RE: When Technical Standards Meet Geopolitical Reality

Dear colleagues, 

 

I work every day in B2B and B2G identity. Pharma, financial services, automotive, Industry 4.0, supply chain, energy, critical infrastructure, public sector. 

 

My ask to the W3C community: stop treating private-citizen ID and cypherpunk debates as the main use case and area of concern. They are “super essential”, but not sufficient.

 

We must define personhood as both natural and legal personhood. We need a broader frame. We must understand legal compliance and how identity serves law and contracts. We must design solution patterns that cover natural persons, legal persons, solo entrepreneurs, employees, machines, and AI—while protecting privacy akin to business confidentiality in B2B. We must understand the broader macro-economic and cyber-security business case.

 

TL;DR

Digital identity must go beyond private citizens. We need two wallet tracks that coexist: personal wallets for people (e.g. EUDIW) and business wallets for organizations (e.g. EUBW). 

 

Many high-value flows require “legal proof of existence” (more precise from my POV than “proof of personhood” for legal use) anchored in government registers and IDs—for both natural and legal persons. We are heavily using the term legal proof of existence for legal persons and recommend defining it for natural persons as well. Government issuers are required where legal effect is needed. 

 

At the same time, use privacy tech (selective disclosure, no phone-home, PETs) and allow multiple issuers to avoid single-point control. The Solo-Entrepreneur continuum (BST→RSP) shows why personal-only thinking fails: many one-person businesses need role, license, audit, and delegation as well as much more advanced business logic and credential integration with legacy systems and processes. B2B/B2G delivers the macro-economic benefit and will drive wallet adoption; trusted AI and machine identity must be first-class. 

 

Note: As Daniel Hardman noted in another discussion, identity for natural persons must serve citizens, non-citizens, and stateless people. The solution must be inclusive in technology and in law. Without a way to provide a “legal proof of existence” for stateless people, gaps remain. In many regulated use cases, they cannot use a wallet without such proof. We must solve this with lawyers and governments. This is a very hard problem. Because stateless people do not vote, the electoral incentive is weak; many governments may not prioritise it.

 

Summary of my findings over the years

 

Shift the center of gravity: 
Wallet business case adoption will be driven by B2B/B2G. These flows need verified legal person identity, roles, mandates, seals, and automation. Private-person use alone will not scale decentralised identity infrastructure. 

 

Legal proof of existence is non-optional: 
Contracts, KYC/AML, procurement, licensing, and due diligence require an anchor in law. For people: civil ID. For companies: commercial registers (EBRA, BRIS/EUID, EUCC, HGB). For legal effect, credentials must be issued from—or derived from—governmental sources. There is no way around this. 

 

Coexistence model: two wallets, one identity system design:

   * Citizen Wallets such as EUDIW for natural persons (including professional attributes, QES integration).

   * Business Wallets such as EUBW for legal persons (LPID/EUID, VAT, licenses, QSeal integration).
       Shared standards (W3C VC/VP) and trust lists; cross-recognition across the EU, US (see recent NIST Special Publication 800-63-4 Digital Identity Guidelines), other jurisdictions.


Solo-Entrepreneur continuum (BST → RSP):
Many solos are voters and are frustrated by bureaucracy (e.g., Germany). Therefore, solos are an extremely important identity stakeholder group. A wallet ecosystem that ignores them is incomplete. And they offer an excellent space to test our models.

   * BST: simple business attributes in EUDIW; occasional QES.

   * RSP: licenses (QEAA), retention, audit, delegated roles, 24x7, automation, often a cloud business wallet. Step-up rules as assurance and complexity rise. 

 

Source vs. issuer (from the email thread below), aligned with compliance:
Keep government as the authoritative source of legal existence. Allow accredited providers as issuers. Use PETs and unlinkable presentations so issuers do not “phone home.” This preserves rights while meeting legal needs. 


Roles, mandates, and workforce controls:
Bind employees to companies with verifiable roles/PoA (scope, value, time). Support joint signatures, policy checks, and revocation/status at scale. 

 

Machines and AI as first-class actors:
Issue credentials to systems and AI agents with chains back to a responsible person or legal entity. Log authority use; enable revocation and audit. If identity is not AI-ready, the solution will fail. 

 

2×2 Matrix to pick the right controls:
Axes: Assurance requirements × Operational complexity.
   Q1: low/low (private individual use, BST).
   Q2: high/low (RSP, high-trust individual actions).
   Q4: high/high (SMEs/enterprises with automation and deep system integration). 

 

Government issuers + multi-issuer ecosystem:
Use government-backed credentials for legal existence (PID, EUID/LPID, business licenses). Allow QTSPs and other accredited bodies to issue attributes. Keep verification privacy-preserving. 


Solution patterns to standardize:
Personhood-minimal schema; LPID/EUID corporate credential; role/PoA and delegation chains (incl. AI); revocation/status lists; offline, unlinkable VPs; LTV for signatures (XAdES-LT/LTA, PAdES); reference flows for BST and RSP. 

 

CTA: 
If we don’t expand beyond private-person use, we fail.



We will miss the macro-economic use cases, under-serve solo entrepreneurs, block enterprise automation, and be unfit for AI-driven operations. The result: poor adoption, limited funding, and policy drift away from decentralised identity patterns. 

 

Demand for trusted AI is super high. AI identity will set the standard for the agent-based internet. We must act now: five weeks, not five years.

 

 

From: Tim Bouma <trbouma@gmail.com> 
Sent: Sunday, 10 August 2025 00:01
To: Daniel Hardman <daniel.hardman@gmail.com>
Cc: Manu Sporny <msporny@digitalbazaar.com>; public-credentials (public-credentials@w3.org) <public-credentials@w3.org>
Subject: Re: When Technical Standards Meet Geopolitical Reality

 

Personally, I’ve come to the conclusion that we require a protocol where the core primitive is ‘issuance’ (signing) such that there is no privileged role of ‘issuer’ and/or ‘verifier’. Anyone using this so-called protocol, no matter how disadvantaged they might be, must be on equal footing with the strongest of users, namely government. 

 

As things stand now, the current protocols simply reinforce the status quo, and for the majority that’s ok, or they don’t know anything different. That’s also ok, for the current generation of solutions, but we need to start looking past that horizon.

 

Tim

 

 

On Sat, Aug 9, 2025 at 5:50 PM Daniel Hardman <daniel.hardman@gmail.com> wrote:

>> I would like to share an experience so that my strong words have some softening context.
>I wanted to come back to this email, as it's been echoing in my head

Thank you for the kind and thoughtful response, Manu.

>> I think it is dangerous to build an ecosystem where proof of personhood is largely assumed to come from governments.
>Yes, agreed; that should not be the only source, but I expect it will be a primary source for some time to come.

I'd like to clarify my mental model, because there seems to be both important alignment and important divergence between mine and yours, Manu.

 

Speaking of government, you used the phrase "be the only source". My language was similarly general: "proof of personhood comes from". In a sense, it might seem that we're saying almost the same thing. But let me get more granular.

 

I have no problem at all with the idea that a government-governed process should be the common/default "source" or where "proof of personhood comes from" -- in the near term or into the infinite future. My beef is with the easy conflation of "source" and "issuer". A government process can produce personhood evidence, but I don't want the identifier of the government to be used as the *issuer* of that evidence. EVER. Hard stop, exclamation point, non-negotiable human rights core principle that we don't stray from even in version 0.1 of a system. And I believe we can actually achieve and enforce this by being very careful with our definitions, which is why I'm trying to be so picky about language.

 

On what basis could we maintain the distinction between "source" and "issuer"? In my mind, an acceptable process for issuing personhood evidence would be whatever the government designs, and could use whatever infrastructure the government provides -- but would result in issuance by a named human being who has a publicly known legal identity endorsed by that government for issuance of personhood credentials. This would make proof of personhood just like an adoption decree -- signed by an individual human judge who has delegated legal authority from the government -- NOT signed by "the government" as an impersonal bureaucracy.

 

I also don't want any fields in a personhood credential to attest to any characteristics of legal identity, because legal identity characteristics are changeable, whereas humanity is not. Conflating the two is dangerous. The only fields that should exist in a personhood credential are various biometrics and metadata about the issuance/level of assurance. A government credential that attests to legal identity for a person is derivative of, not equivalent to, proof of personhood, and modeling it any other way is both a concept error and a human rights violation. It elevates government opinion about legal identity facts to a place those facts do not belong, which is on the level of human dignity. 

 

If we do it the way I'm recommending, then tribal elders or doulas in remote highlands somewhere naturally function as peers of judges, which is factually accurate, reasonable, just, and inclusive. The only difference between their evidence output is whether you like the governance -- again, factually accurate, reasonable, just, and inclusive. If, on the other hand, "the government" is the issuer of proof of personhood -- or if we have fields in the schema of such a credential that only governments can attest to -- we permanently prevent humans from becoming peers of institutions on the question of humanness. 

 

--Daniel

 

On Sat, Aug 9, 2025 at 11:40 AM Manu Sporny <msporny@digitalbazaar.com> wrote:

On Sun, Jul 20, 2025 at 6:40 PM Daniel Hardman <daniel.hardman@gmail.com> wrote:
> I would like to share an experience so that my strong words have some softening context.

I wanted to come back to this email, as it's been echoing in my head
for the past several weeks and I wanted to acknowledge the sharing of
a personal experience, thank Daniel for sharing it, and recognize
where Daniel is coming from... which is from one of many acutely human
experiences, which I hope is what we're all trying to improve with our
work.

For those of you that might have visited countries where you show
your, or your child's, only form of international identification, only
to have (without warning) security personnel walk away with it or
suggest that they will keep it, is terrifying. The flush of
adrenaline; the heat on your face, hits you before you can process
what's going on. I'm sorry you had that experience, and I'm glad it
worked out in the end... and both you and I know it does not always
work out in the end.

> How does this relate to personhood credentials? I think it is dangerous to build an ecosystem where proof of personhood is largely assumed to come from governments.

Yes, agreed; that should not be the only source, but I expect it will
be a primary source for some time to come.

> If we raise the stakes further -- governments now decide who the rest of the world can/should believe is human (and thus worthy of human rights), I think we are truly in scary territory.

I agree.

> Doctors or nurses who sign birth certificates should be able to attest humanness. Tribal elders should be able to attest humanness. Government vetting processes that prove humanness should be signed by a human employee, not by the government itself, because it is the human rather than the bureaucracy that is safely definitive on this question. We should NEVER forget this.

Yes, also agree.

I would hope that most in this community would agree with all of the
above. What concrete set of things to do about it is the question...

My hope is that focusing on a few things helps:

* Ensure that one can prove things about yourself or others in a way that
is so broadly disseminated that "confiscating the original documents"
becomes something that cannot happen. That is, ensure broad
dissemination, true ownership, and consent over transmission of
digital credentials.

* Ensure that one can prove things about yourself at the proper level
of pseudonymity for the transaction. That is, no phone home, prove
things in zero knowledge, etc.

* Ensure that fundamental human rights are not centralized purely with
government bureaucracies. That is, enable a broad base of issuers and
many equivalent roots of trust.

I think the folks in this community endeavoring to standardize stuff
are actively working on at least the three items above, but at levels
that are frustratingly slow. We're putting a lot of effort into the
first bullet item, trying as hard as we can to move the second one
forward (but have been slowed by the painfully slow IETF CFRG review
process and a disinterest by a number of governments and private
industry in funding the work), and are missing a truly compelling
solution for the last item (though birth certificates and notaries do
provide for alternate, positive paths forward... alongside local
government agencies).

I don't expect any of this will reduce the feeling of concern about
proof of personhood and government intervention in that regard. I just
wanted to note that we are working on technologies that I hope align
more with addressing your concerns than ceding all authority on
human-ness to large and indifferent bureaucracies of any kind.

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
https://www.digitalbazaar.com/


-- 




Spherity GmbH <https://www.spherity.com/>  |  Emil-Figge-Straße 80  |  44227 Dortmund

LinkedIn <https://www.linkedin.com/company/spherity>  |  X <https://twitter.com/spherity>  |  YouTube <https://www.youtube.com/@spherity2407>

Managing Directors: Dr. Carsten Stöcker, Dr. Michael Rüther

Registered in Dortmund HRB 31566

Received on Sunday, 10 August 2025 14:10:40 UTC