Organizations | Identosphere Blogcatcher

China is good at making things and is getting better. Since launching economic reforms in the early 1980s, it has become the world’s hub for producing everything from toys to...

This appears atop a DuckDuckGo search. A few years ago, numbers 1 and 2 would have been down next to number 6.

I wrote a chapter on Agency in The Intention Economy because back then (2012) the word mostly meant an insurance or advertising business. The earlier meaning, derived from the Latin agere, meaning “to do,” had mostly been forgotten.

Now agency is everywhere, and is given fresh meaning with the adjective agentic.

We can thank AI for that. The big craze now is to have AI agents for everything, and to make all kinds of stuff “agentic,” using AI.

Including each of us. We should all maximize our agency with our own personal AI.

With that in mind, and thinking toward upcoming conferences on AI (and our own VRM Day, this coming October 19th ), I just added this section to the VRM Development Work page in our wiki:

Personal AI

Balnce.ai † “Your personal AI, your loyal agents and a network that makes your data work for you.”

Base.org “Base is built to empower builders, creators, and people everywhere to build apps, grow businesses, create what they love, and earn onchain.”

Decentralized AI Agent Alliance “…offers a compelling alternative, giving individuals sovereignty, including ownership of their identity and data.”

GPTbuddy “Human in the loop AI” ([1] @GPTbuddy) is in development by FractalNetworks.

Kwaai “a volunteer-based AI research and development lab focused on democratizing artificial intelligence by building open source Personal AI.” Also, KwaaiNet “AI running distributed on a P2P fabric,” now (July 2025) with Verida “Create and deploy personalized AI agents with secure data connectors, custom knowledge bases, and configurable inference endpoints.”

NANDA: The Internet of AI Agents “Pioneering the Future of Agentic Web.”

The AI Alliance “building and advancing open source AI agents, data, models, evaluation, safety, applications and advocacy to ensure everyone can benefit.”

Please add more, or make corrections on what’s there. If you don’t have editing privileges, just write to me and I’ll make the changes. Thanks!

Chinese automakers are imitating not to flatter but to profit. Companies such as Chery, Xiaomi, and Zeekr appear to be drawing heavily from premium Western car designs, banking on familiar...

About DIACC

The Digital ID & Authentication Council of Canada is a public–private coalition working to advance a trusted Canadian digital economy through open, industry-driven frameworks for identity, authentication, and trust services. DIACC stewards the Pan‑Canadian Trust Framework™ (PCTF). This consensus-developed, living industry standards-based framework aligns with national priorities and global norms to support interoperability, privacy, and digital trade readiness across sectors and borders.

Addressing the Consultation Scope

The consultation invites input on digital trade topics such as:

Digital identities, trust services, and authentication Electronic transactions and e‑signatures Cross‑border data flows and localization requirements Consumer protection, fraud prevention, and cybersecurity Digital inclusion and participation of MSMEs Artificial intelligence and emerging technologies Standards, interoperability, and regulatory alignment

This submission addresses each of these priority areas with a clear emphasis on the role of the PCTF and industry‑led standards in advancing Canada’s trade, regulatory predictability, and inclusion objectives.

Executive Summary of Recommendations Mutual Recognition of Industry Standardized Trust Frameworks
Support interoperability between the PCTF and the EU’s eIDAS 2.0 framework to facilitate secure digital trade in regulated sectors (e.g., housing, finance, energy), while maintaining Canada’s ability to define and govern its trust standards to reflect domestic policy and legal norms.
Mutual Recognition of Trust Frameworks
Support interoperability between the PCTF and the EU’s eIDAS 2.0 framework to facilitate secure digital trade in regulated sectors (e.g. housing, finance, energy).
Economic Growth in Key Sectors
Enable standards-based digital trust infrastructure to promote inclusion, reduce friction, accelerate and unlock innovation in e-commerce, housing finance, energy trading, public services, and cross-border logistics.
Recognition of Digital Sovereignty
Acknowledge that frameworks like the PCTF deliver practical, scalable solutions that complement formal national and international standards, strengthening the country’s digital sovereignty by ensuring homegrown, democratically governed solutions play a core role.
Secure and Privacy‑Respecting Cross‑Border Data Flows
Align privacy and cybersecurity standards to preserve both trust and efficiency, enabling secure cross-border data sharing.
Cybersecurity, Fraud Prevention & Consumer Protection
Leverage shared industry- and government-level practices, including fraud mitigation, identity-proofing, and privacy‑by‑design, to protect consumers in cross-border digital transactions.
Digital Inclusion and MSME Participation
Ensure the agreement empowers micro, small and medium enterprises, especially in rural, Indigenous and remote communities, to participate securely in digital trade. Industry‑Led Standards in Canada’s Digital Trade Toolkit

Industry frameworks, such as the PCTF, serve as deployable tools within a broader toolkit that includes national and international standards. While ISO or eIDAS establish global principles, industry-led standards:

Translate principles into workable operational guardrails (e.g. technical protocols, risk models). Accelerate adoption through flexible, market-driven updates. Preserve national sovereignty by ensuring Canadian-made governance structures retain accountability and transparency. Bridge jurisdictional or regulatory gaps. And prepare the ground for future alignment or recognition.

In the Canada-EU context, the PCTF has the scale, backing, and governance necessary to serve as a core commercial interoperability engine alongside formal standards.

Alignment with Consultation Topics Digital Identities, Trust Services & Electronic Transactions Support mutual recognition of digital credentials and trust service providers under eIDAS 2.0 and PCTF. Promote technology-neutral, cross-recognized approaches to e‑signatures and authentication. Enable market actors to use Canadian or EU‑based trust providers under harmonized rules, fostering innovation and consumer confidence. Cross‑Border Data Flows & Localization Advocate for privacy-respecting data mobility in sectors like real estate, energy, finance, and logistics. Oppose unnecessary data localization requirements that add cost without commensurate privacy or security gains. Ensure that Canadian data flows operate in accordance with Canadian laws and values, even when exchanged across borders. Encourage alignment of privacy and cybersecurity approaches that preserve trust and legal clarity. Cybersecurity, Fraud Prevention & Consumer Protection Recommend the adoption of shared fraud scoring, risk assessment, and identity verification frameworks. Embed privacy‑by‑design principles into digital transactions and identity services. Coordinate cross-jurisdictional responses to cyber incidents, identity theft and digital scams.Standards & Interoperability Promote adoption of open international standards for identity, authentication, data portability, and interoperability. Explicitly include industry‑driven frameworks, such as PCTF, as recognized tools for implementation. Ensure Canada retains the ability to define, adapt, and govern its digital identity and trust frameworks independently, in alignment with national law, values, and economic strategy. Leverage PCTF to reduce regulatory fragmentation and increase interoperability across sectors. Digital Inclusion & MSME Access Ensure MSMEs can access affordable, certified trust services for cross-border commerce. Support inclusive access in underserved communities, including rural and Indigenous, via interoperable service models and affordable trust credentials. Artificial Intelligence & Responsible Data Use Align responsible AI principles for trust services and risk modelling, emphasizing transparency, fairness, and accountability. Apply these principles to AI-enabled identity verification tools used in cross-border trade and digital wallets. Sectoral Impact Examples SectorBenefit from Mutual Recognition of PCTF & eIDASHousingStreamlined mortgage and property transactions; AML compliance with reduced frictionEnergy & ResourcesCertified credentials for emissions tracking, trade, and grid interoperabilityFinance & InsuranceReduced friction in cross-border lending, payments, and claims processingPublic Safety & HealthTrusted sharing of credentials for emergency response and cross-border healthcare Conclusion

Canada has a unique opportunity, through this consultation, to shape a forward-looking Digital Trade Agreement with the EU, one that prioritizes trust, privacy, interoperability, digital sovereignty, and inclusion.

By integrating Canadian-governed, industry-led standard frameworks, such as the PCTF, into this toolkit alongside national and international norms, Canada can lead in building a scalable, resilient, and trusted digital trade architecture, without compromising its ability to govern its digital future.

DIACC welcomes further collaboration to refine the role of PCTF in Canada’s digital trade strategy and ensure that Canadian businesses, especially MSMEs, can participate confidently in secure, cross-border digital commerce.

The E-ID proposal of 2019 was a classic own goal: privatized, centralized, and with privacy on the back burner. The result in March 2021: a resounding 64% No. The Swiss people didn’t want a “private flavour” national digital identity. Rightly so.

Now, with the new BGEID (2025), Switzerland has made a serious course correction. Instead of half-baked privatization, there is now full state authority, privacy-by-design, and open source. The E-ID resides only on the smartphone in the user’s wallet – not in some cloud run by whoever. Age verification? No longer “name + date of birth correlated with a profile,” but simply “over 18.”

Even more exciting: this is no longer just about an E-ID, but about a trust infrastructure. Driver’s licenses, diplomas, tickets – all digital, tamper-proof, in your own wallet. A federal network-of-networks in which municipalities, cantons, universities, companies, or associations can issue their own credentials.

In short: Switzerland is finally translating its political DNA motto “diversity through federalism” into the digital realm. And this was not cooked up in a backroom, but through a participatory process with NGOs, business, academia, and civil society. Democratically legitimized, technically modern, internationally interoperable.

But here’s the real point: the E-ID is only the key – the lock and the doors are built by the ecosystem. A digital identity alone is of little use if it cannot be applied anywhere. Everyday value emerges only when government, business, and society actively use this infrastructure – with credentials we still carry around on paper today: from residence certificates to debt enforcement extracts, from bank guarantees to e-prescriptions and medical reports. Only then does SWIYU become a universal tool for secure, privacy-preserving, and efficient processes.

The ecosystem does more than create convenience – it strengthens trust: less fraud, less bureaucracy, more automation, genuine freedom of choice, and strict data minimization. That’s the difference compared to the old proposal – and compared to global login solutions offered by tech giants. Without an ecosystem, the E-ID remains a key without doors. With a broadly established ecosystem, it becomes a digital public service, open to innovation and anchored in Swiss values.

For those who want to dig deeper: we’ve compared the 2019 proposal and the new 2024 BGEID in detail (to the best of our knowledge). The document shows in black and white why the new E-ID is not a reheated version, but a true paradigm shift – from a private product to a state trust infrastructure.

The bottom line?

For citizens: more sovereignty, stronger privacy, less “Big Brother” feeling.

For the economy: legal certainty, less dependency, more innovation.

For Switzerland: digital infrastructure as a public service – as essential as roads, bridges, water, and electricity.

Resources:

Read/Download our Comparison: BGEID 2021 vs. 2025

 

The two-week voting period will be between Wednesday, September 10, 2025 and Wednesday, September 24, 2025, once the 60 day review of the specification has been completed.

The FAPI working group page:  https://openid.net/wg/fapi. If you’re not already a member, or if your membership has expired, please consider joining to participate in the approval vote. Information on joining the OpenID Foundation can be found at https://openid.net/foundation/benefits-members/.

The vote will be conducted at https://openid.net/foundation/members/polls/379 

Marie Jordan – OpenID Foundation Secretary

About The OpenID Foundation (OIDF)

The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.

The post Notice of Vote to Approve Proposed FAPI 2.0 Message Signing Final Specification first appeared on OpenID Foundation.

In her tiny sunlit Seoul apartment, Kim Jeong-ran sat on her bed, talking affectionately to a cloth doll perched on her lap.  “Hyodol, you’re my lovely granddaughter,” the 81-year-old said,...

Carter’s just pulled off what many retailers thought was impossible. 

In only three months, the iconic children’s apparel brand rolled out RFID technology across 700 stores:  improving accuracy on every item and making life easier for both store teams and customers. In this episode, Gina Maddaloni and Anna Marie Blackburn from Carter’s join hosts Reid Jackson and Liz Sertl to discuss how RFID became central to Carter’s retail operations, what it took to win buy-in across the company, and how it is improving both inventory management and customer experience.

You’ll also hear how Carter’s uses RFID to cut payroll costs for year-end inventory by 50 percent, why the rollout became a recruiting tool for store teams, and where the company sees new opportunities to extend RFID into supply chain operations.

In this episode, you’ll learn:

How Carter’s achieved one of the fastest RFID deployments in retail

Why RFID is no longer “too complex” or “too expensive”

What’s next as Carter’s expands RFID use into its supply chain operations

Jump into the conversation: (00:00) Introducing Next Level Supply Chain (01:29) Anna Marie and Gina’s backgrounds (03:52) What RFID technology means for retail (06:47) The process of rolling out RFID across Carter’s stores (13:21) RFID’s impact on Carter’s operational efficiency (17:49) RFID as a recruiting tool for store teams (18:54) Asset protection benefits and peace of mind (19:34) Expanding RFID into DC operations (21:35) What’s next, Carter’s move toward serialization (23:01) Advice for companies starting their RFID journey (24:02) Busting RFID myths: cost, complexity, and adoption (26:29) Favorite tech beyond RFID (29:22) What Gina and Anna Marie want to learn next

Connect with GS1 US: Our website - www.gs1us.org GS1 US on LinkedIn

Connect with the guests: Gina Maddaloni on LinkedIn Anna Marie Blackburn on LinkedIn Check out Carter’s

Learn more about the GS1 US Solution Partner Program: https://www.gs1us.org/industries-and-insights/partners

 

Read the full case studyhere.

Around the world, governments are deploying blockchain as a way to restore public trust and deliver citizen services more effectively. From EBSI in Europe, to LACChain in Latin America, to Rede Blockchain Brasil (RBB), a common decision stands out. They all chose Ethereum—specifically, Besu, an open-source project hosted by LF Decentralized Trust—as the backbone of their public sector blockchain networks.

Why Ethereum? The choice was not accidental and this multi-regional case study highlights some of the reasons why. Drivers include building on the proven and familiar infrastructure with Ethereum, the world’s most widely adopted smart contract platform, flexibility and long-term optionality for Public and Permission use, vendor neutrality, and compatibility with global standards.

__

In the dead of a cold December night in 2023, at a dump near Delhi, hundreds of men huddled around small bonfires, clutching paper cups of tea. They tossed plastic...

In the second of a series of guest posts by DIF Ambassador Misha Deville, Misha explores how decentralized identity provides the missing trust infrastructure needed for AI systems to scale delegation, personalization, and content authenticity. Read the first post in the series, "The Missing Growth Lever."

Everyone is talking about the promises of AI. Faster decisions, tailored experiences, intelligent agents. But delivering on that promise requires more than powerful models. It requires trusted infrastructure.

AI systems create value through delegation, personalisation, and decision-making. Yet these capabilities can’t scale consentfully or securely without the ability to prove who the system is working for (context), what it’s been authorised to do (consent), or whether its outputs can be trusted (credibility). Decentralised identity models and verifiable credentials can provide the missing infrastructure to ensure AI systems can deliver on their promises.

Agentic Delegation at Scale

“To scale humans, we deploy agents. But to scale agents, we must manage them like humans.”[1] - Director Product Management, Writer.

Agentic AI is no longer a future proposition, it’s a present bottleneck. Organisations are deploying more autonomous agents, but they’re hitting “scaling cliffs” as agents multiply faster than their supervision and governance systems can manage them. Unlike APIs or scripts, agents are semi-autonomous systems with memory, tool access, and significant sensitive data exposure. Without clear scopes, audit trails, or authority checks, most delegation turns into vast liability surfaces, and a system of patchwork permissions quickly becomes unmanageable.

As Huang et al. write, ““Failure to address the unique identity challenges posed by AI agents operating in Multi-Agent Systems (MAS) could lead to catastrophic security breaches, loss of accountability, and erosion of trust in these powerful technologies”[2].

Most AI systems today are still rooted in prediction, but this is rapidly shifting toward delegated action. The agentic AI market has already reached $13.8 billion in 2025, and as agents start taking action, the question becomes: who is acting, on whose behalf, and under what authority?

‘Authenticated delegation’ enables third parties to verify that:

“(a) the interacting entity is an AI agent, (b) that the AI agent is acting on behalf of a specific human user, whether pseudonymised or identifiably known, and (c) that the AI agent has been granted the necessary permissions to perform specific actions”.[3]

This sounds simple, but delegated ‘trust’ doesn’t end with a single permission. Especially in asynchronous flows or agent-to-agent communication, it must be enforced dynamically over time.

Most systems today use token-based models, like OAuth, that assume trust within a known and bounded hierarchy is established when a token is issued, and meaningful wherever invoked. Once the token is delivered however, there is no enforcement that the agent will continue to act within its authorised scope over time, or the domain within which it is meaningful. A delegation-first model like ZTAuth, or other Authorization languages based on Object Capabilities (e.g. ZCaps, UCAN, Hats Protocol), adds runtime checks, making sure agents are still trusted, acting on behalf of the right user, and following the right rules, every time they take an action rather than with a token's expiry period.

Similar ideas are emerging in The MIT Computer Science and AI Lab’s framework for ‘Identity-Verified Autonomous Agents’, which introduces cryptographic proofs of authority and full auditability into multi-agent workflows2. Meanwhile, projects like the A2A protocol are building agent registries to support discovery, entitlements, and secure agent-to-agent communication across trust boundaries and OAuth-style enterprise hierarchies[4].

At the standards level, DIF’s Trusted AI Agents Working Group is building open specifications to support these use cases. Their work spans data models, object capability frameworks, interoperability libraries and runtime trust enforcement patterns. This is about more than securing agent-to-agent interactions. It’s about enabling a full lifecycle of trust, from credentialed instantiation of agents to delegated (logged and fully-auditable) execution, all the way through to forensic audit and remediation in the worst case scenario.

Hyper-personalisation that works

AI-driven hyper-personalisation promises to unlock entirely new value in digital experiences. McKinsey reports show meaningful increases in customer engagement and spend when personalisation is done right[5]. But it can just as easily backfire. A 2019 Gartner study found that 38% of users will walk away from a brand if personalisation feels “creepy”[6], and recent research with Gen Z confirms the duality that personalisation is welcome up until it crosses the line[7].

That line is defined by context and consent. When AI systems infer personal data from web-scraping profiles, browser fingerprinting, adtech data, and other opaque signals, they significantly undermine trust and user agency. When they employ algorithmic transparency, ethical frameworks, and user-authorised data inputs they mitigate the risks of conscious and unconscious mistrust and backlash[8].

Verifiable credentials in this context offer a solution that can give AI systems structured, consent-based attributes that users explicitly approve. This helps shift personalisation away from prediction and toward permission. It reduces the risk of misfires and irrelevant outputs, and increases both system reliability and user trust.

The travel industry is a clear example of the opportunity gap. Identity and preference checks occur at nearly every step, yet the ecosystem remains fragmented[9]. Travellers routinely overshare sensitive data multiple times, with little visibility into where it’s stored or how it’s used. Providers, in turn, struggle to deliver seamless or personalised services without duplicating traveller effort or violating privacy regulations.

That’s starting to change. Initiatives like IATA’s One ID aim to eliminate repetitive ID checks using biometric-backed credentials, creating a more secure, contactless experience. Live pilots by SITA and Indicio, in partnership with Delta Airlines and the Government of Aruba, have also shown how digital travel credentials can streamline identity verification at check-in, boarding, and border control.

These foundational shifts pave the way for more advanced personalisation use cases. With credential infrastructure in place, providers can begin supporting traveller-owned profiles that store personal preferences, enable selective data sharing, and allow AI agents to act on a traveller’s behalf. The DIF Hospitality & Travel Working Group is developing schemas to support this, with traveller profiles that are dynamic, revocable, and built for interoperability. As Nick Price notes, when preferences are embedded in credentials and shared on the traveller’s terms, personalisation becomes possible while still preserving privacy and trust[10].

Decision-Making and Sense-Making in Synthetic Noise

Identity fraud isn’t new, but AI has supercharged its scale, speed, and sophistication. In 2025, 1 in 20 ID verification failures are already being linked directly to deepfakes, while synthetic audio and video forgeries have increased 20% and 12% respectively in fraud attempts year-over-year[11]. National Security Agencies of the US, UK, Canada, and Australia, have warned that the quality and pace of AI-generated forgeries “have reached unprecedented levels and may not be caught by traditional verification methods”[12].

Ironically, fraud detection is one of AI’s strongest use cases. But its success depends on the quality of input data. Risk models tend to rely on patterns from historical data to flag anomalies. If the data is synthetic, spoofed, or unverifiable, the model can learn the wrong patterns or miss the threat altogether. It's a clear case of “attacker's advantage,” since automated attacks are almost free to launch at brute-force scale. What's worse,s AI adversaries are improving at impersonation, so hallucinated and forged content is proliferating across search engines, media outlets, and public discourse, contaminating LLMs at the lowest level of training data.

“As AI agents grow increasingly adept at mimicking human behavior - crafting text, creating personas, and even replicating nuanced human interactions - it becomes harder to maintain digital environments genuinely inhabited by real people.”2

Detecting ‘what’s real’ at scale now requires cryptographic certainty. Verifiable credentials offer a solution to the ‘garbage in, garbage out’ problem by allowing systems to verify data attributes without exposing raw personal data. Content credentials, as standardised by C2PA, provide tamper-evident metadata that can trace authorship, modification history, and usage rights across files, namespaces, and industry associations. This helps prevent both fraud in high-stakes transactions and reduce the risk of model “pollution” by synthetic content[13].

These mechanisms are quickly moving from optional to operational. California’s SB 942, set to take effect in 2026, will require that all AI-generated or AI-altered content be disclosed and tied to an immutable record of provenance. As Erik Passoja writes, “Compliance is just the on-ramp… the real destination is an authenticated digital ecosystem.”[14]. Infrastructure built on signed manifests, cryptographic consent, and watermark durability won’t just prevent fraud, it wil

l underpin new forms of value, from automated licensing to portable and just-in-time reputation.

In all of these cases, a reliable identity layer isn’t a ‘nice to have’, but a prerequisite for trust, adoption, and real-world value. Decentralised identity and verifiable credentials provide the infrastructural foundation that lets AI scale and deliver new opportunities. DIF’s working groups are tackling these challenges head-on, from authenticated AI agents to verifiable travel profiles and content authenticity.

The next article in this series will dive into the work of the Content Authenticity Initiative and DIF’s Creator Assertions Working Group, exploring how open standards are enabling AI to be used confidently in media, preserving trust, provenance, and creative integrity.

Find out more about DIF’s working groups here:

Creator Assertions Hospitality and Travel DIF Labs

If you’d like to stay updated on the launch of DIF’s Trusted AI Agents Working Group, reach out to contact@identity.foundation.

M. Shetrit (2025). “Supervising the synthetic workforce: Observability for AI agents requires managers, not metrics”. Writer. ↩︎ Huang et al. (2025). “A Novel Zero-Trust Identity Framework for Agentic AI: Decentralized Authentication and Fine-Grained Access Control”. arXiv. ↩︎ South et al. (2025). “Authenticated Delegation and Authorized AI Agents”. arXiv. ↩︎ A2A Project. “Agent Registry - Proposal”. GitHub. ↩︎ McKinsey & Company (2025). “Unlocking the next frontier of personalised marketing”. ↩︎ Gartner (2019). “Gartner Survey Shows Brands Risk Losing 38 Percent of Customers Because of Poor Marketing Personalization Efforts” ↩︎ Peter et al. (2025). “Gen AI – Gen Z: understanding Gen Z’s emotional responses and brand experiences with Gen AI-driven, hyper-personalized advertising”. Frontiers in Communication. ↩︎ Park, K & Yoon, H (2025). “AI algorithm transparency, pipelines for trust not prisms: mitigating general negative attitudes and enhancing trust toward AI”. Nature. ↩︎ DIF (2025). “DIF Launches Decentralized Identity Foundation Hospitality & Travel Working Group” ↩︎ Dock (2025). “How Digital ID is Reshaping the Travel Industry” ↩︎ Bondar, Ira (2025). “Real-time deepfake fraud in 2025: Fighting back against AI-driven scams”. Veriff. ↩︎ NSA et al. (2025). “Content Credentials: Strengthening Multimedia ↩︎ Adobe (2025). “Content Credentials”. ↩︎ Passoja, Erik (2025). “From Compliance to Prosperity” LinkedIn. ↩︎

Competition has been steep for Jumia, Africa’s largest e-commerce platform, especially from major Chinese companies like Temu and Shein.  Jumia is now using the same playbook its Chinese rivals have...

Silicon Valley firms are rushing to train artificial intelligence models with tens of thousands of graphics processing units, and offering multimillion-dollar salaries to star researchers. Meanwhile, in Mongolia, Badral Sanlig...

Amid an intense battle for supremacy, artificial-intelligence companies are forging alliances across industries and regions to help gather real-world data that can’t be scraped from the internet. Over the past...

The OpenID Foundation is pleased to announce the completion of a comprehensive security analysis of OpenID for Verifiable Presentations (OpenID4VP) when used over the Digital Credentials API (DC API). This represents the first security analysis of OpenID4VP and DC API together, which allowed potential security vulnerabilities to be detected and mitigated before the spec went to final in July. 

Conducted by researchers from the Institute of Information Security at the University of Stuttgart using the proven Web Infrastructure Model (WIM) methodology, this analysis builds on a track record of rigorous, mathematical security modelling of OIDF protocols, and a two way exchange between the researchers and the OIDF work groups to ensure the protocols deliver the expected security properties.  It has also been used to analyse other OpenID Foundation standards, including OpenID Connect, FAPI 1.0 and FAPI 2.0, as well as OAuth 2.0.

This approach has previously uncovered potential attack vectors allowing for proactive mitigation of the vulnerability, such as a recent responsible disclosure that impacted several spec families. 

As part of the scope of this study, the University of Stuttgart presented a formal model of the OpenID4VP specification in conjunction with the Digital Credentials API, identified and formalized relevant security properties, and completed formal proofs for those security properties successfully. 

These proofs confirm the security of the protocol within the bounds of the mathematical assumptions and formal modelling. Importantly, no new vulnerabilities were identified during the verification process.

Analysis scope and objective

The primary goal was to demonstrate that using OpenID4VP over the DC API delivers a fundamental security guarantee, that of a ‘claims unforgeability’. Put simply, this means proving that attackers cannot trick honest verifiers into accepting false claims that appear to come from legitimate issuers for genuine users with credentials issued to honest wallets.

The analysis takes a focused approach to protocol level security, deliberately excluding attack vectors like Cross-Site Scripting or cryptographic implementation vulnerabilities. These fall outside the scope of protocol specifications and are typically addressed through other security measures.

Rigorous methodology

The WIM analysis follows a systematic three step process that ensures thorough coverage. First, researchers create a detailed mathematical model covering all possible protocol executions not explicitly prohibited by the specifications. This model accounts for arbitrary numbers of participants with varying trust relationships, running multiple protocol instances simultaneously across all possible interaction patterns.

Next, they formulate precise security properties based on goals stated in the specifications. Finally, they provide mathematical proofs showing these security properties hold true across every conceivable protocol execution scenario..

Continuing a commitment to security

This work follows the OpenID Foundation’s first comprehensive security analysis of OpenID for Verifiable Credentials completed in October 2023 with the goal of increasing confidence in these critical specifications. That previous study used the same WIM methodology. 

The Digital Credentials Protocols Working Group (DCP WG) has accepted this security report on OpenID4VP+DC API, continuing the collaborative approach between academic researchers and standards development. As demonstrated with previous analyses, the DCP WG incorporates relevant feedback into current specification versions, ensuring robust security foundations for implementers.

The complete report is available here on the DCP WG homepage for review by implementers and the broader community.

Expert perspectives

The team of academic researchers from the University of Stuttgart, said: “We thank the OpenID Foundation for another fruitful collaboration and look forward to further joint efforts in analyzing high-impact standards.”

Kristina Yasuda, Co-Chair of the OpenID Foundation’s DCP WG, said: “Proactive security analysis is critical in identifying potential gaps before they impact implementers and End Users. Collaborating closely with academic researchers allows us to validate our specifications against rigorous formal models, strengthen the protocol’s security guarantees, and ensure that OpenID4VP and the DC API deliver the trust and reliability that the ecosystem depends on.”

Daniel Fett, founder of the OAuth Security Workshop, said: “It’s great to see the OpenID Foundation adopting formal analysis of web protocols as a standard tool. Beyond the usual expert review, formal analysis has repeatedly proven to be an effective means of uncovering hidden vulnerabilities and challenging underlying assumptions.”

About the OpenID Foundation

The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net. 

 

The post OIDF receives security analysis of OpenID for Verifiable Presentations first appeared on OpenID Foundation.

Errata to the following specification have been approved by a vote of the OpenID Foundation members:

JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) – This specification was created to bring some of the security features defined as part of OpenID Connect to OAuth 2.0

An Errata version of a specification incorporates corrections identified after the Final Specification was published. This specification is a product of the OpenID FAPI Working Group.

The voting results were:

Approve – 79 votes Object – 0 votes Abstain – 17 votes

Total votes: 96 (out of 420 members = 22.9% > 20% quorum requirement)

The specification incorporating the errata is available at the standard locations as well as:

https://openid.net/specs/oauth-v2-jarm-errata1.html 

See the Introduction section of the specification for the link to the previously approved version.

Marie Jordan – OpenID Foundation Secretary

About the OpenID Foundation

The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net. 

The post Errata Corrections to JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) Approved first appeared on OpenID Foundation.

At the inaugural Privacy for Financial Services Workshop hosted by LF Decentralized Trust in New York, a clear signal emerged: privacy is no longer a theoretical aspiration in digital finance. It’s a necessity, and it’s becoming deeply practical.

1. What is the mission and vision of Giesecke+Devrient (G+D)?

We shape trust in a digital world.

We create innovative security solutions for reliable protection of highly critical sectors. We engineer customized security technologies with passion and precision.

2. Why is trustworthy digital identity critical for existing and emerging markets?

Trustworthy digital identity is foundational to the secure functioning of both existing and emerging markets. As digital interactions become integral to daily life, ensuring the authenticity and security of these interactions is critical. Reliable digital identities enable secure access to services, protect against fraud, and foster user confidence. In emerging markets, they are instrumental in promoting financial inclusion and enabling access to essential services, thereby driving economic growth and social development.

3. How will digital identity transform the Canadian and global economy? How does your organization address challenges associated with this transformation?

Digital identity is poised to revolutionize the Canadian and global economy by streamlining access to services, enhancing security, and fostering innovation. It enables seamless interactions across sectors such as finance, healthcare, and government services, reducing friction and building trust in digital transactions.

Giesecke+Devrient (G+D) addresses the challenges of this transformation by offering secure, user-centric digital identity solutions. Our technologies ensure data privacy, comply with international standards, and are adaptable to various regulatory environments. By focusing on interoperability and scalability, we support the development of robust digital identity infrastructures that can evolve with the changing needs of societies and economies.

4. What role does Canada have to play as a leader in this space?

Canada is uniquely positioned to lead in digital identity and trust services due to its strong regulatory frameworks, commitment to privacy, and collaborative approach among public and private sectors. By investing in secure digital infrastructures and fostering innovation, Canada can be a leader in setting global standards for digital identity solutions that are inclusive, secure, and user-friendly. G+D supports these initiatives by providing technologies that align with Canada’s vision for a trustworthy digital ecosystem.

5. Why did your organization join the DIACC?

G+D joined the Digital ID & Authentication Council of Canada (DIACC) to collaborate with industry leaders in shaping the future of digital identity. We recognize the importance of a unified approach to developing secure, interoperable, and user-centric identity solutions. Through our membership, we aim to contribute our global expertise in security technologies to support DIACC’s mission of advancing digital identity innovation in Canada.

6. What else should we know about your organization?

Our organization, G+D, has a rich global history of being a pioneer in the industry, achieving numerous milestones that have set standards worldwide. In addition to our Canadian firsts, G+D has been a leader in innovation on a global scale, consistently demonstrating our commitment to advancing security technology and improving user convenience across various markets.

Globally, G+D was one of the first companies to introduce banknote processing equipment back in the early 20th century, revolutionizing how financial institutions handled currency. This innovation laid the groundwork for our later advancements in secure currency technologies. We were also pioneers in developing and implementing smart card technologies, which have become fundamental in today’s digital security applications, including telecommunications, banking, and government identity systems.

In the realm of telecommunications, G+D was instrumental in the development and widespread adoption of SIM cards, which transformed the mobile phone industry by enabling secure and personalized services. This innovation not only advanced mobile technology but also significantly enhanced security and functionality for mobile device users worldwide.
Moreover, G+D has been a leader in the development of secure identity solutions, providing governments and organizations with advanced technologies for passports, national IDs, and other secure documents. Our innovations in biometric and encryption technologies have helped shape global standards for identity verification and data protection.

Our commitment to sustainability is also evident on a global scale. We have been involved in developing eco-friendly technologies and materials for our products, significantly reducing the environmental impact of our manufacturing processes and end products.
By highlighting these global achievements alongside our Canadian firsts, it is clear that G+D’s legacy of innovation spans not only decades but also diverse industries and markets. Our forward-thinking approach and investments in new technologies continue to drive our mission of making people’s lives more secure and convenient, while also respecting our planet. As we move forward, G+D remains dedicated to being a leader in digital identity and authentication, setting new benchmarks for excellence and sustainability worldwide.

1. What is the mission and vision of NOETRONIQ Strategic Initiatives?

Mission:
To empower organizations with trusted, interoperable identity solutions by delivering expert architectural guidance rooted in privacy, security, and open standards.

Vision:
To shape a resilient digital future where individuals and institutions interact with confidence, enabled by transparent, decentralized identity ecosystems and intelligent trust frameworks.

2. Why is trustworthy digital identity critical for existing and emerging markets?

Digital trust and identity verification are foundational to securing interactions in today’s global digital economy. In both mature and emerging markets, they underpin everything from financial access to cross-border compliance and fraud prevention. But as the threat landscape evolves, driven by increasingly sophisticated actors and accelerated by AI, traditional security models are no longer sufficient. Verifiable identity becomes the anchor for ensuring accountability, protecting privacy, and enabling secure, scalable systems. In a world of rapid digital and AI-driven transformation, strong identity infrastructure is not just about access; it’s about resilience, governance, and trust at every layer of interaction.

3. How will digital identity transform the Canadian and global economy? How does your organization address challenges associated with this transformation?

Digital trust and identity verification will redefine how value, services, and decisions flow across both the Canadian and global economies. As digital interactions become more decentralized, cross-border, and mediated by AI, trusted identity is the linchpin for enabling secure access, protecting user autonomy, and ensuring compliance at scale. In Canada, this transformation supports economic inclusion, public service modernization, and global interoperability through frameworks like the PCTF. Globally, it empowers new markets, mitigates fraud, and creates the foundation for verifiable, privacy-respecting ecosystems.

NOETRONIQ Strategic Initiatives addresses these challenges by offering expert architectural guidance to help organizations align with evolving standards, integrate verifiable credentials, and future-proof their identity infrastructure. Our focus is on building resilient, interoperable systems that embed trust by design. Bridging policy, technology, and security in a rapidly shifting digital and AI-enhanced landscape.

4. What role does Canada have to play as a leader in this space?

Canada is well-positioned to lead in digital trust and identity verification by advancing inclusive, privacy-respecting, and interoperable frameworks. With the Pan-Canadian Trust Framework and a strong tradition of public-private collaboration, Canada offers a model for securing digital ecosystems that scale across borders. As global trade and digital services expand, Canada’s leadership in trustworthy identity infrastructure strengthens its role as a reliable partner in international commerce. By prioritizing security, accountability, and user control, Canada can shape the standards and governance models that underpin a resilient, globally connected digital economy.rust services, across many industries, including Auto Finance.

5. Why did your organization join the DIACC?

NOETRONIQ Strategic Initiatives joined the DIACC to contribute to and align with the collaborative development of Canada’s digital identity and trust ecosystem. As a firm specializing in identity architecture, verifiable credentials, and privacy-first design, we see DIACC as a critical forum for shaping interoperable, standards-based solutions that serve both national interests and global alignment. Participation in DIACC enables us to engage with leading experts, support the evolution of the Pan-Canadian Trust Framework, and ensure our clients’ solutions are future-proof and policy-aware. We believe that trusted identity is foundational to a resilient digital economy—and that collaboration is key to getting it right.

6. What else should we know about your organization?

NOETRONIQ Strategic Initiatives brings deep expertise in digital identity architecture, cybersecurity, and verifiable credentials, with a focus on building systems that are both technically robust and aligned with emerging governance models. We operate with the precision and foresight of a strategic partner, helping clients navigate complexity at the intersection of policy, privacy, and technology. We’re especially attuned to the shifting landscape brought on by AI, decentralized infrastructure, and evolving trust frameworks. Our mission is to help shape a digital future where identity is secure, user-controlled, and interoperable by design.

Artificial intelligence chatbots are starting to take over from low-wage workers, known as “chatters,” who impersonate OnlyFans stars in direct messaging with fans. The adult website’s creators rely on these...

Brazilian President Luiz Inácio Lula da Silva traveled to China in May, where he signed several deals including a five-year $1 billion commercial agreement with Wang Xing, the co-founder and...

This is a notice of the upcoming vote to approve OpenID for Verifiable Credential Issuance 1.0 as a Final Specification.

The two-week voting period will be between Monday, September 1, 2025 and Monday, September 15, 2025, once the 60 day review of the specification has been completed.

The Digital Credentials Protocols (DCP) working group page:  https://openid.net/wg/digital-credentials-protocols/. If you’re not already a member, or if your membership has expired, please consider joining to participate in the approval vote. Information on joining the OpenID Foundation can be found at https://openid.net/foundation/benefits-members/.

The vote will be conducted at https://openid.net/foundation/members/polls/376.

Marie Jordan – OpenID Foundation Secretary

About The OpenID Foundation (OIDF)

The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.

The post Notice of Vote to Approve OpenID for Verifiable Credential Issuance 1.0 Final Specification first appeared on OpenID Foundation.

American tech giants have increased spending on artificial intelligence tools designed to resolve some of the world’s most pressing problems.  Since 2020, Google has spent $200 million on AI-driven social...

In a bid to improve overall security of the identity ecosystem, the National Institute of Standards and Technology updated its Digital Identity Guidelines earlier this month. The first revision since 2017, many organizations should be able to implement the updated guidelines without much difficulty as part of their identity strategy.

Attackers are always sharpening their skills to bypass organizations’ identity and access management (IAM) protocols – the key to gaining critical access – and artificial intelligence (AI) is making phishing attacks even more effective, and deepfakes are tricking even the most security-savvy mind. New authentication measures such as passwordless technologies, exist, but implementation challenges have hindered adoption.

As announced, Microsoft today deletes all stored passwords from his authenticator app. Users have to secure their access data before they are lost permanently. Other functions of the app are preserved.

Users must secure passwords

For users of the Microsoft Authenticator, it is a critical deadline: As announced at the beginning of May, all stored passwords are irrevocably deleted from the app on August 1, 2025. If you do not ensure or transfer the data, you permanently lose access to the stored passwords.

The changeover takes place gradually and has been going on for months. Since June 2025, it has no longer been possible to save new passwords in the app or to import from external sources. This affects both manual entries and the synchronization with other services. In July 2025, the autofill function was then deactivated, so that the app no longer automatically entered login fields on websites or in apps.

HID, a worldwide leader in trusted identity and access management solutions, has announced a new line of FIDO-certified credentials—now powered by the new Enterprise Passkey Management (EPM) solution— designed to help organizations deploy and manage passkeys at the enterprise scale. 

Newresearch from FIDO Alliance shows that while 87% of enterprises are adopting passkeys, nearly half of those that are yet to deploy cite complexity and cost concerns as primary barriers.HID’s solution streamlines the shift to passwordless authentication.

The post Velocity Network Foundation Joins Global Leaders at Inaugural Geneva Conference on Digital Trust  appeared first on Velocity.

The post Velocity Charitable Foundation Elevates Statewide Approach to Verifiable Credentials and Open Ecosystems appeared first on Velocity.

The post Velocity Network Technology Becomes “Verii” Under the Linux Foundation’s LF Decentralized Trust Initiative  appeared first on Velocity.

The post What is a Trust Framework?  appeared first on Velocity.

Singapore is known for channelling its best talent into the public sector and with GovTech it’s no different. The government aims to staff the agency with the same calibre of...

Energy Web has rolled out a major upgrade to the consensus mechanism governing Worker Nodes on the Energy Web X (EWX) network. This enhancement aligns Energy Web X and the Worker Node Networks with a core vision: using secure on-chain consensus and rewards to validate off-chain computations while incentivizing the highest level of node performance. Why This Matters

A growing number of applications in the energy sector and beyond are leveraging decentralized Worker Node networks on Energy Web X. For example, Green Proofs for Bitcoin (GP4BTC) uses EWX to verify green Bitcoin mining, and the recently launched Carbon-Aware Nomination system orchestrates compute workloads to maximize the use of clean energy. As these and other DePIN (Decentralized Physical Infrastructure Networks) use-cases expand, it becomes ever more critical to enforce accurate and verifiable computation in a secure, scalable manner.

This consensus upgrade directly addresses that need. It introduces several improvements to how EWX validators reach agreement on Worker Node outputs and distribute rewards: changes that align incentives with performance and ensure the integrity of off-chain execution. This upgrade empowers enterprises to pair their off-chain computational systems with highly configurable on-chain reward mechanisms, creating strong business and financial incentives for both enterprises and community members operating Worker Nodes to actively contribute to these decentralised systems.

Setting The Bar on Performance

Only the most consistent, high-performing worker nodes will now be rewarded for their contributions. The upgrade introduces an SLA performance threshold, a minimum standard for correct vote submissions that a node must meet to qualify for any rewards. In other words, a worker’s voting accuracy over each reward period has to exceed a predefined percentage (set on a per-Solution Group basis) for that node to earn a share of the rewards. A “correct” vote means the worker’s submitted result from their off-chain execution aligns with the majority consensus for a given round (as determined by EWX validators). If a node’s correct vote rate falls below the threshold, it won’t receive rewards for that period, no matter how many votes it cast.

This change pushes every Worker Node operator to perform above a clearly defined bar. Energy Web X validators now track each worker’s voting performance across rounds (via on-chain metadata) and calculate the percentage of that worker’s votes that matched the accepted consensus. Only those exceeding the SLA threshold are deemed eligible. Among those that qualify, rewards are weighted by accuracy and stake, meaning those who contribute more correct results and have more stake on the table earn proportionally more. See the reward formula below:

worker_reward = (worker_correct_votes × user_stake) / total_weighted_correct_votes × voting_reward_per_block × active_blocks

Where: worker_reward: the amount of EWT distributed to the worker node operator as their active reward for participation in eligible voting rounds within the concluded reward period. worker_correct_votes: The number of correct (consensus aligned) votes submitted by the worker node in the eligible voting rounds within the concluded reward period. user_stake: The amount of tokens locked by the operator upon registration. total_weighted_correct_votes: Sum of correct votes weighted by stake across all worker nodes ( Σ(correct_votes_i * stake_i) ). voting_rewards_per_block: Amount of tokens allocated to voting rewards per block (configured by the solution registrar). active_blocks: Number of blocks spanning the reward period. Worked example:

A Solution Group contains 150 operators. At the end of a reward period, 100 operators submitted sufficient votes to exceed the SLA threshold and are eligible for rewards.

From the eligible 100 operators, the average correct votes during the reward period is 100 and the average user stake is 1000.

Therefore: total_weighted_correct_votes = 100 * 100 * 1000 = 10,000,000

Worker Node A had 110 correct votes with a stake of 1000. There are 7200 active blocks in a voting round, and the voting rewards per block are set to 1 token.

Therefore: worker_node_A_reward = (110 * 1000) / 10000000 * 1 * 7200 = 79 tokens

Consensus Validated Via Quorum & Majority Threshold

The consensus mechanism employs a two-tier validation process to guarantee both sufficient participation and accuracy of submissions before finalising the result on-chain. Energy Web X requires two conditions for a voting round to produce a valid result:

Quorum: A minimum percentage of eligible worker nodes must participate by submitting their votes. Majority Threshold: Within the specified quorum of participants, a majority of workers, over the defined threshold, must agree (i.e. submit matching results) for the result to be accepted as the round’s consensus.

If either condition isn’t met the round is marked Unresolved. These thresholds optimise for security and trust without sacrificing scalability. Quorum ensures that a sufficiently broad sample of the network contributes to each consensus decision, while the majority threshold ensures accuracy and trust in the result. Only when both conditions are satisfied will the Energy Web X validator set record the final result on-chain.

Improving Withdrawal Delay

The upgrade also refines how and when worker node operators can withdraw their stake from the network. The withdrawal delay is the period a user must wait between submitting an unsubscription request and receiving their tokens. This means every action (vote) has a consequence: correct votes will always be rewarded while protecting against malicious actors who may otherwise submit false votes and then withdraw to evade penalties.

With the upgrade, withdrawal delays are measured in reward periods instead of blocks. In practice, after an operator initializes a withdrawal, they must wait a defined (by the registrar) number of additional reward periods before withdrawing their collateral. During this delay period, the node can still participate in voting rounds and continue to earn rewards, except for the final reward period in which the stake is released and voting eligibility ends. This ensures all pending rounds are properly settled and any rewards or penalties processed before a node can exit the network.

For example, a solution group has a withdrawal delay of 2 reward periods. A subscribed worker node operator votes in Reward Period 1 then submits an unsubscribe request in Reward Period 2. The operator would need to wait for Reward Period 3 and 4 to conclude, before receiving their funds back during a block (specific timing depends on system load) in Reward Period 5. The operator can participate (vote) in Reward Period 3 and 4 but not in 5.

The Outcome: Accurate, Scalable and Secure Off-Chain Compute

Together, these enhancements bring Energy Web X’s consensus mechanism in line with the vision of incentivizing top-performing worker nodes to deliver accurate, verifiable outputs from off-chain computation.

What does this mean for Energy Web ecosystem participants? Solution owners and their users can have complete trust in the outputs of decentralised compute. Energy Web X’s blockchain will securely handle the heavy lifting of coordinating nodes, validating results, and distributing rewards, all in the background. This allows developers and enterprises to focus on what they do best: building high-value applications, confident that a robust, trusted decentralized compute layer is reliably powering their workloads behind the scenes.

About Energy Web

Energy Web is a global technology company driving the energy transition by developing and deploying open-source decentralized technologies. Our solutions leverage blockchain to create innovative market mechanisms and decentralized applications, empowering energy companies, grid operators, and customers to take control of their energy futures.

How to Get Involved

Review the docs
Join the conversation

From Off-Chain Execution to On-Chain Trust: Inside Energy Web’s Consensus Overhaul was originally published in Energy Web on Medium, where people are continuing the conversation by highlighting and responding to this story.

China’s electric-vehicle revolution just engaged reverse gear. The world’s largest EV producer is flooding international markets with plug-in hybrid electric vehicles that run both on batteries and gasoline. Chinese hybrid...

The post Velocity Network Foundation – MidYear Updates appeared first on Velocity.

Microsoft has started to delete all passwords saved in its Authenticator app — and if you want to make sure you’re not locked-out of your favourite websites and apps, there’s one way to save your previous logins.

It might seem a little extreme, but the decision to start wiping passwords from its users has been months in the making. Microsoft has been slowly winding down Microsoft Authenticator, a free mobile app developed by Microsoft for Android and iOS that lets you securely sign-in to online accounts using two-factor authentication (2FA) or passwordless logins.

Like or not, a replacement for passwords — known as passkeys — is coming your way, if it hasn’t already. The three big ideas behind passkeys are that they cannot be guessed in the way passwords often can (and are), the same passkey cannot be re-used across different websites and apps (the way passwords can), and you cannot be tricked into divulging your passkeys to malicious actors, often through techniques such as phishing, smishing, quishing, and malvertising. 

HID, a leader in trusted identity and access management solutions, has announced a new line of FIDO-certified credentials – now powered by the new Enterprise Passkey Management (EPM) solution – designed to help organizations deploy and manage passkeys at the enterprise scale. 

New research from FIDO Alliance shows that while 87% of enterprises are adopting passkeys, nearly half of those that are yet to deploy cite complexity and cost concerns as primary barriers. HID’s solution streamlines the shift to passwordless authentication.

The next phase of HID’s passwordless authentication roadmap gives enterprises choice, flexibility and speed to deploy FIDO without compromising user experience or security posture. The expanded portfolio delivers phishing-resistant authentication with enterprise-grade lifecycle management, making scalable passwordless security accessible to organisations of all sizes. The solution works seamlessly across diverse work environments while reducing IT support requirements through centralised visibility and control.

Part of the “passkeys are more secure than passwords” story is derived from the fact that passkeys are non-human-readable secrets — stored somewhere on your device — that even you have very limited access to. 

OK, so what happens to those passkeys if your device is stolen?

HID, a leader in trusted identity and access management solutions, has announced a new line of FIDO-certified credentials – now powered by the new Enterprise Passkey Management (EPM) solution – designed to help organizations deploy and manage passkeys at the enterprise scale. 

New research from FIDO Alliance shows that while 87% of enterprises are adopting passkeys, nearly half of those that are yet to deploy cite complexity and cost concerns as primary barriers. HID’s solution streamlines the shift to passwordless authentication.

In the first of a series of guest posts by DIF Ambassador Misha Deville, Misha sets the stage for an underappreciated business problem one layer deeper than traditional User Experience analyses.

The Trust Ceiling

The paradox is that we want AI systems that understand us, but only on our own terms. We’re uneasy when AI appears to use personal data without permission, yet we’re frustrated when it doesn’t ‘get us’ on the first try (in ways that it would need lots of personal data to fill in the context). This might seem like a philosophical problem, but I am pointing to an underappreciated technical one. Without embedding trust negotiation into the system design itself, through features such as transparent data flows and consent mechanisms, these systems cannot negotiate subtext and context; without this capability, we will fail to see AI adoption (and utility) scale as promised. 

Friction in trust, and therefore adoption, stems from the lack of transparency and control, not from ‘poor model intelligence’. 66% of U.S. shoppers, for example, say they would not allow AI to make purchases for them, even if it meant securing better deals, because “consumers suspect AI is working for the retailer, not them. Until that trust gap closes, AI will remain a product discovery tool”1.

Public patience with AI product rollouts is already wearing thin. Global brands like Duolingo are facing significant backlash after announcing ‘AI-first’ strategies2, and the perception gap between those building AI systems and the addressable markets expected to adopt them is ever widening. 51% of adults interviewed in a recent Pew Research Study said they were more concerned than excited about AI, which contrasts sharply with the mere 15% of ‘AI experts’ that held this view3. 

The generative-AI race to market that made AI more powerful and more personal, also made systems more opaque, leaving users in the dark about how and why decisions are made. In the absence of transparency, even well-intentioned systems lose public trust. The WEF frames this as a missed opportunity to build new markets on a healthy footing: “Without transparency, AI systems might be used that are not value-aligned at a level that is acceptable to users, or users might distrust AI systems that actually are sufficiently value-aligned because they have no way of knowing that.”4

To embed trust into the system itself, people need to be able to verify:

who the AI is working for (context),  what it’s allowed to do (consent), and,  whether the output can be trusted (credibility). 

The solution therefore isn’t more intelligent AI models, it’s a complimentary, verifiable identity layer. An identity layer doesn’t just enable trust at the level of individual users trusting individual interfaces; it also supports a healthier marketplace overall by making AI systems traceable, comparable to one another, and accountable to the users and services they interact with. It helps users in aggregate trust AI more in aggregate.

Verifiable credentials built on a backbone of decentralised digital identifiers, enable cryptographic proofs of user and object attributes. Context, consent, and credibility become programmable, and the user experience transforms from coercive to empowering. 

The Market Opportunity

Digital identity and AI are fundamentally interdependent, but the current investment landscape and dominant business strategies do not reflect this. Today, AI is seen as a growth engine and identity infrastructure is seen as compliance overhead. This mental model is not just outdated, it’s economically limiting.

In 2024, global VC investment into AI-related companies exceeded $100 billion, marking an 80% increase from 20235. Meanwhile, investment in digital identity declined. In the UK, one of the world’s leading digital identity markets, the sector saw only $58 million in VC funding in 2024, a 69% decline from the year before6. This stark investment gap reveals a misunderstanding of the technology stack required for trustworthy, scalable AI. 

The convergence of these technologies is both ethically necessary and commercially advantageous. An identity layer that’s fit for this new era will enable AI breakthroughs to scale with direction, grounding, and accountability. If AI is the engine, then digital identity is the navigation system. It doesn’t slow the rocket down. It ensures it lands where we need it to. 

The companies that align AI with verifiable digital identity will capture disproportionate market share where others hit trust ceilings. Strategies that capitalise on both technologies will unlock the promised value in use cases such as:  

In fintech, verified delegation allows AI agents to execute trades securely, with cryptographic proof of authority and clear audit trails. In healthcare, patient-controlled access to verified medical records enables truly personalised care without compromising consent or privacy. In global supply chains, AI systems can confirm the authenticity of every product and actor, preventing counterfeits, improving traceability, and automating trust at scale.

Digital identity is not a constraint on AI. It’s the infrastructure that allows it to scale responsibly and profitably. Standards like W3C’s Verifiable Credentials Data Model, provide a vital foundation for AI systems to verify context, consent, and credibility without compromising privacy. The companies that embrace this interdependence will define the next wave of digital infrastructure. Those that don’t, will risk building impressive technology that nobody trusts enough to use.

In the next article, we’ll explore how decentralised identity unlocks the real-world value of AI, starting with three core functions behind its promises: personalisation, delegation, and decision-making.

If you’d like to stay updated on the launch of DIF’s AI-focused working group, reach out to contact@identity.foundation.

1 Charleston, SC (2025). “Two-Thirds of Shoppers Say ‘No’ to AI Shopping Assistants – Trust Issues Could Slow Retail’s AI Revolution”. Omnisend.
2 Braun, S (2025). “Duolingo’s CEO outlined his plan to become an ‘AI-first’ company. He didn’t expect the human blacklash that followed.” Fortune.
3 McClain et al. (2025). “How the U.S. Public and AI Experts View Artificial Intelligence”. Pew Research Center.
4 Dignum et al. (2024). “AI Value Alignment: Guiding Artificial Intelligence Towards Shared Human Goals”. World Economic Forum.
5 Fairview Capital. (2024). “Preparing for the Agentic Era in Venture Capital”.
6 Wyman, O. (2025). “Digital Identity Sectoral Analysis 2025”. Gov.UK

On July 14, 2025, OpenID Foundation’s Executive Director Gail Hodges was delighted to moderate the ‘Voices from the Future’ panel at the Federal Mobile Driver’s License (mDL) Industry Day | GSA, which included leaders from five US States and the American Association of Motor Vehicle Administrators (AAMVA) on the use cases driving mDL adoption and ‘happiness’ in their states.

State officials delivering on the promise of digital identity in the USA

The panelists included state officials on the leading edge of mDL issuance and adoption:  

Christine Nizer – Administrator, Maryland Department of Transportation Motor Vehicle Administration and Governor’s Highway Safety Representative    Ajay Gupta – Chief Digital Transformation Officer, California Department of Motor Vehicles Brett Young – Assistant Deputy Commissioner of Innovation and Technology, Georgia Department of Driver Services Lori Daigle –  Program Manager, Outreach and Education Identity Management, American Association of Motor Vehicle Administrators Ashley Hall – Senior Project Manager, Virginia Department of Motor Vehicles David Knigge – Modernization Director, Arizona Department of Transportation, Motor Vehicle Division

In the US, states play a pivotal role in the issuance of digital identity credentials. These states are on the leading edge of creating great user experiences for their state residents, and they appreciate the power of robust digital identity infrastructure.

Compelling use cases and future roadmaps 

The state and AAMVA panelists brought their experience from the ‘front row seat’ as issuers of the mDL/mID credentials. They shared a wide range of use cases that are already resonating within their communities, way beyond mDL presentation at a TSA checkpoint to travel:

Login and step up authentication for access to state website and benefits   Skippie Enforcement acceptance to save officers and residents time (a 15-20 minute roadstop reduced to 5 minutes; the prospect of saving lives by getting people and officers back on the road swiftly) Event venue acceptance (e.g. Merryweather post pavilion in Maryland, first few LA arenas accepting mDLs, prospect of Olympics 2028 in Los Angeles 2028) Financial services use cases, such as opening a bank account with an mDL, as demonstrated by the NIST NCCoE Mobile Driving Licenses project and their first delivery phase. 

The panelists were collectively optimistic about the prospect of mDL acceptance accelerating, and accelerating across a wide range of use cases as merchants, government departments, and the public become progressively comfortable with the technology and experience it in their everyday lives. 

As one speaker said: “We see ‘happiness’ – happy residents delighted with the prospect of using their mDL.” Some of that ‘happiness’ can be measured in app scores where apps, such as the CA DMV Wallet app, has 4.8/5 stars (85k users) in the Apple App store.

Tangible adoption and issuance underway in US states  

The panelists highlighted that there is real momentum on mDLs, the technology is ‘already here’ and growing rapidly now, up the adoption curve:

5 million+ mDLs have been issued to date (AAMVA) 18 US states are issuing standards-compliant mobile driving licenses as of July 2025, with many more expected to launch later this year   40% of US residents live in a state that offers their residents a mDL   TSA has enabled over 250 priority airports for mDL acceptance, with more airports scheduled to come

The OpenID Foundation’s Executive Director, Gail Hodges, said: “These expert panelists are at the coal face working on the safe issuance of mobile driving licenses in their states, and ensuring that this new technology works for their residents and all Americans. The OpenID Foundation is delighted to work with market leading issuers and thought leaders like these panelists, and to ensure our global open standards meet their exacting requirements for security, interoperability, and both national and global scale.”

Market context: The urgency of the work

Gail’s opening remarks as moderator set the stage for the stakes facing the global  community.  

According to Vasu Jakkal, Microsoft Global Head of Security, $9.2 trillion is the value of the global cybercrime industry. “How much is it costing our world?” This is the equivalent to the third largest country by GDP and growing faster than any country.  US GAO estimate of US Federal Government annual losses to fraud is $233-$521 billion, as estimated based on 2018-2022 data. “No area of the federal government is immune to fraud….given the scope of this problem, a government-wide approach is required to address it.”   US financial institutions reported suspicious activity worth $212 billion – from US FINCEN analysis of identity-related suspicious activity, or financial crime related to weaknesses in our identity infrastructure.  

The hope is that digital identity infrastructure, including mobile driving licenses, can play a material role to mitigate these persistent and growing attacks, and better protect US residents and businesses. 

About the OpenID Foundation

The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net. 

 

About the panelists

Christine Nizer was appointed Administrator of the Maryland Department of Transportation Motor Vehicle Administration (MVA) and Governor’s Highway Safety Representative in August 2015. Prior to that appointment, Ms. Nizer served as the MVA’s Chief Deputy Administrator and Deputy Administrator for Central Operations and Safety Programs for over eight years. She also held management positions at the Maryland Public Service Commission, the Maryland General Assembly and the Office of Homeland Security. 

Ashley Hall is a Senior Project Manager at the Virginia Department of Motor Vehicles (DMV), where she leads the state’s groundbreaking Mobile ID initiative. With more than two decades of project management experience at the DMV and a PMP certification, Ashley has overseen a wide range of innovative efforts—from the development of Mobile Service Units to the implementation of Photoless Identification Cards.

Ashley holds a Bachelor of Arts from Virginia Tech and a Master of Public Administration from Virginia Commonwealth University. Since 2022, she has also served as a member of the AAMVA Joint Mobile Driver’s License Subcommittee, helping to shape national standards and best practices for digital identity.

Virginia’s Mobile ID is currently in a soft launch phase, with a full public rollout anticipated later this summer. The launch will include five key use cases: TSA checkpoints, Virginia DMV services, Virginia ABC stores, Virginia State Police and local law enforcement, and select casinos—bringing secure, convenient digital identification to Virginians across the state.

Ajay Gupta was appointed Chief Digital Transformation Officer in February 2020. Gupta leads business and technology transformation effortsfor the DMV to become a modern enterprise. Gupta has served as a special advisor to the DMV Director since 2019.

Before joining state service, Gupta worked as a managing director at KPMG, where he led the delivery of legacy transformation, technology innovation, and managed services for State departments nationally. Gupta brings more than 27 years of public sector experience to the DMV. He served state departments in California, Texas and Hawaii while working for CGI Inc., Visionary Integration Professional Inc., Deloitte LLP, and Tata Consulting Services.

Gupta has a B.E. in Electrical Engineering from Delhi College of Engineering and an MBA in Marketing and Information Technology from UC Davis. Gupta is also certified as a PMP, CSPO, Cloud Practitioner, and Enterprise Architect.

Assistant Deputy Commissioner of Innovation & Technology, Georgia Department of Driver Services, Brett Young has been with the Department of Driver Services since 2001 and has served in several roles. Brett is currently the Assistant Deputy Commissioner of Innovation & Technology leading the Information Technology, Innovation & Strategy and Program Management work units.

He has previously served as the Director for the Program Management Office. His experience includes managing regulated programs, defining the processes and procedures for operating the agency’s programs, establishing driver program vision and leading efforts to continuously improve the process of the Department’s Driver License Issuance System. He has previously led the Department through a Modernization Project, Card Production Procurement and placed Georgia’s License in three Digital Wallets.

Brett is currently a member of the AAMVA Card Design Standard Subcommittee and previously served on the AAMVA Autonomous Vehicle Best Practices Working Group.

Mr. Knigge has more than 40 years of experience in the technology field with a diverse range of experience from executive to consultant to IT project delivery roles.  For over two decades, he has worked primarily in the Motor Vehicle Industry with an exclusive focus on the DMV business.

Currently, Mr. Knigge is the Motor Vehicle Modernization Director leading the IT organization focused on technology support for the Arizona Department of Transportation, Motor Vehicle Division (AZ MVD).  AZ MVD has fully deployed an in-house, contemporary, cloud based modernized solution including comprehensive core internal systems, portals, identity solutions and related technologies.

AZ MVD developed technology includes mDL/digital identity capabilities and many features leveraging artificial intelligence functionality.

Lori Daigle joined the AAMVA (American Association of Motor Vehicle Administrators) Identity Management Team in November of 2023 as a Program Specialist. Her current role is Program Manager, Outreach & Education focusing on the mDL ecosystem and working to enhance Relying Party outreach and engagement. Lori has presented at the Identiverse Conference (2024), the International Association of Police Chiefs Mid-Year Conference (2024), the UL Payment Summit (2024), the Identity and Access Forum (2024), the Mortgage Brokers Association Conference (2024), the Identity and Payments Summit (2025), the Fime Innovation Days (2025) as well as several AAMVA Regional Conferences. She is also an active member in the numerous Jumpstart mDL working groups with the Secure Technology Alliance.

Prior to her current role, she spent nearly nine (9) years with the Colorado Department of Motor Vehicles (DMV) and served as the Director of the Driver License section. She has also led two nonprofits: the Northern Colorado AIDS Project and the Alliance for Suicide Prevention and taught high school Marketing, Management, and Psychology at Pinewood Preparatory School in Summerville, South Carolina where she was named Teacher of the Year.

The post Adoption now and ahead: mDL Day ‘Voices of the Future’ panel first appeared on OpenID Foundation.

Including recently-donated Rust implementation by Affinidi. More below!

Wait, is that a typo? Do you mean did:web? 

I did not, but I also did not not mean did:web. did:webvh is a new DID method, but it is also specifically designed to be a more production-worthy, “grown up” version of did:web, everyone’s favorite “training-wheel” DID method and growth hack for getting VCs issued from highly-trusted issuers. Crucially, did:webvh is a “backwards-compatible upgrade” to did:web, meaning it can be consumed in "legacy mode" by any software that already resolves did:web, but upgrades the featureset and trust-model when consumers upgrade their resolution logic to take advantage of the new syntax.

It was incubated at the Identifiers and Discovery Working Group at DIF, meaning it got extensive review and input from many other DID connoisseurs deep in the trenches of DID method design and “user research” as to what use-cases developers really want DIDs for in the first place. Having previously incubated other DID methods in the Sidetree family, early versions of the KERI system, and the did:peer specifications foundational to DIDComm, DIF is happy to see another DIF-incubated DID method graduate to v1!

If you’re hearing about did:webvh for the very first time here and now, let’s start at the beginning with a few high-level differences between did:web and did:webvh:

The VH stands for Verifiable History. Each DID version links cryptographically (“chains”) back to its predecessor and ultimately to the verifiable self-certifying identifier (SCID) that is embedded in the DID identifier. The SCID is derived from the DID’s initial state. Further, each update is signed by a key authorized to update the DID. Each valid did:webvh (the URL) can be easily and deterministically translate to a did:web. Just delete the “vh” in the method segment and the subsequent segment (the “SCID” — self-certifying identifier), and you have a valid did:web identifier.  Resolve that the way you would any other did:web, and you get a valid did:web DID Document. Easy-peasy, 100% interoperability with the most widely-deployed DID method other than did:key. Verifiability is not dependent on DNS. While DNS is used for discovery and retrieval of the DID Log file that contains a did:webvh history, the cryptographic verifiability of that history is not dependent on DNS. The DID Log can be retrieved from other locations/caches and fully verifies the history of its corresponding DID to date. Verifiability is independent of its DID Documents. A did:webvh DID Doc can contain anything the DID Controller wants it to have — different keys, key types, services and so on. The verifiability of the DID is secured by a more complex resolution mechanism, not the contents of the document. That allows the specification to be very opinionated on how the DID is secured (making interoperability easy and reliable), without limiting the purpose of the DID. Secure DID generation can now happen off-server. This allows DID doc hosting to be separate from key management, de-risking malicious hosts and allowing for “dumber” (e.g. key-oblivious) hosting pipelines, e.g. without access to /.well-known. “Common sense” DID URL Handling. The simple DID URL syntax <did>/path/to/{file} maps to just what one would expect: the "/path/to/" subdirectory where the <did> document is stored. Cross-Host Portability. A DID on one host, if configured from inception to allow it, can migrate to a host on another domain and still keep its long-lived and globally-unique “SCID” and verifiable history. This further decouples web hosting from the long-term value of the SCID as a stable, host-independent UUID, which (webvh-aware) consumers can use to link and deduplicate DIDs which migrate across multiple hosts. Optional extensions allow stronger guarantees for historical resolution and duplicity/forgery detection on the part of malicious hosts. Certificate Transparency-style “witnessing networks” (a web-of-trust approach to gossiping DID document histories, also used in the KERI key management/ID system) and/or aggressively cache-busting trusted resolvers can detect host malfeasance of various kinds. The origins of did:webvh

From the start, did:web had some production implementations that were too load-bearing to break… and many unhappy implementers. When a given website/domain only needed one collective DID (common for issuers already highly-trusted and with highly-secured websites, e.g. institutional issuers of credentials), or even in cases where the entirety of a DID’s lifecycle could be assumed to live on the same unchanging domain (e.g., employees or appointees or departments of an institutional issuer), did:web was great, and no one needed to consider upgrades.

Corner-cases and unhappy implementers kept popping up over time, though: 

What about historical resolution of old signatures after rotations and de-activations? What if a merger or acquisition or rebrand needs to update a domain name, but keep all its old DIDs resolving after the change? What if students want to keep their DIDs (or at least keep old signatures validating) after they graduate and they get incrementally locked out of their university’s IT systems?  What if anti-trust regulations forced portability (they way they do for phone numbers) and users wanted to keep connections after switching identity providers (or “hosts” in webvh terminology? What if hosts are perfectly willing to issue did:webs to hundreds of users, but cannot directly automate /.well-known/ documents for each, whether due to their JS framework, choice of contractor/service-provider, security policies, etc? What if consumers can’t fully trust all did:web hosts to faithfully produce the same document for all callers? What duplicity-detection mechanisms or historical guarantees could be offered to those consumers? Similarly, some use-cases are too high-stakes to trust all hosts equally; some consumers were demanding baseline guarantees about how securely DID documents get hosted over DNS-addressed HTTP beyond what is required for did:web

A backwards-compatible “version 2” of did:web was imagined but effectively deferred for years, before work started in earnest on an heir to did:web that focused primarily on improving its trust model. As the idea kept iterating and different requirements and design goals were debated by willing co-designers, the portability guarantees came to the fore as another key goal.

This portability goal dovetailed nicely with the requirements of the Open Wallet Foundation’s ACA-Py framework, which requires DID “agents” (a kind of general-purpose “backend” for many DID and VC operations) to be smoothly swappable over time by simply updating the services property in a DID document. As ACA-Py had originally been developed for blockchain-based did:indy DIDs, there was some amount of portability, key-management, and trust-model parity that needed to be achieved, which brought a lot of other difficult design problems in tow since websites are not stateful or append-only in the way blockchains are! 

Another parity goal was in achieving many of the host-independent “microledger” properties central to the KERI identifier system (and Sidetree before it), whereby the entire history of every DID can be walked to detect duplicity or other malice in any part of the system. Another KERI feature which the designers wanted to achieve was KERI’s “witnessing” properties, inspired by Certificate Transparency, which keeps hosts honest with tamper-detection and caching. This survives in optional extensions, i.e. as a distinct mechanism that consumers and hosts can opt into for stronger guarantees in resolution.

The did:webvh method's requirements informed the design and its original name, “Trust did:web”. Namely, the eponymous goal was to achieve an HTTP-published but ultimately host-independent trust layer for DID-based interactions, without a common blockchain and with more conventional cryptography and tooling than KERI requires. Trust nerds can think of this as a move from the “CA-grounded” web trust model, the only one in which did:web is usably trustworthy and secure, to one usable in a more modern “Let’s Encrypt” trust model that the web has largely moved to in recent decades.

Playing Nice in a Multi-DID World

As mentioned above, a formative goal in the design of did:webvh was smooth interoperability with did:web and did:key, as well as properties that would normally require an append-only VDR to achieve. Contrary to many DID methods which strive to stand out from the crowd by offering unique features enabled by their particular VDR or low-level mechanisms, this method sought instead to achieve a superset of features already in production today, to offer existing DID-based and DID-like systems a beter option to migrate to or translate to. Anything permitted in the DID Core specification is available in did:webvh — no restrictions! If the early phase of DID design was one of innovation and experimentation, did:webvh strives to consolidate and unite in this phase marked by convergence and productionization.

A good example of this is how did:webvh appends a digest (which can be used as a checksum) of the DID log entry to the id property of each DID document. In the HTTP context, this makes each DID document “tamper-evident” thus reducing many of the opportunities for a malicious did:web host to produce inaccurate or adulterated DID documents on behalf of a DID controller. This also makes all did:webvh DIDs “self-certifying,” in the sense that their documents’ integrity can always be checked against this checksum. Similarly, the provenance back to inception of updated DID documents can be integrity-protected and proven by the same “SCID” (Self-Certifying Identifier) mechanism.

SCIDs are a powerful design pattern, which undergird early IPFS-based DID methods like did:ipid and the Sidetree methods like did:ion and did:element, both of which were incubated in the DID Sidetree WG and used the IPFS identifier scheme to address each DID document by its hash.  Older mechanisms of hash-identification include RFC 6920, which underwrites the recent did:ni method; newer examples include did:iscc and the growing body of SubResource Integrity specs at W3C that allow location-independent, self-certifying identifiers for slow-moving, cacheable web resources. KERI pushed SCIDs to the fore and influenced a lot of design work at ToIP, but zooming out a little they can be seen across modern web development as a powerful counterbalance to the “same-domain principle” of modern web security.

SCIDs are also crucial to lots of ongoing design work at ToIP and elsewhere, such as the First Person Project which mandates the portability and self-certifying properties described above for ANY DID used across a wide patchwork of infrastructures and tooling. Does that mean any SCIDs will do? Can a did:webplus, used in the OCI ecosystem, be translated to a did:webvh, or a did:scid to let a controller of a did:webplus be part of such a bridged network? 

Similarly, the optional witness and watcher capabilities defined in the did:webvh specification were defined to be open-ended building-blocks as well. The specification defines a clean and simple technical mechanism for each capability to ensure interoperability between different applications of these, while leaving use-cases and ecosystem-specific governance questions outside the specification, where they belong. One application of these has been to backfill the did:indy concept of "endorsers" in a web-based VDR, but many other trust mechanisms or policy engines could be built combining DID logs and witnesses and/or watchers. The did:webvh Work Item at DIF welcomes implementors with divergent use-cases and policy assumptions to collaborate on profiling these capabilities and specifying them in more detail in ongoing work.

These broader questions of interoperability beyond the boundaries of any one DID method are increasingly being tackled in other workstreams at DIF. One of these isthe DID Traits evaluative specification (which also hit V1.0 recently!) which defines shared or equivalent/translatable properties across methods to facilitate bridging and converging DID systems. Similarly, the DID Methods WG is trying to draw attention to how well DIDs can be combined or translated, as well as how “production-grade” their implementations can be tested (or even audited) to be. WebVH is the first method being evaluated for production-readiness and documentation completeness, literally setting the bar for others!

Where to from here?

Having reached v1.0, the focus will now turn to refinements and adoption, working with implementers and deployers to gather feedback and grow their numbers.

Innovators are encouraged to review the didwebvh.info website and walk through the basic step-by-step "Understanding did:webvh". Implementors should check out the Implementations page to find the did:webvh tooling you need for your initiatives, including three mature and complete implementations: Python TypeScript Rust Standards developers can jump directly to the did:webvh spec

The Python and Typescript implementations were both incubated by the Government of British Columbia, Canada.

The Rust implementation was recently contributed to DIF by Affinidi. We're excited by this contribution as it brings the performance, memory safety, and systems-level capabilities that make Rust increasingly popular for performance-critical applications.

These three implementations serve as mutual validation tools, continuously testing interoperability and compliance against each other to ensure robust spec maturity and cross-platform reliability.

Whether you prefer leveraging existing tooling or building from scratch, did:webvh makes both paths straightforward. The clean specification and comprehensive interoperability test suite provide clear guidance for new implementations, while the mature tooling ecosystem offers battle-tested components you can integrate immediately.

We welcome contributions from the community - whether that's enhancing existing implementations, creating new language bindings, improving documentation, or developing deployment tools that make it even easier to adopt did:webvh DIDs in production environments!

Want to learn more and get involved? Join DIF or contact us at contact@identity.foundation.

A new school year is upon us and ISL wants to remind educators and school technologists that they need to take as much care scrutinizing safety risks in off-the-shelf (OTS) technologies recommended to students as they do for technologies licensed by the schools. 

We recently went back over the data from our 2022 benchmark and confirmed that most technologies pushed to K-12 students in the US are recommended (not required), and unvetted off-the-shelf technologies that students use completely independently of school privacy controls or oversight.   

Schools Recommend Too Many Technologies to Students 

One of the most striking findings from our 2022 US K12 EdTech Benchmark was seeing just how many technologies schools were pushing students to use.  

We ended up counting apps used in each school in three different ways. We initially looked for a single list of all the technologies that a school was either recommending or requiring. Ideally, we were looking for discrete lists of each type—recommended or required. However, most schools did not have clean, singular lists of apps, which meant we needed to hand count the number of all apps mentioned by the school and/or district websites as being used by students (“manual app count”). We hand-counted all 663 schools.  Some schools or more frequently school districts had full app lists maintained by their IT departments, and many districts maintained lists of technologies in the Student Data Privacy Consortium (SDPC) database. We called these lists “simple aggregated lists”. Finally, for many of the schools that had simple aggregated lists, they also indicated if an app was “approved” or not. We called these lists of approved apps “approved technology lists”. To summarize the types of app list counts: 

(1) Manual app count: Researchers hand counted the number of apps found across school and district websites1. This was                    performed for all 663 schools. 
(2) Simple aggregated list: For 222 schools we found simple aggregated lists of apps that were larger than the manual count.
(3) Approved technology list: For the 222 schools that had a simple aggregated list [larger than the manual count], 153 of them          distinguished approved from unapproved apps on those lists.

As can be seen in Table 1, the manual count yielded an average of 19 apps per school, but schools with simple aggregated lists averaged 191 apps, and strangely, the subset of schools with approved apps averaged 214 apps. Yikes.  

Table 1   LIST TYPE AVERAGE NUMBER OF APPS Manual app count (n=663) 19 Simple aggregated list (n=222) 191 Approved technology list (n=153) 214

Do schools really need to recommend 200 different apps and websites for student use? 

Recommended Versus Required Apps 

As mentioned earlier, in our manual counting of technologies we designated an app as either “required” or “recommended”. Apps were deemed “required” due to prominent presence on school websites, often with a login.2 Similarly, custom apps that were clearly branded for the school or district were also designated as required. Thus, required apps in our research were always licensed by schools. As such, these technologies were held to greater scrutiny and vetting, and student accounts were generally provisioned and managed by the schools3. In this way, the school had “joint data controller” responsibilities alongside the app developer.4

“Recommended” technologies, however, were always off-the-shelf (OTS) technologies, which students would access or download at their own discretion, creating their own accounts independent of the school. 

We knew that the percentage of required apps was small compared to the recommended apps. But what was the breakdown of “required” versus “recommended” apps? We thought the distribution might follow the 80-20 Pareto principle: that 20% of the apps were required, and 80% were recommended. We decided to go back and run the numbers.  

Table 2 below shows the numbers for the different types of app count lists. The manual app count method failed to account for the sometimes massive, aggregated lists. Similarly, the aggregated list numbers distorted the overall data set. The bottom-line row in the table, “Manual + Approved list”, combines the manual counts for schools without simple aggregated lists with the approved technology counts [for schools that had them] to best provide a number for the national results.  

As can be seen, it was closer to 70-30 than 80-20. On average, schools were pushing nearly 58 technologies to students, with 28.9% of them being required, and 71.1% being recommended.5 The vast number of apps schools are pushing on students are merely recommended unvetted off-the-shelf apps. Despite the apps being “approved” by the schools in the approved technology lists, we know that in many cases, the only vetting is whether or not a Privacy Policy exists. This is not a sufficient form of vetting to ensure student data privacy. Schools are subjecting students to unvetted and ungoverned technologies—sometimes more than 200 such technologies. Recall also that nearly 30% of the recommended technologies for students are neither strictly educational apps nor apps designed for children, and in the latter case, they are not covered by COPPA compliance. 

Table 2  Type of App List #
Schools Average Total # of Technologies Average # of Required / Licensed Technologies Required / Licensed Techs Average % of All Tech  Avg # of Recommended / OTS technologies  Recommended / OTS Techs Average % of All Tech  Max # of Technologies Manual App Count 663  19.0  5.1  33.4%  13.9  66.6%  106  Simple Aggregated List 222  190.7  5.5  9.7%  185.2  90.3%  1411  Approved Technology List 153  214.3  5.3  6.3%  209.0  93.7%  1411  Manual + Approved List 663  57.7  5.1  28.9%  57.8  71.1%  1411 
Conclusions  

When we consider “edtech” as the combination of licensed and OTS technologies as in our 2022 benchmark, a primary risk for students is the high—sometimes exceedingly high—number of unvetted off-the-shelf technologies that schools are recommending they use.6 Until technology is reasonably safe for children ISL recommends schools undertake the following:

Minimize the number of technologies recommended to students. 
a. Especially minimize the number of apps that are not specifically for children.
    i. ISL doesn’t propose (or support a paradigm of) age-gated versions of commonly recommended mixed-audience apps like         news, museum, zoo, and reference apps. These apps must be made safer for children of all ages (i.e. for all of us). Screen all OTS technologies recommended for student use. Ideally, these should be vetted as carefully as licensed technologies, though we know that’s not practical for all schools. 
a. Use ISL’s App Microscope to learn more about privacy risks in commonly recommended apps. Can’t find your app? Contact us        at schools@internetsafetylabs.org.  
b. Recommend only apps that are COPPA certified. This won’t stop all commercial surveillance and data sharing, but it at least             minimizes some data sharing.
c. Put in place Data Privacy Agreements (DPAs) for all technologies recommended to students, i.e. for both licensed and OTS                technologies. This requires some dedicated personnel to administer, but Access4Learning’s Student Data Privacy Consortium          has agreement templates readily available here https://privacy.a4l.org/.  
d. Annually audit DPAs against the actual technology behavior. This is a service that ISL has provided for one US state school board      and is more than happy to provide at reasonable rates. Contact us schools@internetsafetylabs.org.  

 

Footnotes: Note that the apps found via the manual count were the apps that were audited in the research. Due to the volume of listed apps, ISL did not audit all of the apps found in the simple aggregated lists. More discussion can be found in the first findings report. “2022 K-12 EdTech Safety Benchmark National Findings – Part 1”, Internet Safety Labs, December 13, 2022, Section 7.2.1, p. 89, https://internetsafetylabs.org/wp-content/uploads/2022/12/2022-k12-edtech-safety-benchmark-national-findings-part-1.pdf These required apps also more narrowly align with traditional “EdTech” categories, whereas the recommended technologies included a large percentage of apps not intended for children.  We wrote about this in a blog post from 2023 called, “Data Controller Confusion in EdTech”,   https://internetsafetylabs.org/blog/insights/data-controller-confusion-in-edtech/. NOTE that the average percentages shown in Table 1 reflect an average of each school’s percentage of required/recommended apps. Licensed technologies are also risky, especially the Community Engagement Platforms which shared data [on purpose] with the most third party entities and data brokers, like this app, no longer available on the app store: https://appmicroscope.org/app/1579/. 

The post 2022 K-12 Edtech Benchmark Revisited: Unvetted Off-the-Shelf Apps Outnumber Licensed Apps 2-to-1 appeared first on Internet Safety Labs.

The way cash moves through the supply chain is evolving. 

What was once a paper-heavy process is now embracing digital transformation.

In this episode, Robert Skitt, Senior Manager at Axiom Armored Transport, joins hosts Reid Jackson and Liz Sertl to discuss the shift from traditional, manual methods to more secure, efficient, and accountable digital solutions. 

Financial institutions and the Federal Reserve are demanding greater transparency and control over cash movement, and armored transport teams are under increasing pressure to adapt.

Robert walks us through the process of how Axiom is modernizing armored transport, replacing handwritten logs with barcode scans and eManifests. In this episode, you’ll learn:

How GS1 standards are helping digitize cash logistics

What “cash visibility” looks like in practice

Why early adoption gave Axiom a seat at the table and a competitive edge

Jump into the conversation:

(00:00) Introducing Next Level Supply Chain

(04:52) What cash visibility looks like

(07:23) How GS1 standards changed the workflow

(11:32) Turning paper-heavy processes into data

(13:32) Barcode tech in armored car logistics

(15:14) How digitization improves accuracy and trust

(19:25) Advice for starting your visibility journey

(20:44) Robert’s favorite technology today

 

Connect with GS1 US:

Our website - www.gs1us.org

GS1 US on LinkedIn

 

Connect with the guest:

Robert Skitt on LinkedInCheck out Axiom Armored Transport

Not only did Blockchain Commons close out its major Zcash project in Q2 and start work on a big, new FROST push, but we also did continued work on many other initiatives:

Working with Partners Zcash Zingo Labs FROST Ethereum Articles & Presentations Interoperability Provenance Marks Post-Quantum URs Permits in Gordian Envelope Thinking about Identity HackerNoon No Phone Home XID Core Concepts Fair Witness Bitcoin Policy Summit Web Updates Updated Projects Page New Envelope Seeds Page CLI Updates dCBOR-CLI Envelope-CLI Library Updates Mass Crate Update Argon2ID envelope-pattern dcbor-parse Working with Partners

Blockchain Commons is supported by patronage and by grants. (If you want to become a major patron and partner with us on a project, let us know, and if there are grants that you think would allow us to fulfill our Gordian Principles, that we may not be applying to, again drop us a line.) In Q1, some of our major projects were closely related to grants that we’d applied for last year.

Zcash. The Zcash ZeWIF project took up the majority of the our Q1. The goal was to create an interchangeable wallet format that would make Zcash wallets more interoperable and so give users more freedom to move their funds to an app of their choice. We continued that work in April and then closed it out in May.

Our work product for Q2 of the ZeWIF project included the final drafts of our best practices for importing & exporting wallet data and our doc on using Envelope attachments for ZeWIF. We also held our fourth and final (to date) ZeWIF meeting, which included a demo of our zmigrate-cli tool. Our final two reports from May give all the details on the apps, crates, and docs that we published as we closed out the project.

Zingo Labs. We were proud to do our Zcash work with Zingo Labs, who provided us with some of the Zcash-chain knowledge we needed to extend our interoperability expertise into the Zcash community. (We also got lots of support from other experts in the community through meetings, which is the same way we advance standards in all the ecosystems we work with.) We hope to continue that partnership in the future, and to support that we offered a presentation to Zingo Labs in Q2 highlighting our technologies, how they work, and why they’re useful. We focused on some of the low hanging fruit such as SSKR, which allows for the secure backup of secrets, and OIB, which makes it easier for users to see what they’re doing. We’ll let you know if anything comes of this!

FROST. As soon as we closed out work on our Zcash grant, we began work on a new FROST grant that we received from HRF. This grant’s work will come in three parts: creating new FROST signing tools; writing “Learning FROST from the Command Line”; and holding FROST meetings. We’ve been pushing hard on this work in July and August, so we’ll be writing more about it in the Q3 report.

Ethereum. Though most of Blockchain Commons’ work has traditionally been on the Bitcoin blockchain, our principles of independence, resilience, privacy, and openness apply to all blockchains. Our recent work with Zcash proved that, and so in Q2 we also had some talks with a variety of parties in the Ethereum ecosystem about possibly doing work with them on securing secrets at the level zero of their stack. We’re still waiting to see if anything gels, but generally: if you know of a blockchain that might be looking for interoperability or resilience support, let us know!

Articles & Presentations

Blockchain Commons’ major articles and presentations demonstrate our fundamentals and highlight our newest work. Here’s what that included in Q2.

Interoperability. We talk a lot about ecosystem “openness” and user “freedom”, or more generally “interoperability.” This is a pretty important foundation of Blockchain Commons’ work, so in Q2 we explored it more with the article “Interop, What Is It Good For?” and slides and video at our May Gordian Meeting. We encourage you take a look at the article or the meeting presentation to gain some more insight into one of the core principles of Blockchain Commons’ work.

Provenance Marks. One of our newest innovations is “provenance marks,” which allow for the creation of a cryptographically-secured chain of marks. We gave a presentation at our June Gordian meeting and also have a research paper on the technology. We additionally presented in provenance marks to the W3C Credentials Community Group, who is forming a working group on provenance technology of this type: Blockchain Commons’ provenance marks are one of three possibilities under consideration.

Post-Quantum URs. Post-Quantum Cryptography support was one of our most exciting expansions in Q1. We’ve now published a new research paper on integrating PQC with URs.

Permits in Gordian Envelope. Gordian Envelope is a more mature technology at Blockchain Commons, but we’re still exploring its fullest capability. Part of that capability is the “permit,” which is a way to lock your Gordian Envelope. The great thing about permits is that you can apply multiple permits to an Envelope, so that it can be opened by different people in different ways! We wrote a research paper on “Permits in Gordian Envelope” to offer more insights into the possibilities.

Thinking about Identity

Christopher Allen has been long associated with digital identity, dating back at least to his authorship of “The Path to Self-Sovereign Identity” and his founding of the Rebooting the Web of Trust workshops. Blockchain Commons did a variety of scattered work on identity in Q2.

HackerNoon. Christopher talked to Hackernoon about how “We’ve Lost the Privacy Plot”, which generally discusses privacy and the internet.

No Phone Home. Digital identity is closely associated with digital credentials, which detail who and what an identity represents. Unfortunately, credential design is growing problematic because much of it is phoning home: alerting issuers when and where credentials are used. That’s why Blockchain Commons recently signed on to the No Phone Home initiative, to try and bring attention to this fundamental problem in digital identity.

XID Core Concepts. Blockchain Commons has its own answer for self-sovereign identity: the XID, or extensible identifier. We’ve been working on a tutorial course to show everything about how XIDs work. So far, we’ve developed a set of core concepts docs, which not only overview how XIDs work, but also how they link into Blockchain Commons’ larger architecture. This is still a work in progress. (We’re about to begin work finalizing the linked tutorials.) But, if you want to take an early look, the core concepts files have all been closed out as revised drafts.

Fair Witness. Some of Blockchain Commons’ work is advocacy (like our discussion with Hackernoon and our signing on to No Phone Home) and some is pragmatic (like our XID work). But we also try to be future-looking. That’s what Christopher’s “Fair Witnessing” Musings was about. It’s a new look at Verifiable Credentials that focuses on the limitations of what we actually can perceive.

Bitcoin Policy Summit. We’re thrilled to see some of our thinking about identity starting to have an effect on the larger world. A few of Christopher’s identity articles were referenced in the Bitcoin Policy Institute’s recent white paper on “Building a Trustworthy Digital Future” and as a result, Christopher was asked to talk at the Bitcoin Policy Summit in Washington D.C. this June. (More on the results of that in the coming quarters!)

Web Updates

Our web pages are intended as a resource for developers so that they can understand and implement our technologies. Here are some of the updates we made this quarter:

Updated Projects Page. Our projects page has always been a central index to our most important work, but that type of thing gets out of date as priorities change, so we’ve done a big update to align it with our most recent iteration of our developer pages and to otherwise highlight important recent work like our meetings for FROST. Take a look at what we consider our most relevant work as of early 2025!

New Envelope Seeds Page. We also released a new page on Seeds in Gordian Envelope: how and why you’d want to store seeds in envelopes, complete with examples of how to use envelope-cli for experimentation. (This was also the heart of the demo we made to Zingo Labs, so you can take a look at several of our easiest-to-implement technologies here.)

CLI Updates

As usual, we’ve been making updates to our apps and libraries. In Q2 that included two CLI releases:

dCBOR-CLI. We have a new CLI for dCBOR! It validates dCBOR input (using CBOR diagnostic as its default input) and produces output in several formats (using hex as its default output).

Envelope-CLI. Our Envelope CLI now has new pattern matching to make it easier to find specific leaves.

Library Updates

There were also lots of updates to our libraries, focusing on our Rust stack.

Mass Crate Update. The vast majority of our Rust crates have been updated to support new developments that occurred while we were working on ZeWIF. This includes:

- bc-rand 0.4.0 - bc-crypto 0.9.0 - bc-shamir 0.8.0 - dcbor 0.19.0 - bc-tags 0.2.0 - bc-ur 0.9.0 - sskr 0.8.0 - bc-components 0.21.0 - known-values 0.4.0 - bc-envelope 0.28.0 - provenance-mark 0.8.0 - bc-xid 0.8.0 - bc-envelope-cli 0.14.0 - gstp 0.8.0

Argon2id. Argon2id support has been added to bc-crypto and bc-components, as well as the EncryptedKey type.

envelope-pattern. The new envelope-pattern crate is a pattern matcher and text syntax pattern parser for Gordian Envelope, allowing you to match specific structures within envelopes.

dcbor-parse. The new dcbor-parse crate parses and composes the CBOR diagnostic notation into dCBOR (deterministic CBOR) data items.

Here are our major dcbor crate updates:

- dcbor-parse 0.1.1 (NEW) - dcbor-cli 0.7.1 (heavy update) - dcbor 0.19.1 (minor changes)

Coming up, we have work on FROST, XID, and more. Sign up for the Gordian Developer Meeting announcement-list to be informed of our upcoming presentations, and please consider becoming a patron of Blockchain Commons or talking with us about partnering on a specific project.

Submitted by: Joni Brennan, President

List of recommendations:

Recommendation 1: That the government fund and deploy an interoperable, reusable digital credentials login solution for federal services modeled after widely-used single sign-on tools in the private sector. Recommendation 2: That the government invest in Canadian-based trust infrastructure, including domestic cloud and data centres, to support AI-readiness, digital sovereignty, and economic resilience. Recommendation 3: That the government advance interoperability to unleash digital trade and labour mobility.

Introduction

Thank you for the opportunity to provide input in advance of Budget 2025. In a time of economic, technological, and geopolitical uncertainty, Canada must act with urgency to reinforce the foundation of a strong, secure, and competitive digital economy: trust.

Whether enabling interprovincial labour mobility, reducing fraud in real estate and finance, or ensuring AI tools are used responsibly, verifiable trust infrastructure is central to our countryʼs economic stability and resilience. Trust is not just a principle, it is the experience citizens have when interacting with government services that are as seamless, secure, and intuitive as private-sector platforms. Without secure and scalable identity verification, Canadian businesses face rising fraud costs, compliance burdens, and lost consumer confidence. Citizens and professionals are delayed in accessing critical services or moving where they are needed most. And governments are challenged to keep pace with accelerating threats in an AI-driven world.

Now is the time to deliver trust through experience by investing in practical tools and Canadian infrastructure that protect citizens, unlock innovation, and future-proof our economy.

About DIACC

The Digital Identification and Authentication Council of Canada (DIACC) is a non-profit public–private coalition created following the federal Task Force for the Payments System Review. DIACCʼs mission is to accelerate digital trust adoption by enabling privacy-respecting, secure, and interoperable identity systems.

DIACC is the steward of the Pan-Canadian Trust Framework (PCTF) — an industry-developed, standards-based, technology-neutral framework designed to enable scalable, certifiable digital trust infrastructure that meets the needs of governments, businesses, and individuals.

The PCTF has been developed in collaboration with experts from federal, provincial, and territorial governments as well as industry and civil society. It supports verifiable credentials, authentication services, fraud prevention, and information integrity across the Canadian digital economy.

Canadaʼs Urgent Trust Deficit

Canada faces a growing trust deficit that threatens economic growth, competitiveness, and national resilience. Three converging challenges demand action:

AI-accelerated misinformation and identity theft – Generative AI tools are enabling the rapid creation and dissemination of fake identities, fraudulent documentation, and disinformation. Without robust authentication systems and verifiable credentials, the authenticity of people, data, and services becomes harder to determine—eroding consumer confidence and legal certainty. Rising fraud and its impact on the economy – Many of Canadaʼs key sectors are increasingly subject to fraud. The real estate sector, for example, is increasingly experiencing impersonation and illicit financial flows, especially in transactions involving unrepresented parties. Mortgage fraud, title theft, and manipulated documentation are rising, yet identity verification practices remain outdated and fragmented. Barriers to labour mobility and seamless trade – Many professionals face long delays and duplicative processes when seeking to work across provinces or internationally. Businesses struggle to comply with evolving regulatory requirements and to compete globally without recognized, verifiable credentials.

Recommendations

DIACC offers three core recommendations to address these threats and seize the opportunity to lead globally in trusted digital innovation.

Recommendation 1: That the government fund and deploy an interoperable, reusable digital credentials login solution for federal services modeled after widely-used single sign-on tools in the private sector.

The Government of Canada should develop and implement a digital credentials login solution that enables citizens to access federal services with one secure, consistent experience — similar to how they use Google or Apple sign-in options across the internet. For example, with a trusted credential, Canadians could log into a real estate registry, file taxes, or access health records using one verified identity, reducing friction and fraud risk while improving convenience and access.

These credentials should be certified against open standards such as the PCTF, enabling individuals to verify their identity once and reuse it securely across services. The government is also encouraged to take a longer-term view by building compatibility across federal, provincial, and municipal digital credentials systems.

Recommendation 2: That the government invest in Canadian-based trust infrastructure, including domestic cloud and data centres, to support AI-readiness, digital sovereignty, and economic resilience.

Verification and authentication tools are essential infrastructure in an AI-driven economy. As AI-generated content, synthetic identities, and manipulated documents become increasingly sophisticated, the ability to verify the provenance and traceability of information and data becomes even more vital.

DIACC recommends that the government:

Recognize authentication and verification tools as critical components of Canadaʼs AI strategy and cybersecurity agenda. Fund the adoption and certification of privacy-respecting, standards-based solutions, such as the PCTF. Prioritize collaborative development of tools that verify identity, documentation, and information authenticity while preserving user privacy. Ensure data residency through investment in Canadian-based private cloud and hardware services.

A proactive, standards-aligned approach will support:

Responsible AI deployment across sectors. Secure digital service delivery. Reduced liability for businesses and professionals relying on verified information. Greater resilience against misinformation and fraud in elections, commerce, and public discourse.

Recommendation 3: That the government advance interoperability to unleash digital trade and labour mobility.

Interoperability is key to reducing friction, unlocking economic opportunity, and ensuring Canada remains globally competitive. DIACC recommends that the government:

Support cross-government and cross-border interoperability by recognizing frameworks such as the PCTF in legislation, procurement, and policy. Advance mutual recognition of trust frameworks with international partners (e.g., between PCTF and the EUʼs eIDAS 2.0 framework). Enable the use of verified credentials for regulatory compliance, licensure, and interprovincial labour mobility. Accelerate digital transformation across public services using certifiable trust services.

This approach will help:

Enable professionals and skilled workers to move between provinces without redoing verification processes. Simplify cross-border regulatory compliance for Canadian exporters and importers. Allow micro, small and medium enterprises — including in rural, Indigenous and remote communities — to offer services and products across Canada and beyond without prohibitive onboarding costs. Ensure that public sector modernization efforts are secure, accessible, and efficient.

The Road Ahead

Canada is at a turning point. The foundation of trust that underpins our digital and economic systems is under strain, but the tools and standards to reinforce it already exist. Frameworks like the PCTF offer governments and businesses practical, scalable solutions that:

Meet privacy, security, and accessibility requirements. Support inclusive digital access for underserved communities. Complement formal standards and enable rapid deployment. Preserve Canadaʼs digital sovereignty. Budget 2025 offers a strategic moment to invest in these tools, not just as a technical fix but as a long-term economic, national security, and democratic priority.

Conclusion

Trust is Canadaʼs most valuable economic asset in the digital age. Whether enabling a small business to sell across borders, a citizen to access services securely, or a hospital to verify a clinicianʼs credentials during a crisis, trust infrastructure is the connective tissue of our digital society. DIACC welcomes further collaboration with federal partners to ensure Canadians can interact, transact, and innovate with confidence in a digital-first world. Thank you once again for the opportunity to provide our input in advance of Budget 2025 and as we collectively move forward on the path to a digitally and economically prosperous Canada.

Public Review Period for Proposed Second Implementer’s Draft of OpenID Connect Native SSO for Mobile Apps The OpenID Connect Working Group recommends approval of the following specification as an OpenID Implementer’s Draft:

OpenID Connect Native SSO for Mobile Apps 1.0

This would be the second Implementer’s Draft of this specification.

An Implementer’s Draft is a stable version of a specification providing intellectual property protections to implementers of the specification. This note starts the 45-day public review period for the specification draft in accordance with the OpenID Foundation IPR policies and procedures. Unless issues are identified during the review that the working group believes must be addressed by revising the draft, this review period will be followed by a fourteen-day voting period during which OpenID Foundation members will vote on whether to approve this draft as an OpenID Implementer’s Draft.

The relevant dates are:

Implementer’s Draft public review period: Monday, August 4, 2025 to Thursday, September 18, 2025 (45 days) Implementer’s Draft vote announcement: Friday, September 5, 2025 Implementer’s Draft voting period: Friday, September 19, 2025 to Friday, October 3, 2025

The OpenID Connect working group page is https://openid.net/wg/connect/. Information on joining the OpenID Foundation can be found at https://openid.net/foundation/members/registration. If you’re not a current OpenID Foundation member, please consider joining to participate in the approval vote.

You can send feedback on the specification in a way that enables the working group to act upon it by (1) signing the contribution agreement at https://openid.net/intellectual-property/ to join the working group (please specify that you are joining the “AB/Connect” working group on your contribution agreement), (2) joining the working group mailing list at https://lists.openid.net/mailman/listinfo/openid-specs-ab, and (3) sending your feedback to the list.

Marie Jordan – OpenID Foundation Board Secretary

 

About The OpenID Foundation (OIDF)

The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.

The post Public Review Period for Proposed Second Implementer’s Draft of OpenID Connect Native SSO for Mobile Apps first appeared on OpenID Foundation.

Community calls have been a cornerstone of my engagement and community building practice for well over a decade. I started a couple community calls at Greenpeace International, one of which continues a good 8 or 9 years later. Regular readers have probably heard of the Open Recognition is for Everybody (ORE) call. Now, we’re spinning one up with Amnesty International UK.

In this blog post, I reflect on why community calls hold such significance to me. For me, community calls are vital hubs where connections, ideas, and growth converge.

Being open and inclusive cc-by-nd Bryan Mathers for WAO

We all stand on the shoulders of giants. I learned about community calls way back when I was working at Mozilla. At Mozilla, we had community calls for communities, sub-communities, projects and procedures. The majority of our meetings were simply open – if you knew about it, you could join. Sometimes we promoted calls and asked for participation, sometimes we just waited to see who showed up. If you showed up to a call, you were included, whether anyone had specifically invited you or not.

Working openly is a transformative way to bring people together and create safe spaces where people can share challenges, celebrate successes, and co-create solutions. The regularity of designated community calls helps build trust and camaraderie, turning strangers into collaborators. By creating space for diverse voices, we enrich our problem-solving approaches and ensure that decision-making reflects a wide range of perspectives. These inclusive practices have strengthened communities, making them more resilient and adaptable.

Strengthening the community cc-by-nd Bryan Mathers for WAO

If I think about all the different community calls I’ve been a part of, and all the people I’ve met because of open community calls, I’m reminded of the power those calls have to shape things. These calls aren’t presentations, webinars or regular meetings, they are spaces where people have the power to shape the agenda and talk about issues that matter to them.

Part of building successful community calls is to let go of trying to control conversations. While we might put together a loose agenda to guide a community call, we strive to make sure that everyone in attendance feels like their being there matters. Community calls are not transactional, they are spaces that help us be part of a community, find ways to amplify more voices and work together.

Just talk to people cc-by-nd Bryan Mathers for WAO

Part of what makes a community thrive is helping people find a place of belonging. Community calls help by providing a flexible space where people can just talk to each other. They are not just about discussing details or progress in a project, but also about celebrating one another and figuring out what a collective future for a project or an idea might be. They’re great spaces to figure out problems, while also getting to know the people you’re collaborating with.

Community calls have been instrumental in shaping open projects and building meaningful connections. Their role in driving innovation, inclusivity, and adaptability is immeasurable. As I look forward to building open calls for the AIUK community, I am reminded that these calls are not just meetings—they're milestones in a journey towards a more connected and collaborative world.

If you are looking for a way to encourage a group of people to co-create and collaborate, check out 11 steps to running an online community meeting. It’s a resource that I wrote almost a decade ago and continue to return to over and over as I work to connect people working to make the world a better place.

Google has implemented significant enhancements to biometric authentication and security features in Chrome and Google Workspace, marking the latest step in the company’s broader push toward stronger authentication methods. These updates build upon previous Chrome security improvements while addressing critical vulnerabilities in desktop password management.

The OpenID Foundation is excited to announce the first interoperability event testing against the soon-to-be-final Shared Signals Framework (SSF) specification at Authenticate 2025. 

This event will demonstrate interoperability on the final specification, after the membership votes on it as being ‘final’ by end of August), as per OIDF Process Document. It will serve as the final phase of testing on the OpenID Foundation open source tests before they are announced as available for implementer self-certification, as per our certification program process. 

Demonstrating real world business value

SSF interoperability events enable participants to demonstrate real-world use cases with their products leveraging CAEP, RISC or SCIM events to deliver business value. The interoperability testing conducted at the three previous Gartner IAM Summits drew an amazing response as conference attendees witnessed firsthand how their security can be dramatically improved using SSF.

The sessions will be led by Atul Tulshibagwale, Corporate Board Member of the OpenID Foundation and CTO of SGNL. Atul will also present a breakout session on Monday, October 13, explaining the standards, and revealing the interoperability testing results.

Atul noted “Demonstrating conformance to the final published specifications is an important milestone that this interoperability test will establish. Companies interested in securing their systems using CAEP and SSF can rely on these interoperable implementations with the confidence that future products would have to conform to the same specifications.”

Gail Hodges, the OpenID Foundation’s  Executive Director added: “We are delighted to see the Shared Signals specifications moving through the public review and voting process, to see the Shared Signals Working Group (SSWG) bring those specifications through four interoperability events on two continents, and to prove out the open source tests so any implementer can build to and self certify to the same global open standards. We are grateful to our friends at our peer standards body FIDO for their invitation to demonstrate the interoperability of Shared Signals at their annual event in San Diego.”

Andrew Shikiar, Executive Director and CEO of the FIDO Alliance said: “The Authenticate conference has proven to be a fantastic venue for global attendees to collaborate on innovations in authentication and digital identity. We welcome the OpenID Foundation’s Shared Signals Framework implementers to interoperability test and demonstrate their implementations, which complement the strong authentication capabilities of passkeys enabling responsive session management using CAEP.”

Invitation to participate

The OpenID Foundation’s SSWG is inviting participation from implementers of the proposed final specifications of SSF, CAEP and RISC. As always, the OpenID Foundation welcomes those who have demonstrated interoperability to previous versions of these standards, as well as new entrants implementing for the first time.

To accommodate this diversity of new and earlier implementations, the SSWG has designed the following rules:

Conformance Tests: All participants that have a SSF Transmitter must pass the OpenID Foundation’s free, open source conformance tests. Event Types: Transmitters and Receivers must support the SSF verification event type and at least one additional event type, such as CAEP session revoked, CAEP credentials changed, or CAEP device compliance change. Interoperability Tests: Each participant must test with at least one other participant to achieve the ‘interoperable’ status. Note that Transmitters need to pass the conformance tests in order to participate. Implementation categories

Interoperable implementations will be categorized as follows:

Available Now: Publicly documented, currently available solution Available Soon: Publicly documented solutions with near-term availability In Development: Solutions not publicly documented or available.

There will be 15 demonstration slots, divided into three sessions of five slots each. These will be allotted to interoperable implementations based on their category above, with preference given to those with membership of the OpenID Foundation

More on Shared Signals

 

To read more about why shared signals are critical specifications, and why Gartner analysts, CISA, NIST and others refer to Shared Signals as a critical best practice to secure public and private ecosystem implementations read more here:

“Shared Signals Framework: The Blueprint for Modern IAM (Part 1 of 4)” – OpenID Foundation “Juggling with Fire Made Easier: Provisioning with SCIM (Part 2 of 4)” – OpenID Foundation  “Review of the Summer 2023 Microsoft Exchange Online Intrusion” CISA Cybersafety Review Board Report NIST SP800-63-4 (draft) AuthZEN & Shared Signals in the Gartner IAM 2025 Spotlight – OpenID Foundation Gartner report – Hype Cycle for Digital Identity 2025 (Note: requires Gartner subscription or purchase). About the OpenID Foundation

The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.   

 

The post Shared Signals interop event at Authenticate 2025: Call for participation first appeared on OpenID Foundation.

This summer marks ten years since the Ethereum network launched, forever transforming the blockchain space and introducing the world to smart contracts, decentralized applications, and programmable trust. At LF Decentralized Trust (LFDT), we’re proud to join the global community in celebrating this milestone and spotlighting the critical role our projects and contributors play in Ethereum’s growth and evolution.

Back to our Developer Showcase Series to learn what developers in the real world are doing with LF Decentralized Trust technologies. Next up is Antonio Mota, Vice President, Applications Developer and Lead Analyst, DLT Centre of Excellence, Citi Innovation Labs.

How can technology serve as a tool for justice, not harm? Our recent six-month Matchbox partnership with TechHer Nigeria helped us explore exactly that. 

The post PARTNERING FOR IMPACT: BUILDING SAFE DIGITAL SPACES WITH TECHHER NIGERIA appeared first on The Engine Room.

The time has come to put open data at the heart of the New Zealand story.  By this I mean the deployment of digital public infrastructure to secure our data so it can flow smoothly and safely with the correct permissions. Change is hard. System change is even harder. But that doesn’t mean we shouldn’t be aspirational.

It is encouraging to see Hon Judith Collins‘ “we’ll have a Government app by Christmas” programme take a significant step forward with the appointment of two exceptional New Zealand tech companies.

Congratulations to both Dave Clark NZ and MATTR teams. This is exactly the kind of partnership between government and local tech that strengthens our digital economy and showcases New Zealand innovation on the world stage – DIA announcement here.

The structural separation of digital identity from the traditional tech stack represents a seismic shift for the industry and for how systems are designed and developed. Despite extensive consultation as the technology evolved over the past few years, the long-awaited reference architecture and design for government implementation are now a priority.

As we build our profile, we are grateful that so many accomplished changemakers are stepping up to speak at our highly anticipated Digital Trust Hui on 12 August:

Matthew Evetts – Partner – Digital & Cyber, KPMG Tim Ransom – Product Manager – Public, Community and Consumer Health, Te Whatu Ora Joel Foster – Chief Commercial Officer, Lumin  Helen Littlewood – Senior Product Manager,Worldline Contactless Silona Bonewald – President, LeadingBit Solutions | Open Source Evangelist & Standards Expert Kristy Phillips – Chair, Hospitality New Zealand Anna Curzon – Chair, B416 Don Christie, Managing Director, Catalyst IT Myles Ward – Deputy Government Chief Digital Officer, DIA Maria Roberston, Chair, Digital Identity New Zealand

At the Hui, it will be valuable to see the DIA spell out the work that the Department has underway to resolve any policy and regulatory barriers for accredited providers, issuing credentials (driving, education, travel, age assurance), along with DIA issued credentials under DISTF accreditation.

It will be beneficial at the Hui to see DIA outline the work underway to address policy and regulatory obstacles for accredited providers, specifically regarding the issuance of credentials such as driving, education, travel, and age assurance, as well as DIA-issued credentials under DISTF accreditation.

Have you secured your spot at the Digital Trust Hui Taumata?

Join us on 12 August in Wellington for a full day of keynotes, panels, roundtables, and exhibits, expertly guided by MC Ngapera Riley. Hear from leaders including Ministers Judith Collins and Scott Simpson, James Monaghan (MISSION), Myles Ward (DIA), Liz MacPherson (Privacy Commissioner), Helen Littlewood (Worldline), Christopher Goh (Austroads), and Andrew Weaver (Payments NZ). With 30+speakers and support from sponsors including Payments NZ, Worldline, IMB, KPMG, Lumin, Ping Identity, NEC, DIA, Westpac, MATTR, Middleware Group, JNCTN, and MinterEllisonRuddWatts, this is a must-attend event shaping Aotearoa’s digital trust future. View the Programme and Register now!

DINZ Strategy Refresh

New Zealand stands at the frontier of a digital future where open, trusted data unlocks better services, richer insights, and empowered citizens.

There is an increasing consensus among government, industry, Iwi, communities, and citizens to collaboratively undertake a bold, values-led transformation of our data systems. This transformation will be underpinned by transparent and auditable public infrastructure.

The upcoming digital identity strategy refresh will be looking at, amongst other things, how to accelerate credential uptake, how to unlock productivity with digital identity and the role of identity solutions in the world of AI and agentic systems.

I’m looking forward to this session with our Executive Council in the coming weeks as we work to focus our energy on making real change to support our vision of a country where people can express their identity using validated and trusted digital means in order to fully participate in a digital economy and society.

In Other News
 

Dave Clark NZ and MATTR secure major government contract
Dave Clark NZ and digital identity firm MATTR have won a significant New Zealand government contract to develop a new app focused on secure digital identity services. Read more.
  Digital ID developments won’t replace wallets just yet
Despite progress in digital identity systems, experts say physical IDs and wallets will remain necessary for the foreseeable future due to infrastructure and adoption challenges. Read more.
  New Zealand launches world-first deepfake experiment to build public trust
New Zealand is leading a groundbreaking deepfake detection trial aimed at boosting public awareness and resilience against synthetic media manipulation. Read more.
  Department of Internal Affairs (DIA) announces updated rules for the DISTF
The feedback has been thoroughly analysed and presented to both the Trust Framework Board and the Minister for Digitising Government. As a result, the updated rules went into force on 24 July 2025. For a comprehensive overview of the updated rules and a summary of the feedback received, please visit the Trust Framework for Digital Identity Legislation page.

With a realistic government timeline now established, we must collectively prepare for launch. There is a significant amount of work ahead, and no time to lose.

Fortunately, our Digital Identity NZ membership possesses world-class capabilities, ideally suited to assist with consultation and bridge delivery gaps as we move forward.

Ngā mihi nui,

Andy Higgs
Executive Director, Digital Identity NZ

Banner image credit: Rocket Lab

The post Open spaces, open hearts, open minds…time to add Open data to the mix! appeared first on Digital Identity New Zealand.

The two-week voting period will be between Monday, August 15, 2025 and Monday, August 29, 2025, once the 60 day review of the specification has been completed.   The OpenID Shared Signals Working Group page is https://openid.net/wg/sharedsignals/.  If you’re not already a member, or if your membership has expired, please consider joining to participate in the approval vote. Information on joining the OpenID Foundation can be found at https://openid.net/foundation/benefits-members/.   The vote will be conducted at https://openid.net/foundation/members/polls/373.   Marie Jordan – OpenID Foundation Secretary   About the OpenID Foundation

The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.   

The post Notice of Vote to Approve Three Shared Signals Final Specifications first appeared on OpenID Foundation.

As fraud, regulatory scrutiny, and consumer expectations evolve, Canadian Automotive Retail and Finance Sectors are under pressure to modernize identity verification (IDV) practices. This report summarizes insights from DIACC’s recent industry forum, where finance leaders, dealership executives, and regulators explored the impact of digital IDV solutions on reducing fraud, improving operational efficiency, and fostering consumer trust.

Download the report here.

2025-Spring-Plenary-Client-IDV-Forum-Summary_ENG

In the MyData Matters blog series, MyData members introduce innovative solutions that align with MyData principles, emphasising ethical data practices, user and business empowerment, and privacy. High-quality journalism is critical […]

August 2025

DIF Website | DIF Mailing Lists | Meeting Recording Archive

Table of contents Decentralized Identity Foundation News; 2. Working Group Updates; 3. Special Interest Group Updates; 4. User Group Updates; 5. Announcements; 6. Get involved! Join DIF 🚀 Decentralized Identity Foundation News DIF Partners with MIT's Project NANDA for Packed Event

DIF partnered with MIT's Project NANDA for a well-attended event at Circuit Launch on July 18, 2025, where Ramesh Raskar shared his vision for architecting an Internet of AI Agents. DIF Technical Steering Committee chair Andor Kesselman served as co-host, with robust discussion focusing on the relevance of decentralized identity for the agentic web.

During and after the event, discussion covered how DIF's decentralized identity standards can provide the cryptographic foundation for Project NANDA's agentic web, enabling persistent, verifiable identifiers for AI agents operating autonomously across organizational boundaries. This collaboration addresses the critical challenge of maintaining human oversight and trust as AI systems gain greater agency, ensuring that robust identity infrastructure underpins the future of AI collaboration.

DIF co-hosted event with Project NANDA in Mountain View, CA on July 18, 2025

Global Digital Collaboration Conference in Geneva

DIF staff and community had a strong presence at the Global Digital Collaboration (GDC) conference in Geneva on July 1-2, 2025, with our community delivering key presentations across multiple tracks. Highlights included our opening session on Agentic AI and Digital ID, addressing critical trust challenges as AI agents become more autonomous. Additional DIF-led sessions covered identity foundations for Industry 4.0 transformation, decentralized identifiers for global interoperability, and digital human rights.

DIF community at GDC

The conference demonstrated the maturity of decentralized identity solutions, with presentations spanning from privacy-enhancing technologies and trust management for wallets to enterprise blockchain implementations and regulatory compliance frameworks. The diverse roster of sessions highlighted how decentralized identity is being deployed across sectors—from government digital infrastructure projects to enterprise security applications—while fostering meaningful dialogue between technologists, policymakers, and standards bodies globally.

Visit the GDC website for session videos and stay tuned for the upcoming Book of Proceedings featuring detailed insights from all presentations.

DIF Labs Beta Cohort 2 Projects Launch

Following the selection process completed in June, DIF Labs Beta Cohort 2 is now in full swing with three innovative projects that push the boundaries of decentralized identity technology. The selected projects focus on:

Privacy-preserving verifiable credentials using advanced cryptographic techniques Anonymous multi-signature protocols for group credentials Novel approaches to privacy-preserving revocation mechanisms.

Each project team is receiving dedicated mentorship from DIF's expert community and is committed to delivering open-source implementations that will benefit the entire ecosystem. The projects are scheduled to run through September 2025, with regular check-ins and a final showcase event planned.

See the DIF Labs web site for more information.

DIF Showcases Decentralized Identity for Seamless Travel Experience at HITEC Conference

DIF presented at HITEC 2025 in Indianapolis, where hospitality technology veterans mapped out how self-sovereign identity can align data privacy with friction-free travel experiences. The session featured Douglas Rice (Managing Director, Hospitality Technology Network), Nick Price (former CIO, Mandarin Oriental Hotel Group & citizenM), Kim Hamilton Duffy (DIF Executive Director), and Bill Carroll (CEO, Marketing Economics; retired Cornell professor). The speakers demonstrated how traveler-controlled digital wallets can enable seamless journeys—from AI-powered trip planning with auto-completing visa forms to face-scan boarding, NFC room keys, and verified guest reviews.

The presentation highlighted real-world momentum with examples including EU "Seamless Travel" pilots across 27 member states, Cathay Pacific's Hong Kong-Tokyo trial packing seven credential types into passenger wallets, and Bhutan's nationwide digital identity program built on decentralized identifiers. The speakers emphasized that centralized data silos are incompatible with the hyper-personalization guests demand, while self-sovereign identity delivers immediate benefits including reduced breach risks, lower cyber-insurance premiums, and improved revenue through verified, up-to-date traveler data.

See Alex Bainbridge's article for a detailed recap, as well as the recording and presentation deck. Additional coverage available at PhocusWire.

DIF H&T team at HITEC conference

🛠️ Working Group Updates

Browse our active working groups here

Creator Assertions Working Group

The Creator Assertions Working Group made significant progress on terminology standardization and integration with broader credential frameworks. A key development was the group's decision to transition from "identity assertions" to "attribution assertions," recognizing that "attribution" better captures the essence of content creation claims while being less controversial in industry discussions. The team continued advancing their integration with the C2PA ecosystem and made substantial progress on metadata assertion standards. Work also progressed on media identifier systems and the development of flexible metadata frameworks that can accommodate various content types and use cases.

👉 Learn more and get involved

Applied Crypto Working Group

The BBS+ team achieved significant milestones in pseudonym generation and post-quantum security considerations. Key developments included the finalization of polynomial evaluation methods for pseudonym generation, addressing potential security vulnerabilities from adversarial users through more robust cryptographic approaches. The team made substantial progress on test vector development for the 0.9 draft release and continued coordination with IETF standardization efforts. Discussions also covered the efficiency implications of different cryptographic commitment schemes and their practical applications in large-scale deployments.

👉 Learn more and get involved

DID Methods Working Group

The DID Methods Working Group focused intensively on W3C standardization efforts and refining the evaluation process for DIF-recommended DID methods. Significant progress was made on the proposed W3C DID Methods Working Group charter, with the team addressing concerns about blockchain inclusion and standardization scope. The group refined evaluation criteria for DID method proposals, emphasizing the need for multiple implementations, significant deployments, and clear compliance with DID traits. Work continued on balancing objective criteria with expert evaluation to ensure high-quality recommendations while maintaining transparency in the assessment process.

👉 Learn more and get involved

Identifiers and Discovery Working Group

Multiple work streams advanced significantly this month. The DID:webvh team made substantial progress toward their 1.0 specification release, with multiple implementations now passing comprehensive test suites and performance analysis demonstrating efficient handling of DID updates. The DID Traits team prepared for their 1.0 release, focusing on key validation capabilities and long-term availability requirements. The group also explored applications in software supply chain contexts and examined compliance with emerging regulations like the EU's Cyber Resilience Act, demonstrating the practical relevance of decentralized identifiers in enterprise environments.

👉 Learn more and get involved

DIDComm Working Group

The DIDComm Working Group advanced work on binary encoding support through the CBOR implementation, positioning it as an optional feature for version 2.2 with potential to become the default in future major releases. The team addressed important technical challenges around message encoding detection, MIME type handling, and implementation compatibility. Significant discussions covered privacy considerations and "phone home" concerns in credential verification systems, with the group exploring how verifiable credentials can be presented without requiring direct communication with issuers. The group also examined DIDComm applications in AI agent-to-agent communications.

👉 Learn more and get involved

Claims & Credentials Working Group

The Credential Schemas team launched their community schemas initiative, creating a framework for organizations to contribute verifiable credential schemas to a shared repository for potential standardization. Significant progress was made on aligning their basic person schema with schema.org standards while maintaining compatibility with existing frameworks like OIDC and UK ID assurance. Key developments included extending postal address schemas for banking KYC requirements, refining terminology around personhood verification credentials, and establishing processes for schema synchronization between repositories. The team also began exploring employment credentials and anti-money laundering certifications as future development priorities.

👉 Learn more and get involved

Hospitality & Travel Working Group

The newly launched Hospitality & Travel Working Group hit the ground running with substantial progress on the HAT Pro specification. The team developed comprehensive schemas for food preferences, dietary restrictions, and accessibility requirements, utilizing graph-based models to avoid data duplication and improve cross-referencing capabilities. Key developments included the creation of UML models and JSON schemas for complex preference structures, exploration of AI-assisted data input to simplify user experiences, and the establishment of engagement processes for subject matter experts across various travel sectors. The group is preparing for major presentations at industry events and has launched a dedicated website to showcase their work.

👉 Learn more and get involved

DIF Labs Working Group

DIF Labs Beta Cohort 2 projects are now in active development phase, with three selected projects working on cutting-edge privacy-preserving technologies. The projects focus on legally binding verifiable credentials using Qualified Electronic Signatures (QES), comparative analysis of privacy-preserving revocation mechanisms, and anonymous multi-signature verifiable credentials. Each project team is receiving dedicated mentorship from DIF's expert community and is committed to delivering open-source implementations that will advance the broader decentralized identity ecosystem. The program continues to demonstrate the value of focused, mentored development in advancing the state of the art.

👉 Learn more and get involved

🌎 DIF Special Interest Group Updates

Browse our special interest groups here

DIF Africa SIG

The Africa SIG featured an impressive deep-dive presentation on Ethiopia's national digital identity system, Faida, and its associated digital credential platform FaidaPass. Representatives from Ethiopia's national ID system provided detailed insights into the architecture, features, and implementation of this groundbreaking system, which serves as one of the first full-scale standards-compliant deployments globally. The presentation highlighted the use of decentralized verification models, biometric authentication capabilities, and self-sovereign identity principles, while addressing innovative solutions for non-smartphone users and future monetization strategies. The session demonstrated Africa's leadership in practical digital identity implementation.

👉 Learn more and get involved

APAC/ASEAN Discussion Group

The APAC/ASEAN group hosted comprehensive presentations on digital identity solutions in Australia, featuring True Vault's approach to creating a decentralized identity ecosystem. Discussions covered recent regulatory changes including the Digital Identity Act, international standards alignment, and the challenges of achieving interoperability across different jurisdictions. The group explored the evolution from manual to digital identity verification methods and examined the potential for global expansion of digital identity solutions while addressing privacy concerns and user control requirements. The session highlighted Australia's voluntary approach to digital identity and its implications for regional adoption.

👉 Learn more and get involved

DIF Japan SIG

The Japan SIG focused on recent developments in DID and AI agent authentication, with participants sharing updates on their organizations' initiatives and emerging challenges. The group explored the intersection of decentralized identity with AI systems and examined potential applications across various sectors. Key discussions included the unique requirements for AI agent identity management and the challenges of implementing decentralized identity principles in automated systems. The group also considered future meeting formats and potential offline events to enhance community engagement and collaboration.

👉 Learn more and get involved

DIF Hospitality & Travel SIG

The Hospitality & Travel SIG hosted presentations highlighting decentralized identity adoption in the travel industry. Key sessions included discussions with Microsoft on AI-driven cybersecurity solutions for hospitality, analysis of Apple's digital identity announcements and their implications for travel, and exploration of AI agents' potential to revolutionize customer interactions in travel and hospitality. The group examined both opportunities and challenges in implementing decentralized identity solutions across various travel scenarios, from border crossing to personalized service delivery.

👉 Learn more and get involved

📖 DIF User Group Updates DIDComm User Group

The DIDComm User Group explored practical implementations and emerging applications of the DIDComm protocol, with particular focus on AI agent communications. Key discussions included demonstrations of new systems and their communication protocols, exploration of generative AI communication frameworks and their similarities to DIDComm approaches, and examination of security considerations for AI agent interactions.

👉 Learn more and get involved

📢 Announcements H&T Working Group Launches Blog

As Hospitality & Travel activity increases at DIF, Autoura CEO Alex Bainbridge has launched a special H&T focused blog. We encourage you to visit and subscribe for updates.

🆔 Get involved! Join DIF

If you would like to get in touch with us or become a member of the DIF community, please visit our website or follow our channels:

🐦 Follow us on Twitter/X 💻 Join us on GitHub 📺 Subscribe on YouTube 🔍 Read the DIF blog New Member Orientations

If you are new to DIF, join us for our upcoming new member orientations. Find more information on DIF's Slack or contact us at community@identity.foundation if you need more information.

ends August 9th

The LegalXML – Electronic Court Filing pleased to announce that ECF V5.01 Errata 01 is now available for public review and comment. The public review is now open and ends August 9, 2025 at 23:59 UTC.

Electronic Court Filing Version 5.01 Errata 01
Committee Specification Draft 01
21 June 2025

https://docs.oasis-open.org/legalxml-courtfiling/ecf/v5.01/errata01/ecf-v5.01-errata01-csd01.docx

https://docs.oasis-open.org/legalxml-courtfiling/ecf/v5.01/errata01/ecf-v5.01-errata01-csd01.html

https://docs.oasis-open.org/legalxml-courtfiling/ecf/v5.01/errata01/ecf-v5.01-errata01-csd01.pdf

How to Provide Feedback

OASIS and the LegalXML – Electronic Court Filing value your feedback. We solicit input from developers, users and others, whether OASIS members or not, for the sake of improving the interoperability and quality of its technical work.

Comments may be submitted to the project by any person through the use of the project’s Comment Facility. TC members should send in comments via the TC mailing list. All others should submit to the comment mailing list after following instructions listed here.

All comments submitted to OASIS are subject to the OASIS Feedback License, which ensures that the feedback you provide carries the same obligations as the obligations of the TC members. In connection with this public review, we call your attention to the OASIS IPR Policy [1] applicable especially [2] to the work of this technical committee. All members of the TC should be familiar with this document, which may create obligations regarding the disclosure and availability of a member’s patent, copyright, trademark and license rights that read on an approved OASIS specification. 

OASIS invites any persons who know of any such claims to disclose these if they may be essential to the implementation of the above specification, so that notice of them may be posted to the notice page for this TC’s work.

Additional information about the specification and the LegalXML – Electronic Court Filing TC can be found at the TC public home page here.

Additional references:

[1] https://www.oasis-open.org/policies-guidelines/ipr/

[2] http://www.oasis-open.org/committees/legalxml-courtfiling/ipr.php

Intellectual Property Rights (IPR) Policy

RF on Limited Terms Mode

The post LegalXML – Electronic Court Filing V5.01 Errata Public Review appeared first on OASIS Open.

Gail Hodges, Executive Director OpenID Foundation

Today the OIDF is proud to announce that the OpenID for Verifiable Credential Issuance (OpenID4VCI) specification has proven interoperability through the pairwise testing of seven issuers and five wallets providers from around the world.  

The clear evidence of interoperability is a meaningful and timely result as this specification moves through a 60 day public review period. At the end of this period, the OpenID Foundation membership will cast their votes to elect this specification as a “Final” specification in line with the OpenID Foundation Process Document.

OpenID4VCI Interoperability Objectives 

This OpenID4VCI interoperability project had five objectives: 

Prove out the OpenID4VCI specification before the vote to name it a Final specification Provide interoperability results and implementer feedback to the Digital Credentials Protocols WG To provide results on interoperability to standards body partners (e.g. ISO/IEC , W3C, and ETSI) Brief government partners on progress in the standards they have selected to support their ecosystems and projects  (e.g. European Commission EUDI Wallet project, NIST NCCoE mDL project, and the Japan Digital Agency pilot project)  Provide accurate, proven, open source tests to the global community of issuers, wallets, and vendors for them to prove out their own implementations that use these specifications.

To prove out the technical interoperability objectives, the specifications tested included:

OpenID for Verifiable Credential Issuance  v16 The OpenID Foundation’s OpenID for Verifiable Credentials High Assurance Interoperability Profile Implementer’s Draft 2.0 ISO/IEC IS 18013-5:2021 Mobile Driving License (mDL) and “mdoc” specification ISO/IEC TS 18013-7:2024   IETF’s SD-JWT draft 17  Pairwise Testing

The invitation to participate in the Interop event was made available to contributors to the DCP WG, those that have signed a DCP WG Contribution Agreement, to ensure any interoperability feedback could be used to inform the OpenID4VCI specs and tests. 

The pairwise interop demonstration was conducted July 16, as the third in a series of interop events from May to July to mature implementations in line with the specifications. In the third OpenID4VCI interop event on July 16th, the participants took part in a 90 minute, remote interop meeting followed by an 8 day window to remediate any bugs asynchronously.   During this time, out of the 59 possible issuer/ wallet pairs that could be tested, 47 pairwise tests were conducted. Of those 47 pairs:

87% passed successfully 11% failed with resolvable issues    2% failed without an immediately obvious issue.

Overall, the implementers and the DCP WG determined that these results did not include any material concerns with the OpenID4VCI v16 of the specification, or the OIDF open source tests on OpenID4VCI. For noting, the results were consistent across a range of scenarios supported by the specification, with implementers demonstrating one or multiple configurations of OpenID4VCI: 

OpenID4VCI with SD-JWT, Custom URI initiated and client authentication using wallet attestation-based client authentication with x5c header (designated as “HAIP mode”) OpenID4VCI with SD-JWT, Custom URI initiated and client authentication using client assertion with private_key_jwt   OpenID4VCI with SD-JWT, Custom URI initiated, no client authentication   OpenID4VCI with mdoc, Custom URI initiated, no client authentication   Global Expert Participants

Leading implementers from around the world included (7 Issuers and 5 wallets). They included: 

Bundesdruckerei GmbH Fikua  MATTR  Open Wallet Foundation (Android “Multipaz”) Lissi GmbH Meeco MyMahi Wallet OpenID Foundation (open source tests)

A big thanks to all of our interop participation teams!

Why This Demonstration Mattered

Over the past 18 months, digital credentials have moved from promising prototypes to production pilots in finance, healthcare, transportation, and government services. In the California DMV and OIDF hackathons in October and November 2024, we saw a wide range of use cases demonstrated, and in Europe, we have seen 11 key use cases progressed as part of the European Digital Identity Wallet’s Large Scale Pilots. Earlier this year we conducted a  May 5th Interop event for OpenID for Verifiable Presentation, with pairwise and multi-wallet tests conducted in partnership with the NIST NCCoE Mobile Driver’s License (mDL) project.   In other recent declarations, the UK.Gov, the Swiss Confederation, and Japan Digital Agency selection the OpenID for Verifiable Credentials in their digital identity projects. Other jurisdictions are poised to follow suit and adopt a similar reference architecture centered on the use of OpenID4VP and OpenID4VCI. This interop event on OpenID4VCI served as the vital pressing testing of interoperability enabled by the specifications. By meeting the specification and interoperability targets, the specs are on track to scale in line with the European Digital Identity Wallet and other jurisdictions in the months ahead. To get to this point, there were three key components:

Liaisons and Partnerships: The Foundation has long-term liaisons and partnerships with peer standards bodies such as W3C, ISO, IETF, and ETSI. These liaisons and ongoing technical conversations have underpinned the development of interoperable standards demonstrated on July 16th, alongside the large number of leading-edge implementers ready to prove out the specifications together. The results of this interoperability event will be shared via a liaison statement with  ISO/IEC 18013-7 WG10 to inform this Work Group’s due diligence on online presentation specifications, and W3C’s work on the Digital Credentials API and ETSIs work on TS 119 472TS 119 472  which relate to the EUDIW. Conformance Testing: OIDF developed open-source tests aligned to the specifications for use before and during the interop event. The implementers could prove their implementations against the tests before testing against their peers and provide critical feedback on the tests for the benefit of future implementers. Once the specs and open-source tests are finalized, implementers will be able to self-certify their implementations. Self-certification and other conformance requirements are often vital components of ecosystem governance to ensure all participants in an ecosystem have met the same high bar for security and interoperability.   Remote Interop for Global Participation: Finally, this event was hosted in a remote format, with implementers located in several European countries, New Zealand, San Francisco, and beyond. Even for some implementers not taking part in the live interop event, teams were able to connect across time zones over the following week to triage issues and close gaps. Implementer Feedback 

The feedback from the implementers on the benefits of the July 16th interop is positive and encouraging that we are at an inflection point:  

Oliver Terbu from MATTR stated:

“We’re proud to have contributed to OpenID4VCI Interop #3 and see the protocol maturing towards real-world deployments. OpenID4VCI’s focus on simplicity and interoperability across diverse ecosystems makes it a cornerstone for scalable and interoperable digital credential issuance.”

Stefan Charsley of MyMahi stated: 

“MyMahi worked with a variety of issuer teams to test interoperability for the MyMahi Wallet, demonstrating OpenID’s OpenID4VCI standardization efforts have been applied practically to achieve interoperability at both regional and global levels. We look forward to working with more teams utilizing OpenID standards.” 

Jan Vereecken, of Meeco said: 

“For Meeco, the interop was a valuable opportunity to test our implementation alongside other participants. It validated the work we’ve done to stay aligned with the evolving OpenID4VCI standard and reinforced our commitment to advancing secure and interoperable digital credential infrastructure. I think events like this are essential to move the whole ecosystem forward. We’re proud to be contributing to that momentum as the DCP WG is finalising the 1.0 version of this specification and practical implementor feedback is crucial to the whole process.”

Micha Kraus of Bundesdruckerei GmbH, a German federal technology company, that prints German passports, identity cards and credentials and protects identities and data with solutions “made in Germany, stated:

“This Interop event was an important step toward standardized, harmonized solutions in the ID Wallet domain. As active promoters of standardization, we are proud of the progress in collaboration with our international partners. Our goal is to shape secure, privacy- and user-friendly solutions that users will be happy to adopt in the future. The experience we have gained at the Bundesdruckerei in this project is widening our broad expertise in this field and can be applied to the implementation of the German national EUDIW.”

Oriol Canadés from Fikua stated:

“Participating in the OpenID4VCI Interop #2 and #3 was a valuable milestone for Fikua. It allowed us to validate our Issuer implementations across diverse client authentication mechanisms and credential formats. This kind of hands-on collaboration is key to maturing the standard and ensuring real-world readiness. We’re proud to contribute to an ecosystem that prioritizes interoperability, security, and user-centric design.”

Voices from the DCP WG and Foundation Leadership 

Torsten Lodderstedt, the specification editor and co-chair of the Digital Credentials Protocol Working Group, expressed gratitude for the live feedback from implementers:

“Validating these features in real-world scenarios is crucial as we head toward final publication,” he said, inviting new contributors to help the working group evolve the specification beyond its first edition.

Gail Hodges, Executive Director of the OpenID Foundation said:

“This interop event proved that verifiable credential issuance using OpenID for Verifiable Credential Issuance works across platforms, across devices, and for different credential types. The participants, WG members and cochairs are confident that the underlying specification and test suite are on a solid trajectory to achieve recognition as a Final specification and to support implementers in the months ahead. The timing could not be better as over 30 jurisdictions have selected and are deploying OpenID4VCI to support their digital identity credential issuance to digital identity wallets.”  

Next Steps Toward Global Adoption

The OpenID4VP specifications are on track for final publication mid September 2025, and are currently in the 60 day public review period until August 28, 2025, with the voting to be held August 29th to Friday, September 12, 2025. 

OpenID Foundation’s open source tests are already available for free and open use on OIDF servers or on an implementer’s own server:  

How to run conformance tests for OpenID for Verifiable Presentations How to run conformance tests for OpenID for Verifiable Credential Issuance

In the weeks ahead, the OpenID4VCI tests will have mdoc credential types added, and other negative and positive tests will be added for completeness. They currently cover the core components required for interoperability and security such as OpenID4VP and OpenID4VCI with DC API, HAIP, for SD-JWT and mdoc, and a range of DCQL queries. By the end of September, the OpenID Foundation intends to open up self-certification for OpenID4VP and OpenID4VCI. Similar to OpenID Connect and FAPI 1.0 and FAPI 2.0, implementers will have the option (but not the obligation) to submit the results of their implementations against the test suite, and the OIDF will review those results and publish them online for a modest fee.  The OpenID foundation is also working closely with ecosystem partners to ensure their certification and conformance programs benefit from the OIDF tests and, as appropriate, partner on development and delivery of their ecosystem’s conformance program. 

In parallel, collaboration with OIDF’s peer standards bodies will continue, such as with W3C, ISO/IEC, ETSI, FIDO, EMVCo and others. In addition, support for key projects will also continue as the  NIST NCCoE Mobile Driving License (mDL) project transitions from “opening a bank account” to the government services use cases, and transit in Japan moves through the pilot process.  

“This OpenID4VCI interoperability demonstration is a pivotal milestone in a long journey to finalize these critical wallet specifications,” Gail concluded. “Thank you to every implementer, observer and standards body partner for this interop project a success. Together, we are building a truly global digital identity ecosystem, one that empowers users, protects privacy and delivers real-world value.”

About the OpenID Foundation

The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, FAPI has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling ‘networks of networks’ to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.  

The post OpenID Foundation demonstrates real-world interoperability of new Digital Identity Issuance Standards first appeared on OpenID Foundation.

Jay White of Microsoft and Pablo Breuer Secure Additional Terms, Reinforcing Continuity and Strategic Momentum at OASIS

Boston, MA, 24 July 2025 – OASIS Open, the international standards and open source consortium, announced the results of its 2025 Board of Directors Elections. Three newly elected members and two re-elected members joined the Board in providing strategic governance and leadership to advance OASIS’s mission of solving global challenges through open development and collaboration. 

OASIS is pleased to welcome new board directors Jason Clinton of Anthropic, Charles Frick of Johns Hopkins Applied Physics Laboratory (APL), and Sarah Liang of EY. OASIS also congratulates Jay White of Microsoft and Pablo Breuer on their re-election to additional terms. The continuing members of the Board are Jim Cabral, Gershon Janssen, Bret Jordan, Vasileios Mavroeidis, Daniel Rohrer, and Daniella Taveau.

“I’m delighted to welcome Jason, Charles, and Sarah to the Board, and to congratulate Jay and Pablo on their re-election,” said Gershon Janssen of Reideate, OASIS Board President and Chair. “Their expertise will be instrumental as we continue shaping open standards that address global challenges. I also want to thank our departing directors Jason, Daniel, and Omar for their outstanding service and lasting impact they’ve made on the OASIS community.”

New Board Members

Jason Clinton serves as Chief Information Security Officer (CISO) at Anthropic, where he guides security strategy, including detection and response, compliance, physical security, security engineering, and IT. He brings over a decade of experience in infrastructure security, having previously led efforts in defense against advanced persistent threats and contributed to major operating system and payment platform development. Jason also serves on the Coalition for Secure AI’s (CoSAI) Project Governing Board.

“The rapid advancement of AI makes robust, open standards more crucial than ever,” said Clinton. “Through initiatives like CoSAI, OASIS brings together industry leaders to develop frameworks that protect users while enabling innovation. I’m honored to join the OASIS board and work alongside leaders who share this commitment to responsible AI development.”

Charles Frick, a Chief Scientist in the cyber capabilities development group at Johns Hopkins Applied Physics Laboratory (APL), leads multiple research and pilot efforts focused on cybersecurity automation, machine-speed threat information sharing and operational resilience. He chairs the Indicators of Behavior (IoB) sub-project within the Open Cybersecurity Alliance (OCA), guiding development and adoption of new standards for behavior-based threat intelligence.

“As cybersecurity threats continue to evolve, transparency, interoperability and collaboration are essential,” said Frick. “I’m honored to join the OASIS board and contribute to its vital mission at the intersection of open standards and open source. I look forward to advancing standards that support automation, resilience and trust—especially in areas like behavior-based threat intelligence and cyber-physical system security—so that we can better protect critical infrastructure and global digital ecosystems.”

Sarah Liang is a Partner at EY and serves as the Global Responsible AI Leader, where she drives comprehensive AI governance initiatives throughout the firm and for client solutions worldwide. Her expertise encompasses monitoring the regulatory landscape, aligning with legal and compliance standards, designing AI risk management solutions, and developing responsible AI frameworks that operationalize governance without hindering innovation. Sarah actively participates in key standards organizations, including CoSAI, bringing cross-industry insights and collaborative approaches to standards development.

Liang noted, “I’m honored to join the OASIS Board of Directors. OASIS and the EY organization share a vision of driving the beneficial long-term impact of AI use through transparency, security, trust, and scalability. We have a responsibility to act now and define global standards for AI development and deployment. I look forward to working alongside my fellow board members to help transform businesses through sustainable growth and innovation, while contributing to long-lasting positive change.”

Outgoing Board Members

OASIS expressed sincere appreciation to outgoing Board members Jason Keirstead, Daniel Riedel, and Omar Santos for their valuable service during their tenure as directors. Everyone at OASIS extends our heartfelt thanks for their dedicated leadership and lasting contributions to the organization’s mission. To view the current Board of Directors, please visit our website.

Media inquiries: communications@oasis-open.org

The post Anthropic, EY, and Johns Hopkins APL Executives Elected to OASIS Board to Drive Open Development and Global Collaboration appeared first on OASIS Open.

ISL had the opportunity to present at USENIX Association’s PEPR 2025 conference with a presentation entitled, “Safetypedia: Crowdsourcing Privacy Inspections”. The full video of the presentation can be viewed below:

The post PEPR ’25 – Safetypedia: Crowdsourcing Privacy Inspections appeared first on Internet Safety Labs.

With iOS 26 and macOS Tahoe 26, Apple is solving a key problem, though For the first time, Apple is adding support for true passkey portability. This means you can move your credentials from Apple Passwords to a dedicated password manager like 1Password, Dashlane, or Bitwarden, and even move them back. The system handles the transfer securely and locally, so you don’t have to worry about exporting plaint text CSV files and crossing your fingers that nothing gets exposed.

Passkey portability is built on a new standard from the FIDO Alliance that lets apps exchange credentials in a private and encrypted way. It uses Face ID, Touch ID, or your device passcode to approve the transfer. From the user’s perspective, it just works. And that’s exactly how it should be.

Reddit has implemented mandatory age verification for UK users to comply with the country’s Online Safety Act, which took effect in July 2025. The legislation requires digital platforms to prevent minors from accessing unsafe content, particularly mature or adult material, following Ofcom’s broader push for stricter online age verification across digital platforms.

The platform’s verification system requires UK users to submit either a government-issued ID, such as a passport, or a selfie through Persona, a third-party identity verification company. The approach follows successful implementations by other platforms, including Discord’s recent rollout of facial scan and ID verification in the UK. Persona handles the sensitive data to maintain user privacy, storing uploaded photos or IDs for a maximum of seven days without sharing the information with Reddit.

Reddit retains only the user’s verification status and birthdate, eliminating the need for repeated verification when accessing restricted content. Persona has confirmed it does not access Reddit user data, including subreddit activity. The privacy-focused approach matches emerging standards in digital identity verification, consistent with the principles established by the FIDO Alliance’s certification program for face-based remote identity verification.

Over the past three months, The Engine Room and Puentes have been exploring how to nurture connection, online and beyond the screen, in a world where division often seems to be the norm.

The post DANCES, KEYS, AND GARDENS: NURTURING COLLECTIVE DIGITAL CARE appeared first on The Engine Room.

By now you’ve seen one of these:

Never mind that you’re not running an ad blocker, but merely blocking tracking. Instead, note the small print in the lower right: “VRM by Admiral.”

By “VRM,” Admiral means this:

What we’re looking at here is the $.5 billion Consent Management Platform business, currently dominated worldwide by OneTrust, with a 40% market share. In the US, Admiral is the leading provider to publishers, giving it a high profile there. In Europe, the leaders are OneTrust, Usercentrics, and CookieYes.

So here is a challenge for Admiral , OneTrust, and the rest of them: make VRM  mean Vendor Relationship Management (like it says in Wikipedia).

Our case: real relationships are based on mutual trust, which can only happen if personal privacy is fully respected as a starting point. Consent management by cookie notice can’t cut it.  For real trust, we need people to bring their own terms to every website’s table, and have agreements to those. This is why we, the ProjectVRM community, through Customer Commons (our nonprofit spinoff) and the IEEE P7012 (aka MyTerms) working group, created the draft standard (on track to become official early next year) for machine-readable personal privacy terms. Three years ago, I called MyTerms The Most Important Standard in Development Today. The CMP business can help make it so, by getting on the Cluetrain.

Here are some opportunities:

CMPs can provide sites & services with easy ways to respond to MyTerms choices brought to the table by visitors. Let’s call this a Terms Matching Engine.The current roster of terms we’re working with at Customer Commons (abbreviated CuCo, hence the cuco.org shortcut) starts with  CC-BASE, which is “service provision only.” It says to a website, “just give me your service, and nothing more.” In other words, no tracking. Yet. Negotiation toward additional provisions comes after that. Those can be anything, but they should be in the spirit of We’re starting with personal privacy here, and the visitor sets the terms for that. There is a whole new business (which, like the VPN, grammar-help, and password management businesses, people would pay for) in helping people present, manage, remember, and monitor compliance with their terms, and what additional agreements have been arrived at. This can involve browser add-ons such as the one pictured  on the ProjectVRM r-button page. CMP companies can make money there too, adding a C2B business to their B2B ones. Go beyond #2 to provide real VRM. Back in the last millennium, Iain Henderson pointed out that B2B relationships tend to have hundreds or thousands of variables over which both parties need to agree. Nitin Badjatia, another CRM veteran (and a Customer Commons board member like Iain and myself), has also pointed out that companies like Oracle have long provided AI-assisted ways for B2B relationships to arrive at contractual agreements. The same can work for C2B, once the base privacy agreement is established. There can be a business here that expands on what gets started with that first agreement. Verticals. There can be strong value-adds for regulated industries or companies wanting to acquire and signal accountability, or look for firmer ways to establish a privacy regime better than the called consent, which doesn’t work (except as thin ass-covering for companies fearing the GDPR and the CCPA). For example: banks, insurers, publishers, health care providers. For people (not just corporate clients), CMPs could offer browser plugins or apps (mobile and/or computer) that help people choose and present their privacy terms, track who honors them, notify them of violations, and have r-buttons mean something. Or multiple things.

Here is what a VRM-friendly person in the UK came up with as a prototypical first by a CMP away from cookie notices:

That was after this post went up.  (Which is great.)

Obviously, we want cookie notices (and other forms of friction) to go away, but we also want CMPs to have a nice way to participate in a customer-led world in which intention-based economies can grow.

And here is an example of r-buttons in a browser:

Real relationships, including records of agreements, can be unpacked when a person (not a mere “user”) clicks on either the ⊂ or the ⊃ symbols. There are golden opportunities here for both VRM and CRM vendors. And, of course, companies such as Admiral and OneTrust working both sides—and being truly trusted.

Give us more. (Like that cookie notice above.)

did:webvh adds historical verifiability to did:web, using cryptographic provenance to establish that the current DID document is the result of legitimate updates by the DID controller. Today on the show we talk with Stephen Curran and John Jordan, co-creators and implementers of the did:webvh specification.   References ACA-py Plug In https://aca-py.org/latest/features/PlugIns/  AnonCreds Specification https://hyperledger.github.io/anoncreds-spec/  DID...

did:webvh adds historical verifiability to did:web, using cryptographic provenance to establish that the current DID document is the result of legitimate updates by the DID controller. Today on the show we talk with Stephen Curran and John Jordan, co-creators and implementers of the did:webvh specification.   References ACA-py Plug In https://aca-py.org/latest/features/PlugIns/  AnonCreds Specification https://hyperledger.github.io/anoncreds-spec/  DID...

The OpenID Foundation has launched a new Ecosystems Support Community Group (ESCG) to help public and private sector ecosystem leaders understand the key architectures, decisions, and best practices at the forefront of open banking/open data and digital identity adoption globally. 

Context

The ESCG arrives at a critical time when 90+ jurisdictions are pursuing open banking/open finance/open data, and 60+ are pursuing digital identity, as per the Cambridge Judge School of Business (2024). The ESCG provides a safe space for architects and other ecosystem leaders to convene with other experts. The trusted relationships in this ESCG can not only help inform local decision processes before launch, but also inform ongoing maintenance, roadmap development, and monitor security issues. 

Similar to OIDF’s other community groups (CGs), the ESCG will not develop specifications. Instead, its purpose is to support ecosystem decision-makers as they build and maintain their ecosystems, providing world class, independent, and opinionated views on how to combine, profile, and implement these to realize the benefits of the specifications. 

Building on the OpenID Foundation’s proven track record

The OIDF already plays a central role supporting and connecting ecosystem experts in three key ways: 

Convening experts in our Working Groups (WGs), such as FAPI WG, the Digital Credentials Protocols WG, A/B Connect WG, and others. Supporting ecosystems and individual implementers with certification to OIDF specifications (over 4k implementers self-certified to date).  Providing safe spaces for experts to engage, including the Death and Digital Estate Community Group, Australian Digital Trust Community Group and OIDF workshops and conferences. 

This ESCG will play an essential and pragmatic role, providing expertise that cuts across other OIDF WGs/CGs, as well as specifications from peer standards bodies. 

Six core guiding principles

This new ESCG will operate under the following six organising principles:

Sharing: provide a safe community environment for ecosystem governing bodies to share experiences and learnings, and to ask questions. Privacy: Promote the enhancement of user privacy and control by using explicit consent mechanisms, accompanied by best practices for informed consent. Security: identify and promote best current security practices for all ecosystem participants. Interoperability: the ESCG must promote the benefits and mechanisms for interoperability across ecosystems irrespective of use case, industry sector or jurisdiction. Recognition: the ESCG will recognise that each ecosystem will need to make its own pragmatic decisions to support its own route towards interoperability over time.   Cost reduction: Promote a lower cost of adoption and change for ecosystem participants (e.g., data recipients, data providers, ecosystem governing bodies, etc.). The global push for digital wallets and open data

Given the emergence of digital wallet based ecosystems and the global push towards Digital Public Infrastructure, we anticipate that nearly all jurisdictions will push for open data and digital identity deployments in the years ahead. From the 26 ecosystems that the OIDF supports today, we know that most of the decisions each implementer needs to make are very similar. 

While local laws, requirements, and cultures may lead to differences in configuration, the majority of decisions are harmonized across jurisdictions. Furthermore, new ecosystems benefit from the lessons learned from prior implementations and dramatically reduce time-to-market.

Preventing fragmentation of ecosystem standards

As public and private sector ecosystems develop their policies and architectures, they must evaluate technical options, make key governance decisions, and maintain clear communication with implementers.  

The OpenID Foundation is aware of native ecosystem divergences, which, if left unsatisfied, will lead to amplified challenges for security and interoperability across borders and use cases. This will become increasingly difficult to solve as the global market continues to develop at an accelerating pace, with each jurisdiction at risk of becoming an ‘island’ that cannot interoperate with others.  

Resolving the resultant global fragmentation would introduce an expensive cost of change for each implementer within a given ecosystem.

Join the initiative

The OpenID Foundation’s new Ecosystems Support Community Group is open to all who wish to join the conversation and contribute to the discussion.

What we will do:

Capture existing and emerging ecosystem configurations and develop an Ecosystems Tracker. Evaluate key differences between ecosystem configurations and specifications.  Assess how to combine different specifications. Capture and communicate ecosystems’ requirements to other WGs, OIDF’s conformance test team and OIDF, in general.

The new ESCG will also develop, or initiate the development of, best practices and reference architectures to support different types of ecosystems, assisting key decision-making for governance bodies. These guides will provide recommendations for specifications, associated design of conformance testing, and other aspects of ecosystem development and deployment. 

If you are an ecosystem leader grappling with the policy, technical, and operational challenges of enabling open banking/open data, and/or digital identity, we hope you will consider joining the ESCG to share your own experiences with your peers. 

About the OpenID Foundation

The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net. 

The post OIDF launches Ecosystems Support Community Group  first appeared on OpenID Foundation.

The packaging around your product now matters just as much as the product itself.

For companies navigating Extended Producer Responsibility (EPR) laws, that's quickly becoming the reality. And it’s reshaping how teams think about data, packaging, and compliance.

In this episode, Lindsay Savage, Senior Director of Data Governance and Business Platforms at Georgia-Pacific LLC, joins hosts Reid Jackson and Liz Sertl to demystify what EPR means for manufacturers and retailers. 

With legislation ramping up across states, Lindsay explains how brands are preparing for complex reporting requirements, coordinating across departments, and turning sustainability regulations into opportunities for smarter product innovation.

In this episode, you’ll learn:

Why EPR is more than a packaging issue and why it matters now

How Georgia-Pacific is building scalable systems to manage regulatory data

Tips for companies just getting started, from legal teams to logistics

Jump into the conversation:

(00:00) Introducing Next Level Supply Chain

(02:21) Lindsay Savage’s background

(03:16) What EPR means for your business

(04:50) Every state has its own rules

(06:15) Data overload and the push for standards

(07:36) Breaking down product, packaging, and pallet

(09:27) Two ways to report EPR data

(11:20) How to get started with EPR compliance

(12:40) Building cross-functional teams for success

(17:55) Embracing AI tools to stay ahead

 

Connect with GS1 US:

Our website - www.gs1us.org

GS1 US on LinkedIn

 

Connect with the guest:

Lindsay Savage on LinkedIn Check out Georgia-Pacific

MyData Global has submitted A Human-Centric Roadmap for Europe to the European Commission’s public consultation on Data Union Strategy. The Roadmap has incorporated input from the MyData community, and the […]

Microsoft Copilot is becoming the interface for how users work with AI across the Microsoft ecosystem. But what happens when you enhance Copilot with the ability to understand and remember structured, verifiable knowledge?

With the integration of the OriginTrail Decentralized Knowledge Graph (DKG) and the Model Context Protocol (MCP), you can build AI agents that reason over live data, contribute to shared memory, and deliver trusted outputs backed by cryptographic proofs.

By extending Microsoft’s AI infrastructure with OriginTrail, you equip Copilot agents with powerful capabilities for knowledge discovery, memory, and collaboration.

What is MCP?

The Model Context Protocol (MCP) is an open standard that defines how language models access and utilize tools and external data sources.

MCP uses a client-server architecture where:

MCP Servers expose tools and data, both local and remote, MCP Clients, such as agents built in Microsoft Copilot Studio, call these tools using a standard protocol.

This architecture makes it easy to build AI systems that are modular, composable, and interoperable across different environments.

What role does the DKG play?

The OriginTrail DKG provides a decentralized layer for structured, verifiable knowledge that AI agents can query, write to, and collaborate over. When connected to an MCP server equipped with DKG tools, agents are empowered to retrieve and build upon interconnected, verifiable knowledge.

AI agents can:

Retrieve semantically rich knowledge, Generate and publish new Knowledge Assets, Collaborate on a shared, verifiable knowledge base.

Each interaction is built with data provenance, version control, and ownership in mind. Knowledge is shared, structured, and trustworthy!

Supercharging Microsoft Copilot with verifiable memory!

Through this integration, builders can now connect OriginTrail DKG with custom agents built in Microsoft Copilot Studio.

Here’s what that enables:

The DKG MCP server runs alongside an OriginTrail DKG Node, Custom actions are registered in Microsoft Copilot Studio to access DKG tools, These actions can be triggered by agents within environments like Microsoft Teams.

This setup allows Copilot-based agents to access interconnected, verifiable knowledge in real time, and contribute new structured information back into the DKG.

Agents can then:

Ask precise questions over a structured knowledge graph, Write their own memory as reusable Knowledge Assets, Store results, update context, and collaborate with other agents.

This integration brings reasoning, verifiability, and memory collaboration directly into Copilot-powered workflows

See it in action!

In the live demo, Jurij Škornik, General Manager at Trace Labs, core developers of OriginTrail, walks us through:

Running the DKG MCP server with an OriginTrail Edge Node, Building a custom agent in Microsoft Copilot Studio, Adding custom actions to enable interaction via Microsoft Teams.

The result is a working Copilot agent with full access to decentralized, verifiable memory. Check it out!

As AI becomes central to enterprise workflows, adding verifiability and structure to its memory is essential. Combining OriginTrail DKG and MCP means your agents are working with knowledge that is:

Structured using open standards (like RDF and schema.org), Interconnected across multiple data sources, Verifiable thanks to cryptographic anchoring, Portable across applications, agents, and ecosystems, such as Microsoft.

This opens the door to new applications in supply chains, research, content management, enterprise collaboration, and more!

Build AI agents with verifiable memory using OriginTrail and Microsoft Copilot! was originally published in OriginTrail on Medium, where people are continuing the conversation by highlighting and responding to this story.

Global Participation Expands as the Coalition Releases Essential AI Guidance

Boston, MA – 17 July 2025 – The Coalition for Secure AI (CoSAI), an OASIS Open Project, celebrates its first anniversary since launching at the Aspen Security Forum in 2024. Over the past year, CoSAI has grown into the industry’s leading collaborative ecosystem for AI security, expanding from its initial founding sponsors to more than 45 partner organizations worldwide. Its mission to enhance trust and security in AI development and deployment has resonated widely, attracting premier sponsors EY, Google, IBM, Microsoft, NVIDIA, Palo Alto Networks, PayPal, Protect AI, Snyk, Trend Micro, and Zscaler. Through multiple workstreams, the coalition has produced practical frameworks and research addressing real-world challenges in securing AI systems. Central to CoSAI’s impact this year are the most recent releases of the “Principles for Secure-by-Design Agentic Systems,” which establishes three core principles for autonomous AI, and the “Preparing Defenders of AI Systems” whitepaper. 

Security Principles Help Safeguard Agentic AI Systems

CoSAI’s Technical Steering Committee (TSC) has released the “Principles for Secure-by-Design Agentic Systems,” a foundational document aimed at helping technical practitioners address the unique security challenges posed by autonomous AI. 

The principles offer practical guidance on balancing operational agility with robust security controls, establishing that secure agentic systems should be Human-governed and Accountable, architected for meaningful control with clear accountability, constrained by well-defined authority boundaries aligned with risk tolerance, and subject to risk-based controls ensuring alignment with expected business outcomes. They must be Bounded and Resilient, with strict purpose-specific entitlements, robust defensive measures including AI-specific protections, and continuous validation with predictable failure modes. Finally, they should be Transparent and Verifiable, supported by secure AI supply chain controls, comprehensive telemetry of all system activities, and real-time monitoring capabilities for oversight and incident response. 

This blog post provides additional context on the principles and how they can be applied in real-world environments.

“As agentic AI systems become more embedded in organizations’ operations, we need frameworks to secure them,” said David LaBianca, Project Governing Board co-chair at CoSAI. “These principles provide a technical foundation for organizations to adopt AI responsibly and securely.”

New Defender Frameworks Help Organizations Operationalize AI Security

CoSAI has published another landscape paper, “Preparing Defenders of AI Systems,” developed through our workstream on Preparing Defenders for a Changing Cybersecurity Landscape. The paper provides practical, defender-focused guidance on applying AI security frameworks, prioritizing investments, and enhancing protection strategies for AI systems in real-world environments.

A companion blog post offers additional insights on how this evolving resource bridges high-level frameworks with practical implementation and will continue adapting as AI threats and technologies advance.

“This paper provides defenders with specific guidance on how security frameworks must be adapted to mitigate risks in the AI transformation─pinpointing gaps in current approaches and prioritizing critical investments,” said Josiah Hagen of Trend Micro and Vinay Bansal of Cisco, CoSAI’s Workstream 2 Leads. “As security practices are aligned with AI adoption realities, organizations are empowered to make informed decisions and protect their assets while ensuring innovation doesn’t outpace defenders. This exemplifies CoSAI’s commitment to connecting emerging threats to AI systems with practical security solutions.”

These foundational outputs from CoSAI’s first year set the stage for even greater impact ahead.

Looking Ahead: Building a Secure AI Future

As CoSAI enters its second year, the coalition is positioned to further accelerate AI security innovation through expanded research initiatives, practical tool development, and increased global engagement. With active workstreams producing actionable guidance and a growing community of practitioners, CoSAI continues to drive adoption of secure-by-design AI systems across industries. Its commitment to open source collaboration and standardization remains central to establishing trust in AI technologies. Realizing this vision requires continued collaboration across the AI security community.

Get Involved

Technical contributors, researchers, and organizations are invited to join CoSAI’s open source community and help shape the future of secure AI. To learn more about how to get involved, contact join@oasis-open.org.

One year in: What CoSAI members are saying about our impact

Premier Sponsors: 

EY:
“At the EY organization, we believe it is our responsibility to shape the future and not leave it to chance, so that the next generation inherits a world improved by AI, not made worse by it. It has been a privilege to serve as a founding member of CoSAI, a powerful platform for EY teams to collaborate with global technology leaders in shaping secure and responsible AI. As we enter the exponential age, we remain committed to leading with clarity, confidence and purpose.”
– Sarah Liang, EY Global Responsible AI Leader
Google
“It’s been great to see CoSAI grow with so many new partners and instrumental frameworks since we first introduced it last year. Google is proud to have been a co-founder for this initiative and we look forward to seeing more work from CoSAI’s workstreams, specifically across critical areas like agentic security.”
– Heather Adkins, VP of security engineering, Google
IBM: 
”From establishing critical work streams to launching innovative initiatives around Security Principles of Agentic AI, AI model signing and attestation, and MCP Security, CoSAI has built real momentum in securing AI at scale—all in just one year. It’s been rewarding to co-chair the Technical Steering Committee and collaborate with this talented, cross-industry community to tackle the evolving challenges of AI security and help shape industry standards.”
– J.R. Rao, IBM Fellow and CTO, Security Research, IBM
NVIDIA: 
“As AI becomes increasingly integral to critical infrastructure and enterprise operations, security must be foundational at every stage of development and deployment. As an industry enabler of AI for both hardware and software, NVIDIA is proud to support CoSAI’s collaborative efforts to advance practical, open standards across industries to democratize and scale AI for the entire market.”
— Daniel Rohrer, Vice President of Software Product Security, NVIDIA
Palo Alto Networks:
“As public and private organizations increasingly integrate advanced and agentic AI models into critical networks, the development of industry-driven AI security frameworks, such as CoSAI’s ‘Principles for Secure-By-Design Agentic Systems,’ will be vital for the security of our digital ecosystem. CoSAI’s initiatives over the past year are commendable, and we eagerly anticipate continuing our contributions to their mission.”
– Munish Khetrapal, VP of Cloud Management, Palo Alto Networks
Trend Micro: 
“As AI continues to reshape how businesses operate, we see tremendous value in collaboration that drives open standards and innovation across the industry. Over the past year, our work with CoSAI has reflected a shared commitment to raising the bar for security. We’re proud to stand alongside CoSAI in helping lead the way to a more secure and resilient digital future.”
– Kevin Simzer, COO at Trend Micro

General Sponsors: 

Adversa AI:
“At Adversa AI – an Agentic AI Security startup – we are proud to be a COSAI sponsor and a co-lead of the Agentic AI Security workstream. As pioneers of AI security and continuous AI red teaming, we believe Agentic AI demands a new security paradigm—one that goes beyond traditional guardrails to test cognition, autonomy, and context. COSAI’s Agentic AI Security Principles mark a pivotal step forward, and we’re committed to shaping the future of secure Agentic AI systems.”
— Alex Polyakov, Co-Founder of Adversa AI
Aim Security:
“CoSAI is building what the industry urgently needs: clarity and collaboration in securing AI systems. As pioneers in AI security, we at Aim are excited to work alongside this diverse community to help define the future of AI defense –  for agentic systems and beyond.”
– Matan Getz, CEO and Co-Founder, Aim Security
Amazon:
“The first year of CoSAI highlights how industry collaboration can advance AI security. As a founding member, Amazon supports the coalition’s mission to develop open standards and frameworks that benefit the entire AI ecosystem. Together, we look forward to strengthening the foundation of secure AI.”
– Matt Saner, Sr. Manager, Security Specialist Solution Architecture; CoSAI Governing Board and Executive Steering Committee member
Anthropic: 
“Safe and secure AI development has been core to our mission from the start. As AI models become more autonomous, CoSAI’s work is increasingly vital for ensuring that AI systems remain secure, trustworthy, and beneficial for humanity. We’re proud to continue this important work alongside other industry leaders.”
– Jason Clinton, Chief Information Security Officer, Anthropic Cisco: 
“As AI systems become more agentic and interconnected, securing them is now more important than ever. During the last year, CoSAI’s workstreams helped empower defenders and innovators alike to advance AI with integrity, trust, and resilience. We’re proud to help shape industry frameworks with this global coalition; uniting leaders across disciplines to safeguard the future of AI. Together, we’re ensuring that security is foundational to every phase of AI’s evolution.”
– Omar Santos, Distinguished Engineer, Advanced AI Research and Development, Security and Trust, Cisco
Cohere: 
“We’re proud to support CoSAI and collaborate with industry peers to ensure AI systems are developed and deployed securely. Over the last year, these collective efforts have built an important foundation that helps drive innovation while protecting against emerging threats. Our shared commitment to secure-by-design principles is increasingly important as AI adoption accelerates.”
-Prutha Parikh, Head of Security, Cohere
Fr0ntierx:
“CoSAI has united a global community around one of the most critical opportunities of our era: advancing safe, responsible, and innovative AI. At Fr0ntierX, we’re proud to contribute to this mission by helping build an infrastructure foundation rooted in trust, interoperability, and privacy. As AI continues to evolve, we remain committed to ensuring that innovation goes hand in hand with alignment and meaningful user control.”
– Jonathan Begg, CEO, Fr0ntierX
GenLab: 
“Over the past year, CoSAI has brought clarity to securing AI across the AI supply chain. The Six Critical Controls give leaders something concrete to work from, and GenLab has been proud to support that work from the start. As AI adoption accelerates, these frameworks are going to be essential—not just for safety, but for trust across sovereign systems.”
– Daniel Riedel, Founder & CEO, GenLab Venture Studios
HiddenLayer:
“As one of the earliest members of CoSAI, HiddenLayer recognized the urgency of securing AI from the outset. CoSAI’s work over the past year has provided much-needed clarity in a rapidly evolving space, offering actionable frameworks that empower organizations to operationalize AI security and governance. Its mission has reinforced our belief that trust must be embedded into AI systems by design. As threats become more advanced and the AI attack surface expands, our continued collaboration with CoSAI remains essential to ensuring that AI innovations are safe and secure.”
— Malcolm Harkins, Chief Security & Trust Officer, HiddenLayer Intel:
“CoSAI’s first year has been marked by strong momentum—from the release of landscape papers of technical workstreams to the timely initiation of the Agentic AI Systems workstream. These milestones reflect the coalition’s ability to anticipate and act on emerging security needs. At Intel, we’re proud to partner with CoSAI members to ensure that secure-by-design principles are embedded early in the AI system design and deployment.”
– Dhinesh Manoharan, VP Product Security & GM of INT31, Intel
Lasso Security
“At Lasso, we believe secure-by-design must be the foundation of AI innovation. CoSAI has played a critical role in turning complex AI security challenges into practical, actionable guidance—from agentic systems to defender frameworks. As proud contributors to this effort, we’ve seen firsthand how CoSAI is helping shape a more trustworthy AI future and laying the groundwork for secure, enterprise-grade solutions.”
– Elad Schulman, CEO & Co-Founder, Lasso Opal Security: 
“Opal is a proud early supporter of CoSAI—because Opal helps customers track agents and other NHIs in our platform, we’re deeply invested in securing AI’s future. CoSAI assembles leading minds to set standards for a world in which every employee calls on multiple agents. Opal is honored to contribute to this organization and learn from luminaries at trailblazing member organizations. We look forward to future consensus-building, standards setting, and insights.”
–Umaimah Khan, CEO, Opal Security
Operant:
“In a world where AI is rapidly reshaping everything from infrastructure to decision-making, collaboration is our best defense. I’m proud to have joined the board of Coalition for Secure AI as it brought together industry leaders, researchers, and policymakers under one roof, filling a major gap in the evolution of Responsible AI that is now more urgent than ever. CoSAI represents the kind of cross-industry partnership that will shape how we build a more secure and trustworthy AI ecosystem for everyone. A secure AI future is only possible if we build it together.”
– Priyanka Tembey, CTO, Operant AI
Red Hat:
“Security is the foundation of trustworthy AI, not an afterthought. At Red Hat, we believe security-first principles and processes must be woven into the fabric of every platform from day one, including AI, which the recently released CoSAI Principles for Secure-by-Design Agentic Systems helps to address. We are proud to have been part of CoSAI for the past year and look forward to helping further advance the foundational components of the community.”
– Garth Mollett / Product Security Lead Architect, Red Hat
TrojAI: 
“CoSAI’s collaborative and transparent approach to make AI safer and more secure for everyone closely reflects TrojAI’s own mission. We’re proud to support this important initiative and celebrate its first year of progress. As AI adoption increases, we believe that security will be integral to the sustainable growth of AI. CoSAI’s efforts to develop best practices and unified methodologies are invaluable for secure AI development and deployment.”
– Lee Weiner, CEO, TrojAI VE3: 
“We joined CoSAI right at the beginning because its mission aligned with our belief that AI must be built securely, responsibly, & transparently. CoSAI insights and frameworks like critical controls, have deeply influenced how we approach AI security and governance at VE3. From shaping internal practices to launching our own AI safety, security and governance whitepaper, CoSAI’s work has been instrumental for us. As AI systems grow more complex and autonomous, this partnership becomes more vital and we’re honored to be part of CoSAI’s journey.”
— Manish Garg, Managing Director, VE3
Wiz:
“AI’s growth echoes the early cloud era, when innovation outpaced security and the industry had to close the gap together. At Wiz, we believe that securing AI takes more than technology — it requires collaboration among industry leaders. Over the past year, CoSAI has driven these critical conversations, and Wiz is proud to stand with this coalition as new AI security challenges emerge, from autonomous AI agents to MCP.” 
– Alon Schindel, VP of AI & Threat Research, Wiz About CoSAI

The Coalition for Secure AI (CoSAI) is a global, multi-stakeholder initiative dedicated to advancing the security of AI systems. CoSAI brings together experts from industry, government, and academia to develop practical guidance, promote secure-by-design practices, and close critical gaps in AI system defense. Through its workstreams and open collaboration model, CoSAI supports the responsible development and deployment of AI technologies worldwide.

CoSAI operates under OASIS Open, the international standards and open source consortium. www.coalitionforsecureai.org

About OASIS Open

One of the most respected, nonprofit open source and open standards bodies in the world, OASIS advances the fair, transparent development of open source software and standards through the power of global collaboration and community. OASIS is the home for worldwide standards in AI, emergency management, identity, IoT, cybersecurity, blockchain, privacy, cryptography, cloud computing, urban mobility, and other content technologies. Many OASIS standards go on to be ratified by de jure bodies and referenced in international policies and government procurement. www.oasis-open.org

Media Inquiries:
communications@oasis-open.org

The post Coalition for Secure AI Marks First Anniversary with New Principles for Agentic Systems and Defender Frameworks appeared first on OASIS Open.

Play Video

Watch the full recording on YouTube.

Status: Verified by Presenter

Please note that ToIP used Google NotebookLM to generate the following content, which the presenter has verified.

Google NotebookLM Podcast

https://trustoverip.org/wp-content/uploads/TOIP-EGWG-2025-07-10_-Kyle-Robinson-Digital-Trust-Ecosystems_-Why-they-dont-make-sense_.wav

Here is a detailed briefing document reviewing the main themes and most important ideas or facts from the provided source, generated by Google’s NotebookLM:

Excerpt

Learn why Kyle’s practical experience with the Canadian Province of British Columbia’s digital trust initiative has led him to focus on specific, high-impact digital credentials over broad “ecosystems.” Documenting these well fosters trust and enables organic growth and unpredictable efficiencies, naturally building interoperable digital trust networks.

Briefing Document: A Smarter Approach to Digital Credentials and Ecosystems

Date: July 10, 2025

Sources:

“Digital Credentials Presentation” (Presentation Excerpts) “GMT20250710-145520_Recording.cc.vtt.txt” (Meeting Transcript – VTT) “GMT20250710-145520_Recording.m4a” (Meeting Audio – M4A) “GMT20250710-145520_Recording.transcript.vtt.txt” (Meeting Transcript – VTT) “GMT20250710-145520_RecordingnewChat.txt” (Meeting Chat Log) Executive Summary

The prevailing approach of focusing on broad “ecosystems” for digital credential development is inefficient and limits opportunities. Instead, a more effective strategy involves starting with specific, high-impact credentials, rigorously documenting them in a trusted and public manner, and then allowing organic growth and adoption to naturally form interoperable networks. The Province of British Columbia (BC) is a leading example of this approach, leveraging foundational identity credentials and promoting their open use, which has led to unpredicted and valuable use cases and significant administrative efficiencies. The discussions highlight the “fractal” nature of ecosystems and the critical role of strong governance and transparency in building trust in digital credentials.

Key Themes and Most Important Ideas/Facts 1. The Flaws of an Ecosystem-First Approach Too Many Credentials to Tackle: Attempting to develop digital credentials for an entire industry or “ecosystem” simultaneously (e.g., healthcare or finance) is “a massive undertaking, resource-intensive, hard to coordinate, and risks spreading us too thin, leading to weak, untrusted credentials.” (Digital Credentials Presentation). As Kyle Robinson notes, “there’s just too many different types of credentials and different authorities for those credentials to really get a good handle on.” (Meeting Transcript). Constrains Opportunities: Pre-planning an entire ecosystem creates a rigid scope, preventing the discovery of “unexpected opportunities that could arise organically.” (Digital Credentials Presentation). Eric Drury echoes this, stating that “building a use case for an ecosystem is much more complicated than building a use case for a single credential.” (Meeting Transcript). 2. Recommendation: Start with Specific, High-Impact Credentials Build Trust and Quality: The core recommendation is to “focus on a few high-impact credentials, like a digital CPA certification. By putting all our effort into making them robust and trustworthy, we create a gold standard that people rely on. Trust drives adoption.” (Digital Credentials Presentation). Foundational Credentials as Catalysts: BC’s strategy focuses on “foundational credentials,” such as “identity of a person, identity of a business.” These are “foundational credentials which… kind of start right at the core of everything and then other credentials are built on top of those.” (Meeting Transcript). This layering allows for credentials like a “licensed doctor” to build upon a verified personal identity. Open More Doors Through Ripple Effects: Strong, well-executed credentials “create ripple effects.” (Digital Credentials Presentation). BC has observed this with their “lawyer credential,” where “all these what we call verifiers, or relying parties, started popping up, saying, oh, we could use that too, we could use that too, we could use that too.” (Meeting Transcript). This organic growth leads to “unpredicted” opportunities. 3. Credential Documentation: The Foundation of Trust Trusted Location: “Documentation must reside in a secure, reputable platform to ensure credibility.” (Digital Credentials Presentation). The BC Gov’s Digital Trust Toolkit is highlighted as a model for “transparent, trusted documentation that stakeholders can rely on.” (Digital Credentials Presentation). This toolkit serves as a “source of truth of governance documentation for credentials that are in production.” (Meeting Transcript). Active Promotion and Public Visibility: Documentation is insufficient without visibility. It “needs to be public, publicly exposed. So that a verifier can look at that document and have enough information to read it to be able to trust it.” (Meeting Transcript). This active promotion through various channels (webinars, industry forums, social media) “builds awareness and encourage adoption among users and organizations.” (Digital Credentials Presentation). Transparency of Issuance and Revocation: Trust extends beyond the technical aspects of a credential; it requires confidence in the “issuance process that the issuing authority goes through to be able to issue that to the right person, with the right attribute information.” (Meeting Transcript). Furthermore, visibility into “revocation status” is critical. If a ledger were to disappear, the ability to check revocation status would be lost, underscoring the need for robust infrastructure. 4. The Nature of Ecosystems and Organic Growth Fractal Nature of Ecosystems: The discussion introduces the concept of ecosystems as “fractal.” As Carly Huitema explains, “You can zoom in all the way into grains of dirt, and there’s an ecosystem there. And then you can zoom all the way out to the planet scale ecosystem.” (Meeting Transcript). This implies that “person is a microcosm” that can be “observed in other ecosystems,” with “boundaries are always fuzzy.” (Meeting Transcript). Market-Driven Adoption: The “overall drive of all of this is driven by those relying parties and verifiers.” When they “see value in doing something with credentials they will implement it, and they will tell their friends. And that’s sort of how you can see that growth and that adoption happening.” (Meeting Transcript). This organic growth is preferred over top-down, pre-defined ecosystem planning. Savings and Efficiency as Drivers: Digital credentials offer tangible benefits, such as “a ton of administrative time” savings for verifiers. For example, the City of Vancouver is realizing benefits where “nothing needs to be reviewed because the technology’s already trusting the stuff that the province is producing. So they don’t have to, like, have somebody manually reveal a form.” (Meeting Transcript). 5. Trust Beyond BC: Scaling and Interoperability Challenges Establishing “Legitimacy”: A key challenge is distinguishing “legitimate” from “non-legitimate” credentials beyond the issuing authority. BC addresses this by publishing the issuer DID, schema ID, and credential definition ID on the Candy ledger. This allows relying parties to cryptographically verify the origin. Cross-Jurisdictional Interoperability: The question of how this scales beyond BC is raised, particularly when different jurisdictions (e.g., Alberta, Rhode Island, Utah) might make different technical choices for their credentials. This mirrors the non-digital world where regulations define accepted IDs. Role of Trust Registries and Standards Bodies: The idea of “trust registries” is introduced as a potential solution for looking up legitimate issuers and their governance frameworks across jurisdictions. This could be driven by “standards bodies,” which could publish “trust registries published on their websites, or in some type of technology to say, hey, this standards body here, these are all of the organizations that we have audited and are following.” (Meeting Transcript). Government’s Evolving Role: While government’s primary role remains issuing foundational IDs and enforcing laws, its new role in “building and supplying software to citizens” (e.g., the BC Wallet app) is seen as a way to “help adoption.” (Meeting Transcript). The future may see OS manufacturers playing a larger role in built-in wallets. Conclusion

The discussion reinforces that while the concept of a broad “ecosystem” might be a useful descriptive tool, the practical and successful implementation of digital credentials should pivot towards a credential-first approach. By focusing on building trust and quality in individual, high-impact credentials, making their governance transparent and public, and fostering organic adoption through demonstrated value, digital trust networks can emerge and grow naturally, leading to widespread benefits. The BC government’s experience serves as a compelling case study for this evolving strategy.

For more details, including the slides,  meeting recording and transcript, please see our wiki 2025-07-10 Kyle Robinson & Digital Trust Ecosystems. Why they don’t make sense.

https://www.linkedin.com/in/kylegrobinson/

The post TOIP EGWG 2025-07-10: Kyle Robinson, Digital Trust Ecosystems. Why they don’t make sense. appeared first on Trust Over IP.

For the good of both.

Customers need privacy, respect, and the ability to provide good and helpful information to the companies they deal with. The good clues customers bring can include far more than what companies get today from their CRM systems and from surveillance of customer activities. For example, market intelligence that flows both ways can happen on a massive scale.

But only if customers set the terms.

Now they can, using a new standard from the IEEE called P7012, aka MyTerms. It governs machine readability of personal privacy terms. These are terms that customers proffer as first parties, and companies agree to as second parties. Lots of business can be built on top of those terms, which at the ground level start with service provision without surveillance or unwanted data sharing by the company with other parties. New agreements can be made on top of that, but MyTerms are where genuine and trusting (rather than today’s coerced and one-sided) relationships can be built.

When companies are open to MyTerms agreements, they don’t need cookie notices. Nor do they need 10,000-word terms and conditions or privacy policies because they’ll have contractual agreements with customers that work for both sides.

On top of that foundation, real relationships can be built by VRM systems on the customers’ side and CRM systems on the corporate side. Both can also use AI agents: personal AI for customers and corporate AI for companies. Massive businesses can grow to supply tools and services on both sides of those new relationships. These are businesses that can only grow atop agreements that customers bring to the table, and at scale across all the companies they engage.

This is the kind of thing that four guys (me included)† had in mind when they posted The Cluetrain Manifesto* on the Web in April 1999. A book version of the manifesto came out in early 2000 and became a business bestseller that still sells in nine languages. Above the manifesto’s 95 theses is this master clue**, written by Christopher Locke:

MyTerms is the only way we (who are not seats or eyeballs or end users or consumers) finally have reach that exceeds corporate grasp, so companies can finally deal with the kind of personal agency that the Internet promised in the first place.

The MyTerms standard requires that a roster of possible agreements be posted at a disinterested nonprofit.  The individual chooses one, the company agrees to it (or not). Both sides keep an identical record of the agreement.

The first roster will be at Customer Commons, which is ProjectVRM’s 501(c)3 nonprofit spinoff. It was created to do for personal privacy terms what Creative Commons does for personal copyright licenses. (It was Customer Commons, aka CuCo, that the IEEE approached with the idea of creating the MyTerms standard.)

Work on MyTerms started in 2017 and is in the final stages of IEEE approval process. While it is due to be published early next year, what it specifies is simple:

Individuals can choose a term posted at Customer Commons or the equivalent Companies can agree to the individual’s choice or not The decision can be recorded identically by both sides Data about the decision can be recorded by both sides and kept for further reference, auditing, or dispute resolution Both sides can know and display the state of agreement or absence of agreement (for example, the state of a relationship, should one come to exist)

MyTerms not a technical spec, so implementations are open to whatever. Development on any of those can start now. So can work in any of the six areas listed above.

The biggest thing MyTerms does for customers—and people just using free services—is getting rid of cookie notices, which are massively annoying and not worth the pixels they are printed on.  If a company really does care about personal privacy, it’ll respect personal privacy requirements. This is how things work in the natural world, where tracking people like marked animals has been morally wrong for millennia. In the digital world, however, agreements need to be explicit, so programming and services can be based on them. MyTerms does that.

For business, MyTerms has lots of advantages:

Reduced or eliminated compliance risk Competitive differentiation Lower customer churn Grounds for real rather than coerced relationships (CRM+VRM) Grounds for better signaling (clues!) going in both directions Reduced or eliminated guesswork about what customers want, how they use products and services, and  how both might be improved

Lawyers get a new market for services on both the buy and sell sides of the marketplace. Companies in the CMP (consent management platform) business (e.g. Admiral and OneTrust) have something new and better to sell.

Lawmakers and Regulators can start looking at the Net and the Web as places where freedom of contract prevails, and contracts of adhesion (such as what you “agree” to with cookie notices) are obsolesced.

Developers can have a field day (or decade). Look for these categories to emerge

Agreement Management Platforms – Migrate from today’s much-hated consent management platforms (hello OneTrust, Admiral, and the rest). Vendor Relationship Management (VRM) Tools and services – Fill the vacuum that’s been there since the Web got real in 1995. Customer Relationship Management (CRM) – Make its middle name finally mean something. Customer Data Return (CDR) – Give, sell back, or share with customers the data you’ve been gathering without their permission since forever. Talking here to car companies, TV makers, app makers, and every other technology product with spyware onboard for reporting personal activity to parties unknown. Platform Relief –  Free customers from the walled gardens of Apple, Microsoft, Amazon, and every other maker of hardware and software that currently bears the full burden of providing personal privacy to customers and users. Those companies can also embrace and help implement MyTerms for both sides of the marketplace. Personal AI (pAI)– Till and plant a vast new greenfield for countless companies, old and new. This includes Apple (which can make Apple Intelligence truly “AI for the rest of us” rather than Siri in AI drag), Mozilla (with its Business Accelerator for personal AI) , Kwaai (for open source personal AI), and everyone else who wants to jump on the train. Big meshes of agents, such as what these developers are all working on.

In the marketplace, we can start to see all these things:

Predictions made by The Intention Economy: When Customers Take Charge finally come true. New dances between customers and companies, demand and supply. (“The Dance” is a closing chapter of The Intention Economy.) New commercial ecosystems can grow around a richer flow of clues in both directions, based on shared interest and trust between demand and supply. Surveillance capitalism will be obsolesced — and replaced by an economy aligned with personal agency and respect from customers’ corporate partners. A new distributed P2P fabric of personally secure and shared data processing and storage — See what KwaaiNet + Verida, for example, might do together.

All aboard!

†Speaking for myself in this post. I invite the other two surviving co-authors to weigh in if they like.

*At this writing, the Cluetrain website, along with many others at its host, is offline while being cured of an infection.  To be clear, however, it will be back on the Web. Meanwhile, I’m linking to a snapshot of the site in the Internet Archive—a service for which the world should be massively grateful.

**The thesis that did the most to popularize Cluetrain was “Markets are conversations,” which was at the top of Cluetrain’s ninety-five theses. Imagining that this thesis was just for them, marketers everywhere saw marketing, rather than markets, as “conversations.” Besides misunderstanding what Cluetrain meant by conversation (that customers and companies should both have equal and reciprocal agency, and engage in human ways), marketing gave us “conversational” versions of itself that were mostly annoying.  And now (thank you, marketing), every damn topic is now also a fucking “conversation”—the “climate conversation,” the “gender conversation,” the “conversation about data ownership.” I suspect that making “conversation” a synonym for “topic” was also a step toward making every piece of propaganda into a “narrative.” But I digress. Stop reading here and scroll back to read the case for MyTerms. And please, hope that it also doesn’t become woefully misunderstood.

Abstract

As the automotive industry transitions toward software-defined vehicles, autonomous technologies, and connected services, cybersecurity has become a critical concern. This white paper from the FIDO Alliance outlines key challenges and emerging solutions for securing next-generation vehicles. It examines global regulatory frameworks such as UN R155, UN R156, and ISO/SAE 21434 and presents the FIDO Alliance’s standards for passwordless authentication, secure device onboarding, and biometric certification.

Audience

This paper addresses the automotive industry. The audience includes automotive system engineers, automotive IVI product and development managers, automotive networking and in-vehicle cyber security engineers, product managers for in-vehicle services for applications such as purchasing, IT system cyber security managers, engineers seeking to support global regulatory frameworks such as UN R155/R156 and ISO/SAE 21434, manufacturing system engineers, and car-to-cloud connectivity engineers.

Download the White Paper 1. Introduction

The automotive industry is undergoing transformative changes, including the shift to software-defined and autonomous vehicles, advanced IT-like architectures, over-the-air (OTA) updates, and the rise of in-vehicle commerce. While these changes offer new revenue opportunities, they also bring significant cybersecurity threats.

Global cybersecurity legislation, such as UN Regulation 155, UN Regulation 156, and ISO/SAE 21434, aim to protect vehicles from emerging threats. The FIDO Alliance plays a crucial role by providing standards for secure authentication, device onboarding, and biometrics certification.

Utilizing standards helps automotive companies ensure consistent security, leverage collective expertise, and avoid proprietary solutions that have the potential to stymie new markets and revenue. FIDO standards apply to various automotive applications, including consumer services, in-vehicle solutions, workforce authentication, and manufacturing, ensuring robust cybersecurity across the industry.

This paper provides companies within the automotive ecosystem an insight into the standards and services the FIDO Alliance offers together with a review of current and future use cases.

The FIDO Alliance is seeking feedback and partnership with industry experts to help ensure that FIDO’s programs are fit for purpose and successfully help companies meet cybersecurity needs, improve driver experiences, and tap into new opportunities.

2. Evolution of the automotive industry

The automotive industry has 140 years of history and is currently going through changes that affect all aspects of the industry:

Electrification and sustainability Software-defined vehicles and connectivity Autonomous and assisted driving Shifting business models: Mobility-as-a-Service (MaaS) and direct sales Supply chain disruptions and geopolitical risks New revenue streams: data monetization and services Rollout of EV charging infrastructure and its energy grid impacts Changing consumer expectations and digital experiences

These changes bring potential upside to manufacturers in terms of new revenue opportunities and improved vehicles, but they also introduce considerable cyber threats.

Vehicles have evolved from isolated mechanical systems into interconnected cyber-physical platforms (often created by various entities) that integrate complex software, hardware, and communication networks. Manufacturers implement these systems to provide end users with a better vehicle and an enhanced driving experience, but they also bring an increased risk of cyber threats associated with new “attack surfaces”. These potential threats come in many forms, from malicious hackers to state funded actors. To minimize these threats, it is now a fundamental priority for manufacturers, their suppliers, regulators, and other industry stakeholders to focus on cybersecurity.

3. Meet the challenges and seize the opportunity

Automotive cybersecurity professionals have a massive challenge in front of them. On one side they need to react to the rise in threats and account for the associated legislation that has been developed to protect consumers. On the other side they need to be open to supporting new business models such as in-vehicle commerce, value added vehicle features such as subscription services, as well as additional cybersecurity for factories and offices. While there is no one simple solution to meet all of these needs, utilizing standards and certification programs from organizations such as the FIDO Alliance can help greatly.

4. Automotive cybersecurity and global legislation

National governments and international organizations have enacted regulations that require stringent cybersecurity measures throughout the automotive lifecycle, including design, operation, and even end-of-life. These frameworks aim to shield vehicles from emerging threats and establish a baseline for safety and trust across the automotive ecosystem. Major worldwide examples include:

United Nations Regulation 155 and United Nations Regulation 156: mandate that vehicles incorporate a Cybersecurity Management System (CSMS) and a Software Update Management System (SUMS) ISO/SAE 21434: provides the foundation for global automotive cybersecurity engineering, outlining processes for managing cyber risks throughout the entire vehicle lifecycle China’s GB 44495-2024 and GB 44496-2024: regulate the Cyber Security Management System (CSMS) and govern secure software updates in a granular fashion India’s AIS 189 and AIS 190: align with UN R155 and R156, to regulate the cybersecurity of connected vehicles United States: Publication of cybersecurity best practices by the National Highway Traffic Safety Administration (NHTSA) that emphasize secure vehicle development processes, incident response plans, and continuous risk monitoring

Refer to Appendix A to learn more about these standards.

5. The FIDO Alliance and FIDO standards

The FIDO Alliance is an open industry association with a focused mission: reduce the world’s reliance on passwords. To accomplish this, the FIDO Alliance promotes the development of, use of, and compliance with standards for user authentication and device onboarding.

The FIDO Alliance:

Develops technical specifications that define an open, scalable, interoperable set of mechanisms to reduce reliance on passwords for authentication of both users and devices. Tracks the evolution of global regulations and evolves its own standards to help industries satisfy those regulations in a harmonized way, reducing their compliance burdens. Operates industry certification programs to ensure successful global adoption of these specifications. Provides education and market adoption programs to promote the global use of FIDO. Submits mature technical specifications to recognized standards development organizations for formal standardization.

The FIDO Alliance has over 300 members worldwide, with representation from leaders in IT, silicon, payments, and consumer services and features a Board of Directors that includes representatives from Apple, Visa, Infineon, Microsoft, Dell, Amazon, and Google. The Alliance also has a variety of active working groups where like-minded members can develop and advance technical work areas and coordinate on market-specific requirements.

The FIDO Alliance is planning to launch an automotive working group, where leaders in this sector can identify and collaborate on technical, business, and market requirements. To learn more, use the Contact Us form at https://fidoalliance.org/contact/ or email info@fidoalliance.org.

6. FIDO for automotive cybersecurity compliance

Meeting the demands of the primary automotive cybersecurity standard ISO/SAE 21434 and subsequently the most prominent regulation, UN R155, hinges on strong identity management and secure device onboarding. While these standards don’t prescribe FIDO protocols per se, they outline key principles where FIDO offers tangible benefits.

ISO 21434, particularly Clauses 8 and 9 concerning risk assessment and threat mitigation, calls for strategies to prevent unauthorized access. FIDO’s passwordless authentication directly addresses this by eliminating weak credentials and reducing risks from phishing and credential stuffing, common threats to connected vehicle systems. Additionally, Clause 10’s focus on secure software deployment aligns with FIDO Device Onboard (FDO), ensuring only authenticated devices join the ecosystem, mitigating supply chain attacks and unauthorized software injections. This direct mapping of FIDO’s capabilities to specific clauses demonstrates its value in achieving compliance.

Beyond these founding standards, FIDO’s approach has broad applicability to emerging regulations, providing OEMs with a pathway to meeting global compliance demands and bolstering cybersecurity resilience across their connected car ecosystem. Some examples include China’s GB 44495-2024 and India’s AIS 189, which call for regional automotive cybersecurity standards and reinforce the need for features such as secure authentication in the software-defined vehicle (SDV) era. China’s GB regulation, similar to UN R155, emphasizes authenticity and integrity in remote updates, where FIDO’s passkey-based authentication provides a compliant approach to verifying access. India’s regulations, currently still in draft, align with UN R155, highlighting the importance of securing vehicle-to-cloud communications and identity management.

7. Overview of emerging use cases where FIDO standards may apply

FIDO standards can be applied to a wide range of scenarios. These can be customer-facing, embedded within the vehicle, or as part of the manufacturer’s IT infrastructure.

High level overview of some of some of these scenarios include but not limited to:

In-vehicle commerce: This includes payments using credentials stored and managed in vehicle to enable convenient fueling, EV charging, parking reservations, car washes or even in-vehicle marketplaces managed by the car manufacturer. Implementation of passkeys to authenticate the associated car user and biometric component certification are most relevant to these use cases. Authentication to personalized services: These applications include easy access to customized automotive settings (for example, headrest and seat adjustments) as well as to informational and entertainment content. In-vehicle solutions: This segment includes applications such as car-to-cloud connectivity and onboarding of ECUs and zone controllers within the vehicle. Implementation of FIDO Device Onboard (FDO) is most applicable to these applications. Workforce authentication: These applications include controlling workforce access to IT systems whether at a development office, manufacturing site, or dealership. Implementation of passkeys and FIDO USB authentication keys are most applicable to these applications. Manufacturing: Modern manufacturing facilities are moving towards software defined control, AI, and robotic systems. The secure deployment of these solutions is often time consuming and expensive. Implementation of FIDO Device Onboard (FDO) can accelerate deployments and increase security. 8. FIDO Alliance technology overview

In the same way that Ethernet started as an IT networking solution, FIDO standards were not specifically created for automotive applications. However, they are highly relevant in modern vehicles where robust cybersecurity is a critical, foundational element rather than just a desirable feature. FIDO standards, such as passkeys, are being used as is in the automotive world today.

The FIDO Alliance technology portfolio for automotive applications can be broadly grouped into three main areas:

Passkeys: The FIDO Alliance is transforming authentication through open standards for phishing-resistant sign-ins using passkeys. Passkeys are more secure than passwords and SMS OTPs, easier for consumers and employees to use, and simpler for service providers to deploy and manage. Automotive manufacturers leverage passkeys for a wide variety of use cases.

Device Onboarding: The FIDO Alliance establishes standards for secure device onboarding (FDO) to ensure the safety and efficiency of connected devices in segments such as industrial and enterprise. In the automotive sector, manufacturers can apply this standard to the connections between Electronic Control Units (ECUs) and zone controllers or connections between the vehicle itself and the cloud services that facilitate over-the-air software updates. This standard has been adopted by Microsoft, Dell, ExxonMobil, Red Hat and others.

Biometrics certification: The FIDO Alliance offers a certification program tailored to specific applications that uses independent test labs to measure performance of biometric sensors (such as iris or fingerprint sensors). Biometric sensors are becoming an increasingly important component of vehicles. Typical use cases might be to automatically configure the driver’s seat position or as part of a payment system. In these two examples the definition of “good technical performance” can differ greatly. Samsung, ELAN Microelectronics, Thales, Qualcomm, Mitek, iProov, and others have had biometric components certified by FIDO Alliance.

9. FIDO Alliance technology deep dive

To better understand how automotive manufacturers and the FIDO Alliance can work together, this section discusses current FIDO technologies and how they might integrate with automotive applications.

9.1 Passkeys and user authentication

A passkey is a FIDO authentication credential based on FIDO standards, that allows a user to sign in to apps and websites with the same steps that they use to unlock their device (biometrics, PIN, or pattern). With passkeys, users no longer need to enter usernames and passwords or additional factors.

Passkeys are the signature implementation of FIDO authentication standards, and they offer secure yet simplified sign-in to a wide range of services. Passkeys are supported by all major device operating systems and browsers and have been utilized by many industry leaders including Apple, Google, Microsoft, Samsung, Amazon, Walmart, PayPal, and Visa.

The following diagram illustrates how passkeys can be used for in-car applications, such as when a driver signs in to a cloud service.

Figure 1:Sample passkey usage in automotive

Passkeys rely on a technology known as public key cryptography (PKC), in which a virtual key pair is created, one private and the other public. For each private key (stored on the user’s device) there exists a matching public key (stored on the server) that is used to check signatures created with the private key.

In the diagram, a user (the driver in this case) first registers with a cloud service such as a payment service. During the registration process, a private and public cryptographic key is created by the FIDO Authenticator. The private key is stored securely in the infotainment system of the vehicle and is associated with that driver. The public key is stored on the cloud of the service provider.

When the driver wants to sign in to the service, a request is sent from the vehicle to the cloud service. The service then sends an authentication request to the vehicle. This challenge can only be successfully authorized by the user that holds the matching private key. To make sure that request is genuine, the driver is asked to confirm that they want to sign in. This is typically achieved via a biometric sensor such as fingerprint or face. Once this verification is complete, the user gains access to the service. Several FIDO hardware and software components are used for this process.

9.2 Passkey components

Three FIDO Certified components are used in the example:

FIDO authenticator

A FIDO authenticator is a software component or a piece of hardware that can perform FIDO authentication to verify possession and/or confirm user identity. In the example, the FIDO authenticator likely resides in the car infotainment system.

FIDO server

The server provides an application with a programming interface that can be leveraged with a FIDO Certified client to perform strong authentication. The server sits inside the cloud application.

Biometric components

Biometric components can identify an individual and are often used to compliment a FIDO authenticator. These sensors can take multiple forms including fingerprint, iris and face. The FIDO Alliance certifies the efficacy of biometric subsystems including end-to-end performance, differential assessment of demographic groups, and presentation attack detection (PAD).

Although the example is an in-vehicle use case, the same passkey technology can be applied inside a factory, development center, or dealership to ensure that systems are resilient to phishing attacks or other common password attack vectors.

9.3 In-vehicle biometrics

Installation of biometric components in vehicles is expected to increase rapidly over time. The performance needs of these components will vary by sensor type and target application. Today, the FIDO Alliance offers a comprehensive independent certification program for biometric components such as fingerprint and iris sensors. By specifying in a request for quote (RFQ) that products should be FIDO Certified, automotive manufacturers can simplify selection of sensors. For more information on FIDO Certification, visit https://fidoalliance.org/certification/.

9.4 FIDO Device Onboard (FDO)

When a computer device (such as an ECU) first connects to its management platform (the zone controller), it needs to be onboarded and provisioned. A parallel example might be the connection between a vehicle and its cloud. FIDO Device Onboard (FDO) was developed by FIDO Alliance members to meet the automation and high security requirements of such onboarding experiences.

With FDO, a device is first connected to the (wired or wireless) network and then powered up. The device then automatically and securely onboards to the management platform. FDO is based on a zero-trust architecture and therefore offers a high level of security as both the device and the management platform must cryptographically authenticate themselves to each other. FDO also provides resilience to supply chain attacks.

A number of leading technology providers have demonstrated implementations of FDO solutions including Dell, Microsoft, Red Hat, Intel, and ASRock.

10. FIDO technology use cases deep dive

The FIDO Alliance has identified several use cases where FIDO technology can be applied to support the automotive industry. This section discusses possible use cases with the hopes of fostering further conversations.

10.1 Consumer use cases

Historically, many cybersecurity applications have been “behind the scenes”. In modern vehicles there is an increasing number of new applications that directly impact the driver and passenger in-vehicle experience and open new revenue opportunities for manufacturers. One such area is the emergence of in-vehicle commerce.

Several factors are driving in-vehicle commerce:

Technological advancements Software Defined Vehicles (SDVs) allow for continuous updates and new functionality without hardware modifications. Autonomous driving introduces a new use case for vehicles as productivity or leisure spaces. Changing consumer expectations Consumers demand experiences in their vehicles akin to those offered by their smartphones and other digital devices. Revenue opportunities By acting as platforms for digital services, vehicles open new revenue streams for car manufacturers and service providers.

10.2 Identity verification, authentication, and authorization

The growing connectivity and services associated with modern vehicles brings about new requirements for identity verification, authentication, and authorization.

Identity verification: The process of confirming a person’s identity. It can involve comparing information provided by a person with records in a database or with the person’s physical documents such as a driver’s license. Authentication: Confirms that a person is who they say they are when attempting to sign in to systems, services, and resources. Authorization: The step after authentication that determines user access in terms of accessing data or performing actions.

Unlike other computing devices, such as smartphones and wearables, vehicles often have multiple users including family members, friends, co-workers, or renters. Each user may need access to services or to perform transactions tied to their unique identities and credentials. Therefore, vehicular computing resources must be cyber secure and capable of managing secure access and authentication for a diverse user base, including third-party service providers.

10.3 In-vehicle commerce and authentication

Commerce services in vehicles are closely tied to payments, making strong and user-friendly authentication essential. Drivers must trust that transactions are secure, manufacturers aim to minimize liability for unauthorized payments, and financial institutions require robust, standards-compliant authentication mechanisms. In addition, regulatory frameworks, such as Europe’s Payment Services Directive 2 (PSD2), mandate strong customer authentication (SCA) for cardholder-initiated transactions.

SCA requires a combination of at least two out of three factors:

Possession (something the user has, for example, a key, phone, or vehicle) Inherence (something the user is, for example, biometrics like fingerprint or facial recognition) Knowledge (something the user knows, for example, a PIN or password)

If the passkey authenticator is not natively integrated into the vehicle, authentication must be implemented using alternative multi-factor configurations. This can be achieved through software-based approaches, such as combining a PIN (knowledge) with the vehicle as a possession factor, or through hardware-based methods, such as biometric authentication (inherence) via fingerprint sensors or facial recognition, again anchored by the vehicle as the possession factor.

In-vehicle commerce can be broadly categorized into three main areas:

On-demand features

With on-demand features, vehicles now allow users to activate specific functionalities based on their needs. This includes advanced driver-assistance systems, comfort features like heated seats, and performance upgrades. On-demand features can be offered through flexible subscription models or pay-per-use systems. These features enhance customer satisfaction and create additional revenue streams for manufacturers.

Vehicle-related services

Vehicle-related services are seamlessly integrated services that include fueling, EV charging, parking reservations and payments, car washes, and toll payments. To maximize user convenience, the vehicle acts as a payment hub without reliance on a smartphone.

Convenience features

With implementation of convenience features such as shopping, entertainment, education, and even remote work functionalities, the vehicle becomes an extension of the user’s digital ecosystem. Examples include ordering coffee or groceries on the go, streaming movies, or attending virtual meetings during commutes. These categories illustrate that vehicles are no longer just modes of transportation but platforms that enable various service providers to engage with drivers and passengers.

10.4 Driver ID Verification for vehicle access control

Vehicle access requires a high level of authentication and is well suited to biometric sensors.

Keyless entry and ignition: Biometric systems like fingerprint and facial recognition can replace traditional keys to provide secure, biometric-based authentication for vehicle access and ignition. Anti-theft measures: Vehicles can utilize biometric authentication to prevent unauthorized usage or theft, including carjacking. Vehicle and OEM services: Vehicles can use biometric authentication as the first step to assessing a driver’s rights and privileges in determining how vehicle services can be accessed.

10.5 Personalization, fleet management and autonomous vehicles

Vehicles are often shared and the ability to automatically adapt to a specific driver is an important capability. The criteria and threshold for identification and authentication varies greatly depending on the specific application. For example, adjusting a driver’s seat adjustment versus passenger authorization for an autonomous vehicle.

10.5.1 Personalization

Adaptive in-car settings: Biometric recognition can identify drivers or passengers in order to adjust seat positions, climate controls, infotainment preferences, and navigation routes according to stored profiles. Adaptive usage-based services: By seamlessly authenticating the driver, the automaker can provide use-based insurance or leasing and financing options for personal and commercial scenarios. Fleet management Shared vehicles and fleets: Biometric-enabled processes ensure smooth transitions between users in car-sharing or fleet systems, loading personal settings for each verified driver. Compliance tracking: Digital wallets can hold compliance documents (for example, licenses and vehicle inspection reports) to reduce paperwork and enhance audit readiness by asserting compliance attributes to authorized users.

10.5.2 Autonomous vehicles

Passenger authentication and ID verification: In self-driving cars, biometric systems authenticate passengers to ensure authorized use and personalized experiences.

Why key possession is not sufficient authentication

There are several reasons why a physical key is not a sufficient form of user authentication.

A physical key verifies access to the vehicle but does not confirm the identity of the individual using it. In scenarios such as ridesharing, fleet management, or multi-user vehicles, relying solely on key possession fails to distinguish authorized users from unauthorized users. As discussed earlier, for payment use-cases there is a need in some markets to be compliant with SCA regulations. A key only satisfies the possession factor and therefore does not meet the SCA requirements for secure payments. A vehicle key can be lost, stolen, or duplicated allowing unauthorized individuals to gain access. Without additional layers of authentication, transactions made in the vehicle could be fraudulent. Multi-party and platform complexity: In-car commerce involves multiple stakeholders such as Original Equipment Manufacturers (OEMs), service providers, and users. Authentication must ensure that the user is authorized to transact across all platforms and services, necessitating identity verification beyond simple possession.

10.6 Electronic systems and manufacturing use cases

10.6.1 In-vehicle ECU, zone controller, and compute onboarding

As the compute level rises within vehicles, the need for efficient and fast communication becomes increasingly important. In response to this need, cars are increasingly moving to an IT-centric architecture with Ethernet becoming the networking technology of choice to link zone controllers and ECUs inside a vehicle.

In addition to high speed and secure communication, there is a need to ensure that both the device (ECU) and the management platform (Zone controller) are cryptographically authenticated against each other. Although initially developed for IoT and IT systems, the FIDO Alliance team believes that FIDO Device Onboard (FDO) can be a fast and secure way to automate the onboarding process. As FDO is an open standard, automotive manufacturers can benefit from economies of scale savings versus paying for the development and maintenance of proprietary solutions.

In addition to speed and security, FDO also provides resilience to supply chain attacks and grey market counterfeits.

10.6.2 Car to cloud onboarding

As the complexity of car features grows and autonomous driving technology increases, a modern car is essentially a computer on wheels that requires a vast amount of software for all functions to operate.

Most sources agree that a typical modern car is managed by software generated by around 100 million lines of code. The very nature of this complexity confirms that the days when vehicle software can be frozen at vehicle product launch is no longer realistic.

Software updates are now a mandatory feature of modern automobiles and a secure and efficient way of connecting the vehicle to the manufacturer’s cloud is essential.

FDO provides a secure and fast method for vehicles to onboard to their management platforms, making Over the Air (OTA) software updates possible.

Figure 2:FIDO fit for in-vehicle systems

Additionally, new updates to the FDO standard are expected to allow software to securely deploy to bare ECUs or zone controllers, which would greatly simplify dealership repairs and upgrades.

10.7 Workforce authentication (passkeys/FIDO keys)

For many years the IT industry has been using FIDO authenticators to ensure that only authorized staff have access to systems. The risks associated with attacks in this space have been highlighted by the recent challenges faced by some automotive dealers.

Figure 3:FIDO fit for workforce authentication

A cyberattack on a software provider for car dealerships occurred in June of 2024 and disrupted the operations of thousands of dealerships in North America. This attack caused major disruptions, including delays for car buyers and an estimated $1 billion in collective losses for dealerships.

10.8 Manufacturing use cases

Factories are using classic fixed function manufacturing functions such as motion control and PLCs less as they move towards use of far more flexible and intelligent software defined control and AI based vision systems. This transition introduces large numbers of general-purpose computers to the factory floor.

At installation, each server or industrial PC needs to be onboarded to its respective management platform (on-premises or cloud). This onboarding process typically requires that skilled technicians manually configure the credentials or passwords in the devices, a process that is slow, not secure, and expensive.

With FIDO Device Onboard (FDO), a technician can plug in an industrial PC and have it automatically and securely onboard the management server platform.

The following diagram shows how FDO is used to onboard the industrial PCs to the local servers which are in turn onboarded to the manufacturing cloud.

Figure 4:FIDO fit for automotive manufacturing

11. Why using standards helps

Cybersecurity standards, such as those from the FIDO Alliance, offer value in ways that are hard for any single company to achieve. These consensus-based standards represent maturity and provide consistency for the industry, which are crucial for reliable authentication and authorization. FIDO cybersecurity standards are based on diverse expertise, provide clarity in a changing cybersecurity landscape, and offer essential guidance for certification authorities and regulators as they develop new laws.

Although the automotive industry has utilized standards almost since its inception, there are still areas where companies have tried to develop their own proprietary solutions. Such solutions rarely add value for the manufacturers and require engineering talent to develop and time to maintain.

As the automotive computing platform is a system of systems, the automotive industry can benefit from lessons learned by related industries. Open standards supported by certification programs help streamline product and service development.

FIDO’s standards are essentially commoditizing authentication elements that are critical to cybersecurity, but that are not natural areas for competitive differentiation. By leveraging standards, vendors and manufacturers can now focus their resources and development efforts on higher-value services.

11.1 Benefits of partnering with the FIDO Alliance

Diverse expertise: The FIDO Alliance brings together skilled professionals from various companies, including cloud players, credit card companies, and manufacturers.

Ecosystem cohesion: Standards ensure quality, security, and interoperability within ecosystems, which is crucial for applications like payments.

Adapt to emerging threats: The threat landscape is always evolving. As an example, quantum computing represents a significant threat to commonly used encryption techniques. Although quantum computing is in a relatively early stage of maturity, standards groups such as the FIDO Alliance are already defining how to create quantum resilient solutions.

12. FIDO Certification programs for the automotive industry

The FIDO Alliance’s world-class certification programs validate that products conform to FIDO specifications and interoperate effectively and assess security characteristics and biometric performance. With over 1,200 FIDO Certified products from hundreds of vendors around the world, these programs unlock the value of FIDO’s open standards for vendors and buyers. By specifying FIDO Certification in their RFQ’s, manufacturers can be sure that their suppliers will deliver performant, secure, and interoperable products.

Automotive OEMs can seek out and leverage components that are already certified (for example, authenticators or biometric components) and FIDO Alliance’s certification team is also developing an automotive profile with its lab partners that replicates in-car environments for more precise biometric tests. The Alliance seeks automotive sector feedback to help us collectively:

Address gaps in the current certification specifications Update specifications as needed Issue sector-specific policies Implement new testing procedures

For more information on FIDO Certification, visit https://fidoalliance.org/certification/.

13. Conclusion and next steps

The automotive industry and cybersecurity are evolving quickly; the FIDO Alliance’s proven and established standards and certification programs can help with a wide range of automotive industry applications. Applications include in-vehicle services and payment authentication, onboarding zone-controllers, car-to-cloud connectivity, OTA updates, and leveraging biometrics for a better driver experience.

The FIDO Alliance provides a path for automotive manufacturers and their suppliers to simplify their development processes, raise security levels, improve customer experience, reduce costs and tap into new revenue opportunities.

Feedback is welcome on the topics covered within this white paper and the FIDO Alliance encourages interested parties to engage with the Alliance and its members. FIDO Alliance members can learn more about FIDO standards and have opportunities to influence how these standards evolve. Additionally, members get the benefit of being able to engage with a broad range of thought leaders from leading companies within the broader ecosystem.

To get involved visit https://fidoalliance.org/members/become-a-member/ or use the Contact Us form at https://fidoalliance.org/contact/.

14. Appendix A – Global legislation applicable to automotive cybersecurity

National governments and international organizations have enacted regulations that require stringent cybersecurity measures throughout the automotive lifecycle, from design to operation and even end of life. These frameworks aim to shield vehicles from emerging threats and establish a baseline for safety and trust across the automotive ecosystem.

United Nations Regulations 155 and 156: These are the most prominent and clearly defined automotive cybersecurity regulations. Adopted under the WP.29 framework in 2021, UN R155 and R156 are globally recognized and mandate that vehicles incorporate a Cybersecurity Management System (CSMS) and a Software Update Management System (SUMS). These regulations are prerequisites for type approvals in over 50 countries, including most EU nations, Japan, South Korea, and Australia (UNECE, 2021).

ISO/SAE 21434: This standard provides the foundation for global automotive cybersecurity engineering, outlining processes for managing cyber risks throughout the entire vehicle lifecycle. It complements existing regulations and aids manufacturers in complying with mandatory regulations such as UN R155 (ISO, 2021).

China’s GB 44495-2024 and GB 44496-2024: Introduced in the summer of 2024, these regulations mirror UN R155 and R156 but are more detailed in specificity. GB 44495 outlines cybersecurity requirements for connected vehicles, while GB 44496 governs secure software updates. China’s focus on intelligent connected vehicles highlights its ambition to lead in autonomous and connected technologies (Shadlich, 2024).

India’s AIS 189 and AIS 190: India has introduced AIS 189 and AIS 190, standards aligned with UN R155 and R156, to regulate the cybersecurity of connected vehicles. These frameworks emphasize risk management, monitoring, secure communication protocols, and secure software updates, similar to UN R155/R156 (Vernekar, 2024).

United States: While there are no mandated federal regulations for automotive cybersecurity, the National Highway Traffic Safety Administration (NHTSA) has published cybersecurity best practices. These guidelines emphasize secure vehicle development processes, incident response plans, and continuous risk monitoring. They align with ISO/SAE 21434 and offer a proactive approach to mitigating vulnerabilities in connected vehicles (NHTSA, 2022).

Document history ChangeDescriptionDateInitial publicationWhite paper first published.7-2025             15. Contributors

Conor White, Daon, Inc
Richard Kerslake, FIDO Alliance
Andrew Shikiar, FIDO Alliance
Nimesh Shrivastava, Qualcomm Inc
Drew Van Duren, Qualcomm Inc
Jens Kohnen, Starfish GmbH & Co. KG
Tin T. Nguyen, VinCSS JSC
Henna Kapur, Visa

16. References

Harley, M. (2024, March 28). EU Cybersecurity Laws Kill Porsche’s 718 Boxster and Cayman Early. Retrieved from https://www.forbes.com/sites/michaelharley/2024/03/28/eu-cybersecurity-laws-kill-porsches-718-boxster-and-cayman-early/

ISO. (2021). ISO/SAE 21434:2021 Road vehicles—Cybersecurity engineering. International Organization for Standardization. Retrieved from https://www.iso.org/standard/70918.html

Miller, C., &amp; Valasek, C. (2015, July 21). Hackers remotely kill a Jeep on the highway—With me in it. Wired. Retrieved from https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway

National Highway Traffic Safety Administration (NHTSA). (2022, September 7). Cybersecurity best practices for new vehicles. NHTSA. Retrieved from https://www.nhtsa.gov/press-releases/nhtsa-updates-cybersecurity-best-practices-new-vehicles

Shadlich, E. (2024, September 2). China’s New Vehicle Cybersecurity Standard: GB 44495-2024. Retrieved from https://dissec.to/general/chinas-new-vehicle-cybersecurity-standard-gb-44495-2024/

UNECE. (2021). UN Regulation No. 155 – Cyber security and cyber security management system. UNECE. Retrieved from https://unece.org/transport/documents/2021/03/standards/un-regulation-no-155-cyber-security-and-cyber-security

University of Detroit Mercy. (n.d.). Vehicle cybersecurity engineering program. Retrieved from https://eng-sci.udmercy.edu/academics/engineering/vehicle-cyber-eng.php

Vernekar, A. (2024, October 10). Securing The Future Of Indian Automobiles: Understanding AIS-189 And Cybersecurity For Vehicles. Retrieved from https://vayavyalabs.com/blogs/securing-the-future-of-indian-automobiles-understanding-ais-189-and-cybersecurity-for-vehicles/

Walsh College. (n.d.). Bachelor of Science in Automotive Cybersecurity. Retrieved from https://walshcollege.edu/walsh-undergraduate-degree-programs/bachelor-of-science-in-information-technology/bachelor-of-science-in-automotive-cybersecurity/

Reflections on recent conversations about digital identity, sovereignty, and the erosion of foundational principles

Echoes from Geneva

I wasn’t present at the Global Digital Collaboration conference (GDC25), but the observations shared by colleagues who attended have crystallized some issues I’ve been wrestling with for years. I should note there’s a selection bias here: I’m the author of the 10 principles of self-sovereign identity, so my community tends to have strong opinions about digital identity. Still, when multiple trusted voices independently report similar concerns, patterns emerge that are worth examining. And these weren’t casual observers sharing these concerns. They were seasoned practitioners who’ve spent decades building identity infrastructure. Their collective unease speaks to something deeper than technical disagreements.

It’s hard to boil the problems at GDC25 down to a single issue, because they were so encompassing. For example, there was a pattern of scheduling issues that undercut the community co-organizing goal of the conference and seemed to particularly impact decentralized talks. One session ended up in a small, hot room on the top floor that was hard to find. (It was packed anyway!) Generally, the decentralized-centric talks were in bad locations, they were short, they had restricted topics, or they were shared with other panelists.

I think that logistical shuffling of events may point out one of the biggest issues: decentralized systems weren’t given much respect. This may be true generally. There may be lip service to decentralized systems, but not deeper commitments. Its value isn’t appreciated, so we’re losing its principles. Worse, I see the intent of decentralization being inverted: where our goal is to give individuals independence and power by reducing the control of centralized entities, we’re often doing the opposite — still in the name of decentralization.

The Echo Chamber Paradox

The problems at GDC25 remind me of Rebooting the Web of Trust (RWOT) community discussions I’ve been following, which reiterate that this is a larger issue. We debate the finer points of zero-knowledge proofs and DID conformance while missing the forest for the trees. Case in point: the recent emergence of “did:genuineid” — a centralized identifier system that fundamentally contradicts the “D” in DID.

Obviously, decentralization is a threat to those who currently hold power (whether they be governments, corporations, billionaires, or others who hold any sort of power), because it tries to remove their centralization (and therefore their power), to instead empower the individual. But if we can’t even maintain the semantic integrity of “decentralized” within our own technical community, devoted to the ideal, how can we fight for it in the larger world?

The Corpocratic Complication

GDC25 was held in Geneva, Switzerland. 30+ standards organizations convened to discuss the future of digital identity. Participants spanned the world from the United States to China. There was the opportunity that GDC25 was going to be a truly international conference. Indeed, Swiss presenters were there, and they spoke of privacy, democratic involvement, and achieving public buy-in. It was exactly the themes that we as decentralized technologists wanted to hear.

But from what I’ve heard, things quickly degraded from that ideal. Take the United States. The sole representative of the country as a whole attended via teleconference. (He was the only presenter who did so!) His talk was all about Real ID, framed as a response to 9/11 and rooted in the Patriot Act. It lay somewhere between security-theatre and identity-as-surveillance, and that’s definitely not what we wanted to hear. (The contrast between the US and Swiss presentations was apparently jarring.)

And with that representative only attending remotely, the United State’s real representatives ended up being Google and Apple, each advancing their own corpocratic interests, not the interests of the people we try to empower with decentralized identities.

This isn’t just an American problem. It’s a symptom of a deeper issue happening across our digital infrastructure. It’s likely the heart of the inversions of decentralized goals that we’re seeing — and likely why those logistical reshufflings occurred: to please the gold sponsors. In fact, the conference sponsors tell the story: Google, Visa, Mastercard, and Huawei were positioned as “leading organizations supporting the advancement of wallets, credentials and trusted infrastructure in a manner of global collaboration.”

While Huawei’s presence demonstrates international diversity—a Swiss conference bringing together Europe and Asia—it also raised questions about whose vision of “trust” would ultimately prevail. When payment platforms and surveillance-capable tech giants frame the future of identity infrastructure, we shouldn’t be surprised when the architecture serves their interests first.

This echoes my concerns from “Has SSI Become Morally Bankrupt?”. We’ve allowed the narrative of self-sovereignty to be co-opted by the very platforms it was meant to challenge. The technical standards exist, but they’re being implemented in ways that invert their original purpose. Even UNECE sessions acknowledged the risk of “diluting the autonomy and decentralization that SSI is meant to provide.”

The Sovereignty Shell Game

Google was partnered with German Sparkasse on ZKP technology and that revealed a specific example of this co-opting.

Google’s open-sourcing of its Zero-Knowledge Proof libraries, announced July 3rd in partnership with Germany’s network of public savings banks, was positioned as supporting privacy in age verification. Yet as Carsten Stöcker pointed out, zero-knowledge doesn’t mean zero-tracking when the entire stack runs through platform intermediaries. Carsten noted that Google has “extensive tracking practices across mobile devices, web platforms and advertising infrastructure.” Meanwhile, the Google Play API makes no promises that the operations are protected from the rest of the OS.

The Google ZKP libraries (“longfellow-sk”) could be a great building block for truly user-centric systems, as they link Zero-Knowledge Proofs to legacy cryptographic signature systems that are still mandatory for some hardware. But they’d have to be detached from the rest of Google’s technology stack. Without that, there are too many questions. Could Google access some of the knowledge supposedly protected by ZKPs? Could they link it to other data? We have no idea.

The European Union’s eIDAS Regulation, set to take effect in 2026, encourages Member States to integrate privacy-enhancing technologies like ZKP into the European Digital Identity Wallet, but integration at the platform level offers similar dangers and could again invert the very privacy guarantees ZKP promises.

Historical Echoes, Modern Inversions

Identity technology’s goals being inverted, so that identity becomes a threat rather than a boon, isn’t a new problem. In “Echoes of History”, I examined how the contrasting approaches of Lentz and Carmille during WWII demonstrate the life-or-death importance of data minimization. Lentz’s comprehensive Dutch identity system enabled the Holocaust’s efficiency; Carmille’s deliberate exclusion of religious data from French records saved lives. Even when they’re decentralized, today’s digital identity systems face the same fundamental questions: what data should we collect, what should we reveal, and what should we refuse to record entirely?

But we’re adding a new layer of complexity. Not only must we consider what data to collect, but who controls the infrastructure that processes it. When Google partners with Sparkasse on “privacy-preserving” age verification, when eIDAS mandates integration at the operating system level, we’re not just risking data collection: we’re embedding it within platforms whose business models depend on surveillance. Even if the data is theoretically self-sovereign, the threat of data collected is still data revealed — just as happened with Lentz’s records.

The European eIDAS framework, which I analyzed in a follow-up piece to “Echoes from History”, shows how even well-intentioned regulatory efforts can accelerate platform capture when they mandate integration at the operating system level. As I wrote at the time, a history of problematic EU legislation that had the best of intentions but resulted in unintended consequences has laid the groundwork, and now identity is straight in that crosshairs. One of the first, and most obvious problems with eIDAS is the mandate “that web browers accept security certificates from individual member states and the EU can refuse to revoke them even if they’re dangerous.” There are many more — and I’m not the only voice on eIDAS and EUDI issues.

Supposedly self-sovereign certificates phoning home whenever they’re accessed is another recent threat that demonstrates best intentions gone awry. This not only violates privacy, but it undercuts some of our best arguments for self-soveereign control of credentials by returning liability for data leaks to the issuer. The No Phone Home initiative that Blockchain Commons joined last month represents one attempt to push back on that, but it feels like plugging holes in a dam that’s already cracking. It all does.

The Builder’s Dilemma

What troubles me most is the split I see in our community. On one side, technology purists build increasingly sophisticated protocols in isolation from policy reality. On the other, pragmatists make compromise after compromise until nothing remains of the original vision.

The recent debates about did:web conformance illustrate this perfectly. Joe Andrieu correctly notes that did:web can’t distinguish between deactivation and non-existence — a fundamental security boundary. Yet did:web remains essential to many implementation strategies because it bridges the gap between ideals and adoption. It provides developers and users with experience with DIDs, but in doing so undercut decentralized ideals for those users. We’re caught between philosophical purity and practical irrelevance.

In my recent writings on Values in Design and the Right to Transact, I’ve tried to articulate what we’re fighting for. But values without implementation are just philosophy, and implementation without values is just surrender.

The Global Digital Collaboration highlighted this tension perfectly. International progress on digital identity proceeds apace: Europe, Singapore, and China all advance their frameworks, but there are still essential issues that invert our fundamental goals in designing self-sovereign systems. Meanwhile, the U.S. remains even more stalled, its position represented only by the platforms that benefit from the status quo. Alongside this, technical standards discussions proceed in isolation from the policy, regulatory, and social frameworks that will determine their real-world impact.

Where Do We Go From Here?

I find myself returning to first principles. When we designed TLS 1.0, we understood that technical protocols encode power relationships. When we established the principles of self-sovereign identity, we knew that architecture was politics. Ongoing battles, such as those between Verifiable Credentials and ISO mDLs, between DIDComm and OpenID4VC, demonstrate disagreements over these power relationships made visible in technological discussions.

The question now is whether we can reclaim our ideals before they’re completely inverted by the side of centralized power and controlled architecture.

The path forward requires bridging the gaps Geneva revealed:

Between corporate platform dominance and global digital sovereignty Between the promise of decentralization and the reality of recentralization Between technical standards and policy reality Between privacy absolutism and implementation pragmatism A Personal Note

After three decades of building internet infrastructure, I’ve learned that the most dangerous moment isn’t when systems fail, it’s when they succeed in ways that invert their purpose. We built protocols for human autonomy and watched them become instruments of platform control. We created standards for decentralization and see them twisted into new forms of centralization.

This conversation continues in private Signal groups, in conference hallways, in the space between what we built and what we’ve become. The Atlantic Council warns of power centralizing “in ways that threaten the open and bottom-up governance traditions of the internet.” When critics from across the geopolitical spectrum — from sovereignty advocates to digital rights groups — all sense something amiss, it suggests a fundamental architectural problem that transcends ideology.

Perhaps it’s time for a new architecture: one that acknowledges these inversions and builds resistance into its very foundations.

But that’s a longer conversation for another day.

Christopher Allen has been architecting trust systems for over 30 years, from co-authoring TLS to establishing self-sovereign identity principles. He currently works on alternative approaches to digital identity through Blockchain Commons.

Community Responses & Discussion since Publication

This article sparked significant discussion across the digital identity community:

Mailing List Discussion W3C Credentials Community Group Thread (39 messages, July 16-17) Debate between pragmatic incrementalism vs. human rights imperatives Questions about whether current standards help or hinder decentralization Concerns about “death by 1000 compromises” in SSI implementation My own synthesis and response to this CCG thread, including highlighting Utah’s “recognizer not issuer” as an altertive model De-platforming humans sub-thread (19 messages, July 17) Adrian Gropper proposes moving beyond SSI as “anti-pattern” Discussion of Nostr as alternative architecture Debate over whether did:web is truly decentralized given DNS dependencies Response Articles A Pattern of Moral Crisis - Kyle Den Hartog Examines how technologies get co-opted during times of crisis, drawing parallels to historical censorship patterns Centralized SSI - Kyle Den Hartog Analyzes how trust architectures themselves, not just technology, determine whether systems preserve or remove agency Cyber Storm Rising: Designing for the Warzone - Carsten Stöcker Reframes decentralization as urgent cybersecurity necessity, not just privacy concern, citing Ukraine’s experience Choose Love and Joy - Will Abramson Optimistic perspective on using advanced cryptography and blockchain “hardness” to build kinder digital futures Privacy in EUDI - Jaromil (Dyne.org) Technical analysis of European Digital Identity implementation and privacy implications Decentralized Age Verification - Kyle Den Hartog Concrete proposal for privacy-preserving content moderation that shifts roles within the SSI triangle

Join these ongoing discussion or share your perspective.

did:jwk embeds a JSON Web Key (JWK) in a DID to enable the use of JWKs in DID-enabled systems. Simple and straightforward, it promises to give did:key and did:pkh a run for their money. We talk with two of the co-authors of did:jwk, Jeremie Miller, known for creating Jabber and XMPP, and Orie Steele, CTO...

did:jwk embeds a JSON Web Key (JWK) in a DID to enable the use of JWKs in DID-enabled systems. Simple and straightforward, it promises to give did:key and did:pkh a run for their money. We talk with two of the co-authors of did:jwk, Jeremie Miller, known for creating Jabber and XMPP, and Orie Steele, CTO...

The Overlays Capture Architecture (OCA) is a foundation for Dynamic Data Economy structuring and presenting data in a traceable and verifiable way. Recognising today’s need of interoperability between standards, the release of OCA v2, the architecture takes a major leap forward, introducing a modular and extensible approach in the definition of overlays.

Community 2.0

The new specification centers around making overlays easier to define, share, and validate — even by non-technical users. At its core, OCA v2 introduces the concept of Community Overlays, empowering ecosystems to create and maintain their own overlay definitions without deep technical barriers.

We used the term Community (i.e. not ecosystem) to stress the need of creating the flexibility to create specific overlays for a given purposes shared by multiple users. For example, in science this approach helps to define the ultra-precise meaning of certain datasets while keeping them in line with common standards. In compliance, the approach enables the definition of data structures that must match specific regulatory constraints in a given jurisdiction. In supply-chain, the approach enables domain specific definitions of data exchanges to be used across the entire chain without requiring a centralised authority.

Definition of Community-Driven Overlay

Enabling Community Overlays required a different approach to the way the overlays are defined. Instead of specifying them in the OCA specification, we created a Domain-Specific Language (DSL), which allows us to create overlay definitions, which we called OVERLAYFILE.

OVERLAYFILE is a text-based file which can consist of one or many definitions of various overlays. If you are familiar with programming, think of it as a *.h (header) file from C++. If you are not familiar with technology, think of it as the exact structure of the dataset your boss, team, department or company validated for use.

Having clearly defined overlays, the relevant tooling support any community-defined overlay and simplify the way we manage overlays in the whole ecosystem. When you use it, you have the cryptographic assurance to use what the community has validated for use.

A new file type, .overlaysfile, allows communities to formally define their own overlays. By separating overlay definitions from usage, ecosystems can establish governance and enable cross-project reusability. Overlay repositories further support this, enabling easy distribution and import of overlays.

Enhanced Modularity and Validation

The new approach allows overlays to define schemas, ensuring proper structure and data integrity. Tooling can now validate authored overlays against community-defined schemas, reducing errors and increasing trust.

OCA Bundle in JSON format

An OCA Bundle is a set of OCA objects serving as envelop for distribution and usage of the semantic. With v2 we finally introduced long waiting new encoding format which replace old .zip file by simple JSON object. This new format was in test since quite some time in reference implementation of OCA and now it is official part of the OCA specification allowing to simplify the tooling and the way how the bundle is transmitted.

OCA Specification v2

Finally we release RC1 of Overlays Capture Architecture Specification v2.0.0 which is signal for readiness of mentioned features and functions. The process of implementation already started in our reference implementation which can be followed at oca-rs.

Below you would find the list of major changes which version 2.0.0 brings:

Sensitive overlay replaces PII's flagging in capture base. This enables an enhanced approach to privacy and other risks flagged directly in the schema

Categories from the Label overlay have move to presentation layer. Thus strictly enforcing the distinction between data inner structure and meaning with data presentation.

Upgrade to “Community Overlays” of certain previously “core overlays”. - all overlays listed below are nominated as community overlays and hosted in an Overlays Repository.

Information

Transoformation

Presentation

Layout

Conditional

Unit mapping

Introduce SemVer for all objects

Support for 639-1 and 639-3

Support for namespacing in overlay name

OCA2.0 build for stronger, verifiable data integrity

All objects of the Overlays Capture Architecture, the Capture Base, Overlays and Bundle are compatible with CESR encoding. This ensures that those objects can be authenticated using DKMS a KERI based decentralised key management.

This is pivotal to establish cryptographically verifiable integrity of data objects. This property enables the implementation of distributed governance models - a topic that will receive much attention at the Human Colossus Foundation

Webinar at DSWG

The Technology Council, who is responsible for maintaining the OCA specification and reference implementation, hosted a webinar during the Decentralised Semantic Working Group where they delved into the details of the design of the new architecture and all the features of version 2.0.

Decentralised Semantic Working Group - Overlays Capture Architecture 2.0

Looking Ahead

With OCA v2, the Overlays Capture Architecture moves closer to its vision of an open, extensible semantic ecosystem where organizations and communities can seamlessly create, validate, and share schemas.

Cybersecurity experts are urging internet users to take immediate steps to secure their online accounts, after largest-ever data leak exposed more than 16 billion login credentials including from major platforms like Google, Facebook, Apple, and even government services.

The breach, discovered by researchers at Cybernews, is believed to have been carried out using infostealers that harvested login data and other sensitive credentials from multiple platforms. “This is not just a leak – it’s a blueprint for mass exploitation,” Cybernews said in a statement. “With over 16 billion login records exposed, cybercriminals now have unprecedented access to personal credentials that can be used for account takeover, identity theft, and highly targeted phishing.”

Over the last few decades, compromised usernames and passwords have typically been at the root of some of the most sensational, damaging, and costly data breaches. An incessant drumbeat of advice about how to choose and use strong passwords and how not to fall prey to social engineering attacks has done little to keep threat actors at bay. 

Meta has begun rolling out passkey login authentication for Facebook users on iOS and Android mobile devices, marking a significant advancement in the industry-wide movement away from traditional password-based security. The implementation follows similar moves by tech giants Apple, Google, and Microsoft who have been leading the charge toward passwordless authentication.

The new passkey feature will become available to users globally over the coming weeks. To use the functionality, users must have devices that support FIDO2/WebAuthn standards, which are commonly found in modern iOS and Android smartphones. These standards, developed through collaboration between the FIDO Alliance and the World Wide Web Consortium (W3C), provide a secure framework for passwordless authentication that has been widely adopted across the technology industry.

Look up customer journey or customer experience (aka CX) and you’ll find nothing about what the customer drives, or rides. All results will be for systems meant for herding customers like cattle into a chute that the CX business (no kidding) calls a sales funnel:

Do any customers want to go down these drains?

But let’s stick with the journey metaphor, because there are good people in the marketing business who have thought deeply about how people buy and own things. Chief among those people is Estaban Kolsky, of Constellation Research. He visualizes the journey in a way that not only gives weight to the ownership experience, but separates it from the sales experience :

As for our actual experience, we spend 100 percent of our lives with things we own, and just a tiny percentage on buying them. So the real ratio should look more like this:

And yet, as I pointed out several years back in Turning the Customer Journey Into a Virtuous Cycle…

…consider the curb weight of “solutions” in the world of interactivity between company and customer today. In the BUY loop of the customer journey, we have:

1. All of advertising, which Magna Global expects to pass $.5 trillion, more than a decade ago

2. All of CRM/CX, which now exceeds $100 billion

3. All the rest of marketing, which has too many segments for me to bother looking up

So, in the OWN loop we have a $0 trillion greenfield.

To enter that greenfield, we need customers to be in charge of their side of these relationships— preferably through means for interaction that customers themselves control—on terms that are agreeable to both sides, rather than the one-sided terms we suffer every time we click AGREE on a cookie notice.

To help imagine how that will work, I volunteer a real-world example from my own life.

A few years back, I bought a pair of LAMO Mens Mocs at a shopping mall kiosk in Massachusetts. Here’s one:

I like them a lot. They’re very comfortable and warm on winter mornings. In fact I still wear them, even though the soles have long since come apart and fallen off. Here is how they looked after a few years of use:

I’m showing this so you, and LAMO, can see what happens, and how we can both use my experience—and those of other customers—to change the world.

See, I like LAMO, and would love to help the company learn from my experience with one of their products. As of today, there are four choices for that:

Do nothing (that’s the default) Send them an email Go on some website and talk about it. (A perfect Leighton cartoon in the  New Yorker shows a couple registering at a hotel while the person behind the counter says, “If there’s anything we can do to make your stay more pleasant, just rant about it on the Internet.”) Get “social” by tweeting to @LAMOfootwear or posting to LAMO’s Facebook page. (For wisdom on “social” relations between brands and presumed fans, see Bob Hoffman‘s talk on the topic.)

So here is a fifth choice: give these moccasins their own virtual cloud, where LAMO and I can share intelligence about whatever we like, starting (on my side) with reports on my own experience, requests for service, or whatever. Phil Windley calls these clouds picos, for persistent compute objects. Picos are breeds of what Bruce Sterling calls spime: persistent intelligence for things. Picos have their own operating system (e.g., Wrangler, which Phil most recently posted about here), and don’t need intelligence on board. Just scan a QR code, and you’ll get to the pico. Here’s the QR code on one of my LAMO moccasins:

Go ahead and scan the code with your phone. You’ll get to a page that says it’s my moccasin.

That’s just one view of a potential relationship between me and Lamo — one in which I can put a message that says “If found, call or text _______.” Another view is on my own dashboard of things in my OWN cycle, and direct connections to every one of those companies. That relationship can rest on friendly terms in which I’m the first party and the company is the second party. (For more on that, see here and here.)

So look at the relationship between me and Lamo as a conduit (the blue cylinder below) that lives in the pico for my mocassin. That conduit goes from my VRM (vendor relationship management) dashboard to Lamo’s CRM (customer relationship management) system. There is no limit to the goodness that can pass back and forth between us, including intelligence about how I use my moccasins.

Let’s look at what can happen at either or both ends of that conduit.

A pico for a product is a CRM dream come true: a standard way for every copy of every product to have its own unique identity and virtual cloud (in which any data can live), and standard way any customer can report usage and other intelligence about any product they own—without any smarts needing to live on the thing itself.

If I scan that QR code, I can see whatever notes I’ve taken. I can also see whatever LAMO has put in there, with my permission. Also in that cloud is whatever programming has been done on it. Here is one example of simple relationship logic at work:

IF this QR code is scanned, THEN send LAMO a note that Doc has a new entry in our common journal.

Likewise, LAMO can send me a note saying that there is new information in the same journal. Maybe that information is a note telling me that the company has changed sole manufacturers, and that the newest Mens Mocs will be far more durable. Or maybe they’ll send a discount on a new pair. The correct answer for what goes in the common journal (a term I just made up) is: whatever.

Now let’s say LAMO puts a different QR code, or other identifier, in every moccasin it sells. Or has a CRM system that is alert to notifications from customers who have turned their LAMO moccasins into picos, making all those moccasins smart. LAMO can then not only keep up with its customers through CRM-VRM conduits, but tie interactions through those conduits to the dashboards of their accounting systems (from Xero or other companies that provide enriched views of how the company is interacting with the world).

This is one huge potential key to the future of customer service, customer relationship management (CRM), call centers, loyalty programs, continuous improvement, customer experience (CX), customer engagement (CE) and other complicated ways businesses today try to solve all relationship problems from the maker’s or the seller’s side alone.

Follow the links in the last paragraph (all to Wikipedia), and you’ll find each of them has “multiple issues.” The reason for that is simple: the customer is not involved with any of them. All those entries make the sound of industries talking to themselves — or one hand slapping.

This is an old problem that can only be fixed on the customer’s side. Before the Internet, solving things from the customer’s side — by making the customer the point of integration for her own data, and the decider about what gets done with that data — was impossible. Now that we have the Internet, it’s very possible, but only if we get our heads out of business-as-usual and back into our own lives. This will be good for business as well.

A while back I had meetings with two call center companies, and reviewed this scenario:

A customer scans the QR code on her cable modem, activating its pico. By the logic described above, a message to the call center says “This customer has scanned the QR code on her cable modem.” The call center checks to see if there is an outage in the customer’s area, and — if there is — finds out how soon it will be fixed. The call center sends a message back saying there’s an outage and that it will be fixed within X hours.

In both cases, the call center company sai,d “We want that!” Because they really do want to be fully useful. And — get this — they are programmable.

Unfortunately, in too many cases, they are programmed to avoid customers or to treat them as templates rather than as individual human beings who might actually be able to provide useful information. This is old-fashioned mass-marketing thinking at work, and it sucks for everybody. It’s especially bad at delivering (literal) on-the-ground market intelligence from customers to companies.

Call centers would rather be sources of real solutions rather than just customer avoidance machines for companies and anger sinks for unhappy customers. The solution I’m talking about here takes care of that. And much more.

Now let’s go back to shoes.

I’m not a hugely brand-loyal kind of guy. I use Canon cameras because I like the long-standing 5D user interface more than the competing Nikon ones, and Canon’s lens prices tend to be lower. I use Apple computers because they’re easy to get fixed and I can open a command line shell and get geeky when I need to. I drive a 2017 VW wagon because I got it at a good price. And I buy Rockport shoes because, on the whole, they’re pretty good.

Used to be they were great. That was in the ’70s and early ’80s when Saul and Bruce Katz, the founders, were still in charge. That legacy is still there, under Reebok ownership; but it’s clear that the company is much more of a mass marketing operation than it was back in the early days. Still, in my experience, they’re better than the competition. That’s why I buy their shoes. Rockports are the only shoes I’ve ever loved. And I’ve had many.

So here is a photo I took of wear-and-tear on two pairs of Rockport casual shoes I still use, because they’re damned comfortable:

Shots 1 and 2 are shoes I bought in June 2012, and are no longer sold, near as I can tell. (Wish they were.) Shots 3 and 4 are of shoes called Off The Coast 2 Eye. I bought mine in late 2013, but didn’t start wearing them a lot until early this year. I bought both at the Rockport store in Burlington Mall, near Boston. I like that store too.

The first pair has developed a hole in the heel and loose eyelet grommets for the laces around the side of the shoe. The hole isn’t a big deal, except that it lets in water. The loose eyelets are only a bother when I cross my feet sitting down: they bite into the other ankle. The separating outer sole of the second pair is a bigger concern, because these shoes are still essentially new, and look new except for that one flaw. A design issue is the leather laces, which need to be double-knotted to keep from coming undone, and even the double-knots come undone as well. That’s a quibble, but perhaps useful for Rockport to know.

I’d like to share these experiences privately with Rockport, and for that process to be easy. Same with my experiences with LAMO moccasins.

It could be private if Rockport and LAMO footwear came with QR codes for every pair’s pico — it’s own cloud. Or if Rockport’s CRM or call center system was programmed to hear pings from my picos.

Ideally, customers would get the pico along with the shoe. Then they would have their own shared journal and message space — the conduit shown above — as well as a programmable system for creating and improving the whole customer-company relationship. They could also get social about their dialogs in their own ways, rather than only within Facebook and Twitter, which are the least private and personal places imaginable.

This kind of intelligence exchange can only become a standard way for companies and customers to learn from each other if the code for picos is open source. If Rockport or LAMO try to “own the customer” by locking her into a closed company-controlled system — the current default for customer service — the Internet of Things will be what Phil calls “the Compuserve of things”. In other words, divided into the same kind of closed and incompatible systems we had before the Net came along.

One big thing that made the Internet succeed was substitutability of services. Cars, banks, and countless other product categories you can name are large and vital because open and well-understood standards and practices at their base have made substitutability possible. Phil says we can’t have a true Internet of Things without it, and I agree.

The smartest people working for companies are their customers. And the best way to activate customer smarts is by giving them scale. That’s what picos do.

As a bonus, they also give companies scale. If we can standardize picos, we’ll have common and standard ways for any customer and any company to relate to each other through any VRM + CRM system. Think about how much more, and better, intelligence a company can get from its customers this way, rather than through the ones barely succeeding now, where the company does all the work, and fails to know an infinitude of useful stuff customers could be telling them. Think about how much more products can be improved, an iterated over time. Think about how much more genuine loyalty can be created and sustained with this kind of two-way system.

Then think how much companies can save by not constantly spying on customers, guessing about what they might want, spamming them with unwanted and unnecessary sales messages, maintaining systems try to relate but actually can’t, and herding customers into imaginary funnels that customers would loathe if they could see what’s going on.

It’s a lot.

So let’s start working on growing a sane world of business that’s based on market intelligence that flows both ways, instead of the surveillance-based guesswork and delusional imaginings of marketing that smokes its own exhaust. We can do it, privately, and at scale.

The first ancestor of this post appeared at ProjectVRM on 19 Apri 2014. It was updated a bit on 8 June 2017. The second one was posted here on Medium in 2016. With IEEE P7012, aka MyTerms nearing completion, there is a good chance we can make this dream come true in 2026.

We are excited to share that we are starting a new project in partnership with the Numun Fund to map organizations and community responses addressing technology-facilitated gender-based violence (TFGBV), specifically intimate partner violence (IPV) affecting girls, young women and LGBTIQ+ activists in the Majority World.

The post Help Us Map Responses to Tech-Facilitated Intimate Partner Violence Affecting Young Women and LGBTIQ+ Activists appeared first on The Engine Room.

We reconstruct memory through listening. Over the past three months, as we shared in April, we immersed ourselves with our ears wide open and a shared desire to explore a digital sound archive that began taking shape over 20 years ago.

The post Weaving Sound Memories: Exploration and Care of the Oír Más Archive appeared first on The Engine Room.

How are brands thinking about their supply chains five years after the COVID-19 crisis?

Companies are now leaning more heavily into innovation, from making their operations resilient to market changes to launching sustainability initiatives.

In this episode, Stephanie Mehta, CEO and Chief Content Officer at Mansueto Ventures, joins hosts Reid Jackson and Liz Sertl following her keynote at GS1 Connect. They discuss why the supply chain is now at the center of innovation and how companies can stay ahead of changes in the economy and evolving customer demands.

Drawing on her experience leading Fast Company and Inc., Stephanie shares how resilience, sustainability, and data-driven thinking are transforming the business landscape for companies of every size.

 

In this episode, you’ll learn:

How companies are using the supply chain to drive innovation and acceleration

Why executives are rethinking product packaging, automation, and logistics

The impact of data and social media on a company’s operations

 

Jump into the conversation:

(00:17) Introducing Next Level Supply Chain

(02:32) Stephanie Mehta’s journey from business journalist to CEO

(03:27) How GS1 US collaborates with media brands

(04:13) Reaching small businesses with supply chain storytelling

(05:41) What most people miss about barcodes

(07:35) Why innovation should not stop post-crisis

(08:23) How sustainability aligns with consumer demand

(11:16) Solving forecasting and inventory with better data

(12:05) The logistics of HP’s sustainability initiative

(15:56) Social media’s growing impact on supply chains

 

Connect with GS1 US:

Our website - www.gs1us.org

GS1 US on LinkedIn

 

Connect with the guest:

Stephanie Mehta on LinkedIn

Check out Mansueto Ventures

Through our Matchbox Program, we partner with civil society organizations to strengthen their work by harnessing the power of data and technology. Our recent partnership with Trans Youth Initiative-Uganda (TYI-Uganda) offers a lens into how collaborative platform development can respond to pressing social challenges while also building long-term  organizational capacity.

The post WHEN SAFETY IS POLITICAL: DIGITAL SOLUTIONS FOR TRANS YOUTH IN UGANDA appeared first on The Engine Room.

Microsoft has said that it’s ending support for passwords in its Authenticator app starting August 1, 2025.

Microsoft’s move is part of a much larger shift away from traditional password-based logins. The company said the changes are also meant to streamline autofill within its two-factor authentication (2FA) app, making the experience simpler and more secure.

Over the past few years, Microsoft has been pushing for a passwordless future using technologies like passkeys, Windows Hello, and FIDO2-based authentication. These methods offer better protection against phishing and password reuse, which are still major attack vectors. While it may feel like a hassle at first, this change is actually aimed at reducing your risk in the long run.

Invitation to comment on OpenDocument Version 1.4 before call for consent as OASIS Standard - ends September 7th

OASIS Members and other interested parties,

OASIS and the Open Document TC [1] are pleased to announce that Open Document Version 1.4 CS01 is now available for public review and comment.

The OpenDocument Format (ODF) is an open XML-based document file format for office applications to be used for documents containing text, spreadsheets, charts, and graphical elements. The file format makes transformations to other formats simply by leveraging and reusing existing standards wherever possible. As an open standard under the stewardship of OASIS, OpenDocument also creates the possibility for new types of applications and solutions to be developed other than traditional office productivity applications.

The TC received three Statements of Use from Microsoft, Allotropia Software GmbH, and The Document Foundation [3].

The candidate specification and related files are available here:

OpenDocument Version 1.4 
Part 1: Introduction
Committee Specification 01
2 August 2024
https://docs.oasis-open.org/office/OpenDocument/v1.4/cs01/part1-introduction/OpenDocument-v1.4-cs01-part1-introduction.odt(Authoritative)
https://docs.oasis-open.org/office/OpenDocument/v1.4/cs01/part1-introduction/OpenDocument-v1.4-cs01-part1-introduction.html
https://docs.oasis-open.org/office/OpenDocument/v1.4/cs01/part1-introduction/OpenDocument-v1.4-cs01-part1-introduction.pdf

OpenDocument Version 1.4 
Part 2: Packages
Committee Specification 01
2 August 2024
https://docs.oasis-open.org/office/OpenDocument/v1.4/cs01/part2-packages/OpenDocument-v1.4-cs01-part2-packages.odt(Authoritative)
https://docs.oasis-open.org/office/OpenDocument/v1.4/cs01/part2-packages/OpenDocument-v1.4-cs01-part2-packages.html
https://docs.oasis-open.org/office/OpenDocument/v1.4/cs01/part2-packages/OpenDocument-v1.4-cs01-part2-packages.pdf

OpenDocument Version 1.4
Part 3: OpenDocument Schema
Committee Specification 01
2 August 2024
https://docs.oasis-open.org/office/OpenDocument/v1.4/cs01/part3-schema/OpenDocument-v1.4-cs01-part3-schema.odt (Authoritative)
https://docs.oasis-open.org/office/OpenDocument/v1.4/cs01/part3-schema/OpenDocument-v1.4-cs01-part3-schema.html
https://docs.oasis-open.org/office/OpenDocument/v1.4/cs01/part3-schema/OpenDocument-v1.4-cs01-part3-schema.pdf

OpenDocument Version 1.4
Part 4: Recalculated Formula (OpenFormula) Format
Committee Specification 01
2 August 2024
https://docs.oasis-open.org/office/OpenDocument/v1.4/cs01/part4-formula/OpenDocument-v1.4-cs01-part4-formula.odt (Authoritative)
https://docs.oasis-open.org/office/OpenDocument/v1.4/cs01/part4-formula/OpenDocument-v1.4-cs01-part4-formula.html
https://docs.oasis-open.org/office/OpenDocument/v1.4/cs01/part4-formula/OpenDocument-v1.4-cs01-part4-formula.pdf
Schema files are located here.

For your convenience, OASIS provides a complete package of the prose specification and related files in a ZIP distribution file. You can download the ZIP file at: OpenDocument-v1.4-cs01.zip

Members of the Open Document TC approved this specification by Special Majority Vote [2]. The specification had been released for public review as required by the TC Process.

Public Review Period

The 60-day public review is now open and ends 7 September 2025 at 23:59 UTC.

This is an open invitation to comment. OASIS solicits feedback from potential users, developers and others, whether OASIS members or not, for the sake of improving the interoperability and quality of its technical work.

Comments may be submitted to the project by any person through the use of the project’s Comment Facility. Members of the TC should submit feedback directly to the TC’s members-only mailing list. All others should follow the instructions listed here.

All comments submitted to OASIS are subject to the OASIS Feedback License, which ensures that the feedback you provide carries the same obligations at least as the obligations of the TC members. In connection with this public review  we call your attention to the OASIS IPR Policy [4] applicable especially [5] to the work of this technical committee. All members of the TC should be familiar with this document, which may create obligations regarding the disclosure and availability of a member’s patent, copyright, trademark and license rights that read on an approved OASIS specification.

OASIS invites any persons who know of any such claims to disclose these if they may be essential to the implementation of the above specification, so that notice of them may be posted to the notice page for this TC’s work.

========== Additional references:

[1] OASIS Open Document TC

[2] Approval ballot

[3] Links to Statements of Use
Microsoft:
https://groups.oasis-open.org/discussion/statement-of-use-from-microsoft
Allotropia Software GmbH:
https://groups.oasis-open.org/discussion/statement-of-use-for-open-document-format-for-office-applications-opendocument-version-14-cs01
Document Foundation:
https://groups.oasis-open.org/discussion/fwd-statement-of-use-odf-14

[4] https://www.oasis-open.org/policies-guidelines/ipr/
https://www.oasis-open.org/committees/office/ipr.php

Intellectual Property Rights (IPR) Policy

The post Invitation to comment on OpenDocument Version 1.4 before call for consent as OASIS Standard – ends September 7th appeared first on OASIS Open.

On June 30th, Geneva became the stage for an informal event: the kick-off meeting of the DKMS Alliance. This gathering marks the official launch of a collaborative initiative poised to reshape digital trust infrastructure for the next generation.

At the time Geneva’s international traditions lead the city to host the Global Digital Conference 2025, the DKMS Alliance aims to bring now the open-source primitives enabling the digital authentication of tomorrow to the enterprises and organisations with the required support, maintance and stability they needs to build digital interoperable solutions at scale.

The DKMS Alliance — is a joint endeavor kicked off by Human Colossus Foundation, Vereign AG and argonAUTHs. Anchored in the architectural roots of KERI (Key Event Receipt Infrastructure), the Alliance unites deep technical expertise and strong operational capabilities to deliver to the world a new paradigm for secure, verifiable, and sovereign digital interactions.

A Shared Vision for Open and Secure Digital Infrastructure

The Alliance goal is to drive adoption, sustainability, and market readiness for digital infrastructure components that are open, secure, and industrial-grade. By combining the power of DKMS, a Rust implementation of KERI, and the Overlays Capture Architecture (OCA) into production-ready resources the Alliance provides its members the first movers advantage to develop enterprise applications that scales. The DKMS Alliance aims to become a community acting as a beacon of dynamic innovation and reliability to deploy resilient solutions build on top of a reliable digital trust infrastructure.

The DKMS Alliance represents today a powerful fusion of complementary strengths. From the Human Colossus Foundation’s pioneering work on the KERI protocol and in data semantics and governance to Vereign’s production deployments in secure communications and ArgonAUTHs’ cryptographic agility and verifiability at scale, the founding organizations bring together decades of experience in building trust frameworks, decentralized identity, secure communication, and verifiable data ecosystems.

Why Now?

In a world increasingly challenged by fragmented approaches to digital trust, vendor lock-in, and fragile ecosystems, the DKMS Alliance provides a unified, community-driven foundation. By offering stable APIs, modular architectures, and predictable release cycles, the Alliance ensures that the core infrastructure remains robust and future-proof.

The Alliance also emphasises transparent governance, which will be build with Alliance members. This commitment to openness and quality positions it to become the go-to stack for governments and enterprise innovators looking to implement decentralised trust layers.

The Kick-off: Setting the Stage for Collective Action

The Geneva meeting brought together a mix of technical leaders, strategists, funders and early adopters to align on shared goals, identify immediate priorities, and announced a roadmap for 2025 and beyond. It marked the transition from vision to execution. Focused action points emerged to accelerate engineering efforts, develop governance structures, and expand outreach to early members.

As an early member of the DKMS Alliance, organizations have the unique opportunity to influence the evolution of specifications and implementations, gain early access to deliverables, and secure premium support from the visionary leaders shaping tomorrow’s digital trust landscape.

Join Us on This Journey

The DKMS Alliance is more than just a technical project — it’s a call to collective stewardship of the global digital commons. By joining, organizations not only protect critical dependencies but also demonstrate leadership in privacy, security, and data sovereignty. As a renegade from the current mainstream, you become within your domain, the reputable authority of tomorrow’s digital architecture.

We invite you to become part of the transformative movement. Check our Prima Vista document on how you can join this journey. Together, we can build the resilient, trustworthy, and open digital infrastructure the world urgently needs.

Stay tuned — more information, updates, and opportunities to engage with the DKMS Alliance will be coming soon!

In the MyData Matters blog series, MyData members introduce innovative solutions that align with MyData principles, emphasising ethical data practices, user and business empowerment, and privacy. Every day, billions of […]

Play Video

Watch the full recording on YouTube.

Status: Verified by Presenter

Please note that ToIP used Google NotebookLM to generate the following content, which the presenter has verified.

Google NotebookLM Podcast

https://trustoverip.org/wp-content/uploads/ToIP-EGWG-2025-06-26_-Aakash-Guglani-Enhancing-Trust-using-Digital-Public-Infrastructure-DPI.wav

Here is a detailed briefing document reviewing the main themes and most important ideas or facts from the provided source, generated by Google’s NotebookLM:

Briefing Document: India’s Digital Public Infrastructure (DPI)

Date: June 26, 2025
Source: Excerpts from Trust over IP Ecosystems and Governance Working Group Meeting
Presenter: Aakash Guglani from the Digital India Foundation.
Topic: Enhancing Trust using Digital Public Infrastructure (DPI)
Excerpt: India’s Digital Public Infrastructure (DPI) and Unified Payment Interface (UPI) revolutionize financial inclusion, bringing over 500 million people into the digital economy. This open-source, mobile-first system builds trust and breaks traditional payment monopolies.

Executive Summary

This briefing document provides an overview of India’s Digital Public Infrastructure (DPI), focusing on its development, impact, and future direction as presented by Aakash Guglani from the Digital India Foundation. The DPI, particularly the Unified Payments Interface (UPI) and Aadhaar, has been instrumental in formalizing India’s economy, empowering its vast and diverse population, and challenging traditional payment monopolies. It represents a unique, policy-driven approach that blends public and private sector participation, aiming for broad inclusivity rather than just serving the affluent.

I. Core Philosophy and Context Addressing India’s Unique Challenges: India’s DPI was developed to address the needs of its “100 million plus” households, representing “500 million people” who were largely deprived and excluded from the burgeoning digital economy. Traditional private platforms primarily targeted the “top 1%,” while public approaches lacked state capacity and risked centralization. (00:07:39, 00:10:50) A “Digital Public Infrastructure” Approach: India adopted a “distro public infrastructure” model, which emphasizes diversity, choice, openness, and sovereignty. It’s a collaborative effort involving both public and private sectors. (00:11:08) Contrast with Other Models: Unlike purely private platforms or a “totally state-led model” like China’s, India’s DPI is designed to be a democratic solution. “We could not go with private platforms, and we never had the state capacity like China to go for a totally state-led model.” (00:09:30, 00:16:40) II. Key Components and Their Impact A. Aadhaar: Unique Digital Identity Foundation of DPI: Over the last 10 to 15 years, India has established “more than 1.3 billion Aadhaar,” a unique digital identity based on 10 biometrics (fingerprints and iris scan) for “99% of Indians.” (00:11:37, 00:11:50) Enabled EKYC: Aadhaar facilitated “EKYC (Know Your Customer),” drastically reducing the cost of customer acquisition for banks. The cost of KYC dropped from “$25 to $1.” (00:12:02, 00:21:16, 00:21:21) This cost reduction made it economically viable for banks, previously reluctant due to high offline verification costs, to open “zero-cost accounts” for the rural and unbanked population. (00:21:21, 00:21:29) Broad Financial Inclusion: This initiative, known as “JanDhan Yojna,” led to “more than 500 million people [having] bank accounts, which is totally zero cost.” (00:19:53, 00:21:10) B. Unified Payments Interface (UPI) Solution to Payment Friction: UPI addressed significant problems in India’s financial landscape, including limited digital transactions, high costs for credit card usage, reliance on paper receipts, and lack of “information collateral” for poor individuals seeking credit. (00:15:08, 00:16:56) Massive Adoption and Interoperability: As of March 2025, UPI recorded “more than 18 billion transactions.” (00:18:30) Over 200 banks are integrated, and it’s “totally interoperable.” A payment between a customer from Bank A and a merchant from Bank B takes “less than 10 seconds” via a QR code scan. (00:18:37, 00:18:42, 00:18:54) There is “no MDR (Merchant Discount Rate)” for most transactions, which incentivizes small vendors like vegetable sellers to adopt digital payments. (00:19:04, 00:19:15) “Every part of the country is using UPI,” demonstrating “deeper usage” even in poorer regions. (00:31:47, 00:31:52) Economic Empowerment: For retailers, UPI reduces the “cost of business” by allowing them to “service 3-4 people at a time” without handling cash and change. (00:29:21) It empowered women by ensuring that earnings from their stores went directly to their bank accounts, preventing misuse of physical cash. (00:30:13, 00:30:24) Challenging Global Monopolies: UPI has fundamentally reshaped the global payment landscape. It involves a diverse range of participants including “Visa, Mastercard, Google Pay, Phone Pay, American Express.” (00:33:45, 00:33:50) “It is not dominant by two major players,” effectively “break[ing] monopoly of private players.” (00:33:50, 00:33:58) UPI has “crossed the transaction volumes of Visa and Mastercard combined.” (00:34:14) “46% of real-time payments across the world happen out of India.” (00:34:21) Beyond the “Bottom of the Pyramid”: DPI, including UPI and EKYC, has also benefited the middle and upper-middle classes. The reduced KYC cost facilitated the opening of “more than 190 million DMAT accounts” (online stockbroking accounts) between 2016 and 2024, many for “first-time users.” (00:34:43, 00:35:08, 00:35:14, 00:35:52) This formalizes the economy and encourages savings. III. Enablers and Policy Framework Government Subsidies: An ongoing annual government subsidy of “$0.2 billion for MDR” (Merchant Discount Rate) for UPI usage is in place. This is viewed as an investment in “public railroad” or “public highway” infrastructure due to its immense “inclusion value.” (00:40:41, 00:40:54, 00:41:09) Agile Policy: The success of DPI is underpinned by “agile policies.” Examples include: The central bank’s allowance for EKYC (2012-2013). (00:45:04) An IT Act making “digital documents equivalent to offline documents” for digital locker services. (00:45:21) The RBI’s Digital Payments Committee recommending UPI. (00:45:49) Government procurement shifting to “totally digitally” platforms using UPI. (00:46:39) Leadership and Trust: The Prime Minister’s public use of UPI and foreign leaders using it in India “enhances trust in people,” creating a “virtuous cycle.” (00:47:01) Mobile-First, Low-Tech, Multilingual: The platforms are designed to be mobile-first, multilingual, and low-tech, supporting feature phones and even “offline availability.” (00:39:31, 00:39:38) Internet Penetration: Government efforts to provide “free internet” increased coverage from 25% to 48%, a “major contributor for UPI.” (00:33:11) Indigenous Development: All platforms are “indigenously made,” addressing specific Indian problems. (00:39:38) IV. Future Directions and Challenges Next Stage: Credit Enablement: With 500 million bank accounts and 1.2 billion digital identities, the focus shifts to empowering users by providing credit. (00:36:00, 00:36:26) Account Aggregator: A framework allowing individuals to consent to share their financial data between banks, mutual funds, insurance providers, etc., using the EKYC framework, to facilitate consumer and business loans. (00:36:41, 00:36:53) Open Credit Enablement Network (OCEN): This leverages the transaction data from informal vendors (e.g., vegetable sellers) who now have “information collateral” on their transaction frequency and average ticket size, making it “easier for banks to also financialize them.” (00:37:29, 00:37:35, 00:37:49) This moves DPI beyond just a base to “formalize the economy.” (00:37:49) Global Export of DPI: India aims to share its open-source DPI frameworks, including UPI APIs on GitHub, “freely to anyone around the world.” This includes cross-border payment solutions and sharing its vaccination system. (00:38:16, 00:38:34, 00:38:42) Future Open Data Platforms: The “India Stack was the beginning,” with future initiatives including digital commerce, online financial information sharing, online credit availability, digitization of health records, AI-based voice, and digital skills. (00:38:54, 00:39:04) Tech Sovereignty: India advocates for “tech sovereignty” to avoid reliance on foreign private entities that could “cut off my access” due to geopolitical tensions, as seen in the Russia-Ukraine war. The aim is to prevent private companies from engaging in “geopolitical positioning.” (00:48:14, 00:49:06, 00:49:32, 00:49:45) Fraud and Cybersecurity: With massive scale, the system faces “more than a million cyberattacks” annually, including those from state and non-state actors. (00:51:38, 00:51:49, 00:51:53) Common frauds include “digital arrest” scams using AI-based voice to demand UPI transfers. (00:53:00, 00:53:07) RBI is implementing measures like mandating brokers to use “authenticated UPI IDs,” displaying the recipient’s name before transfer, and nudging users not to pay while on a call. (00:55:54, 00:56:03, 00:56:10) The direct debit nature of UPI makes reversing fraudulent transactions difficult once money is transferred. (00:54:47) Ongoing efforts include public advisories and potential future escrow services. (00:53:23, 00:57:00) V. Conclusion

India’s DPI journey, marked by the success of Aadhaar and UPI, demonstrates a powerful model for digital inclusion and economic formalization in a democratic context. By leveraging agile policy-making, strategic government investment, and open-source technology, India has built a robust digital public good that empowers its citizens and offers significant lessons for the Global South. The ongoing challenge lies in mitigating fraud and expanding the system to foster greater financial empowerment through credit, while maintaining technological sovereignty.

For more details, including the slides,  meeting recording and transcript, please see our wiki 2025-06-26 Aakash Guglani & Enhancing Trust using Digital public Infrastructure (DPI) – Home – Confluence

https://www.linkedin.com/in/aakashguglani/ https://digitalindiafoundation.org/

The post ToIP EGWG 2025-06-26: Aakash Guglani, Enhancing Trust using Digital Public Infrastructure (DPI) appeared first on Trust Over IP.

We’re excited to announce that Human Colossus Foundation (HCF) will participate in GC25: Global Digital Collaboration on Wallets & Credentials, taking place on July 2, 2025. This important event, hosted by the Swiss Confederation, brings together leading organizations and innovators to shape the future of digital wallets, credentials, and interoperable identity systems.

At HCF, we believe that empowering individuals to control their own digital space is foundational to building a sustainable and trustworthy digital society. This vision is captured in our ongoing work around the concept of the Digital Self, as discussed in our blog post Self Actioning System, a preferred systematic embodiment of “Digital Self”. Central to this idea is the belief that enabling global digital collaboration can only emerge when individuals have sovereignty over their credentials and interactions.

HCF on Governance in Digital Trade

As part of GC25, HCF will also participate in the panel discussion "Governance in Digital Trade – Decentralization as Response to Challenges in a Multi-Polar World." moderated by Stephan Wolf from the Verifiable.Trade Foundation and including the Digital Governance Institute, FIWARE, and the Asia PKI Consortium, we will bring forward the necessity of a digital governance able to consider the sovreignty of peer-to-peer connections in a multi-polar world.

The world is changing rapidly, placing supply chains and financial systems under increasing pressure. In a multi-polar landscape shaped by shifting tariffs and transformative AI, flexibility and speed have become essential. Digitalisation and open networks provide a clear path to inclusive global market participation. However, governance remains a largely overlooked but crucial topic.

This session will explore current initiatives but also deal with challenging questions. By examining these questions from different perspectives, the panel aims to bridge public and private demand to address the complexities of modern global trade.

HCF will contribute its perspective on how decentralized governance models, such as those enabled by the Dynamic Data Economy, can empower organizations and individuals alike.

Digital Self: Enabling Individual Agency

The Digital Self represents a shift from centralized data control to individual empowerment, allowing each person to define, manage, and protect their digital identity and data assets. Events like GC25 are critical because they convene diverse stakeholders to co-create frameworks and standards that make this shift possible — from verifiable credentials to interoperable wallets.

Introducing the Dynamic Data Economy

HCF is contributing to this discussion through the introduction of the Dynamic Data Economy (DDE), a groundbreaking approach outlined in our launch announcement. The DDE offers an infrastructure where data is not merely a static asset but a dynamic, contextual element that individuals can control and share on their terms.

This model supports privacy, promotes innovation, and opens the door to new economic models centered around consent and transparency — all essential ingredients for a human-centric digital future.

Looking Ahead

Our participation in GC25 aligns with our mission to advance data governance standards that prioritize individual autonomy. By collaborating with global leaders at this event, we aim to further the conversation on building infrastructures that respect and reinforce the Digital Self.

We invite all who share this vision to join us in exploring how we can collectively build a more equitable, dynamic, and user-controlled digital ecosystem.

Stay tuned for more updates from GC25 and beyond!

Dashlane lets you open an account with a FIDO2-spec USB security key as your authentication.

One of the better-known password managers is now inviting people to try it without having to create yet another password. Instead, Dashlane is now inviting people to try opening a new account secured only by a USB security key compliant with the “FIDO2” authentication standard; FIDO being short for Fast Identity Online.

Emphasize “try.” The company’s support page for this “early access” program notes that it supports only Google Chrome and Microsoft Edge, not Dashlane’s mobile apps. For now, it doesn’t let you create an account secured only by a passkey, the form of FIDO2 security more people use. 

The page also highlights a warning that this is an early-days exercise: “Important: Accounts created as part of the early access program are for testing purposes only. We recommend using your primary Dashlane account to store and manage your data.”

For all of us who hate passwords, passkeys represent a simpler and safer way of authenticating online accounts. But adoption has been slow, with many companies and websites still relying on passwords. Now the world’s biggest social media platform is jumping on the bandwagon.

On Wednesday, Facebook announced that it’s now rolling out support for passkeys on mobile devices. This means you’ll be able to use one to sign in to Facebook on an iPhone or Android device. But the passkey won’t be limited to your actual Facebook account.

Andrew Shikiar, Executive Director and CEO of the FIDO Alliance, joins us to discuss the shift from passwords to passkeys and the role of FIDO in driving secure, passwordless authentication. He explores the challenges of adoption, the importance of identity verification, and how cross-platform interoperability is accelerating passkey use. The conversation also touches on the impact of generative AI on cybersecurity and what the future holds for passkeys in building long-term resilience.

Apple this week provided a glimpse into a feature that solves one of the biggest drawbacks of passkeys, the industry-wide standard for website and app authentication that isn’t susceptible to credential phishing and other attacks targeting passwords.

The import/export feature, which Apple demonstrated at this week’s Worldwide Developers Conference, will be available in the next major releases of iOS, macOS, iPadOS, and visionOS. It aims to solve one of the biggest shortcomings of passkeys as they have existed to date. Passkeys created on one operating system or credential manager are largely bound to those environments. A passkey created on a Mac, for instance, can sync easily enough with other Apple devices connected to the same iCloud account. Transferring them to a Windows device or even a dedicated credential manager installed on the same Apple device has been impossible.

A recent LF Decentralized Trust (LFDT) webinar highlighted a significant advancement in self-sovereign identity (SSI) infrastructure: the release of a new plugin enabling integration between Hedera and the ACA-Py framework. This plugin, developed by DSR Corporation, has been open sourced under the OpenWallet Foundation and extends ACA-Py with support for the Hedera network. Complementing this, a new Python SDK, now part of the LFDT-hosted Hiero project, provides developers with tools to manage Decentralized Identifiers (DIDs) and Hyperledger AnonCreds Verifiable Credentials on Hedera using the Hedera Consensus Service. Together, these contributions—spanning both the OpenWallet and Hiero ecosystems—anchor critical identity metadata to Hedera’s high-throughput, public distributed ledger and expand the reach of open source digital identity tooling.

Whitepaper on AI Supply Chain Risks and Agentic Systems Workstream Strengthen the Coalition's Impact on Secure AI Development

Boston, MA 26 June 2025 – The Coalition for Secure AI (CoSAI), an OASIS Open Project dedicated to advancing AI security, proudly welcomes Palo Alto Networks and Snyk as Premier Sponsors. Their commitment reinforces CoSAI’s rapidly expanding network of 45 partner organizations united in the mission to advance secure and trustworthy AI. This growth comes as CoSAI deepens its technical leadership with the release of a whitepaper focused on securing the AI software supply chain and the launch of a dedicated workstream on secure agentic system design, addressing the security implications of increasingly autonomous AI systems.

Expanding Industry Support

“Securing AI is one of the most urgent challenges facing the industry today,” said Sam Kaplan, Assistant General Counsel for Public Policy & Government Affairs, Palo Alto Networks. “By joining CoSAI, Palo Alto Networks is proud to support open collaboration that empowers developers to embed security from the start.”

Manoj Nair, Chief Innovation Officer, Snyk, added, “As AI transforms the cybersecurity landscape, proactive security standards are essential. Snyk is excited to contribute to CoSAI’s growing efforts to develop practical, open tools for safer AI adoption.”

Palo Alto Networks and Snyk join CoSAI’s distinguished group of Premier Sponsors – including EY, Google, IBM, Microsoft, NVIDIA, PayPal, Protect AI, Trend Micro, and Zscaler – united in accelerating the development of secure and responsible AI across industries.

New Landscape Paper: Addressing Security Risks in the AI Supply Chain

CoSAI’s first landscape paper, Establish Risks and Controls for the AI Supply Chain, explored further in our blog post, was developed through cross-sector collaboration to help teams integrate security at every stage of the AI system lifecycle, from design to deployment. Published by CoSAI’s Workstream 1: Software Supply Chain Security for AI Systems, the paper examines the unique supply chain security risks of AI systems, focusing on data, infrastructure, applications, and models, and highlights the need for specialized safeguards beyond traditional security practices. It also outlines key vulnerabilities, roles across stakeholder groups, and evaluates existing frameworks like SAIF, MITRE ATLAS, and OWASP AI Exchange to identify gaps and guide a more resilient, secure AI development lifecycle.

“This landscape paper is a significant step forward in AI security, offering comprehensive risk overview and practical protection strategies,” said Matt Maloney, Manager of Technical Staff at Cohere and CoSAI Workstream 1 Lead. “It’s an important resource mapping supply chain risks and highlighting where traditional controls fall short,” added Andre Elizondo, Principal Solutions Engineer at Wiz and CoSAI Workstream 1 Lead. Both emphasized the paper’s evolution alongside emerging AI agent technologies.

Introducing a New Workstream on Secure Agentic System Design

To address the growing need for secure-by-design approaches to autonomous AI, CoSAI has launched Workstream 4: Secure Design Patterns for Agentic Systems. This new track focuses on developing security models and architectural guidance for agentic systems, including updates to AI threat modeling, secure infrastructure design, and cross-system integration.

The addition of Workstream 4 complements CoSAI’s three existing workstreams:

Workstream 1: Software Supply Chain Security for AI Systems Workstream 2: Preparing Defenders for a Changing Cybersecurity Landscape Workstream 3: AI Security Risk Governance

“The launch of a workstream focused on Secure Agentic System Design reinforces CoSAI’s commitment to addressing the growing complexity of AI-driven autonomous systems,” said Workstream 4 Leads Sarah Novotny, Independent Consultant, and Ian Molloy, Department Head, Securing AI, IBM Research. “As agentic systems become more capable and pervasive, it becomes critical to ensure they are built on a foundation of security, transparency, and accountability.”

Get Involved 

CoSAI welcomes technical contributors, researchers, and organizations to participate in its open source community and support its ongoing work. OASIS welcomes additional sponsorship support from companies involved in this space. Contact join@oasis-open.org for more information.

Media Inquiries: communications@oasis-open.org

The post Coalition for Secure AI Welcomes Palo Alto Networks and Snyk, Advances AI Security with New Publication and Workstream appeared first on OASIS Open.

The FIDO Alliance hosted its annual India Working Group (FIWG) Member Meetup & Workshop on June 6, 2025, at Google’s Ananta campus in Bengaluru. With over 100 attendees representing leading technology companies, financial service providers, telecom operators, government agencies, retailers, and platform providers, the event served as an important forum for advancing phishing-resistant, passwordless authentication efforts in India.

The program began with welcome remarks from FIWG Chair Niharika Arora (Google) and Vice Chair Tapesh Bhatnagar (G+D), followed by a keynote address from FIDO Alliance President Sam Srinivas. Sam’s session offered a forward-looking overview of the global FIDO roadmap, covering recent progress in passkey adoption, certification, and platform interoperability, highlighted by many attendees as one of the most valuable sessions of the day.

Throughout the morning, FIWG member organizations shared implementation case studies drawn from real-world deployments. Christopher Clement Soris of Zoho Corporation presented lessons from integrating passkeys into enterprise workflows, emphasizing developer enablement and user trust. Vishu Gupta, Piyush Ranjan, and Deepak Singal of Times Internet shared insights into their journey deploying passkeys across consumer media platforms, with a focus on UX challenges and account recovery design. Shantanu Shirke of Mastercard showcased its Global Financial Framework (GFF) through a live demo of its FIDO-enabled authentication solution, and Simon Trac Do of VinCSS introduced applications of the FIDO Device Onboard (FDO) protocol for secure and scalable onboarding of IoT devices.

The Google Android and Chrome teams, including Niharika Arora, Eiji Kitamura, and Neelansh Sahai, provided updates on platform support for passkeys, highlighting recent enhancements to Android APIs, Chrome UX flows, and best practices for relying parties. These updates offered implementers concrete guidance on leveraging native OS features to enable seamless, secure sign-ins.

The event concluded with a panel discussion titled “Modern Authentication Meets Legacy Systems,” moderated by Niharika Arora and featuring Amit Mathur (Ensurity), Rooparsh Kalia (Mercari), Rahul Dani (Yubico), Tom Sheffield (Target), and Sam Srinivas (Google). The discussion addressed practical challenges in deploying FIDO-based authentication in environments with legacy infrastructure, including backward compatibility, account recovery, and risk trade-offs. Panelists shared candid reflections and emphasized the importance of phased integration strategies and cross-industry collaboration.

Compared to the 2024 edition, this year’s workshop reflected a clear evolution, from awareness-building to implementation maturity. While last year’s focus was largely on introducing the promise of passkeys and FIDO standards, the 2025 program emphasized operational insights, technical execution, and collaborative solutions.

[Watch the Highlight Video]

Through post-event surveys, participants expressed strong appreciation for the event’s practical focus, noting the value of detailed case studies, direct access to platform teams, and the opportunity to connect with peers tackling similar challenges. Many described the in-person format as especially effective for fostering shared understanding and building momentum.

As passkey adoption continues to accelerate across India, the India Working Group remains a vital platform for aligning implementation efforts, exchanging knowledge, and enabling long-term deployment success. Sincere thanks to all speakers, panelists, and attendees for their contributions, and to Google for hosting us in Bengaluru. We look forward to continuing this important work together throughout 2025 and beyond.
*Read last year’s recap: 2024 FIDO Alliance India Working Group Meetup and Workshop

The post South Florida Leaders Gather to Explore the Future of Learning, Hiring, and Innovation appeared first on Velocity.

Apple has announced significant enhancements to its operating systems that will implement secure import and export capabilities for passkeys, building on the company’s ongoing efforts to eliminate traditional passwords. The new features match standards developed by the FIDO Alliance for cross-platform credential management, joining similar initiatives from Microsoft and Google in the push toward passwordless authentication.

The new implementation will enable seamless and secure transfer of passkeys across platforms, addressing previous limitations in transferring credentials between devices and applications. The system uses a standardized data schema developed by the FIDO Alliance to ensure compatibility between different credential manager apps across iOS, iPadOS, macOS, and visionOS 26. The standardization is particularly significant as password-based attacks continue to rise, pushing the industry toward more secure authentication methods.

Passwordless authentication has picked up in recent years. But the method drawing the most interest in security circles is physical security keys based on the FIDO2 standard.

These USB or NFC keys offer something beyond the usual passwordless methods, like synced device passkeys or biometric logins. Here, you’re not relying on cloud-stored credentials or browser memory. Instead, everything depends on holding the key and verifying it with something only you know, like a PIN or fingerprint.

This shift to hardware security keys is gaining momentum across industries. Dashlane, for instance, has just rolled out an update that enables users to make a FIDO2 key their main passwordless login for unlocking credential vaults.

In this article, we explore where passwordless authentication stands today, what makes physical keys different, and how platforms are handling the hard parts like recovery, usability, and long-term security.

Confused by the new regulations and a patchwork of state-level policies?

With a new administration setting fresh policy priorities, supply chains are facing shifting rules and growing pressure to adapt.

Maggie Lyons, Vice President of Government and Regulatory Affairs at GS1 US, joins hosts Reid Jackson and Liz Sertl to decode the changes affecting how products are made, moved, and sold, and what businesses can do to stay ahead. From SNAP waivers and red dye bans to extended producer responsibility (EPR) laws and 2D barcodes, this episode breaks down how government decisions are impacting daily operations across food, retail, and consumer packaged goods (CPG).

Maggie’s team works with policymakers and industry leaders to align mandates with existing systems, helping avoid duplication and enabling efficient, standards-based implementation.

In this episode, you’ll learn:

How state-level regulation is influencing national supply chain strategies

Why new ingredient bans could create a ripple effect across CPG brands

What you can do to stay ahead of policy changes impacting your industry

Jump into the conversation:

(00:00) Introducing Next Level Supply Chain

(02:07) Why GS1 built a policy team

(04:02) From Capitol Hill to CPG strategy

(06:34) Staying focused amid constant regulatory shifts

(08:48) Government agencies shaping supply chain standards

(10:38) Customs, tariffs, and food assistance priorities

(14:59) How SNAP waivers complicate retail operations

(17:57) What red dye bans mean next

 

Connect with GS1 US:

Our website - www.gs1us.org

GS1 US on LinkedIn

 

Connect with the guest:

Maggie Lyons on LinkedIn

For modern IT or Internet users, logging in to a website or app using a password is all too familiar. Increasingly, however, passwords create security concerns as they can be easily cracked or stolen. This is where passwordless authentication provides a more secure and convenient alternative.

“Password fatigue is real. Users demand faster, frictionless ways to authenticate without remembering complex strings,” said Edwardcher Monreal, Principal Solutions Architect for IAM Consumer Authentication Solutions at HID.

Kia ora,

Matariki is a time for remembrance, celebration, and looking toward the future. Traditionally, Matariki was a time to honour ancestors, celebrate the harvest, and acknowledge the changing seasons.

Today, we stand at a pivotal moment where two transformative technologies – digital identity and artificial intelligence – are reshaping the fabric of society.  As the marginal cost of knowledge approaches zero, decentralised systems offer abundance creation through co-operation, as opposed to sticking with a more traditional scarcity-based approach. 

For DINZ members, the adoption playbook demands conscious choices: about focus, trade-offs, standards, and sovereignty. As local momentum builds around the world’s first decentralised credential identity ecosystem, the question is no longer whether disruption will occur – but how we collectively shape it, and who it serves. Perhaps Moby put it best in his 2002 song “We are all made of stars.”

It is hard to believe we are still using multi-password sign-on and facsimiles of identity proofs in an era where nearly everything we do is online. For those frustrated by the pace of change, it is important to remember we’re building a system for 30 years, of which the past five years has been very much design and build. The next five years will be about driving adoption.

With a tsunami of digital credentials hitting global markets, the race to be “first to issue” DISTF accredited credentials is on!  At the starting line are the DIA, NZTA, Air NZ, Hospitality NZ, alongside other go-to-market models such as Apple and Google’s online proxies.

Techweek Highlights

Those fortunate enough to attend Digital Public Infrastructure: The Invisible Foundation for NZ’s Digital Future in the General Assembly room in Parliament would have heard Minister Collins deliver the powerful message that “digital identity is the key to unlocking productivity in New Zealand.” 

The Minister’s call to action was compelling, raising the question of whether centralised apps are the answer for a citizen-centric experience at this particular technology inflection point still open for debate.

It is encouraging to see a shared understanding that the implementation of digital public infrastructure (DPI) will provide New Zealanders with an inclusive, future-ready trust layer that enhances privacy, security, provenance and fraud prevention, while preserving Aotearoa’s economic sovereignty. 

What’s more, an interoperable decentralised identity ecosystem will support the profound productivity improvements presented by hyperscale AI, without diminishing human agency by moving our data (and your soul) into someone else’s “cloud”.

Digital Trust Hui Taumata – Update

We have secured the world’s foremost native digital credential architect and builder James Monaghan to deliver the international keynote and host roundtable discussions at the Digital Trust Hui at Te Papa on 12 August, 2025.  

This must-attend identity conference promises to be more “Doey” than Hui. Our valued sponsors will showcase the most exciting identity projects in this space, and show how accelerating adoption of Trust Technology can help mitigate concerns around AI-related risks.

Roundtable discussions are currently being shaped around four key focus areas:

Regulatory barriers to change (public policy enablers such as omnibus bills to allow digital identity implementation) Identity for natural persons (early adopters, Privacy and taking control, proof of age, everyday applications, online verification, ID assurance hierarchy) Identity for legal entities (identity as a service, AML, license to operate, compliance, monitoring, directory enabled and real world asset marketplaces) Identity for machines (delegation, reputation, agents, bots, agentic commerce)

Assuming sufficient interest from government and industry sponsors, we plan to arrange an ecosystem design workshop with James Monaghan while he is in Wellington.

The Census Goes Digital: A Shift Towards Data-Driven Public Infrastructure

Stats NZ has officially retired the traditional census, opting instead for a new approach that leverages integrated administrative data. This marks a significant shift in how the government collects and uses trusted digital information – reinforcing the need for secure, privacy-preserving identity systems to ensure accuracy, inclusion, and transparency. It’s a timely reminder of the critical role digital identity plays in building smarter, citizen-centric public services. Read the full RNZ article.

Welcome to Our New Chair – Maria Robertson

Please join me in welcoming Maria Robertson as the new Chair of DINZ. You can read her introductory statement to the DINZ community on our website.

As we reset the DINZ playbook and hone our focus to accelerate adoption, Maria has already started to elevate our thinking thanks to her extensive experience across the public service, infrastructure and secondary industries.

Suffice to say, the first few weeks have been a baptism by fire, but I’m thoroughly enjoying being back in the identity services world at such a pivotal time. Your feedback is encouraged as we strive to fan the flames of adoption by issuers, holders and relying parties for the empowerment of all New Zealanders.

Mānawatia a Matariki,

Andy Higgs
Executive Director, Digital Identity NZ

Read full news here: Ready…Reset…Go!

SUBSCRIBE FOR MORE

The post Ready…Reset…Go! appeared first on Digital Identity New Zealand.

DIF Labs Beta Cohort 2 officially kicks off tomorrow, June 24th at 8 AM PST! This cohort brings together three projects that will advance privacy, legal frameworks, and governance in verifiable credentials.

Meet Our Beta Cohort 2 Projects Legally-Binding Proof of Personhood for Verifiable Credentials via QES

Led by Jon Bauer and Roberto Carvajal

This project creates a standardized method to anchor Verifiable Credentials to legally recognized, high-assurance proof of an individual's identity through Qualified Electronic Signatures (QES). By leveraging eIDAS-recognized QES technology, this work will enable any W3C Verifiable Credential to carry the same legal weight as a handwritten signature.

labs/proposals/beta-cohort-2-2025/legallybinding-vcs/legallybinding-vcs.md at main · decentralized-identity/labs An incubation chamber for Decentralized Identity focused development - decentralized-identity/labs GitHubdecentralized-identity Privacy-Preserving Revocation Mechanism

Led by Kai Otsuki and Ken Watanabe

This research project delivers an analysis of privacy-preserving revocation mechanisms for W3C Verifiable Credentials. The team will catalog real-world revocation scenarios, benchmark cryptographic mechanisms including status lists, dynamic accumulators, zk-SNARK proofs, and short-term credentials, and provide an open-source prototype evaluating computational costs for Issuers, Holders, and Verifiers.

labs/proposals/beta-cohort-2-2025/pp-revocation-mechanism/001_proposal.md at main · decentralized-identity/labs An incubation chamber for Decentralized Identity focused development - decentralized-identity/labs GitHubdecentralized-identity Anonymous Multi-Signature Verifiable Credentials

Led by Seohee Park and Lukas Han

This protocol enables Verifiable Credential issuance that requires m-of-n multi-signature approval while maintaining anonymity of individual signers. Using Semaphore, it enables decentralized governance for VC issuance in organizations such as DAOs or government agencies, cryptographically proving sufficient participation without revealing participating member identities.

labs/proposals/beta-cohort-2-2025/anon-multi-sig-vc/anon_multi_sig_vc_proposal.md at main · decentralized-identity/labs An incubation chamber for Decentralized Identity focused development - decentralized-identity/labs GitHubdecentralized-identity Gratitude to Our Leadership Team

We extend our thanks to our project leads who will be driving these initiatives forward. Their expertise is essential to advancing the state of verifiable credentials technology.

We're grateful to our mentors who share their knowledge and experience with our cohort participants. You can learn more about our mentor network in our directory.

Recognition goes to our chairs who provide strategic guidance and oversight:

Andor Kesselman Ankur Banerjee Daniel Thompson-Yvetot What's Next?

Tomorrow's kick-off session will bring together all participants to align on project goals, establish collaboration frameworks, and set the stage for three months of research and development. These projects address challenges in legal compliance, privacy preservation, and decentralized governance.

Stay tuned for updates as Beta Cohort 2 progresses.

DIF Labs continues to foster innovation in decentralized identity through collaborative research projects. Learn more about Lab's work at labs.identity.foundation.

As Hyperledger Foundation laid out in the Helping a Community Grow by Pruning Inactive Projectspost, there is an important life cycle to well governed open source projects. Through the evolution of the market, Hyperledger Foundation and, now, LF Decentralized Trust has been the home to a growing ecosystem of blockchain, identity, and related projects. 

As the new Chair of the Executive Council of Digital Identity NZ, I am looking forward to leading a passionate and future-focused community working to build a trusted, inclusive, and interoperable digital identity ecosystem for New Zealand, building on the impressive work the Executive Council has done over the past few years . 

With a background in executive leadership across public service and advisory roles I have advocated for and delivered the transformative potential of digital identity as public infrastructure. Whether enabling seamless access to services, supporting mobility and consent, or underlining trust in our digital economy, identity – in all of its forms – is foundational to a modern, resilient society. 

DINZ plays a crucial convening role across government, iwi, industry, and civil society. As Chair, my focus is to champion practical progress: supporting policy and technical frameworks that uphold te ao Māori perspectives on identity, ensuring identity solutions reflect the needs of all New Zealanders, and advocating for interoperability that positions us as globally connected and locally grounded.

Our mission is urgent and clear: to enable every person in Aotearoa to participate safely and confidently in the digital world. I look forward to working with all our members to realise that vision.

Maria Robertson.

The post Introductory Statement – Chair of the Executive Council, Digital Identity NZ appeared first on Digital Identity New Zealand.

Source: Original LF Decentralized Trust post

Wenjing Chu, Chair of the AI and Human Trust Working Group at Trust over IP, an LF Decentralized Trust project | Jun 12, 2025

In a world where AI can create photos, videos, and even voices that look and sound real, how do we know what to trust?

Every day, more content we see online is generated or altered by AI. That’s not always a bad thing. AI can help us create amazing art, get work done faster, or imagine new possibilities. But it also opens the door to misinformation, impersonation, and confusion. When anyone can create content that looks authentic, how do we tell what’s actually real?

To enhance human trust in AI systems and explore how AI itself can be used to address complex trust challenges in digital ecosystems, Trust over IP (ToIP), a project of LF Foundation Decentralized Trust, has launched a new AI and Human Trust (AIM) Working Group. It builds on the work done over the past three years by ToIP’s AIM task force.

The recently released white paper from the working group, ToIP Trust Spanning Protocol (TSP): Strengthening Trust in Human and AI Interactions, offers a way forward for building, maintaining and verifying interactions involving AI technologies. It brings together three powerful tools, the Trust Spanning Protocol (TSP)1, the C2PA Specification2, and the work of the Creator Assertion Working Group (CAWG)3, to build a system of authenticity for the digital world.

The key components include:

TSP (Trust Spanning Protocol) provides a strong foundation for online trust between people, platforms, and tools—making sure that when something claims to come from someone, it actually does. (The “Connector”) The C2PA Specification is a growing standard that helps attach a digital “nutrition label” to content—showing when it was made, how it was edited, and by what capture devices or software. (The “How” and the “What”) CAWG (Creator Assertion Working Group at DIF) focuses on making sure that individual and organizational content creators can identify themselves with their content and provide additional information for their audience to understand their content. (The “Who”)

Why do we need all three? Because content authenticity isn’t just about how something is created. It’s also about who made it, and how it gets communicated through public networks while retaining the integrity of actions made to it. C2PA gives us technical metadata about tools and edits. CAWG ensures the human creator is identified and attributed. And TSP makes the entire chain, from camera or AI tool to multiple individual human collaborators to final distribution platform, trustworthy at every step. Together, they provide a complete system covering creation, collaboration, and distribution.

All put together, these can help us answer the most important question about this digital artifact: Can I trust this?

This isn’t just a technical fix. It’s a new way to think about digital truth. And the paper lays out a path toward a future where users can more confidently trust the source and actions made to digital content in a way that’s accountable, verifiable, and respectful of creators.

Read the full white paper here.

We invite technologists, developers, artists, policy makers, and everyday internet users to take a look. It’s about restoring trust in a world where AI has blurred the lines of what is real and what is artificially generated.

1. Trust Spanning Protocol (TSP) is an ongoing work by Trust over IP (ToIP), a project of LFDT: https://trustoverip.github.io/tswg-tsp-specification
2. The C2PA Specification is an ongoing work by The Coalition for Content Provenance and Authenticity (C2PA): https://c2pa.org/specifications/specifications/2.2/index.html
3. The Creator Assertions Working Group (CAWG) is a joint effort by the Decentralized Identity Foundation (DIF) and ToIP. See https://cawg.io

__

Want to dive deeper into ToIP’s work on verifying authenticity? Check out this LF Decentralized Trust Webinar: Verifiable Authenticity—Answering the Threat of AI Deep Fakes

The post How Can We Trust What We See Online? Here’s One Way Forward appeared first on Trust Over IP.

On the ProjectVRM list, John Wunderlich shared a find that makes clear how advanced and widespread  AI-based shopping recommendation has gone so far (and not just with ChatGPT and Amazon). Here it is: Envisioning Recommendations on an LLM-Based Agent Platform: Can LLM-based agents take recommender systems to the next level?

It’s by Jizhi Zhang, Keqin Bao, Wenjie Wang, Yang Zhang, Wentao Shi, Wanhong Xu, Fuli Feng, and Tat-Seng Chua* and is published in the Artificial Intelligence and Machine Learning section of Research and Advances in Communications of the ACM. So it’s serious stuff.

Here’s one graphic from the piece, with its caption:

Illustration of the Rec4Agentverse. The left side depicts three roles in the RecAgentverse: the user, the Agent Recommender, and Item Agents, along with their interconnected relationships. In contrast to traditional recommender systems, the Rec4Agentverse has more intimate relationships among the three roles. For instance, there are multi-round interactions between 1) users and Item Agents and 2) the Agent Recommender and Item Agents. The right side demonstrates how the Agent Recommender can collaborate with Item Agents to affect the information flow of users and offer personalized information services.

With VRM, however, we need our own personal AI agents, and useful data that’s not limited to what’s gathered by surveillance (which we can assume is most if not all of the Information layer). So I started a conversation with ChatGPT. I’ll divide it into sections: Who wrote the CACM piece The state of recommendation science Who is working on personal AI How one can get started Forms of personal data to manage

There’s a lot here. The meat of it, for ProjectVRM purposes, starts in section 3. (The first two are more about what we’re up against.) Please read the whole thing and help us think through where to go with the challenge facing us. As we see in section 3, we do have some stuff on our side.

1. Who wrote the CACM piece Me: Can you tell me more about the authors here: https://cacm.acm.org/research/envisioning-recommendations-on-an-llm-based-agent-platform/? ChatGPT:

 Jizhi Zhang

Affiliation: University of Science and Technology of China (USTC), Data Science Lab (inferred from USTC page) cacm.acm.org+14data-science.ustc.edu.cn+14x.com+14.
Research Interests: Recommendation systems, LLM-based agent platforms, and interactive intelligent systems—his lead authorship and continued work on Prospect Personalized Recommendation on LLM-Based Agent Platform (arXiv Feb 2024) reinforce this arxiv.org.

 Keqin Bao, Wenjie Wang, Yang Zhang, Wentao Shi, Fuli Feng, Tat‑Seng Chua

Affiliations: While CACM doesn’t list this, Jizhi Zhang and Fuli Feng are part of USTC’s Data Science Lab; Tat‑Seng Chua is a distinguished researcher from the National University of Singapore known for multimedia and information retrieval.
Expertise: A mix of recommender system design, LLM-agent evaluation, multimedia analysis, and human-AI interaction—reflecting a blend of USTC’s strengths and CACM relevance data-science.ustc.edu.cn+8cacm.acm.org+8data-science.ustc.edu.cn+8linkedin.com+4arxiv.org+4researchgate.net+4.

 Wanhong Xu

Affiliation: USTC Data Science Lab (USTC LDS), contributor to the same article .
Role: Emerging researcher whose latest publication is this Rec4Agentverse article, indicating an early-career focus in LLM-based recommender systems linkedin.com+8data-science.ustc.edu.cn+8linkedin.com+8.

Broader Context & Contributions

The group operates at the intersection of Large Language Models, agent-oriented systems, and recommender systems, pioneering a Rec4Agentverse paradigm that treats LLM-powered agents as “recommendable” items collaborating with one another—an evolution of traditional recommendation frameworkscacm.acm.org+5cacm.acm.org+5cacm.acm.org+5.
Their work continues earlier research (e.g., Prospect Personalized Recommendation… in Feb 2024), solidifying their ongoing commitment to expanding intelligent, conversational recommendation platforms arxiv.org.

Why This Matters

Academic Thought Leadership: Jizhi Zhang and colleagues are pushing forward thinking about how recommendations can evolve when agents—not passive items—are central.
Institutional Backing: All deeply connected to USTC’s Data Science Lab, underscoring strong Chinese academic investment in AI-driven recommender innovation.
Collaborative Reach: Including scholars like Tat‑Seng Chua broadens the research to include international perspectives in multimedia and retrieval systems.

In summary: This team is a multidisciplinary cohort—centered at USTC with international collaboration—who are pioneering the idea that LLM agents can become interactive, dynamic items in recommender systems. Their work positions them at the forefront of intelligent agent systems and could reshape how platforms personalize experiences in the future.

If you’re curious about any individual’s past publications, citation impact, or related work (e.g., on Agent4Rec), I’d be happy to dive deeper!

 

3. The state of recommendation science

Me:

How large is the emerging science, within the AI field, of recommendations?

ChatGPT:

The science of recommendations, particularly within the AI field, is not just emerging—it’s a massive, rapidly evolving subfield that is both academically rich and commercially dominant. That said, it’s also entering a new phase, driven by the rise of large language models (LLMs), interactive agents, and multimodal platforms.

Academic Scope 1. Established Field: Recommender Systems

Recommender systems (RecSys) are a well-developed domain within AI and machine learning, with roots in the 1990s.
Annual conferences like:
ACM RecSys (since 2007)
SIGIR, KDD, WSDM, and NeurIPS regularly feature recommendation research.
Thousands of papers annually on topics like:
Collaborative filtering
Matrix/tensor factorization
Deep learning for recommendation
Fairness, transparency, and explainability in RecSys
Reinforcement learning and bandit algorithms for personalization

As of 2024, over 60,000 papers in academic databases (e.g., Google Scholar) are tagged or indexed under “recommender systems”.

Current Trends & Expanding Frontiers 2. LLMs + Recommendation = New Subfield

A major shift is underway: integrating Large Language Models (LLMs) into recommendation systems.
These go beyond “you may also like” to:
Use natural language context and dialogue
Generate explanations, not just rankings
Support conversational recommendation
Coordinate agent ecosystems, e.g., multi-agent reasoning environments

Example paradigms:

RecMind – reasoning-aware recommendation agents
Rec4Agentverse – treating agents as recommendable entities
ChatRecs – integrating LLMs into live user conversations

3. Multimodal & Multitask Integration

Systems increasingly blend text, image, video, behavior, and user feedback.
LLMs allow richer personalization using complex user intent derived from unstructured data.

4. Industry Investment

FAANG companies (especially YouTube, Netflix, Amazon, TikTok, and Spotify) base their core user experience on AI-driven recommendation.
Billions of dollars are spent optimizing:
Ranking quality
Engagement prediction
Real-time inference
Federated and privacy-preserving personalization

Estimate of Scope

Area

Estimate (2024–25)

Academic papers (RecSys + AI)

60,000+ overall; thousands per year

Top conferences with recommender tracks

20+ (ACM RecSys, SIGIR, KDD, NeurIPS, etc.)

Active researchers

Tens of thousands globally

Emerging subfields

LLM-based Rec, conversational Rec, agent-based Rec, explainable Rec

Industry scale

$10B+ annually invested in personalization tech

In Summary

The science of recommendation is:

Not new, but rapidly evolving
Core to AI applications, especially with LLMs and agents
One of the most commercially and socially impactful domains in modern AI
Growing into new subfields (e.g. Rec4Agentverse, LLM Rec, multi-agent Rec)

Let me know if you’d like a visual map of how the recommendation science ecosystem is structured—or who the top authors and institutions are in this space

3. Who is working on personal AI Me: And who, if anyone, is working to provide customers with their own personal AI tools: ones that work for them, to empower their own agency in the marketplace? By which I mean truly personal AI, and not the kind personalized by some external LLM (or similar) system. ChatGPT:

That’s an essential and forward-looking question—especially as most “AI for you” today really means “AI about you, for someone else.”

While Big Tech firms dominate personalized AI, a growing ecosystem is focused on truly personal AI—that is, AI you own, that works for you (not advertisers or platforms), and that enhances your agency in the marketplace and your life.

Here are the most notable people, projects, and initiatives advancing truly personal AI today:

1. Kwaai and pAI-OS (South Africa / Global)

Kwaai is building an open-source, user-sovereign personal AI OS called pAI-OS.
Designed to run locally or at user discretion, with full data ownership, modular agent systems, and plugin capability.
Aligns with IEEE P7012 (“MyTerms”) privacy standards (see below).
Actively exploring intentcasting, customer signaling, and VRM (Vendor Relationship Management).
Site: https://kwaai.ai

2. Indie AI and Personal Agent projects

Several smaller open-source initiatives are trying to build personal agent toolkits that you can host and configure:

Examples:

AutoGen Studio (Microsoft) – allows building agent workflows, some of which can be user-defined. But it’s not yet fully personal or private.
Langroid – open-source framework for local agent-based LLM systems. Designed for extensibility, can be made personal with effort.
OpenDevin, Superagent, Auto-GPT – can be self-hosted, though most are still tool-centric rather than user-centric.
Personal.ai – A commercial startup that says it is personal, but uses centralized storage and fine-tuning, so actual user control is limited.

 Reality check: Most of these still rely on external LLMs (like OpenAI or Anthropic), even if they claim to be “your AI”.

3. Solid Project (by Tim Berners-Lee)

While not AI per se, Solid is a decentralized identity and data storage architecture that allows individuals to store their own data in personal data pods.
AI tools can be layered on top to access only the data you choose to share.
Foundation for personal AI assistants that can work with your data, not on others’ clouds.
https://solidproject.org

4. IEEE P7012 – MyTerms

A standard being developed to flip the notice-and-consent regime—so individuals, not companies, dictate the terms of data use.
Backed by Customer Commons and designed to support intentcasting and personal marketplace signaling.
This enables a personal AI to serve as your agent, enforcing your terms and engaging the marketplace on your behalf.

5. Project VRM (Vendor Relationship Management)

Initiated by Doc Searls to empower customers with tools to manage vendors, not just the reverse.
Envisions personal tools (including AI) to:
Signal intent
Manage service contracts
Retain records of offers, purchases, warranties
Avoid manipulation, surveillance, and lock-in

Project VRM is not a software project per se, but a framework guiding developers to build personal tools that support individual autonomy.

6. Open-source LLM stacks for local use

Several local LLM projects can be combined with personal data layers to build truly personal AI:

LM Studio – runs local models on desktop
PrivateGPT – local inference + local documents
Ollama – macOS-native interface for fast-running models like LLaMA, Mistral
LangChain / LlamaIndex – frameworks for building RAG systems with local documents

These aren’t personal AI systems yet—but they are key ingredients.

Summary

Name / Project

What They Do

Status

Kwaai / pAI-OS

Open, personal AI OS and agent platform

Early but active

Solid

Personal data control layer

Stable; in use

IEEE P7012

Standards for user-enforced data terms

In development

Project VRM

Framework for tools that empower buyers

Thought leadership; toolkits emerging

Local AI frameworks

Tech foundations for personal AI

Available, DIY-friendly

The Gap

Despite this promising landscape, no major platform today delivers a fully integrated, easy-to-use personal AI that you own, configure, and direct—yet. But:

A personal AI revolution is underway, led by privacy advocates, open-source communities, and a few visionary developers—not Big Tech.

Would you like help putting together a DIY stack for your own personal AI toolkit based on this landscape?

Me: Can you name some of the people in the personal AI revolution, and tell me what that DIY stack would contain? ChatGPT:

Absolutely. Here’s a breakdown of key people involved in the personal AI movement, followed by a practical DIY stack you can start building today.

People Leading or Advancing the Personal AI Revolution

These individuals aren’t all working on the same projects, but they’re aligned in trying to build AI that’s owned, run, and controlled by the individual—not centralized platforms.

 Tim Berners-Lee

Project: Solid (stewarded by ODI, commercially implemented by companies including TBLs Inrupt)
Focus: Decentralized web and personal data ownership via data pods
Impact: Infrastructure for privacy-respecting personal AI agents
https://solidproject.org

 Doc Searls

Project: Project VRM, Customer Commons, IEEE P7012
Focus: Customer empowerment, intentcasting, reversing surveillance capitalism
Impact: Philosophy and standards for customer-directed personal AI
https://projectvrm.org

 Tawanda Kembo & Kwaai team

Project: pAI-OS (personal AI operating system)
Focus: Agent-centric open-source operating system for personal AI
Impact: One of the few efforts aiming to create a complete personal AI stack
https://kwaai.ai

 Simon Willison

Project: Datasette, open tools for data management
Focus: Personal data control, lightweight databases, LLM + local tooling
Impact: Key figure in the open data + local AI tooling space
https://simonwillison.net

 Brian Roemmele

Project: Multiplex (personal voice AI)
Focus: Voice-first personal assistants you run locally
Impact: Vocal advocate for true personal AI, often referencing “software you own”

A DIY Personal AI Stack (2025 Edition)

This stack assumes local-first, modular, privacy-respecting tools. You can mix and match based on your needs.

Core Components

Layer

Tools / Projects

Notes

1. OS Layer

Linux, pAI-OS (in dev)

Linux gives flexibility; pAI-OS aims to be a full personal AI OS

2. Local LLM Inference

Ollama, LM Studio, PrivateGPT, LocalAI

Run models like LLaMA 3, Mistral, Phi-3 entirely offline

3. Vector Database

Chroma, Weaviate, Milvus, or SQLite with FTS5

Store and retrieve embedded text data

4. Personal Indexing

LlamaIndex, LangChain, AutoGen, GPTPilot

Feed personal documents and data to your LLM

5. Personal Data Storage

Solid POD, Datasette, Obsidian

Your life’s data, structured and queryable

6. Personal Agent Framework

Superagent, CrewAI, Langroid, AutoGen

Design agents that act on your behalf, modular and scriptable

7. Front-end Interface

Gradio, Streamlit, Tauri app, Electron

Local GUI/UX to interact with your agent

8. Voice Interface (optional)

OpenVoice, Vosk, Whisper.cpp, Coqui TTS

Build voice-in/voice-out agent on your machine

Optional Add-ons

Offline search: Chat over your files, PDFs, photos, and emails with LlamaIndex + PrivateGPT
Calendar/notes: Sync with Obsidian or local markdown-based knowledge base
Browser agent: Auto-control browser via Puppeteer/Playwright for marketplace navigation

What’s Still Missing?

True personal OS integration (like what pAI-OS is trying to do)
Seamless data portability and contract enforcement (IEEE P7012 is working on it)
Trusted personal AI app ecosystem (some apps, like Beeper or Obsidian, are getting close)

Would you like a tailored recommendation for building a personal AI stack based on your technical skill level or use cases (e.g., journaling, research, negotiation, shopping, data querying)?

4. How can I get started? Me: Yes. My technical skill level is modest at best. I can write HTML and do very basic stuff in the command line. I have an extra laptop I can devote to solo work, and Ethernet to a 2.1GB/s symmetrical fiber connection to the Internet with no data limits. ChatGPT:

Great — with your setup (modest technical skills, spare laptop, blazing-fast fiber), you’re in an excellent position to begin building a practical personal AI system without diving too deep into complex dev work. Here’s a recommended stack tailored to your current skills and goals:

YOUR PERSONAL AI STARTER STACK (2025) 1. Platform Base

Use a Linux distribution designed for ease of use and AI tinkering:

Recommended: Pop!_OS or Ubuntu 24.04
Easy GUI, good hardware compatibility, lots of online support
Optional: Use your laptop in “air-gapped” mode for privacy and full local control

2. Run a Local LLM with LM Studio

LM Studio (macOS/Windows/Linux) lets you run LLaMA 3, Mistral, Phi-3, and others without coding.
Built-in UI — chat with models locally, no internet required after download.
You can download 7B or 13B models based on your hardware.
Best for: private journaling, summarizing files, answering questions.

 Why it’s ideal for you:

GUI-based
Just click and download models
No API keys or command-line needed once installed

3. Chat with Your Files (PrivateGPT / LlamaIndex)

PrivateGPT or GPTPilot can let you ask questions across PDFs, emails, and notes stored on your machine.
Start simple: drop files into a folder, let the AI index them.
Optionally install via Docker (one command), or use their prebuilt apps.

Use case:

“Summarize this research PDF”
“What did I write about project X last month?”
“Find the email where someone mentioned a refund”

4. Knowledge Base + Journaling with Obsidian

Obsidian = Markdown-based knowledge base.
Everything you write stays local.
You can point LM Studio to your notes to query your own memory.

Easy way to:

Keep private journals
Index your life
Ask your AI things like “What are my goals for June?”

5. Personal Data Management with Datasette

Datasette by Simon Willison lets you browse and query your own data with simple SQL and CSV files.
Feeds AI with structured personal info (purchases, inventory, plans, etc.)
You can install it with a single terminal command:
bash
CopyEdit
pip install datasette datasette serve your-data.db
datasette serve your-data.db

Combine with LM Studio to get responses like:

“What subscriptions do I need to cancel?”
“When did I last back up my photos?”

6. Optional: Browser Helper Agent (Local, Simple)

Use AutoBrowser or a simpler Puppeteer script to automate browsing tasks (like checking prices, news, account activity).
Start with prebuilt scripts. No coding needed if you copy/paste working examples.

7. Privacy Boosters

Run Tailscale or WireGuard to access your AI remotely if needed.
Use LocalAI or Ollama if you later want to run everything without GUI (more advanced).

Putting It All Together

Task

Tool

Chat privately with an AI

LM Studio

Summarize your own notes or PDFs

PrivateGPT or GPTPilot

Store and reflect on your life data

Obsidian, Datasette

Manage subscriptions and tasks

Datasette + Chat

Ask about your files or history

LlamaIndex or GPT over Obsidian notes

Use voice later (optional)

Whisper.cpp, OpenVoice (easy tools)

Next Steps (in plain order)

Install Pop!_OS or Ubuntu on your spare laptop
Install LM Studio and download a 7B model like Mistral or LLaMA 3
Start using it to answer personal questions and summarize documents
Add Obsidian to start journaling and reflecting
Try PrivateGPT or Datasette to search your past or track your life

Would you like a checklist or an install script to get started with this stack? I can also help you set up a file structure to begin tracking and querying your own data.

5. Forms of personal data to manage Me: The personal data I need to manage are health records (from 20-plus providers), financial records (fewer than health), travel records (including the kind kept by apps that watch my movements), subscriptions and other recurring payments, shows I have watched and on what channels or services (data gathered by my Samsung and Roku TVs and presumably shared with others but to which I don’t yet have access), continuing work and work history with various clients and employers, contacts, archival and current calendars, real estate, personal items bought or acquired from various sources and where they are kept or stored, and business dealings. What would be the file structure for all that, and how would I manage it? Note that I am not talking about shopping yet; that’s a separate concern. ChatGPT:

Thanks for the detailed breakdown — you’re describing the foundation of a true personal data architecture: structured, queryable, and under your control. Let’s build you a file structure and management strategy that matches your needs without overcomplicating the tech.

Recommended Top-Level Folder Structure

This folder structure is designed to be future-proof, machine-readable, and human-usable. Use plain folders, CSV/JSON/Markdown files, and optional SQLite databases to store structured data. You can later layer tools (like LLMs or Datasette) on top.

markdown CopyEdit /PersonalAI_Data
│
├── Health/
│ ├── Providers/
│ ├── Visits/
│ ├── Prescriptions/
│ ├── Labs_Imaging/
│ └── Insurance_Claims/
│
├── Finance/
│ ├── Bank_Accounts/
│ ├── Credit_Cards/
│ ├── Investments/
│ └── Taxes/
│
├── Travel/
│ ├── Trips/
│ ├── Locations_History/
│ └── Maps_GPX_KML/
│
├── Subscriptions/
│ ├── Streaming/
│ ├── News_Publications/
│ ├── Software_Tools/
│ └── Utilities_Bills/
│
├── Media_Viewed/
│ ├── TV_Shows/
│ ├── Movies/
│ ├── Channels_Services/
│ └── Watch_History.csv
│
├── Work/
│ ├── Employers/
│ ├── Clients/
│ ├── Projects/
│ └── Timesheets_Invoices/
│
├── Contacts/
│ └── contacts.csv
│
├── Calendar/
│ ├── Archive_ICS/
│ ├── Current_ICS/
│ └── Events_Tags.csv
│
├── Real_Estate/
│ ├── Properties_Owned/
│ ├── Rentals/
│ └── Maintenance_Records/
│
├── Personal_Items/
│ ├── Furniture/
│ ├── Electronics/
│ ├── Art_Collectibles/
│ └── Inventory.csv
│
└── Business/
├── Deals/
├── Agreements/
├── Partners/
└── Notes/
Strategy for Managing It All 1. Use Consistent File Types Data Type File Format Structured entries .csv, .json, .sqlite Notes or logs .md (markdown) Documents .pdf, .docx, .txt Images/attachments store in attachments/ subfolder per topic 2. Naming Conventions (Machine + Human Friendly)

Use ISO-like formats to make things sortable and parseable:

yaml CopyEdit 2024-06-16_labresults_providerX.csv
2023_Q4_taxes_federal.pdf
clientA_2022-11_contract.pdf 3. Data Capture Tools

You don’t need to build it all manually:

Use Obsidian for ongoing notes (e.g. travel journal, work logs)

Use Paperless-ngx (optional) to OCR and tag your scanned PDFs (health, finance)

Use GPS History Export from Google and Apple for travel/locations

Use email filters or Zapier to auto-download bills, statements, confirmations

4. Querying and Reviewing

Add one or more of these later:

Datasette → browse and search CSVs/SQLite locally

LM Studio + PrivateGPT → ask, “When did I last visit Dr. Chen?” or “What devices are in storage?”

LlamaIndex → index your file tree and let AI search/summarize it

Summary of Benefits Goal This Setup Delivers Total local control You decide access, storage, retention Future AI-readiness Structured enough for agents to use Easy to back up Plain files, portable databases Modular growth Start simple, layer in AI when ready

Would you like me to generate a starter template with folder structure and some CSV/Markdown file formats filled in with mock data for each domain? That way you can load it directly into your system and start customizing.

Me again:

That’s it for now.

What should my next request be, or what other direction would you like me (or us) to take this? Or, what are the learnings we have so far in this field that barely exists? Oh, and excuse whatever inaccuracies ChatGPT may have floated above. Or give me fixes. Thanks. *The links are mine and based on searches for those names. I might have some of them wrong, however, since searches for those names bring up many scholars with the same names. And, while each name had a link, they all went to an author archive page that was absent (with one exception) of other contributions to the publication.

NEWARK, NJ, June 18, 2025 – A shared commitment to community and service led to a meaningful partnership between Edge, a nonprofit organization that recently transitioned to a fully virtual workforce, and MENTOR Newark, a local organization dedicated to supporting youth through mentoring and empowerment programs.

When Edge found itself with available office space, it began the search for a subtenant. A mutual business contact introduced Edge’s Executive Director of Human Resources and Administration, Amy Olavarria, to Thomas Owens, Executive Director of MENTOR Newark. Olavarria elaborates, “We had been working with a realtor to sublease the space but couldn’t find a good match, until we were introduced to Thomas and learned about his organization’s mission and their need for a new headquarters,” said Olavarria. “I’ve met several of the young adults in the program, and they’re all so mature, motivated, and well-mannered. It’s inspiring to see, and MENTOR Newark is truly an incredible organization.”

Previously located in a lower-level space in the same building, MENTOR Newark had involved its students in renovating their former office, so the move came with some uncertainty. “Our students were deeply involved in creating the previous space, so I wasn’t sure how they would connect with the new one,” admitted Owens. “But when they walked in, they immediately saw the possibilities and were genuinely excited. They appreciated the new amenities, including the kitchen, private bathrooms, and most importantly, their own dedicated area called the Student Office.”

That sense of ownership was on full display during an open house in April 2025, where community members gathered to tour the space and meet the young leaders of MENTOR Newark. “People were moved, and saw the students taking responsibility for the space, engaging with guests, and leading parts of the event,” shares Owens. “There was dancing, laughter, and a strong sense of pride. When people learned it all came together through a partnership between two nonprofits, it left a lasting impression.”

For Edge, the partnership with MENTOR Newark was a natural extension of its mission and community commitment. “Edge is honored to have Thomas and his organization in this space,” adds Olavarria. “Even though MENTOR Newark and Edge are two nonprofits in different industries, we share a common goal: to help and serve the people in our communities and beyond. Working with MENTOR Newark is perfectly aligned with Edge’s brand promise of CONNECTED. COMMITTED. COMMUNITY. I attended their grand opening, and the atmosphere was one of home, community, and acceptance—regardless of age or background. It was a powerful feeling of unity and peace.”

About Edge

Edge serves as a member-owned, nonprofit provider of high performance optical fiber networking and internetworking, Internet2, and a vast array of best-in-class technology solutions for cybersecurity, educational technologies, cloud computing, and professional managed services. Edge provides these solutions to colleges and universities, K-12 school districts, government entities, hospital networks and nonprofit business entities as part of a membership-based consortium. Edge’s membership spans the northeast, along with a growing list of EdgeMarket participants nationwide. Edge’s common good mission ensures success by empowering members for digital transformation with affordable, reliable and thought-leading purpose-built, advanced connectivity, technologies and services.

About MENTOR Newark

MENTOR Newark is the New Jersey affiliate of MENTOR, the National Mentoring Partnership, and connects youth in Newark, New Jersey, to caring mentors who provide guidance, support, and positive role modeling. ​The organization collaborates closely with the Newark Board of Education to offer mentoring professional development to staff and support the implementation of a comprehensive district-wide student mentoring program. MENTOR Newark actively works with more than 40 local mentoring organizations, many of which run programs within Newark Board of Education schools. To learn more, visit www.newarkmentoring.org.

The post MENTOR Newark Partners with Edge to Find a New Home appeared first on NJEdge Inc.

We’re introducing passkeys on Facebook for mobile devices, offering another tool to safeguard your privacy and security. Passkeys are a new way to verify your identity and log in to your account that’s easier and more secure than traditional passwords. 

Passkeys will soon be available on iOS and Android mobile devices for Facebook, and we will begin rolling out passkeys to Messenger in the coming months. The same passkey you set up for Facebook will also work on Messenger once this capability launches. 

FIDO Alliance’s flagship event features an expanded agenda to deliver practical strategies for implementing usable, phishing-resistant security across the entire account lifecycle.  Super Early Bird discounts are available through June 20.

Carlsbad, Calif., June 18, 2025 – The FIDO Alliance has announced the agenda for Authenticate 2025, the only industry conference dedicated to digital identity and authentication with a focus on phishing-resistant sign-ins with passkeys. The event will take place October 13–15, 2025 at the Omni La Costa Resort and Spa in Carlsbad, Calif., with options for virtual participation available.

The focus of the program for the Authenticate 2025 conference is achieving phishing-resistant authentication with passkeys and the adjacent considerations required to achieve end-to-end account security with usability in mind.

Visit https://authenticatecon.com/event/authenticate-2025/ to view the full session guide and register ahead of the June 20th Super Early Bird deadline.

Authenticate is built for CISOs, security strategists, enterprise architects, product leaders, UX professionals, and anyone engaged in the identity lifecycle from strategy to implementation. Attendees will gain practical knowledge around deploying phishing-resistant authentication at scale, designing secure user experiences, understanding complementary technologies, and navigating policy and compliance requirements. 

This year’s event will showcase keynotes and sessions led by top executives and industry leaders at the forefront of the passwordless movement. The agenda for 2025 has been revamped to include: longer track sessions for more in-depth presentations, an increased focus on masterclasses for actionable synced and device-bound passkey implementation best practices, and a new solutions theater track to showcase live demonstrations of the latest identity and authentication solutions. This year’s agenda also features more opportunities for networking and exploration of the interactive expo hall to foster collaboration and idea sharing.

With four dynamic stages across four curated content tracks,  Authenticate 2025 will offer sessions on: 

Account onboarding Remote identity verification and proofing Authorization Biometrics Session security Device onboarding and authentication Cybersecurity/fraud threats and detection Digital identity/digital wallets The future of digital identity and authentication

Sponsorship Opportunities Available
Authenticate 2025 offers unique sponsorship opportunities for companies to showcase solutions to an engaged, decision-making audience. With limited availability remaining, prospective sponsors can learn more and apply at https://authenticatecon.com/sponsors/ or contact authenticate@fidoalliance.org. 

About Authenticate 

Authenticate is the premier conference dedicated to advancing digital identity and authentication, with an emphasis on phishing-resistant sign-ins using passkeys. Hosted by the FIDO Alliance, this event brings together CISOs, security strategists, product managers and identity architects to explore best practices, technical insights and real-world case studies in modern authentication. The 2025 conference will take place from October 13-15 at the Omni La Costa Resort & Spa in Carlsbad, California, and will be co-located with the FIDO Alliance member plenary sessions, which run through October 16. 

Authenticate is hosted by the FIDO Alliance, the cross-industry consortium providing standards, certifications and market adoption programs to accelerate utilization of simpler, stronger authentication with innovations, like passkeys. Signature sponsors for Authenticate 2025 are Google, Microsoft, Visa, and Yubico.

To learn more and register, visit https://authenticatecon.com/event/authenticate-2025/, and follow @AuthenticateCon on X. Register now and get the super early bird discount through June 20, 2025.

Authenticate Contact
authenticate@fidoalliance.org

PR Contact
press@fidoalliance.org

v1.1 of the 3 specifications includes one powerful new moving part

As CAWG activity picks up steam at DIF, there are a few details the rest of DIF and the broader community of decentralizers might want to be tracking:

The specification includes a powerful new indirection called an Identity Aggregator, which designates an external authority to translate a long-lived identifier embedded in signed credentials (at time of publication) to one or more identifiers with local significance anywhere an asset is used (at time of republication or consumption). Industry-specific identifier schemes are being researched by a distinct task force within the group for prototyping and getting adoption in media verticals. Registering/organizing external metadata standards and DID interop are on-going discussions. Wait, what Working Group is this?

If you're following from a distance, you have a vague sense that CAWG is a DIF working group doing something-something C2PA. If that distance is a long distance, you might know C2PA is a big-name, media-authenticity initiative with many mega-corporations signed on. The reality is actually more decentralized than meets the eye: CAWG is specifying open-world extension points that use Verifiable Credentials to let all kinds of claims and all kinds of actors embed metadata and rights declarations in C2PA documents, not just the big boys.

As the name would imply, "creators" is a capacious term which includes influencers, independents, rights-holders unions, creative agencies, freelancers, and even anonymous social media microcelebrities alike. The extension points and interoperability mechanisms this group is working on bring verifiability at various scales at once, and to various kinds of ecosystems and markets. The "Assertions" that these creators are inserting into signed C2PA manifests embedded in professional media assets are the open-world extension point that let C2PA manifests contain arbitrary metadata (treated in a separate specification being iterated by the group), arbitrary trust signals, and arbitrary attached credentials.

Enter the Aggregator

The Identity Claims Aggregator (often referred to as "aggregator" in the group) names a piece of software (which can be internal or external to an authoring tool) that tracks multiple identifiers enabling verifiable credentials (issued against them) to be inserted meaningfully. It also witnesses proofs of (and later attests to) control of many kinds of external identifiers, and generally organizes the chaos of the world's many overlapping identifier schemes and attestation formats. To the outside observer, this might seem a very complicated translation mechanism, but to the decentralized identity veteran, this is a familiar necessity. Every verifiable credential scheme eventually needs this kind of translator/aggregator role, if it is to be an open system or even if it is "only" going to federate across the tech stacks of multiple existing systems.

Taken from section 8.1.1.2 of the v1.1 Identity Assertion specification

The conversation so far in the working group has been working its way from the general to the concrete: do aggregators only aggregate identifiers and information sources known at the time of authoring/inserting, or can an aggregator add on new attestations at a later time? Must aggregators limit themselves to public identifiers, or can they use an internal/aggregator-specific one? Can an aggregator host a live API for post-facto information to be passed out-of-band, like additional credentials or updated credentials? How tightly, if at all, should this group specify such an API, if so? These are the high-level questions being debated on the back-burner of CAWG meetings this summer.

The Aggregator-Indirection Question

Zooming in a little more, there are further questions being tackled. Aggregators model a great happy-path solution for embedding declarations and strong identifications into each asset, but what about the many unhappy paths? For example, what if a creator’s assertions are scattered across many identifiers and credential types, and embedding those assertions requires all kinds translations and metadata to be legible? What if identifiers change, or new assertions become relevant after publishing– can “placeholder” or indirection identifiers be used to query data sources that continue receiving assertions after publication? Can an indirection or service be used to display more or less assertions depending on audience, or changeable-over-time consent policies? Can assertions and identities be “self-custodied”? What is the “account recovery” story for these increasingly complex use-cases?

While adding the aggregator was the biggest change in v1.1, it will be a long while until the exact scope and limits of this role are decided. It may well be that some advanced features get postponed to a later stage in the roadmap, because of the sheer complexity they entail, but it will definitely be an ongoing topic simmering in the background whenever smaller debates come up.

Separate Work Stream: Industry-Specific Identifiers

In parallel, a subgroup is meeting separately to research and sanity-check the integration of major media-industry identifier schemes and metadata schemes, looking for interop corner-cases and relevant prior art.

Interested parties are encouraged to pop into the subgroup's github issues and meetings if they are working on (or just curious about, or experienced with) industry associations and media archiving best practices. The usual IP caveats apply: if joining a live call as a non-DIF member or commenting on github issues, refrain from going into concrete detail on anything "patentable" like implementation details or solutions.

Other Big Questions between V1.1 and v2.0

These advanced features of the aggregator aren’t the only big questions that we can expect to simmer and percolate across the next few "minor versions". Additionally, the interop issues around existing metadata standards (not just major W3C standards, but real-world ones from industry and library sciences) are potentially inexhaustible, as the group's Metadata specification gives scaffolding for inserting any structured metadata into assertions.

A slightly less vast but still very open-ended interoperability question is which DID methods to recommend or even require of all implementers, and how to manage or triage the remainder of the list of possible current (and future!) DID methods. Intersecting with the ongoing work of the DID Method Standardization Working Group, and older efforts like DID Traits to define equivalence or translatability between DID methods with similar architectures, semantics and guarantees, there is something of a simmering backlog-debate about which forms of DID make how much sense for the CAWG use-cases.

Of course, the evaluation of DID methods for these tiered-accreditation and decentralized reputation use-cases necessarily includes more than just technical analysis; legal and business readiness factor in as well, including competitiveness and market health/structure considerations to keep media authenticity from being a perk in closed ecosystems. Luckily, the new co-chair Scott Perry brings much experience and open lines of dialogue with multiple working groups at the Trust-over-IP Foundation which work on exactly these aspects of DID technology and business processes. In particular, agentic identity is a topic that ToIP generally, and Scott specifically, are bringing into the scope of the WG, so keep an eye out for issues and PRs along those lines in the coming months as well.

Google is making its biggest security push yet. The company strongly urges its 2 billion Gmail users to switch passwords to passkeys. While not mandating immediate changes, Google has made passkeys the default authentication method. They’ve also set a hard deadline for third-party apps. The FBI reported cyber attacks jumped 33% last year. Those attacks cost over $16 billion in damages. Google’s response shows how seriously Big Tech is taking the password problem affecting every internet user.

A values-based list of barriers faced by 14–19 year olds in the UK

In this post, we continuing to share outputs from a project we’re working with the Responsible Innovation Centre for Public Media Futures (RIC), hosted by the BBC. We’ve already published:

What does AI Literacy look like for young people aged 14–19? What makes for a good AI Literacy framework? Core Values for AI Literacy AI Literacy or AI Literacies? Image CC BY-ND Visual Thinkery for WAO

This project has involved both desk research and input from experts in the form of a survey, individual interviews, and a roundtable which we hosted a couple of weeks ago. One area we wanted to ensure we understood were gaps in existing provision around AI Literacies for young people.

The gaps we identified were focused on the 14–19 age range in the UK, with a long list of areas with many themes. We have organised and summarised these around the core values identified in a previous post.

The gaps reflect a pattern seen across education, media, and wider society: provision is uneven. It is often shaped by short-term thinking and competing interests. Overall, it is limited by a lack of clear leadership or coordination.

Unfortunately, many interventions around AI Literacies are focused on technical skills or compliance. These do not connect with young people’s real interests or lived experiences, nor do they address the deeper ethical, social, and cultural questions raised by AI.

As a result of this, many learners — especially those already facing disadvantage — are left with fragmented support and few opportunities to develop genuine agency or critical judgement.

Human Agency and Informed Participation Lack of systemic, rights-based frameworks: There is little structured provision to help young people shape, question, or influence AI, with most education focused on adapting to technology rather than encouraging agency or clarifying institutional responsibilities. Dominance of industry narratives: Commercial interests and tech industry funding often drive the agenda, narrowing the conversation and limiting opportunities for young people to challenge prevailing narratives or understand the political dimensions of AI. Insufficient progression and curriculum integration: There is no standardised, dynamic curriculum or progression framework for AI Literacies, especially for post-16 learners, and limited integration across subjects beyond computing or digital studies. Teacher confidence and support gaps: Many teachers lack confidence, training, and adaptable resources to support the development of AI Literacies, resulting in inconsistent, sometimes contradictory, messaging and limited support for critical engagement. Disconnect between knowledge and action: Awareness of AI bias, manipulation, or power structures does not reliably translate into agency or behavioural change, with motivation and broader social context often overlooked. Equity, Diversity, and Inclusion Persistent digital and social divides: Access to tools and resources to develop AI Literacies is highly unequal, shaped by school policies, family resources, and broader digital divides, with privileged students often able to bypass restrictions. Lack of cultural and global adaptation: Most resources are developed in the global north and do not reflect the needs or realities of diverse cultural, socioeconomic, or linguistic backgrounds, including those from in the global south. Barriers for marginalised groups: AI tools and resources can disadvantage non-native English speakers, students with disabilities, and those with limited digital access, reinforcing existing inequalities. Neglect of visual and multimodal literacy: There is insufficient focus on images, deepfakes, and multimodal content, despite their growing importance for misinformation and manipulation. Resource design and authenticity: Overly polished, anthropomorphised, or inaccessible resources can alienate young people; there is a need to co-design authentic, relatable, and context-driven materials that reflect lived experiences with young people from a range of background Creativity, Participation, and Lifelong Learning Short-termism and lack of sustainability: Funding and interventions are often short-lived, with little focus on long-term, joined-up strategies or progression frameworks. Imbalance between creativity and consumption: Most young people are consumers, not creators, of AI content; there is insufficient emphasis on participatory, creative, and hands-on engagement with AI. Restrictive and risk-averse policies: Overly strict barriers on access to AI tools in schools can limit meaningful learning opportunities and create anxiety or underground use. Missed opportunities for experiential and peer learning: There is underuse of hands-on, constructionist, and peer-led approaches, which are effective for this age group and for a rapidly evolving field like AI. Failure to address entrenched digital habits: Many interventions come too late to shift established digital habits; young people may have high digital skill but lack guidance on purposeful, critical, or participatory use. Critical Thinking and Responsible Use Overemphasis on technical skills: Current provision is skewed towards prompt engineering and functional tool use, with insufficient attention to understanding different kinds of AI, ethical reasoning, systemic impacts, and critical engagement. Insufficient ethical, environmental, and societal focus: Real-world harms, environmental costs, and the broader impact of AI are rarely discussed, leaving gaps in understanding responsible use. Media and information literacy gaps: Algorithmic and data literacy gaps: Young people struggle to understand how data shapes AI outputs, how to assess real versus fake (including deepfakes), and how to evaluate, challenge or seek redress for algorithmic decisions or AI-generated content. Anthropomorphism and mental models: Many young people, particularly younger teens, misattribute human-like qualities to AI, affecting their critical judgement and ability to interrogate outputs. Lack of robust assessment and evidence: There is a shortage of baseline data on AI literacy levels and limited frameworks for evaluating the effectiveness and impact of interventions, especially in terms of behavioural change. Upholding Human Rights and Wellbeing Disconnection from youth interests and lived experience: AI Literacy resources often fail to connect to young people’s real interests (creativity, sports, mental health), focusing instead on employability or compliance. Socio-emotional and privacy risks: Young people may use AI for companionship or advice, sharing sensitive information without understanding privacy or data risks; frameworks rarely address identity, trust, or changing markers of adulthood. Confusion and inconsistency in terminology: There is no consensus on what “AI literacy” means, and inconsistent definitions can intimidate learners or place excessive responsibility on individuals. Unclear responsibility and leadership: It remains unclear who should lead on the development of AI Literacies. Schools, parents, government, industry, and third sector bodies all have a role to play, but the current situation leads to fragmented provision and a lack of accountability. Neglect of digital relationships and boundaries: The role of AI as an “invisible third party” in relationships, and the shifting boundaries of privacy and identity, are rarely addressed in current resources. Next up

We’re still finalising our framework for AI Literacies and will be sharing it soon. Meanwhile, you can follow our work on this topic so far at https://ailiteracy.fyi.

Please do get in touch if you have projects and programmes that can benefit from our experience and expertise in education and technology!

Acknowledgements

The following people have willingly given up their time to provide invaluable input to this project:

Jonathan Baggaley, Prof Maha Bali, Dr Helen Beetham, Dr Miles Berry, Prof. Oli Buckley, Prof. Geoff Cox​, Dr Rob Farrow, Natalie Foos, Leon Furze, Ben Garside, Dr Daniel Gooch, Dr Brenna Clarke Gray, Dr Angela Gunder, Katie Heard, Prof. Wayne Holmes, Sarah Horrocks, Barry Joseph, Al Kingsley MBE, Dr Joe Lindley, Prof. Sonia Livingstone, Chris Loveday, Prof. Ewa Luger, Cliff Manning, Dr Konstantina Martzoukou, Prof. Julian McDougall, Prof. Gina Neff, Dr Nicola Pallitt, Rik Panganiban, Dr Gianfranco Polizzi, Dr Francine Ryan, Renate Samson, Anne-Marie Scott, Dr Cat Scutt MBE, Dr Sue Sentance, Vicki Shotbolt, Bill Thompson, Christian Turton, Dr Marc Watkins, Audrey Watters, Prof. Simeon Yates, Rebecca Yeager

At Global Digital Collaboration on July 2nd, a full day of sessions co-curated by DIDAS and partners will address how privacy-enhancing technologies (PETs) and trustworthy governance models can become core enablers of digital trust across sectors and jurisdictions.

The day begins with a high-level update session featuring SPRIND, Google, EPFL, Johannes Kepler University, and others. It will explore the current maturity, post-quantum readiness, and practical deployment of PETs such as BBS+, SD-JWT, and ZK-mDoc. The session aims to establish shared terminology and frameworks for unlinkability and selective disclosure across global credential ecosystems.

In parallel, the e-democracy workshop series (Part 1 & 2), led by the Center for Digital Trust (C4DT) at EPFL, DIDAS, the Human Colossus Foundation, and other civil society actors, will explore how digital services like e-ID and e-collecting e-voting and related challenges which must be redesigned for resilience to protect public trust, prevent fraud, and ensure accountability. The sessions aim to define foundational principles for a trustworthy digital democracy, co-created by experts in law, governance, cryptography, and policy.

Running alongside, a collaborative mapping session by Johannes Kepler University, Orange, Ethereum researchers, DIDAS, EUDI and other Global Ecosystems and pilot teams are invited to identify and classify global use cases where PETs-particularly zero-knowledge proofs-are essential. The session will help align performance and privacy requirements across deployment contexts, feeding into implementation roadmaps and standards discussions.

In the afternoon, a deep dive on unlinkability will be led by experts from Google, SPRIND, EPFL and the Linux Foundation’s decentralized trust initiatives. This session will focus on the risks of issuer–relying party collusion in credential ecosystems, and why unlinkability is non-negotiable for use cases like transport and location-sensitive infrastructure.

Later, a technically grounded session titled “ZKProofs: From Crypto Potential to Regulatory Acceptance” will bring together Google, ETSI, and NIST to map out viable ZKP schemes, their mobile-readiness, and interoperability features. The goal is to bridge the gap between cryptographic innovation and institutional trust, and to align stakeholders around a roadmap for responsible, cross-border adoption and acceptance.

The day concludes with a multi-stakeholder roundtable moderated by DIDAS with invitees from the ITU, the OpenWallet Foundation, LF Decentralized Trust, OECD, UNHCR the Swiss confederation, the EU Commission and other country delegates and potential funding partners to explore long-term collaboration structures. This final session will address how to sustain PET development through ongoing working groups, interoperable governance, and shared funding models.

 

Public Sector & Multilateral Institutions

Swiss Confederation European Commission ITU (International Telecommunication Union) OECD UNHCR SPRIND (Federal Agency for Disruptive Innovation, Germany) EUDI Pilot Teams (various EU member states)

 

Research & Academia

EPFL – École Polytechnique Fédérale de Lausanne C4DT – Center for Digital Trust (EPFL) Johannes Kepler University Linz Ethereum Research Community

 

Civil Society & Ecosystem Actors

DIDAS – Digital Identity and Data Sovereignty Association Digital Society Association (Switzerland) Human Colossus Foundation Other invited civil society contributors

Private Sector & Standards Bodies

Google Orange Linux Foundation – Decentralized Trust Initiative OpenWallet Foundation ETSI – European Telecommunications Standards Institute NIST – U.S. National Institute of Standards and Technology LF Decentralized Trust

Core Themes

Privacy-enhancing technologies (PETs), ZKPs, unlinkability Verifiable credentials, digital identity, selective disclosure Trust infrastructure governance, interoperability, post-quantum security E-democracy, civic trust, institutional resilience Multi-stakeholder collaboration, sustainable funding, global alignment

This collaborative agenda reflects a global commitment to building privacy-preserving, interoperable, and inclusive digital ecosystems with shared responsibility across sectors.

authID’s decision this month to integrate its biometric identity verification technology with Ping Identity’s PingOne DaVinci service is a necessary step at a time when humans continue to be the weakest security link for organizations and bad actors increasingly target passwords to gain access to corporate networks, according to Jeff Scheidel, vice president of operations for the Denver-based company.

Apple OSes will soon transfer passkeys seamlessly and securely across platforms.

Apple this week provided a glimpse into a feature that solves one of the biggest drawbacks of passkeys, the industry-wide standard for website and app authentication that isn’t susceptible to credential phishing and other attacks targeting passwords.

Overview

The FIDO Alliance and host sponsor Thales recently held a one day seminar on authentication, identity and the road ahead.

Seminar sessions provided an exploration of the current state of authentication for workforce and consumer sign-ins – with a focus on FIDO and passkeys including adoption status and case studies. The seminar also featured discussions on other relevant topics for IAM professionals, such as the latest in attacks and threats, identity verification technology advances, and post-quantum cryptography. Attendees had the opportunity to engage directly with authentication and identity experts through open Q&A, networking and demos.

View the presentations below:

The OASIS XACML Technical Committee (TC) is currently engaged in an effort to produce a successor to XACML version 3.0, and we’re looking for input from the community. The goals of this new version(s) are:

To modernize the language to make it more accessible to a wider audience, To add new features to extend the expressibility of the language and support new use cases, and To simplify the language where possible.

The headline change is the decision to abstract the core language to remove its dependence on XML and XML Schema, i.e., to make it syntax-agnostic. This will facilitate the use of other syntaxes for representing the core language. The TC has decided to define representations for at least JSON and YAML, while continuing to support XML. To reflect this expanded scope and modernized approach, the effort is being referred to as “XACML Next Gen” rather than “XACML 4.0.”

The XACML TC intends that implementations will be able to claim conformance with the core language by implementing one or any combination of the possible syntaxes. XML will not be required.

There is a strong desire in the XACML TC to find a new name for the core language to show that it is no longer tied to XML. Various suggestions are on the table, but there is no clear frontrunner at this time. The new name should lend itself to distinct acronyms for each supported syntax for simple identification. Regardless of the new name and version number for the core language, there is consensus in the TC that the XML representation of the core language will be known as XACML 4.0 in recognition of its antecedent. So the moniker “XACML 4.0” will reference only part of the TC’s eventual outputs.

The major structural change to the core language is the merging of PolicySet and Policy into a single construct that will carry the name “Policy.” A new Policy may contain embedded policies, policy references, rules, and variable definitions. This change removes some duplication from the core language where essentially the same thing was defined under separate names for both policy sets and policies, for example, PolicySetId and PolicyId. There is now only PolicyId. There are no longer separate policy combining algorithms and rule combining algorithms, just combining algorithms.

Current Changes In Progress 1. Support for JSON and YAML Policies

One of the most anticipated updates in XACML Next Gen is the addition of JSON and YAML as alternative policy representation formats. While XACML has traditionally been based on XML, these new formats aim to:

Simplify policy authoring by providing more concise and readable structures. Improve integration with modern applications that rely on JSON-based APIs. Reduce verbosity compared to XML, making policies easier to maintain. Improve readability and auditability by allowing the substitution of many URIs with short string names using standardized and user-defined vocabularies. 

Implications for Policy Writers:

Policies can now be expressed in JSON or YAML, reducing the learning curve for those unfamiliar with XML. JSON and YAML formats align with modern infrastructure-as-code practices, allowing policies to be managed like other configuration files. 2. Simplified and More Efficient Policy Structure

To make policies easier to write and maintain, XACML Next Gen is introducing:

A. Flattened Policy Hierarchy The distinction between Policy and PolicySet is being removed, creating a single structure that can contain both rules and sub-policies. This means fewer elements to track and simplifies how policies are nested and combined. B. Common Structure for Obligations and Advice The structure of an obligation or advice instance is practically the same, except for naming. Obligation and Advice will be replaced by a common Notice structure with the semantic differences indicated by a boolean flag. Likewise, for the various structures related to obligations and advice. C. Targets Revised Targets in policies have been changed to Boolean expressions, giving them the same expressive power and flexibility as Conditions in rules. Targets have been removed from rules; a Condition is sufficient. D. Decluttering CombinedDecision, ReturnPolicyIdList, and MustBePresent have been given sensible defaults so that they can usually be omitted, reducing clutter.

E. Global Variables for Reusability

Variables will be defined globally and reusable across multiple policies, reducing redundancy and improving clarity. Policy writers will be able to import global variables without having to redefine them within each policy. F. Composite Functions for Simpler Expressions Policy authors will be able to define custom functions that can be reused across multiple rules, reducing repetition. Example: Instead of repeating the same logical expression in multiple places, writers can define it once and reference it when needed. 3. Improved Policy Efficiency A. Optimized Rule Evaluation New ternary conditional functions (similar to a ? b : c in programming languages) allow policy writers to define logic more concisely. B. Aggregate Functions for Policy Simplification XACML Next Gen will introduce functions like min, max, sum, and average, enabling policy writers to perform calculations on groups of attributes without excessive nesting. C. Shortcuts for Common Operations New functions like empty-bag() and non-empty-bag() make it easier to check for missing attributes without verbose expressions. D. JSONPath Support for JSONPath will be added to the language. Like support for XPath, it will be optional to implement. Support for newer XPath versions will be added. 4. Naming and Structural Changes

To better reflect its expanded scope beyond XML, there are ongoing discussions about renaming XACML to something more format-agnostic. Current discussion can be viewed [here].

Regardless of the naming decision, the XML version will continue to be referred to as XACML, ensuring backward compatibility.

XACML Next Gen is shaping up to be a more flexible, efficient, and modern policy definition framework. By introducing JSON and YAML, flattening policy structures, and adding global variables and composite functions, the new version aims to make policy authoring easier and less error-prone, while the addition of canonical string identifiers will significantly improve the readability and audibility of policy corpora.

We Want Your Feedback

The XACML TC is eager to hear from the broader community as we move forward with this next-generation effort. Whether you’re a longtime implementer, a policy expert, or simply someone with a stake in access control, your input can help shape a modern, more accessible, and flexible standard. We’re especially interested in feedback on new feature requirements, potential use cases, naming ideas for the core language, and thoughts on the move toward syntax-agnostic design. If you’d like to get involved or share your perspective, please contact us via our GitHub project.

Authors

Steven Legg, Editor, OASIS XACML Technical Committee
[LinkedIn Profile]

William Parducci, Co-Chair, OASIS XACML Technical Committee
[LinkedIn Profile] 

The post Help Guide the Next Generation of XACML appeared first on OASIS Open.

Andrew Shikiar, Executive Director and CEO of the FIDO Alliance, joins us to discuss the shift from passwords to passkeys and the role of FIDO in driving secure, passwordless authentication. He explores the challenges of adoption, the importance of identity verification, and how cross-platform interoperability is accelerating passkey use. The conversation also touches on the impact of generative AI on cybersecurity and what the future holds for passkeys in building long-term resilience.

About Expert Insights:

Expert Insights saves you time and hassle by rigorously analyzing cybersecurity solutions and cutting through the hype to deliver clear, actionable shortlists. We specialize in cybersecurity. So, our focus is sharper, our knowledge is deeper, and our insights are better. What’s more, our advice is completely impartial.

In a world saturated with information, we exist to arm experts with the insights they need to protect their organization. That is why over 1 million businesses have used us to inform their cybersecurity research.

Listen to the podcast.

In a world where AI can create photos, videos, and even voices that look and sound real, how do we know what to trust?

Collaborating to respond to UNESCO’s call for think pieces

A couple of months ago, after seeing a UNESCO call for contributions, Doug began wrangling a group of thinkers and educators to respond to the call in a collaborative and open way. Naturally, I got involved, and thus we thought this story would be a good one for the WAO blog :)

There were six of us on that stormy night…

Bryan Alexander – an internationally known futurist, researcher, writer with this popular blog and newsletter, AI, academia, and the Future.  ​Helen Beetham – a researcher and consultant in digital education who has edited several standard texts including Rethinking Pedagogy for a Digital Age. Her articles on AI, education, and society can be found at imperfect offerings. ​Doug Belshaw – co-founder of We Are Open Co-op, working at the intersection of systems thinking, digital literacies, and Open Recognition. Doug's writings can be accessed via his website. ​Laura Hilliger – concept architect, open strategist, and co-founder of We Are Open Co-op. Her website contains links to her blog and newsletter. ​Ian O'Byrne – Associate Professor of Literacy Education at the College of Charleston. He maintains an active presence through his website and weekly newsletter Digitally Literate. ​Karen Louise Smith – Associate Professor in the Department of Communication, Popular Culture and Film at Brock University. She teaches courses related to social media, surveillance, and new media policy and her writing can be accessed via her website.

The six of us met up online to chat about how we might collaborate to respond to UNESCO’s call, and decided that we would each write our own think pieces. We then met up regularly to chat about where we were, what ideas were floating around and get inspiration from one another. Once we had drafts, we each read each other's pieces offering comments and suggestions. 

Our finished pieces can be found at this linktree: https://linktr.ee/ai_future_education

After we submitted our think pieces to UNESCO, we decided to do a roundtable event hosted by Doug. Over 100 people signed up, with 50 more on the waitlist. Participants gathered to discuss the transformative potential of Artificial Intelligence (AI) in education. The event brought together educators, tech experts, and policymakers to dissect our six pieces on AI's future role in learning environments.

This blog post summarises our very nuanced discussion surrounding AI's role in education. If you’re interested in this type of thing, we’d recommend watching the full session.

1. Personalized Learning

One of the themes discussed was personalized learning facilitated by AI. While AI can functionally analyze student data to tailor curricula and pacing, we talked about the emotional and social dimensions of learning. The lack of empathy in AI systems hinders holistic education, which requires human interaction.

2. Equity and Access

We talked about the theory that AI could democratize access to quality education, but we highlighted significant challenges. Unequal access exacerbates existing disparities in educational opportunities, and it is not just infrastructure that is inequitable in our education system.

3. The Educator's Role

AI’s impact on educators’ roles was another theme in our conversation. While AI can handle routine tasks like grading, potentially reducing administrative burdens, there are concerns about over-reliance on technology displacing human interaction. We argued for understanding teachers as mentors, facilitators, guardians and creatives to try and make clear that “efficiency” is not a goal in education.

4. Privacy and Bias

We talked a lot about the ethical implications surrounding various aspects of AI. From data privacy concerns, algorithmic bias, and transparency in AI decision-making, we stressed the importance of ethical guidelines and accountability measures.

5. Collaboration

We talked a bit about the potential for collaboration between educators and AI. We tried to think about what a complementary relationship with AI might look like for education. While AI might enhance some of our teaching tools, it cannot be allowed to overshadow the irreplaceable human element.

6. The Future of Education

In conclusion, we know and spoke about the fact that any technology and its implementation in education must be approached with caution and balance. Our conversation underscored that AI is not a panacea but a technology that exists within a particular context, and that like any technology, it’s how we use it that matters.

Go deeper:

This is the video ​Recording for the full session  We made an AI generated ​Chat summary ​All of our think pieces are worth a close read. Jump in individually: Bryan Alexander - Several futures for AI and education Helen Beetham - The implications of ‘artificial intelligence’ for the right to education in equality and dignity Doug Belshaw - Marching Backwards into the Future: AI’s Role in the Future of Education Laura Hilliger - It is not the tool, it is the artist who sparks the revolution: The Importance of Art Education with or without AI Ian O'Byrne - Amplifying Human Cognition: Artificial Intelligence as Mirror and Magnifier Karen Louise Smith: Building warm expert expertise to mitigate against data harms in AI-powered edtech

Many thanks to Bryan Mathers of Visual Thinkery, who provided the illustrations included in this post. To see all of those that he drew based on the session, visit his website. 

did:sol is the Solana DID method. Solana is an application-centric blockchain praised for it’s high-throughput and composability. Today on the show we talk with Martin Riedel, and Daniel Kelleher, co-editors and implementers of the did:sol specification.   References Civic https://www.civic.com/  x:  @civickey Cryptid https://github.com/identity-com/cryptid  DID Directory https://diddirectory.com/  did:sol spec  https://g.identity.com/sol-did/ did:sol on diddirectory.com  https://diddirectory.com/sol  did:sol on...

did:sol is the Solana DID method. Solana is an application-centric blockchain praised for it’s high-throughput and composability. Today on the show we talk with Martin Riedel, and Daniel Kelleher, co-editors and implementers of the did:sol specification. References Civic https://www.civic.com/ x:  @civickey Cryptid https://github.com/identity-com/cryptid DID Directory https://diddirectory.com/ did:sol spec https://g.identity.com/sol-did/ did:sol on diddirectory.com https://diddirectory.com/sol did:sol on...

Exploring the plural, context-dependent, and socially-negotiated nature of new literacies

Over the past couple of months, we’ve been working on an ‘AI Literacy’ project with the Responsible Innovation Centre for Public Media Futures (RIC), hosted by the BBC. We’ve already published:

What does AI Literacy look like for young people aged 14–19? What makes for a good AI Literacy framework? Core Values for AI Literacy

In this post, we want to explore the tension we’ve felt between referring to ‘AI Literacy’ in the singular, versus referring to a plurality of ‘AI Literacies’. Ultimately, although our original brief used the singular form (as do many of our peers) we have decided to take the latter, plural, approach — for reasons we will explain below.

One very practical reason to emphasise ‘AI Literacies’ is that it is difficult to talk about ‘delivering’ a literacy. “Literacy” always begs the question of context: What does literacy mean to this particular person in this particular setting at this particular moment? What it means to be ‘AI literate’ is going to look very different to someone working in a corporate office job, compared to a teenager using AI for a creative project. Additionally, there are multiple literate behaviours when we think about AI — for example, understanding the socio-economic reality of the AI landscape versus knowing how to prompt an LLM to get the kind of information or answer you are looking for.

AI Literacies are therefore both plural and context-specific. They are also socially-negotiated. Literate behaviours depend on the community with which an individual is interacting. This becomes evident through a few examples.

Image CC BY-ND Visual Thinkery for WAO

If you are a parent of teenagers, you will have experienced a time when they respond in a way which makes sense to them and their friends, but not to you. You are likely to have to ask them what they mean or use a resource like the Urban Dictionary. Other behaviours such as using a particular emoji might be hilarious for reasons you cannot quite comprehend.

These “rhetorics of communication” are an important part of literacy practices, especially in the digital realm. They constitute ways of interacting with other people within a techno-social system which itself privileges and foregrounds certain kinds of behaviours, while either explicitly or implicitly discouraging others. For example, contemporary chat apps allow you to see not only that a message has been delivered, but whether it has been read. The act of not reading a particular message may be seen in multiple lights: Is the person ignoring me? Are they mad at me? Are they offline in the forest?

Any time we are communicating in ways which are mediated by technologies, part of literate behaviour involves understanding the “affordances” that the technology provides as well as understanding how that technology might be shaping our behaviour.

If you were, for example, quickly texting your teenager while at work, you might send your text and then open a workplace chat window which looks and feels very much like the social one which you have just been using. However, because the context is different — as well as perhaps both the demographic makeup and number of people in the chat — you act differently. =Your literate behaviours are thus socially-negotiated, meaning that you vary your behaviour in different situations.

As we start to understand AI Literacies, we need to think about the most common way in which people experience generative AI — by prompting a Large Language Model (LLM) through a chat window. The chat window is a familiar technology, but the fact that there isn’t a human on the other side of it is not. Part of AI Literacies therefore involves exhibiting and modifying our behaviours based on our knowledge and experience of factors that surround this particular chat window.

Image CC BY-ND Visual Thinkery for WAO

With personal or workplace chats, what is outside of the frame informs literate behaviours inside the frame. Similarly, when we are interacting with AI, the more we know about what is outside the frame, the more we can develop appropriate literate behaviours inside the frame. Again, these literate behaviours are plural: will others be able to tell that you are using the outputs of an LLM? (will they mind?) They are based on context: should you trust the company behind the technology you are using? And they are socially-negotiated: are there environmental concerns of which you should be aware?

Angela Gunder’s Dimensions of AI Literacies provides a helpful way to think about these issues. Building on my work on the Essential Elements of Digital Literacies, Gunder’s framework sets out a series of overlapping dimensions that shape how people interact with AI. This approach supports the idea that AI Literacies are not a fixed set of skills, but a collection of practices negotiated within communities and shaped by context.

AI Literacies, like Critical Media Literacies, Digital Literacies, Information Literacies, Data Literacies, and a whole host of “new” literacies, should be considered to be fundamentally plural. What counts as “literate behaviours” are socially-negotiated based on context. Words and phrases, however, are important to describe what we mean. And that is why we will be referring to AI Literacies in the project we’re doing with the RIC for the BBC.

Coming soon

We are working on a public version of our landscape setting and framework for AI Literacies. We’ll be sharing that soon. In the meantime, follow our contributions to this space through https://ailiteracy.fyi/ and get in touch if you have projects and programmes that can benefit from our experience and expertise in education and technology.

What if you could see what your customers are searching before they even hit 'buy'?

In today’s hyper-competitive marketplace, that’s exactly what the best brands are doing, and it’s giving them a serious edge.

In this episode, Chris Barnes, General Manager of Retail & Alternative Channels at Jungle Scout, joins hosts Reid Jackson and Liz Sertl to break down how brands are using real-time search, product, and shopper data to respond faster to market signals on Amazon and beyond.

Chris shares how companies are identifying market opportunities, protecting category share, and improving performance across pricing, inventory, and advertising, all by knowing what to look for in the data.

In this episode, you’ll learn:

How to use search and shopper behavior to guide product strategy

Why category management looks different in the age of marketplaces

The data brands overlook and how it impacts sales performance

Jump into the conversation:

(00:00) Introducing Next Level Supply Chain

(02:07) Chris Barnes on his career journey

(04:38) Transforming strategy with data and intelligence

(05:55) Category management in-store vs. online

(09:23) AI’s impact on search and consumer behavior

(13:04) Dude Wipes’ growth and success

(15:35) Leveraging data to understand consumer needs

(19:17) Power of data analytics in product development

(20:48) Top strategies for maximizing growth

(27:37) The future of agencies and AI in business

 

Connect with GS1 US:

Our website - www.gs1us.org

GS1 US on LinkedIn

 

Connect with the guest:

Chris Barnes on LinkedInCheck out Jungle Scout

Applications closed. Reviews done. It’s time to share who’s joining the Web3j mentorships this year under the Linux Foundation Decentralized Trust program. This year, there are two projects aimed at advancing Web3j, which is a highly modular, reactive, type safe Java and Android library for working with Smart Contracts and integrating with clients (nodes) on the Ethereum network.

The post Reinventing How Career Records Are Shared appeared first on Velocity.

Mastercard has launched advanced payment passkeys across Europe as part of its initiative to enhance online transaction security and replace traditional passwords. The company reports that its tokenization and passkey implementation has achieved nearly 50 percent adoption in European e-commerce transactions, building on its successful passkey deployment in Latin America earlier this year.

The payment technology company’s new security measures arrive at a critical time, as data shows that one in four business owners in Europe face targeting by scammers. A quarter of these businesses express concern about their ability to recover from potential cyber attacks. The expansion follows the broader industry trend toward passwordless authentication, with the FIDO Alliance reporting significant growth in enterprise passkey adoption.

OneSpan announced Thursday (June 5) its acquisition of Nok Nok Labs, a provider of FIDO passwordless software authentication solutions.

OneSpan said joining forces with Nok Nok enables the company to provide customers worldwide with a comprehensive authentication portfolio, available on-premises or in the cloud. This combined offering now includes support for OTP, FIDO, software, and hardware solutions, such as Digipass, FIDO2 protocols, and Cronto solutions for transaction signing.

Victor Limongelli, CEO at OneSpan, described the acquisition as a “bold step toward providing customers with maximum choice in authentication.” He added that the company is evolving its entire authentication platform to include FIDO standards, believing that passwordless authentication is an important part of the future. With Nok Nok’s technology and FIDO expertise, OneSpan aims to offer a comprehensive and versatile customer authentication solution.

Phillip Dunkelberger, president and CEO at Nok Nok, noted that joining OneSpan allows them to bring their vision, rooted in open standards like FIDO, to a broader audience via OneSpan’s global reach. Andrew Shikiar, executive director and CEO of the FIDO Alliance, said Nok Nok has been a “trailblazer” in the FIDO ecosystem.

Dashlane lets you open an account with a FIDO2-spec USB security key as your authentication.

One of the better-known password managers is now inviting people to try it without having to create yet another password. Instead, Dashlane is now inviting people to try opening a new account secured only by a USB security key compliant with the “FIDO2” authentication standard; FIDO being short for Fast Identity Online.

Emphasize “try.” The company’s support page for this “early access” program notes that it supports only Google Chrome and Microsoft Edge, not Dashlane’s mobile apps. For now, it doesn’t let you create an account secured only by a passkey, the form of FIDO2 security more people use. 

NEWARK, NJ, June 5, 2025 – Edge, a leading provider of innovative technology solutions for higher education, today announced that IronBrick, a Workday resell partner specializing in selling Workday to the higher education and public sector markets, is now part of the EdgeMarket Cooperative Pricing System. The addition of this industry leader to EdgeMarket comes as a direct result of successful bids under the EdgeMarket’s Higher Education Ecosystem (HEES) Request for Proposal (RFP), solidifying the organization’s commitment to delivering transformative solutions to educational institutions.

The HEES RFP, a significant initiative aimed at providing access to an interconnected ecosystem of software and solutions designed to enable successful outcomes within higher education, seeks to identify best-in-class technology partners. Edge’s contract vehicle, coupled with IronBrick’s deep industry expertise and the power of the Workday platform, creates a powerful set of tools to address the unique challenges and evolving needs of colleges and universities.

“This alignment marks a significant milestone in Edge’s commitment to empowering higher education institutions with cutting-edge solutions. Workday and IronBrick are industry leaders enabling excellence in higher education operations. We are confident that this collaboration will deliver exceptional value and drive positive outcomes for participating institutions.”

— Dan Miller
AVP EdgeMarket and Solution Strategy, Edge

Workday Human Capital Management (HCM), Workday Financial Management, and Workday Students help to transform higher education institutions, modernize experiences, and streamline administrative and academic operations. Its cloud-native architecture provides scalability, agility, and real-time insights to help make data-driven decisions.

“IronBrick is excited to collaborate with Edge and Workday to provide a new avenue for purchasing Workday for higher education institutions under the HEES RFP,” stated Zebulon Mellett, President, IronBrick Associates, LLC. “Our focused expertise in the higher education sector, combined with Edge’s strong relationships and the Workday platform, will allow for long-term success for our clients.”

Edge, Workday, and IronBrick are committed to helping higher education institutions modernize operations, enhance the employee experience, and drive student and institutional success, via a contract designed to streamline time to procurement. This collaboration represents a powerful step forward in transforming core operational applications within the higher education community.

About Edge

Edge serves as a member-owned, nonprofit provider of high performance optical fiber networking and internetworking, Internet2, and a vast array of best-in-class technology solutions for cybersecurity, educational technologies, cloud computing, and professional managed services. Edge provides these solutions to colleges and universities, K-12 school districts, government entities, hospital networks and nonprofit business entities as part of a membership-based consortium. Edge’s membership spans the northeast, along with a growing list of EdgeMarket participants nationwide. Edge’s common good mission ensures success by empowering members for digital transformation with affordable, reliable and thought-leading purpose-built, advanced connectivity, technologies and services.

About IronBrick

IronBrick excels at Adaptive Innovation. As a dedicated Workday partner, IronBrick is a reseller of Workday solutions to State and Local, Higher Education, and Federal clients. We strive to balance the wants and needs of application users with the technical challenges of IT organizations. IronBrick partners with leading System Integrators and specialized technology providers to deliver complete solutions. To learn more about IronBrick, visit ironbrick.com.

The post Edge Announces the Availability of Workday, via its Reseller, IronBrick, to the EdgeMarket Higher Education Ecosystem of Solutions appeared first on NJEdge Inc.

At Blockchain Commons, we design open infrastructure that prioritizes privacy, autonomy, and human dignity. That’s why I support and personally signed the No Phone Home Initiative. It is not just a position, it’s a call to preserve a foundational principle of decentralized identity: Credentials must be verifiable without enabling surveillance!

Why “No Phone Home” Matters

The problem is simple: when verifying a digital credential such as a mobile driver’s license or a diploma, many systems require contacting the original issuer. This creates a digital trail of who is verifying what, when, and why. That trail can be used to profile and surveil, allowing issuers to track credential holders without their knowledge.

Manu Sporny, in an email to the W3C Credentials Community Group (June 3, 2025), clarified the stakes:

“Retrieving a status list could be misinterpreted as ‘phoning home’ … but it’s not anywhere near the same level of “phoning home” that contacting the issuer and telling them ‘I’ve got Steve here at booze-hut.com, is he over 21?’ achieves.”

But the threat of direct identity leak is just the tip of the iceberg. That’s because credential presentation isn’t a one-off event. It’s recurrent. Even when identifiers or interactions are pseudonymous, repeated verifications leak sensitive metadata, allowing issuers or third parties to correlate time, location, and use-pattern metadata into behavioral profiles.

The Decentralized Identity Foundation talks about some of this in “Nearly 100 Experts Are Saying ‘No Phone Home’”:

“The risks multiply when applied across domains. Federated protocols developed for use within organizations become surveillance systems when used between different sectors or jurisdictions. Phone home capabilities that seem innocuous within a single domain can become tools for tracking and control when applied broadly without aggressive oversight and fine-tuning.”

Problematically, this is how these systems are designed to work! As Kim Hamilton Duffy says in the first of a series of articles on mDL privacy that she’s currently working on:

“This isn’t an unintended consequence—it’s an architectural feature that can trivially enable persistent record-keeping of when and where you use your credentials, creating patterns that can be analyzed long after the original transaction by unknown third parties.”

This also reveals yet another danger: how “normal” it feels to let credential issuers remain silently in the loop.

Revocation Without Surveillance

Some argue that checking for the revocation of a credential requires phoning home. But that’s a false dilemma. In the same W3C thread, Sporny noted:

“There are a few ways to retrieve a status list without directly contacting the issuer that use commonly deployed web technology.””

Technical mitigations discussed and developed by the community include:

Large, pseudonymous status lists (e.g., Bitstring Status List) Use of CDNs or file mirrors to avoid direct issuer contact Oblivious HTTP (OHTTP) for unlinkable status fetching

There are still issues with these potential mitigations. For example, Kyle Den Hartog (Pryvit NZ) raised concerns about status list misuse:

“An issuer creates a bitstring list of sufficiently large size, but only includes 1 active credential index per bitstring list. All other indexes are spoofed. The rest of the list would look active to the holder/verifiers but could still be a tracking mechanism by the issuer.”

But, these edge-case attacks reinforce why the core architecture must be surveillance-resistant by default.

Privacy isn’t the only issue with revocation checking: it’s also a structural risk. If we tie credential validity to live status checks, we quietly shift power from holders to issuers. It becomes a form of dependency injection, one that contradicts the goal of self-sovereign identity.

Not Just Technical: It’s Ethical

This isn’t just a technical issue. It goes to the ethical heart of self-sovereign identity design.

Daniel Hardman offered this framing in a related thread on edge cases:

“Verifiable credentials verify without issuer coordination; that is what the ‘verifiable’ in ‘verifiable credential’ means.”

Joe Andrieu argued in the same May 2025 thread:

*The identity system that wins is going to be the one we can use in any circumstance by anyone. … It’s my wallet. I expect it to serve me, as a user agent. I do not accept that it might also serve the state as a surveillance platform.

At Blockchain Commons, we agree. The ability to verify credentials offline, without depending on a central service, is essential for resilience and civil liberties.

A report prepared for the American Civil Liberties Union (ACLU) put it clearly by requiring “No Issuer ability to track via phone home mechanism” and saying:

“One way a digital ID can differ from physical ID is that it can enable the issuers of the digital ID to track where, when, and to whom one shows their ID. This tracking can reveal very private and sensitive information about the digital ID holder — namely, when and where, online or off, they present their ID. Standards and technologies should be designed so that the issuer (or any of its agents or contractors) cannot engage in any of these forms of tracking.”

Emergencies Are Not an Excuse

Some use cases such as disaster response or first responder tracking have prompted discussions around consent-based “check-ins.” These are complex and worthy of consideration. But the VC Data Model 2.0 spec is clear:

“Credential status specifications MUST NOT enable tracking of individuals, such as an issuer being notified (either directly or indirectly) when a verifier is interested in a specific holder or subject. Unacceptable approaches include “phoning home …”

But compliance doesn’t equal safety. Even digital credentials that conform to existing standards—such as ISO 18013-5—can still include implementation choices that enable surveillance. Privacy must be baked into system design, not retrofitted through policy disclaimers.

As Alexis Hancock of the Electronic Frontier Foundation (EFF) warned (via State Scoop):

“We have to act now because governments are enthusiastic about digital ID, but if we don’t pin down these basic principles now, it’s going to be a problem later.”

We can build systems that are opt-in, purpose-specific, and out-of-band, without compromising the privacy baseline for everyone else.

Our Commitment

At Blockchain Commons, we believe decentralized identity should empower the individual, not quietly report on them. We are actively designing open standards such as Gordian Envelope and dCBOR to support truly private, verifiable, interoperable credentials.

We support “No Phone Home” because surveillance should never be the default. And we invite others to join us in making sure the future of identity remains decentralized, private, and just.

Kia ora,

Welcome to the May edition of the Digital Identity NZ newsletter. This month, we’re excited to introduce our new Executive Director, share insights from Techweek25’s Foundations for Tomorrow Event.

Andy Higgs Appointed as New Executive Director

We’re pleased to announce that Andy Higgs has joined Digital Identity NZ as our new Executive Director.

Andy brings over 20 years of experience across digital identity, AI strategy, and innovation in both public and private sectors. His background includes leadership roles at Futureverse and Centrality, where he focused on self-sovereign identity solutions and ecosystem partnerships.

His experience extends to policy development with the Department of Internal Affairs and Ministry of Business, Innovation and Employment, including work on the Digital Identity Services Trust Framework and the Consumer Data Right.

Andy’s collaborative approach will be valuable as DINZ continues to work alongside members to build a trusted digital identity ecosystem for everyone in Aotearoa.

Digital Public Infrastructure: Foundations for Tomorrow Event

During Techweek25, government, industry, and public sector leaders gathered at Parliament’s Legislative Chamber to discuss how digital public infrastructure (DPI) could transform service delivery across New Zealand.

Key takeaways for the digital identity community:

Ministerial vision: Hon Judith Collins KC announced plans for an all-of-government app allowing citizens to store digital credentials, receive notifications, and access services in one secure digital space.
  Economic benefits: Pete Herlihy from AWS highlighted that digital identity is one of four core components of DPI that can deliver significant economic growth—between 1-2% of GDP in developed nations.
  Human-centered approach: Deloitte’s Adithi Pandit emphasised how unified digital infrastructure could enable more joined-up social services and reduce fragmentation.
  Implementation plans: Public Service Commissioner Sir Brian Roche indicated a move toward greater centralisation with prescribed platforms and standards to make digital infrastructure a low-cost utility.
  Industry perspective: Xero founder Rod Drury called for greater urgency in digital identity implementation, suggesting New Zealand could leverage its small size to move quickly and “solve digital identity by Christmas.”

Read the full event recap here.

Member News

Our DINZ community continues to grow! We’re delighted to welcome POLipay as a member and look forward to featuring and engaging them in our ecosystem.

See all organisation members here.

Stay Connected

Thank you for being part of our community. We look forward to sharing more updates next month. 

Ngā mihi nui,

The team at Digital Identity NZ

Read full news here: Introducing Our New Executive Director | May Newsletter

SUBSCRIBE FOR MORE

The post Introducing Our New Executive Director | May Newsletter appeared first on Digital Identity New Zealand.

ABSTRACT: “Fair Witnessing” is a new approach for asserting and interpreting digital claims in a way that mirrors real-world human trust: through personal observation, contextual disclosure, and progressive validation. It can be implemented with the decentralized architecture of Gordian Envelopes to allow individuals to make verifiable statements while balancing privacy, accountability, and interpretability. At its core, fair witnessing is not about declaring truth, it’s about showing your work.

In the early days of decentralized identity, we referred to what we were working on as “Verifiable Claims.” The idea was simple: let people make cryptographically signed statements and allow others to verify them. But something unexpected happened. People assumed these claims would settle arguments or stop disinformation. They saw the term “verifiable” and equated it with “truth.”

The reality was more modest: we could verify the source of a claim but not its accuracy. We could assert that a claim came from a specific person or organization (or even camera or other object) but not whether that claim was unbiased, well-observed, or contextually complete.

This misunderstanding revealed a deeper problem: how do we represent what someone actually saw and how they saw it, in a way that honors the complexity of human trust?

A Heinleinian Inspiration

Iin Stranger in a Strange Land, Robert Heinlein described a special profession: the Fair Witness. A Fair Witness would be trained to observe carefully, report precisely, make no assumptions, and avoid bias. If asked what color a house was, a Fair Witness would respond, “It appears to be white on this side.”

It is this spirit we want to capture to fulfill the promise of the original verifiable claims.

A Fair Witness in our digital era is someone who not only asserts a claim but also shares the conditions under which it was made, including context, methodology, limitations, and bias:

What were the physical conditions of the observation? Was the observer physically present? Did they act independently? What interests or leanings might have shaped their perception? How did they minimize those biases?

These are not just nice-to-haves. They are necessary components of evaluating a claim’s credibility.

Beyond Binary Trust

Fair witnessing challenges binary notions of trust. Traditional systems ask a “yes” or “no” question: do you trust this certificate? This issuer?

But trust is rarely binary like this in the real world. It is layered, contextual, and progressive. The claim made by a pseudonymous environmental scientist might start out with low trust but could grow in credibility as:

They reveal their professional history. Others endorse their work. They disclose how they mitigated their potential biases.

Trust builds over time, not in a single transaction. That’s progressive trust.

Trust as a Nested Statement

To marry a fair witness claim to the notion of progressive trust requires the nesting of information. As shown in the example of the environmental scientist, the witnessing of an observation gains weight as the context is added: turning the scientist’s claims into a fair-witness statement required collecting together information about who the scientist is, what their training is, and what their peers think of them.

But as noted, progressive trust isn’t something that occurs in a single transaction: it’s revealed over time. We don’t want it to all be revealed at once, because that could result in information overload for someone consulting a claim and could have privacy implications for the witness.

A progressive trust model of fair witnessing requires that you show what you must and that you withhold what’s not needed—until it is.

Privacy and Accountability, Together

This model strikes a crucial balance. On one hand, it empowers individuals (fair witnesses) to speak from experience without needing permission from a centralized authority. On the other hand, it allows others to verify the integrity of the claim without requiring total exposure.

There are numerous use cases:

You can prove you were trained without revealing your name. You can demonstrate personal observation without revealing your exact location. You can commit to a fact today and prove you knew it later. Fair Witnessing with Gordian Envelope

The demands of Fair Witnessing go beyond the capabilities of traditional verifiable credentials (VCs), primarily because VCs can’t remove signed information but maintain its validation—and the ability to do so is critically important if you want to nest information for revelation over time.

Fortunately, a technology already exists that provides this precise capability: Blockchain Commons’ Gordian Envelope, which allows for: the organized storage of information; the validation of that information through signatures; the elision of that information; the continued validation of the information after elision; and the provable restoration of that information.

Any subject, predicate, or object in Gordian Envelope can itself be a claim, optionally encrypted or elided. This enables a deeply contextual, inspectable form of expression.

For example:

Alice could make a fair-witness observation, which would be an envelope. Information on the context of Alice’s assertion can be a sub-envelope. A credential for fair witness training can be a sub-envelope. Endorsements of Alice’s work as a fair witness can be sub-envelopes. Endorsements, credentials, and even the entire envelope can be signed by the appropriate parties. Any envelope or sub-envelope can be elided, without affecting these signatures and without impacting the ability to provably restore the data later.

It’s progressive trust appropriate for use with fair witnessing in an existing form!

Toward a New Epistemology

Being a Fair Witness isn’t about declaring truth. It’s about saying what’s known, with context, so others can assess what’s truth. Truth, in this model, is interpreted, not imposed. A verifier—or a jury—decides if a claim is credible, not because a central authority says so, but because the Fair Witness has provided information with sufficient context and endorsements.

In other words, fair witnessing is not about what is true, but about how we responsibly say what we believe to be true—and what others can do with that.

This is epistemology (the theory of knowledge) that’s structured as a graph. It’s cryptographically sound, privacy-respecting, and human-auditable. It reflects real-world trust: messy, contextual, and layered. By modeling that complexity rather than flattening it, we gain both rigor and realism.

Conclusion

In a world of machine-generated misinformation, ideological polarization, and institutional distrust, we must return to the foundations: observation, context, and human responsibility.

Fair witnessing offers a new path forward—one that is verifiable, privacy-respecting, and grounded in how humans actually trust.

Learn more: [ Progressive Trust Gordian Envelope ]

After decades of cautiously watching from the sidelines, governments around the world have started investing in, rolling out, and regulating digital identity systems on aggressive timelines. These foundational changes to government infrastructure and the economy are happening largely outside public awareness, despite their generational consequences for privacy.

Digital identity systems implemented by governments today will shape privacy for decades. Whatever ecosystems and technical architectures are established in the coming years could ossify quickly, and it would take enormous political will to make changes at such a foundational level if society develops buyer's remorse once the ripple effects become clear.

That's why nearly 100 experts across technology, policy, and civil liberties have united around one principle: digital identity systems must be built without latent tracking capabilities that could enable ubiquitous surveillance. Thus, the nophonehome.com petition.

Who's Behind This

Civil society groups working on legal advocacy and industry oversight (ACLU, EFF), cybersecurity experts (including Bruce Schneier), privacy-by-design software companies of various sizes (Brave, many DIF members), and experts from university faculties (Brown, Columbia, Imperial College London) all signed on. The list includes authors of collaborative open standards, chief executives, state privacy officers, and other public servants. This is not a coalition of "activists" so much as a broad coalition of experts and policy-watchers sounding an alarm about consequential decisions passing largely unnoticed by the average citizen and end-user.

The breadth of this coalition reflects widespread concern about the technical and policy implications of embedded tracking capabilities.

What "Phone Home" Means

As a general rule, "phone-home" is a shorthand for architectural principles of tracking enablement (just as "no phone-home" refers to tracking mitigation, broadly speaking). When a verifier of credentials interacts directly with the credential's issuer—even if just to check validity or revocation status—they are "phoning" the credential's "home." This opens the subject and/or the holder of that credential to privacy risks, no matter how well the request is anonymized or handled. These API connections create data that can be combined, correlated, and abused, especially when verifiers share information or when issuers abuse their role.

The risks multiply when applied across domains. Federated protocols developed for use within organizations become surveillance systems when used between different sectors or jurisdictions. Phone home capabilities that seem innocuous within a single domain can become tools for tracking and control when applied broadly without aggressive oversight and fine-tuning. Over time, little mismatches and slippages in how these protocols work get exploited and stretched, amplifying glitches.

In the worst-case scenario, some systems enable real-time revocation decisions, giving issuers—potentially governments—immediate control over citizens' ability to access services, travel, or participate in society. A natural tendency to "over-request" foundational documents in situations where such strong identification is unjustified is amplified by familiarity, lack of friction, and other UX catnip; all the SHOULDs in the world won't stop verifiers from doing it. And verifiers over-asking without also providing a fallback or "slow lane" can make a sudden or temporary unavailability of foundational credentials painful or even exclusionary. The side-effects and externalities pile up dangerously in this industry!

Technologists see these kinds of capabilities (phone-home of any kind, remote revocation, low-friction foundational identity requests) like loaded guns in Act 1 of a Chekhov play: "If this capability exists within a digital identity system, even inactively, it will eventually be misused."

The Scale and Timing Problem

Most foundational identity systems being implemented for national-scale deployment include system-wide phone home tracking capabilities, either actively or latently. Many policymakers involved in these rollouts are not even aware of the tracking potential built into the standards they are adopting.

Four factors make this moment critical:

Scale of deployment: These systems will serve billions of users across developed nations, effectively replacing physical credentials. Precedent-setting effects: When one jurisdiction adopts tracking-enabled systems, it influences global practices and standards. Infrastructure persistence: Technical decisions made today will persist for decades, becoming prohibitively expensive to change once embedded. Mission creep inevitability: Capabilities developed for legitimate purposes like fraud prevention naturally accrue new private-sector and/or public-sector use-cases over time due to natural market pressures. Today's private-sector usage is tomorrow's public-sector secondary data market. The Fallacy of "Privacy by Policy"

The fundamental problem with latent tracking capabilities is that policies change, but technical architecture persists. If a system has surveillance capability—even if unused—it will eventually be activated. Emergencies, changing administrations, or shifting political priorities can quickly justify "pressing the button" to enable widespread tracking.

The solution is simple: they cannot press a button they do not have.

Consider AAMVA's recent decision to prohibit the "server retrieval" capability throughout the U.S.—a positive step that we welcome. However, most low-level implementations (e.g. core libraries) will likely implement the entire specification and leave it to the last-mile implementers to honor (or not) this policy. As an incubator of new specifications and prototypes, DIF feels strongly that jurisdiction-by-jurisdiction policies is just "turning off" what the specification still instructs software to implement for later policies to turn back on at the flick of a switch. We believe the underlying ISO specification needs to remove "server retrieval" completely, lest every authority in the U.S. remain one emergency away from activating broad, identity-based surveillance of all citizens.

Privacy-Preserving Alternatives Exist

The choice between security and privacy is false. Offline-first verification operates without server communication—the credential contains cryptographic proofs that can be validated independently. The ISO 18013-5 standard itself includes "device retrieval" mode, a privacy-preserving alternative that functions entirely offline.

Even credential revocation can be implemented without phone home capabilities. Privacy-preserving revocation systems are in production today, proving that security and privacy can coexist.

The technology exists. The standards exist. What has been missing is commitment to prioritize privacy over the operational convenience of centralized tracking.

Moving Forward

Awareness is growing. We welcome developments like AAMVA's prohibition of server retrieval, but more work is needed across the broader digital identity ecosystem to eliminate latent surveillance capabilities entirely.

The Decentralized Identity Foundation develops standards that prioritize privacy, supports implementations that respect user autonomy, and advocates for technical architectures that prevent tracking and add friction to data misuse. Our membership includes many technologists and vendors designing tracking-free alternatives for these and other use cases.

We encourage you to read the full No Phone Home statement at https://nophonehome.com. Whether you are building, deploying, or using these systems, your voice matters at this critical juncture.

The question is not whether we can build privacy-preserving digital identity—it is whether we will choose to do so. Let's build it right.

The Decentralized Identity Foundation (DIF) is an engineering-driven organization focused on developing the foundational elements necessary to establish an open ecosystem for decentralized identity and ensure interoperability between all participants. Learn more at identity.foundation.

OASIS Members Advance Digital Lexicography with an Interoperable Data Model for Dictionaries

Boston, MA – 29 May 2025 – Members of OASIS Open, the global open source and standards organization, have approved the Data Model for Lexicography (DMLex) Version 1.0 as an OASIS Standard, a status that signifies the highest level of ratification. Developed by the OASIS Lexicographic Infrastructure Data Model and API Technical Committee (LEXIDMA TC), DMLex v1.0 establishes a groundbreaking framework for internationally interoperable lexicographic work, advancing innovation in digital dictionaries, language services, and related industries. 

“We’re incredibly proud of what we’ve achieved with DMLex v1.0. This is a lifechanging milestone for lexicography, paving the way for a new level of digitisation and for truly innovative applications,” said Michal Měchura, Chair of the OASIS LEXIDMA TC. “By providing a common framework for structuring and exchanging lexicographic resources, DMLex empowers language documentors around the world to manage their content more effectively, to collaborate and to build smarter language technologies.”

Lexicography has undergone a profound transformation in the digital age, with dictionaries now being compiled from language corpora and consumed through web platforms, mobile apps, and integrated into search engines, writing tools, and machine translation software. However, legacy data models have been hampering further innovation. DMLex v1.0 addresses these challenges by introducing a modular, IT-friendly, and content-rich data model designed to meet the needs of both lexicographers and technology developers. DMLex has been designed to be easily and straightforwardly implementable in XML, JSON, RDF, NVH, as a relational database, and as a Semantic Web triplestore.

OASIS encourages widespread adoption of DMLex v1.0 and invites feedback from lexicographers, developers, and other stakeholders to further enhance its capabilities. Participation in the LEXIDMA TC is open to all through membership in OASIS. For more information, visit the TC homepage and read Michal Měchura’s blog post exploring the goals and impact of DMLex.

The post Data Model for Lexicography Approved as an OASIS Standard appeared first on OASIS Open.

In 1958, Oliver R. Smoot, a student at MIT, was famously used as a human measuring stick to measure the length of the Harvard Bridge. Smoot, measuring a mere 5 foot 7 inches (1.70 m), would lay down on the bridge as his associates noted his position. It took a fair bit of time to measure the bridge as Smoot had to be carried by his associates to each new position – but the effort was well worth it. Thus, a playful, unconventional unit of measure was born. Over the years, smoot is remembered as a symbol of creativity, collaboration, and the unique quality of grassroots development. 

Mercari, the Japanese e-commerce company behind the Mercari marketplace, has surpassed 10 million registered users of passkeys for authentication.

Yubico, a provider of hardware authentication security keys, has announced the expanded availability of YubiKey as a Service to all countries in the European Union.

This builds upon the company’s existing reach in markets such as the UK, U.S., India, Japan, Singapore, Australia and Canada. In addition, Yubico has expanded the availability of YubiEnterprise Delivery across 117 new locations around the world.

This now brings the total to 199 locations (175 countries and 24 territories and it more than doubles existing delivery coverage of YubiKeys to both office and remote users in a fast nad turnkey way. “Enterprises today are facing evolving cyber threats like AI-driven phishing attacks,” said Jeff Wallace, senior vice president of product at Yubico.

Authentication software company Entersekt has launched a partnership with South Africa-based PayTech solution provider Stanchion.

The partnership is aimed at “enhancing payment integration capabilities and delivering cutting-edge solutions to financial institutions worldwide,” the companies said in a Wednesday (May 21) news release.

The collaboration combines Stanchion’s tools for “modernizing, transforming, and accelerating innovation within payment systems” with Entersekt’s 3-D Secure payment authentication solution, which provides transaction authentication across all three domains: the merchant acquirer domain, the card issuer domain and the interoperability domain.

Passwords have been used as the first line of defense in protecting one’s digital identity, but they are fast becoming obsolete due to rampant identity theft. There seems to be no value in passwords anymore due to the increase in breaches of security systems on different platforms. This calls for an easier method of suppressing theft.

It is equally important to recognize the rise of passkeys as they help a great deal in bolstering digital identity protection.

As a precursor to the LF Decentralized Trust Mentorship 2025 Project, “Blockchain-Based OAuth 2.0 Authorization in 5G Core Networks with Hyperledger Fabric,” this blog is the first in a series that explores the evolution of OAuth 2.0 authorization in 5G Core Networks, highlighting its current limitations and the potential of decentralized frameworks to enhance security. In this series, we will discuss how OAuth 2.0 operates in 5G, its risks, and how the integration of Hyperledger Fabric can overcome these challenges.

WAO is currently working with the Responsible Innovation Centre for Public Media Futures (RIC), which is hosted by the BBC. The project, which you can read about in our kick-off post, is focused on research and analysis to help the BBC create policies and content to help improve the AI Literacy skills of young people aged 14–19.

We’re now at the stage where we’ve reviewed academic articles and resources, scrutinised frameworks, and reviewed input from over 40 experts in the field. They are thanked in the acknowledgements section at the end of this post.

One of the things that has come up time and again is the need for an ethical basis for this kind of work. As a result, in this post we want to share the core values that inform the development of our (upcoming) gap analysis, framework, and recommendations.

Public Service Media Values

Public Service Media (PSM) organisations such as the BBC have a mission to “inform, educate, and entertain” the public. The Public Media Alliance lists seven PSM values underpinning organisations’ work as being:

Accountability: to the public who fund it and hold power to account Accessibility: to the breadth of a national population across multiple platforms Impartiality: in news and quality journalist and content that informs, educates, and entertains Independence: both in terms of ownership and editorial values Pluralism: PSM should exist as part of a diverse media landscape Reliability: especially during crises and emergencies and tackling disinformation Universalism: in their availability and representation of diversity

These values are helpful to frame core values for the development of AI Literacy in young people aged 14–19.

AI Literacy Core Values

Using the PSM values as a starting point, along with our input from experts and our desk research, we have identified the following core values. These are also summarised in the graphic at the top of this post.

1. Human Agency and Empowerment

AI Literacy should empower young people to make informed, independent choices about how, when, and whether to use AI. This means helping develop not just technical ability, but also confidence, curiosity, and a sense of agency in shaping technology, rather than being shaped by it (UNESCO, 2024a; Opened Culture, n.d.). Learners should be encouraged to question, critique, adapt, and even resist AI systems, supporting both individual and collective agency.

2. Equity, Diversity, and Inclusion

All young people, regardless of background, ability, or circumstance should have meaningful access to AI Literacy education (Digital Promise, 2024; Good Things Foundation, 2024). Ensuring this in practice means addressing the digital divide, designing for accessibility, and valuing diverse perspectives and experiences. Resources and opportunities must be distributed fairly, with particular attention to those who are digitally disadvantaged or underrepresented.

3. Critical Thinking and Responsible Use

Young people should be equipped to think critically about AI, which means evaluating outputs, questioning claims, and understanding both the opportunities and risks presented by AI systems. In addition, young people should be encouraged to understand the importance of responsible use, including understanding bias, misinformation, and the ethical implications of AI in society (European Commission, 2022; Ng et al., 2021).

4. Upholding Human Rights and Wellbeing

Using a rights-based approach — including privacy, freedom of expression, and the right to participate fully in society — helps young people understand their rights, navigate issues of consent and data privacy, and recognise the broader impacts of AI on wellbeing, safety, and social justice (OECD, 2022; UNESCO, 2024a).

5. Creativity, Participation, and Lifelong Learning

AI should be presented as a tool for creativity, collaboration, and self-expression, not just as a subject to be learned for its own sake. PSM organisations should value and promote participatory approaches, encouraging young people to contribute to and shape the conversation about AI. This core value also recognises that AI Literacy is a lifelong process, requiring adaptability and a willingness to keep learning as technology evolves (UNESCO, 2024b).

Next Steps

We will be running a roundtable for invited experts and representatives of the BBC in early June to give feedback on the gap analysis and emerging framework. We will share a version of this after acting on their feedback.

If you are working in the area of AI Literacy and have comments on these values, please add them to this post, or get in touch: hello@weareopen.coop

Acknowledgements

The following people have willingly given up their time to provide invaluable input to this project:

Jonathan Baggaley, Prof Maha Bali, Dr Helen Beetham, Dr Miles Berry, Prof. Oli Buckley, Prof. Geoff Cox​, Dr Rob Farrow, Natalie Foos, Leon Furze, Ben Garside, Dr Daniel Gooch, Dr Brenna Clarke Gray, Dr Angela Gunder, Katie Heard, Prof. Wayne Holmes, Sarah Horrocks, Barry Joseph, Al Kingsley MBE, Dr Joe Lindley, Prof. Sonia Livingstone, Chris Loveday, Prof. Ewa Luger, Cliff Manning, Dr Konstantina Martzoukou, Prof. Julian McDougall, Prof. Gina Neff, Dr Nicola Pallitt, Rik Panganiban, Dr Gianfranco Polizzi, Dr Francine Ryan, Renate Samson, Anne-Marie Scott, Dr Cat Scutt MBE, Dr Sue Sentance, Vicki Shotbolt, Bill Thompson, Christian Turton, Dr Marc Watkins, Audrey Watters, Prof. Simeon Yates, Rebecca Yeager

References Digital Promise (2024). AI Literacy: A Framework to Understand, Evaluate, and Use Emerging Technology. https://doi.org/10.51388/20.500.12265/218 European Commission (2022) DigComp 2.2, The Digital Competence framework for citizens. Luxembourg: Publications Office of the European Union. https://doi.org/10.2760/115376. Good Things Foundation (2024) Developing AI Literacy With People Who Have Low Or No Digital Skills. Available at: https://www.goodthingsfoundation.org/policy-and-research/research-and-evidence/research-2024/ai-literacy Jia, X., Wang, Y., Lin, L., & Yang, X. (2025). Developing a Holistic AI Literacy Framework for Children. In Proceedings of the 2025 CHI Conference on Human Factors in Computing Systems (pp. 1–16). ACM. https://doi.org/10.1145/3727986 Ng, D. T. K., Leung, J. K. L., Chu, S. K. W., & Qiao, M. S. (2021). Conceptualizing AI literacy: An exploratory review. Computers and Education: Artificial Intelligence, 2(100041), 100041. https://doi.org/10.1016/j.caeai.2021.100041 OECD (2022) OECD Framework for Classifying AI Systems. Paris: OECD Publishing. https://www.oecd.org/en/publications/oecd-framework-for-the-classification-of-ai-systems_cb6d9eca-en.html Opened Culture (n.d.) Dimensions of AI Literacies. Available at: https://openedculture.org/projects/dimensions-of-ai-literacies Open University (2025) A framework for the Learning and Teaching of Critical AI Literacy skills. Available at: https://www.open.ac.uk/blogs/learning-design/wp-content/uploads/2025/01/OU-Critical-AI-Literacy-framework-2025-external-sharing.pdf UNESCO (2024a) UNESCO AI competency framework for students. Available at: https://unesdoc.unesco.org/ark:/48223/pf0000391105 UNESCO (2024b) UNESCO AI Competency Framework for Teachers. Available at: https://unesdoc.unesco.org/ark:/48223/pf0000391104

ISL presented at ConPro 2025’s 9th Workshop on Technology and Consumer Protection. The conference was a perfect opportunity to showcase our presentation on Safetypedia: Crowdsourcing Mobile App Privacy and Safety Labels.

Open PDF

The post IEEE’s ConPro ’25: Safetypedia: Crowdsourcing Mobile App Privacy and Safety Labels appeared first on Internet Safety Labs.

Many in the DIF community are asking about the upcoming Global Digital Collaboration conference in Geneva. As the date is quickly arriving, we wanted to give a sneak preview of what's ahead.

Table of Contents:

About the GDC Conference The Agenda Learn more and participate About the GDC Conference Key Details When: July 1-2, 2025 Where: Centre International de Conférences Genève (CICG), Switzerland Cost: Free (registration required) Register: https://lu.ma/gc25 (registration is available through any co-organizing partner) What is the GDC?

Global Digital Collaboration is a landmark gathering bringing together 30+ global organizations to advance digital identity, wallets, and credentials - hosted by the Swiss Confederation.

What makes this conference truly unique is that, from the beginning, it's been co-organized by the participating organizations, who have worked with their communities, and with each other, to form an agenda that will help advance the most critical topics in digital identity.

Rather than being driven by a single organization's vision, the GDC represents a collaborative effort where international organizations, standards bodies, open-source foundations, and industry consortia have jointly defined priorities and sessions that address the most pressing challenges in digital trust infrastructure. This multi-stakeholder approach ensures broader perspectives are represented and creates unprecedented opportunities for alignment across traditionally separate communities.

Why Attend? Unprecedented collaboration: This conference's collaborative nature bridges organizations that rarely coordinate at this scale. Connect: Connect with peers from government and private sectors to advance standards coordination, cross-border interoperability, and robust digital public infrastructure Network with experts: Engage directly with technical leaders, government officials, and industry pioneers shaping the future of digital trust Who Is Organizing?

The current list of co-organizers can be seen in the header image, with more to be added later this week. As a brief preview, this includes:

International & Government Organizations

European Commission (DG-CNECT) International Telecommunication Union (ITU) United Nations Economic Commission for Europe (UNECE) World Health Organization (WHO)

Standards Development Organizations & Open Source Foundations

Decentralized Identity Foundation (DIF) Eclipse Foundation European Telecommunications Standards Institute (ETSI) FIDO Alliance International Electrotechnical Commission (IEC) International Organization for Standardization (ISO) Linux Foundation Decentralized Trust (LFDT) OpenWallet Foundation (OWF) Trust Over IP (TOIP) World Wide Web Consortium (W3C)

Industry Consortia

Cloud Signature Consortium (CSC) Digital Credentials Consortium (DCC) Global Legal Entity Identifier Foundation (GLEIF)

Next, we'll look at the exciting conference agenda and highlight key sessions for the DIF community.

The Agenda

The conference is structured across two distinct days, each with a specific purpose. Day 1 features plenary sessions designed to provide comprehensive overviews of global initiatives and sector-specific developments in digital identity. This agenda is nearly finalized and a draft has been published.

Day 2 offers a more interactive format with parallel presentations, technical deep dives, workshops, and collaborative sessions. The preliminary Day 2 schedule will be published next week, but we can share an early preview of the key themes and sessions that should be of particular interest to the DIF community.

Day 1: Global Landscape & Sector Scan Morning sessions feature updates from government and industry stakeholders worldwide Afternoon sessions explore major use cases across sectors including travel, health, education, and finance Morning: Opening & Global Landscape Opening addresses by leaders from ITU, ISO, WHO, and more Regional updates from: European Commission Switzerland United States China/Singapore Japan India Korea Australia Global South Afternoon: Sector Updates 🚘 Driving Licenses 🧳 Travel Credentials ⚕️ Health Credentials 📚 Educational Credentials 📦 Trade 💸 Payments 🏢 Organizational Credentials 🪙 Digital Assets 🪪 Standards for ID and Wallets 🔏 Digital Signatures 🔑 Car Keys Day 2: Technical Deep Dives and Working Sessions

Day 2 features parallel sessions where participants will be encouraged to follow their interests plus share their experience and expertise.

Parallel sessions across multiple tracks including:

Privacy & Security: Zero-knowledge proofs, unlinkability Industry and Organizational Focus: Industry 4.0, Digital Product Passports, European Business Wallet Implementation & Deployment: Real-world wallet applications Standards & Interoperability: Cross-border credential exchange Policy & Regulation: Governance frameworks Emerging Technology: Emerging needs around AI and digital identity Demo Hour: See wallet applications and more Learn More and Participate Get Updates

There will soon be a GDC web site to more easily access event information and schedule. For now, we recommend:

Follow Global Digital Collaboration on LinkedIn And of course, subscribe to the DIF blog for additional updates focused on the DIF community Ready to Register?

You can also register through any co-organizer available at https://lu.ma/gc25

👉 DIF community members are encouraged to use DIF's dedicated registration link: https://lu.ma/gc25-dif

Tickets are free of charge and grant full access to the entire conference, regardless of the organization used during registration

Hotels & Discounts

The upcoming GDC web site will be updated with the latest information. For now, feel free to use the discount codes on this google document.

Looking Forward

The Global Digital Collaboration conference represents a unique opportunity for advancing digital identity solutions that can work across borders while putting users in control. DIF is committed to ensuring privacy and agency remain front and center in these conversations.

For those in the DIF community and beyond, this is an unparalleled opportunity to shape the future of digital identity in collaboration with global decision-makers and implementers.

How do you build a beverage brand from scratch and land in over a thousand stores?

For Aisha Chottani, it started with stress and a few homemade “potions”.

In this episode, Aisha, Founder and CEO of Moment, joins hosts  Reid Jackson and Liz Sertl to talk through what really goes into launching and scaling a functional drink brand. From labeling boxes by hand to managing relationships with co-packers and navigating supply chain failures, Aisha shares the behind-the-scenes story most startup founders keep to themselves.

She also gets real about what went wrong, like barcode mix-ups and Amazon returns gone sideways, and how those lessons became systems that power Moment’s growth today.

In this episode, you’ll learn:

Why small brands need relationships more than volume

How early mistakes can turn into long-term wins

What to watch out for when scaling distribution and operations

Jump into the conversation:

(00:00) Introducing Next Level Supply Chain

(01:34) Building a global mindset from four continents

(03:07) From McKinsey burnout to homemade “potions”

(06:06) Barcode errors and the pain of early logistics

(08:21) Growing Moment to 1,000 stores and 30 DCs

(11:33) What small brands can leverage on

(14:06) Collaborating with Lululemon

(17:15) Why Moment leans into a subscription model 

(20:39) Operational failures to learn from

(27:36) Aisha’s favorite technology

Connect with GS1 US:

Our website - www.gs1us.org

GS1 US on LinkedIn

 

Connect with the guest:

Aisha Chottani on LinkedInCheck out Moment

Play Video

Watch the full recording on YouTube.

Status: Verified by Presenter

Please note that ToIP used Google NotebookLM to generate the following content, which the presenter has verified.

Google NotebookLM Podcast

https://trustoverip.org/wp-content/uploads/EGWG-2025-05-15_-The-C2PA-Conformance-Program-Scott-Perry.wav

Here is a detailed briefing document reviewing the main themes and most important ideas or facts from the provided source, generated by Google’s NotebookLM:

Briefing Document: Review of C2PA and its Governance

Date: May 15, 2024
Source: Excerpts from “GMT20250515-145218_Recording_2560x1440.mp4”
Presenter: Scott Perry, Co-chair of Trust over IP’s Foundations Steering Committee, Founder and CEO of the Digital Governance Institute, Co-chair of the Creator Assertions Working Group at the Decentralized Identity Foundation (DIF).
Topic: C2PA (Coalition for Content Provenance and Authenticity) and the Application of Trust over IP’s Governance Metamodel.

1. Executive Summary

This briefing summarizes a presentation by Scott Perry on the Coalition for Content Provenance and Authenticity (C2PA) and the application of the Trust over IP (ToIP) governance metamodel to its conformance program. The C2PA is an industry-wide initiative creating a technical standard to attach “truth signals” or provenance information to digital objects. Facing a critical need to operationalize and govern this specification to ensure market trust and adoption, the C2PA has adopted the ToIP governance metamodel. This framework provides the necessary structure to establish a conformance program, define roles and responsibilities, manage risks, and create trust lists for compliant products and certification authorities. The program is set to officially launch on June 4th, initially focusing on self-assertion for conformance and introducing two levels of implementation assurance, with plans for independent attestation and higher assurance levels in the future.

2. Key Themes and Ideas The Problem of Trust in Digital Objects: The presentation highlights the growing challenge of establishing trust and authenticity for digital content in a world of easily manipulated or AI-generated media. This is particularly relevant for industries like telecommunications struggling with identity and verification, as noted by a participant’s observation about OTPs and SMS verification. C2PA as a Standard for Provenance and Authenticity: The C2PA specification aims to provide a technical solution by creating a “content credential” or manifest that is cryptographically bound to a digital object. This manifest acts as a ledger of actions taken on the object, providing a history and “nutrition label” of its source and modifications. “basically, it’s all of the major tech companies except Apple… coming together to create a standard for provenence, authenticity, truth signals on digital objects that can be digitally attached to digital objects.” Content Credential (Manifest): This is the core mechanism of the C2PA. It is a digitally attached ledger of actions taken on a digital object, such as “Camera took picture,” “edited picture,” or “an AI took this picture.” This manifest is “bound to it and linked to it” in a “cryptographically binding format,” providing tamper evidence. Scope of C2PA Responsibility: The C2PA primarily focuses on “created assertions,” which are “product-driven,” documenting actions taken within a product (e.g., a camera generating a picture, Photoshop editing an image). Distinction from “Gathered Assertions”: The C2PA does not take responsibility for “gathered assertions,” which are claims made by individuals or organizations outside of a product (e.g., “I Scott Perry took the picture” or industry-specific identifiers). These are the purview of other groups like CAWG (Content Authenticity Working Group) and related efforts like the Creator Assertions working group at DIF. Binding Mechanism: The C2PA uses X.509 certificates to bind the generator product to the digital asset. “when a picture is taken, the X509 certificate will be used will be binding it will be used to bind it bind the product to the asset.” This requires camera manufacturers and other product vendors to obtain certificates from approved Certification Authorities (CAs). The Need for Governance: While the C2PA created a technical specification, they recognized the critical need for a governance framework to operationalize and control the standard’s implementation and use in the market. “the key aspect is you have a spec out but you can’t control the use of the specification… they couldn’t get, you know, their arms around, you know, the on controlling its the specification use.” Application of ToIP Governance Metamodel: Scott Perry highlights how the ToIP governance metamodel provided the necessary structure for the C2PA to build its conformance program. “I came in with my toolkit from the the trust over IP project and it worked beautifully. It just created the structure to allow them to make the right decisions for themselves.” Key Components of the Governance Program (based on ToIP):Risk Assessment: Started with a “threats and harms task force” to identify major risks, particularly around the tampering of evidence and manifests. Governance Requirements and Framework: Defined primary documents (specification, security requirements, legal agreements) and control documents (privacy, inclusion, equitability requirements). A key output is a glossary of terms for the new ecosystem. Governance Roles and Processes: Identified key roles: the Governing Authority (C2PA Steering Committee), the Administering Party (Conformance Task Force), and Governed Parties (CAs, Generator Product companies, Validator Product companies). Legal Agreements: Formal agreements are being established between the C2PA and governed parties outlining roles, responsibilities, conformance requirements, and dispute resolution mechanisms. Conformance Criteria and Assurance: Defined based on the C2PA specification and implementation security requirements. The program includes “four levels of of assurance around the implementation of products,” though initially rolling out with two levels. These levels are tied to “security objectives” and assessed against the “target of evaluation” (the product and its supporting infrastructure). Conformance Process: Involves an intake form, application review, assessment of infrastructure (initially self-assertion, moving towards independent attestation), legal agreement signing, and adding records to trust lists. Residual Risk Assessment and Adaptation: The program includes a process to learn from the rollout, identify unmet requirements or issues, and adapt the program for continuous improvement. Trust Lists (Registries): Central to the program are trust lists identifying approved Generator Products, Validator Products, and Certification Authorities. A timestamp authority trust list is also being added. Levels of Assurance: The program is defining levels (initially rolling out two) to reflect different degrees of confidence in the implementation of the C2PA specification and associated security requirements. Achieving a higher level of assurance requires meeting all requirements for that level. Self-Assertion (Initial Rollout): Due to the complexity of auditing and getting the program launched quickly, the initial phase requires participants to self-assert that they meet the specification and requirements. Conformance Certificate: Upon successful conformance, products will receive a certificate tied to an OID (Object Identifier) denoting the assurance level they have achieved. This OID in the manifest’s certificate will identify the assurance level of the provenance information. JPEG Trust and Copyright: While C2PA provides provenance information that can be used for copyright, it doesn’t define ownership or copyright laws. JPEG Trust is mentioned as an organization creating an ISO standard focused on copyrights in concert with the C2PA standard. Relationship with W3C: The C2PA is actively engaged with the W3C, with discussions happening at the technical working group level regarding related standards like PROV (for provenance). Future Directions: Plans include introducing higher levels of assurance, implementing independent attested conformance, developing quality control software for assessing product compliance, and establishing a fee structure for the conformance program. CAWG (Content Authenticity Working Group) as a Broader Ecosystem: CAWG is viewed as a potentially larger ecosystem dealing with identity, metadata, endorsements, and AI learning process specifications, which will need to create their own applications and standards that can integrate with the C2PA foundation. 3. Important Ideas and Facts The C2PA is the Coalition for Content Provenance and Authenticity. It includes major tech and product manufacturers, excluding Apple initially but aiming to include them. The core technical output is the Content Credential (Manifest), a digitally attached ledger of actions on a digital object. The manifest provides tamper evidence and binds the product to the asset using X.509 certificates. C2PA focuses on “created assertions” (product-driven actions), leaving “gathered assertions” (individual/organizational claims) to other groups like CAWG. The Trust over IP governance metamodel has been successfully applied to structure the C2PA conformance program. The program addresses threats and harms related to tampering and requires adherence to implementation security requirements. The C2PA conformance program will officially launch on June 4th at the Content Authenticity Initiative symposium in New York City. The initial launch will include two levels of implementation assurance and a self-assertion confidence model. Key outputs of the governance program are legal agreements and trust lists of conforming products and certification authorities. The C2PA standard is becoming an ISO standard this year. Timestamp authorities will play a crucial role in providing trust signals related to the time of claim assertion. The program includes mediation and dispute resolution mechanisms in its legal agreements. The governance program provides the structure for the C2PA to “operationalize the spec” and control its use. 4. Key Quotes “basically, it’s all of the major tech companies except Apple… Coming together to create a standard for provenence, authenticity, truth signals on digital objects that can be digitally attached to digital objects.” “what it what it’s proposed to do is to create a ledger of actions against a digital object that is bound to it.” “It’s kind of the nutrition label on food… it’s really the nutrition label of all digital objects.” “The C2PA did not want to get involved in all of the the potential root, you know, actions and and variances about those types of things. They wanted to create the platform.” “They create the platform and they create the binding between the digital asset and the and the manifest using X509 certificates.” “The key aspect is you have a spec out but you can’t control the use of the specification… they couldn’t get, you know, their arms around, you know, the on controlling its the specification use.” “the governance program was needed to operationalize the spec. The spec was had, you know, a limitation in its usefulness without a governance program around it.” “I came in with my toolkit from the the trust over IP project and it worked beautifully. It just created the structure to allow them to make the right decisions for themselves.” “we’re creating a program which will hold generator and validator products accountable to the specific ification that’s already been published.” “We are creating two levels of implement implementation assurance and we are are using a self assertion confidence model we don’t have the mechanisms in place to hold organizations accountable for meeting the specification we don’t have an you know an assurance mechanism in place yet to do that.” “It is the hope that you know copyright laws can use the trust signals that are coming from the CTBA specification and conformance program in use for defining ownership and copyright.” “The conformance criteria is the spec and the spec is now at at level 2.2.” “we are looking at levels of assurance around the implementation of a product. Now it’s not just the product but it’s also its infrastructure.” “These are the kinds of records that were that are in the schema for the trust list.” 5. Next Steps Official launch of the C2PA conformance program on June 4th. Continued work on independent attestation and higher levels of assurance for the conformance program. Development of quality control software or processes for assessing product compliance. Ongoing collaboration with W3C and other relevant standards bodies. Further exploration of the broader CAWG ecosystem and its integration with C2PA.

This briefing provides a foundational understanding of the C2PA, its technical specification, and the crucial role of the newly established governance program, structured using the Trust over IP metamodel, in driving its adoption and ensuring trust in the digital content landscape.

For more details, including the meeting transcript, please see our wiki 2025-05-15 Scott Perry & The C2PA Conformance Program – Home – Confluence

https://www.linkedin.com/in/scott-perry-1b7a254/ https://digitalgovernanceinstitute.com/

The post EGWG 2025-05-15: The C2PA Conformance Program, Scott Perry appeared first on Trust Over IP.

NETOPIA Payments becomes the first online payment processor in the world to implement Click to Pay with Passkey FIDO (Fast Identity Online) – a modern online checkout solution built on EMV® global standards, designed to redefine the digital payment experience: faster, safer, and without manual card data entry.

Editors

Shane Weeden, IBM
An Ho, IBM

Abstract

Session hijacking is a growing initial attack vector for online fraud and account takeover. Because FIDO authentication reduces the effectiveness of other simpler forms of compromise, such as credential stuffing and phishing, cybercriminals turn to theft and re-use of bearer tokens. Bearer tokens are a form of credential which include session cookies used by browsers connecting to websites and OAuth access tokens used by other thick client application types such as native mobile applications. When these credentials are long-lived and can be “lifted and shifted” from the machine where they were created to be usable by a bad actor from another machine, their tradable value is significant. Emerging technologies such as Device Bound Session Credentials (DBSC) for browsers and Demonstrating Proof of Possession (DPoP) for OAuth applications seek to reduce the threat of session hijacking. This article describes how these technologies address the problem of session hijacking and how they complement strong phishing resistant authentication in online ecosystems.

Audience

This white paper is for chief information security officers (CISOs) and technical staff whose responsibility it is to protect the security and life cycle of online identity and access management from online fraud. 

Download the White Paper 1. Introduction

Authentication and authorization are integral parts of an identity lifecycle, especially for online credential ecosystems. The growing threat of online identity fraud with costly security incidents and breaches has enterprises looking for ways to protect and secure their workforces from account takeover through different attack vectors such as phishing, credential stuffing, and session hijacking. For authentication, FIDO authentication with passkeys provides users with “Safer, more secure, and faster online experiences”, and an increase in the adoption of passkeys has contributed to a reduction of the success of attack vectors of credential phishing, credential stuffing, and session hijacking accomplished via man-in-the-middle (MITM) phishing attacks. However, what happens after the authentication ceremony?

After authentication, browsers and application clients are typically issued other credentials. Enterprise applications generally fall into two primary categories: those that are web browser based and use session cookies for state management and those that are thick client applications using OAuth access tokens (this includes some browser-based single page applications and most native mobile applications). Both types of credentials (session cookies and access tokens) are considered, in their basic use, as “bearer” tokens. If you have the token (the session cookie or the access token), then you can continue to transact for the lifetime of that token as the user who authenticated and owned it.This whitepaper explores adjacent technologies that address the “lift and shift” attack vector for bearer tokens and how these technologies complement FIDO-based authentication mechanisms. In particular, this paper focuses on the proposed web standard Device Bound Session Credentials (DBSC) for protecting browser session cookies and OAuth 2.0 Demonstrating Proof of Possession (DPoP) for protecting OAuth grants.

2. Terminology

session hijacking: An exploitation of the web session control mechanism that is normally managed for a session cookie.

credential stuffing: An automated injection of stolen username and password pairs (credentials) into website login forms to fraudulently gain access to user accounts.

1. Passkeys – https://fidoalliance.org/passkeys/
2. Device Bound Session Credentials – https://github.com/w3c/webappsec-dbsc
3. OAuth 2.0 Demonstrating Proof of Possession (DPoP) – RFC9449: https://datatracker.ietf.org/doc/html/rfc9449
4. Session hijacking attack https://owasp.org/www-community/attacks/Session_hijacking_attack
5. Credential stuffing https://owasp.org/www-community/attacks/Credential_stuffing

access token: A credential used by a client-side application to invoke API calls on behalf of the user.

session cookie: A credential managed by browsers to maintain session state between a browser and a website.

bearer token: A token (in the context of this whitepaper may refer to either an access token or a session cookie) so called because whoever holds the token can use it to access resources. A bearer token on its own can be “lifted and shifted” for use on another computing device.

sender-constrained token: A token protected by a mechanism designed to minimize the risk that anything other than the client which established the token during an authentication process could use that token in subsequent requests for server-side resources.

Device Bound Session Credential (DBSC): A proposal for a W3C web standard defining a protocol and browser behavior to establish and maintain sender-constrained cookies. The mechanism uses proof of possession of an asymmetric cryptographic key to help mitigate session cookie hijacking.OAuth 2.0 Demonstrating Proof of Procession (DPoP): A mechanism for implementing sender-constrained access tokens that requires clients to demonstrate possession of an asymmetric cryptographic key when using the token.

OAuth 2.0 Demonstrating Proof of Procession (DPoP): A mechanism for implementing sender-constrained access tokens that requires clients to demonstrate possession of an asymmetric cryptographic key when using the token.

3. Adjacent/complementary technologies for a secure ecosystem

While FIDO authentication technology can effectively eliminate phishing and credential stuffing attacks that occur during the login process, the addition of solutions to mitigate threats associated with bearer token theft is equally important. Bad actors whose attacks are thwarted during the login process will go after the next weakest link in the chain and try to steal post-authentication bearer tokens. This section explores two of these technologies for protecting bearer tokens: Device Bound Session Credentials (DBSC) protect browser-based session cookies and Demonstrating Proof of Possession (DPoP) protects OAuth grants. Alternative approaches to protect bearer tokens are also discussed.

Because no single piece of technology can protect against all threats, a combination of multiple techniques is required for adequate protection.

Table 1: Combination of technologies for increased security

TechnologiesAuthentication threatsPost-authentication threatsRemote PhishingCredential StuffingToken TheftPasskeysDBSC/DPoPPasskeys + DBSC/DPoP

3.1 Browser session cookie security

Before discussing Device Bound Session Credentials (DBSC), you will need to understand the problem being addressed regarding browser session cookies. Session hijacking via cookie theft allows an attacker, who possesses stolen cookies, to bypass end-user authentication, including any strong or multi-factor authentication (MFA). This is particularly problematic when browsers create long-lived session cookies (which are a type of bearer token), since these cookies can be traded as alternatives to a user’s primary authentication credentials and then used from the attacker’s machine. This can lead to unauthorized access to sensitive data, financial loss, and damage to an organization’s reputation. 

Attackers perform cookie theft through various methods such as man-in-the-middle phishing of a user’s existing MFA login process (when phishing-resistant authentication such as FIDO is not used), client-side malware, and occasionally through vulnerabilities in server-side infrastructure or software. Regardless of how cookie theft is perpetrated, when successful, these attacks are not only dangerous, but also hard to isolate and detect. Complementary technologies, such as Device Bound Session Credentials (DBSC), minimize the risks associated with browser cookie theft by making stolen cookies impractical to use from any machine other than the machine to which they were issued during authentication.

3.2 Device Bound Sessional Credentials – DBSC

DBSC refers to a proposed web standard currently in development within the Web Application Security working group of the W3C[2]. The goal of DBSC is to combat and disrupt the stolen web session cookies market. This is achieved by defining an HTTP messaging protocol and required browser and server behaviors to result in binding the use of application session cookies to the user’s computing device. DBSC uses an asymmetric key pair and in browser implementations the private keys should be unextractable by an attacker – for example stored within a Trusted Platform Module (TPM), secure element, or similar hardware-based cryptographic module.

At a high level, the API in conjunction with the user’s browser and secure key storage capabilities, allows for the following:

The server communicates to the browser a request to establish a new DBSC session. This includes a server-provided challenge. The browser generates an asymmetric key pair, then sends the public key along with the signed challenge to the server. This process is referred to as DBSC registration. Browser implementations of DBSC should use operating system APIs that facilitate secure, hardware-bound storage and use of the private key. The server binds the public key to the browser session by issuing a short-lived, refreshable auth_cookie which is then required to be transmitted in subsequent browser requests to the web server.

As the auth_cookie regularly expires, a mechanism is required for the browser to refresh the auth_cookie asynchronously to primary application web traffic. The refresh process requires signing a new server-issued challenge with the same private key created during DBSC registration, thereby re-proving (regularly) that the client browser is still in possession of the same private key.

Limiting the lifetime of the auth_cookie to short periods of time (for example, a few minutes) disrupts the market for trading long-lived session cookies. An attacker can only use stolen session cookies (including the auth_cookie) for a brief period, and cannot perform a refresh operation, since the private key required to perform a refresh operation is not extractable from the client machine.

DBSC may be introduced into existing deployments with minimal changes to the application. This is important as DBSC could easily be incorporated as a web plugin module in existing server-side technology (for example, Apache module, Servlet Filter, or reverse proxy functionality). This permits enterprises to roll out deployment of DBSC in phases without a complete overhaul of all current infrastructure and companies can prioritize certain critical endpoints or resources first.

DBSC server-side implementations can also be written in a manner that permits semantics, for example: “If the browser supports DBSC, use it, otherwise fallback to regular session characteristics.” This allows users to gain the security advantages of DBSC when they use a browser that supports it without having to require all users to upgrade their browsers first.

Refer to the Device Bound Session Credentials explainer for more details on the DBSC protocol and standard, including a proposal for enterprise-specific extensions that adds attestation to DBSC keypairs.

3.2.1 What makes DBSC a technology complementary to FIDO?

The DBSC draft standard permits the login process to be closely integrated with the DBSC API. While FIDO is a mechanism that makes authentication safer and phishing resistant, DBSC is a mechanism that makes the bearer credential (session cookie) safer post-authentication. They complement each other by reducing the risk of account takeover and abuse, making the entire lifecycle of application sessions safer.

3.2.2 Alternative solutions

DBSC is not the first standard to propose binding session cookies to a client device. Token Binding is an alternative that combines IETF RFCs 8471, 8472, and 8473. Token Binding over HTTP is implemented via a Transport Layer Security (TLS) extension and uses cryptographic certificates to bind tokens to a TLS session. Token Binding has had limited browser adoption and is complex to implement as it requires changes at the application layer and in TLS security stacks. The Token Binding over HTTP standard has not been widely adopted and only one major browser currently offers support.

3.2.3 Advice

The DBSC standard relies on local device security and operating system APIs for storage and use of the private key that is bound to the browser’s session. While these private keys cannot be exported to another device, the key is available on the local system and may be exercisable by malware residing on the user’s device. Similarly, in-browser malware still has complete visibility into both regular session cookies and short-lived auth_cookies. DBSC is not a replacement for client-side malware protection, and the threat model for DBSC does not provide protections from persistent client-side malware. Ultimately, the user must trust the browser.

As browsers start to support DBSC over time, it will be important for servers to be able to work with a mix of browsers that do and do not include support for this technology. Some enterprises may dictate that corporate issued machines include browsers known to support DBSC, but many will not. It will be necessary for server-side implementations to take this into consideration, using DBSC when the browser responds to registration requests, and tolerating unbound session cookies when the browser does not. When building or choosing a commercial solution, ensure you consider this scenario, and include the ability to implement access control policies that strictly require DBSC in highly controlled or regulated environments or for specific applications.

At the time of writing, DBSC is in early evolution. It remains to be seen whether or not it will be widely adopted by browser vendors. The hope is that incubating and developing this standard via the W3C will result in wider adoption than previous proposals, similar to the way that the WebAuthn API has been adopted to bring passkey authentication to all major browser implementations.

4. OAuth grants

The previous section introduced DBSC as a means to protect against session cookie theft in web browsers. Thick application clients, including mobile applications and single-page web applications, typically use stateless API calls leveraging OAuth grants instead of session cookies. An OAuth grant may be established in several ways, with the  recommended pattern for thick clients being to initially use the system browser to authenticate a user, and grant access for an application to act on their behalf. Conceptually this is remarkably similar to browser-based sessions, including the ability and recommendation, to use FIDO authentication for end-user authentication when possible. At the conclusion of the browser-based authentication portion of this flow, control is returned to the thick client application or single-page web application where tokens are established for use in programmatic API calls. 

The challenge that occurs from this point forward is almost identical to that described for browsers – the OAuth tokens are bearer tokens that if exposed to a bad actor can be used to call application APIs from a remote machine instead of from the legitimate application.

This section describes the use of DPoP, a technology for protecting the “lift and shift” of credentials used in OAuth-protected API calls which, just like DBSC, makes use of an asymmetric key pair and ongoing proof of possession of the private key.

4.1 Demonstrate Proof of Possession (DPoP)

OAuth 2.0 Demonstrating Proof of Possession (DPoP) is an extension of the existing OAuth 2.0 standard for implementing device bound (or sender-constrained) OAuth access and refresh tokens. It is an application-level mechanism that allows for the tokens associated with an OAuth grant (that is, refresh tokens and access tokens) to bind with the requested client using a public and private key pair. This requires the client to prove ownership of its private key to the authorization server when performing access token refresh operations and to resource servers when using access tokens to call APIs.

6. OAuth 2.0 for Native Apps https://datatracker.ietf.org/doc/html/rfc8252

High assurance OpenID specifications, such as Financial-grade API (FAPI 2.0), mandate the use of sender-constrained tokens and DPoP is the recommended method for implementing this requirement when Mutual TLS (mTLS) is not available.

At a high level, DPoP requires that:

The client generates a per-grant public/private key pair to be used for constructing DPoP proofs. Best practice implementations should use operating system APIs to ensure the private key is non-extractable. On initial grant establishment (for example, exchanging an OAuth authorization code for the grant’s first access token and refresh token), a DPoP proof (a JWT signed by the client’s private key that contains, among other things, a copy of the public key) is used to bind a public key to the grant. Requests to a resource server using an access token obtained in this manner must also include a DPoP proof header, continuously proving possession of the private key used during grant establishment. This is done for every API request. Resource servers are required to check if an access token is sender-constrained, confirm the public key, and validate the DPoP proof header on each API call. For public clients, subsequent refresh_token flows to the authorization server’s token endpoint must also contain a DPoP proof signed with the same key used during initial grant establishment. This is particularly important as the refresh tokens are often long-lived and are also a type of bearer token (that is, if you have it you can use it). The authorization server must enforce the use of a DPoP proof for these refresh token flows and ensure signature validation occurs via the same public key registered during initial grant establishment.

Unlike a plain bearer access token which can be used by any holder, DPoP based access tokens are bound to the client that initially established the OAuth grant, since only that client can sign DPoP proofs with the private key. This approach minimizes the risks associated with malicious actors trading leaked access tokens.

Refer to DPoP RFC 9449 – OAuth 2.0 Demonstrating Proof of Possession (DPoP) for more information.

4.2 What makes DPoP a complementary technology to FIDO?

FIDO can be leveraged for phishing resistant end-user authentication during establishment of an OAuth grant. Refresh and access tokens obtained by a client following this authentication should be safeguarded against “lift and shift” attacks just like session cookies in browser-based apps. DPoP is a recommended solution for protecting these OAuth tokens from unauthorized post-authentication use. Together, FIDO for end user authentication and DPoP for binding OAuth tokens to a client device complement each other to improve the overall security posture for identities used in thick client applications.

4.2.1 DPoP alternative solutions?

RFC8705 – OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens describes a mechanism that offers a transporter layer solution to bind access tokens to a client certificate. While it has been approved for use in FAPI 2.0 for open banking solutions, it is not particularly suitable for public clients such as native mobile applications.

RFC9421 – HTTP Message Signatures defines an application-level mechanism for signing portions of an HTTP message. Key establishment and sharing between the client and verifier are not defined by this specification, although this could be performed in a trust on first user manner during initial grant establishment in a similar manner to DPoP. There is no known public specification that maps the use of HTTP message signatures to the use case of sender-constrained bearer tokens in an OAuth client application. In the absence of such a public specification, widespread adoption for this use case is unlikely.

4.2.2 Advice

Sender-constrained tokens are a good idea, and, in some deployments, they are a regulatory requirement. For example, use of the FAPI profiles of OAuth is now mandated by many sovereign open banking initiatives. DPoP is a relatively simple way to achieve this requirement and is flexible enough to cover a wide range of application client types. That said, care must still be taken to adhere to the security considerations of DPoP. Pay close attention to section 11 of RFC9449, as well as apply other application security strategies for native or browser based single page applications as your scenario dictates. Remember that DPoP is focused solely on addressing the threats associated with token exfiltration, which include trading and use by malicious actors. It should be considered part of a defense-in-depth strategy for OAuth applications.

5. Conclusion

The intent of this paper is to inspire thinking around how different web security standards fit together and how those standards relate to the use of FIDO authentication for users. There are so many standards and standards bodies that it is often hard to understand which compete in the same space and which augment one another to form part of a comprehensive defense-in-depth strategy for identity fraud protection in online applications.

This paper tackled a specific, prevalent application security problem – the malicious trading and use of stolen cookies and access tokens. This paper also showed how technologies such as DBSC and DPoP mitigate the threats associated with token theft and how these technologies are complementary to FIDO authentication. Paired with FIDO, DBSC and DPoP provide greater overall identity fraud protection for your applications.

cross-posted on the Amnesty UK blog

Community-driven change is more important than ever. Whether we are advocating for social justice, environmental sustainability, or political reform, collective action is how we create lasting impact. But how do we build a movement that starts with individual curiosity and grows into sustained activism? That’s where the Amnesty International UK (AIUK) community platform project comes in — a digital hub designed to empower individuals, support collaboration, and drive meaningful change.

This blog post outlines how the platform and community strategy work together to guide people from discovery of the AIUK community to becoming activists within it.

1. Discovery

The journey of community-driven change starts with discovery. This is the stage where individuals first come into contact with AIUK. Maybe they learn about an issue, identify it as important, and begin to consider how they might want to get involved. Or maybe they meet someone at a demonstration, and discover the community first-hand.

AIUK social media, through broadcasting, is just one tool that helps people discover Amnesty International UK. AIUK makes complex issues accessible and relatable. We want to do the same as AIUK highlights grassroots efforts and community initiatives.

We want to encourage posts that show:

Our dedicated community and highlight key grassroots initiatives and campaigns. Signposts to find local groups or events based on interests. Digital actions, such as petitions or downloading campaign guides, to help users take their first steps.

Such content ensures that even people who are new can find relevant AIUK communities and take the first steps toward engagement.

2. Intention to Engage

Once someone discovers a cause they care about, the next step is forming an intention to engage. This stage is all about commitment — moving from passive interest to active participation.

By showcasing community on the AIUK website, we both invite people in and celebrate what the community is achieving. We want to present clear pathways for involvement and help community members inspire others to take steps towards action.

We need to figure out processes that help:

Goal-setting: Encouraging community members to set personal milestones, like committing to attend 100 meetings. Sharing success: Telling success stories and finding testimonials that effectively attract new people while celebrating community achievements. Balancing information: Showcasing static information about past successes with dynamic, real-time updates on current campaigns from the community.

By making it easy for people to express their intent and take small but meaningful steps, we build confidence and lay the groundwork for deeper engagement.

3. Taking Action: Turning Intent into Impact

With intention comes action, and this is where real change begins. At this stage, people start to feel a sense of belonging and are ready to contribute to a cause they care about.

A knowledge base can help equip users with actionable tools. We’ll need clear resources and learning pathways that:

Guide people to the right information: Whether it’s organising a protest, writing letters to policymakers, or starting a local campaign, the knowledge hub can provide step-by-step guidance tailored to issues we work on. Help people collaborate: People should be able to connect with others who share their interests and work together on projects — whether virtually or in person. Best practices and community policies may also be at home in the knowledge hub. Show them into the community: Make sure that people feel supported and seen as they take action. Create an architecture of participation that brings them into the community platform.

This stage is about turning isolated actions into collective power, with the support of the community ensuring that every contribution counts.

4. Sustaining Action: Building Lasting Commitment

Sustained action is the key to creating lasting change. Too often, movements fizzle out after an initial burst of energy, but with a strong community strategy and integrated platform, we can keep momentum going.

To sustain engagement, the community platform needs to help people align with others in the AIUK movement. We need to think about:

Feedback loops: Regular check-ins with the community to understand their needs and ensure that we are adapting the community strategy and platform accordingly. A recognition ecosystem: Using digital badges and shoutouts for individuals or groups who demonstrate consistent commitment to help us make activism more visible. Storytelling opportunities: Sharing success stories and lessons learned will inspire others and keep motivation high.

By encouraging a sense of belonging and purpose, we ensure that members find reasons to continue building collective power for human rights.

5. Becoming an Activist: Empowering Future Leaders

The final stage is becoming an activist. At this point, individuals understand that community isn’t one person, but rather all of us. They begin to work on behalf of others, coordinate together and lift people up with their leadership.

These leaders will use other coordination tools and processes and that’s great! We want to empower the development of activist and leadership skills. We’ll need:

Decentralised coordination best practices: For members who are ready to take on larger roles, such as leading groups or campaigns. Mentorship programs: Connecting experienced activists with newcomers to share knowledge and build networks. Advocacy training: Workshops, webinars, and resources focused on effective communication, policy advocacy, and community organising.

Through these efforts, we can go beyond nurturing individual leaders to continue building a movement.

The Power of Community Work in Driving Change

The journey from discovery to becoming an activist is a process of gradual engagement and empowerment. There is a system of platforms, processes and content that help AIUK move people towards becoming an activist. Although we use various digital tools, the journey is an emotional and social one.

We are working hard to make sure the community platform project harnesses the collective strength of our community and makes a difference that lasts.

Designation as ISO/IEC 20153 Solidifies CSAF's Global Role in Standardized Vulnerability Reporting

Boston, MA USA; 20 May 2025 — The Common Security Advisory Framework (CSAF) Version 2.0, an open standard developed by OASIS Open, has officially been approved for release by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Now designated as ‘ISO/IEC 20153,’ the framework was successfully balloted through the Joint Technical Committee on Information Technology (JTC 1), marking a significant step forward in global security advisory standardization.

“Congratulations to OASIS on the publication of ISO/IEC 20153,” said Philip Wennblom, Chair of ISO/IEC JTC 1. “OASIS has been a valued JTC 1 partner since 2004, and this milestone highlights the strength of our collaboration in addressing critical challenges, including in cybersecurity, and advancing standards that benefit consumers, industries, and governments worldwide.”

Developed by the OASIS CSAF Technical Committee (TC) through a collaborative, cross-industry effort, CSAF v2.0 provides a modern, machine-readable framework for enhancing vulnerability reporting and response. With support for the Vulnerability Exploitability Exchange (VEX) profile, CSAF v2.0 seamlessly integrates with Software Bill of Materials (SBOM) data, allowing organizations to efficiently assess vulnerabilities and take informed actions.

“Achieving ISO/IEC recognition for CSAF 2.0 is a tremendous milestone for the global cybersecurity community,” said Omar Santos, co-chair of the OASIS CSAF TC. “This international standardization will drive broader, more consistent adoption of machine-readable vulnerability disclosures and response processes—ultimately helping organizations around the world protect their assets more effectively and streamline their cybersecurity practices. Whether vulnerabilities emerge in legacy environments or in cutting-edge AI solutions, CSAF 2.0 provides a modern framework for effective vulnerability reporting in hardware and software. We look forward to continuing our work within the OASIS CSAF TC to ensure the standard remains at the forefront of global cybersecurity efforts.”

“CISA is pleased that CSAF 2.0 is now recognized as an ISO/IEC standard, a significant achievement in strengthening global cybersecurity resilience. We value our work and ongoing partnership with OASIS,” said Justin Murphy, CISA Vulnerability Disclosure Analyst and co-chair of the OASIS CSAF TC. “CSAF 2.0 enables organizations to respond more effectively to evolving cyber threats across complex environments including critical infrastructure. We encourage and look forward to broader, global adoption of machine-readable standards for vulnerability management efforts.”

CSAF v2.0 was ratified as an OASIS Open Standard in November 2022 and subsequently submitted by OASIS to the ISO/IEC JTC 1 Information Technology body. As ISO/IEC 20153, this International Standard will continue to be maintained and advanced by the OASIS CSAF Technical Committee, which includes representatives of Cisco, Cryptsoft, Cyware, Huawei, Microsoft, Oracle, Red Hat, and others. New members are welcome, and participation in the CSAF TC is open to all through membership in OASIS.

About ISO/IEC JTC 1
ISO-IEC Joint Technical Committee (JTC 1) is a consensus based, voluntary international standards group focusing on information technology (IT). Many hundreds of experts from over 100 countries, represent their nation’s national standards body or national standards committee to mutually develop beneficial guidelines that enhance global trade, while protecting intellectual property. As one of the largest and most prolific technical committees in the international standardization community, ISO/IEC JTC 1 has had direct responsibility for the development of more than 3,500 published ISO standards, with nearly 600 currently under development. Its work in standardization also encompasses 24 subcommittees that make a tremendous impact on the global ICT industry.

About OASIS Open
One of the most respected, nonprofit open source and open standards bodies in the world, OASIS advances the fair, transparent development of open source software and standards through the power of global collaboration and community. OASIS is the home for worldwide standards in AI, emergency management, identity, IoT, cybersecurity, blockchain, privacy, cryptography, cloud computing, urban mobility, and other content technologies. Many OASIS standards go on to be ratified by de jure bodies and referenced in international policies and government procurement.
www.oasis-open.org

Media Inquiries: communications@oasis-open.org

Support for CSAF  

Cyware:
“Cyware is committed to advancing security automation through the adoption of open, machine-readable standards like CSAF. Integrating CSAF into our threat intelligence and security orchestration platforms enables real-time ingestion, normalization, and automated dissemination of vulnerability advisories, enhancing our customers’ ability to rapidly correlate threat data and initiate timely response actions.”
– Avkash Kathiriya, Sr. VP, Research and Innovation, Cyware Labs

Microsoft:
“The designation of the Common Security Advisory Framework (CSAF) as an ISO/IEC 20153 standard marks a significant milestone for the global vulnerability management ecosystem. At Microsoft, we are proud to support this advancement by publishing advisories conforming to the CSAF specification and expanding its adoption across our security practices. CSAF enhances automation, improves interoperability, and accelerates vulnerability response—empowering organizations worldwide to better protect their ecosystems.”
– Bret Arsenault, Corporate Vice President and Chief Cybersecurity Advisor, Microsoft

Disclaimer: CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked or referenced within this press release. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.

The post OASIS Common Security Advisory Framework v2.0 Approved as an ISO/IEC International Standard appeared first on OASIS Open.

Thirteen years after The Intention Economy was published by Harvard Business Review Press, there are now four clear paths toward making it come true.

IEEE P7012, aka MyTerms. This will make individuals first parties in their agreements with companies, completely flipping the status quo that has been with us since industry won the Industrial Revolution and manifests today in those insincere and annoying cookie notices that interrupt your experience every time you visit a new website or open a new app. MyTerms makes each of us first parties in agreements with sites and services, and in full charge of personal privacy online. The First Person Project, or FPP  (website pending). With help on the buy side from Customer Commons and on the sell side by Ayra, we can finally replace “show your ID” with verifiable credentials presented on an as-needed basis by independent and self-sovereign individuals operating inside their own webs of trust. Visa Intelligent Commerce, which will make intentcasting happen in a big way. It will also elevate the roles of Inrupt and the open-source  Solid Project. Personal AI. This is AI that is as much yours as your shoes, your bike, and your PC. Personal, not personalized.

To explain how these will work together, start here:

Not long after The Intention Economy came out in May, 2012, Robert Thomson, Managing Editor of The Wall Street Journal, wanted the book’s opening chapter to serve as the cover essay for the Marketplace section of an upcoming issue. Harvard Business Review Press didn’t like that idea, so I wrote an original piece based on one idea in the book: that shoppers will soon be able to tell the market what they’re looking for, in safe, secure and anonymous ways—a kind of advertising in reverse that the book called “personal RFPs” and has since come to be called “intentcasting.” This became The Customer as a God: The image above was the whole cover of the Marketplace section on Monday,  July 23, 2012. The essay opened with these prophetic words: “It’s a Saturday morning in 2022…”

It is now a Friday morning in 2025, and that godly future for customers is still not here. Yes, we have more market power than in 2012, but we are digital serfs whose powers are limited to those granted by  Amazon, Apple, Facebook, Google, Microsoft, and other feudal overlords. This system is a free market only to the degree that you can choose your captor.  This has led to—

The IONBA (Internet Of Notning But Accounts) is based on a premise: that the best customers are captive ones. In this relic of the industrial age, customers are captive to every entity that requires logins and passwords. Customers also have no ways of their own to globally control what data is collected about them, or how. Or to limit how that data is used.  This is why our digital lives are infected by privacy-killing data-collection viruses living inside our computers, phones, TVs, and cars.

If you didn’t know about those last two, dig:

Consumer Reports says “All smart TVs—from Samsung, LG, you name it—collect personal data.” They also come with lame “privacy” controls, typically buried deep in a settings menu. (Good luck exhuming them. The ones in our TCL and Samsung TVs have all but disappeared.) Mozilla calls new cars “the Worst Product Category We Have Ever Reviewed for Privacy.” There is also nothing you can do to stop your car from reporting on everything your car does—and everything you do, including sexual ativity—to the carmaker, insurance companies, law enforcement, and who knows who else. This data goes out through your car’s cell phone, misleadingly called a telematics control unit. The antenna is hidden in the shark fin on your car’s roof or in an outside mirror.

Businesses are also starting to lose faith in surveillance, for at least eight reasons:

People hate it. They also fight it. By 2015 ad blocking and tracking protection were the biggest boycott in world history. It tarnishes brands. Ad fraud is a gigantic problem, and built into the system. It commits Chrysoogocide (killing golden geese, most notably publishers). Bonus link. Regulatory pressure against it is getting bigger all the time. Advertisers are finally remembering that brands are made by ads aimed at populations, while personalized ads are just digital junk mail. Customers are using AI tools for guidance toward a final purchase, bypassing marketing schemes to bias purchasing decisions along the way. For more on that, see Tom Fishburne’s cartoon, and Bain’s report about it.

So our four roads to The Intention Economy start with the final failings of the systems built to prevent it. Now let’s look at those roads.

1—IEEE P7012 “MyTerms”

MyTerms, the most important standard in development today, will be a keystone service of Customer Commons, the nonprofit spinoff of ProjectVRM. It will do for contract what Creative Commons did for copyright: give individuals a new form of control. With MyTerms, agreements between customers and companies will be far more genuine mutual, and open to new forms of innovation not based on the kind of corporate control that typifies the IONBA. For example, it can open Visa Intelligent Commerce to conversations and relationships that go far past transaction. Take for example Market intelligence that flows both ways. While this has been thinkable for a decade or more (that last link is from 2016), it’s far more do-able when customers and companies have real relationships based on equal power and mutual interests. These are best framed up on agreements that start on the customer’s side, and give customers scale across all the companies with which they have genuine relationships.

2—First Person Project (FPP)

To me, FPP begins with the vision “Big Davy” Sallis came up with while he was working for VISA Europe in 2012, and read the The Intention Economy. At the time, he wanted Visa to make VRM a real category, but assumed that would take too long. So he decided to create a VRM startup called Qredo. Joyce and I consulted Qredo until  Davy died (far too young) in 2015. Qredo went into a different business, but a draft I created for Qredo’s original website survives, and it outlines much of what the  FPP will make possible. That effort is led by Drummond Reed, another friend and collaborator of Davy’s and a participant in ProjectVRM from the start. Drummond says the FPP is inspired by Why We Need First Person Technologies on the Net, a post published here in 2014. That post begins,

We need first person technologies for the same reason we need first person voices: because there are some things only a person can say and do.

Only a person can use the pronouns  “I,” “me,” “my” and “mine.” Likewise, only a person can use tools such as screwdrivers, eyeglasses and pencils. Those things are all first person technologies. They were invented for individual persons to use.

We use first person technologies the same unique ways we use our voices.

Among other things, the First Person Project will fix how identity works on the Internet. With FPI—First Person Identity—interactions with relying parties (the ones wanting “your ID”) don’t need your drivers license, passport, birth certificate, credit card, or account information. You just give them what’s required, on an as-needed basis, in the form of verifiable credentials. The credentials you provide can verify that you are a citizen of a country, licensed to drive, have a ticket to a game, or whatever. In other words, they do what Kim Cameron outlined in his Laws of Identity: disclose minimum information for constrained uses (Law 2) to justifiable parties (Law 3) under your control and consent (Law 1). The credential you present is called a DID: a Decentralized Identifier. No account is required.

Trust in FPI also expands from individual to community. Here is how Phil Windley explains it in Establishing First Person Digital Trust:

When Alice and Bob met at IIW, they didn’t rely on a platform to create their connection. They didn’t upload keys to a server or wait for some central authority to vouch for them. They exchanged DIDs, authenticated each other directly, and established a secure, private communication channel.

That moment wasn’t just a technical handshake—it was a statement of first-person identity. Alice told Bob, “This is who I am, on my terms.” Bob responded in kind. And when they each issued a verifiable relationship credential, they gave that relationship form: a mutual, portable, cryptographically signed artifact of trust. This is the essence of first-person identity—not something granted by an institution, but something expressed and constructed in the context of relationships. It’s identity as narrative, not authority; as connection, not classification.

And because these credentials are issued peer-to-peer, scoped to real interactions, and managed by personal agents, they resist commodification and exploitation. They are not profile pages or social graphs owned by a company to be monetized. They are artifacts of human connection, held and controlled by the people who made them. In this world, Alice and Bob aren’t just users—they’re participants.

This also expands outward into community, and webs of trust. You get personal agency plus community agency.

The FPP covers a lot more ground than identity alone, but that’s where it starts. Also, Customer Commons is a funding source for the FPP, and I’m involved there as well.

3—Visa Intelligent Commerce

The press release is Find and Buy with AI: Visa Unveils New Era of Commerce. Less blah is Enabling AI agents to buy securely and seamlessly. Here’s the opening copy.

Imagine a future where an AI agent can shop and buy for you. AI commerce — commerce powered by an AI agent — is going to transform the way consumers around the world shop.

Introducing Visa Intelligent Commerce, an initiative that will empower AI agents to deliver personalized and secure shopping experiences for consumers – at scale.

From browsing and selection to purchase and post-purchase management, this program will equip AI agents to seamlessly manage key phases of the shopping process.

Visa CEO Ryan McInerney says a lot more in a 1:22 talk at Visa Product Drop 2025. The most relevant part starts about 26 minutes in, with a demo starting at about 31:30. Please watch it. Much of what you see there owes to Inrupt and Solid, which Sir Tim Berners-Lee says were inspired by The Intention Economy. For more about where Inrupt and Solid fit in Visa Intelligent Commerce, see Standards for Agentic Commerce: Visa’s Bold Move and What It Means: Visa’s investment in safe Intelligent Commerce points to a future of standards-forward personal AI, by John Bruce, Inrupt’s CEO. John briefed Joyce and me over Zoom the other day. Very encouraging, with lots to develop on and talk about.

More links:

A tweet appreciative of Inrupt by Visa’s @JackForestell Privacy for Agentic AI, by Bruce Schneier, Inrupt’s CISO (as well as the world’s leading security expert, and an old pal through Harvard’s Berkman Klein Center). Also from Bruce: What Magic Johnson and Bruce Schneier taught us at RSAC 2025 and RSAC 2025: The Pioneers of the Web Want to Give You Back Control of Your Data Visa announces AI Agent Payment APIs – and a pathway to Empowerment Tech, by Jamie Smith, who writes Customer Futures, the most VRooMy newsletter out there.

Some news being made about Visa Intelligent Commerce:

Visa partners with AI giants to streamline online shopping Visa Gives AI Shopping Agents ‘Intelligent Commerce’ Superpowers Visa launches ‘Intelligent Commerce’ platform, letting AI agents swipe your card—safely, it says How major payment companies could soon let AI spend your money for you Visa, Mastercard offer support for AI agents Visa wants to give artificial intelligence ‘agents’ your credit card Visa adds ‘unknown concept’ where AI makes purchases for you – but shoppers suspect more ‘sinister purpose’ Visa Unveils Intelligent Commerce to Power AI-Driven Payments

4—Personal AI

Reza Rassool was also inspired by The Intention Economy when he started Kwaai.ai, a nonprofit community developing open-source personal AI. I now serve Kwaai as its volunteer Chief Intention Officer.

Let’s look at what personal AI will do for this woman:

Looks great, but we’re stuck in IONBA, she has little control over her personal data in all those spaces. For example,

She doesn’t have the digital version of what George Carlin called “a place for my stuff.” (Watch that video. It’s brilliant—and correct.) She has few records of where she’s been, who she’s been with and when—even though apps on her phone know that stuff and are keeping it inside the records of her giant overlords and/or selling it to parties unknown, with no way yet for getting it back for her own use. Her finances are possibly organized, but scattered between the folders she keeps for taxes, plus the ones that live with banks, brokers, and other entities she hardly thinks about. It would be mighty handy to have a place of her own where she could easily see all her obligations, recurring payments, subscriptions, and other stuff her counterparties would rather she not know completely. Her schedules are in Apple, Google, and/or Microsoft calendars, which are well app’d and searchable, but not integrated. She has no digital calendar that is independent and truly her own. Her business and personal relationship records are scattered across her contact apps, her Linkedin page, and piles of notes and business cards. She has no place or way of her own to manage all of them. Her health care records (at least here in the U.S.) are a total mess. Some of them ares inside the MyCharts and patient portals provided by separate (and mostly unconnected) health care specialists and medical systems. Some of it is in piles of printouts she has accumulated (if she’s kept them) from all the different providers she has seen. Some of it is in fitness and wellness apps, all with exclusive ways of dealing with users. None of it is in a unified and coherent form.

So the challenge for personal AI is pulling all that data out of all her accounts, and putting it into forms that give her full agency, with the help of her personal AIs.  Personalized AIs from giants can’t do that. We need our own personal AIs.

And there we have it: Four roads to a world where free customers prove more valuable than captive ones. And we’re making it happen. Now.

The UK government has said it will roll out passkey technology across its digital services later in 2025, aiming to phase out SMS-based verification in favour of a more secure, user-friendly alternative.

Passkeys are unique digital credentials tied to a user’s personal device and offer a way to authenticate identity without the need for traditional passwords or one-time text codes.

Passkeys never leave the device and so cannot be reused across websites, which makes them resistant to phishing and other common attacks.

DIF members showcased their vision at this year's European Identity and Cloud Conference (EIC 2025), bringing together experts who are defining the future of human-centric digital identity. As AI capabilities accelerate, DIF members are tackling both the architectural foundations and philosophical implications of self-sovereign identity, and EIC provided an excellent forum to share how they are solving digital identity's most complex challenges.

The Philosophy Behind Standards: Values in Digital Identity

Markus Sabadello, CEO of Danube Tech and DIF Steering Committee member, delivered a compelling talk examining the philosophical underpinnings of digital identity standards. His presentation, "The Worldviews behind Digital Identity Standards," argued that technical choices in standards like OID4VC, DIDComm, SD-JWT-VC, and the W3C verifiable credential data model reflect deeper philosophical trajectories variously aligned with European values like Liberty, Equality, and Fraternity.

Markus Sabadello presents "The Worldviews behind Digital Identity Standards"

Sabadello illustrated how technologies like DIDComm prioritize fraternity through peer-to-peer connections, while JSON-LD enables innovation and liberty through permissionless semantic flexibility and self-publishing. As the industry standardizes wallets and verifiable credentials, he emphasized that these standards should be evaluated not only on technical merits but also on how they impact human values like sovereignty and equitable participation.

The talk concluded with an important reminder that technology is never value-neutral, highlighting the need to align digital identity standards with humanistic values while avoiding the pitfalls of fragmentation from competing, politically and commercially driven standards.

AI and Identity: A New Frontier

Another highlight of the conference was the Verifiable AI talk and panel series. In his talk "Private Personal AI and Verified Identity for AI Agents", Alastair Johnson (CEO of Nuggets) explored the challenges of implementing truly private personal AI that protects user sovereignty while creating verifiable identities for AI agents. Johnson explored how privacy-preserving technologies and self-sovereign identity frameworks can enable secure AI agent operations while maintaining individual control over personal data.

Alastair Johnson presents "Private Personal AI and Verified Identity for AI Agents"

The subsequent panel, "Verifiable AI: The New Frontier" was moderated by Ankur Banerjee, CTO of Cheqd and DIF TSC Co-chair. The panel brought together Matthew Berzinski (Ping Identity), Sebastian Rodriguez (Advisor to Privado.ID), and Alastair Johnson to explore the intersection of AI and digital identity.

The panel addressed critical questions about how private personal AI agents can securely interact with identity systems, approaches to verifying AI agent identities, and frameworks for establishing trust in AI-human interactions.

As Ankur described in his following LinkedIn post, key takeaways included:

The need for both decentralized and centralized/hybrid approaches for different scenarios, including "AI employees" like the Devin software engineering assistant The challenge of allowing "good bots" into systems designed to keep malicious automation out The emerging consensus that AI agents will need their own wallets (or at least high-stakes delegation capabilities to and from wallets, or operate inside of wallets), and what kind of unique identifiers can power these interfaces The vulnerability of AI agents to bribing, threats, and "social" engineering attacks despite (or due to their primarily) rule-based constraints The agentic "Ship of Theseus" problem: at what point is an AI agent sufficiently changed that it invalidates prior attestations? The Personhood Challenge: Humans in a World of AI

Another significant focus at the conference was the development of personhood credentials as a defense against AI-generated deepfakes. Drummond Reed, Director of Trust Services at Gen Digital, presented "First-Person Credentials: A Case Study," discussing a collaborative effort between the Ayra Association, Customer Commons, Trust Over IP, and DIF to create a people-powered, privacy-preserving proof of personhood.

Personhood Credentials Why is proof of personhood so hot? Because it sits at the intersection of AI and decentralized identity. The threat of generative AI deep fakes has accelerated the search for a sustainable… KuppingerCole

This work built on a 2024 paper titled "Personhood Credentials," which proposed using a decentralized architecture based on verifiable credentials and zero-knowledge proofs. Reed's presentation covered design goals, trust models, user experience considerations, and go-to-market strategies for this emerging approach.

Personhood Credentials: From Theory to Practice

The subsequent panel, "Personhood Credentials: From Theory to Practice," brought together Ankur Banerjee, Drummond Reed, Steven McCown (Chief Architect of Anonyome Labs), and Sebastian Rodriguez to examine real-world implementations and practical challenges in creating personhood credentials. The panel explored how technologies like zero-knowledge proofs and selective disclosure can preserve individual privacy while meeting legitimate verification requirements.

PANEL: Personhood Credentials: From Theory to Practice This panel features experts examining real-world implementations, emerging standards, and practical challenges in digital identity. They will explore how technologies such as zero-knowledge proofs… KuppingerCole Technical Innovations in Identity Infrastructure

The conference also featured several technical presentations on practical implementations of verifiable credentials and digital identity wallets:

Richard Esplin, Head of Product at Dock, presented "Biometrics and Verifiable Credentials: Balancing Security and Privacy," addressing the challenges biometric providers face as regulations become stricter. Esplin shared best practices for integrating biometrics with verifiable credentials without undermining privacy and flexibility.

Biometrics and Verifiable Credentials: Balancing Security and Privacy [Intermediate] Biometric providers are facing new challenges as regulations governing biometric data become stricter and organizations try to extend their biometric enabled business processes across ecosystems… KuppingerCole

Dr. Paul Ashley, CTO of Anonyome Labs, discussed the implementation of Hardware Security Modules (HSMs) in digital identity wallets in his talk "Digital Identity Wallet Utilizing a Hardware Security Module." The presentation explored how digital identity wallets can be enhanced through HSM integration to fulfill the requirements of the EU Digital Identity Wallet framework, with analysis of each credential standard's compatibility with various HSMs' cryptographic capabilities.

Dr. Paul Ashley presenting "Digital Identity Wallet Utilizing a Hardware Security Module" Looking Forward

The DIF community remains the leading forum for innovation in decentralized identity standards and implementations. The frameworks, protocols, and approaches discussed at the conference provide a clear architectural roadmap for solutions that protect individual autonomy while enabling secure, verified interactions between humans and AI systems. Through continued collaboration across our working groups, DIF remains committed to developing open standards that address both current and emerging identity challenges.

To learn more about these topics or to get involved with the Decentralized Identity Foundation's work, visit DIF's website.

ISL began its life as the Me2B Alliance, striving to create standards to enable greater power symmetry in the digitally facilitated relationship between consumers (“Me-s”) and the companies whose technology they use (“B-s”). We called this the M2B relationship. For mobile apps, all too often it’s a case of “Me2 Who Knows?!” People have a right to know who’s legally responsible for the apps they use, and it is anything but clear in mobile app stores today. App stores are failing to make clear the legal entity who is responsible for apps. ISL has filed responsible disclosures with Apple starting in late 2024 but our repeated attempts have been dismissed.

Anatomy of Responsible Party Info in the App Stores

Both Google and Apple allow for two kinds of developer accounts: individual and organization. The creation of either type of account requires identity validation, but it’s a lower bar for individuals than for organizations. Individuals must provide a government issued ID credential before being allowed to open a developer account. This validates the individual’s name and address. Organizations, however, must provide a DUNS number to validate the legal existence of the organization. 12

▶ Problem 1: How effective is this level of identification authentication? ISL recently found an app developer with 15 apps in the Google Play store with no verifiable legal existence whatsoever. Thus, the process is imperfect at best.

In both stores, the “Account Holder” (to use Apple’s language) is the individual/entity who is in a legal relationship with the app store [owner].

Figures 1a and 1b show two parts of an Apple App store listing. Note that the name in blue under the app name appears to be the Account Holder (Figure 1a). Note that the Information section of the app listing shows five other places where we expect to see the same Account Holder name and websites.

Figure 1a: Apple App Store Example – App Header

 

Figure 1b: Apple App Store Example – App Information

Figures 2a and 2b show a similar annotated view of the Google Play Store app listing. Between Figures 2a and 2b, there are six instances where the Account Holder name appears.

Figure 2a: Google Play Store Example – Part 1

 

Figure 2b: Google Play Store Example – Part 2

This all seems fine. What we see in practice, though, is that the various links and names presented in the app store listing that should be definitively showing the name of the legally party responsible for the app often have inconsistencies. Which brings us to additional problems.

▶ Problem 2: Account Holders can create additional user accounts within their account, including users with permissions to submit/delete apps.3 There’s seemingly no governance over this capability, left strictly in the hands of the Account Holder.

▶ Problem 3: The app store app listing doesn’t indicate if the developer of the app is an individual or a company. This information matters. People deserve to know if they’re using an app developed by an individual developer, or by a company. No matter what, so long as apps are collecting personal information, people have an unconditioned right to know who gets their data and what they’re doing with it.

▶ Problem 4: The Apple app store doesn’t disclose the location of the responsible app developer but the Google Play store does.4 The great thing about app ecosystems is that they foster worldwide participants. The problem is that the responsible developer can be oceans away from consumers, making it difficult or impossible to hold the developer accountable if there are issues.

▶ Problem 5: Apps have broken developer links. It’s wildly confusing when the name in blue or green font under the app name is different from the name that appears when you click on the developer link. Imagine if you went to a grocery store and there was a loaf of bread with no brand or company information. You wouldn’t want to eat that. When you click on the Developer Website link for the app shown in Figure 1b you find yourself not only not at a site that says Kepler47, you find a non-functional page for audiojoy.com (Figure 3).

Figure 3 Developer website URL for 12 Step AA NA Daily Meditation from the Apple App Store: https://audiojoy.com/cgi-sys/suspendedpage.cgi

▶ Problem 6: The Account Holder name from the listing header doesn’t match the name in the privacy policy OR in the App Support link. Figures 4a and 4b illustrate a case where the listed developer in the listing header is Will Aitchison (Figure 4a), but the privacy policy fails to indicate a legally responsible data controller entirely (Figure 4b).

 

Figure 4a: Account Holder name

 

Figure 4b: Privacy policy link for app by Will Aitchison: https://www.firststeporegon.org/docs/PrivacyPolicy_25-05-2018.pdf

 

Figure 4c: Privacy Policy from “Developer’s Website”

Note that there’s another layer of confusion for the First Step Oregon app, namely, the privacy policy found on the App Support page differs from the privacy policy linked in the app store (Figure 4c). This case is a case where the app developer was likely an individual affiliated with the organization who wrote and submitted the app on behalf of the company. Still, it leaves a question for users: who is responsible? Who does the user contact in the case of issues?

The Boggle: Arcade Edition app in the Apple store shows a similar situation. The Account Holder appears to be Zynga Inc. from the app store listing header (Figure 5a). But when you click on the App Support link you see the Take-Two Terms of Service (Figure 5.b). Similarly, the linked privacy policy is also Take-Two’s. Finally, this app includes a copyright showing Zynga Inc. in the information section (Figure 5c). In this instance, the original Account Holder (Zynga Inc.) was acquired by another company (Take-Two). Zynga appears to be a wholly owned subsidiary of Take-Two based on its California business registration status, but the “hybrid” information in the app store is confusing.

Figure 5a: Boggle App store listing header – Account Holder: Zynga Inc.

 

Figure 5b: Boggle App Support Link

 

Figure 5c: Boggle App store listing – Information Section

Interestingly, not all Zynga games in the app store show Take-Two info at the App Support link. Figure 6b shows the App Support link for FreeCell, another Zynga game.

Figure 6a: FreeCell App store listing header

 

Figure 6b: FreeCell App Support link

▶ Problem 7: App Information shows two different names. Figures 7a and 7b show elements of the Apple app store listing for the app, Count Money and Coins – Photo Touch Game. In the Information section of the app store listing, Innovative Investments Limited is shown as the Seller, but Grasshopper Apps is the copyright registrant.

Figure 7a: Count Money and Coins App store listing header

 

Figure 7b: Count Money and Coins app – Information section

▶ Problem 8: App store listings with broken privacy policy links. It’s relatively easy to find apps in the app stores whose privacy links are simply broken, non-functional. This is what we found with most of the Innovative Investments Limited apps (Figure 7c).

Figure 7c: http://www.grasshopperapps.com/privacy-policy

Conclusions

NONE of this should be happening today. App stores receive 30% of all app revenues and thus have ample resources to programmatically monitor these situations. Consumers should never have to conduct forensic research in order to figure out who they’re entering into a business relationship with. Here’s a recap of what the app store owners should do:

Make it crystal clear on your label who the legal entity responsible for the app is (I’ll call this “responsible developer”). Make sure ALL instances in and related to the app store listing consistently show the same responsible developer name. Make sure there is valid, working contact information for the responsible developer. Indicate if the developer is an individual or an organization.
a. Ideally, we’d like to know the organization type, as this effects their legal obligations. For instance, for-profit vs. non-profit vs. government entities.
b. It’s also important to indicate coarse location information of the developer—i.e. city, state and country. Make sure privacy policy links are functional all the time.

Here are Recommendations for app consumers:

If there isn’t a privacy policy, don’t install the app. If there are no privacy details provided in the Apple store, don’t install the app. If there’s no developer contact information provided, don’t install the app. Contact us if you find these or other problems with app store entries. Final Thoughts

We are well past the point of understanding the risks of these things, yet we see no systemic changes under development on the part of Apple and Google to put safety measures in place. Perhaps shining this light on some of the issues can help spur action.

Footnotes: https://support.google.com/googleplay/android-developer/answer/13628312?sjid=9574226792909682372-NC https://developer.apple.com/programs/enroll/ Summary of roles and permissions for Apple developer accounts: https://developer.apple.com/help/account/access/roles/ Location of the developer was met with some warranted and some dubious pushback from Android developers as shown on this Reddit thread https://www.reddit.com/r/androiddev/comments/17w3pgz/google_started_displaying_full_legal_name_and/?rdt=50889 . Mandatory disclosure of an individual developer’s location presents some risks. That said, the developer is capable of getting every user’s location information so it seems a reasonable requirement.

The post Me2B or Me2Who Knows: App Stores Fail to Provide Clear Legally Responsible Party appeared first on Internet Safety Labs.

We’re excited to introduce CATio Spaces, a new way for civil society organizations to connect with our team and talk about cybersecurity in a low pressure, friendly environment.

The post Introducing CATio Spaces: A Learning Space to Talk Cybersecurity appeared first on The Engine Room.

Blockchain Commons was pleased to receive another grant this year from Human Rights Foundation (HRF) and their Bitcoin Development Fund grant to support our work with developers and implementers to expand the usage of FROST.

To quote HRF’s press release:

“For nonprofits operating under authoritarian rule, securing Bitcoin is critical for survival. If private keys (which control access to bitcoin) are compromised, funds can be seized and movements dismantled. Blockchain Commons is a [not-for-profit] supporting the development of FROST (Flexible Round-Optimized Schnorr Threshold Signature), a protocol that strengthens multisignature wallets (bitcoin wallets with multiple private keys) by making them more secure, private, and flexible for shared custody. With this grant, Blockchain Commons will help build critical infrastructure to keep civil society groups operational and financially resilient under dictatorships.”

Blockchain Commons has previously held and documented four meetings supporting FROST in 2023 and 2024, and we plan to continue with that later in 2025. Thanks to HRF, we also are expanding that work this year with the development of a FROST signing tool and the creation of a brief “Learning FROST from the Command Line” course. Our goal, as ever, is to help support the implementers who are creating FROST and to make it easier for developers to incorporate FROST into their wallets.

For more on FROST, see our FROST developer pages.

A decentralized repository for secure, scalable genomic data sharing & AI-driven personalized healthcare insights — powered by OriginTrail Decentralized Knowledge Graph (DKG).

OriginTrail powers the future of ethical AI in healthcare with ELSA

We’re excited to announce that OriginTrail is joining forces with the ELSA (European Lighthouse on Secure and Safe AI) initiative to shape the future of decentralized, privacy-preserving artificial intelligence (AI) in healthcare. Digital healthcare today faces three pressing challenges: safeguarding patient privacy, bridging fragmented data silos for seamless interoperability, and meeting strict regulatory requirements without stifling innovation.

At the heart of this collaboration lies a DeReGenAI — a decentralized repository for secure, scalable genomic data sharing and AI-driven personalized healthcare, powered by the OriginTrail Decentralized Knowledge Graph (DKG). This initiative tackles the most pressing challenges in digital health: enabling secure, compliant, and user-sovereign sharing of sensitive genomic data while unlocking the full potential of AI-driven personalized healthcare.

Trustworthy AI needs trustworthy infrastructure

AI is transforming healthcare — but for it to do so responsibly, it must be built on a foundation of trust, transparency, and ethics. That’s exactly what OriginTrail brings to the table within the ELSA consortium: an open-source, decentralized infrastructure that ensures data privacy, ownership, and interoperability at scale.

By integrating OriginTrail DKG, DeReGenAI becomes a decentralized repository that puts patients in control of their most personal asset — their genomic data. This enables:

User-managed permissions: Patients decide who can access their data, when, and for what purpose. Privacy-preserving monetization: Individuals can opt to share their data with research institutions or health providers on their own terms. AI-ready interoperability: Seamless interaction with AI systems while maintaining the integrity and provenance of the data.

At its core, the OriginTrail DKG act as a knowledge graph of knowledge graphs — a globally distributed network where each participant maintains control over their own knowledge node. These nodes interact in a fully decentralized manner, eliminating the risks of centralized data silos and single points of failure.

Here’s why this matters:

Global scale: Access data from diverse sources without compromising security. Privacy-first architecture: Data sovereignty is seamlessly integrated into the infrastructure. Compliance-ready: Designed with GDPR and other regulatory frameworks in mind. Interoperable: Built for seamless integration with AI technologies and healthcare systems. How does DeReGenAI work?

To power the next generation of personalized healthcare, DeReGenAI employs decentralized Retrieval-Augmented Generation (dRAG) — an evolution of how Large Language Models (LLMs) interact with external data.

Instead of querying a centralized source, the LLMs in DeReGenAI leverage the OriginTrail DKG to retrieve verified, decentralized knowledge. This unlocks:

More accurate AI insights, Context-aware healthcare recommendations, Trustworthy and verifiable AI behavior.

The ELSA initiative brings together top-tier European academic, industrial, and technology partners, such as University of Oxford, The Alan Turing Institute, NVIDIA, and others, to build a future where AI is both effective and ethical. As part of the ELSA initiative, OriginTrail is used to build a trusted data ecosystem for the AI age — one where people, not platforms, control their data, and where innovation never comes at the cost of ethics.

We’re proud to be driving this change, and even prouder to be doing it alongside an incredible group of partners.

Learn how OriginTrail is powering the shift to human-centric AI at https://origintrail.io/.

Trust the source.

OriginTrail powers the future of ethical AI in healthcare with ELSA was originally published in OriginTrail on Medium, where people are continuing the conversation by highlighting and responding to this story.

Current Landscape

The public safety sector is undergoing rapid digital transformation, embracing new technologies to enhance emergency response, law enforcement, and disaster management. However, this shift also brings challenges such as data security risks, privacy concerns, and the need for reliable information verification in critical situations.

When DIACC was established in 2012, its goal of creating a secure digital ecosystem extended to all sectors, including public safety. As a trusted authority in digital identity and authentication, DIACC’s mission is more crucial than ever as public safety agencies increasingly rely on digital systems and data sharing to protect communities.

By prioritizing digital trust, Canada can strengthen its public safety infrastructure, improve emergency response times, and enhance collaboration between various agencies. Interoperable frameworks, such as the DIACC Pan-Canadian Trust Framework (PCTF), ensure that public safety systems remain secure, adaptable, and trusted.

Advancing Digital Trust in Public Safety 1. Enhancing Emergency Response and Coordination

Implementing robust digital trust solutions can significantly improve emergency response by:

Enabling secure, real-time data sharing between agencies Verifying the authenticity of emergency communications Facilitating rapid and accurate identification of individuals in crises 2. Leveraging the DIACC PCTF for Public Safety

DIACC encourages public safety agencies to adopt the PCTF as a tool to:

Implement secure identity verification for first responders and emergency personnel Enhance the integrity of emergency alert systems Improve interagency collaboration through trusted data exchange 3. Addressing Privacy Concerns in Surveillance and Data Collection

To balance public safety needs with individual privacy rights, DIACCweDIACC recommendss:

Implementing transparent data collection and usage policies Adopting privacy-preserving technologies in surveillance systems Ensuring proper authentication and authorization for access to sensitive data 4. Combating Misinformation in Crisis Situations

Digital trust frameworks can help public safety agencies:

Verify the authenticity of information during emergencies Establish trusted channels for disseminating critical updates Collaborate with social media platforms to combat the spread of false information 5. Enhancing Cybersecurity in Critical Infrastructure

Public safety agencies can use digital trust solutions to:

Secure communication networks used in emergency response Protect critical infrastructure from cyber threats Implement robust identity and access management systems for sensitive facilities Best Practices and the Way Forward 1. Adopt Emerging Technologies

Public safety agencies should leverage technologies like Artificial Intelligence (AI) and Distributed Ledger Technologies (DLT) to enhance their digital trust capabilities and improve emergency response. AI can be used for real-time data analysis and decision-making, while DLT can ensure the integrity and immutability of critical information.

2. Foster Cross-Sector Collaboration

DIACC encourages collaboration between public safety agencies, technology providers, and other stakeholders to develop standardized digital trust practices.

3. Educate and Train

DIACC is committed to educating public safety personnel and the public about digital trust through:

Specialized training programs for emergency responders Public awareness campaigns on the importance of verified information during crises Advocacy for regulations that support the implementation of digital trust solutions in public safety Conclusion

The public safety sector urgently needs robust digital trust solutions to protect Canadians and Canadians and communities in an increasingly digital world. By adopting frameworks like the PCTF, public safety agencies can enhance their operational efficiency, build public trust, and improve their ability to respond to emergencies, providing a reassuring path forward.

Together, as public safety agency leaders, policymakers, and stakeholders in emergency management, we can create a public safety ecosystem that leverages digital trust to protect citizens, respects their privacy, and solidifies Canada’s position as a secure and effective leader in emergency management.

Download the paper here.

DIACC-Position-Advancing-Digital-Trust-to-Strengthen-Public-Safety_ENG

Play Video

Watch full recording on YouTube.

Status: Verified by Presenter

Please note that ToIP used Google NotebookLM to generate the following content, which the presenter has verified.

Google NotebookLM Podcast

https://trustoverip.org/wp-content/uploads/2025-05-01-Agri-food-Data-Canada-Carly-Huitema-1.wav Summary

This briefing document summarizes a presentation about Agri-food Data Canada’s Semantic Engine, a suite of tools designed to enhance research data management in the agri-food sector by making data Findable, Accessible, Interoperable, and Reusable (FAIR). A central focus is the use of machine-readable data schemas authored with the Overlays Capture Architecture (OCA) standard, which is highlighted for its use of derived identifiers (digests) over traditional assigned identifiers for improved reproducibility and authenticity. The document also details the Semantic Engine’s practical tools and ongoing efforts to integrate these standards into existing research infrastructure, addressing challenges like data context and decentralized ecosystems.

Briefing Document: Agri-food Data Canada and the Semantic Engine

Date: May 1, 2025

Subject: Review of Agri-food Data Canada (ADC) project and its Semantic Engine, with discussion on data schemas, identifiers, and integration into research infrastructure.

Sources:

Excerpts from “2025.05.01-ToIP_EGWG.pdf” (Slides) Excerpts from “GMT20250501-145814_Recording.transcript.txt” (Transcript) Excerpts from “GMT20250501-145814_Recording_1920x1080.mp4” (Video – used for verification of content and speakers) Excerpts from “GMT20250501-145814_RecordingnewChat.txt” (Chat Log)

Attendees/Speakers: Carly Huitema (University of Guelph, ADC), Michelle Edwards (ADC, mentioned), Eric Drury (Forth Consulting), Scott Perry (Digital Governance Institute), Neil Thomson (QueryVision), Steven Milstein (Collab.Ventures), Donald Sheppard.

Overview

This briefing summarizes a presentation by Carly Huitema from Agri-food Data Canada (ADC) to the Trust over IP (ToIP) Ecosystem and Governance Working Group. The presentation focuses on ADC’s efforts to improve research data management in the agri-food sector, specifically through the development of the “Semantic Engine” suite of tools. A central theme is the importance of “FAIR” data (Findable, Accessible, Interoperable, Reusable) and how machine-readable data schemas, particularly using the Overlays Capture Architecture (OCA) standard, contribute to achieving this goal. The discussion also highlights the advantages of derived identifiers (digests) over assigned identifiers for reproducibility, authenticity, and decentralization, and ADC’s ongoing work to integrate their tools and schemas into existing research infrastructure.

Key Themes and Important Ideas Improving Research Data Management in a Decentralized Ecosystem: The research data ecosystem is described as highly decentralized with independent research groups. While guided by best practices, mandates for standardized approaches are often slow to adopt. Incentives can be conflicting, particularly the “publish or perish” culture versus the time needed for thorough data documentation. Long-term planning (e.g., 50-year repository funding) is a crucial consideration. ADC, a project at the University of Guelph funded by multiple Canadian sources (CFREF, Genome Canada, UoG, OMAFA, Compute Ontario, etc.), aims to address these challenges by working directly with researchers. Making Agri-food Data FAIR: A core objective of ADC is to make agri-food data FAIR: Findable: Ability to identify and locate data resources and their context. Accessible: Ability to access (with permission) and use data once found, often requiring open protocols. Interoperable: Using standards for data to ensure compatibility, including standard vocabularies. Reusable: Data with sufficient context (licenses, provenance, descriptions) can be reused by others for replication or new research. Carly Huitema states: “Findable is the ability to identify and find resources as well as their context. If it’s accessible that once found you can access it with permission and use it interoperable. Certainly lots of our work at Trust Over IP is about how to ensure interoperability of standards including vocabularies and reusable that that there are licenses and provenance and other things that help make this data reusable.” Data Requires Context: Data alone is insufficient; it needs context to be useful. This context includes details like sample source, analysis methods, data schemas, catalogue information, data licenses, data governance agreements, associated publications, methodologies, scripts, and contributors. The Semantic Engine: ADC is developing the Semantic Engine, a suite of tools designed to help researchers create “rich contextual and machine-readable data schemas.” The Semantic Engine aims to make the process of documenting data less daunting for researchers. It functions as a self-teaching web app, providing guidance and tutorials. The engine uses the Overlays Capture Architecture (OCA) standard for writing schemas. Data Schemas and Overlays Capture Architecture (OCA): A data schema describes the attributes of a dataset (e.g., columns in a table) and provides detailed information about them (type, units, description, format, etc.). OCA is highlighted as an international and open standard for documenting schemas, developed by the Human Colossus Foundation. Two key advantages of OCA: Embeds Digests: OCA schemas can embed derived identifiers (digests/fingerprints) for the schema itself and for its constituent parts. This is crucial for reproducibility and authenticity of digital artifacts. Organized by Features: OCA structures schemas by features (e.g., all descriptions, all units) rather than attribute by attribute (e.g., JSON-LD, XML Schema). This organization offers advantages: Task-based Governance: Allows for governance at the feature level (e.g., assigning responsibility for translation features). Optimized for Feature Management: Facilitates adding or removing features (like languages or units) without altering the identifiers of other features. Mix-and-Match: Enables easier combination and reuse of different schema components. ADC has developed an “OCA Package” which wraps the core OCA standard with extensions for community-specific features and developing standards, allowing for gradual migration of these features to the core standard as they become accepted. Assigned vs. Derived Identifiers: Assigned Identifiers (Names): Created by a governance body, linked to an object via a lookup table. Resolution requires trusting the authoritative governance body and their lookup table. “If you find an object, you cannot figure out the identifier – you must go to the authoritative body and look it up in their table.” Resolution services can only be hosted or delegated by the governance body. Derived Identifiers (Digests/Fingerprints): Calculated directly from a digital object using a hashing function. They are unique fingerprints for a specific version of the object. Key for reproducibility and authenticity: “You can identify the resource originally used. You can verify the resource is the same one that was originally used.” Anyone can calculate a derived identifier, build a resolution service, and verify the resolution service is pointing to the correct object. Derived identifiers enable objects to be hosted in multiple locations. Carly Huitema humorously quotes, “If you liked it, then you should have put a digest on it.” Derived identifiers are excellent for snapshots but do not handle dynamic content or versioning directly. Versioning requires a governing authority or a decentralized identifier (DID) system where subsequent versions are linked and controlled. Tools Provided by the Semantic Engine: Schema Authoring Web App: Guides researchers through creating machine-readable schemas. Data Entry Excel Generator: Creates an Excel spreadsheet with headers and schema descriptions based on the authored schema, helping standardize data collection. Includes the schema’s derived identifier. Data Entry on the Web / Data Verification Engine: A tool to verify data sets against the rules defined in a schema. Allows researchers to quickly check for inconsistencies before combining data from multiple sources. Integration into Research Infrastructure: ADC is working to integrate their schemas and tools into existing Canadian and international research infrastructure. Schemas can be deposited into long-term research data repositories (e.g., Borealis in Canada), often receiving assigned identifiers like DOIs. These schemas, with their embedded derived identifiers, can then be found through federated search engines that index multiple repositories (e.g., Lunaris in Canada, OpenAIRE in Europe). This allows researchers to publish papers referencing schemas by their identifiers, enabling others to find and verify the schema used. Addressing IP and Sensitive Data: The Semantic Engine itself does not store user data or schemas, reducing IP concerns related to the platform. Schemas are generally less sensitive than the actual data, allowing them to be more openly shared. This enables discovery of datasets and potential collaborations without exposing proprietary information. Schemas can include flags for sensitive data attributes (e.g., farm location). While ADC’s tools don’t currently enforce access controls based on these flags, this information in the machine-readable schema can be used by internal pipelines or other systems to manage sensitive data appropriately (e.g., triggering anonymization). Future Directions: ADC plans to continue integrating with research infrastructure, add digests as identifiers to more objects, and develop tools for other machine-readable standards (e.g., cataloging metadata, policy rules). They also aim to increase the number of features supported in the schema description process (e.g., range rules, ontology framing). Key Takeaways for ToIP The FAIR data principles are highly relevant to decentralized ecosystems and align well with ToIP goals. Derived identifiers (digests) offer significant advantages for reproducibility, authenticity, and decentralized resolution, making them a powerful tool for digital objects within a trust framework. The architecture of data schemas (feature-by-feature vs. attribute-by-attribute) has implications for governance, versioning, and the application of derived identifiers to schema components. Integrating decentralized identity and verifiable credentials concepts (like OCA) into existing research infrastructure can enhance discoverability, interoperability, and trust in scientific data. The Semantic Engine provides a practical example of building user-friendly tools to generate machine-readable metadata, addressing the challenge of widespread adoption of such standards.

For more details, including the meeting transcript, please see our wiki 2025-05-01 Agri-food Data Canada – Carly Huitema – Home – Confluence

https://www.linkedin.com/in/carly-huitema-27727011/ https://www.semanticengine.org/

The post EGWG 2025-05-01 Agri-food Data Canada – Carly Huitema appeared first on Trust Over IP.

Play Video

Watch the full recording on YouTube.

Status: Verified by Presenter

Please note that ToIP used Google NotebookLM to generate the following content, which the presenter has verified.

Google NotebookLM Podcast

https://trustoverip.org/wp-content/uploads/ToIP-EGWG-2025-03-20_-Richard-Whitt-GliaNET-1.wav

This document and podcast were generated by Google’s NotebookLM. They provide information about Richard Whitt‘s vision for a more human-centric internet built on trust, as presented to the Ecosystem & Governance Working Group (EGWG) of the Trust over IP Foundation on March 20, 2025. It also draws from materials related to the GLIA Foundation and the GliaNet Alliance, founded by Richard Whitt.

The current state of the web is characterized by surveillance capitalism, where companies prioritize data extraction and manipulation, leading to a lack of trust. Richard Whitt argues that this undermines human agency and necessitates a shift towards a web built on trustworthy intermediaries.

His proposed solution centers around the concept of Net Fiduciaries, a new category of entities that would prioritize users’ interests through the application of fiduciary duties like care and loyalty, similar to professionals in medicine and law. This would be a voluntary approach, driven by ethical considerations and good business practices, rather than imposed regulations on existing platforms.

The GliaNet Alliance is a coalition of companies and organizations committed to this vision. Its goal is to build a “web worthy of trust” by fostering ethical technology practices and using transformative governance principles. The alliance operates as a community of practice, with working groups focusing on areas like business models, policies, practices, and standards.

Key concepts discussed include:

The SEAMS cycle (Surveillance, Extraction, Analysis, Manipulation), which describes the problematic data practices prevalent on the web. Glea, the ancient Greek word for glue, symbolizing trust as the social glue. A multi-layered approach to change, encompassing governance, markets, technology (edge tech), and public policy. The importance of authentic personal AI agents that operate on behalf of the user, contrasting with the “double agent” nature of current AI assistants that primarily serve platform interests. The distinction between agenticity (capability) and agentiality (acting on behalf of) in AI systems. The potential for interoperability between AI agents across different platforms.

The alliance is exploring ways to demonstrate trust to the public, potentially through analogies (like a “doctor for your web life”), marketing that emphasizes fiduciary duties, and clear communication about data handling practices. They are also considering mechanisms for recourse in case of breaches.

Richard Whitt’s book, “Reweaving the Web,” further elaborates on these ideas, outlining the problems with the current web and proposing practical steps to create a more user-centric digital future. The book has received positive testimonials from prominent figures in the tech and policy fields.

The GliaNet Alliance is in its early stages, focused on building its community, establishing governance structures, and exploring business models that align with its ethical principles. They are also engaging with policymakers and exploring potential collaborations, including with the Trust over IP Foundation. Consumer Reports is an anchor member and is exploring branding its AI agent as a GliaNet project. Kwaai.ai, an open-source LLM project, is also part of the alliance, aiming to build a platform with fiduciary duties to developers and agents.

For more details, including the meeting transcript, please see our wiki 2025-03-20 GliaNet – Home – Confluence.

https://www.linkedin.com/in/richardwhitt/ https://www.glia.net/

The post EGWG 2025-03-20: Richard Whitt, GliaNET appeared first on Trust Over IP.

This content is password protected. To view it please enter your password below:

Password:

The post Protected: EGWG 2025-04-03: Stephan Wolf, Verifiable Trade Foundation appeared first on Trust Over IP.

The National Cyber Security Centre said moving to digital passkeys to log on to Gov.UK was a vital step in making the tech more ubiquitous.

The Government has announced plans to replace passwords as the way to access Gov.UK, its digital services platform for the public.

In contrast to using a password and then an additional text message or code sent to a user’s trusted device – known as two-factor authentication – passkeys are unique digital keys tied to a specific device that proves the user’s identity when they log in without requiring them to input any further codes.

At the 2025 RSAC Conference in San Francisco, our team met with dozens of industry experts, cybersecurity professionals, and investors to find out more about the biggest security technologies and trends that are impacting your business. 

Tech-Specific Innovation

While AI was one of the hottest topics at the show, it wasn’t the only topic of discussion; we also heard a lot about the evolving ransomware ecosystem and what organizations need to be doing today to prepare for the arrival of “Q-Day”. 

But perhaps the second-biggest discussion piece was around identity and access security. 

With the rise of AI-powered deepfakes and fraud attempts, we’re seeing more need than ever before for organizations to make the switch from passwords to more secure methods of authentication, such as Passkeys—and many experts were optimistic that this space will see a lot of adoption over the next year. 

Key Insights:

Andrew Shikiar, Executive Director and CEO of the FIDO Alliance: “We’re going to see Passkey deployment continue to grow in regulated industries. That’s really important, because addressing the higher assurance use cases and taking passwords out of play there will give greater confidence for more and more companies to deploy Passkeys at scale, which will further accelerate our journey towards putting passwords fully in the rear-view mirror.”

Microsoft has officially shifted to passkeys, such as facial recognition, fingerprint scans, and PINs, as the default sign-in method for all new accounts beginning this month, marking its most significant step yet toward a password-free future, according to TechRepublic.

The move coincides with World Password Day and aligns with the tech giant’s broader commitment to the Passkey Pledge, an industry initiative to eliminate passwords in favor of more secure, phishing-resistant login methods. In a blog post, Microsoft executives Joy Chik and Vasu Jakkal emphasized that passkey users are three times more likely to log in successfully than those using passwords. Although existing account holders can still use passwords, Microsoft is nudging them toward using biometrics or PINs by default. Nearly all Windows users already rely on Windows Hello, and the shift is backed by support from industry partners, including Apple and Google, who are also rolling out FIDO-compliant passkey systems across their platforms. The change promises to streamline security and user experience across the board.

FIDO-Based Authentication to Replace SMS-Based Verification, Says UK NCSC

The U.K. government is set to replace SMS-based verification systems for digital services with passkeys this year in a bid to shore up cyber defenses.

The initiative will be rolled out by the U.K. National Cybersecurity Center using the open authentication standard Fast IDentity Online, or FIDO, as a more “secure and cost-effective solution.”

“The NCSC considers passkey adoption as vital for transforming cyber resilience at a national scale,” the NCSC said. “In addition to enhanced security and cost savings, passkeys offer users a faster login experience, saving approximately one minute per login when compared to entering a username, password and SMS code,” the agency said.

Zug, Switzerland (May 6, 2025) — Umanitek AG, a Swiss-based AI company combating harmful content and the risks of artificial intelligence, today announces the launch of their first product umanitek Guardian.

Umanitek’s mission is to fight against harmful content and the risks of AI by developing and deploying technology that serves the greater good of humanity.

Umanitek’s first product is an AI agent, umanitek Guardian, that uses the Decentralized Knowledge Graph (DKG), a decentralized, trusted network for organizing and tracking immutable data and allows participating organizations to keep ownership and control of their data while supporting database queries on a need-to-know basis — allowing collaboration without compromising privacy.

The first user of umanitek Guardian will be Aylo, who will leverage the agent to allow law enforcement agents to query 7 million hashes of its verified content using natural language through an AI agent.

“Umanitek acts as the bridge. Through Decentralized Knowledge Graph (DKG) decentralized infrastructure, we can integrate advanced Internet safety technologies directly with data. Umanitek Guardian will enable companies, law enforcement, NGOs and individuals to collaborate by uploading and querying “fingerprints” of images and videos to a decentralized directory. This system will help large technology platforms track, identify and prevent the distribution of harmful content. We are committed to developing human-centric AI solutions that promote trust, protect privacy and help make internet safety the standard in the age of AI.”

– Chris Rynning, umanitek Chairman

About umanitek

Making internet safety the standard in the age of AI.

Umanitek AG is a Swiss-based AI company combating harmful content and the risks of artificial intelligence. We develop human-centric AI solutions that promote trust, protect privacy and make internet safety the standard in the age of AI.

Our founders bring deep expertise in building reliable, trusted AI systems and are connected to global networks working to reduce internet harm, and are committed to raising awareness about the importance of education and digital responsibility in the age of AI.

Umanitek’s AI infrastructure is safe by design, open by principle and trustworthy by default. With a focus on ethical innovation, umanitek is setting the standards for transparency, accountability and harm reduction in artificial intelligence.

For more information about umanitek, umanitek’s founders and products, visit www.umanitek.ai.

Contacts

For media inquiries, please contact:

Umanitek Communication

media@umanitek.ai

umanitek launches umanitek Guardian AI agent was originally published in OriginTrail on Medium, where people are continuing the conversation by highlighting and responding to this story.

We are thrilled to announce that OwnYourData has been honored with the MyData Award 2025 in the Technology category by MyData Global. This recognition celebrates our commitment to developing human-centric data solutions that empower individuals and organisations with greater control over their information, enabling them to manage, share, and benefit from their data in transparent and ethical ways.

The MyData Awards acknowledge organizations and individuals making significant strides in ethical personal data practices across various domains, including technology, business, governance, and thought leadership. This year, over 400 nominations were evaluated, highlighting the growing global emphasis on data rights and individual empowerment.

Our award in the Technology category underscores our efforts in creating interoperable and privacy-focused tools that align with the principles of the MyData Declaration. We are especially honored that both the organisation OwnYourData and our chairperson, Christoph Fabianek, were recognized with MyData Awards. This dual recognition highlights not only our collective impact as a team but also Christoph’s individual leadership and long-standing commitment to building a fair, sustainable, and prosperous digital society.

For more details on the MyData Awards and the list of 2025 recipients, visit the official MyData Awards page.

 

Der Beitrag MyData Award 2025 erschien zuerst auf www.ownyourdata.eu.

The UK government is set to roll out passkey technology for its digital services later this year as an alternative to the current SMS-based verification system, offering a more secure and cost-effective solution that could save several million pounds annually.

What does it take to grow a brand on Amazon today?

The rules have changed, and Amazon is now less of a storefront and more of a dynamic ad and data platform.

In this episode, Jason Boyce, Founder and CEO of Avenue7Media, joins host Reid Jackson to share what he’s learned over 22 years in the e-commerce world. From selling as a reseller to building a brand and leading an agency, Jayson explains why success now depends on feeding the algorithm, not pitching to buyers.

He breaks down how streaming TV is driving direct Amazon sales, the problem with locked attributes and UPCs, and why attribution is finally catching up to the promise of connected TV.

In this episode, you’ll learn:

Why traditional retail rules don’t apply to Amazon

How Connected TV can accelerate brand growth

What makes Amazon profitable when compared to DTC

Jump into the conversation:

(00:00) Introducing Next Level Supply Chain

(02:53) From failed consulting to full-service agency

(06:26) Fixing locked attributes and bad UPC data

(09:59) Streaming ads that convert like e-commerce

(13:56) Selling to algorithms, not people

(16:34) Comparing Amazon to direct-to-consumer

(20:44) Why CTV is outperforming display ads

(26:48) How AI will change the way we shop

 

Connect with GS1 US:

Our website - www.gs1us.org

GS1 US on LinkedIn

 

Connect with the guest:

Jason Boyce on LinkedInCheck out Avenue7Media

Internet Safety Labs’ Executive Director Lisa LeVasseur testified before the Maine Judiciary Committee in support of LD 1822, the Maine Online Data Privacy Act, while highlighting concerns. Informed by ISL’s 2022 K-12 Edtech safety benchmark and ongoing research, our testimony underscores the need to curb widespread commercial surveillance and risky data practices. LD 1822’s restrictions on sensitive data collection and sales are vital, yet we advocate for stronger protections, particularly for FERPA-covered data, non-profits, and medical apps. The written testimony is available to view in the pdf below:

Open PDF

 

The post Internet Safety Labs Provides Testimony in Support of LD 1822, An Act to Enact the Maine Online Data Privacy Act appeared first on Internet Safety Labs.

EdgeCon Spring 2026

Date: April 16, 2026
Time: 9 am – 5 pm
Attendee Ticket: $49

Event Location:
The College of New Jersey

More information coming soon!

The post EdgeCon Spring 2026 appeared first on NJEdge Inc.

The FIDO Alliance announced today the launch of a new Payments Working Group (PWG) focused on developing and implementing FIDO authentication solutions specifically for payment use cases. This initiative marks a significant expansion of the organization’s efforts to eliminate password dependencies in critical digital transactions.

The new working group emerges at a time of growing momentum for passwordless authentication in the payments sector. Last year, Visa implemented passkeys for online payments, allowing customers to authorize transactions using biometric authentication rather than traditional passwords.

The Alliance, which now comprises over 250 members, has been steadily expanding its influence across various sectors of digital authentication.

World Password Day is no longer. The annual day to promote secure password practices has run its course, and the FIDO Alliance (whose stated mission, to be fair, is to bring the world beyond passwords) has rebranded World Password Day as World Passkey Day – an occasion to celebrate the encrypted FIDO credentials that combine data you possess (a digital key or credential) with a biometric trait (something you are, usually a face or fingerprint).

Anyone setting up a new Microsoft account will soon find they’re encouraged to use a passkey during the sign-up process.

Microsoft introduced passkey support across most of its consumer apps last year, allowing users to sign into their accounts without the need for 2FA methods or remembering long passwords. A year later, it’s removing passwords as the default and encouraging all new signups to use passkeys.

PCMag attempted to sign up for a new Microsoft account on May 2, but it still asked for a password at the time of publication. Microsoft hasn’t shared an exact timeframe for when the change will take place, but you should expect it to happen in the coming days.

This is the first time a new account can be entirely passwordless. Previously, it had to have one alongside your passkey.

In a blog post, Microsoft says 98% of passkey attempts to log in are successful, while passwords are only at 32%. Microsoft is also introducing what it calls a “streamlined” sign-in experience for all accounts that “prioritizes passwordless methods for sign-in and sign-up.” It means some UX design changes to highlight passkey functionality.

We’re excited to announce a new partnership with Puentes, an organization dedicated to strengthening the narrative power of social justice movements in Latin America

The post Empowering narratives, strengthening ecosystems: A partnership for digital resilience appeared first on The Engine Room.

WAO is currently working on a project with the Responsible Innovation Centre for Public Media Futures (RIC), hosted by the BBC. Our focus is on AI Literacy for 14–19 year olds and you can read more context in our project kick-off blog post.

One of the deliverables for this project is to review AI Literacy frameworks, with a view to either making a recommendation, or coming up with a new one. It’s not just a case of choosing one with a pretty diagram!

Frameworks are a way in which an individual or organisation can indicate what is worth paying attention to in a given situation. Just as the definition of ‘AI Literacy’ varies by context, the usefulness of a framework depends on the situation. In this post, we share the judgements we made using criteria we developed and share our process in case it is useful for your own work.

Narrowing down the list

While there can be some commonality and overlaps between frameworks for different contexts, the diversity of possible situations is huge. There can never be a single ‘perfect’ framework suitable for every situation. For example, just imagine what ‘AI Literacy’ might look like for (adult) engineers and developers compared with children of primary school age. As with our work at Mozilla you can define what a ‘map’ of new literacies might look like, but it can only ever be one of many that describe the overall ‘territory’.

With our work on this project, we had to bear in mind our audience (14–19 year olds) and the mission of the BBC. There is a long history of Critical Media Literacy which is particularly relevant to our research here, and which was one of the factors when reviewing frameworks.

With a relatively short project timeline of three months, we needed a way to quickly classify approximately forty frameworks and related documents we have collected. We shared relevant details with Perplexity AI (using the Claude 3.7 Sonnet model) over multiple conversations. This helped us reduce our initial list of around 40 frameworks to a more manageable 25.

Coming up with criteria

Next, we came up with some criteria by which to judge them. These criteria were informed by our own work in the area for 15+ years, along with either interviews or surveys with over 35 experts in the field. While these criteria are meant as a heuristic for this project, they are also a useful starting point for asking questions about any project relating to new literacies.

Definition of AI — ensures everyone has the same starting point Development process — adds transparency and credibility Target audience — helps match the framework to its users Real-world relevance — shows how ideas work in practice AI safety and ethics — addresses both risks and responsible use Skills and competencies listed — clarifies what learners should be able to do Reputable source — increases trust in the framework

We included both safety and ethics because both are needed for using AI in a responsible and trustworthy way.

Categorising the most relevant frameworks

We used a traffic light (red/yellow/green) categorisation system to score each framework on the above criteria. Only one of the frameworks we reviewed, the OECD Framework for Classifying AI Systems, meets all criteria with a ‘green’ rating.

There are several other frameworks which we judge as meeting the criteria as ‘green’ except for one criterion (‘yellow’). Listed alphabetically by organisation, these are:

Artificial Intelligence in Education (Digital Promise) AI Literacy in Teaching and Learning: A Durable Framework for Higher Education (EDUCAUSE) Digital Competence Framework for Citizens (European Commission) Developing AI Literacy With People Who Have Low Or No Digital Skills (Good Things Foundation) AI competency framework for students (UNESCO)

There are other frameworks which we have decided to include which included two or more criterion as ‘yellow’. For example, the Open University’s Critical AI Literacy Framework, Ng, et al’s article, and Prof. Maha Bali’s blog post linked from her framework all do a good job of defining Critical AI Literacies. We would also note that the Digital Education Council’s list of skills and competencies relating to AI Literacy is useful to pair with those from EDUCAUSE, UNESCO, and the European Commission.

Next steps

As mentioned earlier, our brief for this project involves either making an informed recommendation of a framework, or to come up with our own. We’re currently leaning toward the latter, but either choice will be the subject of a future blog post.

If you have questions, concerns, comments, or indeed a particularly useful resource which you think would be useful for this project, please do get in touch. You can leave a comment here, or use the contact details on our main website to get in touch!

After supporting passwordless Windows logins for years and even allowing users to delete passwords from their accounts, Microsoft is making its biggest move yet toward a future with no passwords. Now it will ask people signing up for new accounts to only use more secure methods like passkeys, push notifications, and security keys instead, by default.

The new no-password initiative by Microsoft is accompanied by its recently launched, optimized sign-in window design with reordered steps that flow better for a passwordless and passkey-first experience.

Although current accounts won’t have to shed their passwords, new ones will try and leave them behind by not prompting you to create a password at all:

As part of this simplified UX, we’re changing the default behavior for new accounts. Brand new Microsoft accounts will now be “passwordless by default.” New users will have several passwordless options for signing into their account and they’ll never need to enroll a password. Existing users can visit their account settings to delete their password.

With today’s changes, Microsoft is renaming “World Password Day” to “World Passkey Day” instead and pledges to continue its work implementing passkeys over the coming year. This time last year, the company implemented passkeys into consumer accounts. Microsoft says it’s seeing “nearly a million passkeys registered every day,” and that passkey users have a 98 percent success rate of signing in versus 32 percent for password-based accounts.

As you’ll already know, today is World Passkey Day and the FIDO Alliance has released an independent study of over 1,300 consumers across the US, UK, China, South Korea, and Japan to understand how passkey usage and consumer attitudes towards authentication have evolved.

The results are encouraging, they find 74 percent of consumers are aware of passkeys and 69 percent have enabled passkeys on at least one of their accounts.

Among those who have used passkeys, 38 percent report enabling them whenever possible. More than half of consumers now believe passkeys are both more secure (53 percent) and more convenient (54 percent) than passwords.

This increase in passkey adoption is likely driven by the shortcomings of passwords. Last year, over 35 percent of people had at least one of their accounts compromised due to password vulnerabilities. In addition, 47 percent of consumers will abandon purchases if they have forgotten their password for that particular account.

To further encourage organizations to embrace the shift to passkeys, the FIDO Alliance has also launched the Passkey Pledge, a voluntary pledge for online service providers and authentication product and service vendors committed to embracing passkeys.

“The establishment and growth of World Passkey Day reflects the fact that organizations of all shapes and sizes are taking action upon the imperative to move away from relying on passwords and other legacy authentication methods that have led to decades of data breaches, account takeovers and user frustration, which imperil the very foundations of our connected society,” says Andrew Shikiar, executive director and CEO of the FIDO Alliance. “We’re thrilled by the fact that over 100 organizations around the world signed our Passkey Pledge, and we are pleased to support the market in their march towards passkeys through a variety of freely available assets, including our market-leading Passkey Central resource center.”

The full report is available from the FIDO Alliance site.

As the first-ever World Passkey Day replaces the traditional World Password Day, Microsoft joins the FIDO Alliance in celebrating a milestone achievement: over 15 billion online accounts now have access to passwordless authentication through passkeys.

This significant shift marks a turning point in digital security as the tech industry moves decisively away from vulnerable password-based systems.

“The establishment and growth of World Passkey Day reflects the fact that organizations of all shapes and sizes are taking action upon the imperative to move away from relying on passwords and other legacy authentication methods,” said Andrew Shikiar, Executive Director and CEO of the FIDO Alliance. 

Microsoft is on a mission to delete passwords for a billion users, given that “the password era is ending.” The Windows-maker warns users that “bad actors know it, which is why they’re desperately accelerating password-related attacks while they still can.” And those attacks are now making headlines weekly.

The answer is passkeys, which link your account security to your physical device security, which means unless an attacker has access to your hardware and unlock method — biometric or PIN, they can’t bypass a password to login.

More than others, Microsoft is not just promoting passkeys but also password deletion: “If a user has both a passkey and a password, and both grant access to an account, the account is still at risk for phishing. Our ultimate goal is to remove passwords completely and have accounts that only support phishing-resistant credentials.”

The FIDO Alliance, the organization charged with promoting passkeys has taken to the internet airwaves this time around to “launch a Passkey Pledge to further accelerate [the] global movement away from passwords.”

Its latest research found that “over 35% of people had at least one of their accounts compromised due to password vulnerabilities, [and] 47% of consumers will abandon purchases if they have forgotten their password for that particular account. This is significant for passkey adoption, as 54% of people familiar with passkeys consider them to be more convenient than passwords, and 53% believe they offer greater security.”

FIDO has welcomed Microsoft’s password deletion as industry leading. “This is an exciting and seminal milestone as Microsoft is taking passwords out of play for over a billion user accounts,” its CEO Andrew Shikiar told me, “who can now instead leverage user-friendly, phishing-resistant passkeys. Microsoft’s leadership in doing so today will help encourage more service providers to do the same, which moves us collectively closer to the day when passwords are fully in our rear-view mirror.”

Moving past passwords is improving brand trust

The FIDO Alliance has also recently invited companies to participate in the World Passkey Pledge to create a more secure future, and move past the vulnerability and hassle of passwords.

Simon McNally, Cybersecurity Expert at Thales said, “Passwords have long been a weak link in digital security, forcing consumers and businesses into a frustrating cycle of password resets and potential breaches. We welcome the FIDO Alliance’s commitment to World Passkey Day and its push for a passwordless future. Passkeys provide a seamless and secure authentication experience, eliminating the risks and frustrations associated with traditional passwords.

Passkeys are automatically generated and securely stored, removing the burden of creating and managing complex passwords. They also enhance privacy by allowing authentication without sharing sensitive data, reducing the risk of breaches. As trust in digital security becomes more critical, businesses must prioritise passwordless solutions to protect users and build brand confidence.”

The Passkey Pledge for a Passwordless Future

To commemorate World Password Day (or at it will henceforth be known, World Passkey Day), the FIDO Alliance has released a survey on the usage of passkeys which found that 74% of consumers are aware of passkeys, meaning that consumers are aware of the potential value a passkey login experience can bring. To support this, the survey also found that 69% of consumers have enabled passkeys on at least one of their accounts.

Furthermore, for those who have used passkeys, 38% report enabling them whenever possible suggesting that some consumers already see the added user experience and security benefits passkeys bring. In fact, more than half of consumers believe passkeys are both more secure (53%) and more convenient (54%) than passwords. Many businesses and organizations have already signed the Passkey Pledge, including Amazon, Apple, Google, Microsoft, Samsung, and many more!

A pivotal moment

Andrew Shikiar, executive director and CEO of the FIDO Alliance, commented on both the recent survey, and the Passkey Pledge:

“This year’s World Passkey Day comes at a pivotal moment for user authentication around the world – with a rapidly growing number of service providers (including nearly half of the world’s top 100 websites) offering billions of user accounts the option to sign in with passkeys instead of passwords. Well over 100 organizations have taken the Passkey Pledge, indicating their commitment towards a future free from the risk and burdens of passwords.

Consumers are not only increasingly aware of passkeys, they’re using them more frequently: 69% of respondents to our recent survey are enabling them on at least one account, and 38% are now enabling them whenever possible.

Passkeys are so intuitive to use that once users integrate passkeys, they rarely go back. This is good for consumers who are frustrated by password reliant sign-in processes — 35% of whom said they experienced account compromises as a result of password vulnerabilities last year — and e-commerce retailers alike.

This shift isn’t just about innovation or bottom lines; it’s about rebuilding digital trust and creating a safer, more efficient internet for everyone.”

NEWARK, NJ, May 2, 2025 – Dr. Forough Ghahramani, Assistant Vice President for Research, Innovation, and Sponsored Programs, Edge, Chair of Broadening the Reach Working Group for the Ecosystem for Research Networking (ERN), and ERN Steering Committee member, welcomed an esteemed group of scientific and cyberinfrastructure researchers as co-chair of this year’s ERN Summit.

The Ecosystem for Research Networking Summit provides the scientific and cyberinfrastructure research community an opportunity to come together and discuss ERN mission and accomplishments, hear from domain researchers and CI professionals at smaller institutions about the successes and challenges related to leveraging local, regional, and national resources for projects, and learn about funding resources and partnership opportunities, as well as regional and national communities.

The Summit was a virtual event held on April 23, 2025, and reflected a shared commitment to building bridges across scientific and cyberinfrastructure communities and exploring the timely topics of advanced technologies, artificial intelligence (AI), quantum, and workforce development. Attendees heard from thought leaders who are driving AI and quantum initiatives, shaping curriculum innovation, and expanding opportunities across institutions of all sizes. Panel discussions examined the unique constraints and opportunities facing non-R1 institutions, along with the curricular innovations and partnerships shaping the future quantum workforce.

“The ERN Summit sparked dynamic conversations and showcased the perspectives of vital contributors to our national research ecosystem, including leading institutions, regional hubs, industry partners, and smaller colleges. We hope the Summit inspired new collaborations, actionable ideas, and lasting connections throughout the research and education community.”

– Dr. Forough Ghahramani
Assistant Vice President for Research, Innovation, and Sponsored Programs, Edge
Chair of Broadening the Reach Working Group, ERN
Steering Committee Member, ERN

Keynote speaker, Dan Stanzione, Ph.D., Associate Vice President for Research, Executive Director, Texas Advanced Computer Center (TACC), led the topic, AI and HPC, or AI Ends HPC? where he discussed the evolving balance between AI and high-performance computing in future system designs. Dr. Stanzione argued that rather than replacing HPC, AI is transforming it, requiring the community to rethink architecture, software, workforce strategy, and environmental impact.

The Summit’s three panels provided insights from leading institutions, regional hubs, industry partners, and smaller institutions, including:

How regional economic and workforce initiatives are taking shape in AI and Quantum; How industry-academic partnerships are preparing the next-generation quantum workforce, and; What unique strengths and challenges are faced by non-R1 and smaller institutions in this landscape.

“It was wonderful seeing the strong attendance across all panels. The discussions addressed pressing issues relevant to research and education communities in universities and colleges nationwide and internationally as we collectively tackle the challenges of AI and emerging quantum technologies. We will continue these discussions over the next year, leading to solutions that will be reported on during our next summit,” Barr von Oehsen, Ph.D., Director Pittsburgh Supercomputing Center and Chair of the ERN Steering Committee.

The Summit closed with rich dialogue on how the ERN can continue to build a thriving, inclusive community that supports institutions of all sizes and types. The energy and ideas shared set a clear path for future action! The ERN community is energized to keep the momentum going! Additional information is available at https://ern.ci.

About Edge

Edge serves as a member-owned, nonprofit provider of high performance optical fiber networking and internetworking, Internet2, and a vast array of best-in-class technology solutions for cybersecurity, educational technologies, cloud computing, and professional managed services. Edge provides these solutions to colleges and universities, K-12 school districts, government entities, hospital networks and nonprofit business entities as part of a membership-based consortium. Edge’s membership spans the northeast, along with a growing list of EdgeMarket participants nationwide. Edge’s common good mission ensures success by empowering members for digital transformation with affordable, reliable and thought-leading purpose-built, advanced connectivity, technologies and services.

The post Ecosystem for Research Networking (ERN) Summit 2025 appeared first on NJEdge Inc.

We recently updated the MyData White Paper. Unlike previous editions that stated “this is the way it should be,” this fourth edition asks questions about how MyData’s vision, principles, and […]

EdgeCon Winter 2026

Date: January 15, 2026
Time: 9 am – 5 pm
Attendee Ticket: $49

Event Location:
Princeton University

Accommodations

For those requiring overnight accommodations while attending EdgeCon Winter 2025, a Group Rate has been arranged for attendees at: Nassau Inn »

10 Palmer Square, Princeton, NJ 08542

Secure your room here »

Or, for Attendees who want to make reservations over the phone, please call the Nassau Inn Reservation Desk directly at 609-921-7500 and reference the booking #4766909 in order to receive the group rate. This rate is only valid until 12/14/25.

More information coming soon!

The post EdgeCon Winter 2026 appeared first on NJEdge Inc.

May 1, 2025

In recognition of World Passkey Day (formerly World Password Day), the FIDO Alliance is putting the spotlight on real-world passkey deployments from leading organizations around the globe. Read on for highlights of the successes companies in various industries are seeing from delivering faster, easier, and more secure sign-ins with passkeys—showcasing the global commitment to move away from passwords.

The FIDO Alliance also released today an independent study of consumers to understand how passkey usage and consumer attitudes towards authentication have evolved. The research found that in the last year, over 35% of people had at least one of their accounts compromised due to password vulnerabilities. In addition, 47% of consumers will abandon purchases if they have forgotten their password for that particular account. This is significant for passkey adoption, as 54% of people familiar with passkeys consider them to be more convenient than passwords, and 53% believe they offer greater security. The full report is available here.

ABANCA’s mobile app serves over 1,200,000 customers a month, serving as the bank’s largest branch. Today, more than 42% of its mobile customers are using passkeys via the bank’s ABANCA Key product. As a result, more than 11,000,000 high-risk transactions have been protected without technical or service incidents, and due to the prioritization of UX, they have managed a Customer Effort Score (CES) of 4.7. 

Aflac was the first major insurance company to adopt passkeys in the U.S. Aflac partnered with Transmit Security to launch their passkey authentication initiative Today, only the first phase of the project is complete and yet more than 500,000 Aflac customers have enrolled a passkey, resulting in a 32% reduction in password recovery requests. This has yielded 30,000 fewer calls per month to the call center for identity issues. Aflac reports that the highest enrollment rates occur at the point of registration, reinforcing the FIDO Alliance’s Design Guidelines recommendation to prompt customers during account-related tasks. The steady, organic adoption of passkeys by Aflac customers continues to grow daily and directly contributes to measurable improvements in cost reduction and customer experience.

KDDI now has more than 13.6 million au ID customers that use FIDO and has seen a dramatic decrease (down nearly 35%) in calls to their customer support center as a result. KDDI manages FIDO adoption carefully for both subscribers and non-subscribers. 

LY Corporation property Yahoo! JAPAN ID now has 28 million active passkeys users. Approximately 50% of user authentication on smartphones now uses passkeys. LY Corporation said that passkeys have a higher success rate and are 2.6 times faster than SMS OTP.

Mercari has seen 9 million users enroll with passkeys, and is enforcing passkey login for users who have enrolled with synced passkeys. Notably, there have been zero phishing incidents at Mercari Shop and Mercoin (a Mercari subsidiary) since March 2023.

Microsoft began rolling out passkeys for Microsoft consumer account in 2024. They now see nearly one million passkeys registered every day. Microsoft has found that users signing in with passkeys are three times more successful at getting into their account than password users (about 98% versus 32%), passkey sign-ins are eight times faster than traditional password + MFA flows, and passwordless-preferred UX has reduced password use by over 20%. 

Nikkei rolled out passkeys in February and is already seeing thousands of customers using passkeys. Additionally, they are seeing almost no inquiries about how to use passkeys at the support desk.

NTT DOCOMO has increased its passkey enrollments and now passkeys are used for more than 50% of authentication by d ACCOUNT users. NTT DOCOMO notably reports significant decreases in successful phishing attempts and there have been no unrecognized payments at the docomo Online Shop since September 2022 where NTT DOCOMO continuously improved UX, including increasing the number of other passkey-enabled services.

Samsung Electronics’ Galaxy smartphones support fast and convenient logins through biometric authentication and FIDO protocols. Due to ease of use, speed, compatibility across services, and status as an industry standard made passkeys a compelling choice for Samsung Electronics.

VicRoads is the vehicle registration and driver licensing authority in Victoria, Australia. It registers over six million vehicles annually and licenses more than five million drivers. Within the first weeks of deployment with its passkey vendor Corbado, passkey adoption significantly exceeded VicRoads’ expectations. Users embraced the phishing-resistant authentication method, benefiting from a frictionless login experience optimized for speed and security. The exceptionally high passkey activation rate – peaking at 80% on mobile devices and over 50% across all platforms – led to 30% passkey login rate within the first seven weeks. Uptake continues to rise steadily, translating into measurable operational benefits, including reduced authentication-related support tickets, lower SMS OTP costs and improved user experience and security.

Zoho Corporation has rolled out passkeys to its 100+ million zoho.com customers and has seen a resulting 30% increase month over month in passkey adoption and a 10% drop in password reset queries. As a next step, the company will begin its rollout to Zoho Vault customers in May.

Read the full case studies from ABANCA, Microsoft, Nikkei, Samsung Electronics, VicRoads and Zoho Corporation to learn more about how these companies are discovering the benefits of passkey adoption. To learn more about passkey implementation through other documented case studies, visit the FIDO Alliance’s resource library. Have a case study to share? Contact us!

New global survey: More than two thirds of users familiar with passkeys turn to them for simpler, safer sign-ins as password pain persists

MOUNTAIN VIEW, Calif., May 1, 2025 – With digital security more critical than ever, the FIDO Alliance is commemorating World Passkey Day 2025 with the release of an independent study of consumers across the U.S., U.K., China, South Korea, and Japan to understand how passkey usage and consumer attitudes towards authentication have evolved. 

The research found that in the last year, over 35% of people had at least one of their accounts compromised due to password vulnerabilities. In addition, 47% of consumers will abandon purchases if they have forgotten their password for that particular account. This is significant for passkey adoption, as 54% of people familiar with passkeys consider them to be more convenient than passwords, and 53% believe they offer greater security. 

World Passkey Day serves as the FIDO Alliance’s annual call to action for individuals and organizations to adopt passkey sign-ins, making the web safer and more accessible.

Highlights from the research show consumer passkey awareness is on the rise and outlines several key trends in adoption among those who are aware of passkeys, including:

74% of consumers are aware of passkeys. 69% of consumers have enabled passkeys on at least one of their accounts. Among those who have used passkeys, 38% report enabling them whenever possible. More than half of consumers believe passkeys are both more secure (53%) and more convenient (54%) than passwords. 

The survey report is available at https://fidoalliance.org/wpd-report-2025-consumer-password-passkey-trends/, which includes additional insights on how passkey adoption is trending with consumers and organizations to improve global digital access, authentication, and security.

“The establishment and growth of World Passkey Day reflects the fact that organizations of all shapes and sizes are taking action upon the imperative to move away from relying on passwords and other legacy authentication methods that have led to decades of data breaches, account takeovers and user frustration, which imperil the very foundations of our connected society,” said Andrew Shikiar, Executive Director and CEO of the FIDO Alliance. “We’re thrilled by the fact that over 100 organizations around the world signed our Passkey Pledge, and we are pleased to support the market in their march towards passkeys through a variety of freely available assets, including our market-leading Passkey Central resource center.”

To further encourage organizations to embrace the shift away toward passkeys, the FIDO Alliance also launched the Passkey Pledge, a voluntary pledge for online service providers and authentication product and service vendors committed to embracing passkeys. The passkey pledge has received commitments from over 100 organizations in just over 20 days. A full list of companies that have taken the passkey pledge can be found here.

The availability of passkeys has steadily increased with implementation reaching 48% of the world’s top 100 websites as enterprises and service providers collectively seek to embrace a new era of faster sign-ins, higher success rates, fewer account takeovers, lower support costs, and reduced cart abandonment.

To learn how to start your organization’s passwordless journey, or to begin using passkeys today, visit: https://www.passkeycentral.org/home. 

Notes to editors: This SurveyMonkey online poll was conducted from April 13-14, 2025, among a global sample of 1,389 adults ages 18 and up. Respondents for this survey were selected from the nearly 3 million people who take surveys on the SurveyMonkey platform each day. Data for this survey has been weighted for age, race, sex, education, and geography to adequately reflect the demographic composition of the United States, United Kingdom, China, South Korea and Japan. The modeled error estimate for this survey is plus or minus 3.5 percentage points. To calculate the proportion of the world’s top websites and services that support passkeys, the FIDO Alliance combined publicly available information with its own data on passkey deployments.  About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance was formed in July 2012 to address the lack of interoperability among strong authentication technologies and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services. For more information, visit www.fidoalliance.org.

Contact

press@fidoalliance.org

It feels fitting and yes, admittedly somewhat contrived, that our birthday falls on May 1st. It’s a moment when people around the world celebrate the power of collective action and the achievements of workers everywhere.

This year, our anniversary feels even more special. We’ve had our share of triumphs and certainly challenges, but nine years in (which is a long time in internet years!) we’re still here.

2025 has been named the United Nations International Year of Co-operatives, with the theme “Co-operatives Build a Better World.” The global co-operative movement deserves this spotlight, showing how co-ops like ours are making a difference by putting people and planet before profit.

https://ica.coop/en/cooperatives/facts-and-figures

At We Are Open, we believe in doing business differently. We’re a worker-owned co-op, which means we make decisions together, share responsibility, and support each other to do meaningful work. Over the past nine years, we’ve learned (and re-learned!) that openness, collaboration, and trust are at the heart of what makes co-ops so important.

So today, we’ll down tools and raise a glass to our members, clients, friends, comrades in CoTech and workers.coop and the wider co-op community. Thanks for being part of our journey so far.

Solidarity and celebration from all of us at We Are Open! If you’d like to wish us happy birthday, or have a problem we may be able to help with, email us without delay at hello@weareopen.coop

May 2025

DIF Website | DIF Mailing Lists | Meeting Recording Archive

Table of contents Decentralized Identity Foundation News; 2. Working Group Updates; 3 Special Interest Group Updates; 4 User Group Updates; 5. Announcements; 6. Community Events; 7. DIF Member Spotlights; 8. Get involved! Join DIF 🚀 Decentralized Identity Foundation News DIF Labs Beta Cohort 2 RFP is here!

Exciting news for identity innovators! DIF Labs has just announced their request for proposals for Beta Cohort 2, focused on driving high-leverage work at the intersection of identity, trust, and emerging technologies. The program seeks proposals from builders and researchers in five key focus areas: Personhood Credentials, Content Authenticity and Assertions, Applied Cryptography, Verifiable AI, and Industry-Aligned Applications. Project leads must be DIF members, with proposals due by May 20, 2025. Selected projects will receive mentorship, ecosystem support, and collaboration opportunities over a 2-3 month development period. For complete details on submission requirements, evaluation criteria, and the application process, visit the full announcement on the DIF Labs website.

DIF Hospitality & Travel Working Group is Live

The Decentralized Identity Foundation (DIF) has launched a new Hospitality & Travel Working Group focused on developing standards for self-sovereign data exchange in the travel industry. This initiative will create frameworks allowing travelers to control their personal information while enabling seamless interactions with service providers. Led by chair Douglas Rice, the group will address traveler profiles, data portability, and interoperability across the travel ecosystem. For more details, see DIF's announcement:

DIF Launches Decentralized Identity Foundation Hospitality & Travel Working Group The Decentralized Identity Foundation (DIF) has officially launched its Hospitality & Travel Working Group, evolving from the ongoing H&T Special Interest Group (SIG). This new working group will focus on developing standards, schemas, processes, and documentation to support the self-sovereign exchange of data between travelers, services, intermediaries in the hospitality Decentralized Identity Foundation - BlogDecentralized Identity Foundation Algorand Releases the Universal Chess Passport

Algorand has partnered with World Chess to develop a "Universal Chess Passport" using blockchain-based digital identity and verifiable credentials technology. This innovative system will allow chess players to maintain portable digital identities and credentials across platforms, enabling them to seamlessly transfer their achievements, rankings, and records between online platforms and in-person tournaments. The proposal aims to address fragmentation in the chess ecosystem while maintaining privacy and security through decentralized identifiers (DIDs). A live discussion about the initiative will be held on May 6th featuring representatives from Algorand, World Chess, and the Decentralized Identity Foundation. For more details, visit Algorand's announcement page:

Algorand x World Chess - Universal Chess Passport Tired of rebuilding your chess identity across every platform? A new blockchain-based system from Algorand and World Chess proposes portable, verifiable credentials for chess players—bringing fairness, reputation, and rewards into one unified ecosystem. Universal Chess PassportAlgorand Foundation 🛠️ Working Group Updates

Browse our working groups here

Hospitality & Travel Working Group

The newly-launched Hospitality & Travel Working Group started strong. They discussed their draft implementation guide and schema development, exploring the complexities of travel stages and verifiable data. They refined key terms in their glossary, including standardizing on the term "HATPro" (hospitality and travel profile). The team aims to have a substantial portion of the schema ready to announce at the HITEC Conference in mid-June.

👉 Learn more and get involved

Creator Assertions Working Group

The Creator Assertions Working Group held productive meetings in both Americas/EU and APAC time zones this month. Discussions focused on identity claims, trust profiles, and collaboration with external groups including the JPEG Trust Group and Project Origin. The group is preparing three assertion specs for approval and considering integrating first-person credentials. The group will soon hold an election for co-chairs, with Scott Perry and Alex Tweeddale as candidates.

👉 Learn more and get involved

DID Methods Working Group

The DID Methods Working Group finalized the DIF recommended methods process, agreeing to use "DIF Recommended" consistently throughout their documentation. They heard a detailed presentation on DID Peer version 4, exploring its features and advantages over other methods. The group also decided to dedicate full sessions to DID method deep dives as practice runs for their evaluation process.

👉 Learn more and get involved

Identifiers and Discovery Working Group

The DID Traits team is preparing to release version 1.0 of their specification, focusing on making traits enable easier assessment. They're adding new traits including key validation and long-term availability, while improving terminology for clarity. The team removed software trade references due to complexity and expressed satisfaction with their progress toward the 1.0 milestone.

The did:webvh team is finalizing their 1.0 specification, including updates to examples and clarification of terminology. They addressed concerns about performance with large logs, cryptographic agility, and improving DID availability through watchers. The team is developing a JSON schema for data model validation and planning a test suite, while seeking acknowledgement from the DIF Technical Steering Committee for the 1.0 release.

👉 Learn more and get involved

🪪 Claims & Credentials Working Group

The Credential Schemas team developed a new schema directory structure with community schemas, draft schemas, and recommended schemas folders to better organize their work. They refined the proof of age schema, including improvements to boolean threshold indicators and simplifying schema names for clarity and reuse. The team welcomed new members and discussed potential synergy with the Oasis working group.

👉 Learn more and get involved

Applied Crypto Working Group

The BBS+ team focused on pseudonym implementations and designing approaches for everlasting unlinkability in credential systems. They considered trade-offs between post-quantum security and privacy, concluding that their baseline approach with pseudonyms offers preferable privacy protections. Team members are exploring the potential of using Rust instead of C++ for implementation and plan to interact more with the CFRG to advance the project.

👉 Learn more and get involved

DIF Labs Working Group

DIF Labs has launched its RFP for Beta Cohort 2. Read more here

👉 Learn more and get involved

DIDComm Working Group

The DIDComm team discussed implementing binary encoding in the next version, proposing either a DIDComm version 3 with built-in binary encoding or adding optional seabore envelopes in version 2.2. They welcomed new member SwissSafe who expressed interest in contributing to standardizing CBOR for DIDcomm messaging. The team agreed to implement a flag designator in the header for different encodings.

👉 Learn more and get involved

If you are interested in participating in any of the Working Groups highlighted above, or any of DIF's other Working Groups, please click join DIF.

🌎 DIF Special Interest Group Updates

Browse our special interest groups here

DIF Hospitality & Travel SIG

The H&T SIG held multiple productive sessions in April. One meeting featured representatives from the European Digital Identity Wallet Consortium who presented on the EUDI wallet's development and potential applications in travel and hospitality. Another session discussed food model development, trip profile components, and context-specific preferences for travelers. The team continues refining their implementation guide and developing a comprehensive strategy for travel wallets that support personalization, with plans to showcase their schema at the HITEC Conference in mid-June.

👉 Learn more and get involved

DIF China SIG

👉 Learn more and get involved

APAC/ASEAN Discussion Group

The APAC/ASEAN call featured a presentation on the Verifiable Legal Entity Identifier (vLEI) and its relation to the Global Legal Entity Identifier Foundation. Steering Committee member Catherine Nabbala of Finema, a qualified vLEI issuer, detailed the vLEI ecosystem governance framework and verification processes. The group discussed implementation challenges including key management, wallet technologies, and potential applications in various industries. Participants showed particular interest in how vLEI could be integrated with traditional SSI architecture using did:webs

👉 Learn more and get involved

DIF Africa SIG

The DIF Africa SIG hosted a presentation by Karla McKenna on the Global Legal Entity Identifier Foundation (GLEIF) and Verifiable Legal Entity Identifier (vLEI). Karla discussed organizational identity in the digital world and potential applications of vLEI in various sectors. The meeting explored the process of becoming a qualified vLEI issuer and how such technology could benefit government and public services. Participants expressed interest in applying these concepts to streamline business processes, particularly in Africa.

👉 Learn more and get involved

DIF Japan SIG

The Japan SIG discussed NodeX's migration from Sidetree to the did:webvh method due to concerns about content-addressable storage stability, Bitcoin network performance, and Sidetree maintenance status. Technical discussions included DID structure, the resolve process, did:webvh method advantages, and IoT device authentication and trust. The team also explored global deployment strategies and trust framework implementation, particularly for IoT devices in critical infrastructure and energy sectors.

👉 Learn more and get involved

DIF Korea SIG

👉 Learn more and get involved

📖 DIF User Group Updates
DIDComm User Group

The DIDComm User Group explored Colton's WebRTC project that enabled browser-to-browser voice communication over DIDComm. Members discussed binary encoding implementation options for DIDComm messages, focusing on CBOR while keeping the door open to other encodings. The group also demonstrated a chat system using DIDComm's mediator capabilities for seamless communication between users, even when offline. Future discussions will focus on use case documentation templates and integrating with AI-related protocols like the Model Context Protocol.

👉 Learn more and get involved

Veramo User Group

👉 Learn more and get involved

📢 Announcements at DIF

Conference season is kicking into high gear. Explore our Events calendar to meet the DIF community at leading Decentralized Identity, Identity, and Decentralized Web events.

🗓️ ️DIF Members

👉Are you a DIF member with news to share? Email us at communication@identity.foundation with details.

🆔 Join DIF!

If you would like to get in touch with us or become a member of the DIF community, please visit our website or follow our channels:

Follow us on Twitter/X

Join us on GitHub

Subscribe on YouTube

🔍

Read the DIF blog

New Member Orientations

If you are new to DIF join us for our upcoming new member orientations. Find more information on DIF’s slack or contact us at community@identity.foundation if you need more information.

Passkeys are no longer just a concept: The future of sign-in is here and consumers are ready. Built on the open authentication standards developed by theFIDO Alliance, passkeys are quickly gaining momentum among global service providers. Why? Because they offer africtionless, phishing-resistant, passwordless sign-in experience that is redefining digital security and user convenience.

Ahead of World Passkey Day 2025, the FIDO Alliance commissioned an independent survey of1,389 peopleacross theU.S., U.K., China, South Korea, and Japan to provide additional insights into how authentication preferences are evolving in real time.

The research shows people continue to struggle with traditional passwords:

36%of respondents said they’ve had at least one account compromised due to weak or stolen passwords. 48%admitted they’ve abandoned an online purchase simply because they forgot their password.

Read the full results of the survey in this eBook.

Download the Report Read the Press Release

April 29, 2025 – The FIDO Alliance has launched a Payments Working Group (PWG) to define and drive FIDO solutions for payment use cases. The PWG will also act as subject matter experts and internal advisors within the FIDO Alliance on issues affecting the use of FIDO solutions for payment use cases. The PWG is co-chaired by Henna Kapur of Visa and Jonathan Grossar of Mastercard, with other FIDO Alliance member company participants including American Express; Cartes Bancaires; Discover; Futurae; Infineon; OneSpan; PayPal; Royal Bank of Canada – Solution Acceleration & Innovation; and Thales.

The PWG will focus on three areas:

Identify and evaluate specific requirements for payment authentication. Requirements will include those in the area of UX, security and regulation unique to payments;. Identify and evaluate existing and emerging solutions to address payment authentication requirements; and Guidelines for use of passkeys and/or proposed FIDO solutions along with existing payment technologies such as EMV® 3-D Secure or EMV® SRC.

The PWG will also work on associated projects relating to the use of FIDO solutions for payments including: collecting and publishing deployment case studies, documenting challenges and potential solutions to issues; and working with FIDO Alliance liaison partners to drive education and adoption.

Join the Payments Working Group

Organizations interested in taking part in the PWG and driving the adoption of passkeys for payments can inquire today. Participation in the PWG is open to all Board, Sponsor, and Government level members of the FIDO Alliance. Non-member organizations interested in participating should contact the FIDO Alliance to become a member; learn more by visiting https://fidoalliance.org/members/become-a-member/.

NEWARK, NJ, May 1, 2025 – Dr. Forough Ghahramani, Assistant Vice President for Research, Innovation, and Sponsored Programs, Edge, and Vice President for Research and Collaborations, New Jersey Big Data Alliance (NJBDA), will join the 12th annual NJBDA Symposium at William Paterson University of New Jersey on May 16, 2025. This annual event is New Jersey’s premier conference for big data and advanced computing and attracts over two hundred attendees from industry, government, and academia.

This year’s theme, Empowered by AI: Innovation and the Rise of the Augmented Workforce, will allow attendees to explore the transformative power of AI and how this technology can empower workers to reach new levels of innovation and creativity. The full-day event will feature an industry panel discussing the impact of AI across multiple sectors, a workforce development panel on advanced technologies, a hands-on student workshop, and networking opportunities.

Breakout sessions include a Research Track Program led by Research Track Chair, Dr. Ghahramani, and will feature presentations on current applied research in Big Data, AI, and Machine Learning. The research session, AI Methods & LLM Innovation, will explore cutting-edge AI techniques including generative models, graph networks, and real-time Natural Language Processing (NLP) and will highlight the technical advancements driving the next wave of intelligent systems.

The session, AI in Health, Education, and Society, will explore how AI is shaping healthcare, education, and social systems, with a focus on inclusive, human-centered technologies that promote well-being and equity. In a separate session, AI in Industry, Infrastructure, and the Environment, attendees will engage with real-world examples of how AI is driving innovation in business operations, public infrastructure, and environmental sustainability.

“As we stand at the intersection of AI innovation and workforce transformation, this year’s NJBDA Symposium provides a vital forum to advance collaborative research, inform policy, and shape inclusive pathways for talent development. The research track will highlight groundbreaking work in generative AI, machine learning, and real-time analytics, showcasing the talent and innovation emerging across New Jersey’s academic institutions and their relevance to pressing societal and industry challenges.”

— Dr. Forough Ghahramani
Assistant Vice President for Research, Innovation, and Sponsored Programs, Edge
Vice President for Research and Collaborations, NJBDA

Three student externship teams will also share insights from the Data Science Curriculum Alignment and Articulation Agreement Pathways Project, a joint effort led by the Rutgers Master of Business and Science (MBS) Externship Program, the New Jersey Big Data Alliance, and NJ Pathways. The group investigated how data science programs at New Jersey community colleges align with those at four-year universities and explored ways to make the credit transfer process more seamless for students moving from associate to bachelor’s degree programs. Following the presentation, attendees can join a Q&A panel to further explore the students’ findings and experiences.

For event information and registration, please visit the NJBDA Symposium website and explore the opportunity to collaborate, expand your knowledge, and gain insights into the evolving role of intelligent technologies in shaping our future.

About Edge

Edge serves as a member-owned, nonprofit provider of high performance optical fiber networking and internetworking, Internet2, and a vast array of best-in-class technology solutions for cybersecurity, educational technologies, cloud computing, and professional managed services. Edge provides these solutions to colleges and universities, K-12 school districts, government entities, hospital networks and nonprofit business entities as part of a membership-based consortium. Edge’s membership spans the northeast, along with a growing list of EdgeMarket participants nationwide. Edge’s common good mission ensures success by empowering members for digital transformation with affordable, reliable and thought-leading purpose-built, advanced connectivity, technologies and services.

The post Dr. Forough Ghahramani to lead the Research Track at the 12th Annual NJBDA Symposium appeared first on NJEdge Inc.

Cisco, Dell Technologies, IBM, Microsoft, Oracle, Red Hat, and Others Support New Guidance to Effectively Manage Product Lifecycles Across the Software Supply Chain

Boston, MA USA; 29 April 2025 — As organizations grapple with increasing cybersecurity risks linked to unsupported software and hardware, the need for timely, standardized End-of-Life (EoL) and End-of-Support (EoS) information is more critical than ever. In response, OASIS Open, the global open source and standards consortium, announced the publication of the OpenEoX White Paper. Developed by the OpenEoX Technical Committee (TC), the paper identifies major use cases for EoL security data, outlines current industry pain points, and introduces a roadmap for a standardized, machine-readable format for EoL disclosures. 

“Knowing when software and hardware support ends shouldn’t be a guessing game. Managing product lifecycles effectively requires collaboration across the entire ecosystem, from commercial vendors to open-source maintainers,” said Omar Santos, OpenEoX co-chair and Cisco Distinguished Engineer. “OpenEoX introduces a much-needed, unified framework designed to streamline the exchange of End-of-Life (EoL) and End-of-Security-Support (EoSSec) data that enables transparency and efficiency.”

Developed by a global coalition of cybersecurity leaders from organizations including Cisco, Dell Technologies, IBM, Microsoft, Oracle, Red Hat, and others, the white paper defines the scope and architecture for an OpenEoX data model and lays the foundation for future technical specifications. These will support integration with the Common Security Advisory Framework (CSAF), Software Bill of Materials (SBOMs), and other widely adopted cybersecurity standards.

“Standardizing how end of life, end of security support, and end of sales is handled for hardware and software makes the software supply chain more secure and efficient. This is especially important for developing and deploying AI systems securely,” said Brendan Burns, Microsoft Corporate Vice President and General Manager, Azure Cloud Native and Management Platform. “We’re pleased to contribute to this effort, increasing transparency, efficiency, and trust through better-informed consumers.”

The OpenEoX TC aims to standardize and promote OpenEoX, a unified, machine-readable approach to managing and sharing EoL/EoS information for both commercial and open source software and hardware. This approach helps vendors, consumers, and the broader security ecosystem reduce risks and improve operational resilience.

The TC encourages participation from product vendors, open source communities, security researchers, government agencies, and any organization managing EoL products. New members are welcome and participation in the TC is open to all through membership in OASIS. 

Media Inquiries:
communications@oasis-open.org

The post OASIS Members Publish White Paper to Advance Global Framework for Coordinated Product End-of-Life Security Disclosures appeared first on OASIS Open.

Kia ora,

Welcome to the April edition of the DINZ newsletter. As we navigate this period of transition, our commitment to advancing digital trust in Aotearoa remains unwavering. This month brings exciting updates on upcoming events, new members, and important industry developments.

Last Chance: DISTF Survey Closing Soon!

Don’t miss your opportunity to help shape the future of Digital Identity in New Zealand. Our Digital Identity Services Trust Framework (DISTF) survey closes next Monday, 5 May. Your insights will guide the DINZ DISTF Working Group’s priorities and advocacy efforts. This survey is open to both DINZ members and non-members. Your input is important as we work to maximise the benefits of this framework for all New Zealanders.

Take five minutes to complete the survey.

Digital Trust Hui Taumata Update

Planning for our landmark event is progressing well, with speakers now confirmed including Ministers Judith Collins and Scott Simpson, along with Deputy Privacy Commissioner Liz MacPherson. Additionally, we are well advanced with two terrific international keynote speakers thanks to DINZ member sponsors. We’re pleased to report that sponsorship commitments are tracking positively, reflecting the growing importance of digital trust in our national conversation.

Mark your calendars (12 August 2025, Te Papa, Wellington) for this premier industry gathering that will bring together leaders and innovators in the digital trust space. Register your interest here.

Member News

Kudos to MyMahi’s Stefan Charsley for his prestigious Kim Cameron award enabling him to attend IIW 40 earlier this month, wonderfully reported on by co-founder Phil Windley here. As a regular attendee on DINZ’s Coffee Chats, we hope he’ll be able to share his knowledge and perspectives gained. While on the subject of awards it was great to see MinterEllisonRuddWatts honoured in Best Lawyers.

RNZ reports that the Department of Internal Affairs has issued a tender for a “new genuine face capture solution”, and notably its Trust Framework Authority issued an RFI for digital ID services accreditation infrastructure writes Biometric Update. 

Our DINZ community continues to grow! We’re delighted to welcome Cybercure, LuminPDF and just in, OriginID and BeyondTrust. 

See all organisation members here.

Policy and Submissions

The DISTF Working Group coordinated our response to PaymentsNZ’s Next Generation Payments consultation, highlighting the critical role of digital identity in future payment ecosystems. The working group also submitted feedback on the DISTF Rules revision last week, continuing our advocacy for pragmatic and effective trust frameworks.

DINZ’s reputation for thoughtful high quality submissions continues to grow and these two above are no exception. View our submissions here.

International Engagement

We were fortunate to welcome back Zygma’s Richard Wilsher during his brief visit to New Zealand this month – two years since he delivered this highly thoughtful webinar. Richard met with both the DISTF Working Group and the Trust Framework Authority, sharing his valuable international perspectives and expertise. 

Ministerial Engagement

As part of a FinTechNZ delegation that included DINZ member Middleware, our outgoing Executive Director Colin Wallis met with Minister of Commerce and Consumer Affairs Scott Simpson. Smooth accessible digital identification is a crucial enabler for fintech innovation and the upcoming Customer Product and Data Act.

International News

International ID Day (9 April) saw attendance from several New Zealand organisations. If you missed it, catch up here. UK Digital Identity Developments: The saga currently playing out in the UK may prove the adage once again that ‘Trust Takes Years To Build, Seconds To Break And Forever To Repair’. First it was Industry stakeholders expressing concerns over the government’s digital wallet approach, which saw the Digital Identity and Attributes Trust Framework (DIATF) community advocating for alternative approaches. Then came Government facing claims of serious cyber security and data protection issues in One Login digital ID system extended by The Telegraph including commentary from DINZ Coffee Chat attendee Mark King.

Executive Director Search Update

The DINZ Executive Council is currently interviewing the candidate shortlist with an announcement expected shortly. We appreciate your patience during this transition period. 

We value your continued support and engagement as we work together to advance digital trust in Aotearoa New Zealand.

Ngā mihi nui,

The team at Digital Identity NZ

Upcoming events, new members, and industry developments.
Read full news here: Moving Forward Together

SUBSCRIBE FOR MORE

The post Moving Forward Together appeared first on Digital Identity New Zealand.

“Cypherpunks wouldn’t just critique the surveillance state—they’d also call out us technologists for enabling it. We were supposed to resist, not retrofit.”

Christopher Allen recently talked with Tereza Bízková in an interview that was published to the front page of Hackernoon. It was headlined “The Co-Writer of TLS Says We’ve Lost the Privacy Plot”. In it, Christopher talks about what privacy means to him, what he thinks about recent privacy efforts, how centralization has become a problem, and how all of this connects to work done by the cypherpunks in the ’90s.

Perhaps most importantly, Christopher answers the question: what would be non-negotiable for a new privacy-first system today? His answer unsurprisingly reflects our vision here at Blockchain Commons, built on data minimization, progressive trust, and limited scale.

Privacy is one of the fundamental Gordian Principles, but probably the one we talk about the least, as so much of our focus is on resilience (such as #SmartCustody) or on independence and openness (as reflected in our attention to interoperability). Read “The Co-Writer of TLS Says We’ve Lost the Privacy Plot” for much more on why privacy is important and what exactly it is!

The Path to Self-Sovereign Identity Links

Christopher Allen is a long-term advocate for self-sovereign identity. He popularized the term and laid out an initial set of principles in his foundational article, “The Path to Self-Sovereign Identity”, coauthored the DID spec for W3c, and founded the Rebooting the Web of Trust workshops that advanced the technology for a decade. Following are articles by him and interviews with him on the topic.

The Co-Writer of TLS Says We’ve Lost the Privacy Plot (4/24/25): An interview with Tereza Bízková for Hackernoon on how things have gone wrong. SSI Orbit Podcast: Christopher Allen Interview (1/31/25): Following up the “Has Our SSI Ecosystem Become Morally Bankrupt?” article, a discussion of the problems with the current SSI ecosystem. Echoes from History (11/15/23): How identity went horribly wrong during WWII and the warnings that offers for the future of self-sovereign identity. The Origins of Self-Sovereign Identity (8/9/23): Living Systems Theory, Ostrom’s Principles, and other foudndational ideas that led to SSI, and what they say about its intent. Private Key Disclosure (8/16/22): Digital identities are secured by private keys, but are private keys secure from the government? Principal Authority: A New Perspective on Self-Sovereign Identity (9/15/21): A new lens for looking at Self-Sovereign Identity, based on successes in the Wyoming legislature. Self-Sovereign Identity: Five Years On (4/26/21): Five years after “The Path to Self Sovereign Identity”, the successes and challenges of SSI to date. The Path to Self-Sovereign Identity (4/26/16): The initial article on SSI, including the ten principles for Self-Sovereign Identity.

Describe your service/platform/product and how it’s using FIDO authentication.

Microsoft Account (MSA) powers consumer-facing experiences across services like Xbox, Microsoft 365, Copilot, and more. In 2023, Microsoft began rolling out passkey support across these services, allowing users to sign in with a face, fingerprint, or device PIN instead of a password. By integrating FIDO credentials, we made it easier, faster, and significantly more secure for over a billion users accessing their Microsoft accounts, by removing the need for passwords.

What were the challenges you were trying to overcome?

We set out to solve three major challenges:

Security: Passwords are inherently insecure and highly vulnerable to phishing and brute force attacks. In 2024, we observed more than 7,000 password attacks per second.

User experience: Passwords are frustrating—users forget them, reuse them, or mistype them. We wanted a sign-in experience that users could succeed at the first time, every time.

Adoption at scale: We needed a solution that could work across devices and platforms while meeting high usability expectations for a global user base.

Why did you choose FIDO authentication over other options? What did you identify as advantages of implementing FIDO?

FIDO credentials offer the ideal combination of security, usability, and interoperability. They are resistant to phishing and credential theft, and they eliminate the need for shared secrets like passwords. FIDO credentials also enable seamless cross-device and cross-platform experiences—critical for consumer use cases. In testing, we found that passkeys delivered both improved security and a dramatically better user experience. 

Describe your roll out of FIDO authentication.

Microsoft took a phased approach. We started by enabling passkeys for MSA sign-ins across consumer services like Xbox and Copilot. From there, we made UX changes to prioritize passwordless options. New Microsoft Accounts are now passwordless by default, and existing users are guided to enroll a passkey during or after sign-in. Throughout this process, we have worked closely with platform partners like Apple and Google, and continued our long-standing collaboration with the FIDO Alliance to ensure our approach aligns with industry standards. For a more detailed look at our approach, refer to Convincing a billion users to love passkeys: UX design insights from Microsoft to boost adoption and security.

What data points can you share that show the impact FIDO authentication has had?

The impact has been significant:

We now see over one million passkeys registered every day. Users signing in with passkeys are three times more successful (95% success rate vs. 30% for passwords). Passkey sign-ins are eight times faster than traditional password + MFA flows. Our passwordless-preferred UX has already reduced password use by over 20%.

These results confirm that FIDO authentication improves security, boosts user satisfaction, and reduces operational burdens like password resets and support calls.

Read more in the Microsoft blog.

Describe your service/platform/product and how it’s using FIDO authentication.

Nikkei Inc. and the Nikkei Group pursues its mission “to be the most trusted, independent provider of quality journalism to a global community, helping our customers make better decisions.” We offer various media services, including the Nikkei, which serves as the cornerstone of our role as a news organization. The integrated ID platform supporting the Nikkei Group’s digital services, including our core service, the Nikkei Online Edition, is “Nikkei ID.”

Nikkei ID, which offers a wide range of services, has long faced the challenge of balancing security and usability. While we have implemented measures such as improving the login experience with OpenID Connect and introducing two-factor authentication and CAPTCHA (*1) to reduce the risk of unauthorized access, addressing security risks associated with password leaks and reuse, as well as countering increasingly sophisticated attacks, has been difficult.

(*1)A security authentication method to verify that a user is human.

In this context, as FIDO authentication has evolved and the threshold for introducing passkeys to services has lowered, Nikkei ID has proceeded with consideration and implementation with high expectations. Currently, we are expanding functionality to support not only web services but also mobile apps, and aiming to promote the adoption of passkeys through increased user awareness via internal and external blog posts, presentations, and guidance at the Nikkei ID Lounge Help Center.

What were the challenges you were trying to overcome?

The primary goal is to balance security and user experience. Many Nikkei ID users are not accustomed to digital services, so simply enhancing security is not enough. For example, while the introduction of CAPTCHA can prevent brute-force password attacks, it can also become a barrier for users who cannot pass the Turing test (*2), leading to increased support inquiries and added burden on customer service.

(*2) A test to determine whether something is ‘human-like’.

However, FIDO authentication (passkeys) achieves high security and user experience through integration with OS and platforms as a standard. This allows us to replace security measures that reduce risks associated with password authentication but negatively impact UX with passkeys.

Why did you choose FIDO authentication over other options? What did you identify as advantages of implementing FIDO?

The following two options were considered as alternatives to FIDO authentication (passkeys):

Mandatory implementation of two-factor authentication such as TOTP or email verification Social login using other ID platforms

As a result of comparing these options, we believe FIDO authentication (passkeys) offers the following advantages:

It allows for gradual transition by adding authentication on top of existing password authentication  It enables the use of higher UX authentication methods such as biometric authentication  It fundamentally resolves the risks associated with passwords

When it came to actual implementation, the aspect of “additional authentication” was particularly significant. In other words, it allows for implementation in a loosely coupled and highly cohesive manner without disrupting the existing ID model. The WebAuthn specification provides simple interface libraries and APIs for both backend and frontend on each platform, making secure implementation easy. Additionally, since existing authentication methods can be retained, the advantage of not significantly increasing support workload was also substantial.

Describe your roll out of FIDO authentication.

We implemented our own solution using the open-source backend library WebAuthn4J for FIDO authentication. We chose WebAuthn4J not only for its clear data model but also because it passed the FIDO2 Test Tools provided by the FIDO Alliance. For the frontend, we developed our own implementation that directly interacts with the WebAuthn API. Additionally, we created a test library to emulate FIDO authentication, enabling 24-hour automated testing as a comprehensive test of these implementations.

The rollout of FIDO authentication (passkeys) was carried out in the following steps:

Internal beta testing to gather feedback and monitor usage White-box and black-box testing by external security companies Public release to all users

What data points can you share that show the impact FIDO authentication has had?

Since it was just released in February this year, we cannot provide detailed numbers yet, but thousands of users are already using passkeys. Additionally, we have heard that there have been almost no inquiries about how to use passkeys at the support desk, and we recognize that passkeys are being used smoothly.

Resources

The test library that emulates FIDO authentication, mentioned in the implementation section, is publicly available as Nikkei’s open-source software. You can obtain it from the following https://github.com/Nikkei/nid-webauthn-emulator

For authorization after completing FIDO authentication (passkeys), we use Authlete, an OpenID Connect platform. In this case study, we express our enthusiasm for the introduction of FIDO authentication (passkeys). (At the time of this presentation in 2023, passkeys were still under consideration) https://www.authlete.com/ja/resources/videos/20231212/02/

Technical blog article during the consideration stage of implementation: https://hack.nikkei.com/blog/advent20241221/

VicRoads achieves up to 80% industry-leading passkey activation rate for nearly 5 million users with Corbado

Background: VicRoads

VicRoads is the vehicle registration and driver licensing authority in Victoria, Australia. It registers over six million vehicles annually and licenses more than five million drivers. 

Operating as a joint venture between the Victorian State Government, Aware Super, Australian Retirement Trust, and Macquarie Asset Management, VicRoads is a critical provider of public services in the state.

Challenge: seamless and cost-effective authentication for government services 

VicRoads aims to become Australia’s most trusted digital government service providers by delivering secure, frictionless services to millions of people. 

Given the importance of the data that VicRoads holds on behalf of its customers, security has always been a primary consideration. 

In the past, to support protection of customer data, VicRoads mandated multi-factor authentication (MFA) for all user accounts via SMS one-time passwords (OTPs) and authenticator apps. 

Passkeys leverage biometrics, facial recognition, a PIN or a swipe pattern in the sign-in process. Unlike traditional MFA, passkeys require both the device storing the private key and local authentication, meaning they are both phishing-resistant and cost-effective.

Solution: Corbado provides a no-risk, passkey-first solution with minimal integration effort

 VicRoads worked with passkey vendor Corbado, prioritizing a proven approach rather than building a solution from scratch.

Corbado’s deep understanding of both customer experience and the latest authentication technology gave VicRoads confidence that customers would find using passkeys easy.  

Corbado also provided in-depth technical guidance on passkey-specific challenges, including browser compatibility, recovery flows and user experience optimizations – further solidifying VicRoads’ confidence.

“We selected Corbado because it could integrate passkey functionality into our existing infrastructure without disruption to our customers and operations”, said Crispin Blackall, Chief Technology Officer, VicRoads.

Implementation: pre-built, passkey-optimized components & SDKs enable quick integration

Corbado Connect seamlessly integrated with VicRoads’ existing infrastructure and CIAM, which is deeply embedded within the organization’s enterprise stack. This passkey enablement was achieved without requiring a migration of user data or authentication methods, ensuring a smooth and efficient transition for millions of users.

By layering passkey functionality on top of VicRoads’ current authentication system, Corbado enabled a frictionless deployment while preserving all existing user credentials. This approach eliminated the disruption and risks often associated with introducing new technology.

To ensure a smooth transition, VicRoads implemented passkeys in a phased rollout, beginning with personal customers. This gradual deployment, supported by Corbado Connect’s rollout controls, enabled VicRoads to monitor performance, address potential issues and optimize the user experience before seamlessly extending passkey authentication to partner and business customers.

Results: customers love passkeys, with up to 80% passkey activation rate in the first weeks

Within the first weeks of deployment, passkey adoption significantly exceeded VicRoads’ expectations. Users embraced the phishing-resistant authentication method, benefiting from a frictionless login experience optimized for speed and security.

The exceptionally high passkey activation rate – peaking at 80% on mobile devices and over 50% across all platforms – led to 30% passkey login rate within the first seven weeks. Uptake continues to rise steadily, translating into measurable operational benefits, including:

Reduced authentication-related support tickets Lower SMS OTP costs Improved user experience and security.

So far, VicRoads has successfully rolled out passkeys on its web portal. The next step is to integrate passkeys into its native apps – myVicRoads and myLearners – allowing users to leverage their existing passkeys without additional setup. Ultimately, once passkeys are fully implemented across all digital platforms, VicRoads aims to eliminate passwords entirely, maximizing security and fully embracing a passwordless future.

“Passkeys are easy to use, without compromising on security. We’re excited to give our customers a simpler, more secure way to handle their registration and licensing services,” said Crispin Blackall, Chief Technology Officer, VicRoads.

Opportunity: setting a new standard for government authentication 

With one of the largest public sector passkey deployments globally, VicRoads has established itself as a digital leader in authentication modernization for government applications. 

Achieving high adoption rates without disruption, VicRoads has proven that large-scale organisations can enhance security and improve user experience simultaneously. This success positions VicRoads as a benchmark for other government agencies looking to modernize their authentication strategies.

“Passkeys represent a paradigm shift in how we authenticate users to digital identity services,” said Andrew Shikiar, Chief Executive Officer of the FIDO Alliance. “VicRoads’ adoption of passkeys showcases how government agencies can leverage this industry-wide innovation to protect people’s data while simplifying access to critical services. This is a significant step towards a more secure and efficient digital future for Victoria and beyond.”

Next Steps: developing next generation authentication

VicRoads’ ongoing partnership with Corbado ensures it remains at the forefront of authentication innovation while maintaining a seamless user experience for its expanding digital service base. A key advantage of Corbado’s managed passkey service is its built-in adoption-enhancing optimisations, ensuring continuous improvements and seamless WebAuthn conformity with all future WebAuthn updates.

With this initiative, VicRoads has paved the way for broader adoption of passkeys in the government and public sector, proving that secure, frictionless authentication at scale is achievable.

About Corbado

Corbado is a leading provider of passkey solutions, enabling enterprises and government agencies to deploy passkey authentication seamlessly, without user migration. Corbado’s focus is on maximizing adoption in large-scale deployments. As a FIDO Alliance member, Corbado’s solutions ensure high adoption rates, enhanced security, and a frictionless user experience. Visit https://www.corbado.com/.

Describe your service/platform/product and how it’s using FIDO authentication.

With over 55 apps across nearly every major business category, Zoho Corporation is one of the world’s most prolific technology companies. Headquartered in Chennai, India, Zoho is privately held and profitable, employing more than 18,000 people worldwide. Zoho is committed to user privacy and does not rely on an ad-revenue business model. The company owns and operates its data centres, providing full oversight of customer data privacy and security. Over 100 million users globally—across hundreds of thousands of companies—trust Zoho to run their businesses, including Zoho itself. For more information, visit zoho.com.

What were the challenges you were trying to overcome? 

Secure and easy log in instead of traditional authentication methods. 

Why did you choose FIDO authentication over other options? What did you identify as advantages of implementing FIDO?

Improved security, supporting documents and community.

Describe your roll out of FIDO authentication. 

We rolled it ourselves via our IAM team. 

We first rolled out passkey authentication for zoho.com (100mn + users)

Rolling out passkey management in our password manager Zoho Vault in May, 2025

What data points can you share that show the impact FIDO authentication has had?  

30% increase MoM in passkey adoption

10% drop in password reset queries 

Resources

https://help.zoho.com/portal/en/kb/accounts/sign-in-za/articles/passkey https://www.zoho.com/vault/features/passkeys.html

Describe your service/platform/product and how it’s using FIDO authentication.

Samsung Electronics’ Galaxy smartphones support fast and convenient logins through biometric authentication and FIDO protocols.

What were the challenges you were trying to overcome?

FIDO-based passkeys are transforming the way users access websites and apps by eliminating the need for traditional usernames and passwords. Instead of being stored on a server where they could be exposed, passkeys are securely stored on the Galaxy device, enabling quick and secure sign-ins using biometric authentication.

Why did you choose FIDO authentication over other options? What did you identify as advantages of implementing FIDO?

FIDO enables secure authentication without transmitting users’ biometric data outside the device. Its ease of use, speed, compatibility across services, and status as an industry standard made it a compelling choice for Samsung Electronics.

Describe your roll out of FIDO authentication.

We have integrated FIDO authentication directly into our devices, enabling users to access it out-of-the-box. We continue to expand FIDO support across more Galaxy models and software updates.

Resources 

https://www.samsung.com/levant/support/apps-services/how-to-create-and-use-a-passkey/ https://www.samsung.com/ca/support/apps-services/how-to-create-and-use-a-passkey/ https://news.samsung.com/in/the-knox-journals-the-passwordless-future-of-security

Describe your service/platform/product and how it’s using FIDO authentication.

Our mobile banking app is our bank’s largest branch, serving over 1,200,000 customers each month. These customers require the best protection against identity theft attacks, and we provide the most robust and innovative solutions, always prioritizing the best user experience. ABANCA Key is a new identity verification service based on FIDO standards. It was launched after years of research by leading players to prevent identity theft attacks. Using passkeys, ABANCA Key provides the highest level of protection. It is impossible to guess or reuse them, so they protect our customers’ private information from attackers. 

What were the challenges you were trying to overcome?

On one hand, there’s the security challenge. The rise of phishing through calls and SMS messages in Spain has become a plague and a real problem for administrations, mobile operators, and financial institutions but on the other hand, there was the need to maintain the best user experience with the least friction. Passkeys give us a framework for interoperability and standardization, which provides us with ease of implementation and deployment. However, above all, and for the first time in the security industry, it provides a framework of homogeneity to achieve a frictionless user experience.

Why did you choose FIDO authentication over other options? What did you identify as advantages of implementing FIDO?

We chose FIDO for many reasons: for its future strategy, as it allows us to follow many ways, including MFA and passwordless, for trust, as the FIDO Alliance includes leading players in security, operating systems, infrastructure, and mobile ecosystem; and for the standardization and homogenization what it give us, which reduces implementation, deployment and roll out times.

Describe your roll out of FIDO authentication.

To deliver the best user experience, we’re committed to having the deepest possible understanding of the technology. This enables us to effectively identify and resolve issues, and to better understand user behavior. We became our own partner by developing our own platform based on the FIDO standard and certifying it as if it were a provider.

We rolled out the deployment in phases. In under five months, we had the development of both server and  front-end (iOS and Android) ready, and we began the rollout in an initial phase with our employees, and subsequently to end customers in batches. In just seven months, we were already in a general roll out to all customers.

What data points can you share that show the impact FIDO authentication has had?

More than 42% of our customers are already using ABANCA Key More than 11,000,000 high-risk transactions has been protected with ABANCA Key without technical or service incidents  Customer roll out ran without technical or service incidents, and most importantly, with our customer journey UX to sign in ABANCA Key and to use it, we’ve managed a Customer Effort Score (CES) of 4.7. 

Please provide any links or resources that you feel would be useful in developing this case study.

https://comunicacion.abanca.com/es/noticias/abanca-primer-banco-espanol-en-implantar-la-tecnologia-de-llaves-de-acceso-en-la-banca-movil-para-reforzar-la-seguridad-de-sus-clientes/ https://www.abanca.com/es/banca-a-distancia/llave-abanca/

Out of the blue, I received a text from my father asking me, “What’s the difference between a password and a passkey?” 

Somewhere, in his daily online journey, he was prompted by a website or application — a “relying party” in authentication lingo — to create a passkey. But the benefit wasn’t clear to him. Nor did there seem to be any urgency. He figured I’d know what passkeys are and what to do the next time he gets a nudge to set one up. I told him, “Let’s talk before you do anything.”

Your phone, computer and tablet is now at risk, as the nightmare of AI-powered attacks comes true. There are now multiple warnings into the use of mainstream AI platforms to design, develop and even execute attacks that are almost impossible to detect.

To add to recent reports from Symantec and Cofense, Guardio also now warns that “with the rise of Generative AI, even total beginners can now launch sophisticated phishing scams — no coding skills needed. Just a few prompts and a few minutes.”

And Microsoft has just told users the same. “AI has started to lower the technical bar for fraud and cybercrime actors looking for their own productivity tools, making it easier and cheaper to generate believable content for cyberattacks at an increasingly rapid rate… AI-powered fraud attacks are happening globally.”

In the MyData Matters blog series, MyData members introduce innovative solutions that align with MyData principles, emphasising ethical data practices, user and business empowerment, and privacy. By: Ronni K. Gothard […]

Apple’s new Passwords app (introduced with iOS 18, iPadOS 18, and macOS Sequoia) is a big leap forward in making password management simple and user-friendly for Apple users, even if it’s not as robust as other password managers. If you’ve ever fumbled through Safari settings to find a saved login or toggled through iCloud Keychain menus to edit credentials, the Passwords app is for you. It’s designed to give you a dedicated home for all your saved login credentials, passkeys, Wi-Fi passwords and two-factor authentication codes, all in one secure, easy-to-navigate interface.

ABANCA has achieved international FIDO certification for the Llave ABANCA service, the digital identity verification technology solution developed by the bank that allows customers to validate mobile banking transactions securely and quickly by unlocking their phone.

The FIDO ( Fast IDentity Online ) certification has been granted by the FIDO Alliance, the leading international association promoting digital authentication standards that are more robust and simpler than passwords or one-time codes. This consortium is made up of the world’s leading technology companies—Google, Apple, Microsoft, Amazon, and Visa, among others—who have joined forces to promote more robust and user-friendly digital identity methods. With the FIDO certification of Llave ABANCA, this global alliance accredits that the solution implemented by the bank meets the highest standards of online identity verification.

Going passwordless is difficult for a lot of companies, even the ones with “security” in the name.

Jim Taylor, chief product and technology officer (and resident IT professional) at RSA Security, spoke with IT Brew about lessons learned as he led the deployment of passkeys, biometrics, and other non-password implementations across the organization. Two major keys to passwordless success, he said, included having lots of options and lots of patience.

“There’s no big switch. I wish there was a big red button that you could just press and go, ‘Ta-da!’ with passwordless, right? It doesn’t work like that,” Taylor told IT Brew.

Inverid has joined the FIDO Alliance. A release from the Dutch identity verification firm says it will bring expertise in document authenticity verification to FIDO users of DocAuth document authenticity specifications.

We’re excited to welcome Oír Más as one of our new Matchbox partners. Oír Más is a radio collective dedicated to amplifying the voices of diverse communities through radio experimentation.

The post From memory to action: Radio as a tool for a healthier information ecosystem appeared first on The Engine Room.

Ecosystem-Orchestrator für die Deutsche EUDI-Wallet

Die Einführung der EUDI-Wallet in Deutschland, basierend auf der novellierten eIDAS-Verordnung, stellt eine zentrale Herausforderung dar, um bis 2026 eine sichere, digitale Identitätslösung für Bürger bereitzustellen. Ziel ist es, ein umfassendes Ökosystem zu schaffen, das öffentliche Institutionen, privatwirtschaftliche Akteure und Regulierungsbehörden integriert. Dieses Ökosystem soll nicht nur technische Standards und Prozesse etablieren, sondern auch die Akzeptanz der Bürger fördern und die rechtlichen Rahmenbedingungen gewährleisten.

Die Autoren dieses Whitepapers schlagen eine Public-Private-Partnerschaft in Form einer Genossenschaft als neutralen Ecosystem-Orchestrator vor. Diese Genossenschaft soll:

Demokratische Governance bieten, mit transparenter Kontrolle und Einflussmöglichkeiten für alle Mitglieder. Kostendeckendes Finanzierungsmodell durch Mitgliedsbeiträge und Sonderzuwendungen implementieren. Zentrale Aufgaben wie Zertifizierung von Wallets, Registrierung von Verifizierungsstellen und Förderung der Kommunikation zwischen Akteuren übernehmen. Herausforderungen für die neue Bundesregierung

Die Bundesregierung ist durch die Verordnung [(EU) 2024/1183] dazu verpflichtet, bis Ende 2026 eine EUDI-Wallet für alle Bürger bereitzustellen, in der Ausweisdaten in elektronischer Form sicher gespeichert werden können. Die vollständige Umsetzung des EUDI-Wallet Ökosystem hat bis 2027 zu erfolgen. Das Bundesinnenministerium bereitet seit Mai 2023 die Konzeptionierung und Umsetzung der deutschen Wallet-Lösung federführend vor. Um die Akzeptanz bei den Bürgerinnen und Bürgern zu fördern, ist es nicht nur erforderlich, die technische Infrastruktur bereitzustellen, sondern auch ein umfassendes Ökosystem aufzubauen. In diesem Ökosystem interagieren privatwirtschaftliche Akzeptanzstellen, zertifizierte Vertrauensdienste, öffentliche Einrichtungen aus Bund und Ländern sowie Regulierungsbehörden und Zertifizierungsstellen miteinander. Der Aufbau eines solchen Ökosystems stellt eine hochkomplexe Aufgabe dar. Sie erfordert die Etablierung von Standards und Prozessen, die von allen beteiligten Privatunternehmen und öffentlichen Institutionen geteilt und umgesetzt werden können. Dabei steht die Berücksichtigung der Interessen der Bürgerinnen und Bürger im Vordergrund. Zudem müssen alle rechtlichen Rahmenbedingungen eingehalten, die missbräuchliche Nutzung persönlicher Daten verhindert und ein attraktives Investitionsumfeld für die Unternehmen der Privatwirtschaft geschaffen werden.

Aufbau des EUDI-Wallet Ökosystems als Public-Private Partnership mit neutraler Governance

Die Autoren dieses Whitepapers plädieren für eine Public-Private-Partnerschaft als Ecosystem Orchestrator, die sich in einer Genossenschaft organisiert. Die Genossenschaft hat den Zweck, die Interessen aller Genossenschaftsmitglieder – also aller Akteure im EUDI-Wallet Ökosystem – gleichermaßen zu fördern. Die Genossenschaft benötigt eine demokratische Governance, die Einfluss, Kontrolle und Transparenz ggü. den Mitgliedern ermöglicht. Sofern die Genossenschaft selbst keine Investitionen tätigt, sollte ihre Satzung eine not-for-profit Klausel beinhalten, sodass lediglich die Kosten gedeckt werden müssen, die sich am Bedarf der Mitglieder orientieren. 

Die Genossenschaft sollte durch die nachstehenden Organe gesteuert werden.

Generalversammlung: Bildet das höchste Entscheidungsgremium der Genossenschaft. Jedes Mitglied erhält ein Stimmrecht. Die Summe der Stimmen von Nicht-Europäischen bzw. investierenden Mitgliedern darf 25% nicht überschreiten. Vorstand: Führt das Tagesgeschäft und übernimmt die Verantwortung für die Umsetzung der Governance und der Strategie. Aufsichtsrat: Bildet das Kontrollorgan des Vorstands. Ecosystem Coach: Stabstelle als Mediator zwischen den Akteuren zur Offenlegung und Management von Interessenskonflikten.

Öffentliche Institutionen sollten die Genossenschaft gründen, ein Regelwerk in Form einer Satzung definieren und den Beitritt von Akteuren der Privatwirtschaft ermöglichen. Es sind dabei sämtliche Akteure der Rollen aus der eIDAS-Novelle wie bspw. PID-Provider, Pub-EAA-Provider, (Qualified) Trust Service Provider, Wallet Provider und Trust List Provider einzubinden.

Finanzierungskonzept: DieFinanzierung der Betriebskosten erfolgt durch Mitgliedsbeiträge. Werden temporärMittel für bestimmte Zwecke benötigt, kann eine Finanzierung in Form von Sonderzuwendungen der Mitglieder erfolgen.

Aufgaben: Interessen der Mitglieder fördern, Kommunikation zwischen den Mitgliedern erleichtern, Wallets zertifizieren, Verifizierungsstellen registrieren, rechtliche Fragestellungen klären, öffentliche Kommunikation bündeln, Durchdringung der EUDI-Wallet messbar machen, Schnittstellen bereitstellen, etc.

Opt-Out: Die Mitgliedschaft kann ordentlich gekündigt werden. Erkenntnisse aus einer Risikoanalyse zu Opt-Out Szenarien sollten bei der Erstellung der Satzung berücksichtigt werden.

Fazit

Um das Ökosystem für die deutsche EUDI-Wallet aufzubauen ist ein neutraler Ecosystem-Orchestrator erforderlich, der gemeinsam mit öffentlichen und privatwirtschaftlichen Organisationen ein Ökosystem für die deutsche EUDI-Wallet aufbaut. Dies kann, wie vorliegend aufgezeigt, durch eine Genossenschaft abgebildet werden, in der alle Akteure des Ökosystems kartellrechtskonform und strukturiert kooperieren.

Über die Autoren

Die IDunion SCE mbH ist die Nachfolgeorganisation eines vom BMWK-geförderten Konsortiums im Programm „Schaufenster sichere digitale Identitäten“. Die Europäische Genossenschaft wurde durch ihre Mitgliedsunternehmen mit dem Betrieb eines digitalen Vertrauensankers beauftragt.

Over the past three years, a dedicated research team from IDunion has been working intensively on the Digital Product Passport (DPP).  

In the last two years, our focus shifted from theory ( a joint publication with key partners [→ read the paper here]) to hands-on implementation resulting in a Demo –  DPP solution that is:

Data Carrier Agnostic: The product link can be embedded into any data carrier listet in Landscape of Digital Product Passport Standards | StandICT.eu 2026. Product Agnostic: Our DPP works with any type of product, whether batch-based, lot-based or individual instances. Automatic Identification of the Requester: The solution aligns with #eIDAS2.0 by supporting decentralized identification of individuals and organizations. Technology Stack Independent: The DPP can be accessed without downloading a additional app and lowers the threshold for adoption and enhances usability. Lightweight & Semantically Rich: Information is delivered  through Verifiable Credentials (VCs) and semantic data schemas, ensuring seamless interoperability. Additionally, we use W3C Decentralized Identifiers (DIDs) to guarantee unique, globally resolvable product IDs. Cryptographically Verifiable: All data within the DPP is cryptographically signed, enabling validation of authenticity and trust without central intermediaries. Trust Infrastructure Support: Establishing trust over the data and integration with Digital Identity Trust Anchors is possible, ex by using the eIDAS 2.0 mechanism and the EU Trust infrastructure proposed for natural and legal entities. Demonstration: Digital Product Passport System for Battery

Our final demo phase featured a live demonstration of a DPP tied to a battery cell used in an electric scooter.

The goal was to simulate how a real-world DPP can accompany a product through its entire lifecycle — from raw material extraction to end-of-life recycling.

We explored the perspectives and requirements of key stakeholders, including: Miners, Battery pack manufacturers, Economic operators, Consumer, Recyclers and Government and public interest organizations

Through interactive demonstrations, we answered key questions in real time, illustrating how a decentralized, interoperable, and trustworthy DPP can benefit every actor along the value chain.

For more detailed insights and demo material, check out the links below:

German: https://idunion.org/piloten/sichere-digitale-identitaeten-fuer-produkte/ English: https://idunion.org/piloten/en/sichere-digitale-identitaeten-fuer-produkte/ A Huge Thank You to Our Partners

his project would not have been possible without the creativity, technical expertise, and dedication of our fantastic partners.

Dr. Andreas Füßler (GS1 Germany), Florin Coptil ( Robert Bosch GmbH), Werner Folkendt (Robert Bosch GmbH), Dominic Hurni (SBB),  Cornelia Schalch (SBB), Johannes Ebert (Spherity GmbH) , Sebastian Schmittner (European EPC Competence Center GmbH) , Christian Fries (European EPC Competence Center GmbH), Paulina Drott (GS1 Germany), Dr. Susanne Guth-Orlowski, Ralph Troeger (GS1 Germany), Roman Winter (GS1 Germany)

Thank you for your ongoing commitment to shaping the future of product transparency and digital trust.

What’s Next?

With all project goals achieved and deliverables submitted, the DPP demo project is now officially closed.

We’re incredibly proud of what we’ve accomplished and are eager to apply these insights to future initiatives that further the digitization of sustainable and circular value chains.

How accurate is your inventory?

For many retailers, answering that question is more difficult than it appears—especially when inventory counts are only conducted once or twice a year.

In this episode, Dean Frew, President, RFID Solutions Division, SML IIS, sits down with hosts Reid Jackson and Liz Sertl to explore how RFID solves one of retail’s biggest challenges. Dean shares how real-time data at the item level drives results from return fraud to buying online and pick up in store.

He also discusses what it takes to make RFID work at scale, how adoption has changed post-COVID, and why distribution centers are the next frontier.

 

In this episode, you’ll learn:

How RFID improves inventory accuracy

Where retailers are seeing the most significant ROI

New use cases beyond the sales floor

 

Jump into the conversation:

(00:00) Introducing Next Level Supply Chain

(02:20) Dean’s background and RFID journey

(06:35) Improving inventory accuracy with RFID

(12:13) Reducing returns fraud with item-level data

(18:07) How BOPIS impacts inventory and sales

(23:01) Boosting inbound accuracy at distribution centers

(26:14) RFID in checkout and fitting room experiences

 

Connect with GS1 US:

Our website - www.gs1us.org

GS1 US on LinkedIn

 

Connect with the guest:

Dean Frew on LinkedInCheck out SML Group

In early 2025, Blockchain Commons architected and engineered a major project for the Zcash blockchain: the ZeWIF specification that allows all of its wallets to interoperate.

Interoperability is something that I consider vitally important for a technological ecosystem, so I was thrilled that Blockchain Commons could improve interoperability for Zcash. Here’s a bit more on why, what Blockchain Commons did for Zcash, and what I’d like to do for other technological communities.

The Limits of Interop

Obviously, some level of interop is necessary for any ecosystem, or it just wouldn’t work. There was a white paper and there are BIPs for Bitcoin; without them, no one could agree on how the blockchain works. We similarly have specifications, RFCs, and standards for everything from email to graphics file formats.

Unfortunately, there are limits to interop. Standards tend to cover the things that are required for the broadest level of intercommunication within an ecosystem. But when companies begin to work on their own apps, their work often turns proprietary—sometimes aggressively so—and that limits a technological ecosystem’s ability to continue to grow.

As an example, email has standards such as RFC 5322 for how mail servers communicate with each other. When mailers begin storing their mail, things become somewhat more balkanized: you might use a classic mbox format or a single-message eml format or a proprietary format such as Microsoft Outlook’s msg. Finally, there’s no consistency at all for how mailers might algorithmically filter messages: it’s hard to control whether a message ends up in the “Important”, “Everything Else”, or even “Spam” category of Gmail, even if a mailer adopts newer standards such as DKIM, DMARC, and SPF.

Yet, all of these types of interactions are important. If a mail ends up in a Spam folder, that’s almost as bad as it not being delivered at all; if mail can’t be restored from a proprietary mailbox, it’s lost as well. That’s why interop is important.

The Power of Interop

I developed four core architectural fundamentals for Blockchain Commons that I call the Gordian Principles. Of them, Privacy is only peripherally related to the question of interoperability, but the other three highlight why interop is important for the health of any technological ecosystem.

Independence is a user-focused principle. It says that users should be free from external control. This is the heart of my ideas of self-sovereign identity, and it’s the heart of interoperability too. With the ability to export or exchange data in an interoperable way, users don’t get locked into a single platform. Instead, they can choose among a variety of options to find an application, service, or pricing structure that meets their precise needs. Resilience is a data-focused principle. It says that data should be protected from loss. When data output and exchange formats are standardized for interoperability, they become widely used and widely understood. That ensures that they can be recovered far into the future. If you’ve ever tried to recover an old ClarisWorks or WordStar file, you’ve seen how much a non-interoperated file format can damage resilience. In comparison, .rtf files will never be lost and even .docx is pretty good—both because Microsoft Word has an enormous install base and because it’s an XML-based output format. Openness is a creator-focused principle. It says that infrastructure should be open so that new creators can join the ecosystem. When communication is standardized, anyone can develop in accordance with the standards, including newcomers. But, this isn’t just beneficial to creators, it’s also beneficial to users. Without new entrants, an ecosystem can become staid and stagnant. With new entrants, an ecosystem is constantly innovating and expanding. It creates an atmosphere of coopetition: members of the ecosystem cooperate to interoperate, but then compete to offer the best products within those standards.

In other words, interoperability is beneficial for the vast majority of members of the ecosystem: users get more options, more innovations, and freedom of choice; creators get the ability to fairly participate and compete; and data gets strong protections far into the future.

What We Did for Zcash

I was thrilled when members of the Zcash community started talking with me about their needs, because it showed a strong, ecosystem-wide understanding of the need for inteoperability.

But there was also a strong inciting incident that led to the Zcash work: the older zcashd server was being deprecated and so there was a need to migrate digital-asset data from its wallet to others. This also reflected a longer-term issue. Digital assets had sometimes been lost during previous migrations due to differences or even bugs in different wallets.

Obviously, a one-off migrator could have been created, likely linking zcashd with its replacement wallet, zallet. But I approached things from an architectural point of view: I wanted to create an extensible Wallet Interchange Format (that’s the “eWIF” in “ZeWIF”) that would not just enable the zcashd migration, but also allow any migration from one wallet to another within the Zcash ecosystem. I wanted to take the immediate needs and political will and turn it into something that could benefit the community for years to come.

That was the ZeWIF proposal that we put forth. It called for one month of studying Zcash wallet data as it currently exists, then another two months of developing the spec and writing libraries to convert among different wallets using that spec. (That timeline turned out to be a bit ambitious, but we’re closing out the initial design with a fourth month of work.)

As the above diagram shows, the zewif Rust crate lies at the center of the ZeWIF system. It creates in-memory representations of data from a variety of inputs and can output that abstracted data in a numbers of forms. Obviously, it can accept input from ZeWIF files and it can output to ZeWIF files. However, that’s just part of the process. Individual developers can also choose to use create front ends that import data from their wallets to zewif and back ends that export the data from zewif to their wallets.

As we release ZeWIF into the ecosystem, we should see advancements in accordance with the Gordian principles:

Independence. Users will be able to move their funds easily among Zcash wallets. Resilience. Translation of keys and seeds should be more reliable, and if conversion is done using our best practices, there should be clear warnings if anything wansn’t converted. Openness. New wallets can join the ecosystem. If they have innovative features, they can easily pick up new users if they support ZeWIF as an import format.

I’ve been thrilled to have strong support from wallet makers in the Zcash community. That type of buy-in is required to make interoperability work. Zingo Labs, the makers of the Zingo wallet, introduced us to the opportunity and have worked closely with us to fulfill our vision. Meanwhile, ECC has been our next testbed, since they’re using ZeWIF to manage conversions between zcashd and zallet. Other principals have been involved as well, and just as importantly we didn’t receive any pushback from anyone who refused to use the format. (Not everyone has adopted it yet, but we’re just finalizing the complete ZeWIF draft at this point.)

We were fortunate, because that’s not always the case.

What We Did for Bitcoin

This isn’t Blockchain Commons’ first rodeo. Creating interoperability has been Blockchain Commons’ goal since the start, and we’ve done most of our interop work to date with Bitcoin.

Our two biggest successes for Bitcoin have been Animated QRs and SSKR. Animated QRs are a standardized way to move large files across airgaps. That’s the exact sort of intercommunication that has always required interoperability. SSKR is a standardized way to shard a secret, currently focused on Shamir’s Secret Sharing. Because it isn’t just about intercommunication, getting a variety of companies to use it was a bigger victory, because it ensures those secrets will remain accessible and resilient into the far future. Both technologies are integrated with our Uniform Resources, which have been implemented by more than a dozen companies, offering true interoperability.

But these successes have unfortunately been piecemeal. There’s just one company that I’m aware of that’s adopted a pretty wide swath of Blockchain Commons’ Gordian specifications, and that’s our long-time sponsor, Foundation. We most recently worked with them to support QuantumLink, a Post-Quantum-Cryptopgraphy (PQC) method of Bluetooth communication that’s in their new Passport Prime device, but they’ve also implemented URs, Animated QRs, SSKR, and other Blockchain Commons interop specs. As a result, they’ve got well-studied, mature specifications that they didn’t roll themselves and that should be resilient and reliable far into the future. I think that adding in a variety of linked interop specs like this has a multiplicative effect.

I’d love to see more of this in the Bitcoin community, but a lot of people are resistant.

Why People Fight Interoperability

The primary reason that we see people fight interoperability is market dominance. The Bitcoin ecosystem has grown large enough that some of the bigger players have stepped back from inteoperability

I was sad to see ColdCard go this way, after they themselves built on Trezor and other open-source libraries. At least they’ve remained source-verifiable (meaning you can view their code in their repo), at least until you get now to the proprietary chip, but they were once one of maybe three hardware wallets that were fully open-source,and so fully interoperable.

But I think the recent release of Ledger Recover was even more of a tragedy. Here they were offering a big innovation: a way to recover seeds by splitting them up and distributing them off device, similar to Blockchain Commons’ own Collaborative Seed Recovery (CSR). But by keeping their protocol for distributing and recovering seed shares non-interoperable, they kept anyone else from offering seed vaults of their own, instead locking their users into their choices—which were very unpopular due to privacy-busting requirements for KYC information.

The exact opposite approach is taken by another of Blockchain Commons’ long-time developer partners, Craig Raw of the Sparrow wallet. He’s working hard to make Sparrow compatible with everything out there, but the difficulty he faces underlines the issues with the semi-interoperable state of most blockchains. He has to make NASCAR-like lists of otherwise incompatible products and introduce secret sauce to interoperate with each of them. We’re very luck to have the Sparrow wallet working with all of these different devices, but it’s something that would never happen if there weren’t someone as dedicated as Craig working on the project.

For smaller companies, interoperability is a way in. Obviously, you should do it!

For bigger companies, interoperability means both trusting your engineers to provide the best experience and trusting your customers to recognize it. That’s a leap of faith, but one that I’d hope to see most companies make in our industry. After all the idea of personal control is likely one of the reasons that your customers are working with digital assets in the first place!

The Potential for Other Blockchains

I hope that our work with Zcash (and before that with Bitcoin) is just a first step. I’d like to take that experience to other blockchains and offer new interoperability to grow those ecosystems as well.

Even after the work we’ve already done, Bitcoin may still need this sort of work the most, because it’s gotten so big. How could we make migration between wallets easier? Or just the migration of seeds or keys? How could we more widely standardize the backup of seeds with a methodology like Ledger Recover or our own CSR? How could we inteoperate third-party services such as pricing and fee lookups? Every one of these elements of interoperability would improve the ecosystem, but they require a dedication to inteoperability itself.

The same is true for other ecosystems that have gotten large enough to see multiple companies working on projects. Big changes could be the incentive for this, such as Monero’s move to Seraphis. But even without big changes on the horizon, big ecosystems grow to the point where interoperability becomes a requirement: Ethereum has a huge infrastructure built around WalletConnect, but we’ve talked with people in the ecosystem who think there’s real room for improvement. I hope that many chains (and other ecosystems) beyond Monero and Ethereum will see the advantages of improving interoperability for all the reasons I’ve laid out here, particular independence for users, resilience for data, and openness for developers.

Are you a leader working in a digital-asset ecosystem? Would you like to work with me to take lessons learned from the Zcash project to create interoperable wallet formats, data-exchange formats, service formats, or something else? Drop me a line at team@blockchaincommons.com. I’d love to talk about how we can expand your ecosystem as well.

On April 10, EdgeCon Spring 2025 brought together educators, technologists, and institutional leaders at Seton Hall University to explore the evolving landscape of digital teaching and learning. This premier event focused on the powerful intersection of EdTech, innovative pedagogy, and the administrative technologies that support institutional performance and drive student success. With forward-thinking sessions and collaborative discussions, attendees gave  the event an overall 4.7 favorable rating (out of 5) and gained fresh insights into how technology continues to shape the future of education.

Connecting with Graduate Students in the Digital Learning Era

The day’s events kicked off with the breakout session, Connecting with Graduate Students in the Digital Learning Era, presented by Georgian Court University’s Denise Furlong, Assistant Professor, and Janine Ataide, Educator and Graduate Student. As more graduate programs provide online options to meet the needs of working adults, universities must consider different ways to engage these students as valued members of the community even though they may never see the physical campus. Some students report that they feel a sense of belonging and strong collaboration within their program and others feel a sense of isolation in their learning experience. This session explored the different aspects of programs and courses that are important in engaging and empowering graduate students as truly part of the university community, as well as how course design, faculty collaboration, and peer connections can contribute to fostering a sense of belonging among online graduate students.

Navigating the Use of Generative AI in Online Classrooms

As generative AI tools become increasingly prevalent, educators face unique challenges and opportunities in the online classroom. Carol Smith-Cuevas, Associate Director, Learning Engagement & Development, Kean University, discussed effective strategies for responding to students’ use of generative AI in Navigating the Use of Generative AI in Online Classrooms. Attendees explored this topic from a professor’s perspective and learned practical approaches to integrating AI tools into coursework, setting clear guidelines, and promoting ethical use. Smith-Cuevas also explained different ways to design assignments that encourage critical thinking and originality, how to utilize AI detection tools, and resources that can help students to understand the implications of AI-generated content. Attendees left equipped with actionable practices to create a fair, engaging, and academically rigorous online classroom.

Integrating Free AI Training and Micro-Credentials into Learning Environments

Professors John Shannon, Seton Hall University, and Susan O’Sullivan-Gavin, Rider University, led the session, Unlocking the Future of Learning: Integrating Free AI Training & Micro-Credentials into Learning Environments, and explored how educators can seamlessly integrate free, high-quality AI training programs and micro-credentialing opportunities from platforms like MIT OpenCourseWare, Harvard Online, LinkedIn Learning, Google, and others into their courses. Attendees learned how to identify and incorporate free AI training and certification programs that align with course objectives, and strategies for scaffolding these resources into curriculum design to enhance student engagement and skill development. Shannon and O’Sullivan-Gavin also shared helpful methods for leveraging micro-credentials to increase student employability and lifelong learning pathways.

Demystifying AI Literacy

Attendees joined NJIT/NJII’s Learning & Development Initiative to explore critical AI literacy standards for education and beyond. Led by Stefanie Toye, Project Manager, NJIT & NJII, and Dr. Teresa Keeler, Project Manager at The Learning & Development Initiative, NJIT, this presentation shared why these standards are essential, who needs them, and how to implement them effectively. They shared specific ideas about how these standards can be constructed and adopted, and why AI literacy is crucial for K-12 and higher ed educators and administrators.

Advancing Accessible Digital Education at Hudson County Community College

Callie Martin, Senior Instructional Designer, Hudson County Community College, and Joshua M. Gaul, Ed.D., Associate Vice President & Chief Digital Learning Officer, Edge, led the presentation, Building an Inclusive Future: Advancing Accessible Digital Education at Hudson County Community College (HCCC). This breakout session highlighted HCCC’s collaborative efforts with Edge to build a more inclusive and accessible digital learning environment. Through this partnership, HCCC has embraced Universal Design for Learning (UDL) principles to remove barriers and create equitable educational experiences for all students. The session showcased how the college, supported by Edge’s expertise and resources, has implemented student-centered strategies that prioritize accessibility, engagement, and success. Attendees will learn practical approaches to designing inclusive courses and hear firsthand how institutional collaboration can drive meaningful change in digital education.

“I enjoyed the morning presentation that I attended and the Panel Session. NJEdge always does such a great job with these conferences!” Carol Smith-Cuevas
Associate Director, Kean University The Digital and Data-Driven Center for Teaching and Learning

The day continued with the second round of breakout sessions, including The Digital and Data-Driven Center for Teaching and Learning led by John Baldino, OFS, Director, Center for Teaching and Learning, Lackawanna College. He shared best practices for using communication technology, digital content and marketing platforms, artificial intelligence, and collected data to create a sustainable Center for Teaching and Learning model that can help empower CTLs to support faculty in their academic success.

Crafting Collaborative Conversations

Curiosity Catalysts: Crafting Collaborative Conversations, led by Adelphi University’s Karen Kolb, Director, Faculty Center for Professional Excellence, Jennifer Southard, Instructional Designer, and Marilena Orfanos, Instructional Designer, examined research-backed, low-effort strategies that enhance online discussions and collaboration without adding to instructor workload. Participants learned how to design thought-provoking prompts that ignite curiosity, integrate AI and digital tools to support interaction, and implement alternative discussion formats—such as multimedia responses and collaborative annotation—to foster deeper engagement. This session also covered effective ways to maintain instructor presence without micromanaging, and gave attendees ready-to-use techniques to create more engaging, inclusive, and meaningful online discussions.

Supporting Persistence in STEM Learners

Natalya Voloshchuk, Assistant Teaching Professor, and Karen Harris, Senior Instructional Designer and Assessment Specialist, from Rutgers University led the session A Learning Outcomes Strategy for Supporting Persistence in STEM Learners to demonstrate how assessment and feedback can aid in developing self-directed learners by examining an implementation of a deliberate data collection Rubric. They discussed how the Rubric is used to help students identify their strengths alongside the areas to work on toward improvement, while also offering the instructor valuable insights for supporting persistence in STEM courses. Harris and Voloshchuk shared some course-level learning data and reflected on how it might impact learning across a STEM curriculum. They also considered how incorporating learning outcomes in rubrics can help students make connections to work skills they are developing that will support them in internships and research settings. 

The Implications of AI for Next-Generation Education

Steven D’Agustino, Senior Director for Online Programs, Fordham University, joined EdgeCon to explore the transformative impact of AI on education. He began by defining key AI terms such as Machine Learning (ML), Natural Language Processing (NLP), and Neural Networks, and discussed the growing use of AI tools like ChatGPT among students for academic tasks. The presentation highlighted the challenges and opportunities of integrating technology into education, categorizing adoption methods as intentional, accidental, or unilateral, and how the COVID-19 pandemic accelerated unilateral adoption due to necessity. D’Agustino raised concerns about AI’s potential to depersonalize learning, leading to cognitive de-skilling, and creating a sense of futility among students and educators. However, he also outlined four essential tasks for educators in the AI era: curating, contextualizing, creating, and collaborating. The presentation underscored the importance of equity in AI integration and how educators must focus on humanistic ends to ensure that AI is used deliberately and equitably to benefit all students.

A Blueprint for Excellence in Short Course Development and Design

In the session, Beyond the Badge: A Blueprint for Excellence in Short Course Development and Design, Molloy University’s Dr. Amy Gaimaro, Dean of Innovative Delivery Methods, and Susan Watters, Associate Director of Blended and Online Learning, examined the blueprint development of high-quality short courses while embedding quality course design badges. Participants learned how to identify quality criteria for designing courses, establish clear learning objectives and outcomes that align with industry standards and learner needs, and how to address regular and substantive interactions in online asynchronous short courses.

This session was ideal for instructional designers, online administrators, training managers, and educators who were looking to enhance the quality and impact of their short course offerings. Attendees gained strategies for incorporating quality assurance throughout the course development lifecycle, best practices for designing and implementing effective quality badge systems, and actionable steps to improve learner engagement and course effectiveness.

Visions for Online Learning: Evolving Strategies and Institutional Growth

As online learning continues to evolve, institutions must adapt their strategies to meet shifting student expectations, market demands, and technological advancements.  EdgeCon panel discussion, Visions for Online Learning: Evolving Strategies & Institutional Growth, brought together higher education leaders to explore innovative approaches to online learning that drive institutional growth and long-term success. Panelists, Michael Ciocco, Ph.D., Associate Vice President of Online Learning, Rowan University, John F. O’Callaghan, Jr., Vice President for Transformational Learning & Chief Online Officer, Kean University, and Joshua M. Gaul, Ed.D., AVP & Chief Digital Learning Officer, Edge, discussed emerging trends, the role of data and AI in shaping digital learning experiences, strategies for scaling programs sustainably, and the balance between quality, accessibility, and financial viability. Attendees gained valuable insights into how institutions are redefining their online learning strategies to expand access, improve student outcomes, and remain competitive in an evolving educational landscape.

The Rise of Non-Degree Credentials

Afternoon sessions kicked off with The Rise of Non-Degree Credentials–The Future of Higher Education led Michael Edmondson, Associate Provost, NJIT. He shared how traditional higher education is struggling to keep pace with workforce demands and a growing number of companies now favor skills-based hiring over degree-based credentials, with 70% of job skills expected to change by 2030 due to AI and automation. Employers increasingly prefer hiring candidates with business-oriented or technical microcredentials that provide real-world experience and rapid upskilling. Attendees learned how microcredentials can offer a solution by closing the workforce gap, aligning learning with employer needs, and fostering lifelong learning. As businesses prioritize AI, data analytics, and soft skills, microcredentials are emerging as the future of education, providing professionals with the flexibility to adapt and thrive in an evolving job market.

The Growth of Online Education at Rowan University

Mike Sunderhauf, Director of Instructional Design, and William McCool, Online Course Operations Coordinator, from Rowan University led the breakout session, Shaping the Future: The Growth of Online Education at Rowan University, where they shared how Rowan University is undergoing a transformation in its approach to online education, shifting focus from traditional on-campus programs to scalable online offerings. The session explored how Rowan University is reshaping online education through a combination of strategic collaboration, program design, and faculty empowerment, ultimately fostering an engaging and dynamic learning environment for students and instructors alike. Sunderhauf and McCool shared how their learning strategy aligns with a flexible model, allowing instructors to follow a standardized framework while being empowered to update and adapt their courses to meet the needs and interests of each learner group. They showed how this balance between consistency and adaptability fosters both reliability and innovation in the learning process.

 Integrating Virtual Reality into Higher Education

Joining EdgeCon from Seton Hall University, Renee Cicchino, Director of Instructional Design and Training, and Riad Twal, Senior Instructional Designer, gave a closer look into how the University has been experimenting with Virtual Reality since the release of the Google Cardboard Viewer in 2014. In 2024, they acquired a number of Meta Quest Pro devices, allowing for an entire class to participate in a virtual experience at the same time. During the 2024 Fall semester, Seton Hall launched a pilot program examining how they can best facilitate Virtual Reality experiences for graduate and undergraduate classes.  These experiences are informing the development of a Virtual Reality Showcase to formally introduce this technology to their faculty, along with examples of how this technology can be incorporated into various course topics.

This session focused on the instructional designer’s perspective of evolving VR Technology, the introduction of the Quest for Business device management software, initial faculty and student experiences with the Meta Quest Pro devices, future plans for expanded access and utilization, and suggestions for implementation at other institutions.

“Excellent topics and sessions.” Charles Wachira
Senior Director for Teaching & Learning, John Hopkins Carey Business School Using AI in the Math Classroom for English Language Learners

Grace E. Cook, Ph.D., Program Area Lead of Computer and Mathematical Sciences, Montclair State University, has seen an increase in the number of English Language Learners (ELL) in her classroom, particularly students whose primary language is Spanish. By incorporating the use of ChatGPT and Google Notebook into the daily functions of the class, she has been able to make mathematics more accessible. In this session, Cook shared her experiences with teaching in English and Spanish with the assistance of AI and discussed the pros and cons of their uses and what her ELL students list as the positives and negatives of each resource.

Podcasting to Create Interdepartmental Collaboration

In Podcasting to Create Interdepartmental Collaboration and Showcase Faculty Innovation, Seton Hall University presenters, Kate Sierra, Instructional Designer, Teaching, Learning, and Technology Center, and Ann Oro, Senior Instructional Designer, explored how the Teaching, Learning, and Technology Center (TLTC) at Seton Hall launched a podcast series called Innovate and Educate to explore the intersection of technology and teaching. They highlighted how topics such as technology integration, accessibility tools, and other innovations are transforming learning, improving student outcomes, and addressing classroom challenges.

Attendees gained insights into the process of developing and sustaining a podcast, including identifying relevant resources, building an audience, and maintaining engagement. They also learned how this initiative has strengthened institutional resiliency by fostering a culture of innovation and shared learning. Participants were encouraged to consider how podcasting could serve as a scalable, cost-effective strategy for their own institutions to spotlight success stories and support strategic goals.

Creating an Institutional Culture of Accessibility

Many institutions approach accessibility in silos and rely on specialized offices rather than embedding responsibility across the entire campus. In Creating an Institutional Culture of Accessibility, Laura M. Romeo, Ph.D., Director of Learning Innovation, Development, and Scholarship, Edge, shared strategies for shifting to an integrated, institution-wide approach. The discussion looked at governance structures, training models, and change management strategies that can empower all departments to play a role in accessibility. Attendees gained practical insights on overcoming implementation barriers, methods to measure cultural progress in institutional accessibility efforts, and how to foster a culture that moves beyond compliance to true inclusivity.

Celebrating Achievements and Contributions

At this spring event, Edge celebrated the exceptional work of higher education institutions across the region by presenting a series of awards to recognize their impressive impact and accomplishments.

The Preserving Education Through Change Award was presented to Montclair State University (MSU) and accepted by the University’s President, Jonathan Koppell, to recognize the significant vision and leadership by one of New Jerseys signature public universities. As the educational community navigates unprecedented change, it is vital that institutions seek opportunities for collaboration and support. MSU has been a primary example of this kind of support and stewardship in recent years. As MSU itself continues to grow, the institution has also shown a capacity for significant leadership, leading a merger with the former Bloomfield College, now Bloomfield College of Montclair State University. By preserving continuity and quality of educational opportunities at an institution noted for serving first-generation students and those from diverse backgrounds, MSU has strengthened New Jersey’s educational system and the college experience for their students.

In pursuit of educational and operational excellence, institutions across the country are working tirelessly to modernize systems and processes to better serve their communities. As funding and staffing challenges continue to affect institutions of all kinds, the effort to transform the educational experience can be difficult. The Member Technology Transformation Award was given to Felician University to recognize their transformative efforts in modernization through growing engagement with Edge and the member community, as well as a dedicated strategic focus on improvements in university infrastructure, digital experience, and excellence in the delivery of diverse educational offerings. The award was accepted on Felician’s behalf by Deanna Valente, Dean of the Center for Information Systems and Technology & Learning Development.

To recognize the remarkable commitment to expanding and innovating online education, Kean University was presented with the Online Learning Growth Award. As one of New Jersey’s fastest-growing institutions in digital learning, Kean University has demonstrated strategic leadership in developing flexible, high-quality online programs that meet the evolving needs of today’s learners. Through a forward-thinking approach and investment in instructional design, technology, and student support, Kean has significantly broadened access to education for diverse student populations across the region and beyond. The award was accepted on Kean’s behalf by Jay O’Callaghan, VP for Transformational Learning & Chief Online Officer.

Through the visionary leadership of their Center for Online Learning, Hudson County Community College (HCCC) has embedded accessibility and Universal Design for Learning into the foundation of its online course development. By proactively prioritizing inclusivity, leveraging data-informed strategies, and fostering a campus-wide culture of digital equity, HCCC has created a truly inclusive online learning environment. Their work not only meets ADA Title II compliance but sets a powerful example for institutions state-and-nationwide. To celebrate this innovation, dedication, and transformative impact on student success and educational access, HCCC was given the Accessibility in Digital Education Award, which was accepted on their behalf by Executive Director, Center for Online Learning, Matthew LaBrake.

By fostering meaningful dialogue and showcasing innovative practices, EdgeCon Spring 2025 not only sparked new ideas but also strengthened the connections that can help drive higher education forward. As institutions navigate a rapidly changing landscape, the shared insights and partnerships formed at EdgeCon play a vital role in shaping a more connected, resilient, and student-centered future.

VIP Sponsors Exhibitor Sponsors

The post EdgeCon Spring 2025 appeared first on NJEdge Inc.

Panel 4 on Law and Policy for the Attention Crisis, featuring Alex Roberts (moderator), Dick Daynard, Leah Plunkett, Woody Hartzog and Zephyr Teachout.

Last Friday, April 11, three of us, Elettra Bietti, Aileen Nielsen, Laura Aade, co-organized a workshop titled “The Battle for Our Attention: Empirical, Philosophical and Legal Questions” which took place at Northeastern University School of Law, and benefited from the support of CLIC, Northeastern’s Center for Law, Information and Creativity, and the involvement of Harvard’s Berkman Klein Center community of fellows and faculty. The event brought together leading legal scholars, policymakers, economists, medical scientists, computer scientists, media scholars, and technologists to address the pressing issue of how today’s digital technologies are transforming the understanding, use, and allocation of human attention, including implications for how we spend our time and what information we consume.

The discussion was wide-ranging, interdisciplinary, and deeply enlightening. We discussed whether attention “actually exists”, how it works, the history and business models of attention capture, the challenges and findings that arise from empirical studies of attention and attention markets, the relation between attention, intimacy, convenience and the law of trademarks, possible analogies with tobacco and gambling litigation, and the policymaking associated with regulating engagement and children’s use of social media.

The event began with a panel on the political economy of attention. Yochai Benkler kicked off the discussion with an overview of the capitalist drive to capture and instrumentalize attention over time, beginning with the 19th century press and culminating in today’s digital technologies. He argued that markets won’t solve attention problems and could exacerbate attention harms, in contrast with Marshall Van Alstyne’s suggestion that a Coasean model of attention rights could help platform owners manage misinformation and reduce incentives to share inaccurate or false information. Where Benkler advocated for the decommodification of attentional experiences, Van Alstyne advocated for a market regime of incentives and individual rights to speak and listen. David Lazer, for his part, adopted a middle ground position, presenting several findings on the slow but steady decoupling of content from its sources. He showed that information has become less traceable to sources, and discussed chatbots’ role in producing knowledge that is increasingly divorced from reliable reference to authors and media sources.

The second morning panel addressed the empirics of attention. Michael Esterman discussed some of his clinical work, showing that attention is a fluctuating, fragile process deeply shaped by cognitive and environmental factors. Sustaining attention for long periods of time and across contexts remains a phenomenon that is not well understood, and Esterman presented results showing that blocking a population’s mobile phone access for two weeks could improve participants’ attention, as well as their mental health and well-being. Esterman also pointed to the need for increasing measurements outside of laboratory settings to better understand the external validity of fundamental psychological results related to attention. Elena Glassmann then approached attention from the perspective of an interface designer, emphasizing that platforms actively shape how users direct their attention — often without users realizing it. Glassmann highlighted the danger of decontextualisation, where AI-driven tools summarize content by stripping away critical context and leaving users unaware of biases or omissions, and suggested ways to help people build reality-grounded mental models that provide access to contextual information, rather than hiding complexity. Christo Wilson concluded the panel with an overview of empirical approaches to studying attention platform business models, highlighting his role with David Lazer in creating and hosting the National Internet Observatory at Northeastern, a center that offers tools for researchers to study how people behave online in response to particular design features and platform strategies over long periods of time.

During the lunch keynote, FTC Commissioner and Law Professor Alvaro Bedoya spoke of his effort building a team of doctors and psychologists at the FTC whose focus and expertise includes children’s mental health and well-being. He also spoke of his work advocating for children’s privacy under COPPA and of the analogies and differences between tobacco, sports gambling and addiction to technological devices and products. Commissioner Bedoya suggested that more research needs to be done to better understand which products, platforms and specific technological features cause addiction and other mental health disorders.

The afternoon began with a third panel on media and communication systems for attention capture. Nick Seaver presented a spirited argument that attention may, in fact, not exist at all. While holding and waving a mouse jiggler, Seaver showed that attention is primarily defined or constructed by the way it is measured. Measurement, in turn, serves primarily as a managerial tool of control. While they might appear to be measuring participation, platform designers are in reality disciplining, tracking and controlling populations. Bridget Todd spoke of her work in the podcasting world, emphasizing the relation between intimacy and attention: audiences pay attention based on proximity to particular types of content and the emotions that content generates for them. Her view is that the current digital economy prioritizes profitable outrage over thoughtful storytelling, but that we should always push for the latter. Emily West presented some of her research on Amazon through the lens of convenience. Attention and addiction to digital products are promoted by appealing to convenience: platforms engineer frictionless experiences to generate user dependencies, producing a culture of learned passivity and inattention that quietly erodes agency. Rebecca Tushnet spoke of the law of advertising and the doctrines of dilution and confusion under trademarks law, explaining that the law simultaneously invokes but misunderstands the science of, or empirical realities of, human attention, protecting only those parts of attention that can be owned under intellectual property regimes. Similar to Seaver’s argument that attention is effectively what we can measure, Tushnet’s presentation highlighted that we live in an economy of signals and containers of attention.

The day ended with a panel discussion on legal and policymaking efforts in the attention space. Richard Daynard shared key takeaways from his litigation experience fighting tobacco and gambling companies. He explained that these industries intentionally engineer their products to addict users while funding research that shows the exact opposite, namely that their products are not addictive and individuals who engage in excessive use are the ones to blame. He added that these companies often lose in product liability litigation, where strict liability regardless of intention is the standard. Zephyr Teachout then offered an overview of the evolving Supreme Court jurisprudence on the First Amendment, arguing that current shifts in the court’s composition and caselaw are opening the door to possible legislation and reform in the attention space, something that until recently seemed largely implausible. Leah Plunkett discussed state social media laws and described them as providing financial compensation, privacy safeguards for children and workplace protections. She focused on a recent Utah law that allows children to sue their parents for compensation when their image is used in their parents’ social media feed for profit and described her involvement in drafting a model law on this theme for the Uniform Law Commission. Woody Hartzog concluded the panel presentations, discussing his work with Neil Richards on wrongful engagement, a tort which would allow individuals to sue digital companies for profiting from their addiction and engagement while neglecting users’ well being.

The event ended with participants discussing potential research overlaps, future collaborations and potential for advocacy across US regions. In the words of CLIC Director Alex Roberts, who moderated the last panel, “[i]f an interdisciplinary field of “attention studies” wasn’t already a thing, it is now.”

This event would not have been possible without support and assistance from Northeastern’s CLIC, Alexandra Roberts, Jennifer Huer, Walaa Al Awad, Natalia Pifferer, Brad Whitmarsh, and Jacob Bouvier. We also thank Harvard Law’s Laura Zeng, and BKC’s Bey Woodward and Jonathan Zittrain for additional enthusiasm and assistance.

We hope to continue this important conversation in the months and years to come with all of you. If you would like to join future conversations, we have created a regional mailing list which you can sign up to here.

Reporting from “The Battle for Our Attention” Workshop @ Northeastern, April 11, 2025 was originally published in Berkman Klein Center Collection on Medium, where people are continuing the conversation by highlighting and responding to this story.

Today, we’re sharing important news about the future of Ceramic.

With the rapid rise of agents as the new critical user and interface to the web, it’s increasingly clear that supporting a healthy, trustless, decentralized model for AI is essential. Our team, part of Recall Labs after our merge with Textile, is shifting our primary focus to Recall: a platform where AI agents prove themselves, improve themselves, and earn for their intelligence.

As part of this, we’ll be repurposing parts of Ceramic, deprecating others, and introducing a standalone open source version for the community. We want to openly communicate what this means for you and your applications built on Ceramic, as well as outline the path forward.

From Ceramic to Recall

Over the years, Ceramic has been pivotal in helping us understand decentralized data, composability, and robust synchronization. It’s been the leading technology for dozens of applications and networks in need of scalable, edge-centric, verifiable data storage and replication. We spent more than five years developing and iterating on Ceramic and are immensely proud of the advancements and technology we’ve shipped.

Even more than that, we are so thankful for your partnership. Our customers and community have relentlessly innovated on brand new tech, helped us move from prototypes to stable networks, and been the driving force for our continued commitment to open, decentralized data. Thank you for all of your support, and all you’ve helped us learn.

One of the persistent challenges we’ve faced with Ceramic has been the UX of decentralized data systems: managing keys and signing data, novel access control flows, and counterintuitive patterns for data flow have been challenges for many users and developers. Interestingly, all these properties are native and intuitive for the internet’s new class of users: agents.

Recall is a cryptoeconomic platform for AI agents to prove, improve, and earn based on their intelligence. It builds heavily on the technology we’ve built previously, but is a new platform and demands our full commitment.

What This Means for Ceramic Users

We deeply appreciate the trust and investment you’ve made in Ceramic. While our priority is Recall, we remain committed to setting Ceramic users up for success as we sunset certain parts of Ceramic.Here’s exactly what you need to know:

Introducing ceramic-one

Ceramic-one is the most performant, stable, and decentralized implementation of Ceramic. There is a new client SDK for reading/writing to ceramic-one: https://github.com/ceramicnetwork/rust-ceramic/tree/main/sdk

Ceramic-one introduces Recon, enabling reliable synchronization and historical data syncing across nodes. All existing data from ComposeDB remains fully accessible and readable through ceramic-one.

Ceramic-one will continue to function independently, with no dependency on our infrastructure or any other centralized authority. Further, Ceramic-one is under an MIT license, so anyone who wants to fork it and continue developing it on their own is welcome to do so.

Anchoring and Conflict Resolution on Ceramic-one

We’re committed to completing one final critical feature for ceramic-one: self-anchoring to Recall. This allows fully decentralized timestamping without relying on our centralized CAS or Ethereum L1, making ceramic-one truly self-sufficient. This will be implemented sometime after the mainnet release of Recall.

Manual conflict resolution is currently possible through ceramic-one by exposing all stream HEADs, allowing applications to apply their own business logic to select which branch(s) of the stream's history they wish to use. We’re also considering building automated conflict resolution (based on anchor timestamps)—the only remaining functionality from js-ceramic not yet implemented in ceramic-one. If this feature is important to your use case, please reach out, as your feedback will influence our decision.

After these improvements, ceramic-one will reach a feature-complete MVP. At that point, we will only prioritize critical bug fixes. ceramic-one will continue to exist as stable software under an open MIT license—fully available for anyone who wishes to fork, improve, or independently evolve it.

Deprecation of js-ceramic and ComposeDB

Effective immediately, we’re deprecating js-ceramic and ComposeDB. We recommend migration to ceramic-one, the streamlined, performant successor, as soon as possible.

Migration Steps:

A new client SDK for ceramic-one is now available here: ceramic-one SDK Step-by-step migration guidance is provided in our upgrade guides: Migration Guide on Ceramic Blog Detailed Upgrade Instructions on GitHub

Timeline and Support

ComposeDB and the Ceramic Anchor Service (CAS) will be completely shut down at least one month after Recall’s Mainnet launch. (Exact date TBD, but expected in mid-2025.). After that date, ComposeDB-dependent apps will break if not migrated to ceramic-one.

Recall: The Future of Decentralized Intelligence

Ceramic’s legacy and your contributions have directly influenced our development of Recall. Many of Ceramic’s strengths—openness, transparency, and decentralization—live on and evolve within Recall’s cryptoeconomic framework.

Recall aims to become a vibrant ecosystem for AI builders and developers. We warmly invite Ceramic users to explore the opportunities Recall offers: building intelligent agents, participating in verifiable competitions, and earning from proven performance.

We’re grateful for your support of Ceramic and excited about this next chapter with Recall. Our team remains available to assist your migration and ensure your continued success. If you have questions related to Ceramic, please reach out to us here. If you’re interested in learning more about Recall, find us on Twitter!

Warm regards,
The Recall Labs Team

Internet Safety Labs testified in support of the Massachusetts Consumer Data Privacy Act (H78) and Massachusetts Data Privacy Act (H104), advocating for strong data minimization, restrictions on sensitive data sales, and robust enforcement to protect residents’ privacy. We’re grateful to the Massachusetts Legislature for hearing our testimony. The written testimony is available to view, along with a video of the testimony below:

Open PDF

 

The post Internet Safety Labs Provides Testimony for Massachusetts Data Privacy Acts appeared first on Internet Safety Labs.

In the MyData Matters blog series, MyData members introduce innovative solutions that align with MyData principles, emphasising ethical data practices, user and business empowerment, and privacy. The future is knocking, […]

The Compliance Symposium has been postponed. We invite you to learn more about our upcoming flagship conference, EdgeCon Autumn 2025! Learn More » About the Symposium:

As regulations evolve and technology advances, education institutions face increasing pressure to ensure compliance across:

Technologies such as AI, data analytics models, and more are reshaping compliance. This symposium brings together experts and institutional leaders to explore:

Attendees will gain practical insights to:

Strengthen institutional compliance

Protect sensitive data

Foster a secure, inclusive digital environment while navigating the complexities of modern education.

Topics to be explored during the Symposium include, but are not limited to:

Data Privacy & Governance

Digital Accessibility & Inclusive Design

Regulatory Compliance & Legal Frameworks

Regulatory Cybersecurity Compliance (GLBA, PCI, NIST, and more)

Compliance and Cyberinsurance

AI, Automation, and Risk

Institutional Risk Management & Resilience

Vendor & Third-Party Risk Compliance

Culture of Compliance: Training & Leadership

Emerging Threats & Future-Proofing Compliance

Case Studies in Compliance Success

Who should attend the Symposium

Cabinet Level Leaders

Provosts & Academic VPs

CIOs

CISOs

Compliance Officers

Risk Management Officers

Directors of Online Learning

Directors of Centers for Teaching and Learning

Register Now » Vendor/Sponsorship Opportunities

Exhibitor Sponsorships are available. Vendors may also attend the conference without sponsoring, but at a higher ticket price.

Contact Adam Scarzafava, Associate Vice President for Marketing and Communications, for additional details via adam.scarzafava@njedge.net.

Download the Sponsor Prospectus Now » Call for Proposals

Submit your presentation topic for the upcoming Compliance in Education Symposium, presented by Edge and Stockton University!

Submit Proposal » More information coming soon!

The post Compliance in Education Symposium appeared first on NJEdge Inc.

Date: October 9, 2025
Location: Rider University
Time: 9 a.m.-5 p.m.
Attendee Ticket: $49

Event Location:
Rider University

REGISTER TODAY » Vendor/Sponsorship Opportunities at EdgeCon

Exhibitor Sponsorship and Branding/Conference Meal sponsorships are available. Vendors may also attend the conference without sponsoring, but at a higher ticket price of $250.

Contact Adam Scarzafava, Associate Vice President for Marketing and Communications, for additional details via adam.scarzafava@njedge.net.

Download the Sponsor Prospectus Now » Accommodations

Hilton Garden Inn Princeton Lawrenceville
1300 Lenox Drive
Lawrenceville, NJ 08648

BOOK YOUR ROOM TODAY »

You may also reserve a room, by contacting the hotel directly via 609-895-9200. Be sure to mention that you’d like your reservation under the “EdgeCon Group Block” to obtain the conference rate.

Details of Conference Proceedings and Submissions Form are now available » Conference Agenda

8-8:30 — Check In / Registration
8:30-9:30 — Exhibitor Networking & Breakfast
9:40-10:20 — Breakout Session 1
10:30-11:10 — Breakout Session 2
11:20-12:30 — Keynote Panel & Awards
12:30-1:30 — Exhibitor Networking & Lunch
1:40-2:20 — Breakout Session 3
2:30-3:10 — Breakout Session 4
3:10-4 — Coffee & Connections: Exhibitor Networking

Breakout Sessions Protecting your Data and Reducing Institutional Risk: SaaS ERP vs. On-Premise System

As cybersecurity threats grow and data regulations evolve, the limitations of legacy on-premise ERP systems are increasingly evident. This session will explore how shifting to a modern SaaS ERP like Workday strengthens data protection, reduces institutional risk, and ensures long-term compliance.

We’ll compare SaaS and on-premise systems in terms of governance, cybersecurity, and regulatory alignment, showing how a unified cloud platform enables real-time visibility, audit readiness, and consistent policy enforcement.

The session will also highlight how AI and automation built into SaaS ERPs proactively detect and mitigate risks—capabilities often lacking in older systems. Attendees will learn how Workday supports institutional resilience through faster recovery, ongoing updates, and simplified compliance with emerging legal standards.

Whether you’re already on Workday or just exploring cloud options, this session will offer practical strategies to protect data, manage risk, and future-proof your institution.

Presenters:

Stephanie Druckenmiller, Executive Director, Enterprise Technologies, Northampton Community College Bryan McGowan, Workday Principal Enterprise Architect, Workday Using AI to Improve Data Accessibility

We know that getting timely answers from institutional data can be challenging, especially when those answers are buried in reports or require technical skills to retrieve. That’s why we’ve started developing a set of AI-powered tools to make it easier for faculty, staff, and administrators to get the information they need, when they need it.

One of our key projects is a conversational AI tool that allows users to ask everyday questions like “How many students are enrolled in a specific program this term?” or “Which majors are growing the fastest?” and get real-time answers without needing to write a single line of code or run a complex report. The goal is to put data directly into the hands of the people who use it for advising, planning, and making decisions.

Behind the scenes, this tool uses Python, ThoughtSpot, and web technologies. But on the front end, it’s about simplicity and usability, removing technical barriers so users can focus on taking action, not figuring out how to run a query applying various filters on dashboards.

Attendees will leave with practical strategies and tools they can apply in their own offices to improve data accessibility  and increase efficiency. This is a traditional presentation enhanced by live user interaction.

Presenters:

Bharathwaj Vijayakumar, Assistant Vice President, Office of Institutional Research and Analytics, Rowan University Samyukta Alapati, Associate Director, Office of Institutional Research and Analytics, Rowan University Modernizing Cybersecurity in Higher Ed: How Stevens IT Transformed User Risk Management

This session will explore the blueprint development of high-quality short courses while embedding quality Join Jeremy Livingston, CISO of Stevens Institute of Technology, and David DellaPelle, CEO of Dune Security, for a practical discussion on what it takes to replace outdated training tools with a real-time, adaptive approach to user risk.

With social engineering threats becoming more personalized and evasive, Stevens needed more than annual check-the-box training. They needed visibility into user-level risk, and a way to act on it. By onboarding Dune Security’s User Adaptive Risk Management platform, Jeremy and his team replaced static modules with role-based testing and training tailored to faculty, staff, and students.

In this session, you’ll learn how Stevens IT:

Eliminated generic compliance training in under a month Scored risk at the individual and departmental level Integrated with Workday and Okta to monitor user behavior and access Enabled campus-wide accountability without adding administrative burden

You’ll walk away with a blueprint for transitioning from awareness to action, using real-world signals, not assumptions. Whether you’re responsible for securing a university, agency, or school system, this session will show you how to build a modern human-layer defense that actually scales.

Presenters:

Jeremy Livingston, Chief Information Security Officer, Stevens Institute of Technology David DellaPelle, Chief Executive Officer, Dune Security From Data Chaos to Clarity: Evolving Toward an AI-Enabled Data Ecosystem

“As institutions face increasing demands to modernize fragmented data systems, the path forward often starts with foundational change. This session highlights lessons learned through a data modernization initiative involving Miami University and a strategic consultant to Miami. The effort focused on cloud-first infrastructure, scalable reporting environments, and readiness for AI use cases.

The presentation will discuss a non-exclusive implementation approach using commercially available platforms to support data integration across enterprise systems, including HR and financial systems. The speakers will outline how these efforts improved internal data coordination, enabled more consistent access to analytics, and set the stage for responsible exploration of AI and automation tools.

Attendees will gain:

A practical framework for evolving institutional data infrastructure Lessons from integrating enterprise platforms to streamline analytics Examples of how AI tools (e.g., forecasting and decision support) can be enabled through foundational change Insights on data governance, change management, and user enablement Reflections on navigating internal challenges in public-sector modernization efforts

This session offers applied, real-world perspectives on building a sustainable foundation for enterprise data transformation. No endorsement of any specific product or vendor is implied.”

Presenters:

Randy Vollen, Director of Data & Business Intelligence, Miami University Jon Fairchild, Director, Cloud & Infrastructure, CBTS Designing for the Whole: A Multidimensional Framework for Responsible Innovation in the Age of AI

As artificial intelligence and emerging technologies rapidly transform our world, innovation must evolve beyond efficiency and novelty to reflect deeper human, ethical, and environmental priorities.

This session introduces a multidimensional framework for responsible innovation organized around four core domains: Performance & Design, Creative & Cognitive Dimensions, Human-Centered Values, and Ethical & Governance Principles.

Each dimension includes four key attributes—from Functionality and Originality to Empathy and Integrity—that collectively offer a holistic model for evaluating and guiding innovation in the AI era.

Learning Outcomes:

Apply a four-dimensional framework to assess the responsibility of innovations. Distinguish key attributes across design, creativity, human values, and ethics. Evaluate existing practices through a multidimensional, equity-centered lens. Integrate the framework into decision-making, curriculum, or organizational strategy.

Presenter:

Michael Edmondson, Associate Provost, NJIT AI Unlocked: Resources, Policy, and Faculty Training

Ready to move your institution beyond AI buzzwords and into real-world impact? Join us for a collaborative session that demystifies AI adoption in higher education from three critical vantage points. Forough Ghahramani (Edge) will kick things off with an insider’s tour of the National AI Research Resource (NAIRR) Pilot—an invaluable toolkit now available to educators and researchers nationwide. Next, John Schiess (Brookdale/Ellucian) will tackle the often-murky waters of institutional AI policy and regulation, sharing actionable strategies for crafting guidelines that support innovation while managing risk. Rounding out the session, Mike Qaissaunee (Brookdale) will reveal lessons learned from piloting faculty training programs designed to boost AI literacy and spark creative teaching applications. This traditional presentation is packed with practical insights, but we won’t leave you empty-handed—participants will walk away with curated instructional materials and resources to jumpstart their own AI journeys.

Presenters:

Michael Qaissaunee, Professor and Co-Chair, Engineering and Technology, Brookdale Community College Forough Ghahramani, Assistant Vice President for Research, Innovation, and Sponsored Programs, Edge John Schiess, Technical Director. Office of Information Technology (OIT), Brookdale Community College Protecting Privacy in the Age of AI Infused Pedagogy

This presentation, originally designed for K-12 settings, offers a foundational understanding of the critical privacy and security considerations that arise with the increasing adoption of Artificial Intelligence in educational environments. For higher education faculty and administrators, these principles are equally, if not more, relevant given the diverse data streams and research contexts within universities.

The core content covers:

Understanding AI Applications: We explore various ways AI is being utilized in education, from personalized learning platforms and intelligent tutoring systems to automated assessment tools, content generation, and administrative analytics. In higher education, this extends to research support, student success prediction, and advanced pedagogical tools. Navigating Privacy Concerns: The presentation highlights the “data dilemma,” emphasizing the types of sensitive student and interaction data collected by AI tools. Key concerns include data storage, access protocols, the risk of de-anonymization, and the need to align with relevant data privacy regulations (e.g., GDPR, state-specific privacy laws, institutional data governance policies). Addressing Security Risks: We delve into the cybersecurity threats posed by AI, such as data breaches and sophisticated phishing attacks. Crucially, the presentation addresses the pervasive issue of algorithmic bias, explaining how biased training data can lead to unfair outcomes in areas like admissions, grading, or resource allocation. The challenge of AI-generated misinformation and its impact on academic integrity is also discussed. Implementing Safeguards & Best Practices: The presentation outlines a proactive, multi-step approach for responsible AI integration. This includes developing clear institutional policies (acceptable use, data governance, AI ethics), conducting rigorous vendor vetting, providing comprehensive training for faculty and staff, fostering digital literacy among students, and maintaining transparent communication with the university community.

Ultimately, the presentation underscores that while AI offers transformative potential for teaching, learning, and administration in higher education, its responsible and ethical implementation hinges on a deep understanding of its privacy and security implications, coupled with robust institutional frameworks.

Presenter:

Teresa Keeler, Project Manager, NJIT Are We Ready? Rethinking AI Readiness, Risk, and Responsibility in Higher Education

As artificial intelligence reshapes nearly every industry, higher education faces a pressing question – Are we truly ready to harness AI effectively, responsibly, and sustainably? By the end of this session, attendees will be able to:

Assess AI Readiness using a practical self-assessment checklist across technical, cultural, and governance dimensions. Recognize Barriers including technical, financial, and cultural challenges to adoption. Evaluate Sustainability and Ethics by analyzing environmental impact, equity, and algorithmic fairness. Formulate Strategic Questions for assessing AI vendors, platforms, and models. Design Actionable Roadmaps to move from AI interest to readiness aligned with institutional missions.

Attendees also will leave understanding that readiness ≠ awareness; AI adoption depends as much on governance and culture as on technology. Sustainability must be central, addressing cost and environmental impact. Higher education needs tailored AI models rather than retrofitted industry

Presenters:

Nandini Janardhan, Programmer Analyst/Applications Manager, Fairleigh Dickinson University Sahana Varadaraju, Senior Application Developer, Rowan University Data in Action: Empowering Decision-Making and Driving Efficiency with Tableau Online

In the dynamic environment of higher education, data-driven decision-making is not a luxury—it’s a necessity. This session explores how our community college leveraged Tableau to transform raw institutional data into interactive, insightful dashboards across key business areas including enrollment management, finance, student services, and academic affairs. By centralizing data visualization and analysis, we’ve empowered stakeholders with real-time insights that drive efficiency, support strategic planning, and uncover opportunities for process improvement.

Presenters:

Moe Rahman, AVP/CIO, Community College of Philadelphia Laura Temple, Associate Director, Community College of Philadelphia …and more sessions to be announced! Exhibitor Sponsors

The post EdgeCon Autumn 2025 appeared first on NJEdge Inc.