Re: When Technical Standards Meet Geopolitical Reality

Where are the five key use cases? As I keep reading this excellent thread,
I’m reminded of the years of intense work we did on use-cases for DID and
VC. So much work! Did something go wrong or did the world change?

-Adrian

On Mon, Aug 11, 2025 at 10:03 AM Robin Wilton <wilton@isoc.org> wrote:

> Really good post. Will, thank you - and thanks also for including the
> hand-written notes, which add a whole other dimension!
> “Gradients of trust” are always a thing when we do something that’s
> mediated by someone/something else… and everything we do online is mediated
> by multiple “others”. I was sure I’d written about this some time ago, and
> sure enough, managed to find a copy of the 2005 (!) paper online, thanks to
> my amazing former colleague, Andrew “Pat” Patterson:
> https://blog.superpat.com/images/NotJustASpectatorSport.pdf
>
> I can personally chart a few data points from the evolution of this
> socio-technical topic over the last 29 (😳) years…
>
> 1996 - Visa and Mastercard convene a consortium of tech/trust companies to
> develop secure multi-party protocols based on X.509 certificates
> 1999 - the Identrus consortium starts to develop PKI-based infrastructure
> for secure multi-party payment transactions: they spent more than 50% of
> their efforts on defining the liability mechanisms, and less than 50% on
> the technical specs
> 2001 - the Liberty Alliance creates technical and business frameworks for
> federated identity and trustworthy assertions, built on SAML-based protocols
> 2009 - the Kantara Initiative adds the governance layer, developing a
> formalised assurance framework for federated identity infrastructures
>
> These are by no means the only workstreams over that period to focus on
> distributed trust architectures - for instance, Microsoft and IBM’s WS-Fed
> work parallels much of the Liberty Alliance, as did the development of
> U-Prove and Idemix, from the same companies - but it’s sobering to reflect
> how long it can take for this kind of innovation to diffuse to the extent
> of achieving critical mass, not just in adoption, but in understanding.
> (And thinking on “the diffusion of innovation” has been rumbling along for
> even longer! https://en.wikipedia.org/wiki/Diffusion_of_innovations.)
>
> Yrs,
> Robin
>
> Robin Wilton, Senior Director - Internet Trust
> wilton@isoc.org
>
> internetsociety.org | @internetsociety
>
>
>
> On 11 Aug 2025, at 13:30, Will Abramson <will@legreq.com> wrote:
>
> Thanks to everyone who has participated in this thread. I think it is a
> wonderful example of the CCG doing what it does best,
> a diversity of perspectives debating a gnarly topic whilst remaining civil
> and respectful. It is appreciated!
>
> I had been meaning to write something similar to what Tim is saying here
> ever since attending a session at the Global Digital Collaboration.
> Tim's email finally motivated me to do just that.
>
> I published it as a blog on my substack:
> https://www.wordsfromwip.com/p/trust-in-transition
>
> But I will also include the text in this email thread, because I
> appreciate the archival nature of the W3C mailing lists.
>
> Read wherever you prefer.
>
> Trust in Transition
> Reflecting on a powerful session at the Global Digital Collaboration
> conference in Geneva and an epic CCG email thread that has followed
>
> I have been meaning to write something up about a fantastic session I
> attended on Day 2
> of the GDC conference in Geneva, convened by Dr Emrys Schoemaker
> <https://caribou.global/people/emrys-schoemaker/> and Dr Margie
> Cheesman <https://about.me/cheesman>.
> The session was titled Trust in Transition and explored identity and
> systems of identification within the context of war, climate disasters
> and human migration. Critical conversations for our work at the Credentials
> Community Group and the wider community of technologists working on
> identity.
> The humanitarian sector is a sector where systems of identification are
> undoubtedly and justifiably required. It is also a sector with vastly
> imbalanced power dynamics where vulnerable humans far from home must
> subject themselves to the identification systems of a state or/and a
> multitude of non-governmental organisations (NGOs). Additionally, the
> humanitarian sector is vastly under-resourced and oversubscribed. Even
> conservative projections into the future must accept that these challenges
> are only going to be further exacerbated by our collapsing climate
> stability, wars around the world and the terrifying rise in authoritarian
> regimes we see today.
> Many of these NGOs were represented in the room for this session including the
> UN Refugee Agency (UNHCR) <https://www.unhcr.org/> and the International
> Federation of Red Cross and Red Crescent Societies (IFRC)
> <https://www.ifrc.org/>. State actors less so, although there were a few
> big hitters from for-profit organisations in the mix.
> I made a decision to attend this session because of Emrys of Caribou
> Digital. I have so much respect for him and the rest of the Caribou team.
> Throughout my PhD I read much of the research and case studies that they
> pushed out. In fact that research formed the backbone of one of my chapters
> in my thesis <https://napier-repository.worktribe.com/output/3050571>
> titled Identification Systems.
> Some of their content that remains highly relevant and that I cannot
> recommend highly enough are:
>
>    - The difference between digital identity, identification and ID
>    <https://medium.com/caribou-digital/the-difference-between-digital-identity-identification-and-id-41580bbb7563>
>    by Jonathan Donner precisely articulates the Caribou Digital style guide
>    for talking about identity in the digital age.
>    - The Identities Report <https://www.identitiesproject.com/report/>,
>    an excellent, detailed report produced by Caribou Digital as part of the
>    Identities Project. Stories of real people, with real experiences and real
>    challenges navigating systems of identification in the digital age. From
>    India to the world.
>
> These outputs, and many, many more are deep and insightful. They
> definitely helped to shape my thinking and perspectives of identity that
> continues to this day.
> Anyway, I was finally motivated to write these words after the latest round of
> responses on the CCG email thread - When Technical Standards Meet
> Geopolitical Reality - kicked off by Christopher Allen's call to action
> <https://lists.w3.org/Archives/Public/public-credentials/2025Jul/0082.html>
> and concerns of the direction our community and technologies seem to be
> being pulled in.
> I don't agree with everything Christopher is saying, but I agree with the
> sentiment and appreciate his voice and deep expertise in the space.
> Christopher's call to action kicked off a mammoth and fascinating email
> thread that really highlights the strengths and the heart of the
> Credentials Community Group. I am proud to be able to contribute to this
> community as one of its chairs during this time.
> The whole thread is worth a read, it contains a diversity of perspectives,
> personal lived experiences and well-informed opinions from many of the
> leaders in this space.
> The latest round of emails were in response to a series of blog
> <https://kyledenhartog.com/centralized-ssi/> posts by Kyle raising
> serious and thoughtful concerns about the centralization of power that
> these technical architectures for identification enable, especially when
> the focus is on *some authoritative* issuer issuing credentials to mere
> holders and subjects of identification systems.
> Over the weekend, after digesting Kyle's words for some time, Manu replied
> with an excellent summary
> <https://lists.w3.org/Archives/Public/public-credentials/2025Aug/0041.html>
> .
>
> If I had to summarize the core of your message, you're suggesting that
> we have over-optimized for large government issuers and have therefore
> further entrenched traditional power dynamics (that some in this
> community don't like). You are saying that when we identify use cases
> that we want to address, we need to focus on the power dynamics
> created by the solutions. Does it shift too much power and authority
> to the issuer, a guardian, the holder, or the verifier? You're
> suggesting that we need to explore architectures that don't
> over-optimize for the issuer, and then you used an example with age
> verification where we put the decision making power in the hands of a
> guardian (the parent) instead of the verifier (the website).
>
> ...
>
> What I was thinking that you and Christopher were saying was something
> along the lines of: Decentralized Identifiers are broken and we should
> abandon them. Verifiable Credentials are broken and we should abandon
> those too... and so on. When I think what you're saying is that we
> need to reevaluate how these primitives are put together into a
> functioning architecture; specifically, what credentials are issued by
> whom and who depends on those -- decentralize the issuers, if
> possible.
>
> A wonderful example of how in the heat of the moment we can mistakenly
> infer intentions. Sometimes pausing for breath and coming back with a
> considered response is far more fruitful. Manu is a master of this. It is
> worth reading his full email response
> <https://lists.w3.org/Archives/Public/public-credentials/2025Aug/0041.html>
> in full if you have the time.
> So as you might see this discussion on the imbalances of power felt highly
> relevant to the Trust in Transition session at GDC. Imbalances in power are
> a fact of the fabric of the societies that we live in today, but these
> imbalances can be, and are being, further entrenched by information
> technologies. And especially information technologies designed for the
> purposes of recognising, remembering and responding to people and things.
> Identity is powerful, just look at how it is wielded across the political
> spectrum.
> Not only that, information technologies are disrupting and
> disintermediating some of the institutions whose role in society has been
> to trust within the systems and activity across a domain which they
> oversee. This is the OG (original) way societies have scaled trust to meet
> the demands of increasingly complex fields of social activity. I tried to
> write something to this effect in an earlier email response
> <https://lists.w3.org/Archives/Public/public-credentials/2025Jul/0118.html>
> on this thread.
> Anyway, I digress.
> What finally tipped me into writing this piece was a response from Tim
> Bouma
> <https://lists.w3.org/Archives/Public/public-credentials/2025Aug/0046.html>
> over the weekend.
>
> Personally, I’ve come to the conclusion that we require a protocol where
> the core primitive is ‘issuance’ (signing) such that there is no privileged
> role of ‘issuer’ and/or ‘verifier’. Anyone using this so-called protocol,
> no matter how disadvantaged they might be, must be on equal footing with
> the strongest of users, namely government.
>
> As things stand now, the current protocols simply reinforce the status quo,
> and for the majority that’s ok, or don’t know anything differently. That’s
> also ok, for the current generation of solutions, but we need to start
> looking past that horizon.
>
> This reminded me of something I wrote in my notebook towards the end of
> the Trust in Transition session as we turned our attention towards the
> futures for the humanitarian sector in relation to identity systems.
> We were asked for our vision. Our aspirations.
> What paths are we trying to navigate towards?
> What futures are we striving to avoid?
> These hooks sparked a great conversation around the room. One that, as
> very much a guest in this space, I was mostly happy to listen to and
> digest. As a wise man once told me, seek first to understand then to
> integrate.
> I did have a vision to propose though. A vision that I attempted to
> articulate towards the end of the discussion. One less rooted in the
> current reality, more in the adjacent possible. It very much rhymes with
> what Tim shared on the email thread.
> Simply put: SIGN ALL THE THINGS.
> Individuals should be capable of being the source authority over the
> reality of their digital lives.
> My vision is one of accountability and intersubjectivity between humans
> and the systems which identify them and attempt to represent some facet or
> fragment of their identity. Humans should be able to understand the web of
> accountabilities between them and the systems that want to identify them.
> We have much work to go before this is a reality.
> However, unlike some voices on this thread, I still have hope. We are
> laying the foundations, refining the primitives and exploring the building
> blocks and their configurations.
> I firmly believe these components open up a whole new possibility space
> for designing, building and interacting with digital systems.
> It is a possibility space we are only just starting to explore.
> Sure, within that possibility space, over in some uninteresting corner, are
> all the same systems and approaches we know and dislike today. But that is
> tiny compared to what else might be possible.
> I think it will take imagination, creativity and courage to bring some of
> these possibilities into reality.
> It will also take compromise. In certain situations and sectors. The state
> isn't going away anytime soon. Like it or not, they are in a certain
> position of authority over some of the facts of our lives. In these cases
> we should look to gently nudge the framing, like Utah has done wonderfully.
> States endorse identity, they do not issue it.
> <https://le.utah.gov/~2025/bills/static/SB0260.html>
> No one can issue you your identity, and if anyone tries to tell you
> otherwise gently correct them and point to some facets of the multitude of
> identities that you contain.
> That is probably enough for now.
> I will close with an invitation and much encouragement to playfully
> explore the possibilities enabled by decentralized technologies like
> Decentralized Identifiers and the associated privacy-preserving
> cryptography primitives.
> New digital realms are possible. I firmly believe this.
>
> Thanks for reading,
> Best,
> Will
>
>
>
> On Sat, Aug 9, 2025 at 11:02 PM Tim Bouma <trbouma@gmail.com> wrote:
>
>> Personally, I’ve come to the conclusion that we require a protocol where
>> the core primitive is ‘issuance’ (signing) such that there is no privileged
>> role of ‘issuer’ and/or ‘verifier’. Anyone using this so-called protocol,
>> no matter how disadvantaged they might be, must be on equal footing with
>> the strongest of users, namely government.
>>
>> As things stand now, the current protocols simply reinforce the status
>> quo, and for the majority that’s ok, or don’t know anything differently.
>> That’s also ok, for the current generation of solutions, but we need to
>> start looking past that horizon.
>>
>> Tim
>>
>>
>> On Sat, Aug 9, 2025 at 5:50 PM Daniel Hardman <daniel.hardman@gmail.com>
>> wrote:
>>
>>> >> I would like to share an experience so that my strong words have some
>>> softening context.
>>> >I wanted to come back to this email, as it's been echo'ing in my head
>>>
>>> Thank you for the kind and thoughtful response, Manu.
>>>
>>> >> I think it is dangerous to build an ecosystem where proof of
>>> personhood is largely assumed to come from governments.
>>> >Yes, agreed; that should not be the only source, but I expect it will
>>> be a primary source for some time to come.
>>>
>>> I'd like to clarify my mental model, because there seems to be both
>>> important alignment and important divergence between mine and yours, Manu.
>>>
>>> Speaking of government, you used the phrase "be the only source". My
>>> language was similarly general "proof of personhood comes from". In a
>>> sense, it might seem that we're saying almost the same thing. But let me
>>> get more granular.
>>>
>>> I have no problem at all with the idea that a government-governed
>>> process should be the common/default "source" or where "proof of personhood
>>> comes from" -- in the near term or into the infinite future. My beef is
>>> with the easy conflation of "source" and "issuer". A government process can
>>> produce personhood evidence, but I don't want the identifier of the
>>> government to be used as the *issuer* of that evidence. EVER. Hard stop,
>>> exclamation point, non-negotiable human rights core principle that we don't
>>> stray from even in version 0.1 of a system. And I believe we can actually
>>> achieve and enforce this by being very careful with our definitions, which
>>> is why I'm trying to be so picky about language.
>>>
>>> On what basis could we maintain the distinction between "source" and
>>> "issuer"? In my mind, an acceptable process for issuing personhood evidence
>>> would be whatever the government designs, and could use whatever
>>> infrastructure the government provides -- but would result in issuance by a
>>> named human being who has a publicly known legal identity endorsed by that
>>> government for issuance of personhood credentials. This would make proof of
>>> personhood just like an adoption decree -- signed by an individual human
>>> judge who has delegated legal authority from the government -- NOT signed
>>> by "the government" as an impersonal bureaucracy.
>>>
>>> I also don't want any fields in a personhood credential to attest to any
>>> characteristics of legal identity, because legal identity characteristics
>>> are changeable, whereas humanity is not. Conflating the two is dangerous.
>>> The only fields that should exist in a personhood credential are various
>>> biometrics and metadata about the issuance/level of assurance. A government
>>> credential that attests to legal identity for a person is derivative of,
>>> not equivalent to, proof of personhood, and modeling it any other way is
>>> both a concept error and a human rights violation. It elevates government
>>> opinion about legal identity facts to a place those facts do not belong,
>>> which is on the level of human dignity.
>>>
>>> If we do it the way I'm recommending, then tribal elders or doulas in
>>> remote highlands somewhere naturally function as peers of judges, which is
>>> factually accurate, reasonable, just, and inclusive. The only difference
>>> between their evidence output is whether you like the governance -- again,
>>> factually accurate, reasonable, just, and inclusive. If, on the other hand,
>>> "the government" is the issuer of proof of personhood -- or if we have
>>> fields in the schema of such a credential that only governments can attest
>>> to -- we permanently prevent humans from becoming peers of institutions on
>>> the question of humanness.
>>>
>>> --Daniel
>>>
>>> On Sat, Aug 9, 2025 at 11:40 AM Manu Sporny <msporny@digitalbazaar.com>
>>> wrote:
>>>
>>>> On Sun, Jul 20, 2025 at 6:40 PM Daniel Hardman <
>>>> daniel.hardman@gmail.com> wrote:
>>>> > I would like to share an experience so that my strong words have some
>>>> softening context.
>>>>
>>>> I wanted to come back to this email, as it's been echo'ing in my head
>>>> for the past several weeks and I wanted to acknowledge the sharing of
>>>> a personal experience, thank Daniel for sharing it, and recognize
>>>> where Daniel is coming from... which is from one of many acutely human
>>>> experiences, which I hope is what we're all trying to improve with our
>>>> work.
>>>>
>>>> For those of you that might have visited countries where you show
>>>> your, or your child's, only form of international identification, only
>>>> to have (without warning) security personnel walk away with it or
>>>> suggest that they will keep it, is terrifying. The flush of
>>>> adrenaline; the heat on your face, hits you before you can process
>>>> what's going on. I'm sorry you had that experience, and I'm glad it
>>>> worked out in the end... and both you and I know it does not always
>>>> work out in the end.
>>>>
>>>> > How does this relate to personhood credentials? I think it is
>>>> dangerous to build an ecosystem where proof of personhood is largely
>>>> assumed to come from governments.
>>>>
>>>> Yes, agreed; that should not be the only source, but I expect it will
>>>> be a primary source for some time to come.
>>>>
>>>> > If we raise the stakes further -- governments now decide who the rest
>>>> of the world can/should believe is human (and thus worthy of human rights),
>>>> I think we are truly in scary territory.
>>>>
>>>> I agree.
>>>>
>>>> > Doctors or nurses who sign birth certificates should be able to
>>>> attest humanness. Tribal elders should be able to attest humanness.
>>>> Government vetting processes that prove humanness should be signed by a
>>>> human employee, not by the government itself, because it is the human
>>>> rather than the bureaucracy that is safely definitive on this question. We
>>>> should NEVER forget this.
>>>>
>>>> Yes, also agree.
>>>>
>>>> I would hope that most in this community would agree with all of the
>>>> above. What concrete set of things to do about it is the question...
>>>>
>>>> My hope is that focusing on a few things helps:
>>>>
>>>> * Ensure that one can prove things about yourself or others in a way that
>>>> is so broadly disseminated that "confiscating the original documents"
>>>> becomes something that cannot happen. That is, ensure broad
>>>> dissemination, true ownership, and consent over transmission of
>>>> digital credentials.
>>>>
>>>> * Ensure that one can prove things about yourself at the proper level
>>>> of pseudonymity for the transaction. That is, no phone home, prove
>>>> things in zero knowledge, etc.
>>>>
>>>> * Ensure that fundamental human rights are not centralized purely with
>>>> government bureaucracies. That is, enable a broad base of issuers and
>>>> many equivalent roots of trust.
>>>>
>>>> I think the folks in this community endeavoring to standardize stuff
>>>> are actively working on at least the three items above, but at levels
>>>> that are frustratingly slow. We're putting a lot of effort into the
>>>> first bullet item, trying as hard as we can to move the second one
>>>> forward (but have been slowed by the painfully slow IETF CFRG review
>>>> process and a disinterest by a number of governments and private
>>>> industry in funding the work), and are missing a truly compelling
>>>> solution for the last item (though birth certificates and notaries do
>>>> provide for alternate, positive paths forward... alongside local
>>>> government agencies).
>>>>
>>>> I don't expect any of this will reduce the feeling of concern about
>>>> proof of personhood and government intervention in that regard. I just
>>>> wanted to note that we are working on technologies that I hope align
>>>> more with addressing your concerns than ceding all authority on
>>>> human-ness to large and indifferent bureaucracies of any kind.
>>>>
>>>> -- manu
>>>>
>>>> --
>>>> Manu Sporny - https://www.linkedin.com/in/manusporny/
>>>> Founder/CEO - Digital Bazaar, Inc.
>>>> https://www.digitalbazaar.com/
>>>>
>>>
>

Received on Monday, 11 August 2025 14:19:03 UTC