v5.01-errata01-csd01.pdf

How to Provide Feedback

OASIS and the LegalXML – Electronic Court Filing value your feedback. We solicit input from developers, users and others, whether OASIS members or not, for the sake of improving the interoperability and quality of its technical work.

Comments may be submitted to the project by any person through the use of the project’s Comment Facility. TC members should send in comments via the TC mailing list. All others should submit to the comment mailing list after following instructions listed here.

All comments submitted to OASIS are subject to the OASIS Feedback License, which ensures that the feedback you provide carries the same obligations as the obligations of the TC members. In connection with this public review, we call your attention to the OASIS IPR Policy [1] applicable especially [2] to the work of this technical committee. All members of the TC should be familiar with this document, which may create obligations regarding the disclosure and availability of a member’s patent, copyright, trademark and license rights that read on an approved OASIS specification. 

OASIS invites any persons who know of any such claims to disclose these if they may be essential to the implementation of the above specification, so that notice of them may be posted to the notice page for this TC’s work.

Additional information about the specification and the LegalXML – Electronic Court Filing TC can be found at the TC public home page here.

Additional references:

[1] https://www.oasis-open.org/policies-guidelines/ipr/

[2] http://www.oasis-open.org/committees/legalxml-courtfiling/ipr.php

Intellectual Property Rights (IPR) Policy

RF on Limited Terms Mode

The post LegalXML – Electronic Court Filing V5.01 Errata Public Review appeared first on OASIS Open.

Jay White of Microsoft and Pablo Breuer Secure Additional Terms, Reinforcing Continuity and Strategic Momentum at OASIS

Boston, MA, 24 July 2025 – OASIS Open, the international standards and open source consortium, announced the results of its 2025 Board of Directors Elections. Three newly elected members and two re-elected members joined the Board in providing strategic governance and leadership to advance OASIS’s mission of solving global challenges through open development and collaboration. 

OASIS is pleased to welcome new board directors Jason Clinton of Anthropic, Charles Frick of Johns Hopkins Applied Physics Laboratory (APL), and Sarah Liang of EY. OASIS also congratulates Jay White of Microsoft and Pablo Breuer on their re-election to additional terms. The continuing members of the Board are Jim Cabral, Gershon Janssen, Bret Jordan, Vasileios Mavroeidis, Daniel Rohrer, and Daniella Taveau.

“I’m delighted to welcome Jason, Charles, and Sarah to the Board, and to congratulate Jay and Pablo on their re-election,” said Gershon Janssen of Reideate, OASIS Board President and Chair. “Their expertise will be instrumental as we continue shaping open standards that address global challenges. I also want to thank our departing directors Jason, Daniel, and Omar for their outstanding service and lasting impact they’ve made on the OASIS community.”

New Board Members

Jason Clinton serves as Chief Information Security Officer (CISO) at Anthropic, where he guides security strategy, including detection and response, compliance, physical security, security engineering, and IT. He brings over a decade of experience in infrastructure security, having previously led efforts in defense against advanced persistent threats and contributed to major operating system and payment platform development. Jason also serves on the Coalition for Secure AI’s (CoSAI) Project Governing Board.

“The rapid advancement of AI makes robust, open standards more crucial than ever,” said Clinton. “Through initiatives like CoSAI, OASIS brings together industry leaders to develop frameworks that protect users while enabling innovation. I’m honored to join the OASIS board and work alongside leaders who share this commitment to responsible AI development.”

Charles Frick, a Chief Scientist in the cyber capabilities development group at Johns Hopkins Applied Physics Laboratory (APL), leads multiple research and pilot efforts focused on cybersecurity automation, machine-speed threat information sharing and operational resilience. He chairs the Indicators of Behavior (IoB) sub-project within the Open Cybersecurity Alliance (OCA), guiding development and adoption of new standards for behavior-based threat intelligence.

“As cybersecurity threats continue to evolve, transparency, interoperability and collaboration are essential,” said Frick. “I’m honored to join the OASIS board and contribute to its vital mission at the intersection of open standards and open source. I look forward to advancing standards that support automation, resilience and trust—especially in areas like behavior-based threat intelligence and cyber-physical system security—so that we can better protect critical infrastructure and global digital ecosystems.”

Sarah Liang is a Partner at EY and serves as the Global Responsible AI Leader, where she drives comprehensive AI governance initiatives throughout the firm and for client solutions worldwide. Her expertise encompasses monitoring the regulatory landscape, aligning with legal and compliance standards, designing AI risk management solutions, and developing responsible AI frameworks that operationalize governance without hindering innovation. Sarah actively participates in key standards organizations, including CoSAI, bringing cross-industry insights and collaborative approaches to standards development.

Liang noted, “I’m honored to join the OASIS Board of Directors. OASIS and the EY organization share a vision of driving the beneficial long-term impact of AI use through transparency, security, trust, and scalability. We have a responsibility to act now and define global standards for AI development and deployment. I look forward to working alongside my fellow board members to help transform businesses through sustainable growth and innovation, while contributing to long-lasting positive change.”

Outgoing Board Members

OASIS expressed sincere appreciation to outgoing Board members Jason Keirstead, Daniel Riedel, and Omar Santos for their valuable service during their tenure as directors. Everyone at OASIS extends our heartfelt thanks for their dedicated leadership and lasting contributions to the organization’s mission. To view the current Board of Directors, please visit our website.

Media inquiries: communications@oasis-open.org

The post Anthropic, EY, and Johns Hopkins APL Executives Elected to OASIS Board to Drive Open Development and Global Collaboration appeared first on OASIS Open.

ISL had the opportunity to present at USENIX Association’s PEPR 2025 conference with a presentation entitled, “Safetypedia: Crowdsourcing Privacy Inspections”. The full video of the presentation can be viewed below:

The post PEPR ’25 – Safetypedia: Crowdsourcing Privacy Inspections appeared first on Internet Safety Labs.

With iOS 26 and macOS Tahoe 26, Apple is solving a key problem, though For the first time, Apple is adding support for true passkey portability. This means you can move your credentials from Apple Passwords to a dedicated password manager like 1Password, Dashlane, or Bitwarden, and even move them back. The system handles the transfer securely and locally, so you don’t have to worry about exporting plaint text CSV files and crossing your fingers that nothing gets exposed.

Passkey portability is built on a new standard from the FIDO Alliance that lets apps exchange credentials in a private and encrypted way. It uses Face ID, Touch ID, or your device passcode to approve the transfer. From the user’s perspective, it just works. And that’s exactly how it should be.

Reddit has implemented mandatory age verification for UK users to comply with the country’s Online Safety Act, which took effect in July 2025. The legislation requires digital platforms to prevent minors from accessing unsafe content, particularly mature or adult material, following Ofcom’s broader push for stricter online age verification across digital platforms.

The platform’s verification system requires UK users to submit either a government-issued ID, such as a passport, or a selfie through Persona, a third-party identity verification company. The approach follows successful implementations by other platforms, including Discord’s recent rollout of facial scan and ID verification in the UK. Persona handles the sensitive data to maintain user privacy, storing uploaded photos or IDs for a maximum of seven days without sharing the information with Reddit.

Reddit retains only the user’s verification status and birthdate, eliminating the need for repeated verification when accessing restricted content. Persona has confirmed it does not access Reddit user data, including subreddit activity. The privacy-focused approach matches emerging standards in digital identity verification, consistent with the principles established by the FIDO Alliance’s certification program for face-based remote identity verification.

Over the past three months, The Engine Room and Puentes have been exploring how to nurture connection, online and beyond the screen, in a world where division often seems to be the norm.

The post DANCES, KEYS, AND GARDENS: NURTURING COLLECTIVE DIGITAL CARE appeared first on The Engine Room.

By now you’ve seen one of these:

Never mind that you’re not running an ad blocker, but merely blocking tracking. Instead, note the small print in the lower right: “VRM by Admiral.”

By “VRM,” Admiral means this:

What we’re looking at here is the $.5 billion Consent Management Platform business, currently dominated worldwide by OneTrust, with a 40% market share. In the US, Admiral is the leading provider to publishers, giving it a high profile there. In Europe, the leaders are OneTrust, Usercentrics, and CookieYes.

So here is a challenge for Admiral , OneTrust, and the rest of them: make VRM  mean Vendor Relationship Management (like it says in Wikipedia).

Our case: real relationships are based on mutual trust, which can only happen if personal privacy is fully respected as a starting point. Consent management by cookie notice can’t cut it.  For real trust, we need people to bring their own terms to every website’s table, and have agreements to those. This is why we, the ProjectVRM community, through Customer Commons (our nonprofit spinoff) and the IEEE P7012 (aka MyTerms) working group, created the draft standard (on track to become official early next year) for machine-readable personal privacy terms. Three years ago, I called MyTerms The Most Important Standard in Development Today. The CMP business can help make it so, by getting on the Cluetrain.

Here are some opportunities:

CMPs can provide sites & services with easy ways to respond to MyTerms choices brought to the table by visitors. Let’s call this a Terms Matching Engine.The current roster of terms we’re working with at Customer Commons (abbreviated CuCo, hence the cuco.org shortcut) starts with  CC-BASE, which is “service provision only.” It says to a website, “just give me your service, and nothing more.” In other words, no tracking. Yet. Negotiation toward additional provisions comes after that. Those can be anything, but they should be in the spirit of We’re starting with personal privacy here, and the visitor sets the terms for that. There is a whole new business (which, like the VPN, grammar-help, and password management businesses, people would pay for) in helping people present, manage, remember, and monitor compliance with their terms, and what additional agreements have been arrived at. This can involve browser add-ons such as the one pictured  on the ProjectVRM r-button page. CMP companies can make money there too, adding a C2B business to their B2B ones. Go beyond #2 to provide real VRM. Back in the last millennium, Iain Henderson pointed out that B2B relationships tend to have hundreds or thousands of variables over which both parties need to agree. Nitin Badjatia, another CRM veteran (and a Customer Commons board member like Iain and myself), has also pointed out that companies like Oracle have long provided AI-assisted ways for B2B relationships to arrive at contractual agreements. The same can work for C2B, once the base privacy agreement is established. There can be a business here that expands on what gets started with that first agreement. Verticals. There can be strong value-adds for regulated industries or companies wanting to acquire and signal accountability, or look for firmer ways to establish a privacy regime better than the called consent, which doesn’t work (except as thin ass-covering for companies fearing the GDPR and the CCPA). For example: banks, insurers, publishers, health care providers. For people (not just corporate clients), CMPs could offer browser plugins or apps (mobile and/or computer) that help people choose and present their privacy terms, track who honors them, notify them of violations, and have r-buttons mean something. Or multiple things.

Here is what a VRM-friendly person in the UK came up with as a prototypical first by a CMP away from cookie notices:

That was after this post went up.  (Which is great.)

Obviously, we want cookie notices (and other forms of friction) to go away, but we also want CMPs to have a nice way to participate in a customer-led world in which intention-based economies can grow.

And here is an example of r-buttons in a browser:

Real relationships, including records of agreements, can be unpacked when a person (not a mere “user”) clicks on either the ⊂ or the ⊃ symbols. There are golden opportunities here for both VRM and CRM vendors. And, of course, companies such as Admiral and OneTrust working both sides—and being truly trusted.

Give us more. (Like that cookie notice above.)

did:webvh adds historical verifiability to did:web, using cryptographic provenance to establish that the current DID document is the result of legitimate updates by the DID controller. Today on the show we talk with Stephen Curran and John Jordan, co-creators and implementers of the did:webvh specification.   References ACA-py Plug In https://aca-py.org/latest/features/PlugIns/  AnonCreds Specification https://hyperledger.github.io/anoncreds-spec/  DID...

did:webvh adds historical verifiability to did:web, using cryptographic provenance to establish that the current DID document is the result of legitimate updates by the DID controller. Today on the show we talk with Stephen Curran and John Jordan, co-creators and implementers of the did:webvh specification.   References ACA-py Plug In https://aca-py.org/latest/features/PlugIns/  AnonCreds Specification https://hyperledger.github.io/anoncreds-spec/  DID...

The packaging around your product now matters just as much as the product itself.

For companies navigating Extended Producer Responsibility (EPR) laws, that's quickly becoming the reality. And it’s reshaping how teams think about data, packaging, and compliance.

In this episode, Lindsay Savage, Senior Director of Data Governance and Business Platforms at Georgia-Pacific LLC, joins hosts Reid Jackson and Liz Sertl to demystify what EPR means for manufacturers and retailers. 

With legislation ramping up across states, Lindsay explains how brands are preparing for complex reporting requirements, coordinating across departments, and turning sustainability regulations into opportunities for smarter product innovation.

In this episode, you’ll learn:

Why EPR is more than a packaging issue and why it matters now

How Georgia-Pacific is building scalable systems to manage regulatory data

Tips for companies just getting started, from legal teams to logistics

Jump into the conversation:

(00:00) Introducing Next Level Supply Chain

(02:21) Lindsay Savage’s background

(03:16) What EPR means for your business

(04:50) Every state has its own rules

(06:15) Data overload and the push for standards

(07:36) Breaking down product, packaging, and pallet

(09:27) Two ways to report EPR data

(11:20) How to get started with EPR compliance

(12:40) Building cross-functional teams for success

(17:55) Embracing AI tools to stay ahead

 

Connect with GS1 US:

Our website - www.gs1us.org

GS1 US on LinkedIn

 

Connect with the guest:

Lindsay Savage on LinkedIn Check out Georgia-Pacific

MyData Global has submitted A Human-Centric Roadmap for Europe to the European Commission’s public consultation on Data Union Strategy. The Roadmap has incorporated input from the MyData community, and the […]

Microsoft Copilot is becoming the interface for how users work with AI across the Microsoft ecosystem. But what happens when you enhance Copilot with the ability to understand and remember structured, verifiable knowledge?

With the integration of the OriginTrail Decentralized Knowledge Graph (DKG) and the Model Context Protocol (MCP), you can build AI agents that reason over live data, contribute to shared memory, and deliver trusted outputs backed by cryptographic proofs.

By extending Microsoft’s AI infrastructure with OriginTrail, you equip Copilot agents with powerful capabilities for knowledge discovery, memory, and collaboration.

What is MCP?

The Model Context Protocol (MCP) is an open standard that defines how language models access and utilize tools and external data sources.

MCP uses a client-server architecture where:

MCP Servers expose tools and data, both local and remote, MCP Clients, such as agents built in Microsoft Copilot Studio, call these tools using a standard protocol.

This architecture makes it easy to build AI systems that are modular, composable, and interoperable across different environments.

What role does the DKG play?

The OriginTrail DKG provides a decentralized layer for structured, verifiable knowledge that AI agents can query, write to, and collaborate over. When connected to an MCP server equipped with DKG tools, agents are empowered to retrieve and build upon interconnected, verifiable knowledge.

AI agents can:

Retrieve semantically rich knowledge, Generate and publish new Knowledge Assets, Collaborate on a shared, verifiable knowledge base.

Each interaction is built with data provenance, version control, and ownership in mind. Knowledge is shared, structured, and trustworthy!

Supercharging Microsoft Copilot with verifiable memory!

Through this integration, builders can now connect OriginTrail DKG with custom agents built in Microsoft Copilot Studio.

Here’s what that enables:

The DKG MCP server runs alongside an OriginTrail DKG Node, Custom actions are registered in Microsoft Copilot Studio to access DKG tools, These actions can be triggered by agents within environments like Microsoft Teams.

This setup allows Copilot-based agents to access interconnected, verifiable knowledge in real time, and contribute new structured information back into the DKG.

Agents can then:

Ask precise questions over a structured knowledge graph, Write their own memory as reusable Knowledge Assets, Store results, update context, and collaborate with other agents.

This integration brings reasoning, verifiability, and memory collaboration directly into Copilot-powered workflows

See it in action!

In the live demo, Jurij Škornik, General Manager at Trace Labs, core developers of OriginTrail, walks us through:

Running the DKG MCP server with an OriginTrail Edge Node, Building a custom agent in Microsoft Copilot Studio, Adding custom actions to enable interaction via Microsoft Teams.

The result is a working Copilot agent with full access to decentralized, verifiable memory. Check it out!

As AI becomes central to enterprise workflows, adding verifiability and structure to its memory is essential. Combining OriginTrail DKG and MCP means your agents are working with knowledge that is:

Structured using open standards (like RDF and schema.org), Interconnected across multiple data sources, Verifiable thanks to cryptographic anchoring, Portable across applications, agents, and ecosystems, such as Microsoft.

This opens the door to new applications in supply chains, research, content management, enterprise collaboration, and more!

Build AI agents with verifiable memory using OriginTrail and Microsoft Copilot! was originally published in OriginTrail on Medium, where people are continuing the conversation by highlighting and responding to this story.

Global Participation Expands as the Coalition Releases Essential AI Guidance

Boston, MA – 17 July 2025 – The Coalition for Secure AI (CoSAI), an OASIS Open Project, celebrates its first anniversary since launching at the Aspen Security Forum in 2024. Over the past year, CoSAI has grown into the industry’s leading collaborative ecosystem for AI security, expanding from its initial founding sponsors to more than 45 partner organizations worldwide. Its mission to enhance trust and security in AI development and deployment has resonated widely, attracting premier sponsors EY, Google, IBM, Microsoft, NVIDIA, Palo Alto Networks, PayPal, Protect AI, Snyk, Trend Micro, and Zscaler. Through multiple workstreams, the coalition has produced practical frameworks and research addressing real-world challenges in securing AI systems. Central to CoSAI’s impact this year are the most recent releases of the “Principles for Secure-by-Design Agentic Systems,” which establishes three core principles for autonomous AI, and the “Preparing Defenders of AI Systems” whitepaper. 

Security Principles Help Safeguard Agentic AI Systems

CoSAI’s Technical Steering Committee (TSC) has released the “Principles for Secure-by-Design Agentic Systems,” a foundational document aimed at helping technical practitioners address the unique security challenges posed by autonomous AI. 

The principles offer practical guidance on balancing operational agility with robust security controls, establishing that secure agentic systems should be Human-governed and Accountable, architected for meaningful control with clear accountability, constrained by well-defined authority boundaries aligned with risk tolerance, and subject to risk-based controls ensuring alignment with expected business outcomes. They must be Bounded and Resilient, with strict purpose-specific entitlements, robust defensive measures including AI-specific protections, and continuous validation with predictable failure modes. Finally, they should be Transparent and Verifiable, supported by secure AI supply chain controls, comprehensive telemetry of all system activities, and real-time monitoring capabilities for oversight and incident response. 

This blog post provides additional context on the principles and how they can be applied in real-world environments.

“As agentic AI systems become more embedded in organizations’ operations, we need frameworks to secure them,” said David LaBianca, Project Governing Board co-chair at CoSAI. “These principles provide a technical foundation for organizations to adopt AI responsibly and securely.”

New Defender Frameworks Help Organizations Operationalize AI Security

CoSAI has published another landscape paper, “Preparing Defenders of AI Systems,” developed through our workstream on Preparing Defenders for a Changing Cybersecurity Landscape. The paper provides practical, defender-focused guidance on applying AI security frameworks, prioritizing investments, and enhancing protection strategies for AI systems in real-world environments.

A companion blog post offers additional insights on how this evolving resource bridges high-level frameworks with practical implementation and will continue adapting as AI threats and technologies advance.

“This paper provides defenders with specific guidance on how security frameworks must be adapted to mitigate risks in the AI transformation─pinpointing gaps in current approaches and prioritizing critical investments,” said Josiah Hagen of Trend Micro and Vinay Bansal of Cisco, CoSAI’s Workstream 2 Leads. “As security practices are aligned with AI adoption realities, organizations are empowered to make informed decisions and protect their assets while ensuring innovation doesn’t outpace defenders. This exemplifies CoSAI’s commitment to connecting emerging threats to AI systems with practical security solutions.”

These foundational outputs from CoSAI’s first year set the stage for even greater impact ahead.

Looking Ahead: Building a Secure AI Future

As CoSAI enters its second year, the coalition is positioned to further accelerate AI security innovation through expanded research initiatives, practical tool development, and increased global engagement. With active workstreams producing actionable guidance and a growing community of practitioners, CoSAI continues to drive adoption of secure-by-design AI systems across industries. Its commitment to open source collaboration and standardization remains central to establishing trust in AI technologies. Realizing this vision requires continued collaboration across the AI security community.

Get Involved

Technical contributors, researchers, and organizations are invited to join CoSAI’s open source community and help shape the future of secure AI. To learn more about how to get involved, contact join@oasis-open.org.

One year in: What CoSAI members are saying about our impact

Premier Sponsors: 

EY:
“At the EY organization, we believe it is our responsibility to shape the future and not leave it to chance, so that the next generation inherits a world improved by AI, not made worse by it. It has been a privilege to serve as a founding member of CoSAI, a powerful platform for EY teams to collaborate with global technology leaders in shaping secure and responsible AI. As we enter the exponential age, we remain committed to leading with clarity, confidence and purpose.”
– Sarah Liang, EY Global Responsible AI Leader
Google
“It’s been great to see CoSAI grow with so many new partners and instrumental frameworks since we first introduced it last year. Google is proud to have been a co-founder for this initiative and we look forward to seeing more work from CoSAI’s workstreams, specifically across critical areas like agentic security.”
– Heather Adkins, VP of security engineering, Google
IBM: 
”From establishing critical work streams to launching innovative initiatives around Security Principles of Agentic AI, AI model signing and attestation, and MCP Security, CoSAI has built real momentum in securing AI at scale—all in just one year. It’s been rewarding to co-chair the Technical Steering Committee and collaborate with this talented, cross-industry community to tackle the evolving challenges of AI security and help shape industry standards.”
– J.R. Rao, IBM Fellow and CTO, Security Research, IBM
NVIDIA: 
“As AI becomes increasingly integral to critical infrastructure and enterprise operations, security must be foundational at every stage of development and deployment. As an industry enabler of AI for both hardware and software, NVIDIA is proud to support CoSAI’s collaborative efforts to advance practical, open standards across industries to democratize and scale AI for the entire market.”
— Daniel Rohrer, Vice President of Software Product Security, NVIDIA
Palo Alto Networks:
“As public and private organizations increasingly integrate advanced and agentic AI models into critical networks, the development of industry-driven AI security frameworks, such as CoSAI’s ‘Principles for Secure-By-Design Agentic Systems,’ will be vital for the security of our digital ecosystem. CoSAI’s initiatives over the past year are commendable, and we eagerly anticipate continuing our contributions to their mission.”
– Munish Khetrapal, VP of Cloud Management, Palo Alto Networks
Trend Micro: 
“As AI continues to reshape how businesses operate, we see tremendous value in collaboration that drives open standards and innovation across the industry. Over the past year, our work with CoSAI has reflected a shared commitment to raising the bar for security. We’re proud to stand alongside CoSAI in helping lead the way to a more secure and resilient digital future.”
– Kevin Simzer, COO at Trend Micro

General Sponsors: 

Adversa AI:
“At Adversa AI – an Agentic AI Security startup – we are proud to be a COSAI sponsor and a co-lead of the Agentic AI Security workstream. As pioneers of AI security and continuous AI red teaming, we believe Agentic AI demands a new security paradigm—one that goes beyond traditional guardrails to test cognition, autonomy, and context. COSAI’s Agentic AI Security Principles mark a pivotal step forward, and we’re committed to shaping the future of secure Agentic AI systems.”
— Alex Polyakov, Co-Founder of Adversa AI
Aim Security:
“CoSAI is building what the industry urgently needs: clarity and collaboration in securing AI systems. As pioneers in AI security, we at Aim are excited to work alongside this diverse community to help define the future of AI defense –  for agentic systems and beyond.”
– Matan Getz, CEO and Co-Founder, Aim Security
Amazon:
“The first year of CoSAI highlights how industry collaboration can advance AI security. As a founding member, Amazon supports the coalition’s mission to develop open standards and frameworks that benefit the entire AI ecosystem. Together, we look forward to strengthening the foundation of secure AI.”
– Matt Saner, Sr. Manager, Security Specialist Solution Architecture; CoSAI Governing Board and Executive Steering Committee member
Anthropic: 
“Safe and secure AI development has been core to our mission from the start. As AI models become more autonomous, CoSAI’s work is increasingly vital for ensuring that AI systems remain secure, trustworthy, and beneficial for humanity. We’re proud to continue this important work alongside other industry leaders.”
– Jason Clinton, Chief Information Security Officer, Anthropic Cisco: 
“As AI systems become more agentic and interconnected, securing them is now more important than ever. During the last year, CoSAI’s workstreams helped empower defenders and innovators alike to advance AI with integrity, trust, and resilience. We’re proud to help shape industry frameworks with this global coalition; uniting leaders across disciplines to safeguard the future of AI. Together, we’re ensuring that security is foundational to every phase of AI’s evolution.”
– Omar Santos, Distinguished Engineer, Advanced AI Research and Development, Security and Trust, Cisco
Cohere: 
“We’re proud to support CoSAI and collaborate with industry peers to ensure AI systems are developed and deployed securely. Over the last year, these collective efforts have built an important foundation that helps drive innovation while protecting against emerging threats. Our shared commitment to secure-by-design principles is increasingly important as AI adoption accelerates.”
-Prutha Parikh, Head of Security, Cohere
Fr0ntierx:
“CoSAI has united a global community around one of the most critical opportunities of our era: advancing safe, responsible, and innovative AI. At Fr0ntierX, we’re proud to contribute to this mission by helping build an infrastructure foundation rooted in trust, interoperability, and privacy. As AI continues to evolve, we remain committed to ensuring that innovation goes hand in hand with alignment and meaningful user control.”
– Jonathan Begg, CEO, Fr0ntierX
GenLab: 
“Over the past year, CoSAI has brought clarity to securing AI across the AI supply chain. The Six Critical Controls give leaders something concrete to work from, and GenLab has been proud to support that work from the start. As AI adoption accelerates, these frameworks are going to be essential—not just for safety, but for trust across sovereign systems.”
– Daniel Riedel, Founder & CEO, GenLab Venture Studios
HiddenLayer:
“As one of the earliest members of CoSAI, HiddenLayer recognized the urgency of securing AI from the outset. CoSAI’s work over the past year has provided much-needed clarity in a rapidly evolving space, offering actionable frameworks that empower organizations to operationalize AI security and governance. Its mission has reinforced our belief that trust must be embedded into AI systems by design. As threats become more advanced and the AI attack surface expands, our continued collaboration with CoSAI remains essential to ensuring that AI innovations are safe and secure.”
— Malcolm Harkins, Chief Security & Trust Officer, HiddenLayer Intel:
“CoSAI’s first year has been marked by strong momentum—from the release of landscape papers of technical workstreams to the timely initiation of the Agentic AI Systems workstream. These milestones reflect the coalition’s ability to anticipate and act on emerging security needs. At Intel, we’re proud to partner with CoSAI members to ensure that secure-by-design principles are embedded early in the AI system design and deployment.”
– Dhinesh Manoharan, VP Product Security & GM of INT31, Intel
Lasso Security
“At Lasso, we believe secure-by-design must be the foundation of AI innovation. CoSAI has played a critical role in turning complex AI security challenges into practical, actionable guidance—from agentic systems to defender frameworks. As proud contributors to this effort, we’ve seen firsthand how CoSAI is helping shape a more trustworthy AI future and laying the groundwork for secure, enterprise-grade solutions.”
– Elad Schulman, CEO & Co-Founder, Lasso Opal Security: 
“Opal is a proud early supporter of CoSAI—because Opal helps customers track agents and other NHIs in our platform, we’re deeply invested in securing AI’s future. CoSAI assembles leading minds to set standards for a world in which every employee calls on multiple agents. Opal is honored to contribute to this organization and learn from luminaries at trailblazing member organizations. We look forward to future consensus-building, standards setting, and insights.”
–Umaimah Khan, CEO, Opal Security
Operant:
“In a world where AI is rapidly reshaping everything from infrastructure to decision-making, collaboration is our best defense. I’m proud to have joined the board of Coalition for Secure AI as it brought together industry leaders, researchers, and policymakers under one roof, filling a major gap in the evolution of Responsible AI that is now more urgent than ever. CoSAI represents the kind of cross-industry partnership that will shape how we build a more secure and trustworthy AI ecosystem for everyone. A secure AI future is only possible if we build it together.”
– Priyanka Tembey, CTO, Operant AI
Red Hat:
“Security is the foundation of trustworthy AI, not an afterthought. At Red Hat, we believe security-first principles and processes must be woven into the fabric of every platform from day one, including AI, which the recently released CoSAI Principles for Secure-by-Design Agentic Systems helps to address. We are proud to have been part of CoSAI for the past year and look forward to helping further advance the foundational components of the community.”
– Garth Mollett / Product Security Lead Architect, Red Hat
TrojAI: 
“CoSAI’s collaborative and transparent approach to make AI safer and more secure for everyone closely reflects TrojAI’s own mission. We’re proud to support this important initiative and celebrate its first year of progress. As AI adoption increases, we believe that security will be integral to the sustainable growth of AI. CoSAI’s efforts to develop best practices and unified methodologies are invaluable for secure AI development and deployment.”
– Lee Weiner, CEO, TrojAI VE3: 
“We joined CoSAI right at the beginning because its mission aligned with our belief that AI must be built securely, responsibly, & transparently. CoSAI insights and frameworks like critical controls, have deeply influenced how we approach AI security and governance at VE3. From shaping internal practices to launching our own AI safety, security and governance whitepaper, CoSAI’s work has been instrumental for us. As AI systems grow more complex and autonomous, this partnership becomes more vital and we’re honored to be part of CoSAI’s journey.”
— Manish Garg, Managing Director, VE3
Wiz:
“AI’s growth echoes the early cloud era, when innovation outpaced security and the industry had to close the gap together. At Wiz, we believe that securing AI takes more than technology — it requires collaboration among industry leaders. Over the past year, CoSAI has driven these critical conversations, and Wiz is proud to stand with this coalition as new AI security challenges emerge, from autonomous AI agents to MCP.” 
– Alon Schindel, VP of AI & Threat Research, Wiz About CoSAI

The Coalition for Secure AI (CoSAI) is a global, multi-stakeholder initiative dedicated to advancing the security of AI systems. CoSAI brings together experts from industry, government, and academia to develop practical guidance, promote secure-by-design practices, and close critical gaps in AI system defense. Through its workstreams and open collaboration model, CoSAI supports the responsible development and deployment of AI technologies worldwide.

CoSAI operates under OASIS Open, the international standards and open source consortium. www.coalitionforsecureai.org

About OASIS Open

One of the most respected, nonprofit open source and open standards bodies in the world, OASIS advances the fair, transparent development of open source software and standards through the power of global collaboration and community. OASIS is the home for worldwide standards in AI, emergency management, identity, IoT, cybersecurity, blockchain, privacy, cryptography, cloud computing, urban mobility, and other content technologies. Many OASIS standards go on to be ratified by de jure bodies and referenced in international policies and government procurement. www.oasis-open.org

Media Inquiries:
communications@oasis-open.org

The post Coalition for Secure AI Marks First Anniversary with New Principles for Agentic Systems and Defender Frameworks appeared first on OASIS Open.

Play Video

Watch the full recording on YouTube.

Status: Verified by Presenter

Please note that ToIP used Google NotebookLM to generate the following content, which the presenter has verified.

Google NotebookLM Podcast

https://trustoverip.org/wp-content/uploads/TOIP-EGWG-2025-07-10_-Kyle-Robinson-Digital-Trust-Ecosystems_-Why-they-dont-make-sense_.wav

Here is a detailed briefing document reviewing the main themes and most important ideas or facts from the provided source, generated by Google’s NotebookLM:

Excerpt

Learn why Kyle’s practical experience with the Canadian Province of British Columbia’s digital trust initiative has led him to focus on specific, high-impact digital credentials over broad “ecosystems.” Documenting these well fosters trust and enables organic growth and unpredictable efficiencies, naturally building interoperable digital trust networks.

Briefing Document: A Smarter Approach to Digital Credentials and Ecosystems

Date: July 10, 2025

Sources:

“Digital Credentials Presentation” (Presentation Excerpts) “GMT20250710-145520_Recording.cc.vtt.txt” (Meeting Transcript – VTT) “GMT20250710-145520_Recording.m4a” (Meeting Audio – M4A) “GMT20250710-145520_Recording.transcript.vtt.txt” (Meeting Transcript – VTT) “GMT20250710-145520_RecordingnewChat.txt” (Meeting Chat Log) Executive Summary

The prevailing approach of focusing on broad “ecosystems” for digital credential development is inefficient and limits opportunities. Instead, a more effective strategy involves starting with specific, high-impact credentials, rigorously documenting them in a trusted and public manner, and then allowing organic growth and adoption to naturally form interoperable networks. The Province of British Columbia (BC) is a leading example of this approach, leveraging foundational identity credentials and promoting their open use, which has led to unpredicted and valuable use cases and significant administrative efficiencies. The discussions highlight the “fractal” nature of ecosystems and the critical role of strong governance and transparency in building trust in digital credentials.

Key Themes and Most Important Ideas/Facts 1. The Flaws of an Ecosystem-First Approach Too Many Credentials to Tackle: Attempting to develop digital credentials for an entire industry or “ecosystem” simultaneously (e.g., healthcare or finance) is “a massive undertaking, resource-intensive, hard to coordinate, and risks spreading us too thin, leading to weak, untrusted credentials.” (Digital Credentials Presentation). As Kyle Robinson notes, “there’s just too many different types of credentials and different authorities for those credentials to really get a good handle on.” (Meeting Transcript). Constrains Opportunities: Pre-planning an entire ecosystem creates a rigid scope, preventing the discovery of “unexpected opportunities that could arise organically.” (Digital Credentials Presentation). Eric Drury echoes this, stating that “building a use case for an ecosystem is much more complicated than building a use case for a single credential.” (Meeting Transcript). 2. Recommendation: Start with Specific, High-Impact Credentials Build Trust and Quality: The core recommendation is to “focus on a few high-impact credentials, like a digital CPA certification. By putting all our effort into making them robust and trustworthy, we create a gold standard that people rely on. Trust drives adoption.” (Digital Credentials Presentation). Foundational Credentials as Catalysts: BC’s strategy focuses on “foundational credentials,” such as “identity of a person, identity of a business.” These are “foundational credentials which… kind of start right at the core of everything and then other credentials are built on top of those.” (Meeting Transcript). This layering allows for credentials like a “licensed doctor” to build upon a verified personal identity. Open More Doors Through Ripple Effects: Strong, well-executed credentials “create ripple effects.” (Digital Credentials Presentation). BC has observed this with their “lawyer credential,” where “all these what we call verifiers, or relying parties, started popping up, saying, oh, we could use that too, we could use that too, we could use that too.” (Meeting Transcript). This organic growth leads to “unpredicted” opportunities. 3. Credential Documentation: The Foundation of Trust Trusted Location: “Documentation must reside in a secure, reputable platform to ensure credibility.” (Digital Credentials Presentation). The BC Gov’s Digital Trust Toolkit is highlighted as a model for “transparent, trusted documentation that stakeholders can rely on.” (Digital Credentials Presentation). This toolkit serves as a “source of truth of governance documentation for credentials that are in production.” (Meeting Transcript). Active Promotion and Public Visibility: Documentation is insufficient without visibility. It “needs to be public, publicly exposed. So that a verifier can look at that document and have enough information to read it to be able to trust it.” (Meeting Transcript). This active promotion through various channels (webinars, industry forums, social media) “builds awareness and encourage adoption among users and organizations.” (Digital Credentials Presentation). Transparency of Issuance and Revocation: Trust extends beyond the technical aspects of a credential; it requires confidence in the “issuance process that the issuing authority goes through to be able to issue that to the right person, with the right attribute information.” (Meeting Transcript). Furthermore, visibility into “revocation status” is critical. If a ledger were to disappear, the ability to check revocation status would be lost, underscoring the need for robust infrastructure. 4. The Nature of Ecosystems and Organic Growth Fractal Nature of Ecosystems: The discussion introduces the concept of ecosystems as “fractal.” As Carly Huitema explains, “You can zoom in all the way into grains of dirt, and there’s an ecosystem there. And then you can zoom all the way out to the planet scale ecosystem.” (Meeting Transcript). This implies that “person is a microcosm” that can be “observed in other ecosystems,” with “boundaries are always fuzzy.” (Meeting Transcript). Market-Driven Adoption: The “overall drive of all of this is driven by those relying parties and verifiers.” When they “see value in doing something with credentials they will implement it, and they will tell their friends. And that’s sort of how you can see that growth and that adoption happening.” (Meeting Transcript). This organic growth is preferred over top-down, pre-defined ecosystem planning. Savings and Efficiency as Drivers: Digital credentials offer tangible benefits, such as “a ton of administrative time” savings for verifiers. For example, the City of Vancouver is realizing benefits where “nothing needs to be reviewed because the technology’s already trusting the stuff that the province is producing. So they don’t have to, like, have somebody manually reveal a form.” (Meeting Transcript). 5. Trust Beyond BC: Scaling and Interoperability Challenges Establishing “Legitimacy”: A key challenge is distinguishing “legitimate” from “non-legitimate” credentials beyond the issuing authority. BC addresses this by publishing the issuer DID, schema ID, and credential definition ID on the Candy ledger. This allows relying parties to cryptographically verify the origin. Cross-Jurisdictional Interoperability: The question of how this scales beyond BC is raised, particularly when different jurisdictions (e.g., Alberta, Rhode Island, Utah) might make different technical choices for their credentials. This mirrors the non-digital world where regulations define accepted IDs. Role of Trust Registries and Standards Bodies: The idea of “trust registries” is introduced as a potential solution for looking up legitimate issuers and their governance frameworks across jurisdictions. This could be driven by “standards bodies,” which could publish “trust registries published on their websites, or in some type of technology to say, hey, this standards body here, these are all of the organizations that we have audited and are following.” (Meeting Transcript). Government’s Evolving Role: While government’s primary role remains issuing foundational IDs and enforcing laws, its new role in “building and supplying software to citizens” (e.g., the BC Wallet app) is seen as a way to “help adoption.” (Meeting Transcript). The future may see OS manufacturers playing a larger role in built-in wallets. Conclusion

The discussion reinforces that while the concept of a broad “ecosystem” might be a useful descriptive tool, the practical and successful implementation of digital credentials should pivot towards a credential-first approach. By focusing on building trust and quality in individual, high-impact credentials, making their governance transparent and public, and fostering organic adoption through demonstrated value, digital trust networks can emerge and grow naturally, leading to widespread benefits. The BC government’s experience serves as a compelling case study for this evolving strategy.

For more details, including the slides,  meeting recording and transcript, please see our wiki 2025-07-10 Kyle Robinson & Digital Trust Ecosystems. Why they don’t make sense.

https://www.linkedin.com/in/kylegrobinson/

The post TOIP EGWG 2025-07-10: Kyle Robinson, Digital Trust Ecosystems. Why they don’t make sense. appeared first on Trust Over IP.

For the good of both.

Customers need privacy, respect, and the ability to provide good and helpful information to the companies they deal with. The good clues customers bring can include far more than what companies get today from their CRM systems and from surveillance of customer activities. For example, market intelligence that flows both ways can happen on a massive scale.

But only if customers set the terms.

Now they can, using a new standard from the IEEE called P7012, aka MyTerms. It governs machine readability of personal privacy terms. These are terms that customers proffer as first parties, and companies agree to as second parties. Lots of business can be built on top of those terms, which at the ground level start with service provision without surveillance or unwanted data sharing by the company with other parties. New agreements can be made on top of that, but MyTerms are where genuine and trusting (rather than today’s coerced and one-sided) relationships can be built.

When companies are open to MyTerms agreements, they don’t need cookie notices. Nor do they need 10,000-word terms and conditions or privacy policies because they’ll have contractual agreements with customers that work for both sides.

On top of that foundation, real relationships can be built by VRM systems on the customers’ side and CRM systems on the corporate side. Both can also use AI agents: personal AI for customers and corporate AI for companies. Massive businesses can grow to supply tools and services on both sides of those new relationships. These are businesses that can only grow atop agreements that customers bring to the table, and at scale across all the companies they engage.

This is the kind of thing that four guys (me included)† had in mind when they posted The Cluetrain Manifesto* on the Web in April 1999. A book version of the manifesto came out in early 2000 and became a business bestseller that still sells in nine languages. Above the manifesto’s 95 theses is this master clue**, written by Christopher Locke:

MyTerms is the only way we (who are not seats or eyeballs or end users or consumers) finally have reach that exceeds corporate grasp, so companies can finally deal with the kind of personal agency that the Internet promised in the first place.

The MyTerms standard requires that a roster of possible agreements be posted at a disinterested nonprofit.  The individual chooses one, the company agrees to it (or not). Both sides keep an identical record of the agreement.

The first roster will be at Customer Commons, which is ProjectVRM’s 501(c)3 nonprofit spinoff. It was created to do for personal privacy terms what Creative Commons does for personal copyright licenses. (It was Customer Commons, aka CuCo, that the IEEE approached with the idea of creating the MyTerms standard.)

Work on MyTerms started in 2017 and is in the final stages of IEEE approval process. While it is due to be published early next year, what it specifies is simple:

Individuals can choose a term posted at Customer Commons or the equivalent Companies can agree to the individual’s choice or not The decision can be recorded identically by both sides Data about the decision can be recorded by both sides and kept for further reference, auditing, or dispute resolution Both sides can know and display the state of agreement or absence of agreement (for example, the state of a relationship, should one come to exist)

MyTerms not a technical spec, so implementations are open to whatever. Development on any of those can start now. So can work in any of the six areas listed above.

The biggest thing MyTerms does for customers—and people just using free services—is getting rid of cookie notices, which are massively annoying and not worth the pixels they are printed on.  If a company really does care about personal privacy, it’ll respect personal privacy requirements. This is how things work in the natural world, where tracking people like marked animals has been morally wrong for millennia. In the digital world, however, agreements need to be explicit, so programming and services can be based on them. MyTerms does that.

For business, MyTerms has lots of advantages:

Reduced or eliminated compliance risk Competitive differentiation Lower customer churn Grounds for real rather than coerced relationships (CRM+VRM) Grounds for better signaling (clues!) going in both directions Reduced or eliminated guesswork about what customers want, how they use products and services, and  how both might be improved

Lawyers get a new market for services on both the buy and sell sides of the marketplace. Companies in the CMP (consent management platform) business (e.g. Admiral and OneTrust) have something new and better to sell.

Lawmakers and Regulators can start looking at the Net and the Web as places where freedom of contract prevails, and contracts of adhesion (such as what you “agree” to with cookie notices) are obsolesced.

Developers can have a field day (or decade). Look for these categories to emerge

Agreement Management Platforms – Migrate from today’s much-hated consent management platforms (hello OneTrust, Admiral, and the rest). Vendor Relationship Management (VRM) Tools and services – Fill the vacuum that’s been there since the Web got real in 1995. Customer Relationship Management (CRM) – Make its middle name finally mean something. Customer Data Return (CDR) – Give, sell back, or share with customers the data you’ve been gathering without their permission since forever. Talking here to car companies, TV makers, app makers, and every other technology product with spyware onboard for reporting personal activity to parties unknown. Platform Relief –  Free customers from the walled gardens of Apple, Microsoft, Amazon, and every other maker of hardware and software that currently bears the full burden of providing personal privacy to customers and users. Those companies can also embrace and help implement MyTerms for both sides of the marketplace. Personal AI (pAI)– Till and plant a vast new greenfield for countless companies, old and new. This includes Apple (which can make Apple Intelligence truly “AI for the rest of us” rather than Siri in AI drag), Mozilla (with its Business Accelerator for personal AI) , Kwaai (for open source personal AI), and everyone else who wants to jump on the train. Big meshes of agents, such as what these developers are all working on.

In the marketplace, we can start to see all these things:

Predictions made by The Intention Economy: When Customers Take Charge finally come true. New dances between customers and companies, demand and supply. (“The Dance” is a closing chapter of The Intention Economy.) New commercial ecosystems can grow around a richer flow of clues in both directions, based on shared interest and trust between demand and supply. Surveillance capitalism will be obsolesced — and replaced by an economy aligned with personal agency and respect from customers’ corporate partners. A new distributed P2P fabric of personally secure and shared data processing and storage — See what KwaaiNet + Verida, for example, might do together.

All aboard!

†Speaking for myself in this post. I invite the other two surviving co-authors to weigh in if they like.

*At this writing, the Cluetrain website, along with many others at its host, is offline while being cured of an infection.  To be clear, however, it will be back on the Web. Meanwhile, I’m linking to a snapshot of the site in the Internet Archive—a service for which the world should be massively grateful.

**The thesis that did the most to popularize Cluetrain was “Markets are conversations,” which was at the top of Cluetrain’s ninety-five theses. Imagining that this thesis was just for them, marketers everywhere saw marketing, rather than markets, as “conversations.” Besides misunderstanding what Cluetrain meant by conversation (that customers and companies should both have equal and reciprocal agency, and engage in human ways), marketing gave us “conversational” versions of itself that were mostly annoying.  And now (thank you, marketing), every damn topic is now also a fucking “conversation”—the “climate conversation,” the “gender conversation,” the “conversation about data ownership.” I suspect that making “conversation” a synonym for “topic” was also a step toward making every piece of propaganda into a “narrative.” But I digress. Stop reading here and scroll back to read the case for MyTerms. And please, hope that it also doesn’t become woefully misunderstood.

Abstract

As the automotive industry transitions toward software-defined vehicles, autonomous technologies, and connected services, cybersecurity has become a critical concern. This white paper from the FIDO Alliance outlines key challenges and emerging solutions for securing next-generation vehicles. It examines global regulatory frameworks such as UN R155, UN R156, and ISO/SAE 21434 and presents the FIDO Alliance’s standards for passwordless authentication, secure device onboarding, and biometric certification.

Audience

This paper addresses the automotive industry. The audience includes automotive system engineers, automotive IVI product and development managers, automotive networking and in-vehicle cyber security engineers, product managers for in-vehicle services for applications such as purchasing, IT system cyber security managers, engineers seeking to support global regulatory frameworks such as UN R155/R156 and ISO/SAE 21434, manufacturing system engineers, and car-to-cloud connectivity engineers.

Download the White Paper 1. Introduction

The automotive industry is undergoing transformative changes, including the shift to software-defined and autonomous vehicles, advanced IT-like architectures, over-the-air (OTA) updates, and the rise of in-vehicle commerce. While these changes offer new revenue opportunities, they also bring significant cybersecurity threats.

Global cybersecurity legislation, such as UN Regulation 155, UN Regulation 156, and ISO/SAE 21434, aim to protect vehicles from emerging threats. The FIDO Alliance plays a crucial role by providing standards for secure authentication, device onboarding, and biometrics certification.

Utilizing standards helps automotive companies ensure consistent security, leverage collective expertise, and avoid proprietary solutions that have the potential to stymie new markets and revenue. FIDO standards apply to various automotive applications, including consumer services, in-vehicle solutions, workforce authentication, and manufacturing, ensuring robust cybersecurity across the industry.

This paper provides companies within the automotive ecosystem an insight into the standards and services the FIDO Alliance offers together with a review of current and future use cases.

The FIDO Alliance is seeking feedback and partnership with industry experts to help ensure that FIDO’s programs are fit for purpose and successfully help companies meet cybersecurity needs, improve driver experiences, and tap into new opportunities.

2. Evolution of the automotive industry

The automotive industry has 140 years of history and is currently going through changes that affect all aspects of the industry:

Electrification and sustainability Software-defined vehicles and connectivity Autonomous and assisted driving Shifting business models: Mobility-as-a-Service (MaaS) and direct sales Supply chain disruptions and geopolitical risks New revenue streams: data monetization and services Rollout of EV charging infrastructure and its energy grid impacts Changing consumer expectations and digital experiences

These changes bring potential upside to manufacturers in terms of new revenue opportunities and improved vehicles, but they also introduce considerable cyber threats.

Vehicles have evolved from isolated mechanical systems into interconnected cyber-physical platforms (often created by various entities) that integrate complex software, hardware, and communication networks. Manufacturers implement these systems to provide end users with a better vehicle and an enhanced driving experience, but they also bring an increased risk of cyber threats associated with new “attack surfaces”. These potential threats come in many forms, from malicious hackers to state funded actors. To minimize these threats, it is now a fundamental priority for manufacturers, their suppliers, regulators, and other industry stakeholders to focus on cybersecurity.

3. Meet the challenges and seize the opportunity

Automotive cybersecurity professionals have a massive challenge in front of them. On one side they need to react to the rise in threats and account for the associated legislation that has been developed to protect consumers. On the other side they need to be open to supporting new business models such as in-vehicle commerce, value added vehicle features such as subscription services, as well as additional cybersecurity for factories and offices. While there is no one simple solution to meet all of these needs, utilizing standards and certification programs from organizations such as the FIDO Alliance can help greatly.

4. Automotive cybersecurity and global legislation

National governments and international organizations have enacted regulations that require stringent cybersecurity measures throughout the automotive lifecycle, including design, operation, and even end-of-life. These frameworks aim to shield vehicles from emerging threats and establish a baseline for safety and trust across the automotive ecosystem. Major worldwide examples include:

United Nations Regulation 155 and United Nations Regulation 156: mandate that vehicles incorporate a Cybersecurity Management System (CSMS) and a Software Update Management System (SUMS) ISO/SAE 21434: provides the foundation for global automotive cybersecurity engineering, outlining processes for managing cyber risks throughout the entire vehicle lifecycle China’s GB 44495-2024 and GB 44496-2024: regulate the Cyber Security Management System (CSMS) and govern secure software updates in a granular fashion India’s AIS 189 and AIS 190: align with UN R155 and R156, to regulate the cybersecurity of connected vehicles United States: Publication of cybersecurity best practices by the National Highway Traffic Safety Administration (NHTSA) that emphasize secure vehicle development processes, incident response plans, and continuous risk monitoring

Refer to Appendix A to learn more about these standards.

5. The FIDO Alliance and FIDO standards

The FIDO Alliance is an open industry association with a focused mission: reduce the world’s reliance on passwords. To accomplish this, the FIDO Alliance promotes the development of, use of, and compliance with standards for user authentication and device onboarding.

The FIDO Alliance:

Develops technical specifications that define an open, scalable, interoperable set of mechanisms to reduce reliance on passwords for authentication of both users and devices. Tracks the evolution of global regulations and evolves its own standards to help industries satisfy those regulations in a harmonized way, reducing their compliance burdens. Operates industry certification programs to ensure successful global adoption of these specifications. Provides education and market adoption programs to promote the global use of FIDO. Submits mature technical specifications to recognized standards development organizations for formal standardization.

The FIDO Alliance has over 300 members worldwide, with representation from leaders in IT, silicon, payments, and consumer services and features a Board of Directors that includes representatives from Apple, Visa, Infineon, Microsoft, Dell, Amazon, and Google. The Alliance also has a variety of active working groups where like-minded members can develop and advance technical work areas and coordinate on market-specific requirements.

The FIDO Alliance is planning to launch an automotive working group, where leaders in this sector can identify and collaborate on technical, business, and market requirements. To learn more, use the Contact Us form at https://fidoalliance.org/contact/ or email info@fidoalliance.org.

6. FIDO for automotive cybersecurity compliance

Meeting the demands of the primary automotive cybersecurity standard ISO/SAE 21434 and subsequently the most prominent regulation, UN R155, hinges on strong identity management and secure device onboarding. While these standards don’t prescribe FIDO protocols per se, they outline key principles where FIDO offers tangible benefits.

ISO 21434, particularly Clauses 8 and 9 concerning risk assessment and threat mitigation, calls for strategies to prevent unauthorized access. FIDO’s passwordless authentication directly addresses this by eliminating weak credentials and reducing risks from phishing and credential stuffing, common threats to connected vehicle systems. Additionally, Clause 10’s focus on secure software deployment aligns with FIDO Device Onboard (FDO), ensuring only authenticated devices join the ecosystem, mitigating supply chain attacks and unauthorized software injections. This direct mapping of FIDO’s capabilities to specific clauses demonstrates its value in achieving compliance.

Beyond these founding standards, FIDO’s approach has broad applicability to emerging regulations, providing OEMs with a pathway to meeting global compliance demands and bolstering cybersecurity resilience across their connected car ecosystem. Some examples include China’s GB 44495-2024 and India’s AIS 189, which call for regional automotive cybersecurity standards and reinforce the need for features such as secure authentication in the software-defined vehicle (SDV) era. China’s GB regulation, similar to UN R155, emphasizes authenticity and integrity in remote updates, where FIDO’s passkey-based authentication provides a compliant approach to verifying access. India’s regulations, currently still in draft, align with UN R155, highlighting the importance of securing vehicle-to-cloud communications and identity management.

7. Overview of emerging use cases where FIDO standards may apply

FIDO standards can be applied to a wide range of scenarios. These can be customer-facing, embedded within the vehicle, or as part of the manufacturer’s IT infrastructure.

High level overview of some of some of these scenarios include but not limited to:

In-vehicle commerce: This includes payments using credentials stored and managed in vehicle to enable convenient fueling, EV charging, parking reservations, car washes or even in-vehicle marketplaces managed by the car manufacturer. Implementation of passkeys to authenticate the associated car user and biometric component certification are most relevant to these use cases. Authentication to personalized services: These applications include easy access to customized automotive settings (for example, headrest and seat adjustments) as well as to informational and entertainment content. In-vehicle solutions: This segment includes applications such as car-to-cloud connectivity and onboarding of ECUs and zone controllers within the vehicle. Implementation of FIDO Device Onboard (FDO) is most applicable to these applications. Workforce authentication: These applications include controlling workforce access to IT systems whether at a development office, manufacturing site, or dealership. Implementation of passkeys and FIDO USB authentication keys are most applicable to these applications. Manufacturing: Modern manufacturing facilities are moving towards software defined control, AI, and robotic systems. The secure deployment of these solutions is often time consuming and expensive. Implementation of FIDO Device Onboard (FDO) can accelerate deployments and increase security. 8. FIDO Alliance technology overview

In the same way that Ethernet started as an IT networking solution, FIDO standards were not specifically created for automotive applications. However, they are highly relevant in modern vehicles where robust cybersecurity is a critical, foundational element rather than just a desirable feature. FIDO standards, such as passkeys, are being used as is in the automotive world today.

The FIDO Alliance technology portfolio for automotive applications can be broadly grouped into three main areas:

Passkeys: The FIDO Alliance is transforming authentication through open standards for phishing-resistant sign-ins using passkeys. Passkeys are more secure than passwords and SMS OTPs, easier for consumers and employees to use, and simpler for service providers to deploy and manage. Automotive manufacturers leverage passkeys for a wide variety of use cases.

Device Onboarding: The FIDO Alliance establishes standards for secure device onboarding (FDO) to ensure the safety and efficiency of connected devices in segments such as industrial and enterprise. In the automotive sector, manufacturers can apply this standard to the connections between Electronic Control Units (ECUs) and zone controllers or connections between the vehicle itself and the cloud services that facilitate over-the-air software updates. This standard has been adopted by Microsoft, Dell, ExxonMobil, Red Hat and others.

Biometrics certification: The FIDO Alliance offers a certification program tailored to specific applications that uses independent test labs to measure performance of biometric sensors (such as iris or fingerprint sensors). Biometric sensors are becoming an increasingly important component of vehicles. Typical use cases might be to automatically configure the driver’s seat position or as part of a payment system. In these two examples the definition of “good technical performance” can differ greatly. Samsung, ELAN Microelectronics, Thales, Qualcomm, Mitek, iProov, and others have had biometric components certified by FIDO Alliance.

9. FIDO Alliance technology deep dive

To better understand how automotive manufacturers and the FIDO Alliance can work together, this section discusses current FIDO technologies and how they might integrate with automotive applications.

9.1 Passkeys and user authentication

A passkey is a FIDO authentication credential based on FIDO standards, that allows a user to sign in to apps and websites with the same steps that they use to unlock their device (biometrics, PIN, or pattern). With passkeys, users no longer need to enter usernames and passwords or additional factors.

Passkeys are the signature implementation of FIDO authentication standards, and they offer secure yet simplified sign-in to a wide range of services. Passkeys are supported by all major device operating systems and browsers and have been utilized by many industry leaders including Apple, Google, Microsoft, Samsung, Amazon, Walmart, PayPal, and Visa.

The following diagram illustrates how passkeys can be used for in-car applications, such as when a driver signs in to a cloud service.

Figure 1:Sample passkey usage in automotive

Passkeys rely on a technology known as public key cryptography (PKC), in which a virtual key pair is created, one private and the other public. For each private key (stored on the user’s device) there exists a matching public key (stored on the server) that is used to check signatures created with the private key.

In the diagram, a user (the driver in this case) first registers with a cloud service such as a payment service. During the registration process, a private and public cryptographic key is created by the FIDO Authenticator. The private key is stored securely in the infotainment system of the vehicle and is associated with that driver. The public key is stored on the cloud of the service provider.

When the driver wants to sign in to the service, a request is sent from the vehicle to the cloud service. The service then sends an authentication request to the vehicle. This challenge can only be successfully authorized by the user that holds the matching private key. To make sure that request is genuine, the driver is asked to confirm that they want to sign in. This is typically achieved via a biometric sensor such as fingerprint or face. Once this verification is complete, the user gains access to the service. Several FIDO hardware and software components are used for this process.

9.2 Passkey components

Three FIDO Certified components are used in the example:

FIDO authenticator

A FIDO authenticator is a software component or a piece of hardware that can perform FIDO authentication to verify possession and/or confirm user identity. In the example, the FIDO authenticator likely resides in the car infotainment system.

FIDO server

The server provides an application with a programming interface that can be leveraged with a FIDO Certified client to perform strong authentication. The server sits inside the cloud application.

Biometric components

Biometric components can identify an individual and are often used to compliment a FIDO authenticator. These sensors can take multiple forms including fingerprint, iris and face. The FIDO Alliance certifies the efficacy of biometric subsystems including end-to-end performance, differential assessment of demographic groups, and presentation attack detection (PAD).

Although the example is an in-vehicle use case, the same passkey technology can be applied inside a factory, development center, or dealership to ensure that systems are resilient to phishing attacks or other common password attack vectors.

9.3 In-vehicle biometrics

Installation of biometric components in vehicles is expected to increase rapidly over time. The performance needs of these components will vary by sensor type and target application. Today, the FIDO Alliance offers a comprehensive independent certification program for biometric components such as fingerprint and iris sensors. By specifying in a request for quote (RFQ) that products should be FIDO Certified, automotive manufacturers can simplify selection of sensors. For more information on FIDO Certification, visit https://fidoalliance.org/certification/.

9.4 FIDO Device Onboard (FDO)

When a computer device (such as an ECU) first connects to its management platform (the zone controller), it needs to be onboarded and provisioned. A parallel example might be the connection between a vehicle and its cloud. FIDO Device Onboard (FDO) was developed by FIDO Alliance members to meet the automation and high security requirements of such onboarding experiences.

With FDO, a device is first connected to the (wired or wireless) network and then powered up. The device then automatically and securely onboards to the management platform. FDO is based on a zero-trust architecture and therefore offers a high level of security as both the device and the management platform must cryptographically authenticate themselves to each other. FDO also provides resilience to supply chain attacks.

A number of leading technology providers have demonstrated implementations of FDO solutions including Dell, Microsoft, Red Hat, Intel, and ASRock.

10. FIDO technology use cases deep dive

The FIDO Alliance has identified several use cases where FIDO technology can be applied to support the automotive industry. This section discusses possible use cases with the hopes of fostering further conversations.

10.1 Consumer use cases

Historically, many cybersecurity applications have been “behind the scenes”. In modern vehicles there is an increasing number of new applications that directly impact the driver and passenger in-vehicle experience and open new revenue opportunities for manufacturers. One such area is the emergence of in-vehicle commerce.

Several factors are driving in-vehicle commerce:

Technological advancements Software Defined Vehicles (SDVs) allow for continuous updates and new functionality without hardware modifications. Autonomous driving introduces a new use case for vehicles as productivity or leisure spaces. Changing consumer expectations Consumers demand experiences in their vehicles akin to those offered by their smartphones and other digital devices. Revenue opportunities By acting as platforms for digital services, vehicles open new revenue streams for car manufacturers and service providers.

10.2 Identity verification, authentication, and authorization

The growing connectivity and services associated with modern vehicles brings about new requirements for identity verification, authentication, and authorization.

Identity verification: The process of confirming a person’s identity. It can involve comparing information provided by a person with records in a database or with the person’s physical documents such as a driver’s license. Authentication: Confirms that a person is who they say they are when attempting to sign in to systems, services, and resources. Authorization: The step after authentication that determines user access in terms of accessing data or performing actions.

Unlike other computing devices, such as smartphones and wearables, vehicles often have multiple users including family members, friends, co-workers, or renters. Each user may need access to services or to perform transactions tied to their unique identities and credentials. Therefore, vehicular computing resources must be cyber secure and capable of managing secure access and authentication for a diverse user base, including third-party service providers.

10.3 In-vehicle commerce and authentication

Commerce services in vehicles are closely tied to payments, making strong and user-friendly authentication essential. Drivers must trust that transactions are secure, manufacturers aim to minimize liability for unauthorized payments, and financial institutions require robust, standards-compliant authentication mechanisms. In addition, regulatory frameworks, such as Europe’s Payment Services Directive 2 (PSD2), mandate strong customer authentication (SCA) for cardholder-initiated transactions.

SCA requires a combination of at least two out of three factors:

Possession (something the user has, for example, a key, phone, or vehicle) Inherence (something the user is, for example, biometrics like fingerprint or facial recognition) Knowledge (something the user knows, for example, a PIN or password)

If the passkey authenticator is not natively integrated into the vehicle, authentication must be implemented using alternative multi-factor configurations. This can be achieved through software-based approaches, such as combining a PIN (knowledge) with the vehicle as a possession factor, or through hardware-based methods, such as biometric authentication (inherence) via fingerprint sensors or facial recognition, again anchored by the vehicle as the possession factor.

In-vehicle commerce can be broadly categorized into three main areas:

On-demand features

With on-demand features, vehicles now allow users to activate specific functionalities based on their needs. This includes advanced driver-assistance systems, comfort features like heated seats, and performance upgrades. On-demand features can be offered through flexible subscription models or pay-per-use systems. These features enhance customer satisfaction and create additional revenue streams for manufacturers.

Vehicle-related services

Vehicle-related services are seamlessly integrated services that include fueling, EV charging, parking reservations and payments, car washes, and toll payments. To maximize user convenience, the vehicle acts as a payment hub without reliance on a smartphone.

Convenience features

With implementation of convenience features such as shopping, entertainment, education, and even remote work functionalities, the vehicle becomes an extension of the user’s digital ecosystem. Examples include ordering coffee or groceries on the go, streaming movies, or attending virtual meetings during commutes. These categories illustrate that vehicles are no longer just modes of transportation but platforms that enable various service providers to engage with drivers and passengers.

10.4 Driver ID Verification for vehicle access control

Vehicle access requires a high level of authentication and is well suited to biometric sensors.

Keyless entry and ignition: Biometric systems like fingerprint and facial recognition can replace traditional keys to provide secure, biometric-based authentication for vehicle access and ignition. Anti-theft measures: Vehicles can utilize biometric authentication to prevent unauthorized usage or theft, including carjacking. Vehicle and OEM services: Vehicles can use biometric authentication as the first step to assessing a driver’s rights and privileges in determining how vehicle services can be accessed.

10.5 Personalization, fleet management and autonomous vehicles

Vehicles are often shared and the ability to automatically adapt to a specific driver is an important capability. The criteria and threshold for identification and authentication varies greatly depending on the specific application. For example, adjusting a driver’s seat adjustment versus passenger authorization for an autonomous vehicle.

10.5.1 Personalization

Adaptive in-car settings: Biometric recognition can identify drivers or passengers in order to adjust seat positions, climate controls, infotainment preferences, and navigation routes according to stored profiles. Adaptive usage-based services: By seamlessly authenticating the driver, the automaker can provide use-based insurance or leasing and financing options for personal and commercial scenarios. Fleet management Shared vehicles and fleets: Biometric-enabled processes ensure smooth transitions between users in car-sharing or fleet systems, loading personal settings for each verified driver. Compliance tracking: Digital wallets can hold compliance documents (for example, licenses and vehicle inspection reports) to reduce paperwork and enhance audit readiness by asserting compliance attributes to authorized users.

10.5.2 Autonomous vehicles

Passenger authentication and ID verification: In self-driving cars, biometric systems authenticate passengers to ensure authorized use and personalized experiences.

Why key possession is not sufficient authentication

There are several reasons why a physical key is not a sufficient form of user authentication.

A physical key verifies access to the vehicle but does not confirm the identity of the individual using it. In scenarios such as ridesharing, fleet management, or multi-user vehicles, relying solely on key possession fails to distinguish authorized users from unauthorized users. As discussed earlier, for payment use-cases there is a need in some markets to be compliant with SCA regulations. A key only satisfies the possession factor and therefore does not meet the SCA requirements for secure payments. A vehicle key can be lost, stolen, or duplicated allowing unauthorized individuals to gain access. Without additional layers of authentication, transactions made in the vehicle could be fraudulent. Multi-party and platform complexity: In-car commerce involves multiple stakeholders such as Original Equipment Manufacturers (OEMs), service providers, and users. Authentication must ensure that the user is authorized to transact across all platforms and services, necessitating identity verification beyond simple possession.

10.6 Electronic systems and manufacturing use cases

10.6.1 In-vehicle ECU, zone controller, and compute onboarding

As the compute level rises within vehicles, the need for efficient and fast communication becomes increasingly important. In response to this need, cars are increasingly moving to an IT-centric architecture with Ethernet becoming the networking technology of choice to link zone controllers and ECUs inside a vehicle.

In addition to high speed and secure communication, there is a need to ensure that both the device (ECU) and the management platform (Zone controller) are cryptographically authenticated against each other. Although initially developed for IoT and IT systems, the FIDO Alliance team believes that FIDO Device Onboard (FDO) can be a fast and secure way to automate the onboarding process. As FDO is an open standard, automotive manufacturers can benefit from economies of scale savings versus paying for the development and maintenance of proprietary solutions.

In addition to speed and security, FDO also provides resilience to supply chain attacks and grey market counterfeits.

10.6.2 Car to cloud onboarding

As the complexity of car features grows and autonomous driving technology increases, a modern car is essentially a computer on wheels that requires a vast amount of software for all functions to operate.

Most sources agree that a typical modern car is managed by software generated by around 100 million lines of code. The very nature of this complexity confirms that the days when vehicle software can be frozen at vehicle product launch is no longer realistic.

Software updates are now a mandatory feature of modern automobiles and a secure and efficient way of connecting the vehicle to the manufacturer’s cloud is essential.

FDO provides a secure and fast method for vehicles to onboard to their management platforms, making Over the Air (OTA) software updates possible.

Figure 2:FIDO fit for in-vehicle systems

Additionally, new updates to the FDO standard are expected to allow software to securely deploy to bare ECUs or zone controllers, which would greatly simplify dealership repairs and upgrades.

10.7 Workforce authentication (passkeys/FIDO keys)

For many years the IT industry has been using FIDO authenticators to ensure that only authorized staff have access to systems. The risks associated with attacks in this space have been highlighted by the recent challenges faced by some automotive dealers.

Figure 3:FIDO fit for workforce authentication

A cyberattack on a software provider for car dealerships occurred in June of 2024 and disrupted the operations of thousands of dealerships in North America. This attack caused major disruptions, including delays for car buyers and an estimated $1 billion in collective losses for dealerships.

10.8 Manufacturing use cases

Factories are using classic fixed function manufacturing functions such as motion control and PLCs less as they move towards use of far more flexible and intelligent software defined control and AI based vision systems. This transition introduces large numbers of general-purpose computers to the factory floor.

At installation, each server or industrial PC needs to be onboarded to its respective management platform (on-premises or cloud). This onboarding process typically requires that skilled technicians manually configure the credentials or passwords in the devices, a process that is slow, not secure, and expensive.

With FIDO Device Onboard (FDO), a technician can plug in an industrial PC and have it automatically and securely onboard the management server platform.

The following diagram shows how FDO is used to onboard the industrial PCs to the local servers which are in turn onboarded to the manufacturing cloud.

Figure 4:FIDO fit for automotive manufacturing

11. Why using standards helps

Cybersecurity standards, such as those from the FIDO Alliance, offer value in ways that are hard for any single company to achieve. These consensus-based standards represent maturity and provide consistency for the industry, which are crucial for reliable authentication and authorization. FIDO cybersecurity standards are based on diverse expertise, provide clarity in a changing cybersecurity landscape, and offer essential guidance for certification authorities and regulators as they develop new laws.

Although the automotive industry has utilized standards almost since its inception, there are still areas where companies have tried to develop their own proprietary solutions. Such solutions rarely add value for the manufacturers and require engineering talent to develop and time to maintain.

As the automotive computing platform is a system of systems, the automotive industry can benefit from lessons learned by related industries. Open standards supported by certification programs help streamline product and service development.

FIDO’s standards are essentially commoditizing authentication elements that are critical to cybersecurity, but that are not natural areas for competitive differentiation. By leveraging standards, vendors and manufacturers can now focus their resources and development efforts on higher-value services.

11.1 Benefits of partnering with the FIDO Alliance

Diverse expertise: The FIDO Alliance brings together skilled professionals from various companies, including cloud players, credit card companies, and manufacturers.

Ecosystem cohesion: Standards ensure quality, security, and interoperability within ecosystems, which is crucial for applications like payments.

Adapt to emerging threats: The threat landscape is always evolving. As an example, quantum computing represents a significant threat to commonly used encryption techniques. Although quantum computing is in a relatively early stage of maturity, standards groups such as the FIDO Alliance are already defining how to create quantum resilient solutions.

12. FIDO Certification programs for the automotive industry

The FIDO Alliance’s world-class certification programs validate that products conform to FIDO specifications and interoperate effectively and assess security characteristics and biometric performance. With over 1,200 FIDO Certified products from hundreds of vendors around the world, these programs unlock the value of FIDO’s open standards for vendors and buyers. By specifying FIDO Certification in their RFQ’s, manufacturers can be sure that their suppliers will deliver performant, secure, and interoperable products.

Automotive OEMs can seek out and leverage components that are already certified (for example, authenticators or biometric components) and FIDO Alliance’s certification team is also developing an automotive profile with its lab partners that replicates in-car environments for more precise biometric tests. The Alliance seeks automotive sector feedback to help us collectively:

Address gaps in the current certification specifications Update specifications as needed Issue sector-specific policies Implement new testing procedures

For more information on FIDO Certification, visit https://fidoalliance.org/certification/.

13. Conclusion and next steps

The automotive industry and cybersecurity are evolving quickly; the FIDO Alliance’s proven and established standards and certification programs can help with a wide range of automotive industry applications. Applications include in-vehicle services and payment authentication, onboarding zone-controllers, car-to-cloud connectivity, OTA updates, and leveraging biometrics for a better driver experience.

The FIDO Alliance provides a path for automotive manufacturers and their suppliers to simplify their development processes, raise security levels, improve customer experience, reduce costs and tap into new revenue opportunities.

Feedback is welcome on the topics covered within this white paper and the FIDO Alliance encourages interested parties to engage with the Alliance and its members. FIDO Alliance members can learn more about FIDO standards and have opportunities to influence how these standards evolve. Additionally, members get the benefit of being able to engage with a broad range of thought leaders from leading companies within the broader ecosystem.

To get involved visit https://fidoalliance.org/members/become-a-member/ or use the Contact Us form at https://fidoalliance.org/contact/.

14. Appendix A – Global legislation applicable to automotive cybersecurity

National governments and international organizations have enacted regulations that require stringent cybersecurity measures throughout the automotive lifecycle, from design to operation and even end of life. These frameworks aim to shield vehicles from emerging threats and establish a baseline for safety and trust across the automotive ecosystem.

United Nations Regulations 155 and 156: These are the most prominent and clearly defined automotive cybersecurity regulations. Adopted under the WP.29 framework in 2021, UN R155 and R156 are globally recognized and mandate that vehicles incorporate a Cybersecurity Management System (CSMS) and a Software Update Management System (SUMS). These regulations are prerequisites for type approvals in over 50 countries, including most EU nations, Japan, South Korea, and Australia (UNECE, 2021).

ISO/SAE 21434: This standard provides the foundation for global automotive cybersecurity engineering, outlining processes for managing cyber risks throughout the entire vehicle lifecycle. It complements existing regulations and aids manufacturers in complying with mandatory regulations such as UN R155 (ISO, 2021).

China’s GB 44495-2024 and GB 44496-2024: Introduced in the summer of 2024, these regulations mirror UN R155 and R156 but are more detailed in specificity. GB 44495 outlines cybersecurity requirements for connected vehicles, while GB 44496 governs secure software updates. China’s focus on intelligent connected vehicles highlights its ambition to lead in autonomous and connected technologies (Shadlich, 2024).

India’s AIS 189 and AIS 190: India has introduced AIS 189 and AIS 190, standards aligned with UN R155 and R156, to regulate the cybersecurity of connected vehicles. These frameworks emphasize risk management, monitoring, secure communication protocols, and secure software updates, similar to UN R155/R156 (Vernekar, 2024).

United States: While there are no mandated federal regulations for automotive cybersecurity, the National Highway Traffic Safety Administration (NHTSA) has published cybersecurity best practices. These guidelines emphasize secure vehicle development processes, incident response plans, and continuous risk monitoring. They align with ISO/SAE 21434 and offer a proactive approach to mitigating vulnerabilities in connected vehicles (NHTSA, 2022).

Document history ChangeDescriptionDateInitial publicationWhite paper first published.7-2025             15. Contributors

Conor White, Daon, Inc
Richard Kerslake, FIDO Alliance
Andrew Shikiar, FIDO Alliance
Nimesh Shrivastava, Qualcomm Inc
Drew Van Duren, Qualcomm Inc
Jens Kohnen, Starfish GmbH & Co. KG
Tin T. Nguyen, VinCSS JSC
Henna Kapur, Visa

16. References

Harley, M. (2024, March 28). EU Cybersecurity Laws Kill Porsche’s 718 Boxster and Cayman Early. Retrieved from https://www.forbes.com/sites/michaelharley/2024/03/28/eu-cybersecurity-laws-kill-porsches-718-boxster-and-cayman-early/

ISO. (2021). ISO/SAE 21434:2021 Road vehicles—Cybersecurity engineering. International Organization for Standardization. Retrieved from https://www.iso.org/standard/70918.html

Miller, C., &amp; Valasek, C. (2015, July 21). Hackers remotely kill a Jeep on the highway—With me in it. Wired. Retrieved from https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway

National Highway Traffic Safety Administration (NHTSA). (2022, September 7). Cybersecurity best practices for new vehicles. NHTSA. Retrieved from https://www.nhtsa.gov/press-releases/nhtsa-updates-cybersecurity-best-practices-new-vehicles

Shadlich, E. (2024, September 2). China’s New Vehicle Cybersecurity Standard: GB 44495-2024. Retrieved from https://dissec.to/general/chinas-new-vehicle-cybersecurity-standard-gb-44495-2024/

UNECE. (2021). UN Regulation No. 155 – Cyber security and cyber security management system. UNECE. Retrieved from https://unece.org/transport/documents/2021/03/standards/un-regulation-no-155-cyber-security-and-cyber-security

University of Detroit Mercy. (n.d.). Vehicle cybersecurity engineering program. Retrieved from https://eng-sci.udmercy.edu/academics/engineering/vehicle-cyber-eng.php

Vernekar, A. (2024, October 10). Securing The Future Of Indian Automobiles: Understanding AIS-189 And Cybersecurity For Vehicles. Retrieved from https://vayavyalabs.com/blogs/securing-the-future-of-indian-automobiles-understanding-ais-189-and-cybersecurity-for-vehicles/

Walsh College. (n.d.). Bachelor of Science in Automotive Cybersecurity. Retrieved from https://walshcollege.edu/walsh-undergraduate-degree-programs/bachelor-of-science-in-information-technology/bachelor-of-science-in-automotive-cybersecurity/

Reflections on recent conversations about digital identity, sovereignty, and the erosion of foundational principles

Echoes from Geneva

I wasn’t present at the Global Digital Collaboration conference (GDC25), but the observations shared by colleagues who attended have crystallized some issues I’ve been wrestling with for years. I should note there’s a selection bias here: I’m the author of the 10 principles of self-sovereign identity, so my community tends to have strong opinions about digital identity. Still, when multiple trusted voices independently report similar concerns, patterns emerge that are worth examining. And these weren’t casual observers sharing these concerns. They were seasoned practitioners who’ve spent decades building identity infrastructure. Their collective unease speaks to something deeper than technical disagreements.

It’s hard to boil the problems at GDC25 down to a single issue, because they were so encompassing. For example, there was a pattern of scheduling issues that undercut the community co-organizing goal of the conference and seemed to particularly impact decentralized talks. One session ended up in a small, hot room on the top floor that was hard to find. (It was packed anyway!) Generally, the decentralized-centric talks were in bad locations, they were short, they had restricted topics, or they were shared with other panelists.

I think that logistical shuffling of events may point out one of the biggest issues: decentralized systems weren’t given much respect. This may be true generally. There may be lip service to decentralized systems, but not deeper commitments. Its value isn’t appreciated, so we’re losing its principles. Worse, I see the intent of decentralization being inverted: where our goal is to give individuals independence and power by reducing the control of centralized entities, we’re often doing the opposite — still in the name of decentralization.

The Echo Chamber Paradox

The problems at GDC25 remind me of Rebooting the Web of Trust (RWOT) community discussions I’ve been following, which reiterate that this is a larger issue. We debate the finer points of zero-knowledge proofs and DID conformance while missing the forest for the trees. Case in point: the recent emergence of “did:genuineid” — a centralized identifier system that fundamentally contradicts the “D” in DID.

Obviously, decentralization is a threat to those who currently hold power (whether they be governments, corporations, billionaires, or others who hold any sort of power), because it tries to remove their centralization (and therefore their power), to instead empower the individual. But if we can’t even maintain the semantic integrity of “decentralized” within our own technical community, devoted to the ideal, how can we fight for it in the larger world?

The Corpocratic Complication

GDC25 was held in Geneva, Switzerland. 30+ standards organizations convened to discuss the future of digital identity. Participants spanned the world from the United States to China. There was the opportunity that GDC25 was going to be a truly international conference. Indeed, Swiss presenters were there, and they spoke of privacy, democratic involvement, and achieving public buy-in. It was exactly the themes that we as decentralized technologists wanted to hear.

But from what I’ve heard, things quickly degraded from that ideal. Take the United States. The sole representative of the country as a whole attended via teleconference. (He was the only presenter who did so!) His talk was all about Real ID, framed as a response to 9/11 and rooted in the Patriot Act. It lay somewhere between security-theatre and identity-as-surveillance, and that’s definitely not what we wanted to hear. (The contrast between the US and Swiss presentations was apparently jarring.)

And with that representative only attending remotely, the United State’s real representatives ended up being Google and Apple, each advancing their own corpocratic interests, not the interests of the people we try to empower with decentralized identities.

This isn’t just an American problem. It’s a symptom of a deeper issue happening across our digital infrastructure. It’s likely the heart of the inversions of decentralized goals that we’re seeing — and likely why those logistical reshufflings occurred: to please the gold sponsors. In fact, the conference sponsors tell the story: Google, Visa, Mastercard, and Huawei were positioned as “leading organizations supporting the advancement of wallets, credentials and trusted infrastructure in a manner of global collaboration.”

While Huawei’s presence demonstrates international diversity—a Swiss conference bringing together Europe and Asia—it also raised questions about whose vision of “trust” would ultimately prevail. When payment platforms and surveillance-capable tech giants frame the future of identity infrastructure, we shouldn’t be surprised when the architecture serves their interests first.

This echoes my concerns from “Has SSI Become Morally Bankrupt?”. We’ve allowed the narrative of self-sovereignty to be co-opted by the very platforms it was meant to challenge. The technical standards exist, but they’re being implemented in ways that invert their original purpose. Even UNECE sessions acknowledged the risk of “diluting the autonomy and decentralization that SSI is meant to provide.”

The Sovereignty Shell Game

Google was partnered with German Sparkasse on ZKP technology and that revealed a specific example of this co-opting.

Google’s open-sourcing of its Zero-Knowledge Proof libraries, announced July 3rd in partnership with Germany’s network of public savings banks, was positioned as supporting privacy in age verification. Yet as Carsten Stöcker pointed out, zero-knowledge doesn’t mean zero-tracking when the entire stack runs through platform intermediaries. Carsten noted that Google has “extensive tracking practices across mobile devices, web platforms and advertising infrastructure.” Meanwhile, the Google Play API makes no promises that the operations are protected from the rest of the OS.

The Google ZKP libraries (“longfellow-sk”) could be a great building block for truly user-centric systems, as they link Zero-Knowledge Proofs to legacy cryptographic signature systems that are still mandatory for some hardware. But they’d have to be detached from the rest of Google’s technology stack. Without that, there are too many questions. Could Google access some of the knowledge supposedly protected by ZKPs? Could they link it to other data? We have no idea.

The European Union’s eIDAS Regulation, set to take effect in 2026, encourages Member States to integrate privacy-enhancing technologies like ZKP into the European Digital Identity Wallet, but integration at the platform level offers similar dangers and could again invert the very privacy guarantees ZKP promises.

Historical Echoes, Modern Inversions

Identity technology’s goals being inverted, so that identity becomes a threat rather than a boon, isn’t a new problem. In “Echoes of History”, I examined how the contrasting approaches of Lentz and Carmille during WWII demonstrate the life-or-death importance of data minimization. Lentz’s comprehensive Dutch identity system enabled the Holocaust’s efficiency; Carmille’s deliberate exclusion of religious data from French records saved lives. Even when they’re decentralized, today’s digital identity systems face the same fundamental questions: what data should we collect, what should we reveal, and what should we refuse to record entirely?

But we’re adding a new layer of complexity. Not only must we consider what data to collect, but who controls the infrastructure that processes it. When Google partners with Sparkasse on “privacy-preserving” age verification, when eIDAS mandates integration at the operating system level, we’re not just risking data collection: we’re embedding it within platforms whose business models depend on surveillance. Even if the data is theoretically self-sovereign, the threat of data collected is still data revealed — just as happened with Lentz’s records.

The European eIDAS framework, which I analyzed in a follow-up piece to “Echoes from History”, shows how even well-intentioned regulatory efforts can accelerate platform capture when they mandate integration at the operating system level. As I wrote at the time, a history of problematic EU legislation that had the best of intentions but resulted in unintended consequences has laid the groundwork, and now identity is straight in that crosshairs. One of the first, and most obvious problems with eIDAS is the mandate “that web browers accept security certificates from individual member states and the EU can refuse to revoke them even if they’re dangerous.” There are many more — and I’m not the only voice on eIDAS and EUDI issues.

Supposedly self-sovereign certificates phoning home whenever they’re accessed is another recent threat that demonstrates best intentions gone awry. This not only violates privacy, but it undercuts some of our best arguments for self-soveereign control of credentials by returning liability for data leaks to the issuer. The No Phone Home initiative that Blockchain Commons joined last month represents one attempt to push back on that, but it feels like plugging holes in a dam that’s already cracking. It all does.

The Builder’s Dilemma

What troubles me most is the split I see in our community. On one side, technology purists build increasingly sophisticated protocols in isolation from policy reality. On the other, pragmatists make compromise after compromise until nothing remains of the original vision.

The recent debates about did:web conformance illustrate this perfectly. Joe Andrieu correctly notes that did:web can’t distinguish between deactivation and non-existence — a fundamental security boundary. Yet did:web remains essential to many implementation strategies because it bridges the gap between ideals and adoption. It provides developers and users with experience with DIDs, but in doing so undercut decentralized ideals for those users. We’re caught between philosophical purity and practical irrelevance.

In my recent writings on Values in Design and the Right to Transact, I’ve tried to articulate what we’re fighting for. But values without implementation are just philosophy, and implementation without values is just surrender.

The Global Digital Collaboration highlighted this tension perfectly. International progress on digital identity proceeds apace: Europe, Singapore, and China all advance their frameworks, but there are still essential issues that invert our fundamental goals in designing self-sovereign systems. Meanwhile, the U.S. remains even more stalled, its position represented only by the platforms that benefit from the status quo. Alongside this, technical standards discussions proceed in isolation from the policy, regulatory, and social frameworks that will determine their real-world impact.

Where Do We Go From Here?

I find myself returning to first principles. When we designed TLS 1.0, we understood that technical protocols encode power relationships. When we established the principles of self-sovereign identity, we knew that architecture was politics. Ongoing battles, such as those between Verifiable Credentials and ISO mDLs, between DIDComm and OpenID4VC, demonstrate disagreements over these power relationships made visible in technological discussions.

The question now is whether we can reclaim our ideals before they’re completely inverted by the side of centralized power and controlled architecture.

The path forward requires bridging the gaps Geneva revealed:

Between corporate platform dominance and global digital sovereignty Between the promise of decentralization and the reality of recentralization Between technical standards and policy reality Between privacy absolutism and implementation pragmatism A Personal Note

After three decades of building internet infrastructure, I’ve learned that the most dangerous moment isn’t when systems fail, it’s when they succeed in ways that invert their purpose. We built protocols for human autonomy and watched them become instruments of platform control. We created standards for decentralization and see them twisted into new forms of centralization.

This conversation continues in private Signal groups, in conference hallways, in the space between what we built and what we’ve become. The Atlantic Council warns of power centralizing “in ways that threaten the open and bottom-up governance traditions of the internet.” When critics from across the geopolitical spectrum — from sovereignty advocates to digital rights groups — all sense something amiss, it suggests a fundamental architectural problem that transcends ideology.

Perhaps it’s time for a new architecture: one that acknowledges these inversions and builds resistance into its very foundations.

But that’s a longer conversation for another day.

Christopher Allen has been architecting trust systems for over 30 years, from co-authoring TLS to establishing self-sovereign identity principles. He currently works on alternative approaches to digital identity through Blockchain Commons.

Community Responses & Discussion since Publication

This article sparked significant discussion across the digital identity community:

Mailing List Discussion W3C Credentials Community Group Thread (39 messages, July 16-17) Debate between pragmatic incrementalism vs. human rights imperatives Questions about whether current standards help or hinder decentralization Concerns about “death by 1000 compromises” in SSI implementation My own synthesis and response to this CCG thread, including highlighting Utah’s “recognizer not issuer” as an altertive model De-platforming humans sub-thread (19 messages, July 17) Adrian Gropper proposes moving beyond SSI as “anti-pattern” Discussion of Nostr as alternative architecture Debate over whether did:web is truly decentralized given DNS dependencies Response Articles A Pattern of Moral Crisis - Kyle Den Hartog Examines how technologies get co-opted during times of crisis, drawing parallels to historical censorship patterns Centralized SSI - Kyle Den Hartog Analyzes how trust architectures themselves, not just technology, determine whether systems preserve or remove agency Cyber Storm Rising: Designing for the Warzone - Carsten Stöcker Reframes decentralization as urgent cybersecurity necessity, not just privacy concern, citing Ukraine’s experience Choose Love and Joy - Will Abramson Optimistic perspective on using advanced cryptography and blockchain “hardness” to build kinder digital futures Privacy in EUDI - Jaromil (Dyne.org) Technical analysis of European Digital Identity implementation and privacy implications Decentralized Age Verification - Kyle Den Hartog Concrete proposal for privacy-preserving content moderation that shifts roles within the SSI triangle

Join these ongoing discussion or share your perspective.

did:jwk embeds a JSON Web Key (JWK) in a DID to enable the use of JWKs in DID-enabled systems. Simple and straightforward, it promises to give did:key and did:pkh a run for their money. We talk with two of the co-authors of did:jwk, Jeremie Miller, known for creating Jabber and XMPP, and Orie Steele, CTO...

did:jwk embeds a JSON Web Key (JWK) in a DID to enable the use of JWKs in DID-enabled systems. Simple and straightforward, it promises to give did:key and did:pkh a run for their money. We talk with two of the co-authors of did:jwk, Jeremie Miller, known for creating Jabber and XMPP, and Orie Steele, CTO...

The Overlays Capture Architecture (OCA) is a foundation for Dynamic Data Economy structuring and presenting data in a traceable and verifiable way. Recognising today’s need of interoperability between standards, the release of OCA v2, the architecture takes a major leap forward, introducing a modular and extensible approach in the definition of overlays.

Community 2.0

The new specification centers around making overlays easier to define, share, and validate — even by non-technical users. At its core, OCA v2 introduces the concept of Community Overlays, empowering ecosystems to create and maintain their own overlay definitions without deep technical barriers.

We used the term Community (i.e. not ecosystem) to stress the need of creating the flexibility to create specific overlays for a given purposes shared by multiple users. For example, in science this approach helps to define the ultra-precise meaning of certain datasets while keeping them in line with common standards. In compliance, the approach enables the definition of data structures that must match specific regulatory constraints in a given jurisdiction. In supply-chain, the approach enables domain specific definitions of data exchanges to be used across the entire chain without requiring a centralised authority.

Definition of Community-Driven Overlay

Enabling Community Overlays required a different approach to the way the overlays are defined. Instead of specifying them in the OCA specification, we created a Domain-Specific Language (DSL), which allows us to create overlay definitions, which we called OVERLAYFILE.

OVERLAYFILE is a text-based file which can consist of one or many definitions of various overlays. If you are familiar with programming, think of it as a *.h (header) file from C++. If you are not familiar with technology, think of it as the exact structure of the dataset your boss, team, department or company validated for use.

Having clearly defined overlays, the relevant tooling support any community-defined overlay and simplify the way we manage overlays in the whole ecosystem. When you use it, you have the cryptographic assurance to use what the community has validated for use.

A new file type, .overlaysfile, allows communities to formally define their own overlays. By separating overlay definitions from usage, ecosystems can establish governance and enable cross-project reusability. Overlay repositories further support this, enabling easy distribution and import of overlays.

Enhanced Modularity and Validation

The new approach allows overlays to define schemas, ensuring proper structure and data integrity. Tooling can now validate authored overlays against community-defined schemas, reducing errors and increasing trust.

OCA Bundle in JSON format

An OCA Bundle is a set of OCA objects serving as envelop for distribution and usage of the semantic. With v2 we finally introduced long waiting new encoding format which replace old .zip file by simple JSON object. This new format was in test since quite some time in reference implementation of OCA and now it is official part of the OCA specification allowing to simplify the tooling and the way how the bundle is transmitted.

OCA Specification v2

Finally we release RC1 of Overlays Capture Architecture Specification v2.0.0 which is signal for readiness of mentioned features and functions. The process of implementation already started in our reference implementation which can be followed at oca-rs.

Below you would find the list of major changes which version 2.0.0 brings:

Sensitive overlay replaces PII's flagging in capture base. This enables an enhanced approach to privacy and other risks flagged directly in the schema

Categories from the Label overlay have move to presentation layer. Thus strictly enforcing the distinction between data inner structure and meaning with data presentation.

Upgrade to “Community Overlays” of certain previously “core overlays”. - all overlays listed below are nominated as community overlays and hosted in an Overlays Repository.

Information

Transoformation

Presentation

Layout

Conditional

Unit mapping

Introduce SemVer for all objects

Support for 639-1 and 639-3

Support for namespacing in overlay name

OCA2.0 build for stronger, verifiable data integrity

All objects of the Overlays Capture Architecture, the Capture Base, Overlays and Bundle are compatible with CESR encoding. This ensures that those objects can be authenticated using DKMS a KERI based decentralised key management.

This is pivotal to establish cryptographically verifiable integrity of data objects. This property enables the implementation of distributed governance models - a topic that will receive much attention at the Human Colossus Foundation

Webinar at DSWG

The Technology Council, who is responsible for maintaining the OCA specification and reference implementation, hosted a webinar during the Decentralised Semantic Working Group where they delved into the details of the design of the new architecture and all the features of version 2.0.

Decentralised Semantic Working Group - Overlays Capture Architecture 2.0

Looking Ahead

With OCA v2, the Overlays Capture Architecture moves closer to its vision of an open, extensible semantic ecosystem where organizations and communities can seamlessly create, validate, and share schemas.

Cybersecurity experts are urging internet users to take immediate steps to secure their online accounts, after largest-ever data leak exposed more than 16 billion login credentials including from major platforms like Google, Facebook, Apple, and even government services.

The breach, discovered by researchers at Cybernews, is believed to have been carried out using infostealers that harvested login data and other sensitive credentials from multiple platforms. “This is not just a leak – it’s a blueprint for mass exploitation,” Cybernews said in a statement. “With over 16 billion login records exposed, cybercriminals now have unprecedented access to personal credentials that can be used for account takeover, identity theft, and highly targeted phishing.”

Over the last few decades, compromised usernames and passwords have typically been at the root of some of the most sensational, damaging, and costly data breaches. An incessant drumbeat of advice about how to choose and use strong passwords and how not to fall prey to social engineering attacks has done little to keep threat actors at bay. 

Meta has begun rolling out passkey login authentication for Facebook users on iOS and Android mobile devices, marking a significant advancement in the industry-wide movement away from traditional password-based security. The implementation follows similar moves by tech giants Apple, Google, and Microsoft who have been leading the charge toward passwordless authentication.

The new passkey feature will become available to users globally over the coming weeks. To use the functionality, users must have devices that support FIDO2/WebAuthn standards, which are commonly found in modern iOS and Android smartphones. These standards, developed through collaboration between the FIDO Alliance and the World Wide Web Consortium (W3C), provide a secure framework for passwordless authentication that has been widely adopted across the technology industry.

Look up customer journey or customer experience (aka CX) and you’ll find nothing about what the customer drives, or rides. All results will be for systems meant for herding customers like cattle into a chute that the CX business (no kidding) calls a sales funnel:

Do any customers want to go down these drains?

But let’s stick with the journey metaphor, because there are good people in the marketing business who have thought deeply about how people buy and own things. Chief among those people is Estaban Kolsky, of Constellation Research. He visualizes the journey in a way that not only gives weight to the ownership experience, but separates it from the sales experience :

As for our actual experience, we spend 100 percent of our lives with things we own, and just a tiny percentage on buying them. So the real ratio should look more like this:

And yet, as I pointed out several years back in Turning the Customer Journey Into a Virtuous Cycle…

…consider the curb weight of “solutions” in the world of interactivity between company and customer today. In the BUY loop of the customer journey, we have:

1. All of advertising, which Magna Global expects to pass $.5 trillion, more than a decade ago

2. All of CRM/CX, which now exceeds $100 billion

3. All the rest of marketing, which has too many segments for me to bother looking up

So, in the OWN loop we have a $0 trillion greenfield.

To enter that greenfield, we need customers to be in charge of their side of these relationships— preferably through means for interaction that customers themselves control—on terms that are agreeable to both sides, rather than the one-sided terms we suffer every time we click AGREE on a cookie notice.

To help imagine how that will work, I volunteer a real-world example from my own life.

A few years back, I bought a pair of LAMO Mens Mocs at a shopping mall kiosk in Massachusetts. Here’s one:

I like them a lot. They’re very comfortable and warm on winter mornings. In fact I still wear them, even though the soles have long since come apart and fallen off. Here is how they looked after a few years of use:

I’m showing this so you, and LAMO, can see what happens, and how we can both use my experience—and those of other customers—to change the world.

See, I like LAMO, and would love to help the company learn from my experience with one of their products. As of today, there are four choices for that:

Do nothing (that’s the default) Send them an email Go on some website and talk about it. (A perfect Leighton cartoon in the  New Yorker shows a couple registering at a hotel while the person behind the counter says, “If there’s anything we can do to make your stay more pleasant, just rant about it on the Internet.”) Get “social” by tweeting to @LAMOfootwear or posting to LAMO’s Facebook page. (For wisdom on “social” relations between brands and presumed fans, see Bob Hoffman‘s talk on the topic.)

So here is a fifth choice: give these moccasins their own virtual cloud, where LAMO and I can share intelligence about whatever we like, starting (on my side) with reports on my own experience, requests for service, or whatever. Phil Windley calls these clouds picos, for persistent compute objects. Picos are breeds of what Bruce Sterling calls spime: persistent intelligence for things. Picos have their own operating system (e.g., Wrangler, which Phil most recently posted about here), and don’t need intelligence on board. Just scan a QR code, and you’ll get to the pico. Here’s the QR code on one of my LAMO moccasins:

Go ahead and scan the code with your phone. You’ll get to a page that says it’s my moccasin.

That’s just one view of a potential relationship between me and Lamo — one in which I can put a message that says “If found, call or text _______.” Another view is on my own dashboard of things in my OWN cycle, and direct connections to every one of those companies. That relationship can rest on friendly terms in which I’m the first party and the company is the second party. (For more on that, see here and here.)

So look at the relationship between me and Lamo as a conduit (the blue cylinder below) that lives in the pico for my mocassin. That conduit goes from my VRM (vendor relationship management) dashboard to Lamo’s CRM (customer relationship management) system. There is no limit to the goodness that can pass back and forth between us, including intelligence about how I use my moccasins.

Let’s look at what can happen at either or both ends of that conduit.

A pico for a product is a CRM dream come true: a standard way for every copy of every product to have its own unique identity and virtual cloud (in which any data can live), and standard way any customer can report usage and other intelligence about any product they own—without any smarts needing to live on the thing itself.

If I scan that QR code, I can see whatever notes I’ve taken. I can also see whatever LAMO has put in there, with my permission. Also in that cloud is whatever programming has been done on it. Here is one example of simple relationship logic at work:

IF this QR code is scanned, THEN send LAMO a note that Doc has a new entry in our common journal.

Likewise, LAMO can send me a note saying that there is new information in the same journal. Maybe that information is a note telling me that the company has changed sole manufacturers, and that the newest Mens Mocs will be far more durable. Or maybe they’ll send a discount on a new pair. The correct answer for what goes in the common journal (a term I just made up) is: whatever.

Now let’s say LAMO puts a different QR code, or other identifier, in every moccasin it sells. Or has a CRM system that is alert to notifications from customers who have turned their LAMO moccasins into picos, making all those moccasins smart. LAMO can then not only keep up with its customers through CRM-VRM conduits, but tie interactions through those conduits to the dashboards of their accounting systems (from Xero or other companies that provide enriched views of how the company is interacting with the world).

This is one huge potential key to the future of customer service, customer relationship management (CRM), call centers, loyalty programs, continuous improvement, customer experience (CX), customer engagement (CE) and other complicated ways businesses today try to solve all relationship problems from the maker’s or the seller’s side alone.

Follow the links in the last paragraph (all to Wikipedia), and you’ll find each of them has “multiple issues.” The reason for that is simple: the customer is not involved with any of them. All those entries make the sound of industries talking to themselves — or one hand slapping.

This is an old problem that can only be fixed on the customer’s side. Before the Internet, solving things from the customer’s side — by making the customer the point of integration for her own data, and the decider about what gets done with that data — was impossible. Now that we have the Internet, it’s very possible, but only if we get our heads out of business-as-usual and back into our own lives. This will be good for business as well.

A while back I had meetings with two call center companies, and reviewed this scenario:

A customer scans the QR code on her cable modem, activating its pico. By the logic described above, a message to the call center says “This customer has scanned the QR code on her cable modem.” The call center checks to see if there is an outage in the customer’s area, and — if there is — finds out how soon it will be fixed. The call center sends a message back saying there’s an outage and that it will be fixed within X hours.

In both cases, the call center company sai,d “We want that!” Because they really do want to be fully useful. And — get this — they are programmable.

Unfortunately, in too many cases, they are programmed to avoid customers or to treat them as templates rather than as individual human beings who might actually be able to provide useful information. This is old-fashioned mass-marketing thinking at work, and it sucks for everybody. It’s especially bad at delivering (literal) on-the-ground market intelligence from customers to companies.

Call centers would rather be sources of real solutions rather than just customer avoidance machines for companies and anger sinks for unhappy customers. The solution I’m talking about here takes care of that. And much more.

Now let’s go back to shoes.

I’m not a hugely brand-loyal kind of guy. I use Canon cameras because I like the long-standing 5D user interface more than the competing Nikon ones, and Canon’s lens prices tend to be lower. I use Apple computers because they’re easy to get fixed and I can open a command line shell and get geeky when I need to. I drive a 2017 VW wagon because I got it at a good price. And I buy Rockport shoes because, on the whole, they’re pretty good.

Used to be they were great. That was in the ’70s and early ’80s when Saul and Bruce Katz, the founders, were still in charge. That legacy is still there, under Reebok ownership; but it’s clear that the company is much more of a mass marketing operation than it was back in the early days. Still, in my experience, they’re better than the competition. That’s why I buy their shoes. Rockports are the only shoes I’ve ever loved. And I’ve had many.

So here is a photo I took of wear-and-tear on two pairs of Rockport casual shoes I still use, because they’re damned comfortable:

Shots 1 and 2 are shoes I bought in June 2012, and are no longer sold, near as I can tell. (Wish they were.) Shots 3 and 4 are of shoes called Off The Coast 2 Eye. I bought mine in late 2013, but didn’t start wearing them a lot until early this year. I bought both at the Rockport store in Burlington Mall, near Boston. I like that store too.

The first pair has developed a hole in the heel and loose eyelet grommets for the laces around the side of the shoe. The hole isn’t a big deal, except that it lets in water. The loose eyelets are only a bother when I cross my feet sitting down: they bite into the other ankle. The separating outer sole of the second pair is a bigger concern, because these shoes are still essentially new, and look new except for that one flaw. A design issue is the leather laces, which need to be double-knotted to keep from coming undone, and even the double-knots come undone as well. That’s a quibble, but perhaps useful for Rockport to know.

I’d like to share these experiences privately with Rockport, and for that process to be easy. Same with my experiences with LAMO moccasins.

It could be private if Rockport and LAMO footwear came with QR codes for every pair’s pico — it’s own cloud. Or if Rockport’s CRM or call center system was programmed to hear pings from my picos.

Ideally, customers would get the pico along with the shoe. Then they would have their own shared journal and message space — the conduit shown above — as well as a programmable system for creating and improving the whole customer-company relationship. They could also get social about their dialogs in their own ways, rather than only within Facebook and Twitter, which are the least private and personal places imaginable.

This kind of intelligence exchange can only become a standard way for companies and customers to learn from each other if the code for picos is open source. If Rockport or LAMO try to “own the customer” by locking her into a closed company-controlled system — the current default for customer service — the Internet of Things will be what Phil calls “the Compuserve of things”. In other words, divided into the same kind of closed and incompatible systems we had before the Net came along.

One big thing that made the Internet succeed was substitutability of services. Cars, banks, and countless other product categories you can name are large and vital because open and well-understood standards and practices at their base have made substitutability possible. Phil says we can’t have a true Internet of Things without it, and I agree.

The smartest people working for companies are their customers. And the best way to activate customer smarts is by giving them scale. That’s what picos do.

As a bonus, they also give companies scale. If we can standardize picos, we’ll have common and standard ways for any customer and any company to relate to each other through any VRM + CRM system. Think about how much more, and better, intelligence a company can get from its customers this way, rather than through the ones barely succeeding now, where the company does all the work, and fails to know an infinitude of useful stuff customers could be telling them. Think about how much more products can be improved, an iterated over time. Think about how much more genuine loyalty can be created and sustained with this kind of two-way system.

Then think how much companies can save by not constantly spying on customers, guessing about what they might want, spamming them with unwanted and unnecessary sales messages, maintaining systems try to relate but actually can’t, and herding customers into imaginary funnels that customers would loathe if they could see what’s going on.

It’s a lot.

So let’s start working on growing a sane world of business that’s based on market intelligence that flows both ways, instead of the surveillance-based guesswork and delusional imaginings of marketing that smokes its own exhaust. We can do it, privately, and at scale.

The first ancestor of this post appeared at ProjectVRM on 19 Apri 2014. It was updated a bit on 8 June 2017. The second one was posted here on Medium in 2016. With IEEE P7012, aka MyTerms nearing completion, there is a good chance we can make this dream come true in 2026.

We are excited to share that we are starting a new project in partnership with the Numun Fund to map organizations and community responses addressing technology-facilitated gender-based violence (TFGBV), specifically intimate partner violence (IPV) affecting girls, young women and LGBTIQ+ activists in the Majority World.

The post Help Us Map Responses to Tech-Facilitated Intimate Partner Violence Affecting Young Women and LGBTIQ+ Activists appeared first on The Engine Room.

We reconstruct memory through listening. Over the past three months, as we shared in April, we immersed ourselves with our ears wide open and a shared desire to explore a digital sound archive that began taking shape over 20 years ago.

The post Weaving Sound Memories: Exploration and Care of the Oír Más Archive appeared first on The Engine Room.

How are brands thinking about their supply chains five years after the COVID-19 crisis?

Companies are now leaning more heavily into innovation, from making their operations resilient to market changes to launching sustainability initiatives.

In this episode, Stephanie Mehta, CEO and Chief Content Officer at Mansueto Ventures, joins hosts Reid Jackson and Liz Sertl following her keynote at GS1 Connect. They discuss why the supply chain is now at the center of innovation and how companies can stay ahead of changes in the economy and evolving customer demands.

Drawing on her experience leading Fast Company and Inc., Stephanie shares how resilience, sustainability, and data-driven thinking are transforming the business landscape for companies of every size.

 

In this episode, you’ll learn:

How companies are using the supply chain to drive innovation and acceleration

Why executives are rethinking product packaging, automation, and logistics

The impact of data and social media on a company’s operations

 

Jump into the conversation:

(00:17) Introducing Next Level Supply Chain

(02:32) Stephanie Mehta’s journey from business journalist to CEO

(03:27) How GS1 US collaborates with media brands

(04:13) Reaching small businesses with supply chain storytelling

(05:41) What most people miss about barcodes

(07:35) Why innovation should not stop post-crisis

(08:23) How sustainability aligns with consumer demand

(11:16) Solving forecasting and inventory with better data

(12:05) The logistics of HP’s sustainability initiative

(15:56) Social media’s growing impact on supply chains

 

Connect with GS1 US:

Our website - www.gs1us.org

GS1 US on LinkedIn

 

Connect with the guest:

Stephanie Mehta on LinkedIn

Check out Mansueto Ventures

Through our Matchbox Program, we partner with civil society organizations to strengthen their work by harnessing the power of data and technology. Our recent partnership with Trans Youth Initiative-Uganda (TYI-Uganda) offers a lens into how collaborative platform development can respond to pressing social challenges while also building long-term  organizational capacity.

The post WHEN SAFETY IS POLITICAL: DIGITAL SOLUTIONS FOR TRANS YOUTH IN UGANDA appeared first on The Engine Room.

Microsoft has said that it’s ending support for passwords in its Authenticator app starting August 1, 2025.

Microsoft’s move is part of a much larger shift away from traditional password-based logins. The company said the changes are also meant to streamline autofill within its two-factor authentication (2FA) app, making the experience simpler and more secure.

Over the past few years, Microsoft has been pushing for a passwordless future using technologies like passkeys, Windows Hello, and FIDO2-based authentication. These methods offer better protection against phishing and password reuse, which are still major attack vectors. While it may feel like a hassle at first, this change is actually aimed at reducing your risk in the long run.

Invitation to comment on OpenDocument Version 1.4 before call for consent as OASIS Standard - ends September 7th

OASIS Members and other interested parties,

OASIS and the Open Document TC [1] are pleased to announce that Open Document Version 1.4 CS01 is now available for public review and comment.

The OpenDocument Format (ODF) is an open XML-based document file format for office applications to be used for documents containing text, spreadsheets, charts, and graphical elements. The file format makes transformations to other formats simply by leveraging and reusing existing standards wherever possible. As an open standard under the stewardship of OASIS, OpenDocument also creates the possibility for new types of applications and solutions to be developed other than traditional office productivity applications.

The TC received three Statements of Use from Microsoft, Allotropia Software GmbH, and The Document Foundation [3].

The candidate specification and related files are available here:

OpenDocument Version 1.4 
Part 1: Introduction
Committee Specification 01
2 August 2024
https://docs.oasis-open.org/office/OpenDocument/v1.4/cs01/part1-introduction/OpenDocument-v1.4-cs01-part1-introduction.odt(Authoritative)
https://docs.oasis-open.org/office/OpenDocument/v1.4/cs01/part1-introduction/OpenDocument-v1.4-cs01-part1-introduction.html
https://docs.oasis-open.org/office/OpenDocument/v1.4/cs01/part1-introduction/OpenDocument-v1.4-cs01-part1-introduction.pdf

OpenDocument Version 1.4 
Part 2: Packages
Committee Specification 01
2 August 2024
https://docs.oasis-open.org/office/OpenDocument/v1.4/cs01/part2-packages/OpenDocument-v1.4-cs01-part2-packages.odt(Authoritative)
https://docs.oasis-open.org/office/OpenDocument/v1.4/cs01/part2-packages/OpenDocument-v1.4-cs01-part2-packages.html
https://docs.oasis-open.org/office/OpenDocument/v1.4/cs01/part2-packages/OpenDocument-v1.4-cs01-part2-packages.pdf

OpenDocument Version 1.4
Part 3: OpenDocument Schema
Committee Specification 01
2 August 2024
https://docs.oasis-open.org/office/OpenDocument/v1.4/cs01/part3-schema/OpenDocument-v1.4-cs01-part3-schema.odt (Authoritative)
https://docs.oasis-open.org/office/OpenDocument/v1.4/cs01/part3-schema/OpenDocument-v1.4-cs01-part3-schema.html
https://docs.oasis-open.org/office/OpenDocument/v1.4/cs01/part3-schema/OpenDocument-v1.4-cs01-part3-schema.pdf

OpenDocument Version 1.4
Part 4: Recalculated Formula (OpenFormula) Format
Committee Specification 01
2 August 2024
https://docs.oasis-open.org/office/OpenDocument/v1.4/cs01/part4-formula/OpenDocument-v1.4-cs01-part4-formula.odt (Authoritative)
https://docs.oasis-open.org/office/OpenDocument/v1.4/cs01/part4-formula/OpenDocument-v1.4-cs01-part4-formula.html
https://docs.oasis-open.org/office/OpenDocument/v1.4/cs01/part4-formula/OpenDocument-v1.4-cs01-part4-formula.pdf
Schema files are located here.

For your convenience, OASIS provides a complete package of the prose specification and related files in a ZIP distribution file. You can download the ZIP file at: OpenDocument-v1.4-cs01.zip

Members of the Open Document TC approved this specification by Special Majority Vote [2]. The specification had been released for public review as required by the TC Process.

Public Review Period

The 60-day public review is now open and ends 7 September 2025 at 23:59 UTC.

This is an open invitation to comment. OASIS solicits feedback from potential users, developers and others, whether OASIS members or not, for the sake of improving the interoperability and quality of its technical work.

Comments may be submitted to the project by any person through the use of the project’s Comment Facility. Members of the TC should submit feedback directly to the TC’s members-only mailing list. All others should follow the instructions listed here.

All comments submitted to OASIS are subject to the OASIS Feedback License, which ensures that the feedback you provide carries the same obligations at least as the obligations of the TC members. In connection with this public review  we call your attention to the OASIS IPR Policy [4] applicable especially [5] to the work of this technical committee. All members of the TC should be familiar with this document, which may create obligations regarding the disclosure and availability of a member’s patent, copyright, trademark and license rights that read on an approved OASIS specification.

OASIS invites any persons who know of any such claims to disclose these if they may be essential to the implementation of the above specification, so that notice of them may be posted to the notice page for this TC’s work.

========== Additional references:

[1] OASIS Open Document TC

[2] Approval ballot

[3] Links to Statements of Use
Microsoft:
https://groups.oasis-open.org/discussion/statement-of-use-from-microsoft
Allotropia Software GmbH:
https://groups.oasis-open.org/discussion/statement-of-use-for-open-document-format-for-office-applications-opendocument-version-14-cs01
Document Foundation:
https://groups.oasis-open.org/discussion/fwd-statement-of-use-odf-14

[4] https://www.oasis-open.org/policies-guidelines/ipr/
https://www.oasis-open.org/committees/office/ipr.php

Intellectual Property Rights (IPR) Policy

The post Invitation to comment on OpenDocument Version 1.4 before call for consent as OASIS Standard – ends September 7th appeared first on OASIS Open.

On June 30th, Geneva became the stage for an informal event: the kick-off meeting of the DKMS Alliance. This gathering marks the official launch of a collaborative initiative poised to reshape digital trust infrastructure for the next generation.

At the time Geneva’s international traditions lead the city to host the Global Digital Conference 2025, the DKMS Alliance aims to bring now the open-source primitives enabling the digital authentication of tomorrow to the enterprises and organisations with the required support, maintance and stability they needs to build digital interoperable solutions at scale.

The DKMS Alliance — is a joint endeavor kicked off by Human Colossus Foundation, Vereign AG and argonAUTHs. Anchored in the architectural roots of KERI (Key Event Receipt Infrastructure), the Alliance unites deep technical expertise and strong operational capabilities to deliver to the world a new paradigm for secure, verifiable, and sovereign digital interactions.

A Shared Vision for Open and Secure Digital Infrastructure

The Alliance goal is to drive adoption, sustainability, and market readiness for digital infrastructure components that are open, secure, and industrial-grade. By combining the power of DKMS, a Rust implementation of KERI, and the Overlays Capture Architecture (OCA) into production-ready resources the Alliance provides its members the first movers advantage to develop enterprise applications that scales. The DKMS Alliance aims to become a community acting as a beacon of dynamic innovation and reliability to deploy resilient solutions build on top of a reliable digital trust infrastructure.

The DKMS Alliance represents today a powerful fusion of complementary strengths. From the Human Colossus Foundation’s pioneering work on the KERI protocol and in data semantics and governance to Vereign’s production deployments in secure communications and ArgonAUTHs’ cryptographic agility and verifiability at scale, the founding organizations bring together decades of experience in building trust frameworks, decentralized identity, secure communication, and verifiable data ecosystems.

Why Now?

In a world increasingly challenged by fragmented approaches to digital trust, vendor lock-in, and fragile ecosystems, the DKMS Alliance provides a unified, community-driven foundation. By offering stable APIs, modular architectures, and predictable release cycles, the Alliance ensures that the core infrastructure remains robust and future-proof.

The Alliance also emphasises transparent governance, which will be build with Alliance members. This commitment to openness and quality positions it to become the go-to stack for governments and enterprise innovators looking to implement decentralised trust layers.

The Kick-off: Setting the Stage for Collective Action

The Geneva meeting brought together a mix of technical leaders, strategists, funders and early adopters to align on shared goals, identify immediate priorities, and announced a roadmap for 2025 and beyond. It marked the transition from vision to execution. Focused action points emerged to accelerate engineering efforts, develop governance structures, and expand outreach to early members.

As an early member of the DKMS Alliance, organizations have the unique opportunity to influence the evolution of specifications and implementations, gain early access to deliverables, and secure premium support from the visionary leaders shaping tomorrow’s digital trust landscape.

Join Us on This Journey

The DKMS Alliance is more than just a technical project — it’s a call to collective stewardship of the global digital commons. By joining, organizations not only protect critical dependencies but also demonstrate leadership in privacy, security, and data sovereignty. As a renegade from the current mainstream, you become within your domain, the reputable authority of tomorrow’s digital architecture.

We invite you to become part of the transformative movement. Check our Prima Vista document on how you can join this journey. Together, we can build the resilient, trustworthy, and open digital infrastructure the world urgently needs.

Stay tuned — more information, updates, and opportunities to engage with the DKMS Alliance will be coming soon!

In the MyData Matters blog series, MyData members introduce innovative solutions that align with MyData principles, emphasising ethical data practices, user and business empowerment, and privacy. Every day, billions of […]

Play Video

Watch the full recording on YouTube.

Status: Verified by Presenter

Please note that ToIP used Google NotebookLM to generate the following content, which the presenter has verified.

Google NotebookLM Podcast

https://trustoverip.org/wp-content/uploads/ToIP-EGWG-2025-06-26_-Aakash-Guglani-Enhancing-Trust-using-Digital-Public-Infrastructure-DPI.wav

Here is a detailed briefing document reviewing the main themes and most important ideas or facts from the provided source, generated by Google’s NotebookLM:

Briefing Document: India’s Digital Public Infrastructure (DPI)

Date: June 26, 2025
Source: Excerpts from Trust over IP Ecosystems and Governance Working Group Meeting
Presenter: Aakash Guglani from the Digital India Foundation.
Topic: Enhancing Trust using Digital Public Infrastructure (DPI)
Excerpt: India’s Digital Public Infrastructure (DPI) and Unified Payment Interface (UPI) revolutionize financial inclusion, bringing over 500 million people into the digital economy. This open-source, mobile-first system builds trust and breaks traditional payment monopolies.

Executive Summary

This briefing document provides an overview of India’s Digital Public Infrastructure (DPI), focusing on its development, impact, and future direction as presented by Aakash Guglani from the Digital India Foundation. The DPI, particularly the Unified Payments Interface (UPI) and Aadhaar, has been instrumental in formalizing India’s economy, empowering its vast and diverse population, and challenging traditional payment monopolies. It represents a unique, policy-driven approach that blends public and private sector participation, aiming for broad inclusivity rather than just serving the affluent.

I. Core Philosophy and Context Addressing India’s Unique Challenges: India’s DPI was developed to address the needs of its “100 million plus” households, representing “500 million people” who were largely deprived and excluded from the burgeoning digital economy. Traditional private platforms primarily targeted the “top 1%,” while public approaches lacked state capacity and risked centralization. (00:07:39, 00:10:50) A “Digital Public Infrastructure” Approach: India adopted a “distro public infrastructure” model, which emphasizes diversity, choice, openness, and sovereignty. It’s a collaborative effort involving both public and private sectors. (00:11:08) Contrast with Other Models: Unlike purely private platforms or a “totally state-led model” like China’s, India’s DPI is designed to be a democratic solution. “We could not go with private platforms, and we never had the state capacity like China to go for a totally state-led model.” (00:09:30, 00:16:40) II. Key Components and Their Impact A. Aadhaar: Unique Digital Identity Foundation of DPI: Over the last 10 to 15 years, India has established “more than 1.3 billion Aadhaar,” a unique digital identity based on 10 biometrics (fingerprints and iris scan) for “99% of Indians.” (00:11:37, 00:11:50) Enabled EKYC: Aadhaar facilitated “EKYC (Know Your Customer),” drastically reducing the cost of customer acquisition for banks. The cost of KYC dropped from “$25 to $1.” (00:12:02, 00:21:16, 00:21:21) This cost reduction made it economically viable for banks, previously reluctant due to high offline verification costs, to open “zero-cost accounts” for the rural and unbanked population. (00:21:21, 00:21:29) Broad Financial Inclusion: This initiative, known as “JanDhan Yojna,” led to “more than 500 million people [having] bank accounts, which is totally zero cost.” (00:19:53, 00:21:10) B. Unified Payments Interface (UPI) Solution to Payment Friction: UPI addressed significant problems in India’s financial landscape, including limited digital transactions, high costs for credit card usage, reliance on paper receipts, and lack of “information collateral” for poor individuals seeking credit. (00:15:08, 00:16:56) Massive Adoption and Interoperability: As of March 2025, UPI recorded “more than 18 billion transactions.” (00:18:30) Over 200 banks are integrated, and it’s “totally interoperable.” A payment between a customer from Bank A and a merchant from Bank B takes “less than 10 seconds” via a QR code scan. (00:18:37, 00:18:42, 00:18:54) There is “no MDR (Merchant Discount Rate)” for most transactions, which incentivizes small vendors like vegetable sellers to adopt digital payments. (00:19:04, 00:19:15) “Every part of the country is using UPI,” demonstrating “deeper usage” even in poorer regions. (00:31:47, 00:31:52) Economic Empowerment: For retailers, UPI reduces the “cost of business” by allowing them to “service 3-4 people at a time” without handling cash and change. (00:29:21) It empowered women by ensuring that earnings from their stores went directly to their bank accounts, preventing misuse of physical cash. (00:30:13, 00:30:24) Challenging Global Monopolies: UPI has fundamentally reshaped the global payment landscape. It involves a diverse range of participants including “Visa, Mastercard, Google Pay, Phone Pay, American Express.” (00:33:45, 00:33:50) “It is not dominant by two major players,” effectively “break[ing] monopoly of private players.” (00:33:50, 00:33:58) UPI has “crossed the transaction volumes of Visa and Mastercard combined.” (00:34:14) “46% of real-time payments across the world happen out of India.” (00:34:21) Beyond the “Bottom of the Pyramid”: DPI, including UPI and EKYC, has also benefited the middle and upper-middle classes. The reduced KYC cost facilitated the opening of “more than 190 million DMAT accounts” (online stockbroking accounts) between 2016 and 2024, many for “first-time users.” (00:34:43, 00:35:08, 00:35:14, 00:35:52) This formalizes the economy and encourages savings. III. Enablers and Policy Framework Government Subsidies: An ongoing annual government subsidy of “$0.2 billion for MDR” (Merchant Discount Rate) for UPI usage is in place. This is viewed as an investment in “public railroad” or “public highway” infrastructure due to its immense “inclusion value.” (00:40:41, 00:40:54, 00:41:09) Agile Policy: The success of DPI is underpinned by “agile policies.” Examples include: The central bank’s allowance for EKYC (2012-2013). (00:45:04) An IT Act making “digital documents equivalent to offline documents” for digital locker services. (00:45:21) The RBI’s Digital Payments Committee recommending UPI. (00:45:49) Government procurement shifting to “totally digitally” platforms using UPI. (00:46:39) Leadership and Trust: The Prime Minister’s public use of UPI and foreign leaders using it in India “enhances trust in people,” creating a “virtuous cycle.” (00:47:01) Mobile-First, Low-Tech, Multilingual: The platforms are designed to be mobile-first, multilingual, and low-tech, supporting feature phones and even “offline availability.” (00:39:31, 00:39:38) Internet Penetration: Government efforts to provide “free internet” increased coverage from 25% to 48%, a “major contributor for UPI.” (00:33:11) Indigenous Development: All platforms are “indigenously made,” addressing specific Indian problems. (00:39:38) IV. Future Directions and Challenges Next Stage: Credit Enablement: With 500 million bank accounts and 1.2 billion digital identities, the focus shifts to empowering users by providing credit. (00:36:00, 00:36:26) Account Aggregator: A framework allowing individuals to consent to share their financial data between banks, mutual funds, insurance providers, etc., using the EKYC framework, to facilitate consumer and business loans. (00:36:41, 00:36:53) Open Credit Enablement Network (OCEN): This leverages the transaction data from informal vendors (e.g., vegetable sellers) who now have “information collateral” on their transaction frequency and average ticket size, making it “easier for banks to also financialize them.” (00:37:29, 00:37:35, 00:37:49) This moves DPI beyond just a base to “formalize the economy.” (00:37:49) Global Export of DPI: India aims to share its open-source DPI frameworks, including UPI APIs on GitHub, “freely to anyone around the world.” This includes cross-border payment solutions and sharing its vaccination system. (00:38:16, 00:38:34, 00:38:42) Future Open Data Platforms: The “India Stack was the beginning,” with future initiatives including digital commerce, online financial information sharing, online credit availability, digitization of health records, AI-based voice, and digital skills. (00:38:54, 00:39:04) Tech Sovereignty: India advocates for “tech sovereignty” to avoid reliance on foreign private entities that could “cut off my access” due to geopolitical tensions, as seen in the Russia-Ukraine war. The aim is to prevent private companies from engaging in “geopolitical positioning.” (00:48:14, 00:49:06, 00:49:32, 00:49:45) Fraud and Cybersecurity: With massive scale, the system faces “more than a million cyberattacks” annually, including those from state and non-state actors. (00:51:38, 00:51:49, 00:51:53) Common frauds include “digital arrest” scams using AI-based voice to demand UPI transfers. (00:53:00, 00:53:07) RBI is implementing measures like mandating brokers to use “authenticated UPI IDs,” displaying the recipient’s name before transfer, and nudging users not to pay while on a call. (00:55:54, 00:56:03, 00:56:10) The direct debit nature of UPI makes reversing fraudulent transactions difficult once money is transferred. (00:54:47) Ongoing efforts include public advisories and potential future escrow services. (00:53:23, 00:57:00) V. Conclusion

India’s DPI journey, marked by the success of Aadhaar and UPI, demonstrates a powerful model for digital inclusion and economic formalization in a democratic context. By leveraging agile policy-making, strategic government investment, and open-source technology, India has built a robust digital public good that empowers its citizens and offers significant lessons for the Global South. The ongoing challenge lies in mitigating fraud and expanding the system to foster greater financial empowerment through credit, while maintaining technological sovereignty.

For more details, including the slides,  meeting recording and transcript, please see our wiki 2025-06-26 Aakash Guglani & Enhancing Trust using Digital public Infrastructure (DPI) – Home – Confluence

https://www.linkedin.com/in/aakashguglani/ https://digitalindiafoundation.org/

The post ToIP EGWG 2025-06-26: Aakash Guglani, Enhancing Trust using Digital Public Infrastructure (DPI) appeared first on Trust Over IP.

We’re excited to announce that Human Colossus Foundation (HCF) will participate in GC25: Global Digital Collaboration on Wallets & Credentials, taking place on July 2, 2025. This important event, hosted by the Swiss Confederation, brings together leading organizations and innovators to shape the future of digital wallets, credentials, and interoperable identity systems.

At HCF, we believe that empowering individuals to control their own digital space is foundational to building a sustainable and trustworthy digital society. This vision is captured in our ongoing work around the concept of the Digital Self, as discussed in our blog post Self Actioning System, a preferred systematic embodiment of “Digital Self”. Central to this idea is the belief that enabling global digital collaboration can only emerge when individuals have sovereignty over their credentials and interactions.

HCF on Governance in Digital Trade

As part of GC25, HCF will also participate in the panel discussion "Governance in Digital Trade – Decentralization as Response to Challenges in a Multi-Polar World." moderated by Stephan Wolf from the Verifiable.Trade Foundation and including the Digital Governance Institute, FIWARE, and the Asia PKI Consortium, we will bring forward the necessity of a digital governance able to consider the sovreignty of peer-to-peer connections in a multi-polar world.

The world is changing rapidly, placing supply chains and financial systems under increasing pressure. In a multi-polar landscape shaped by shifting tariffs and transformative AI, flexibility and speed have become essential. Digitalisation and open networks provide a clear path to inclusive global market participation. However, governance remains a largely overlooked but crucial topic.

This session will explore current initiatives but also deal with challenging questions. By examining these questions from different perspectives, the panel aims to bridge public and private demand to address the complexities of modern global trade.

HCF will contribute its perspective on how decentralized governance models, such as those enabled by the Dynamic Data Economy, can empower organizations and individuals alike.

Digital Self: Enabling Individual Agency

The Digital Self represents a shift from centralized data control to individual empowerment, allowing each person to define, manage, and protect their digital identity and data assets. Events like GC25 are critical because they convene diverse stakeholders to co-create frameworks and standards that make this shift possible — from verifiable credentials to interoperable wallets.

Introducing the Dynamic Data Economy

HCF is contributing to this discussion through the introduction of the Dynamic Data Economy (DDE), a groundbreaking approach outlined in our launch announcement. The DDE offers an infrastructure where data is not merely a static asset but a dynamic, contextual element that individuals can control and share on their terms.

This model supports privacy, promotes innovation, and opens the door to new economic models centered around consent and transparency — all essential ingredients for a human-centric digital future.

Looking Ahead

Our participation in GC25 aligns with our mission to advance data governance standards that prioritize individual autonomy. By collaborating with global leaders at this event, we aim to further the conversation on building infrastructures that respect and reinforce the Digital Self.

We invite all who share this vision to join us in exploring how we can collectively build a more equitable, dynamic, and user-controlled digital ecosystem.

Stay tuned for more updates from GC25 and beyond!

Dashlane lets you open an account with a FIDO2-spec USB security key as your authentication.

One of the better-known password managers is now inviting people to try it without having to create yet another password. Instead, Dashlane is now inviting people to try opening a new account secured only by a USB security key compliant with the “FIDO2” authentication standard; FIDO being short for Fast Identity Online.

Emphasize “try.” The company’s support page for this “early access” program notes that it supports only Google Chrome and Microsoft Edge, not Dashlane’s mobile apps. For now, it doesn’t let you create an account secured only by a passkey, the form of FIDO2 security more people use. 

The page also highlights a warning that this is an early-days exercise: “Important: Accounts created as part of the early access program are for testing purposes only. We recommend using your primary Dashlane account to store and manage your data.”

For all of us who hate passwords, passkeys represent a simpler and safer way of authenticating online accounts. But adoption has been slow, with many companies and websites still relying on passwords. Now the world’s biggest social media platform is jumping on the bandwagon.

On Wednesday, Facebook announced that it’s now rolling out support for passkeys on mobile devices. This means you’ll be able to use one to sign in to Facebook on an iPhone or Android device. But the passkey won’t be limited to your actual Facebook account.

Andrew Shikiar, Executive Director and CEO of the FIDO Alliance, joins us to discuss the shift from passwords to passkeys and the role of FIDO in driving secure, passwordless authentication. He explores the challenges of adoption, the importance of identity verification, and how cross-platform interoperability is accelerating passkey use. The conversation also touches on the impact of generative AI on cybersecurity and what the future holds for passkeys in building long-term resilience.

Apple this week provided a glimpse into a feature that solves one of the biggest drawbacks of passkeys, the industry-wide standard for website and app authentication that isn’t susceptible to credential phishing and other attacks targeting passwords.

The import/export feature, which Apple demonstrated at this week’s Worldwide Developers Conference, will be available in the next major releases of iOS, macOS, iPadOS, and visionOS. It aims to solve one of the biggest shortcomings of passkeys as they have existed to date. Passkeys created on one operating system or credential manager are largely bound to those environments. A passkey created on a Mac, for instance, can sync easily enough with other Apple devices connected to the same iCloud account. Transferring them to a Windows device or even a dedicated credential manager installed on the same Apple device has been impossible.

Whitepaper on AI Supply Chain Risks and Agentic Systems Workstream Strengthen the Coalition's Impact on Secure AI Development

Boston, MA 26 June 2025 – The Coalition for Secure AI (CoSAI), an OASIS Open Project dedicated to advancing AI security, proudly welcomes Palo Alto Networks and Snyk as Premier Sponsors. Their commitment reinforces CoSAI’s rapidly expanding network of 45 partner organizations united in the mission to advance secure and trustworthy AI. This growth comes as CoSAI deepens its technical leadership with the release of a whitepaper focused on securing the AI software supply chain and the launch of a dedicated workstream on secure agentic system design, addressing the security implications of increasingly autonomous AI systems.

Expanding Industry Support

“Securing AI is one of the most urgent challenges facing the industry today,” said Sam Kaplan, Assistant General Counsel for Public Policy & Government Affairs, Palo Alto Networks. “By joining CoSAI, Palo Alto Networks is proud to support open collaboration that empowers developers to embed security from the start.”

Manoj Nair, Chief Innovation Officer, Snyk, added, “As AI transforms the cybersecurity landscape, proactive security standards are essential. Snyk is excited to contribute to CoSAI’s growing efforts to develop practical, open tools for safer AI adoption.”

Palo Alto Networks and Snyk join CoSAI’s distinguished group of Premier Sponsors – including EY, Google, IBM, Microsoft, NVIDIA, PayPal, Protect AI, Trend Micro, and Zscaler – united in accelerating the development of secure and responsible AI across industries.

New Landscape Paper: Addressing Security Risks in the AI Supply Chain

CoSAI’s first landscape paper, Establish Risks and Controls for the AI Supply Chain, explored further in our blog post, was developed through cross-sector collaboration to help teams integrate security at every stage of the AI system lifecycle, from design to deployment. Published by CoSAI’s Workstream 1: Software Supply Chain Security for AI Systems, the paper examines the unique supply chain security risks of AI systems, focusing on data, infrastructure, applications, and models, and highlights the need for specialized safeguards beyond traditional security practices. It also outlines key vulnerabilities, roles across stakeholder groups, and evaluates existing frameworks like SAIF, MITRE ATLAS, and OWASP AI Exchange to identify gaps and guide a more resilient, secure AI development lifecycle.

“This landscape paper is a significant step forward in AI security, offering comprehensive risk overview and practical protection strategies,” said Matt Maloney, Manager of Technical Staff at Cohere and CoSAI Workstream 1 Lead. “It’s an important resource mapping supply chain risks and highlighting where traditional controls fall short,” added Andre Elizondo, Principal Solutions Engineer at Wiz and CoSAI Workstream 1 Lead. Both emphasized the paper’s evolution alongside emerging AI agent technologies.

Introducing a New Workstream on Secure Agentic System Design

To address the growing need for secure-by-design approaches to autonomous AI, CoSAI has launched Workstream 4: Secure Design Patterns for Agentic Systems. This new track focuses on developing security models and architectural guidance for agentic systems, including updates to AI threat modeling, secure infrastructure design, and cross-system integration.

The addition of Workstream 4 complements CoSAI’s three existing workstreams:

Workstream 1: Software Supply Chain Security for AI Systems Workstream 2: Preparing Defenders for a Changing Cybersecurity Landscape Workstream 3: AI Security Risk Governance

“The launch of a workstream focused on Secure Agentic System Design reinforces CoSAI’s commitment to addressing the growing complexity of AI-driven autonomous systems,” said Workstream 4 Leads Sarah Novotny, Independent Consultant, and Ian Molloy, Department Head, Securing AI, IBM Research. “As agentic systems become more capable and pervasive, it becomes critical to ensure they are built on a foundation of security, transparency, and accountability.”

Get Involved 

CoSAI welcomes technical contributors, researchers, and organizations to participate in its open source community and support its ongoing work. OASIS welcomes additional sponsorship support from companies involved in this space. Contact join@oasis-open.org for more information.

Media Inquiries: communications@oasis-open.org

The post Coalition for Secure AI Welcomes Palo Alto Networks and Snyk, Advances AI Security with New Publication and Workstream appeared first on OASIS Open.

The FIDO Alliance hosted its annual India Working Group (FIWG) Member Meetup & Workshop on June 6, 2025, at Google’s Ananta campus in Bengaluru. With over 100 attendees representing leading technology companies, financial service providers, telecom operators, government agencies, retailers, and platform providers, the event served as an important forum for advancing phishing-resistant, passwordless authentication efforts in India.

The program began with welcome remarks from FIWG Chair Niharika Arora (Google) and Vice Chair Tapesh Bhatnagar (G+D), followed by a keynote address from FIDO Alliance President Sam Srinivas. Sam’s session offered a forward-looking overview of the global FIDO roadmap, covering recent progress in passkey adoption, certification, and platform interoperability, highlighted by many attendees as one of the most valuable sessions of the day.

Throughout the morning, FIWG member organizations shared implementation case studies drawn from real-world deployments. Christopher Clement Soris of Zoho Corporation presented lessons from integrating passkeys into enterprise workflows, emphasizing developer enablement and user trust. Vishu Gupta, Piyush Ranjan, and Deepak Singal of Times Internet shared insights into their journey deploying passkeys across consumer media platforms, with a focus on UX challenges and account recovery design. Shantanu Shirke of Mastercard showcased its Global Financial Framework (GFF) through a live demo of its FIDO-enabled authentication solution, and Simon Trac Do of VinCSS introduced applications of the FIDO Device Onboard (FDO) protocol for secure and scalable onboarding of IoT devices.

The Google Android and Chrome teams, including Niharika Arora, Eiji Kitamura, and Neelansh Sahai, provided updates on platform support for passkeys, highlighting recent enhancements to Android APIs, Chrome UX flows, and best practices for relying parties. These updates offered implementers concrete guidance on leveraging native OS features to enable seamless, secure sign-ins.

The event concluded with a panel discussion titled “Modern Authentication Meets Legacy Systems,” moderated by Niharika Arora and featuring Amit Mathur (Ensurity), Rooparsh Kalia (Mercari), Rahul Dani (Yubico), Tom Sheffield (Target), and Sam Srinivas (Google). The discussion addressed practical challenges in deploying FIDO-based authentication in environments with legacy infrastructure, including backward compatibility, account recovery, and risk trade-offs. Panelists shared candid reflections and emphasized the importance of phased integration strategies and cross-industry collaboration.

Compared to the 2024 edition, this year’s workshop reflected a clear evolution, from awareness-building to implementation maturity. While last year’s focus was largely on introducing the promise of passkeys and FIDO standards, the 2025 program emphasized operational insights, technical execution, and collaborative solutions.

[Watch the Highlight Video]

Through post-event surveys, participants expressed strong appreciation for the event’s practical focus, noting the value of detailed case studies, direct access to platform teams, and the opportunity to connect with peers tackling similar challenges. Many described the in-person format as especially effective for fostering shared understanding and building momentum.

As passkey adoption continues to accelerate across India, the India Working Group remains a vital platform for aligning implementation efforts, exchanging knowledge, and enabling long-term deployment success. Sincere thanks to all speakers, panelists, and attendees for their contributions, and to Google for hosting us in Bengaluru. We look forward to continuing this important work together throughout 2025 and beyond.
*Read last year’s recap: 2024 FIDO Alliance India Working Group Meetup and Workshop

The post South Florida Leaders Gather to Explore the Future of Learning, Hiring, and Innovation appeared first on Velocity.

Apple has announced significant enhancements to its operating systems that will implement secure import and export capabilities for passkeys, building on the company’s ongoing efforts to eliminate traditional passwords. The new features match standards developed by the FIDO Alliance for cross-platform credential management, joining similar initiatives from Microsoft and Google in the push toward passwordless authentication.

The new implementation will enable seamless and secure transfer of passkeys across platforms, addressing previous limitations in transferring credentials between devices and applications. The system uses a standardized data schema developed by the FIDO Alliance to ensure compatibility between different credential manager apps across iOS, iPadOS, macOS, and visionOS 26. The standardization is particularly significant as password-based attacks continue to rise, pushing the industry toward more secure authentication methods.

Passwordless authentication has picked up in recent years. But the method drawing the most interest in security circles is physical security keys based on the FIDO2 standard.

These USB or NFC keys offer something beyond the usual passwordless methods, like synced device passkeys or biometric logins. Here, you’re not relying on cloud-stored credentials or browser memory. Instead, everything depends on holding the key and verifying it with something only you know, like a PIN or fingerprint.

This shift to hardware security keys is gaining momentum across industries. Dashlane, for instance, has just rolled out an update that enables users to make a FIDO2 key their main passwordless login for unlocking credential vaults.

In this article, we explore where passwordless authentication stands today, what makes physical keys different, and how platforms are handling the hard parts like recovery, usability, and long-term security.

Confused by the new regulations and a patchwork of state-level policies?

With a new administration setting fresh policy priorities, supply chains are facing shifting rules and growing pressure to adapt.

Maggie Lyons, Vice President of Government and Regulatory Affairs at GS1 US, joins hosts Reid Jackson and Liz Sertl to decode the changes affecting how products are made, moved, and sold, and what businesses can do to stay ahead. From SNAP waivers and red dye bans to extended producer responsibility (EPR) laws and 2D barcodes, this episode breaks down how government decisions are impacting daily operations across food, retail, and consumer packaged goods (CPG).

Maggie’s team works with policymakers and industry leaders to align mandates with existing systems, helping avoid duplication and enabling efficient, standards-based implementation.

In this episode, you’ll learn:

How state-level regulation is influencing national supply chain strategies

Why new ingredient bans could create a ripple effect across CPG brands

What you can do to stay ahead of policy changes impacting your industry

Jump into the conversation:

(00:00) Introducing Next Level Supply Chain

(02:07) Why GS1 built a policy team

(04:02) From Capitol Hill to CPG strategy

(06:34) Staying focused amid constant regulatory shifts

(08:48) Government agencies shaping supply chain standards

(10:38) Customs, tariffs, and food assistance priorities

(14:59) How SNAP waivers complicate retail operations

(17:57) What red dye bans mean next

 

Connect with GS1 US:

Our website - www.gs1us.org

GS1 US on LinkedIn

 

Connect with the guest:

Maggie Lyons on LinkedIn

For modern IT or Internet users, logging in to a website or app using a password is all too familiar. Increasingly, however, passwords create security concerns as they can be easily cracked or stolen. This is where passwordless authentication provides a more secure and convenient alternative.

“Password fatigue is real. Users demand faster, frictionless ways to authenticate without remembering complex strings,” said Edwardcher Monreal, Principal Solutions Architect for IAM Consumer Authentication Solutions at HID.

Kia ora,

Matariki is a time for remembrance, celebration, and looking toward the future. Traditionally, Matariki was a time to honour ancestors, celebrate the harvest, and acknowledge the changing seasons.

Today, we stand at a pivotal moment where two transformative technologies – digital identity and artificial intelligence – are reshaping the fabric of society.  As the marginal cost of knowledge approaches zero, decentralised systems offer abundance creation through co-operation, as opposed to sticking with a more traditional scarcity-based approach. 

For DINZ members, the adoption playbook demands conscious choices: about focus, trade-offs, standards, and sovereignty. As local momentum builds around the world’s first decentralised credential identity ecosystem, the question is no longer whether disruption will occur – but how we collectively shape it, and who it serves. Perhaps Moby put it best in his 2002 song “We are all made of stars.”

It is hard to believe we are still using multi-password sign-on and facsimiles of identity proofs in an era where nearly everything we do is online. For those frustrated by the pace of change, it is important to remember we’re building a system for 30 years, of which the past five years has been very much design and build. The next five years will be about driving adoption.

With a tsunami of digital credentials hitting global markets, the race to be “first to issue” DISTF accredited credentials is on!  At the starting line are the DIA, NZTA, Air NZ, Hospitality NZ, alongside other go-to-market models such as Apple and Google’s online proxies.

Techweek Highlights

Those fortunate enough to attend Digital Public Infrastructure: The Invisible Foundation for NZ’s Digital Future in the General Assembly room in Parliament would have heard Minister Collins deliver the powerful message that “digital identity is the key to unlocking productivity in New Zealand.” 

The Minister’s call to action was compelling, raising the question of whether centralised apps are the answer for a citizen-centric experience at this particular technology inflection point still open for debate.

It is encouraging to see a shared understanding that the implementation of digital public infrastructure (DPI) will provide New Zealanders with an inclusive, future-ready trust layer that enhances privacy, security, provenance and fraud prevention, while preserving Aotearoa’s economic sovereignty. 

What’s more, an interoperable decentralised identity ecosystem will support the profound productivity improvements presented by hyperscale AI, without diminishing human agency by moving our data (and your soul) into someone else’s “cloud”.

Digital Trust Hui Taumata – Update

We have secured the world’s foremost native digital credential architect and builder James Monaghan to deliver the international keynote and host roundtable discussions at the Digital Trust Hui at Te Papa on 12 August, 2025.  

This must-attend identity conference promises to be more “Doey” than Hui. Our valued sponsors will showcase the most exciting identity projects in this space, and show how accelerating adoption of Trust Technology can help mitigate concerns around AI-related risks.

Roundtable discussions are currently being shaped around four key focus areas:

Regulatory barriers to change (public policy enablers such as omnibus bills to allow digital identity implementation) Identity for natural persons (early adopters, Privacy and taking control, proof of age, everyday applications, online verification, ID assurance hierarchy) Identity for legal entities (identity as a service, AML, license to operate, compliance, monitoring, directory enabled and real world asset marketplaces) Identity for machines (delegation, reputation, agents, bots, agentic commerce)

Assuming sufficient interest from government and industry sponsors, we plan to arrange an ecosystem design workshop with James Monaghan while he is in Wellington.

The Census Goes Digital: A Shift Towards Data-Driven Public Infrastructure

Stats NZ has officially retired the traditional census, opting instead for a new approach that leverages integrated administrative data. This marks a significant shift in how the government collects and uses trusted digital information – reinforcing the need for secure, privacy-preserving identity systems to ensure accuracy, inclusion, and transparency. It’s a timely reminder of the critical role digital identity plays in building smarter, citizen-centric public services. Read the full RNZ article.

Welcome to Our New Chair – Maria Robertson

Please join me in welcoming Maria Robertson as the new Chair of DINZ. You can read her introductory statement to the DINZ community on our website.

As we reset the DINZ playbook and hone our focus to accelerate adoption, Maria has already started to elevate our thinking thanks to her extensive experience across the public service, infrastructure and secondary industries.

Suffice to say, the first few weeks have been a baptism by fire, but I’m thoroughly enjoying being back in the identity services world at such a pivotal time. Your feedback is encouraged as we strive to fan the flames of adoption by issuers, holders and relying parties for the empowerment of all New Zealanders.

Mānawatia a Matariki,

Andy Higgs
Executive Director, Digital Identity NZ

Read full news here: Ready…Reset…Go!

SUBSCRIBE FOR MORE

The post Ready…Reset…Go! appeared first on Digital Identity New Zealand.

DIF Labs Beta Cohort 2 officially kicks off tomorrow, June 24th at 8 AM PST! This cohort brings together three projects that will advance privacy, legal frameworks, and governance in verifiable credentials.

Meet Our Beta Cohort 2 Projects Legally-Binding Proof of Personhood for Verifiable Credentials via QES

Led by Jon Bauer and Roberto Carvajal

This project creates a standardized method to anchor Verifiable Credentials to legally recognized, high-assurance proof of an individual's identity through Qualified Electronic Signatures (QES). By leveraging eIDAS-recognized QES technology, this work will enable any W3C Verifiable Credential to carry the same legal weight as a handwritten signature.

labs/proposals/beta-cohort-2-2025/legallybinding-vcs/legallybinding-vcs.md at main · decentralized-identity/labs An incubation chamber for Decentralized Identity focused development - decentralized-identity/labs GitHubdecentralized-identity Privacy-Preserving Revocation Mechanism

Led by Kai Otsuki and Ken Watanabe

This research project delivers an analysis of privacy-preserving revocation mechanisms for W3C Verifiable Credentials. The team will catalog real-world revocation scenarios, benchmark cryptographic mechanisms including status lists, dynamic accumulators, zk-SNARK proofs, and short-term credentials, and provide an open-source prototype evaluating computational costs for Issuers, Holders, and Verifiers.

labs/proposals/beta-cohort-2-2025/pp-revocation-mechanism/001_proposal.md at main · decentralized-identity/labs An incubation chamber for Decentralized Identity focused development - decentralized-identity/labs GitHubdecentralized-identity Anonymous Multi-Signature Verifiable Credentials

Led by Seohee Park and Lukas Han

This protocol enables Verifiable Credential issuance that requires m-of-n multi-signature approval while maintaining anonymity of individual signers. Using Semaphore, it enables decentralized governance for VC issuance in organizations such as DAOs or government agencies, cryptographically proving sufficient participation without revealing participating member identities.

labs/proposals/beta-cohort-2-2025/anon-multi-sig-vc/anon_multi_sig_vc_proposal.md at main · decentralized-identity/labs An incubation chamber for Decentralized Identity focused development - decentralized-identity/labs GitHubdecentralized-identity Gratitude to Our Leadership Team

We extend our thanks to our project leads who will be driving these initiatives forward. Their expertise is essential to advancing the state of verifiable credentials technology.

We're grateful to our mentors who share their knowledge and experience with our cohort participants. You can learn more about our mentor network in our directory.

Recognition goes to our chairs who provide strategic guidance and oversight:

Andor Kesselman Ankur Banerjee Daniel Thompson-Yvetot What's Next?

Tomorrow's kick-off session will bring together all participants to align on project goals, establish collaboration frameworks, and set the stage for three months of research and development. These projects address challenges in legal compliance, privacy preservation, and decentralized governance.

Stay tuned for updates as Beta Cohort 2 progresses.

DIF Labs continues to foster innovation in decentralized identity through collaborative research projects. Learn more about Lab's work at labs.identity.foundation.

As the new Chair of the Executive Council of Digital Identity NZ, I am looking forward to leading a passionate and future-focused community working to build a trusted, inclusive, and interoperable digital identity ecosystem for New Zealand, building on the impressive work the Executive Council has done over the past few years . 

With a background in executive leadership across public service and advisory roles I have advocated for and delivered the transformative potential of digital identity as public infrastructure. Whether enabling seamless access to services, supporting mobility and consent, or underlining trust in our digital economy, identity – in all of its forms – is foundational to a modern, resilient society. 

DINZ plays a crucial convening role across government, iwi, industry, and civil society. As Chair, my focus is to champion practical progress: supporting policy and technical frameworks that uphold te ao Māori perspectives on identity, ensuring identity solutions reflect the needs of all New Zealanders, and advocating for interoperability that positions us as globally connected and locally grounded.

Our mission is urgent and clear: to enable every person in Aotearoa to participate safely and confidently in the digital world. I look forward to working with all our members to realise that vision.

Maria Robertson.

The post Introductory Statement – Chair of the Executive Council, Digital Identity NZ appeared first on Digital Identity New Zealand.

Source: Original LF Decentralized Trust post

Wenjing Chu, Chair of the AI and Human Trust Working Group at Trust over IP, an LF Decentralized Trust project | Jun 12, 2025

In a world where AI can create photos, videos, and even voices that look and sound real, how do we know what to trust?

Every day, more content we see online is generated or altered by AI. That’s not always a bad thing. AI can help us create amazing art, get work done faster, or imagine new possibilities. But it also opens the door to misinformation, impersonation, and confusion. When anyone can create content that looks authentic, how do we tell what’s actually real?

To enhance human trust in AI systems and explore how AI itself can be used to address complex trust challenges in digital ecosystems, Trust over IP (ToIP), a project of LF Foundation Decentralized Trust, has launched a new AI and Human Trust (AIM) Working Group. It builds on the work done over the past three years by ToIP’s AIM task force.

The recently released white paper from the working group, ToIP Trust Spanning Protocol (TSP): Strengthening Trust in Human and AI Interactions, offers a way forward for building, maintaining and verifying interactions involving AI technologies. It brings together three powerful tools, the Trust Spanning Protocol (TSP)1, the C2PA Specification2, and the work of the Creator Assertion Working Group (CAWG)3, to build a system of authenticity for the digital world.

The key components include:

TSP (Trust Spanning Protocol) provides a strong foundation for online trust between people, platforms, and tools—making sure that when something claims to come from someone, it actually does. (The “Connector”) The C2PA Specification is a growing standard that helps attach a digital “nutrition label” to content—showing when it was made, how it was edited, and by what capture devices or software. (The “How” and the “What”) CAWG (Creator Assertion Working Group at DIF) focuses on making sure that individual and organizational content creators can identify themselves with their content and provide additional information for their audience to understand their content. (The “Who”)

Why do we need all three? Because content authenticity isn’t just about how something is created. It’s also about who made it, and how it gets communicated through public networks while retaining the integrity of actions made to it. C2PA gives us technical metadata about tools and edits. CAWG ensures the human creator is identified and attributed. And TSP makes the entire chain, from camera or AI tool to multiple individual human collaborators to final distribution platform, trustworthy at every step. Together, they provide a complete system covering creation, collaboration, and distribution.

All put together, these can help us answer the most important question about this digital artifact: Can I trust this?

This isn’t just a technical fix. It’s a new way to think about digital truth. And the paper lays out a path toward a future where users can more confidently trust the source and actions made to digital content in a way that’s accountable, verifiable, and respectful of creators.

Read the full white paper here.

We invite technologists, developers, artists, policy makers, and everyday internet users to take a look. It’s about restoring trust in a world where AI has blurred the lines of what is real and what is artificially generated.

1. Trust Spanning Protocol (TSP) is an ongoing work by Trust over IP (ToIP), a project of LFDT: https://trustoverip.github.io/tswg-tsp-specification
2. The C2PA Specification is an ongoing work by The Coalition for Content Provenance and Authenticity (C2PA): https://c2pa.org/specifications/specifications/2.2/index.html
3. The Creator Assertions Working Group (CAWG) is a joint effort by the Decentralized Identity Foundation (DIF) and ToIP. See https://cawg.io

__

Want to dive deeper into ToIP’s work on verifying authenticity? Check out this LF Decentralized Trust Webinar: Verifiable Authenticity—Answering the Threat of AI Deep Fakes

The post How Can We Trust What We See Online? Here’s One Way Forward appeared first on Trust Over IP.

On the ProjectVRM list, John Wunderlich shared a find that makes clear how advanced and widespread  AI-based shopping recommendation has gone so far (and not just with ChatGPT and Amazon). Here it is: Envisioning Recommendations on an LLM-Based Agent Platform: Can LLM-based agents take recommender systems to the next level?

It’s by Jizhi Zhang, Keqin Bao, Wenjie Wang, Yang Zhang, Wentao Shi, Wanhong Xu, Fuli Feng, and Tat-Seng Chua* and is published in the Artificial Intelligence and Machine Learning section of Research and Advances in Communications of the ACM. So it’s serious stuff.

Here’s one graphic from the piece, with its caption:

Illustration of the Rec4Agentverse. The left side depicts three roles in the RecAgentverse: the user, the Agent Recommender, and Item Agents, along with their interconnected relationships. In contrast to traditional recommender systems, the Rec4Agentverse has more intimate relationships among the three roles. For instance, there are multi-round interactions between 1) users and Item Agents and 2) the Agent Recommender and Item Agents. The right side demonstrates how the Agent Recommender can collaborate with Item Agents to affect the information flow of users and offer personalized information services.

With VRM, however, we need our own personal AI agents, and useful data that’s not limited to what’s gathered by surveillance (which we can assume is most if not all of the Information layer). So I started a conversation with ChatGPT. I’ll divide it into sections: Who wrote the CACM piece The state of recommendation science Who is working on personal AI How one can get started Forms of personal data to manage

There’s a lot here. The meat of it, for ProjectVRM purposes, starts in section 3. (The first two are more about what we’re up against.) Please read the whole thing and help us think through where to go with the challenge facing us. As we see in section 3, we do have some stuff on our side.

1. Who wrote the CACM piece Me: Can you tell me more about the authors here: https://cacm.acm.org/research/envisioning-recommendations-on-an-llm-based-agent-platform/? ChatGPT:

 Jizhi Zhang

Affiliation: University of Science and Technology of China (USTC), Data Science Lab (inferred from USTC page) cacm.acm.org+14data-science.ustc.edu.cn+14x.com+14.
Research Interests: Recommendation systems, LLM-based agent platforms, and interactive intelligent systems—his lead authorship and continued work on Prospect Personalized Recommendation on LLM-Based Agent Platform (arXiv Feb 2024) reinforce this arxiv.org.

 Keqin Bao, Wenjie Wang, Yang Zhang, Wentao Shi, Fuli Feng, Tat‑Seng Chua

Affiliations: While CACM doesn’t list this, Jizhi Zhang and Fuli Feng are part of USTC’s Data Science Lab; Tat‑Seng Chua is a distinguished researcher from the National University of Singapore known for multimedia and information retrieval.
Expertise: A mix of recommender system design, LLM-agent evaluation, multimedia analysis, and human-AI interaction—reflecting a blend of USTC’s strengths and CACM relevance data-science.ustc.edu.cn+8cacm.acm.org+8data-science.ustc.edu.cn+8linkedin.com+4arxiv.org+4researchgate.net+4.

 Wanhong Xu

Affiliation: USTC Data Science Lab (USTC LDS), contributor to the same article .
Role: Emerging researcher whose latest publication is this Rec4Agentverse article, indicating an early-career focus in LLM-based recommender systems linkedin.com+8data-science.ustc.edu.cn+8linkedin.com+8.

Broader Context & Contributions

The group operates at the intersection of Large Language Models, agent-oriented systems, and recommender systems, pioneering a Rec4Agentverse paradigm that treats LLM-powered agents as “recommendable” items collaborating with one another—an evolution of traditional recommendation frameworkscacm.acm.org+5cacm.acm.org+5cacm.acm.org+5.
Their work continues earlier research (e.g., Prospect Personalized Recommendation… in Feb 2024), solidifying their ongoing commitment to expanding intelligent, conversational recommendation platforms arxiv.org.

Why This Matters

Academic Thought Leadership: Jizhi Zhang and colleagues are pushing forward thinking about how recommendations can evolve when agents—not passive items—are central.
Institutional Backing: All deeply connected to USTC’s Data Science Lab, underscoring strong Chinese academic investment in AI-driven recommender innovation.
Collaborative Reach: Including scholars like Tat‑Seng Chua broadens the research to include international perspectives in multimedia and retrieval systems.

In summary: This team is a multidisciplinary cohort—centered at USTC with international collaboration—who are pioneering the idea that LLM agents can become interactive, dynamic items in recommender systems. Their work positions them at the forefront of intelligent agent systems and could reshape how platforms personalize experiences in the future.

If you’re curious about any individual’s past publications, citation impact, or related work (e.g., on Agent4Rec), I’d be happy to dive deeper!

 

3. The state of recommendation science

Me:

How large is the emerging science, within the AI field, of recommendations?

ChatGPT:

The science of recommendations, particularly within the AI field, is not just emerging—it’s a massive, rapidly evolving subfield that is both academically rich and commercially dominant. That said, it’s also entering a new phase, driven by the rise of large language models (LLMs), interactive agents, and multimodal platforms.

Academic Scope 1. Established Field: Recommender Systems

Recommender systems (RecSys) are a well-developed domain within AI and machine learning, with roots in the 1990s.
Annual conferences like:
ACM RecSys (since 2007)
SIGIR, KDD, WSDM, and NeurIPS regularly feature recommendation research.
Thousands of papers annually on topics like:
Collaborative filtering
Matrix/tensor factorization
Deep learning for recommendation
Fairness, transparency, and explainability in RecSys
Reinforcement learning and bandit algorithms for personalization

As of 2024, over 60,000 papers in academic databases (e.g., Google Scholar) are tagged or indexed under “recommender systems”.

Current Trends & Expanding Frontiers 2. LLMs + Recommendation = New Subfield

A major shift is underway: integrating Large Language Models (LLMs) into recommendation systems.
These go beyond “you may also like” to:
Use natural language context and dialogue
Generate explanations, not just rankings
Support conversational recommendation
Coordinate agent ecosystems, e.g., multi-agent reasoning environments

Example paradigms:

RecMind – reasoning-aware recommendation agents
Rec4Agentverse – treating agents as recommendable entities
ChatRecs – integrating LLMs into live user conversations

3. Multimodal & Multitask Integration

Systems increasingly blend text, image, video, behavior, and user feedback.
LLMs allow richer personalization using complex user intent derived from unstructured data.

4. Industry Investment

FAANG companies (especially YouTube, Netflix, Amazon, TikTok, and Spotify) base their core user experience on AI-driven recommendation.
Billions of dollars are spent optimizing:
Ranking quality
Engagement prediction
Real-time inference
Federated and privacy-preserving personalization

Estimate of Scope

Area

Estimate (2024–25)

Academic papers (RecSys + AI)

60,000+ overall; thousands per year

Top conferences with recommender tracks

20+ (ACM RecSys, SIGIR, KDD, NeurIPS, etc.)

Active researchers

Tens of thousands globally

Emerging subfields

LLM-based Rec, conversational Rec, agent-based Rec, explainable Rec

Industry scale

$10B+ annually invested in personalization tech

In Summary

The science of recommendation is:

Not new, but rapidly evolving
Core to AI applications, especially with LLMs and agents
One of the most commercially and socially impactful domains in modern AI
Growing into new subfields (e.g. Rec4Agentverse, LLM Rec, multi-agent Rec)

Let me know if you’d like a visual map of how the recommendation science ecosystem is structured—or who the top authors and institutions are in this space

3. Who is working on personal AI Me: And who, if anyone, is working to provide customers with their own personal AI tools: ones that work for them, to empower their own agency in the marketplace? By which I mean truly personal AI, and not the kind personalized by some external LLM (or similar) system. ChatGPT:

That’s an essential and forward-looking question—especially as most “AI for you” today really means “AI about you, for someone else.”

While Big Tech firms dominate personalized AI, a growing ecosystem is focused on truly personal AI—that is, AI you own, that works for you (not advertisers or platforms), and that enhances your agency in the marketplace and your life.

Here are the most notable people, projects, and initiatives advancing truly personal AI today:

1. Kwaai and pAI-OS (South Africa / Global)

Kwaai is building an open-source, user-sovereign personal AI OS called pAI-OS.
Designed to run locally or at user discretion, with full data ownership, modular agent systems, and plugin capability.
Aligns with IEEE P7012 (“MyTerms”) privacy standards (see below).
Actively exploring intentcasting, customer signaling, and VRM (Vendor Relationship Management).
Site: https://kwaai.ai

2. Indie AI and Personal Agent projects

Several smaller open-source initiatives are trying to build personal agent toolkits that you can host and configure:

Examples:

AutoGen Studio (Microsoft) – allows building agent workflows, some of which can be user-defined. But it’s not yet fully personal or private.
Langroid – open-source framework for local agent-based LLM systems. Designed for extensibility, can be made personal with effort.
OpenDevin, Superagent, Auto-GPT – can be self-hosted, though most are still tool-centric rather than user-centric.
Personal.ai – A commercial startup that says it is personal, but uses centralized storage and fine-tuning, so actual user control is limited.

 Reality check: Most of these still rely on external LLMs (like OpenAI or Anthropic), even if they claim to be “your AI”.

3. Solid Project (by Tim Berners-Lee)

While not AI per se, Solid is a decentralized identity and data storage architecture that allows individuals to store their own data in personal data pods.
AI tools can be layered on top to access only the data you choose to share.
Foundation for personal AI assistants that can work with your data, not on others’ clouds.
https://solidproject.org

4. IEEE P7012 – MyTerms

A standard being developed to flip the notice-and-consent regime—so individuals, not companies, dictate the terms of data use.
Backed by Customer Commons and designed to support intentcasting and personal marketplace signaling.
This enables a personal AI to serve as your agent, enforcing your terms and engaging the marketplace on your behalf.

5. Project VRM (Vendor Relationship Management)

Initiated by Doc Searls to empower customers with tools to manage vendors, not just the reverse.
Envisions personal tools (including AI) to:
Signal intent
Manage service contracts
Retain records of offers, purchases, warranties
Avoid manipulation, surveillance, and lock-in

Project VRM is not a software project per se, but a framework guiding developers to build personal tools that support individual autonomy.

6. Open-source LLM stacks for local use

Several local LLM projects can be combined with personal data layers to build truly personal AI:

LM Studio – runs local models on desktop
PrivateGPT – local inference + local documents
Ollama – macOS-native interface for fast-running models like LLaMA, Mistral
LangChain / LlamaIndex – frameworks for building RAG systems with local documents

These aren’t personal AI systems yet—but they are key ingredients.

Summary

Name / Project

What They Do

Status

Kwaai / pAI-OS

Open, personal AI OS and agent platform

Early but active

Solid

Personal data control layer

Stable; in use

IEEE P7012

Standards for user-enforced data terms

In development

Project VRM

Framework for tools that empower buyers

Thought leadership; toolkits emerging

Local AI frameworks

Tech foundations for personal AI

Available, DIY-friendly

The Gap

Despite this promising landscape, no major platform today delivers a fully integrated, easy-to-use personal AI that you own, configure, and direct—yet. But:

A personal AI revolution is underway, led by privacy advocates, open-source communities, and a few visionary developers—not Big Tech.

Would you like help putting together a DIY stack for your own personal AI toolkit based on this landscape?

Me: Can you name some of the people in the personal AI revolution, and tell me what that DIY stack would contain? ChatGPT:

Absolutely. Here’s a breakdown of key people involved in the personal AI movement, followed by a practical DIY stack you can start building today.

People Leading or Advancing the Personal AI Revolution

These individuals aren’t all working on the same projects, but they’re aligned in trying to build AI that’s owned, run, and controlled by the individual—not centralized platforms.

 Tim Berners-Lee

Project: Solid (stewarded by ODI, commercially implemented by companies including TBLs Inrupt)
Focus: Decentralized web and personal data ownership via data pods
Impact: Infrastructure for privacy-respecting personal AI agents
https://solidproject.org

 Doc Searls

Project: Project VRM, Customer Commons, IEEE P7012
Focus: Customer empowerment, intentcasting, reversing surveillance capitalism
Impact: Philosophy and standards for customer-directed personal AI
https://projectvrm.org

 Tawanda Kembo & Kwaai team

Project: pAI-OS (personal AI operating system)
Focus: Agent-centric open-source operating system for personal AI
Impact: One of the few efforts aiming to create a complete personal AI stack
https://kwaai.ai

 Simon Willison

Project: Datasette, open tools for data management
Focus: Personal data control, lightweight databases, LLM + local tooling
Impact: Key figure in the open data + local AI tooling space
https://simonwillison.net

 Brian Roemmele

Project: Multiplex (personal voice AI)
Focus: Voice-first personal assistants you run locally
Impact: Vocal advocate for true personal AI, often referencing “software you own”

A DIY Personal AI Stack (2025 Edition)

This stack assumes local-first, modular, privacy-respecting tools. You can mix and match based on your needs.

Core Components

Layer

Tools / Projects

Notes

1. OS Layer

Linux, pAI-OS (in dev)

Linux gives flexibility; pAI-OS aims to be a full personal AI OS

2. Local LLM Inference

Ollama, LM Studio, PrivateGPT, LocalAI

Run models like LLaMA 3, Mistral, Phi-3 entirely offline

3. Vector Database

Chroma, Weaviate, Milvus, or SQLite with FTS5

Store and retrieve embedded text data

4. Personal Indexing

LlamaIndex, LangChain, AutoGen, GPTPilot

Feed personal documents and data to your LLM

5. Personal Data Storage

Solid POD, Datasette, Obsidian

Your life’s data, structured and queryable

6. Personal Agent Framework

Superagent, CrewAI, Langroid, AutoGen

Design agents that act on your behalf, modular and scriptable

7. Front-end Interface

Gradio, Streamlit, Tauri app, Electron

Local GUI/UX to interact with your agent

8. Voice Interface (optional)

OpenVoice, Vosk, Whisper.cpp, Coqui TTS

Build voice-in/voice-out agent on your machine

Optional Add-ons

Offline search: Chat over your files, PDFs, photos, and emails with LlamaIndex + PrivateGPT
Calendar/notes: Sync with Obsidian or local markdown-based knowledge base
Browser agent: Auto-control browser via Puppeteer/Playwright for marketplace navigation

What’s Still Missing?

True personal OS integration (like what pAI-OS is trying to do)
Seamless data portability and contract enforcement (IEEE P7012 is working on it)
Trusted personal AI app ecosystem (some apps, like Beeper or Obsidian, are getting close)

Would you like a tailored recommendation for building a personal AI stack based on your technical skill level or use cases (e.g., journaling, research, negotiation, shopping, data querying)?

4. How can I get started? Me: Yes. My technical skill level is modest at best. I can write HTML and do very basic stuff in the command line. I have an extra laptop I can devote to solo work, and Ethernet to a 2.1GB/s symmetrical fiber connection to the Internet with no data limits. ChatGPT:

Great — with your setup (modest technical skills, spare laptop, blazing-fast fiber), you’re in an excellent position to begin building a practical personal AI system without diving too deep into complex dev work. Here’s a recommended stack tailored to your current skills and goals:

YOUR PERSONAL AI STARTER STACK (2025) 1. Platform Base

Use a Linux distribution designed for ease of use and AI tinkering:

Recommended: Pop!_OS or Ubuntu 24.04
Easy GUI, good hardware compatibility, lots of online support
Optional: Use your laptop in “air-gapped” mode for privacy and full local control

2. Run a Local LLM with LM Studio

LM Studio (macOS/Windows/Linux) lets you run LLaMA 3, Mistral, Phi-3, and others without coding.
Built-in UI — chat with models locally, no internet required after download.
You can download 7B or 13B models based on your hardware.
Best for: private journaling, summarizing files, answering questions.

 Why it’s ideal for you:

GUI-based
Just click and download models
No API keys or command-line needed once installed

3. Chat with Your Files (PrivateGPT / LlamaIndex)

PrivateGPT or GPTPilot can let you ask questions across PDFs, emails, and notes stored on your machine.
Start simple: drop files into a folder, let the AI index them.
Optionally install via Docker (one command), or use their prebuilt apps.

Use case:

“Summarize this research PDF”
“What did I write about project X last month?”
“Find the email where someone mentioned a refund”

4. Knowledge Base + Journaling with Obsidian

Obsidian = Markdown-based knowledge base.
Everything you write stays local.
You can point LM Studio to your notes to query your own memory.

Easy way to:

Keep private journals
Index your life
Ask your AI things like “What are my goals for June?”

5. Personal Data Management with Datasette

Datasette by Simon Willison lets you browse and query your own data with simple SQL and CSV files.
Feeds AI with structured personal info (purchases, inventory, plans, etc.)
You can install it with a single terminal command:
bash
CopyEdit
pip install datasette datasette serve your-data.db
datasette serve your-data.db

Combine with LM Studio to get responses like:

“What subscriptions do I need to cancel?”
“When did I last back up my photos?”

6. Optional: Browser Helper Agent (Local, Simple)

Use AutoBrowser or a simpler Puppeteer script to automate browsing tasks (like checking prices, news, account activity).
Start with prebuilt scripts. No coding needed if you copy/paste working examples.

7. Privacy Boosters

Run Tailscale or WireGuard to access your AI remotely if needed.
Use LocalAI or Ollama if you later want to run everything without GUI (more advanced).

Putting It All Together

Task

Tool

Chat privately with an AI

LM Studio

Summarize your own notes or PDFs

PrivateGPT or GPTPilot

Store and reflect on your life data

Obsidian, Datasette

Manage subscriptions and tasks

Datasette + Chat

Ask about your files or history

LlamaIndex or GPT over Obsidian notes

Use voice later (optional)

Whisper.cpp, OpenVoice (easy tools)

Next Steps (in plain order)

Install Pop!_OS or Ubuntu on your spare laptop
Install LM Studio and download a 7B model like Mistral or LLaMA 3
Start using it to answer personal questions and summarize documents
Add Obsidian to start journaling and reflecting
Try PrivateGPT or Datasette to search your past or track your life

Would you like a checklist or an install script to get started with this stack? I can also help you set up a file structure to begin tracking and querying your own data.

5. Forms of personal data to manage Me: The personal data I need to manage are health records (from 20-plus providers), financial records (fewer than health), travel records (including the kind kept by apps that watch my movements), subscriptions and other recurring payments, shows I have watched and on what channels or services (data gathered by my Samsung and Roku TVs and presumably shared with others but to which I don’t yet have access), continuing work and work history with various clients and employers, contacts, archival and current calendars, real estate, personal items bought or acquired from various sources and where they are kept or stored, and business dealings. What would be the file structure for all that, and how would I manage it? Note that I am not talking about shopping yet; that’s a separate concern. ChatGPT:

Thanks for the detailed breakdown — you’re describing the foundation of a true personal data architecture: structured, queryable, and under your control. Let’s build you a file structure and management strategy that matches your needs without overcomplicating the tech.

Recommended Top-Level Folder Structure

This folder structure is designed to be future-proof, machine-readable, and human-usable. Use plain folders, CSV/JSON/Markdown files, and optional SQLite databases to store structured data. You can later layer tools (like LLMs or Datasette) on top.

markdown CopyEdit /PersonalAI_Data
│
├── Health/
│ ├── Providers/
│ ├── Visits/
│ ├── Prescriptions/
│ ├── Labs_Imaging/
│ └── Insurance_Claims/
│
├── Finance/
│ ├── Bank_Accounts/
│ ├── Credit_Cards/
│ ├── Investments/
│ └── Taxes/
│
├── Travel/
│ ├── Trips/
│ ├── Locations_History/
│ └── Maps_GPX_KML/
│
├── Subscriptions/
│ ├── Streaming/
│ ├── News_Publications/
│ ├── Software_Tools/
│ └── Utilities_Bills/
│
├── Media_Viewed/
│ ├── TV_Shows/
│ ├── Movies/
│ ├── Channels_Services/
│ └── Watch_History.csv
│
├── Work/
│ ├── Employers/
│ ├── Clients/
│ ├── Projects/
│ └── Timesheets_Invoices/
│
├── Contacts/
│ └── contacts.csv
│
├── Calendar/
│ ├── Archive_ICS/
│ ├── Current_ICS/
│ └── Events_Tags.csv
│
├── Real_Estate/
│ ├── Properties_Owned/
│ ├── Rentals/
│ └── Maintenance_Records/
│
├── Personal_Items/
│ ├── Furniture/
│ ├── Electronics/
│ ├── Art_Collectibles/
│ └── Inventory.csv
│
└── Business/
├── Deals/
├── Agreements/
├── Partners/
└── Notes/
Strategy for Managing It All 1. Use Consistent File Types Data Type File Format Structured entries .csv, .json, .sqlite Notes or logs .md (markdown) Documents .pdf, .docx, .txt Images/attachments store in attachments/ subfolder per topic 2. Naming Conventions (Machine + Human Friendly)

Use ISO-like formats to make things sortable and parseable:

yaml CopyEdit 2024-06-16_labresults_providerX.csv
2023_Q4_taxes_federal.pdf
clientA_2022-11_contract.pdf 3. Data Capture Tools

You don’t need to build it all manually:

Use Obsidian for ongoing notes (e.g. travel journal, work logs)

Use Paperless-ngx (optional) to OCR and tag your scanned PDFs (health, finance)

Use GPS History Export from Google and Apple for travel/locations

Use email filters or Zapier to auto-download bills, statements, confirmations

4. Querying and Reviewing

Add one or more of these later:

Datasette → browse and search CSVs/SQLite locally

LM Studio + PrivateGPT → ask, “When did I last visit Dr. Chen?” or “What devices are in storage?”

LlamaIndex → index your file tree and let AI search/summarize it

Summary of Benefits Goal This Setup Delivers Total local control You decide access, storage, retention Future AI-readiness Structured enough for agents to use Easy to back up Plain files, portable databases Modular growth Start simple, layer in AI when ready

Would you like me to generate a starter template with folder structure and some CSV/Markdown file formats filled in with mock data for each domain? That way you can load it directly into your system and start customizing.

Me again:

That’s it for now.

What should my next request be, or what other direction would you like me (or us) to take this? Or, what are the learnings we have so far in this field that barely exists? Oh, and excuse whatever inaccuracies ChatGPT may have floated above. Or give me fixes. Thanks. *The links are mine and based on searches for those names. I might have some of them wrong, however, since searches for those names bring up many scholars with the same names. And, while each name had a link, they all went to an author archive page that was absent (with one exception) of other contributions to the publication.

We’re introducing passkeys on Facebook for mobile devices, offering another tool to safeguard your privacy and security. Passkeys are a new way to verify your identity and log in to your account that’s easier and more secure than traditional passwords. 

Passkeys will soon be available on iOS and Android mobile devices for Facebook, and we will begin rolling out passkeys to Messenger in the coming months. The same passkey you set up for Facebook will also work on Messenger once this capability launches. 

FIDO Alliance’s flagship event features an expanded agenda to deliver practical strategies for implementing usable, phishing-resistant security across the entire account lifecycle.  Super Early Bird discounts are available through June 20.

Carlsbad, Calif., June 18, 2025 – The FIDO Alliance has announced the agenda for Authenticate 2025, the only industry conference dedicated to digital identity and authentication with a focus on phishing-resistant sign-ins with passkeys. The event will take place October 13–15, 2025 at the Omni La Costa Resort and Spa in Carlsbad, Calif., with options for virtual participation available.

The focus of the program for the Authenticate 2025 conference is achieving phishing-resistant authentication with passkeys and the adjacent considerations required to achieve end-to-end account security with usability in mind.

Visit https://authenticatecon.com/event/authenticate-2025/ to view the full session guide and register ahead of the June 20th Super Early Bird deadline.

Authenticate is built for CISOs, security strategists, enterprise architects, product leaders, UX professionals, and anyone engaged in the identity lifecycle from strategy to implementation. Attendees will gain practical knowledge around deploying phishing-resistant authentication at scale, designing secure user experiences, understanding complementary technologies, and navigating policy and compliance requirements. 

This year’s event will showcase keynotes and sessions led by top executives and industry leaders at the forefront of the passwordless movement. The agenda for 2025 has been revamped to include: longer track sessions for more in-depth presentations, an increased focus on masterclasses for actionable synced and device-bound passkey implementation best practices, and a new solutions theater track to showcase live demonstrations of the latest identity and authentication solutions. This year’s agenda also features more opportunities for networking and exploration of the interactive expo hall to foster collaboration and idea sharing.

With four dynamic stages across four curated content tracks,  Authenticate 2025 will offer sessions on: 

Account onboarding Remote identity verification and proofing Authorization Biometrics Session security Device onboarding and authentication Cybersecurity/fraud threats and detection Digital identity/digital wallets The future of digital identity and authentication

Sponsorship Opportunities Available
Authenticate 2025 offers unique sponsorship opportunities for companies to showcase solutions to an engaged, decision-making audience. With limited availability remaining, prospective sponsors can learn more and apply at https://authenticatecon.com/sponsors/ or contact authenticate@fidoalliance.org. 

About Authenticate 

Authenticate is the premier conference dedicated to advancing digital identity and authentication, with an emphasis on phishing-resistant sign-ins using passkeys. Hosted by the FIDO Alliance, this event brings together CISOs, security strategists, product managers and identity architects to explore best practices, technical insights and real-world case studies in modern authentication. The 2025 conference will take place from October 13-15 at the Omni La Costa Resort & Spa in Carlsbad, California, and will be co-located with the FIDO Alliance member plenary sessions, which run through October 16. 

Authenticate is hosted by the FIDO Alliance, the cross-industry consortium providing standards, certifications and market adoption programs to accelerate utilization of simpler, stronger authentication with innovations, like passkeys. Signature sponsors for Authenticate 2025 are Google, Microsoft, Visa, and Yubico.

To learn more and register, visit https://authenticatecon.com/event/authenticate-2025/, and follow @AuthenticateCon on X. Register now and get the super early bird discount through June 20, 2025.

Authenticate Contact
authenticate@fidoalliance.org

PR Contact
press@fidoalliance.org

v1.1 of the 3 specifications includes one powerful new moving part

As CAWG activity picks up steam at DIF, there are a few details the rest of DIF and the broader community of decentralizers might want to be tracking:

The specification includes a powerful new indirection called an Identity Aggregator, which designates an external authority to translate a long-lived identifier embedded in signed credentials (at time of publication) to one or more identifiers with local significance anywhere an asset is used (at time of republication or consumption). Industry-specific identifier schemes are being researched by a distinct task force within the group for prototyping and getting adoption in media verticals. Registering/organizing external metadata standards and DID interop are on-going discussions. Wait, what Working Group is this?

If you're following from a distance, you have a vague sense that CAWG is a DIF working group doing something-something C2PA. If that distance is a long distance, you might know C2PA is a big-name, media-authenticity initiative with many mega-corporations signed on. The reality is actually more decentralized than meets the eye: CAWG is specifying open-world extension points that use Verifiable Credentials to let all kinds of claims and all kinds of actors embed metadata and rights declarations in C2PA documents, not just the big boys.

As the name would imply, "creators" is a capacious term which includes influencers, independents, rights-holders unions, creative agencies, freelancers, and even anonymous social media microcelebrities alike. The extension points and interoperability mechanisms this group is working on bring verifiability at various scales at once, and to various kinds of ecosystems and markets. The "Assertions" that these creators are inserting into signed C2PA manifests embedded in professional media assets are the open-world extension point that let C2PA manifests contain arbitrary metadata (treated in a separate specification being iterated by the group), arbitrary trust signals, and arbitrary attached credentials.

Enter the Aggregator

The Identity Claims Aggregator (often referred to as "aggregator" in the group) names a piece of software (which can be internal or external to an authoring tool) that tracks multiple identifiers enabling verifiable credentials (issued against them) to be inserted meaningfully. It also witnesses proofs of (and later attests to) control of many kinds of external identifiers, and generally organizes the chaos of the world's many overlapping identifier schemes and attestation formats. To the outside observer, this might seem a very complicated translation mechanism, but to the decentralized identity veteran, this is a familiar necessity. Every verifiable credential scheme eventually needs this kind of translator/aggregator role, if it is to be an open system or even if it is "only" going to federate across the tech stacks of multiple existing systems.

Taken from section 8.1.1.2 of the v1.1 Identity Assertion specification

The conversation so far in the working group has been working its way from the general to the concrete: do aggregators only aggregate identifiers and information sources known at the time of authoring/inserting, or can an aggregator add on new attestations at a later time? Must aggregators limit themselves to public identifiers, or can they use an internal/aggregator-specific one? Can an aggregator host a live API for post-facto information to be passed out-of-band, like additional credentials or updated credentials? How tightly, if at all, should this group specify such an API, if so? These are the high-level questions being debated on the back-burner of CAWG meetings this summer.

The Aggregator-Indirection Question

Zooming in a little more, there are further questions being tackled. Aggregators model a great happy-path solution for embedding declarations and strong identifications into each asset, but what about the many unhappy paths? For example, what if a creator’s assertions are scattered across many identifiers and credential types, and embedding those assertions requires all kinds translations and metadata to be legible? What if identifiers change, or new assertions become relevant after publishing– can “placeholder” or indirection identifiers be used to query data sources that continue receiving assertions after publication? Can an indirection or service be used to display more or less assertions depending on audience, or changeable-over-time consent policies? Can assertions and identities be “self-custodied”? What is the “account recovery” story for these increasingly complex use-cases?

While adding the aggregator was the biggest change in v1.1, it will be a long while until the exact scope and limits of this role are decided. It may well be that some advanced features get postponed to a later stage in the roadmap, because of the sheer complexity they entail, but it will definitely be an ongoing topic simmering in the background whenever smaller debates come up.

Separate Work Stream: Industry-Specific Identifiers

In parallel, a subgroup is meeting separately to research and sanity-check the integration of major media-industry identifier schemes and metadata schemes, looking for interop corner-cases and relevant prior art.

Interested parties are encouraged to pop into the subgroup's github issues and meetings if they are working on (or just curious about, or experienced with) industry associations and media archiving best practices. The usual IP caveats apply: if joining a live call as a non-DIF member or commenting on github issues, refrain from going into concrete detail on anything "patentable" like implementation details or solutions.

Other Big Questions between V1.1 and v2.0

These advanced features of the aggregator aren’t the only big questions that we can expect to simmer and percolate across the next few "minor versions". Additionally, the interop issues around existing metadata standards (not just major W3C standards, but real-world ones from industry and library sciences) are potentially inexhaustible, as the group's Metadata specification gives scaffolding for inserting any structured metadata into assertions.

A slightly less vast but still very open-ended interoperability question is which DID methods to recommend or even require of all implementers, and how to manage or triage the remainder of the list of possible current (and future!) DID methods. Intersecting with the ongoing work of the DID Method Standardization Working Group, and older efforts like DID Traits to define equivalence or translatability between DID methods with similar architectures, semantics and guarantees, there is something of a simmering backlog-debate about which forms of DID make how much sense for the CAWG use-cases.

Of course, the evaluation of DID methods for these tiered-accreditation and decentralized reputation use-cases necessarily includes more than just technical analysis; legal and business readiness factor in as well, including competitiveness and market health/structure considerations to keep media authenticity from being a perk in closed ecosystems. Luckily, the new co-chair Scott Perry brings much experience and open lines of dialogue with multiple working groups at the Trust-over-IP Foundation which work on exactly these aspects of DID technology and business processes. In particular, agentic identity is a topic that ToIP generally, and Scott specifically, are bringing into the scope of the WG, so keep an eye out for issues and PRs along those lines in the coming months as well.

Google is making its biggest security push yet. The company strongly urges its 2 billion Gmail users to switch passwords to passkeys. While not mandating immediate changes, Google has made passkeys the default authentication method. They’ve also set a hard deadline for third-party apps. The FBI reported cyber attacks jumped 33% last year. Those attacks cost over $16 billion in damages. Google’s response shows how seriously Big Tech is taking the password problem affecting every internet user.

A values-based list of barriers faced by 14–19 year olds in the UK

In this post, we continuing to share outputs from a project we’re working with the Responsible Innovation Centre for Public Media Futures (RIC), hosted by the BBC. We’ve already published:

What does AI Literacy look like for young people aged 14–19? What makes for a good AI Literacy framework? Core Values for AI Literacy AI Literacy or AI Literacies? Image CC BY-ND Visual Thinkery for WAO

This project has involved both desk research and input from experts in the form of a survey, individual interviews, and a roundtable which we hosted a couple of weeks ago. One area we wanted to ensure we understood were gaps in existing provision around AI Literacies for young people.

The gaps we identified were focused on the 14–19 age range in the UK, with a long list of areas with many themes. We have organised and summarised these around the core values identified in a previous post.

The gaps reflect a pattern seen across education, media, and wider society: provision is uneven. It is often shaped by short-term thinking and competing interests. Overall, it is limited by a lack of clear leadership or coordination.

Unfortunately, many interventions around AI Literacies are focused on technical skills or compliance. These do not connect with young people’s real interests or lived experiences, nor do they address the deeper ethical, social, and cultural questions raised by AI.

As a result of this, many learners — especially those already facing disadvantage — are left with fragmented support and few opportunities to develop genuine agency or critical judgement.

Human Agency and Informed Participation Lack of systemic, rights-based frameworks: There is little structured provision to help young people shape, question, or influence AI, with most education focused on adapting to technology rather than encouraging agency or clarifying institutional responsibilities. Dominance of industry narratives: Commercial interests and tech industry funding often drive the agenda, narrowing the conversation and limiting opportunities for young people to challenge prevailing narratives or understand the political dimensions of AI. Insufficient progression and curriculum integration: There is no standardised, dynamic curriculum or progression framework for AI Literacies, especially for post-16 learners, and limited integration across subjects beyond computing or digital studies. Teacher confidence and support gaps: Many teachers lack confidence, training, and adaptable resources to support the development of AI Literacies, resulting in inconsistent, sometimes contradictory, messaging and limited support for critical engagement. Disconnect between knowledge and action: Awareness of AI bias, manipulation, or power structures does not reliably translate into agency or behavioural change, with motivation and broader social context often overlooked. Equity, Diversity, and Inclusion Persistent digital and social divides: Access to tools and resources to develop AI Literacies is highly unequal, shaped by school policies, family resources, and broader digital divides, with privileged students often able to bypass restrictions. Lack of cultural and global adaptation: Most resources are developed in the global north and do not reflect the needs or realities of diverse cultural, socioeconomic, or linguistic backgrounds, including those from in the global south. Barriers for marginalised groups: AI tools and resources can disadvantage non-native English speakers, students with disabilities, and those with limited digital access, reinforcing existing inequalities. Neglect of visual and multimodal literacy: There is insufficient focus on images, deepfakes, and multimodal content, despite their growing importance for misinformation and manipulation. Resource design and authenticity: Overly polished, anthropomorphised, or inaccessible resources can alienate young people; there is a need to co-design authentic, relatable, and context-driven materials that reflect lived experiences with young people from a range of background Creativity, Participation, and Lifelong Learning Short-termism and lack of sustainability: Funding and interventions are often short-lived, with little focus on long-term, joined-up strategies or progression frameworks. Imbalance between creativity and consumption: Most young people are consumers, not creators, of AI content; there is insufficient emphasis on participatory, creative, and hands-on engagement with AI. Restrictive and risk-averse policies: Overly strict barriers on access to AI tools in schools can limit meaningful learning opportunities and create anxiety or underground use. Missed opportunities for experiential and peer learning: There is underuse of hands-on, constructionist, and peer-led approaches, which are effective for this age group and for a rapidly evolving field like AI. Failure to address entrenched digital habits: Many interventions come too late to shift established digital habits; young people may have high digital skill but lack guidance on purposeful, critical, or participatory use. Critical Thinking and Responsible Use Overemphasis on technical skills: Current provision is skewed towards prompt engineering and functional tool use, with insufficient attention to understanding different kinds of AI, ethical reasoning, systemic impacts, and critical engagement. Insufficient ethical, environmental, and societal focus: Real-world harms, environmental costs, and the broader impact of AI are rarely discussed, leaving gaps in understanding responsible use. Media and information literacy gaps: Algorithmic and data literacy gaps: Young people struggle to understand how data shapes AI outputs, how to assess real versus fake (including deepfakes), and how to evaluate, challenge or seek redress for algorithmic decisions or AI-generated content. Anthropomorphism and mental models: Many young people, particularly younger teens, misattribute human-like qualities to AI, affecting their critical judgement and ability to interrogate outputs. Lack of robust assessment and evidence: There is a shortage of baseline data on AI literacy levels and limited frameworks for evaluating the effectiveness and impact of interventions, especially in terms of behavioural change. Upholding Human Rights and Wellbeing Disconnection from youth interests and lived experience: AI Literacy resources often fail to connect to young people’s real interests (creativity, sports, mental health), focusing instead on employability or compliance. Socio-emotional and privacy risks: Young people may use AI for companionship or advice, sharing sensitive information without understanding privacy or data risks; frameworks rarely address identity, trust, or changing markers of adulthood. Confusion and inconsistency in terminology: There is no consensus on what “AI literacy” means, and inconsistent definitions can intimidate learners or place excessive responsibility on individuals. Unclear responsibility and leadership: It remains unclear who should lead on the development of AI Literacies. Schools, parents, government, industry, and third sector bodies all have a role to play, but the current situation leads to fragmented provision and a lack of accountability. Neglect of digital relationships and boundaries: The role of AI as an “invisible third party” in relationships, and the shifting boundaries of privacy and identity, are rarely addressed in current resources. Next up

We’re still finalising our framework for AI Literacies and will be sharing it soon. Meanwhile, you can follow our work on this topic so far at https://ailiteracy.fyi.

Please do get in touch if you have projects and programmes that can benefit from our experience and expertise in education and technology!

Acknowledgements

The following people have willingly given up their time to provide invaluable input to this project:

Jonathan Baggaley, Prof Maha Bali, Dr Helen Beetham, Dr Miles Berry, Prof. Oli Buckley, Prof. Geoff Cox​, Dr Rob Farrow, Natalie Foos, Leon Furze, Ben Garside, Dr Daniel Gooch, Dr Brenna Clarke Gray, Dr Angela Gunder, Katie Heard, Prof. Wayne Holmes, Sarah Horrocks, Barry Joseph, Al Kingsley MBE, Dr Joe Lindley, Prof. Sonia Livingstone, Chris Loveday, Prof. Ewa Luger, Cliff Manning, Dr Konstantina Martzoukou, Prof. Julian McDougall, Prof. Gina Neff, Dr Nicola Pallitt, Rik Panganiban, Dr Gianfranco Polizzi, Dr Francine Ryan, Renate Samson, Anne-Marie Scott, Dr Cat Scutt MBE, Dr Sue Sentance, Vicki Shotbolt, Bill Thompson, Christian Turton, Dr Marc Watkins, Audrey Watters, Prof. Simeon Yates, Rebecca Yeager

At Global Digital Collaboration on July 2nd, a full day of sessions co-curated by DIDAS and partners will address how privacy-enhancing technologies (PETs) and trustworthy governance models can become core enablers of digital trust across sectors and jurisdictions.

The day begins with a high-level update session featuring SPRIND, Google, EPFL, Johannes Kepler University, and others. It will explore the current maturity, post-quantum readiness, and practical deployment of PETs such as BBS+, SD-JWT, and ZK-mDoc. The session aims to establish shared terminology and frameworks for unlinkability and selective disclosure across global credential ecosystems.

In parallel, the e-democracy workshop series (Part 1 & 2), led by the Center for Digital Trust (C4DT) at EPFL, DIDAS, the Human Colossus Foundation, and other civil society actors, will explore how digital services like e-ID and e-collecting e-voting and related challenges which must be redesigned for resilience to protect public trust, prevent fraud, and ensure accountability. The sessions aim to define foundational principles for a trustworthy digital democracy, co-created by experts in law, governance, cryptography, and policy.

Running alongside, a collaborative mapping session by Johannes Kepler University, Orange, Ethereum researchers, DIDAS, EUDI and other Global Ecosystems and pilot teams are invited to identify and classify global use cases where PETs-particularly zero-knowledge proofs-are essential. The session will help align performance and privacy requirements across deployment contexts, feeding into implementation roadmaps and standards discussions.

In the afternoon, a deep dive on unlinkability will be led by experts from Google, SPRIND, EPFL and the Linux Foundation’s decentralized trust initiatives. This session will focus on the risks of issuer–relying party collusion in credential ecosystems, and why unlinkability is non-negotiable for use cases like transport and location-sensitive infrastructure.

Later, a technically grounded session titled “ZKProofs: From Crypto Potential to Regulatory Acceptance” will bring together Google, ETSI, and NIST to map out viable ZKP schemes, their mobile-readiness, and interoperability features. The goal is to bridge the gap between cryptographic innovation and institutional trust, and to align stakeholders around a roadmap for responsible, cross-border adoption and acceptance.

The day concludes with a multi-stakeholder roundtable moderated by DIDAS with invitees from the ITU, the OpenWallet Foundation, LF Decentralized Trust, OECD, UNHCR the Swiss confederation, the EU Commission and other country delegates and potential funding partners to explore long-term collaboration structures. This final session will address how to sustain PET development through ongoing working groups, interoperable governance, and shared funding models.

 

Public Sector & Multilateral Institutions

Swiss Confederation European Commission ITU (International Telecommunication Union) OECD UNHCR SPRIND (Federal Agency for Disruptive Innovation, Germany) EUDI Pilot Teams (various EU member states)

 

Research & Academia

EPFL – École Polytechnique Fédérale de Lausanne C4DT – Center for Digital Trust (EPFL) Johannes Kepler University Linz Ethereum Research Community

 

Civil Society & Ecosystem Actors

DIDAS – Digital Identity and Data Sovereignty Association Digital Society Association (Switzerland) Human Colossus Foundation Other invited civil society contributors

Private Sector & Standards Bodies

Google Orange Linux Foundation – Decentralized Trust Initiative OpenWallet Foundation ETSI – European Telecommunications Standards Institute NIST – U.S. National Institute of Standards and Technology LF Decentralized Trust

Core Themes

Privacy-enhancing technologies (PETs), ZKPs, unlinkability Verifiable credentials, digital identity, selective disclosure Trust infrastructure governance, interoperability, post-quantum security E-democracy, civic trust, institutional resilience Multi-stakeholder collaboration, sustainable funding, global alignment

This collaborative agenda reflects a global commitment to building privacy-preserving, interoperable, and inclusive digital ecosystems with shared responsibility across sectors.

authID’s decision this month to integrate its biometric identity verification technology with Ping Identity’s PingOne DaVinci service is a necessary step at a time when humans continue to be the weakest security link for organizations and bad actors increasingly target passwords to gain access to corporate networks, according to Jeff Scheidel, vice president of operations for the Denver-based company.

Apple OSes will soon transfer passkeys seamlessly and securely across platforms.

Apple this week provided a glimpse into a feature that solves one of the biggest drawbacks of passkeys, the industry-wide standard for website and app authentication that isn’t susceptible to credential phishing and other attacks targeting passwords.

Overview

The FIDO Alliance and host sponsor Thales recently held a one day seminar on authentication, identity and the road ahead.

Seminar sessions provided an exploration of the current state of authentication for workforce and consumer sign-ins – with a focus on FIDO and passkeys including adoption status and case studies. The seminar also featured discussions on other relevant topics for IAM professionals, such as the latest in attacks and threats, identity verification technology advances, and post-quantum cryptography. Attendees had the opportunity to engage directly with authentication and identity experts through open Q&A, networking and demos.

View the presentations below:

Andrew Shikiar, Executive Director and CEO of the FIDO Alliance, joins us to discuss the shift from passwords to passkeys and the role of FIDO in driving secure, passwordless authentication. He explores the challenges of adoption, the importance of identity verification, and how cross-platform interoperability is accelerating passkey use. The conversation also touches on the impact of generative AI on cybersecurity and what the future holds for passkeys in building long-term resilience.

About Expert Insights:

Expert Insights saves you time and hassle by rigorously analyzing cybersecurity solutions and cutting through the hype to deliver clear, actionable shortlists. We specialize in cybersecurity. So, our focus is sharper, our knowledge is deeper, and our insights are better. What’s more, our advice is completely impartial.

In a world saturated with information, we exist to arm experts with the insights they need to protect their organization. That is why over 1 million businesses have used us to inform their cybersecurity research.

Listen to the podcast.

Collaborating to respond to UNESCO’s call for think pieces

A couple of months ago, after seeing a UNESCO call for contributions, Doug began wrangling a group of thinkers and educators to respond to the call in a collaborative and open way. Naturally, I got involved, and thus we thought this story would be a good one for the WAO blog :)

There were six of us on that stormy night…

Bryan Alexander – an internationally known futurist, researcher, writer with this popular blog and newsletter, AI, academia, and the Future.  ​Helen Beetham – a researcher and consultant in digital education who has edited several standard texts including Rethinking Pedagogy for a Digital Age. Her articles on AI, education, and society can be found at imperfect offerings. ​Doug Belshaw – co-founder of We Are Open Co-op, working at the intersection of systems thinking, digital literacies, and Open Recognition. Doug's writings can be accessed via his website. ​Laura Hilliger – concept architect, open strategist, and co-founder of We Are Open Co-op. Her website contains links to her blog and newsletter. ​Ian O'Byrne – Associate Professor of Literacy Education at the College of Charleston. He maintains an active presence through his website and weekly newsletter Digitally Literate. ​Karen Louise Smith – Associate Professor in the Department of Communication, Popular Culture and Film at Brock University. She teaches courses related to social media, surveillance, and new media policy and her writing can be accessed via her website.

The six of us met up online to chat about how we might collaborate to respond to UNESCO’s call, and decided that we would each write our own think pieces. We then met up regularly to chat about where we were, what ideas were floating around and get inspiration from one another. Once we had drafts, we each read each other's pieces offering comments and suggestions. 

Our finished pieces can be found at this linktree: https://linktr.ee/ai_future_education

After we submitted our think pieces to UNESCO, we decided to do a roundtable event hosted by Doug. Over 100 people signed up, with 50 more on the waitlist. Participants gathered to discuss the transformative potential of Artificial Intelligence (AI) in education. The event brought together educators, tech experts, and policymakers to dissect our six pieces on AI's future role in learning environments.

This blog post summarises our very nuanced discussion surrounding AI's role in education. If you’re interested in this type of thing, we’d recommend watching the full session.

1. Personalized Learning

One of the themes discussed was personalized learning facilitated by AI. While AI can functionally analyze student data to tailor curricula and pacing, we talked about the emotional and social dimensions of learning. The lack of empathy in AI systems hinders holistic education, which requires human interaction.

2. Equity and Access

We talked about the theory that AI could democratize access to quality education, but we highlighted significant challenges. Unequal access exacerbates existing disparities in educational opportunities, and it is not just infrastructure that is inequitable in our education system.

3. The Educator's Role

AI’s impact on educators’ roles was another theme in our conversation. While AI can handle routine tasks like grading, potentially reducing administrative burdens, there are concerns about over-reliance on technology displacing human interaction. We argued for understanding teachers as mentors, facilitators, guardians and creatives to try and make clear that “efficiency” is not a goal in education.

4. Privacy and Bias

We talked a lot about the ethical implications surrounding various aspects of AI. From data privacy concerns, algorithmic bias, and transparency in AI decision-making, we stressed the importance of ethical guidelines and accountability measures.

5. Collaboration

We talked a bit about the potential for collaboration between educators and AI. We tried to think about what a complementary relationship with AI might look like for education. While AI might enhance some of our teaching tools, it cannot be allowed to overshadow the irreplaceable human element.

6. The Future of Education

In conclusion, we know and spoke about the fact that any technology and its implementation in education must be approached with caution and balance. Our conversation underscored that AI is not a panacea but a technology that exists within a particular context, and that like any technology, it’s how we use it that matters.

Go deeper:

This is the video ​Recording for the full session  We made an AI generated ​Chat summary ​All of our think pieces are worth a close read. Jump in individually: Bryan Alexander - Several futures for AI and education Helen Beetham - The implications of ‘artificial intelligence’ for the right to education in equality and dignity Doug Belshaw - Marching Backwards into the Future: AI’s Role in the Future of Education Laura Hilliger - It is not the tool, it is the artist who sparks the revolution: The Importance of Art Education with or without AI Ian O'Byrne - Amplifying Human Cognition: Artificial Intelligence as Mirror and Magnifier Karen Louise Smith: Building warm expert expertise to mitigate against data harms in AI-powered edtech

Many thanks to Bryan Mathers of Visual Thinkery, who provided the illustrations included in this post. To see all of those that he drew based on the session, visit his website. 

did:sol is the Solana DID method. Solana is an application-centric blockchain praised for it’s high-throughput and composability. Today on the show we talk with Martin Riedel, and Daniel Kelleher, co-editors and implementers of the did:sol specification.   References Civic https://www.civic.com/  x:  @civickey Cryptid https://github.com/identity-com/cryptid  DID Directory https://diddirectory.com/  did:sol spec  https://g.identity.com/sol-did/ did:sol on diddirectory.com  https://diddirectory.com/sol  did:sol on...

did:sol is the Solana DID method. Solana is an application-centric blockchain praised for it’s high-throughput and composability. Today on the show we talk with Martin Riedel, and Daniel Kelleher, co-editors and implementers of the did:sol specification. References Civic https://www.civic.com/ x:  @civickey Cryptid https://github.com/identity-com/cryptid DID Directory https://diddirectory.com/ did:sol spec https://g.identity.com/sol-did/ did:sol on diddirectory.com https://diddirectory.com/sol did:sol on...

Exploring the plural, context-dependent, and socially-negotiated nature of new literacies

Over the past couple of months, we’ve been working on an ‘AI Literacy’ project with the Responsible Innovation Centre for Public Media Futures (RIC), hosted by the BBC. We’ve already published:

What does AI Literacy look like for young people aged 14–19? What makes for a good AI Literacy framework? Core Values for AI Literacy

In this post, we want to explore the tension we’ve felt between referring to ‘AI Literacy’ in the singular, versus referring to a plurality of ‘AI Literacies’. Ultimately, although our original brief used the singular form (as do many of our peers) we have decided to take the latter, plural, approach — for reasons we will explain below.

One very practical reason to emphasise ‘AI Literacies’ is that it is difficult to talk about ‘delivering’ a literacy. “Literacy” always begs the question of context: What does literacy mean to this particular person in this particular setting at this particular moment? What it means to be ‘AI literate’ is going to look very different to someone working in a corporate office job, compared to a teenager using AI for a creative project. Additionally, there are multiple literate behaviours when we think about AI — for example, understanding the socio-economic reality of the AI landscape versus knowing how to prompt an LLM to get the kind of information or answer you are looking for.

AI Literacies are therefore both plural and context-specific. They are also socially-negotiated. Literate behaviours depend on the community with which an individual is interacting. This becomes evident through a few examples.

Image CC BY-ND Visual Thinkery for WAO

If you are a parent of teenagers, you will have experienced a time when they respond in a way which makes sense to them and their friends, but not to you. You are likely to have to ask them what they mean or use a resource like the Urban Dictionary. Other behaviours such as using a particular emoji might be hilarious for reasons you cannot quite comprehend.

These “rhetorics of communication” are an important part of literacy practices, especially in the digital realm. They constitute ways of interacting with other people within a techno-social system which itself privileges and foregrounds certain kinds of behaviours, while either explicitly or implicitly discouraging others. For example, contemporary chat apps allow you to see not only that a message has been delivered, but whether it has been read. The act of not reading a particular message may be seen in multiple lights: Is the person ignoring me? Are they mad at me? Are they offline in the forest?

Any time we are communicating in ways which are mediated by technologies, part of literate behaviour involves understanding the “affordances” that the technology provides as well as understanding how that technology might be shaping our behaviour.

If you were, for example, quickly texting your teenager while at work, you might send your text and then open a workplace chat window which looks and feels very much like the social one which you have just been using. However, because the context is different — as well as perhaps both the demographic makeup and number of people in the chat — you act differently. =Your literate behaviours are thus socially-negotiated, meaning that you vary your behaviour in different situations.

As we start to understand AI Literacies, we need to think about the most common way in which people experience generative AI — by prompting a Large Language Model (LLM) through a chat window. The chat window is a familiar technology, but the fact that there isn’t a human on the other side of it is not. Part of AI Literacies therefore involves exhibiting and modifying our behaviours based on our knowledge and experience of factors that surround this particular chat window.

Image CC BY-ND Visual Thinkery for WAO

With personal or workplace chats, what is outside of the frame informs literate behaviours inside the frame. Similarly, when we are interacting with AI, the more we know about what is outside the frame, the more we can develop appropriate literate behaviours inside the frame. Again, these literate behaviours are plural: will others be able to tell that you are using the outputs of an LLM? (will they mind?) They are based on context: should you trust the company behind the technology you are using? And they are socially-negotiated: are there environmental concerns of which you should be aware?

Angela Gunder’s Dimensions of AI Literacies provides a helpful way to think about these issues. Building on my work on the Essential Elements of Digital Literacies, Gunder’s framework sets out a series of overlapping dimensions that shape how people interact with AI. This approach supports the idea that AI Literacies are not a fixed set of skills, but a collection of practices negotiated within communities and shaped by context.

AI Literacies, like Critical Media Literacies, Digital Literacies, Information Literacies, Data Literacies, and a whole host of “new” literacies, should be considered to be fundamentally plural. What counts as “literate behaviours” are socially-negotiated based on context. Words and phrases, however, are important to describe what we mean. And that is why we will be referring to AI Literacies in the project we’re doing with the RIC for the BBC.

Coming soon

We are working on a public version of our landscape setting and framework for AI Literacies. We’ll be sharing that soon. In the meantime, follow our contributions to this space through https://ailiteracy.fyi/ and get in touch if you have projects and programmes that can benefit from our experience and expertise in education and technology.

What if you could see what your customers are searching before they even hit 'buy'?

In today’s hyper-competitive marketplace, that’s exactly what the best brands are doing, and it’s giving them a serious edge.

In this episode, Chris Barnes, General Manager of Retail & Alternative Channels at Jungle Scout, joins hosts Reid Jackson and Liz Sertl to break down how brands are using real-time search, product, and shopper data to respond faster to market signals on Amazon and beyond.

Chris shares how companies are identifying market opportunities, protecting category share, and improving performance across pricing, inventory, and advertising, all by knowing what to look for in the data.

In this episode, you’ll learn:

How to use search and shopper behavior to guide product strategy

Why category management looks different in the age of marketplaces

The data brands overlook and how it impacts sales performance

Jump into the conversation:

(00:00) Introducing Next Level Supply Chain

(02:07) Chris Barnes on his career journey

(04:38) Transforming strategy with data and intelligence

(05:55) Category management in-store vs. online

(09:23) AI’s impact on search and consumer behavior

(13:04) Dude Wipes’ growth and success

(15:35) Leveraging data to understand consumer needs

(19:17) Power of data analytics in product development

(20:48) Top strategies for maximizing growth

(27:37) The future of agencies and AI in business

 

Connect with GS1 US:

Our website - www.gs1us.org

GS1 US on LinkedIn

 

Connect with the guest:

Chris Barnes on LinkedInCheck out Jungle Scout

The post Reinventing How Career Records Are Shared appeared first on Velocity.

Mastercard has launched advanced payment passkeys across Europe as part of its initiative to enhance online transaction security and replace traditional passwords. The company reports that its tokenization and passkey implementation has achieved nearly 50 percent adoption in European e-commerce transactions, building on its successful passkey deployment in Latin America earlier this year.

The payment technology company’s new security measures arrive at a critical time, as data shows that one in four business owners in Europe face targeting by scammers. A quarter of these businesses express concern about their ability to recover from potential cyber attacks. The expansion follows the broader industry trend toward passwordless authentication, with the FIDO Alliance reporting significant growth in enterprise passkey adoption.

OneSpan announced Thursday (June 5) its acquisition of Nok Nok Labs, a provider of FIDO passwordless software authentication solutions.

OneSpan said joining forces with Nok Nok enables the company to provide customers worldwide with a comprehensive authentication portfolio, available on-premises or in the cloud. This combined offering now includes support for OTP, FIDO, software, and hardware solutions, such as Digipass, FIDO2 protocols, and Cronto solutions for transaction signing.

Victor Limongelli, CEO at OneSpan, described the acquisition as a “bold step toward providing customers with maximum choice in authentication.” He added that the company is evolving its entire authentication platform to include FIDO standards, believing that passwordless authentication is an important part of the future. With Nok Nok’s technology and FIDO expertise, OneSpan aims to offer a comprehensive and versatile customer authentication solution.

Phillip Dunkelberger, president and CEO at Nok Nok, noted that joining OneSpan allows them to bring their vision, rooted in open standards like FIDO, to a broader audience via OneSpan’s global reach. Andrew Shikiar, executive director and CEO of the FIDO Alliance, said Nok Nok has been a “trailblazer” in the FIDO ecosystem.

Dashlane lets you open an account with a FIDO2-spec USB security key as your authentication.

One of the better-known password managers is now inviting people to try it without having to create yet another password. Instead, Dashlane is now inviting people to try opening a new account secured only by a USB security key compliant with the “FIDO2” authentication standard; FIDO being short for Fast Identity Online.

Emphasize “try.” The company’s support page for this “early access” program notes that it supports only Google Chrome and Microsoft Edge, not Dashlane’s mobile apps. For now, it doesn’t let you create an account secured only by a passkey, the form of FIDO2 security more people use. 

At Blockchain Commons, we design open infrastructure that prioritizes privacy, autonomy, and human dignity. That’s why I support and personally signed the No Phone Home Initiative. It is not just a position, it’s a call to preserve a foundational principle of decentralized identity: Credentials must be verifiable without enabling surveillance!

Why “No Phone Home” Matters

The problem is simple: when verifying a digital credential such as a mobile driver’s license or a diploma, many systems require contacting the original issuer. This creates a digital trail of who is verifying what, when, and why. That trail can be used to profile and surveil, allowing issuers to track credential holders without their knowledge.

Manu Sporny, in an email to the W3C Credentials Community Group (June 3, 2025), clarified the stakes:

“Retrieving a status list could be misinterpreted as ‘phoning home’ … but it’s not anywhere near the same level of “phoning home” that contacting the issuer and telling them ‘I’ve got Steve here at booze-hut.com, is he over 21?’ achieves.”

But the threat of direct identity leak is just the tip of the iceberg. That’s because credential presentation isn’t a one-off event. It’s recurrent. Even when identifiers or interactions are pseudonymous, repeated verifications leak sensitive metadata, allowing issuers or third parties to correlate time, location, and use-pattern metadata into behavioral profiles.

The Decentralized Identity Foundation talks about some of this in “Nearly 100 Experts Are Saying ‘No Phone Home’”:

“The risks multiply when applied across domains. Federated protocols developed for use within organizations become surveillance systems when used between different sectors or jurisdictions. Phone home capabilities that seem innocuous within a single domain can become tools for tracking and control when applied broadly without aggressive oversight and fine-tuning.”

Problematically, this is how these systems are designed to work! As Kim Hamilton Duffy says in the first of a series of articles on mDL privacy that she’s currently working on:

“This isn’t an unintended consequence—it’s an architectural feature that can trivially enable persistent record-keeping of when and where you use your credentials, creating patterns that can be analyzed long after the original transaction by unknown third parties.”

This also reveals yet another danger: how “normal” it feels to let credential issuers remain silently in the loop.

Revocation Without Surveillance

Some argue that checking for the revocation of a credential requires phoning home. But that’s a false dilemma. In the same W3C thread, Sporny noted:

“There are a few ways to retrieve a status list without directly contacting the issuer that use commonly deployed web technology.””

Technical mitigations discussed and developed by the community include:

Large, pseudonymous status lists (e.g., Bitstring Status List) Use of CDNs or file mirrors to avoid direct issuer contact Oblivious HTTP (OHTTP) for unlinkable status fetching

There are still issues with these potential mitigations. For example, Kyle Den Hartog (Pryvit NZ) raised concerns about status list misuse:

“An issuer creates a bitstring list of sufficiently large size, but only includes 1 active credential index per bitstring list. All other indexes are spoofed. The rest of the list would look active to the holder/verifiers but could still be a tracking mechanism by the issuer.”

But, these edge-case attacks reinforce why the core architecture must be surveillance-resistant by default.

Privacy isn’t the only issue with revocation checking: it’s also a structural risk. If we tie credential validity to live status checks, we quietly shift power from holders to issuers. It becomes a form of dependency injection, one that contradicts the goal of self-sovereign identity.

Not Just Technical: It’s Ethical

This isn’t just a technical issue. It goes to the ethical heart of self-sovereign identity design.

Daniel Hardman offered this framing in a related thread on edge cases:

“Verifiable credentials verify without issuer coordination; that is what the ‘verifiable’ in ‘verifiable credential’ means.”

Joe Andrieu argued in the same May 2025 thread:

*The identity system that wins is going to be the one we can use in any circumstance by anyone. … It’s my wallet. I expect it to serve me, as a user agent. I do not accept that it might also serve the state as a surveillance platform.

At Blockchain Commons, we agree. The ability to verify credentials offline, without depending on a central service, is essential for resilience and civil liberties.

A report prepared for the American Civil Liberties Union (ACLU) put it clearly by requiring “No Issuer ability to track via phone home mechanism” and saying:

“One way a digital ID can differ from physical ID is that it can enable the issuers of the digital ID to track where, when, and to whom one shows their ID. This tracking can reveal very private and sensitive information about the digital ID holder — namely, when and where, online or off, they present their ID. Standards and technologies should be designed so that the issuer (or any of its agents or contractors) cannot engage in any of these forms of tracking.”

Emergencies Are Not an Excuse

Some use cases such as disaster response or first responder tracking have prompted discussions around consent-based “check-ins.” These are complex and worthy of consideration. But the VC Data Model 2.0 spec is clear:

“Credential status specifications MUST NOT enable tracking of individuals, such as an issuer being notified (either directly or indirectly) when a verifier is interested in a specific holder or subject. Unacceptable approaches include “phoning home …”

But compliance doesn’t equal safety. Even digital credentials that conform to existing standards—such as ISO 18013-5—can still include implementation choices that enable surveillance. Privacy must be baked into system design, not retrofitted through policy disclaimers.

As Alexis Hancock of the Electronic Frontier Foundation (EFF) warned (via State Scoop):

“We have to act now because governments are enthusiastic about digital ID, but if we don’t pin down these basic principles now, it’s going to be a problem later.”

We can build systems that are opt-in, purpose-specific, and out-of-band, without compromising the privacy baseline for everyone else.

Our Commitment

At Blockchain Commons, we believe decentralized identity should empower the individual, not quietly report on them. We are actively designing open standards such as Gordian Envelope and dCBOR to support truly private, verifiable, interoperable credentials.

We support “No Phone Home” because surveillance should never be the default. And we invite others to join us in making sure the future of identity remains decentralized, private, and just.

Kia ora,

Welcome to the May edition of the Digital Identity NZ newsletter. This month, we’re excited to introduce our new Executive Director, share insights from Techweek25’s Foundations for Tomorrow Event.

Andy Higgs Appointed as New Executive Director

We’re pleased to announce that Andy Higgs has joined Digital Identity NZ as our new Executive Director.

Andy brings over 20 years of experience across digital identity, AI strategy, and innovation in both public and private sectors. His background includes leadership roles at Futureverse and Centrality, where he focused on self-sovereign identity solutions and ecosystem partnerships.

His experience extends to policy development with the Department of Internal Affairs and Ministry of Business, Innovation and Employment, including work on the Digital Identity Services Trust Framework and the Consumer Data Right.

Andy’s collaborative approach will be valuable as DINZ continues to work alongside members to build a trusted digital identity ecosystem for everyone in Aotearoa.

Digital Public Infrastructure: Foundations for Tomorrow Event

During Techweek25, government, industry, and public sector leaders gathered at Parliament’s Legislative Chamber to discuss how digital public infrastructure (DPI) could transform service delivery across New Zealand.

Key takeaways for the digital identity community:

Ministerial vision: Hon Judith Collins KC announced plans for an all-of-government app allowing citizens to store digital credentials, receive notifications, and access services in one secure digital space.
  Economic benefits: Pete Herlihy from AWS highlighted that digital identity is one of four core components of DPI that can deliver significant economic growth—between 1-2% of GDP in developed nations.
  Human-centered approach: Deloitte’s Adithi Pandit emphasised how unified digital infrastructure could enable more joined-up social services and reduce fragmentation.
  Implementation plans: Public Service Commissioner Sir Brian Roche indicated a move toward greater centralisation with prescribed platforms and standards to make digital infrastructure a low-cost utility.
  Industry perspective: Xero founder Rod Drury called for greater urgency in digital identity implementation, suggesting New Zealand could leverage its small size to move quickly and “solve digital identity by Christmas.”

Read the full event recap here.

Member News

Our DINZ community continues to grow! We’re delighted to welcome POLipay as a member and look forward to featuring and engaging them in our ecosystem.

See all organisation members here.

Stay Connected

Thank you for being part of our community. We look forward to sharing more updates next month. 

Ngā mihi nui,

The team at Digital Identity NZ

Read full news here: Introducing Our New Executive Director | May Newsletter

SUBSCRIBE FOR MORE

The post Introducing Our New Executive Director | May Newsletter appeared first on Digital Identity New Zealand.

ABSTRACT: “Fair Witnessing” is a new approach for asserting and interpreting digital claims in a way that mirrors real-world human trust: through personal observation, contextual disclosure, and progressive validation. It can be implemented with the decentralized architecture of Gordian Envelopes to allow individuals to make verifiable statements while balancing privacy, accountability, and interpretability. At its core, fair witnessing is not about declaring truth, it’s about showing your work.

In the early days of decentralized identity, we referred to what we were working on as “Verifiable Claims.” The idea was simple: let people make cryptographically signed statements and allow others to verify them. But something unexpected happened. People assumed these claims would settle arguments or stop disinformation. They saw the term “verifiable” and equated it with “truth.”

The reality was more modest: we could verify the source of a claim but not its accuracy. We could assert that a claim came from a specific person or organization (or even camera or other object) but not whether that claim was unbiased, well-observed, or contextually complete.

This misunderstanding revealed a deeper problem: how do we represent what someone actually saw and how they saw it, in a way that honors the complexity of human trust?

A Heinleinian Inspiration

Iin Stranger in a Strange Land, Robert Heinlein described a special profession: the Fair Witness. A Fair Witness would be trained to observe carefully, report precisely, make no assumptions, and avoid bias. If asked what color a house was, a Fair Witness would respond, “It appears to be white on this side.”

It is this spirit we want to capture to fulfill the promise of the original verifiable claims.

A Fair Witness in our digital era is someone who not only asserts a claim but also shares the conditions under which it was made, including context, methodology, limitations, and bias:

What were the physical conditions of the observation? Was the observer physically present? Did they act independently? What interests or leanings might have shaped their perception? How did they minimize those biases?

These are not just nice-to-haves. They are necessary components of evaluating a claim’s credibility.

Beyond Binary Trust

Fair witnessing challenges binary notions of trust. Traditional systems ask a “yes” or “no” question: do you trust this certificate? This issuer?

But trust is rarely binary like this in the real world. It is layered, contextual, and progressive. The claim made by a pseudonymous environmental scientist might start out with low trust but could grow in credibility as:

They reveal their professional history. Others endorse their work. They disclose how they mitigated their potential biases.

Trust builds over time, not in a single transaction. That’s progressive trust.

Trust as a Nested Statement

To marry a fair witness claim to the notion of progressive trust requires the nesting of information. As shown in the example of the environmental scientist, the witnessing of an observation gains weight as the context is added: turning the scientist’s claims into a fair-witness statement required collecting together information about who the scientist is, what their training is, and what their peers think of them.

But as noted, progressive trust isn’t something that occurs in a single transaction: it’s revealed over time. We don’t want it to all be revealed at once, because that could result in information overload for someone consulting a claim and could have privacy implications for the witness.

A progressive trust model of fair witnessing requires that you show what you must and that you withhold what’s not needed—until it is.

Privacy and Accountability, Together

This model strikes a crucial balance. On one hand, it empowers individuals (fair witnesses) to speak from experience without needing permission from a centralized authority. On the other hand, it allows others to verify the integrity of the claim without requiring total exposure.

There are numerous use cases:

You can prove you were trained without revealing your name. You can demonstrate personal observation without revealing your exact location. You can commit to a fact today and prove you knew it later. Fair Witnessing with Gordian Envelope

The demands of Fair Witnessing go beyond the capabilities of traditional verifiable credentials (VCs), primarily because VCs can’t remove signed information but maintain its validation—and the ability to do so is critically important if you want to nest information for revelation over time.

Fortunately, a technology already exists that provides this precise capability: Blockchain Commons’ Gordian Envelope, which allows for: the organized storage of information; the validation of that information through signatures; the elision of that information; the continued validation of the information after elision; and the provable restoration of that information.

Any subject, predicate, or object in Gordian Envelope can itself be a claim, optionally encrypted or elided. This enables a deeply contextual, inspectable form of expression.

For example:

Alice could make a fair-witness observation, which would be an envelope. Information on the context of Alice’s assertion can be a sub-envelope. A credential for fair witness training can be a sub-envelope. Endorsements of Alice’s work as a fair witness can be sub-envelopes. Endorsements, credentials, and even the entire envelope can be signed by the appropriate parties. Any envelope or sub-envelope can be elided, without affecting these signatures and without impacting the ability to provably restore the data later.

It’s progressive trust appropriate for use with fair witnessing in an existing form!

Toward a New Epistemology

Being a Fair Witness isn’t about declaring truth. It’s about saying what’s known, with context, so others can assess what’s truth. Truth, in this model, is interpreted, not imposed. A verifier—or a jury—decides if a claim is credible, not because a central authority says so, but because the Fair Witness has provided information with sufficient context and endorsements.

In other words, fair witnessing is not about what is true, but about how we responsibly say what we believe to be true—and what others can do with that.

This is epistemology (the theory of knowledge) that’s structured as a graph. It’s cryptographically sound, privacy-respecting, and human-auditable. It reflects real-world trust: messy, contextual, and layered. By modeling that complexity rather than flattening it, we gain both rigor and realism.

Conclusion

In a world of machine-generated misinformation, ideological polarization, and institutional distrust, we must return to the foundations: observation, context, and human responsibility.

Fair witnessing offers a new path forward—one that is verifiable, privacy-respecting, and grounded in how humans actually trust.

Learn more: [ Progressive Trust Gordian Envelope ]

After decades of cautiously watching from the sidelines, governments around the world have started investing in, rolling out, and regulating digital identity systems on aggressive timelines. These foundational changes to government infrastructure and the economy are happening largely outside public awareness, despite their generational consequences for privacy.

Digital identity systems implemented by governments today will shape privacy for decades. Whatever ecosystems and technical architectures are established in the coming years could ossify quickly, and it would take enormous political will to make changes at such a foundational level if society develops buyer's remorse once the ripple effects become clear.

That's why nearly 100 experts across technology, policy, and civil liberties have united around one principle: digital identity systems must be built without latent tracking capabilities that could enable ubiquitous surveillance. Thus, the nophonehome.com petition.

Who's Behind This

Civil society groups working on legal advocacy and industry oversight (ACLU, EFF), cybersecurity experts (including Bruce Schneier), privacy-by-design software companies of various sizes (Brave, many DIF members), and experts from university faculties (Brown, Columbia, Imperial College London) all signed on. The list includes authors of collaborative open standards, chief executives, state privacy officers, and other public servants. This is not a coalition of "activists" so much as a broad coalition of experts and policy-watchers sounding an alarm about consequential decisions passing largely unnoticed by the average citizen and end-user.

The breadth of this coalition reflects widespread concern about the technical and policy implications of embedded tracking capabilities.

What "Phone Home" Means

As a general rule, "phone-home" is a shorthand for architectural principles of tracking enablement (just as "no phone-home" refers to tracking mitigation, broadly speaking). When a verifier of credentials interacts directly with the credential's issuer—even if just to check validity or revocation status—they are "phoning" the credential's "home." This opens the subject and/or the holder of that credential to privacy risks, no matter how well the request is anonymized or handled. These API connections create data that can be combined, correlated, and abused, especially when verifiers share information or when issuers abuse their role.

The risks multiply when applied across domains. Federated protocols developed for use within organizations become surveillance systems when used between different sectors or jurisdictions. Phone home capabilities that seem innocuous within a single domain can become tools for tracking and control when applied broadly without aggressive oversight and fine-tuning. Over time, little mismatches and slippages in how these protocols work get exploited and stretched, amplifying glitches.

In the worst-case scenario, some systems enable real-time revocation decisions, giving issuers—potentially governments—immediate control over citizens' ability to access services, travel, or participate in society. A natural tendency to "over-request" foundational documents in situations where such strong identification is unjustified is amplified by familiarity, lack of friction, and other UX catnip; all the SHOULDs in the world won't stop verifiers from doing it. And verifiers over-asking without also providing a fallback or "slow lane" can make a sudden or temporary unavailability of foundational credentials painful or even exclusionary. The side-effects and externalities pile up dangerously in this industry!

Technologists see these kinds of capabilities (phone-home of any kind, remote revocation, low-friction foundational identity requests) like loaded guns in Act 1 of a Chekhov play: "If this capability exists within a digital identity system, even inactively, it will eventually be misused."

The Scale and Timing Problem

Most foundational identity systems being implemented for national-scale deployment include system-wide phone home tracking capabilities, either actively or latently. Many policymakers involved in these rollouts are not even aware of the tracking potential built into the standards they are adopting.

Four factors make this moment critical:

Scale of deployment: These systems will serve billions of users across developed nations, effectively replacing physical credentials. Precedent-setting effects: When one jurisdiction adopts tracking-enabled systems, it influences global practices and standards. Infrastructure persistence: Technical decisions made today will persist for decades, becoming prohibitively expensive to change once embedded. Mission creep inevitability: Capabilities developed for legitimate purposes like fraud prevention naturally accrue new private-sector and/or public-sector use-cases over time due to natural market pressures. Today's private-sector usage is tomorrow's public-sector secondary data market. The Fallacy of "Privacy by Policy"

The fundamental problem with latent tracking capabilities is that policies change, but technical architecture persists. If a system has surveillance capability—even if unused—it will eventually be activated. Emergencies, changing administrations, or shifting political priorities can quickly justify "pressing the button" to enable widespread tracking.

The solution is simple: they cannot press a button they do not have.

Consider AAMVA's recent decision to prohibit the "server retrieval" capability throughout the U.S.—a positive step that we welcome. However, most low-level implementations (e.g. core libraries) will likely implement the entire specification and leave it to the last-mile implementers to honor (or not) this policy. As an incubator of new specifications and prototypes, DIF feels strongly that jurisdiction-by-jurisdiction policies is just "turning off" what the specification still instructs software to implement for later policies to turn back on at the flick of a switch. We believe the underlying ISO specification needs to remove "server retrieval" completely, lest every authority in the U.S. remain one emergency away from activating broad, identity-based surveillance of all citizens.

Privacy-Preserving Alternatives Exist

The choice between security and privacy is false. Offline-first verification operates without server communication—the credential contains cryptographic proofs that can be validated independently. The ISO 18013-5 standard itself includes "device retrieval" mode, a privacy-preserving alternative that functions entirely offline.

Even credential revocation can be implemented without phone home capabilities. Privacy-preserving revocation systems are in production today, proving that security and privacy can coexist.

The technology exists. The standards exist. What has been missing is commitment to prioritize privacy over the operational convenience of centralized tracking.

Moving Forward

Awareness is growing. We welcome developments like AAMVA's prohibition of server retrieval, but more work is needed across the broader digital identity ecosystem to eliminate latent surveillance capabilities entirely.

The Decentralized Identity Foundation develops standards that prioritize privacy, supports implementations that respect user autonomy, and advocates for technical architectures that prevent tracking and add friction to data misuse. Our membership includes many technologists and vendors designing tracking-free alternatives for these and other use cases.

We encourage you to read the full No Phone Home statement at https://nophonehome.com. Whether you are building, deploying, or using these systems, your voice matters at this critical juncture.

The question is not whether we can build privacy-preserving digital identity—it is whether we will choose to do so. Let's build it right.

The Decentralized Identity Foundation (DIF) is an engineering-driven organization focused on developing the foundational elements necessary to establish an open ecosystem for decentralized identity and ensure interoperability between all participants. Learn more at identity.foundation.

Mercari, the Japanese e-commerce company behind the Mercari marketplace, has surpassed 10 million registered users of passkeys for authentication.

Yubico, a provider of hardware authentication security keys, has announced the expanded availability of YubiKey as a Service to all countries in the European Union.

This builds upon the company’s existing reach in markets such as the UK, U.S., India, Japan, Singapore, Australia and Canada. In addition, Yubico has expanded the availability of YubiEnterprise Delivery across 117 new locations around the world.

This now brings the total to 199 locations (175 countries and 24 territories and it more than doubles existing delivery coverage of YubiKeys to both office and remote users in a fast nad turnkey way. “Enterprises today are facing evolving cyber threats like AI-driven phishing attacks,” said Jeff Wallace, senior vice president of product at Yubico.

Authentication software company Entersekt has launched a partnership with South Africa-based PayTech solution provider Stanchion.

The partnership is aimed at “enhancing payment integration capabilities and delivering cutting-edge solutions to financial institutions worldwide,” the companies said in a Wednesday (May 21) news release.

The collaboration combines Stanchion’s tools for “modernizing, transforming, and accelerating innovation within payment systems” with Entersekt’s 3-D Secure payment authentication solution, which provides transaction authentication across all three domains: the merchant acquirer domain, the card issuer domain and the interoperability domain.

Passwords have been used as the first line of defense in protecting one’s digital identity, but they are fast becoming obsolete due to rampant identity theft. There seems to be no value in passwords anymore due to the increase in breaches of security systems on different platforms. This calls for an easier method of suppressing theft.

It is equally important to recognize the rise of passkeys as they help a great deal in bolstering digital identity protection.

WAO is currently working with the Responsible Innovation Centre for Public Media Futures (RIC), which is hosted by the BBC. The project, which you can read about in our kick-off post, is focused on research and analysis to help the BBC create policies and content to help improve the AI Literacy skills of young people aged 14–19.

We’re now at the stage where we’ve reviewed academic articles and resources, scrutinised frameworks, and reviewed input from over 40 experts in the field. They are thanked in the acknowledgements section at the end of this post.

One of the things that has come up time and again is the need for an ethical basis for this kind of work. As a result, in this post we want to share the core values that inform the development of our (upcoming) gap analysis, framework, and recommendations.

Public Service Media Values

Public Service Media (PSM) organisations such as the BBC have a mission to “inform, educate, and entertain” the public. The Public Media Alliance lists seven PSM values underpinning organisations’ work as being:

Accountability: to the public who fund it and hold power to account Accessibility: to the breadth of a national population across multiple platforms Impartiality: in news and quality journalist and content that informs, educates, and entertains Independence: both in terms of ownership and editorial values Pluralism: PSM should exist as part of a diverse media landscape Reliability: especially during crises and emergencies and tackling disinformation Universalism: in their availability and representation of diversity

These values are helpful to frame core values for the development of AI Literacy in young people aged 14–19.

AI Literacy Core Values

Using the PSM values as a starting point, along with our input from experts and our desk research, we have identified the following core values. These are also summarised in the graphic at the top of this post.

1. Human Agency and Empowerment

AI Literacy should empower young people to make informed, independent choices about how, when, and whether to use AI. This means helping develop not just technical ability, but also confidence, curiosity, and a sense of agency in shaping technology, rather than being shaped by it (UNESCO, 2024a; Opened Culture, n.d.). Learners should be encouraged to question, critique, adapt, and even resist AI systems, supporting both individual and collective agency.

2. Equity, Diversity, and Inclusion

All young people, regardless of background, ability, or circumstance should have meaningful access to AI Literacy education (Digital Promise, 2024; Good Things Foundation, 2024). Ensuring this in practice means addressing the digital divide, designing for accessibility, and valuing diverse perspectives and experiences. Resources and opportunities must be distributed fairly, with particular attention to those who are digitally disadvantaged or underrepresented.

3. Critical Thinking and Responsible Use

Young people should be equipped to think critically about AI, which means evaluating outputs, questioning claims, and understanding both the opportunities and risks presented by AI systems. In addition, young people should be encouraged to understand the importance of responsible use, including understanding bias, misinformation, and the ethical implications of AI in society (European Commission, 2022; Ng et al., 2021).

4. Upholding Human Rights and Wellbeing

Using a rights-based approach — including privacy, freedom of expression, and the right to participate fully in society — helps young people understand their rights, navigate issues of consent and data privacy, and recognise the broader impacts of AI on wellbeing, safety, and social justice (OECD, 2022; UNESCO, 2024a).

5. Creativity, Participation, and Lifelong Learning

AI should be presented as a tool for creativity, collaboration, and self-expression, not just as a subject to be learned for its own sake. PSM organisations should value and promote participatory approaches, encouraging young people to contribute to and shape the conversation about AI. This core value also recognises that AI Literacy is a lifelong process, requiring adaptability and a willingness to keep learning as technology evolves (UNESCO, 2024b).

Next Steps

We will be running a roundtable for invited experts and representatives of the BBC in early June to give feedback on the gap analysis and emerging framework. We will share a version of this after acting on their feedback.

If you are working in the area of AI Literacy and have comments on these values, please add them to this post, or get in touch: hello@weareopen.coop

Acknowledgements

The following people have willingly given up their time to provide invaluable input to this project:

Jonathan Baggaley, Prof Maha Bali, Dr Helen Beetham, Dr Miles Berry, Prof. Oli Buckley, Prof. Geoff Cox​, Dr Rob Farrow, Natalie Foos, Leon Furze, Ben Garside, Dr Daniel Gooch, Dr Brenna Clarke Gray, Dr Angela Gunder, Katie Heard, Prof. Wayne Holmes, Sarah Horrocks, Barry Joseph, Al Kingsley MBE, Dr Joe Lindley, Prof. Sonia Livingstone, Chris Loveday, Prof. Ewa Luger, Cliff Manning, Dr Konstantina Martzoukou, Prof. Julian McDougall, Prof. Gina Neff, Dr Nicola Pallitt, Rik Panganiban, Dr Gianfranco Polizzi, Dr Francine Ryan, Renate Samson, Anne-Marie Scott, Dr Cat Scutt MBE, Dr Sue Sentance, Vicki Shotbolt, Bill Thompson, Christian Turton, Dr Marc Watkins, Audrey Watters, Prof. Simeon Yates, Rebecca Yeager

References Digital Promise (2024). AI Literacy: A Framework to Understand, Evaluate, and Use Emerging Technology. https://doi.org/10.51388/20.500.12265/218 European Commission (2022) DigComp 2.2, The Digital Competence framework for citizens. Luxembourg: Publications Office of the European Union. https://doi.org/10.2760/115376. Good Things Foundation (2024) Developing AI Literacy With People Who Have Low Or No Digital Skills. Available at: https://www.goodthingsfoundation.org/policy-and-research/research-and-evidence/research-2024/ai-literacy Jia, X., Wang, Y., Lin, L., & Yang, X. (2025). Developing a Holistic AI Literacy Framework for Children. In Proceedings of the 2025 CHI Conference on Human Factors in Computing Systems (pp. 1–16). ACM. https://doi.org/10.1145/3727986 Ng, D. T. K., Leung, J. K. L., Chu, S. K. W., & Qiao, M. S. (2021). Conceptualizing AI literacy: An exploratory review. Computers and Education: Artificial Intelligence, 2(100041), 100041. https://doi.org/10.1016/j.caeai.2021.100041 OECD (2022) OECD Framework for Classifying AI Systems. Paris: OECD Publishing. https://www.oecd.org/en/publications/oecd-framework-for-the-classification-of-ai-systems_cb6d9eca-en.html Opened Culture (n.d.) Dimensions of AI Literacies. Available at: https://openedculture.org/projects/dimensions-of-ai-literacies Open University (2025) A framework for the Learning and Teaching of Critical AI Literacy skills. Available at: https://www.open.ac.uk/blogs/learning-design/wp-content/uploads/2025/01/OU-Critical-AI-Literacy-framework-2025-external-sharing.pdf UNESCO (2024a) UNESCO AI competency framework for students. Available at: https://unesdoc.unesco.org/ark:/48223/pf0000391105 UNESCO (2024b) UNESCO AI Competency Framework for Teachers. Available at: https://unesdoc.unesco.org/ark:/48223/pf0000391104

ISL presented at ConPro 2025’s 9th Workshop on Technology and Consumer Protection. The conference was a perfect opportunity to showcase our presentation on Safetypedia: Crowdsourcing Mobile App Privacy and Safety Labels.

Open PDF

The post IEEE’s ConPro ’25: Safetypedia: Crowdsourcing Mobile App Privacy and Safety Labels appeared first on Internet Safety Labs.

Many in the DIF community are asking about the upcoming Global Digital Collaboration conference in Geneva. As the date is quickly arriving, we wanted to give a sneak preview of what's ahead.

Table of Contents:

About the GDC Conference The Agenda Learn more and participate About the GDC Conference Key Details When: July 1-2, 2025 Where: Centre International de Conférences Genève (CICG), Switzerland Cost: Free (registration required) Register: https://lu.ma/gc25 (registration is available through any co-organizing partner) What is the GDC?

Global Digital Collaboration is a landmark gathering bringing together 30+ global organizations to advance digital identity, wallets, and credentials - hosted by the Swiss Confederation.

What makes this conference truly unique is that, from the beginning, it's been co-organized by the participating organizations, who have worked with their communities, and with each other, to form an agenda that will help advance the most critical topics in digital identity.

Rather than being driven by a single organization's vision, the GDC represents a collaborative effort where international organizations, standards bodies, open-source foundations, and industry consortia have jointly defined priorities and sessions that address the most pressing challenges in digital trust infrastructure. This multi-stakeholder approach ensures broader perspectives are represented and creates unprecedented opportunities for alignment across traditionally separate communities.

Why Attend? Unprecedented collaboration: This conference's collaborative nature bridges organizations that rarely coordinate at this scale. Connect: Connect with peers from government and private sectors to advance standards coordination, cross-border interoperability, and robust digital public infrastructure Network with experts: Engage directly with technical leaders, government officials, and industry pioneers shaping the future of digital trust Who Is Organizing?

The current list of co-organizers can be seen in the header image, with more to be added later this week. As a brief preview, this includes:

International & Government Organizations

European Commission (DG-CNECT) International Telecommunication Union (ITU) United Nations Economic Commission for Europe (UNECE) World Health Organization (WHO)

Standards Development Organizations & Open Source Foundations

Decentralized Identity Foundation (DIF) Eclipse Foundation European Telecommunications Standards Institute (ETSI) FIDO Alliance International Electrotechnical Commission (IEC) International Organization for Standardization (ISO) Linux Foundation Decentralized Trust (LFDT) OpenWallet Foundation (OWF) Trust Over IP (TOIP) World Wide Web Consortium (W3C)

Industry Consortia

Cloud Signature Consortium (CSC) Digital Credentials Consortium (DCC) Global Legal Entity Identifier Foundation (GLEIF)

Next, we'll look at the exciting conference agenda and highlight key sessions for the DIF community.

The Agenda

The conference is structured across two distinct days, each with a specific purpose. Day 1 features plenary sessions designed to provide comprehensive overviews of global initiatives and sector-specific developments in digital identity. This agenda is nearly finalized and a draft has been published.

Day 2 offers a more interactive format with parallel presentations, technical deep dives, workshops, and collaborative sessions. The preliminary Day 2 schedule will be published next week, but we can share an early preview of the key themes and sessions that should be of particular interest to the DIF community.

Day 1: Global Landscape & Sector Scan Morning sessions feature updates from government and industry stakeholders worldwide Afternoon sessions explore major use cases across sectors including travel, health, education, and finance Morning: Opening & Global Landscape Opening addresses by leaders from ITU, ISO, WHO, and more Regional updates from: European Commission Switzerland United States China/Singapore Japan India Korea Australia Global South Afternoon: Sector Updates 🚘 Driving Licenses 🧳 Travel Credentials ⚕️ Health Credentials 📚 Educational Credentials 📦 Trade 💸 Payments 🏢 Organizational Credentials 🪙 Digital Assets 🪪 Standards for ID and Wallets 🔏 Digital Signatures 🔑 Car Keys Day 2: Technical Deep Dives and Working Sessions

Day 2 features parallel sessions where participants will be encouraged to follow their interests plus share their experience and expertise.

Parallel sessions across multiple tracks including:

Privacy & Security: Zero-knowledge proofs, unlinkability Industry and Organizational Focus: Industry 4.0, Digital Product Passports, European Business Wallet Implementation & Deployment: Real-world wallet applications Standards & Interoperability: Cross-border credential exchange Policy & Regulation: Governance frameworks Emerging Technology: Emerging needs around AI and digital identity Demo Hour: See wallet applications and more Learn More and Participate Get Updates

There will soon be a GDC web site to more easily access event information and schedule. For now, we recommend:

Follow Global Digital Collaboration on LinkedIn And of course, subscribe to the DIF blog for additional updates focused on the DIF community Ready to Register?

You can also register through any co-organizer available at https://lu.ma/gc25

👉 DIF community members are encouraged to use DIF's dedicated registration link: https://lu.ma/gc25-dif

Tickets are free of charge and grant full access to the entire conference, regardless of the organization used during registration

Hotels & Discounts

The upcoming GDC web site will be updated with the latest information. For now, feel free to use the discount codes on this google document.

Looking Forward

The Global Digital Collaboration conference represents a unique opportunity for advancing digital identity solutions that can work across borders while putting users in control. DIF is committed to ensuring privacy and agency remain front and center in these conversations.

For those in the DIF community and beyond, this is an unparalleled opportunity to shape the future of digital identity in collaboration with global decision-makers and implementers.

How do you build a beverage brand from scratch and land in over a thousand stores?

For Aisha Chottani, it started with stress and a few homemade “potions”.

In this episode, Aisha, Founder and CEO of Moment, joins hosts  Reid Jackson and Liz Sertl to talk through what really goes into launching and scaling a functional drink brand. From labeling boxes by hand to managing relationships with co-packers and navigating supply chain failures, Aisha shares the behind-the-scenes story most startup founders keep to themselves.

She also gets real about what went wrong, like barcode mix-ups and Amazon returns gone sideways, and how those lessons became systems that power Moment’s growth today.

In this episode, you’ll learn:

Why small brands need relationships more than volume

How early mistakes can turn into long-term wins

What to watch out for when scaling distribution and operations

Jump into the conversation:

(00:00) Introducing Next Level Supply Chain

(01:34) Building a global mindset from four continents

(03:07) From McKinsey burnout to homemade “potions”

(06:06) Barcode errors and the pain of early logistics

(08:21) Growing Moment to 1,000 stores and 30 DCs

(11:33) What small brands can leverage on

(14:06) Collaborating with Lululemon

(17:15) Why Moment leans into a subscription model 

(20:39) Operational failures to learn from

(27:36) Aisha’s favorite technology

Connect with GS1 US:

Our website - www.gs1us.org

GS1 US on LinkedIn

 

Connect with the guest:

Aisha Chottani on LinkedInCheck out Moment

Play Video

Watch the full recording on YouTube.

Status: Verified by Presenter

Please note that ToIP used Google NotebookLM to generate the following content, which the presenter has verified.

Google NotebookLM Podcast

https://trustoverip.org/wp-content/uploads/EGWG-2025-05-15_-The-C2PA-Conformance-Program-Scott-Perry.wav

Here is a detailed briefing document reviewing the main themes and most important ideas or facts from the provided source, generated by Google’s NotebookLM:

Briefing Document: Review of C2PA and its Governance

Date: May 15, 2024
Source: Excerpts from “GMT20250515-145218_Recording_2560x1440.mp4”
Presenter: Scott Perry, Co-chair of Trust over IP’s Foundations Steering Committee, Founder and CEO of the Digital Governance Institute, Co-chair of the Creator Assertions Working Group at the Decentralized Identity Foundation (DIF).
Topic: C2PA (Coalition for Content Provenance and Authenticity) and the Application of Trust over IP’s Governance Metamodel.

1. Executive Summary

This briefing summarizes a presentation by Scott Perry on the Coalition for Content Provenance and Authenticity (C2PA) and the application of the Trust over IP (ToIP) governance metamodel to its conformance program. The C2PA is an industry-wide initiative creating a technical standard to attach “truth signals” or provenance information to digital objects. Facing a critical need to operationalize and govern this specification to ensure market trust and adoption, the C2PA has adopted the ToIP governance metamodel. This framework provides the necessary structure to establish a conformance program, define roles and responsibilities, manage risks, and create trust lists for compliant products and certification authorities. The program is set to officially launch on June 4th, initially focusing on self-assertion for conformance and introducing two levels of implementation assurance, with plans for independent attestation and higher assurance levels in the future.

2. Key Themes and Ideas The Problem of Trust in Digital Objects: The presentation highlights the growing challenge of establishing trust and authenticity for digital content in a world of easily manipulated or AI-generated media. This is particularly relevant for industries like telecommunications struggling with identity and verification, as noted by a participant’s observation about OTPs and SMS verification. C2PA as a Standard for Provenance and Authenticity: The C2PA specification aims to provide a technical solution by creating a “content credential” or manifest that is cryptographically bound to a digital object. This manifest acts as a ledger of actions taken on the object, providing a history and “nutrition label” of its source and modifications. “basically, it’s all of the major tech companies except Apple… coming together to create a standard for provenence, authenticity, truth signals on digital objects that can be digitally attached to digital objects.” Content Credential (Manifest): This is the core mechanism of the C2PA. It is a digitally attached ledger of actions taken on a digital object, such as “Camera took picture,” “edited picture,” or “an AI took this picture.” This manifest is “bound to it and linked to it” in a “cryptographically binding format,” providing tamper evidence. Scope of C2PA Responsibility: The C2PA primarily focuses on “created assertions,” which are “product-driven,” documenting actions taken within a product (e.g., a camera generating a picture, Photoshop editing an image). Distinction from “Gathered Assertions”: The C2PA does not take responsibility for “gathered assertions,” which are claims made by individuals or organizations outside of a product (e.g., “I Scott Perry took the picture” or industry-specific identifiers). These are the purview of other groups like CAWG (Content Authenticity Working Group) and related efforts like the Creator Assertions working group at DIF. Binding Mechanism: The C2PA uses X.509 certificates to bind the generator product to the digital asset. “when a picture is taken, the X509 certificate will be used will be binding it will be used to bind it bind the product to the asset.” This requires camera manufacturers and other product vendors to obtain certificates from approved Certification Authorities (CAs). The Need for Governance: While the C2PA created a technical specification, they recognized the critical need for a governance framework to operationalize and control the standard’s implementation and use in the market. “the key aspect is you have a spec out but you can’t control the use of the specification… they couldn’t get, you know, their arms around, you know, the on controlling its the specification use.” Application of ToIP Governance Metamodel: Scott Perry highlights how the ToIP governance metamodel provided the necessary structure for the C2PA to build its conformance program. “I came in with my toolkit from the the trust over IP project and it worked beautifully. It just created the structure to allow them to make the right decisions for themselves.” Key Components of the Governance Program (based on ToIP):Risk Assessment: Started with a “threats and harms task force” to identify major risks, particularly around the tampering of evidence and manifests. Governance Requirements and Framework: Defined primary documents (specification, security requirements, legal agreements) and control documents (privacy, inclusion, equitability requirements). A key output is a glossary of terms for the new ecosystem. Governance Roles and Processes: Identified key roles: the Governing Authority (C2PA Steering Committee), the Administering Party (Conformance Task Force), and Governed Parties (CAs, Generator Product companies, Validator Product companies). Legal Agreements: Formal agreements are being established between the C2PA and governed parties outlining roles, responsibilities, conformance requirements, and dispute resolution mechanisms. Conformance Criteria and Assurance: Defined based on the C2PA specification and implementation security requirements. The program includes “four levels of of assurance around the implementation of products,” though initially rolling out with two levels. These levels are tied to “security objectives” and assessed against the “target of evaluation” (the product and its supporting infrastructure). Conformance Process: Involves an intake form, application review, assessment of infrastructure (initially self-assertion, moving towards independent attestation), legal agreement signing, and adding records to trust lists. Residual Risk Assessment and Adaptation: The program includes a process to learn from the rollout, identify unmet requirements or issues, and adapt the program for continuous improvement. Trust Lists (Registries): Central to the program are trust lists identifying approved Generator Products, Validator Products, and Certification Authorities. A timestamp authority trust list is also being added. Levels of Assurance: The program is defining levels (initially rolling out two) to reflect different degrees of confidence in the implementation of the C2PA specification and associated security requirements. Achieving a higher level of assurance requires meeting all requirements for that level. Self-Assertion (Initial Rollout): Due to the complexity of auditing and getting the program launched quickly, the initial phase requires participants to self-assert that they meet the specification and requirements. Conformance Certificate: Upon successful conformance, products will receive a certificate tied to an OID (Object Identifier) denoting the assurance level they have achieved. This OID in the manifest’s certificate will identify the assurance level of the provenance information. JPEG Trust and Copyright: While C2PA provides provenance information that can be used for copyright, it doesn’t define ownership or copyright laws. JPEG Trust is mentioned as an organization creating an ISO standard focused on copyrights in concert with the C2PA standard. Relationship with W3C: The C2PA is actively engaged with the W3C, with discussions happening at the technical working group level regarding related standards like PROV (for provenance). Future Directions: Plans include introducing higher levels of assurance, implementing independent attested conformance, developing quality control software for assessing product compliance, and establishing a fee structure for the conformance program. CAWG (Content Authenticity Working Group) as a Broader Ecosystem: CAWG is viewed as a potentially larger ecosystem dealing with identity, metadata, endorsements, and AI learning process specifications, which will need to create their own applications and standards that can integrate with the C2PA foundation. 3. Important Ideas and Facts The C2PA is the Coalition for Content Provenance and Authenticity. It includes major tech and product manufacturers, excluding Apple initially but aiming to include them. The core technical output is the Content Credential (Manifest), a digitally attached ledger of actions on a digital object. The manifest provides tamper evidence and binds the product to the asset using X.509 certificates. C2PA focuses on “created assertions” (product-driven actions), leaving “gathered assertions” (individual/organizational claims) to other groups like CAWG. The Trust over IP governance metamodel has been successfully applied to structure the C2PA conformance program. The program addresses threats and harms related to tampering and requires adherence to implementation security requirements. The C2PA conformance program will officially launch on June 4th at the Content Authenticity Initiative symposium in New York City. The initial launch will include two levels of implementation assurance and a self-assertion confidence model. Key outputs of the governance program are legal agreements and trust lists of conforming products and certification authorities. The C2PA standard is becoming an ISO standard this year. Timestamp authorities will play a crucial role in providing trust signals related to the time of claim assertion. The program includes mediation and dispute resolution mechanisms in its legal agreements. The governance program provides the structure for the C2PA to “operationalize the spec” and control its use. 4. Key Quotes “basically, it’s all of the major tech companies except Apple… Coming together to create a standard for provenence, authenticity, truth signals on digital objects that can be digitally attached to digital objects.” “what it what it’s proposed to do is to create a ledger of actions against a digital object that is bound to it.” “It’s kind of the nutrition label on food… it’s really the nutrition label of all digital objects.” “The C2PA did not want to get involved in all of the the potential root, you know, actions and and variances about those types of things. They wanted to create the platform.” “They create the platform and they create the binding between the digital asset and the and the manifest using X509 certificates.” “The key aspect is you have a spec out but you can’t control the use of the specification… they couldn’t get, you know, their arms around, you know, the on controlling its the specification use.” “the governance program was needed to operationalize the spec. The spec was had, you know, a limitation in its usefulness without a governance program around it.” “I came in with my toolkit from the the trust over IP project and it worked beautifully. It just created the structure to allow them to make the right decisions for themselves.” “we’re creating a program which will hold generator and validator products accountable to the specific ification that’s already been published.” “We are creating two levels of implement implementation assurance and we are are using a self assertion confidence model we don’t have the mechanisms in place to hold organizations accountable for meeting the specification we don’t have an you know an assurance mechanism in place yet to do that.” “It is the hope that you know copyright laws can use the trust signals that are coming from the CTBA specification and conformance program in use for defining ownership and copyright.” “The conformance criteria is the spec and the spec is now at at level 2.2.” “we are looking at levels of assurance around the implementation of a product. Now it’s not just the product but it’s also its infrastructure.” “These are the kinds of records that were that are in the schema for the trust list.” 5. Next Steps Official launch of the C2PA conformance program on June 4th. Continued work on independent attestation and higher levels of assurance for the conformance program. Development of quality control software or processes for assessing product compliance. Ongoing collaboration with W3C and other relevant standards bodies. Further exploration of the broader CAWG ecosystem and its integration with C2PA.

This briefing provides a foundational understanding of the C2PA, its technical specification, and the crucial role of the newly established governance program, structured using the Trust over IP metamodel, in driving its adoption and ensuring trust in the digital content landscape.

For more details, including the meeting transcript, please see our wiki 2025-05-15 Scott Perry & The C2PA Conformance Program – Home – Confluence

https://www.linkedin.com/in/scott-perry-1b7a254/ https://digitalgovernanceinstitute.com/

The post EGWG 2025-05-15: The C2PA Conformance Program, Scott Perry appeared first on Trust Over IP.

NETOPIA Payments becomes the first online payment processor in the world to implement Click to Pay with Passkey FIDO (Fast Identity Online) – a modern online checkout solution built on EMV® global standards, designed to redefine the digital payment experience: faster, safer, and without manual card data entry.

Editors

Shane Weeden, IBM
An Ho, IBM

Abstract

Session hijacking is a growing initial attack vector for online fraud and account takeover. Because FIDO authentication reduces the effectiveness of other simpler forms of compromise, such as credential stuffing and phishing, cybercriminals turn to theft and re-use of bearer tokens. Bearer tokens are a form of credential which include session cookies used by browsers connecting to websites and OAuth access tokens used by other thick client application types such as native mobile applications. When these credentials are long-lived and can be “lifted and shifted” from the machine where they were created to be usable by a bad actor from another machine, their tradable value is significant. Emerging technologies such as Device Bound Session Credentials (DBSC) for browsers and Demonstrating Proof of Possession (DPoP) for OAuth applications seek to reduce the threat of session hijacking. This article describes how these technologies address the problem of session hijacking and how they complement strong phishing resistant authentication in online ecosystems.

Audience

This white paper is for chief information security officers (CISOs) and technical staff whose responsibility it is to protect the security and life cycle of online identity and access management from online fraud. 

Download the White Paper 1. Introduction

Authentication and authorization are integral parts of an identity lifecycle, especially for online credential ecosystems. The growing threat of online identity fraud with costly security incidents and breaches has enterprises looking for ways to protect and secure their workforces from account takeover through different attack vectors such as phishing, credential stuffing, and session hijacking. For authentication, FIDO authentication with passkeys provides users with “Safer, more secure, and faster online experiences”, and an increase in the adoption of passkeys has contributed to a reduction of the success of attack vectors of credential phishing, credential stuffing, and session hijacking accomplished via man-in-the-middle (MITM) phishing attacks. However, what happens after the authentication ceremony?

After authentication, browsers and application clients are typically issued other credentials. Enterprise applications generally fall into two primary categories: those that are web browser based and use session cookies for state management and those that are thick client applications using OAuth access tokens (this includes some browser-based single page applications and most native mobile applications). Both types of credentials (session cookies and access tokens) are considered, in their basic use, as “bearer” tokens. If you have the token (the session cookie or the access token), then you can continue to transact for the lifetime of that token as the user who authenticated and owned it.This whitepaper explores adjacent technologies that address the “lift and shift” attack vector for bearer tokens and how these technologies complement FIDO-based authentication mechanisms. In particular, this paper focuses on the proposed web standard Device Bound Session Credentials (DBSC) for protecting browser session cookies and OAuth 2.0 Demonstrating Proof of Possession (DPoP) for protecting OAuth grants.

2. Terminology

session hijacking: An exploitation of the web session control mechanism that is normally managed for a session cookie.

credential stuffing: An automated injection of stolen username and password pairs (credentials) into website login forms to fraudulently gain access to user accounts.

1. Passkeys – https://fidoalliance.org/passkeys/
2. Device Bound Session Credentials – https://github.com/w3c/webappsec-dbsc
3. OAuth 2.0 Demonstrating Proof of Possession (DPoP) – RFC9449: https://datatracker.ietf.org/doc/html/rfc9449
4. Session hijacking attack https://owasp.org/www-community/attacks/Session_hijacking_attack
5. Credential stuffing https://owasp.org/www-community/attacks/Credential_stuffing

access token: A credential used by a client-side application to invoke API calls on behalf of the user.

session cookie: A credential managed by browsers to maintain session state between a browser and a website.

bearer token: A token (in the context of this whitepaper may refer to either an access token or a session cookie) so called because whoever holds the token can use it to access resources. A bearer token on its own can be “lifted and shifted” for use on another computing device.

sender-constrained token: A token protected by a mechanism designed to minimize the risk that anything other than the client which established the token during an authentication process could use that token in subsequent requests for server-side resources.

Device Bound Session Credential (DBSC): A proposal for a W3C web standard defining a protocol and browser behavior to establish and maintain sender-constrained cookies. The mechanism uses proof of possession of an asymmetric cryptographic key to help mitigate session cookie hijacking.OAuth 2.0 Demonstrating Proof of Procession (DPoP): A mechanism for implementing sender-constrained access tokens that requires clients to demonstrate possession of an asymmetric cryptographic key when using the token.

OAuth 2.0 Demonstrating Proof of Procession (DPoP): A mechanism for implementing sender-constrained access tokens that requires clients to demonstrate possession of an asymmetric cryptographic key when using the token.

3. Adjacent/complementary technologies for a secure ecosystem

While FIDO authentication technology can effectively eliminate phishing and credential stuffing attacks that occur during the login process, the addition of solutions to mitigate threats associated with bearer token theft is equally important. Bad actors whose attacks are thwarted during the login process will go after the next weakest link in the chain and try to steal post-authentication bearer tokens. This section explores two of these technologies for protecting bearer tokens: Device Bound Session Credentials (DBSC) protect browser-based session cookies and Demonstrating Proof of Possession (DPoP) protects OAuth grants. Alternative approaches to protect bearer tokens are also discussed.

Because no single piece of technology can protect against all threats, a combination of multiple techniques is required for adequate protection.

Table 1: Combination of technologies for increased security

TechnologiesAuthentication threatsPost-authentication threatsRemote PhishingCredential StuffingToken TheftPasskeysDBSC/DPoPPasskeys + DBSC/DPoP

3.1 Browser session cookie security

Before discussing Device Bound Session Credentials (DBSC), you will need to understand the problem being addressed regarding browser session cookies. Session hijacking via cookie theft allows an attacker, who possesses stolen cookies, to bypass end-user authentication, including any strong or multi-factor authentication (MFA). This is particularly problematic when browsers create long-lived session cookies (which are a type of bearer token), since these cookies can be traded as alternatives to a user’s primary authentication credentials and then used from the attacker’s machine. This can lead to unauthorized access to sensitive data, financial loss, and damage to an organization’s reputation. 

Attackers perform cookie theft through various methods such as man-in-the-middle phishing of a user’s existing MFA login process (when phishing-resistant authentication such as FIDO is not used), client-side malware, and occasionally through vulnerabilities in server-side infrastructure or software. Regardless of how cookie theft is perpetrated, when successful, these attacks are not only dangerous, but also hard to isolate and detect. Complementary technologies, such as Device Bound Session Credentials (DBSC), minimize the risks associated with browser cookie theft by making stolen cookies impractical to use from any machine other than the machine to which they were issued during authentication.

3.2 Device Bound Sessional Credentials – DBSC

DBSC refers to a proposed web standard currently in development within the Web Application Security working group of the W3C[2]. The goal of DBSC is to combat and disrupt the stolen web session cookies market. This is achieved by defining an HTTP messaging protocol and required browser and server behaviors to result in binding the use of application session cookies to the user’s computing device. DBSC uses an asymmetric key pair and in browser implementations the private keys should be unextractable by an attacker – for example stored within a Trusted Platform Module (TPM), secure element, or similar hardware-based cryptographic module.

At a high level, the API in conjunction with the user’s browser and secure key storage capabilities, allows for the following:

The server communicates to the browser a request to establish a new DBSC session. This includes a server-provided challenge. The browser generates an asymmetric key pair, then sends the public key along with the signed challenge to the server. This process is referred to as DBSC registration. Browser implementations of DBSC should use operating system APIs that facilitate secure, hardware-bound storage and use of the private key. The server binds the public key to the browser session by issuing a short-lived, refreshable auth_cookie which is then required to be transmitted in subsequent browser requests to the web server.

As the auth_cookie regularly expires, a mechanism is required for the browser to refresh the auth_cookie asynchronously to primary application web traffic. The refresh process requires signing a new server-issued challenge with the same private key created during DBSC registration, thereby re-proving (regularly) that the client browser is still in possession of the same private key.

Limiting the lifetime of the auth_cookie to short periods of time (for example, a few minutes) disrupts the market for trading long-lived session cookies. An attacker can only use stolen session cookies (including the auth_cookie) for a brief period, and cannot perform a refresh operation, since the private key required to perform a refresh operation is not extractable from the client machine.

DBSC may be introduced into existing deployments with minimal changes to the application. This is important as DBSC could easily be incorporated as a web plugin module in existing server-side technology (for example, Apache module, Servlet Filter, or reverse proxy functionality). This permits enterprises to roll out deployment of DBSC in phases without a complete overhaul of all current infrastructure and companies can prioritize certain critical endpoints or resources first.

DBSC server-side implementations can also be written in a manner that permits semantics, for example: “If the browser supports DBSC, use it, otherwise fallback to regular session characteristics.” This allows users to gain the security advantages of DBSC when they use a browser that supports it without having to require all users to upgrade their browsers first.

Refer to the Device Bound Session Credentials explainer for more details on the DBSC protocol and standard, including a proposal for enterprise-specific extensions that adds attestation to DBSC keypairs.

3.2.1 What makes DBSC a technology complementary to FIDO?

The DBSC draft standard permits the login process to be closely integrated with the DBSC API. While FIDO is a mechanism that makes authentication safer and phishing resistant, DBSC is a mechanism that makes the bearer credential (session cookie) safer post-authentication. They complement each other by reducing the risk of account takeover and abuse, making the entire lifecycle of application sessions safer.

3.2.2 Alternative solutions

DBSC is not the first standard to propose binding session cookies to a client device. Token Binding is an alternative that combines IETF RFCs 8471, 8472, and 8473. Token Binding over HTTP is implemented via a Transport Layer Security (TLS) extension and uses cryptographic certificates to bind tokens to a TLS session. Token Binding has had limited browser adoption and is complex to implement as it requires changes at the application layer and in TLS security stacks. The Token Binding over HTTP standard has not been widely adopted and only one major browser currently offers support.

3.2.3 Advice

The DBSC standard relies on local device security and operating system APIs for storage and use of the private key that is bound to the browser’s session. While these private keys cannot be exported to another device, the key is available on the local system and may be exercisable by malware residing on the user’s device. Similarly, in-browser malware still has complete visibility into both regular session cookies and short-lived auth_cookies. DBSC is not a replacement for client-side malware protection, and the threat model for DBSC does not provide protections from persistent client-side malware. Ultimately, the user must trust the browser.

As browsers start to support DBSC over time, it will be important for servers to be able to work with a mix of browsers that do and do not include support for this technology. Some enterprises may dictate that corporate issued machines include browsers known to support DBSC, but many will not. It will be necessary for server-side implementations to take this into consideration, using DBSC when the browser responds to registration requests, and tolerating unbound session cookies when the browser does not. When building or choosing a commercial solution, ensure you consider this scenario, and include the ability to implement access control policies that strictly require DBSC in highly controlled or regulated environments or for specific applications.

At the time of writing, DBSC is in early evolution. It remains to be seen whether or not it will be widely adopted by browser vendors. The hope is that incubating and developing this standard via the W3C will result in wider adoption than previous proposals, similar to the way that the WebAuthn API has been adopted to bring passkey authentication to all major browser implementations.

4. OAuth grants

The previous section introduced DBSC as a means to protect against session cookie theft in web browsers. Thick application clients, including mobile applications and single-page web applications, typically use stateless API calls leveraging OAuth grants instead of session cookies. An OAuth grant may be established in several ways, with the  recommended pattern for thick clients being to initially use the system browser to authenticate a user, and grant access for an application to act on their behalf. Conceptually this is remarkably similar to browser-based sessions, including the ability and recommendation, to use FIDO authentication for end-user authentication when possible. At the conclusion of the browser-based authentication portion of this flow, control is returned to the thick client application or single-page web application where tokens are established for use in programmatic API calls. 

The challenge that occurs from this point forward is almost identical to that described for browsers – the OAuth tokens are bearer tokens that if exposed to a bad actor can be used to call application APIs from a remote machine instead of from the legitimate application.

This section describes the use of DPoP, a technology for protecting the “lift and shift” of credentials used in OAuth-protected API calls which, just like DBSC, makes use of an asymmetric key pair and ongoing proof of possession of the private key.

4.1 Demonstrate Proof of Possession (DPoP)

OAuth 2.0 Demonstrating Proof of Possession (DPoP) is an extension of the existing OAuth 2.0 standard for implementing device bound (or sender-constrained) OAuth access and refresh tokens. It is an application-level mechanism that allows for the tokens associated with an OAuth grant (that is, refresh tokens and access tokens) to bind with the requested client using a public and private key pair. This requires the client to prove ownership of its private key to the authorization server when performing access token refresh operations and to resource servers when using access tokens to call APIs.

6. OAuth 2.0 for Native Apps https://datatracker.ietf.org/doc/html/rfc8252

High assurance OpenID specifications, such as Financial-grade API (FAPI 2.0), mandate the use of sender-constrained tokens and DPoP is the recommended method for implementing this requirement when Mutual TLS (mTLS) is not available.

At a high level, DPoP requires that:

The client generates a per-grant public/private key pair to be used for constructing DPoP proofs. Best practice implementations should use operating system APIs to ensure the private key is non-extractable. On initial grant establishment (for example, exchanging an OAuth authorization code for the grant’s first access token and refresh token), a DPoP proof (a JWT signed by the client’s private key that contains, among other things, a copy of the public key) is used to bind a public key to the grant. Requests to a resource server using an access token obtained in this manner must also include a DPoP proof header, continuously proving possession of the private key used during grant establishment. This is done for every API request. Resource servers are required to check if an access token is sender-constrained, confirm the public key, and validate the DPoP proof header on each API call. For public clients, subsequent refresh_token flows to the authorization server’s token endpoint must also contain a DPoP proof signed with the same key used during initial grant establishment. This is particularly important as the refresh tokens are often long-lived and are also a type of bearer token (that is, if you have it you can use it). The authorization server must enforce the use of a DPoP proof for these refresh token flows and ensure signature validation occurs via the same public key registered during initial grant establishment.

Unlike a plain bearer access token which can be used by any holder, DPoP based access tokens are bound to the client that initially established the OAuth grant, since only that client can sign DPoP proofs with the private key. This approach minimizes the risks associated with malicious actors trading leaked access tokens.

Refer to DPoP RFC 9449 – OAuth 2.0 Demonstrating Proof of Possession (DPoP) for more information.

4.2 What makes DPoP a complementary technology to FIDO?

FIDO can be leveraged for phishing resistant end-user authentication during establishment of an OAuth grant. Refresh and access tokens obtained by a client following this authentication should be safeguarded against “lift and shift” attacks just like session cookies in browser-based apps. DPoP is a recommended solution for protecting these OAuth tokens from unauthorized post-authentication use. Together, FIDO for end user authentication and DPoP for binding OAuth tokens to a client device complement each other to improve the overall security posture for identities used in thick client applications.

4.2.1 DPoP alternative solutions?

RFC8705 – OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens describes a mechanism that offers a transporter layer solution to bind access tokens to a client certificate. While it has been approved for use in FAPI 2.0 for open banking solutions, it is not particularly suitable for public clients such as native mobile applications.

RFC9421 – HTTP Message Signatures defines an application-level mechanism for signing portions of an HTTP message. Key establishment and sharing between the client and verifier are not defined by this specification, although this could be performed in a trust on first user manner during initial grant establishment in a similar manner to DPoP. There is no known public specification that maps the use of HTTP message signatures to the use case of sender-constrained bearer tokens in an OAuth client application. In the absence of such a public specification, widespread adoption for this use case is unlikely.

4.2.2 Advice

Sender-constrained tokens are a good idea, and, in some deployments, they are a regulatory requirement. For example, use of the FAPI profiles of OAuth is now mandated by many sovereign open banking initiatives. DPoP is a relatively simple way to achieve this requirement and is flexible enough to cover a wide range of application client types. That said, care must still be taken to adhere to the security considerations of DPoP. Pay close attention to section 11 of RFC9449, as well as apply other application security strategies for native or browser based single page applications as your scenario dictates. Remember that DPoP is focused solely on addressing the threats associated with token exfiltration, which include trading and use by malicious actors. It should be considered part of a defense-in-depth strategy for OAuth applications.

5. Conclusion

The intent of this paper is to inspire thinking around how different web security standards fit together and how those standards relate to the use of FIDO authentication for users. There are so many standards and standards bodies that it is often hard to understand which compete in the same space and which augment one another to form part of a comprehensive defense-in-depth strategy for identity fraud protection in online applications.

This paper tackled a specific, prevalent application security problem – the malicious trading and use of stolen cookies and access tokens. This paper also showed how technologies such as DBSC and DPoP mitigate the threats associated with token theft and how these technologies are complementary to FIDO authentication. Paired with FIDO, DBSC and DPoP provide greater overall identity fraud protection for your applications.

cross-posted on the Amnesty UK blog

Community-driven change is more important than ever. Whether we are advocating for social justice, environmental sustainability, or political reform, collective action is how we create lasting impact. But how do we build a movement that starts with individual curiosity and grows into sustained activism? That’s where the Amnesty International UK (AIUK) community platform project comes in — a digital hub designed to empower individuals, support collaboration, and drive meaningful change.

This blog post outlines how the platform and community strategy work together to guide people from discovery of the AIUK community to becoming activists within it.

1. Discovery

The journey of community-driven change starts with discovery. This is the stage where individuals first come into contact with AIUK. Maybe they learn about an issue, identify it as important, and begin to consider how they might want to get involved. Or maybe they meet someone at a demonstration, and discover the community first-hand.

AIUK social media, through broadcasting, is just one tool that helps people discover Amnesty International UK. AIUK makes complex issues accessible and relatable. We want to do the same as AIUK highlights grassroots efforts and community initiatives.

We want to encourage posts that show:

Our dedicated community and highlight key grassroots initiatives and campaigns. Signposts to find local groups or events based on interests. Digital actions, such as petitions or downloading campaign guides, to help users take their first steps.

Such content ensures that even people who are new can find relevant AIUK communities and take the first steps toward engagement.

2. Intention to Engage

Once someone discovers a cause they care about, the next step is forming an intention to engage. This stage is all about commitment — moving from passive interest to active participation.

By showcasing community on the AIUK website, we both invite people in and celebrate what the community is achieving. We want to present clear pathways for involvement and help community members inspire others to take steps towards action.

We need to figure out processes that help:

Goal-setting: Encouraging community members to set personal milestones, like committing to attend 100 meetings. Sharing success: Telling success stories and finding testimonials that effectively attract new people while celebrating community achievements. Balancing information: Showcasing static information about past successes with dynamic, real-time updates on current campaigns from the community.

By making it easy for people to express their intent and take small but meaningful steps, we build confidence and lay the groundwork for deeper engagement.

3. Taking Action: Turning Intent into Impact

With intention comes action, and this is where real change begins. At this stage, people start to feel a sense of belonging and are ready to contribute to a cause they care about.

A knowledge base can help equip users with actionable tools. We’ll need clear resources and learning pathways that:

Guide people to the right information: Whether it’s organising a protest, writing letters to policymakers, or starting a local campaign, the knowledge hub can provide step-by-step guidance tailored to issues we work on. Help people collaborate: People should be able to connect with others who share their interests and work together on projects — whether virtually or in person. Best practices and community policies may also be at home in the knowledge hub. Show them into the community: Make sure that people feel supported and seen as they take action. Create an architecture of participation that brings them into the community platform.

This stage is about turning isolated actions into collective power, with the support of the community ensuring that every contribution counts.

4. Sustaining Action: Building Lasting Commitment

Sustained action is the key to creating lasting change. Too often, movements fizzle out after an initial burst of energy, but with a strong community strategy and integrated platform, we can keep momentum going.

To sustain engagement, the community platform needs to help people align with others in the AIUK movement. We need to think about:

Feedback loops: Regular check-ins with the community to understand their needs and ensure that we are adapting the community strategy and platform accordingly. A recognition ecosystem: Using digital badges and shoutouts for individuals or groups who demonstrate consistent commitment to help us make activism more visible. Storytelling opportunities: Sharing success stories and lessons learned will inspire others and keep motivation high.

By encouraging a sense of belonging and purpose, we ensure that members find reasons to continue building collective power for human rights.

5. Becoming an Activist: Empowering Future Leaders

The final stage is becoming an activist. At this point, individuals understand that community isn’t one person, but rather all of us. They begin to work on behalf of others, coordinate together and lift people up with their leadership.

These leaders will use other coordination tools and processes and that’s great! We want to empower the development of activist and leadership skills. We’ll need:

Decentralised coordination best practices: For members who are ready to take on larger roles, such as leading groups or campaigns. Mentorship programs: Connecting experienced activists with newcomers to share knowledge and build networks. Advocacy training: Workshops, webinars, and resources focused on effective communication, policy advocacy, and community organising.

Through these efforts, we can go beyond nurturing individual leaders to continue building a movement.

The Power of Community Work in Driving Change

The journey from discovery to becoming an activist is a process of gradual engagement and empowerment. There is a system of platforms, processes and content that help AIUK move people towards becoming an activist. Although we use various digital tools, the journey is an emotional and social one.

We are working hard to make sure the community platform project harnesses the collective strength of our community and makes a difference that lasts.

Thirteen years after The Intention Economy was published by Harvard Business Review Press, there are now four clear paths toward making it come true.

IEEE P7012, aka MyTerms. This will make individuals first parties in their agreements with companies, completely flipping the status quo that has been with us since industry won the Industrial Revolution and manifests today in those insincere and annoying cookie notices that interrupt your experience every time you visit a new website or open a new app. MyTerms makes each of us first parties in agreements with sites and services, and in full charge of personal privacy online. The First Person Project, or FPP  (website pending). With help on the buy side from Customer Commons and on the sell side by Ayra, we can finally replace “show your ID” with verifiable credentials presented on an as-needed basis by independent and self-sovereign individuals operating inside their own webs of trust. Visa Intelligent Commerce, which will make intentcasting happen in a big way. It will also elevate the roles of Inrupt and the open-source  Solid Project. Personal AI. This is AI that is as much yours as your shoes, your bike, and your PC. Personal, not personalized.

To explain how these will work together, start here:

Not long after The Intention Economy came out in May, 2012, Robert Thomson, Managing Editor of The Wall Street Journal, wanted the book’s opening chapter to serve as the cover essay for the Marketplace section of an upcoming issue. Harvard Business Review Press didn’t like that idea, so I wrote an original piece based on one idea in the book: that shoppers will soon be able to tell the market what they’re looking for, in safe, secure and anonymous ways—a kind of advertising in reverse that the book called “personal RFPs” and has since come to be called “intentcasting.” This became The Customer as a God: The image above was the whole cover of the Marketplace section on Monday,  July 23, 2012. The essay opened with these prophetic words: “It’s a Saturday morning in 2022…”

It is now a Friday morning in 2025, and that godly future for customers is still not here. Yes, we have more market power than in 2012, but we are digital serfs whose powers are limited to those granted by  Amazon, Apple, Facebook, Google, Microsoft, and other feudal overlords. This system is a free market only to the degree that you can choose your captor.  This has led to—

The IONBA (Internet Of Notning But Accounts) is based on a premise: that the best customers are captive ones. In this relic of the industrial age, customers are captive to every entity that requires logins and passwords. Customers also have no ways of their own to globally control what data is collected about them, or how. Or to limit how that data is used.  This is why our digital lives are infected by privacy-killing data-collection viruses living inside our computers, phones, TVs, and cars.

If you didn’t know about those last two, dig:

Consumer Reports says “All smart TVs—from Samsung, LG, you name it—collect personal data.” They also come with lame “privacy” controls, typically buried deep in a settings menu. (Good luck exhuming them. The ones in our TCL and Samsung TVs have all but disappeared.) Mozilla calls new cars “the Worst Product Category We Have Ever Reviewed for Privacy.” There is also nothing you can do to stop your car from reporting on everything your car does—and everything you do, including sexual ativity—to the carmaker, insurance companies, law enforcement, and who knows who else. This data goes out through your car’s cell phone, misleadingly called a telematics control unit. The antenna is hidden in the shark fin on your car’s roof or in an outside mirror.

Businesses are also starting to lose faith in surveillance, for at least eight reasons:

People hate it. They also fight it. By 2015 ad blocking and tracking protection were the biggest boycott in world history. It tarnishes brands. Ad fraud is a gigantic problem, and built into the system. It commits Chrysoogocide (killing golden geese, most notably publishers). Bonus link. Regulatory pressure against it is getting bigger all the time. Advertisers are finally remembering that brands are made by ads aimed at populations, while personalized ads are just digital junk mail. Customers are using AI tools for guidance toward a final purchase, bypassing marketing schemes to bias purchasing decisions along the way. For more on that, see Tom Fishburne’s cartoon, and Bain’s report about it.

So our four roads to The Intention Economy start with the final failings of the systems built to prevent it. Now let’s look at those roads.

1—IEEE P7012 “MyTerms”

MyTerms, the most important standard in development today, will be a keystone service of Customer Commons, the nonprofit spinoff of ProjectVRM. It will do for contract what Creative Commons did for copyright: give individuals a new form of control. With MyTerms, agreements between customers and companies will be far more genuine mutual, and open to new forms of innovation not based on the kind of corporate control that typifies the IONBA. For example, it can open Visa Intelligent Commerce to conversations and relationships that go far past transaction. Take for example Market intelligence that flows both ways. While this has been thinkable for a decade or more (that last link is from 2016), it’s far more do-able when customers and companies have real relationships based on equal power and mutual interests. These are best framed up on agreements that start on the customer’s side, and give customers scale across all the companies with which they have genuine relationships.

2—First Person Project (FPP)

To me, FPP begins with the vision “Big Davy” Sallis came up with while he was working for VISA Europe in 2012, and read the The Intention Economy. At the time, he wanted Visa to make VRM a real category, but assumed that would take too long. So he decided to create a VRM startup called Qredo. Joyce and I consulted Qredo until  Davy died (far too young) in 2015. Qredo went into a different business, but a draft I created for Qredo’s original website survives, and it outlines much of what the  FPP will make possible. That effort is led by Drummond Reed, another friend and collaborator of Davy’s and a participant in ProjectVRM from the start. Drummond says the FPP is inspired by Why We Need First Person Technologies on the Net, a post published here in 2014. That post begins,

We need first person technologies for the same reason we need first person voices: because there are some things only a person can say and do.

Only a person can use the pronouns  “I,” “me,” “my” and “mine.” Likewise, only a person can use tools such as screwdrivers, eyeglasses and pencils. Those things are all first person technologies. They were invented for individual persons to use.

We use first person technologies the same unique ways we use our voices.

Among other things, the First Person Project will fix how identity works on the Internet. With FPI—First Person Identity—interactions with relying parties (the ones wanting “your ID”) don’t need your drivers license, passport, birth certificate, credit card, or account information. You just give them what’s required, on an as-needed basis, in the form of verifiable credentials. The credentials you provide can verify that you are a citizen of a country, licensed to drive, have a ticket to a game, or whatever. In other words, they do what Kim Cameron outlined in his Laws of Identity: disclose minimum information for constrained uses (Law 2) to justifiable parties (Law 3) under your control and consent (Law 1). The credential you present is called a DID: a Decentralized Identifier. No account is required.

Trust in FPI also expands from individual to community. Here is how Phil Windley explains it in Establishing First Person Digital Trust:

When Alice and Bob met at IIW, they didn’t rely on a platform to create their connection. They didn’t upload keys to a server or wait for some central authority to vouch for them. They exchanged DIDs, authenticated each other directly, and established a secure, private communication channel.

That moment wasn’t just a technical handshake—it was a statement of first-person identity. Alice told Bob, “This is who I am, on my terms.” Bob responded in kind. And when they each issued a verifiable relationship credential, they gave that relationship form: a mutual, portable, cryptographically signed artifact of trust. This is the essence of first-person identity—not something granted by an institution, but something expressed and constructed in the context of relationships. It’s identity as narrative, not authority; as connection, not classification.

And because these credentials are issued peer-to-peer, scoped to real interactions, and managed by personal agents, they resist commodification and exploitation. They are not profile pages or social graphs owned by a company to be monetized. They are artifacts of human connection, held and controlled by the people who made them. In this world, Alice and Bob aren’t just users—they’re participants.

This also expands outward into community, and webs of trust. You get personal agency plus community agency.

The FPP covers a lot more ground than identity alone, but that’s where it starts. Also, Customer Commons is a funding source for the FPP, and I’m involved there as well.

3—Visa Intelligent Commerce

The press release is Find and Buy with AI: Visa Unveils New Era of Commerce. Less blah is Enabling AI agents to buy securely and seamlessly. Here’s the opening copy.

Imagine a future where an AI agent can shop and buy for you. AI commerce — commerce powered by an AI agent — is going to transform the way consumers around the world shop.

Introducing Visa Intelligent Commerce, an initiative that will empower AI agents to deliver personalized and secure shopping experiences for consumers – at scale.

From browsing and selection to purchase and post-purchase management, this program will equip AI agents to seamlessly manage key phases of the shopping process.

Visa CEO Ryan McInerney says a lot more in a 1:22 talk at Visa Product Drop 2025. The most relevant part starts about 26 minutes in, with a demo starting at about 31:30. Please watch it. Much of what you see there owes to Inrupt and Solid, which Sir Tim Berners-Lee says were inspired by The Intention Economy. For more about where Inrupt and Solid fit in Visa Intelligent Commerce, see Standards for Agentic Commerce: Visa’s Bold Move and What It Means: Visa’s investment in safe Intelligent Commerce points to a future of standards-forward personal AI, by John Bruce, Inrupt’s CEO. John briefed Joyce and me over Zoom the other day. Very encouraging, with lots to develop on and talk about.

More links:

A tweet appreciative of Inrupt by Visa’s @JackForestell Privacy for Agentic AI, by Bruce Schneier, Inrupt’s CISO (as well as the world’s leading security expert, and an old pal through Harvard’s Berkman Klein Center). Also from Bruce: What Magic Johnson and Bruce Schneier taught us at RSAC 2025 and RSAC 2025: The Pioneers of the Web Want to Give You Back Control of Your Data Visa announces AI Agent Payment APIs – and a pathway to Empowerment Tech, by Jamie Smith, who writes Customer Futures, the most VRooMy newsletter out there.

Some news being made about Visa Intelligent Commerce:

Visa partners with AI giants to streamline online shopping Visa Gives AI Shopping Agents ‘Intelligent Commerce’ Superpowers Visa launches ‘Intelligent Commerce’ platform, letting AI agents swipe your card—safely, it says How major payment companies could soon let AI spend your money for you Visa, Mastercard offer support for AI agents Visa wants to give artificial intelligence ‘agents’ your credit card Visa adds ‘unknown concept’ where AI makes purchases for you – but shoppers suspect more ‘sinister purpose’ Visa Unveils Intelligent Commerce to Power AI-Driven Payments

4—Personal AI

Reza Rassool was also inspired by The Intention Economy when he started Kwaai.ai, a nonprofit community developing open-source personal AI. I now serve Kwaai as its volunteer Chief Intention Officer.

Let’s look at what personal AI will do for this woman:

Looks great, but we’re stuck in IONBA, she has little control over her personal data in all those spaces. For example,

She doesn’t have the digital version of what George Carlin called “a place for my stuff.” (Watch that video. It’s brilliant—and correct.) She has few records of where she’s been, who she’s been with and when—even though apps on her phone know that stuff and are keeping it inside the records of her giant overlords and/or selling it to parties unknown, with no way yet for getting it back for her own use. Her finances are possibly organized, but scattered between the folders she keeps for taxes, plus the ones that live with banks, brokers, and other entities she hardly thinks about. It would be mighty handy to have a place of her own where she could easily see all her obligations, recurring payments, subscriptions, and other stuff her counterparties would rather she not know completely. Her schedules are in Apple, Google, and/or Microsoft calendars, which are well app’d and searchable, but not integrated. She has no digital calendar that is independent and truly her own. Her business and personal relationship records are scattered across her contact apps, her Linkedin page, and piles of notes and business cards. She has no place or way of her own to manage all of them. Her health care records (at least here in the U.S.) are a total mess. Some of them ares inside the MyCharts and patient portals provided by separate (and mostly unconnected) health care specialists and medical systems. Some of it is in piles of printouts she has accumulated (if she’s kept them) from all the different providers she has seen. Some of it is in fitness and wellness apps, all with exclusive ways of dealing with users. None of it is in a unified and coherent form.

So the challenge for personal AI is pulling all that data out of all her accounts, and putting it into forms that give her full agency, with the help of her personal AIs.  Personalized AIs from giants can’t do that. We need our own personal AIs.

And there we have it: Four roads to a world where free customers prove more valuable than captive ones. And we’re making it happen. Now.