- From: <steve.e.magennis@gmail.com>
- Date: Mon, 21 Jul 2025 17:31:15 -0700
- To: "'Christopher Allen'" <ChristopherA@lifewithalacrity.com>, "'Credentials Community Group'" <public-credentials@w3.org>
- Message-ID: <005e01dbfa9f$ef3036a0$cd90a3e0$@gmail.com>
Apologies for yelling out from the cheap seats after Christopher has so nicely and thoughtfully consolidated and landed this topic. I found this discussion compelling and insightful; unfortunately, I just wasn’t able to read it in depth until now. Going through the replies I tried to identify each of the different perspectives that were offered up to contextualize the problem space and set the stage for potential solutions and approaches. I failed after about a dozen which I think just goes to show the depth and richness of this topic.

From my perspective, the lens with which I found myself thinking about this was that of the Verifier. Personally, I want to believe that neither the Issuer, Holder, or Verifier role is inherently or should inherently be subordinate to any other. I also suspect in practice this is probably not the case and is likely to ebb and flow across use case and time. That said, from the perspective of a verifier, it is ultimately their role to determine what credential is valuable and which issuers they trust or don’t trust. A government may insist that a verifier bend to their will in determining the usefulness of a credential or a legal system may provide assurances to a verifier that a particular type or source of a credential is safe to use. Either way these are forces that exist outside of the credential architecture as this community generally defines it.

The broader ‘ecosystem’ in which we hope the designs will be used is another story entirely which is why I think it is great that these discussions take place with input that includes not just technical plumbing but perspectives on how the tech is likely to interact with legal issues, societal issues, financial issues, personal motivations, institutions, etc.

-S

From: Christopher Allen <ChristopherA@lifewithalacrity.com>
Sent: Monday, July 21, 2025 12:29 AM
To: Credentials Community Group <public-credentials@w3.org>
Subject: Re: When Technical Standards Meet Geopolitical Reality

Thank you all for the thoughtful engagement with my "Musings of a Trust Architect" post. With over 58 replies between this thread (https://lists.w3.org/Archives/Public/public-credentials/2025Jul/0082.html) and Adrian Gropper's "De-platforming humans" sub-thread (https://lists.w3.org/Archives/Public/public-credentials/2025Jul/0095.html), the depth and variety of perspectives demonstrates why this community remains essential to the future of digital identity infrastructure.

I want to highlight additional responses that emerged beyond this list:

* Carsten Stöcker's detailed "Cyber Storm Rising: Designing for the Warzone" (https://medium.com/@cstoecker/cyber-storm-rising-designing-for-the-warzone-ba83440d8cfe)
* Jaromil's analysis on "Privacy in EUDI" (https://news.dyne.org/privacy-in-eudi/)
* Various technical perspectives shared in Signal groups and other forums

What strikes me most about our discussion is what we're not talking about - alternative models where the fundamental relationships are different. I'm particularly interested in approaches where governments explicitly reject the issuer role.

Utah's new SSI law offers a compelling counterexample to prevailing narratives. Their statute (§ 63A-16-1202(1)(b)/(c)) clearly states that "the state does not establish an individual's identity" and instead "the state may, in certain circumstances, recognize and endorse an individual's identity." For details, see: https://blog.spruceid.com/utahs-digital-id-law-sb260-is-the-new-frontier-for-user-controlled-identity/

This represents a fundamental architectural difference. Rather than government-as-issuer or platform-as-mediator, Utah positions the state as a recognizer of identity claims made by individuals themselves.
This aligns more closely with the original vision of self-sovereign identity - where the individual is the root of trust, not merely a recipient of credentials from authorities.

The tension between Daniel's human rights framework and Manu's pragmatic incrementalism might find resolution in such alternative models. Kyle's concerns about "hierarchical centralization of issuance" become less pressing when the state explicitly disclaims the issuer role. Carsten's cybersecurity imperatives for resilient infrastructure could be better served by systems that don't create single points of failure or control.

As Will noted, advanced privacy-preserving cryptography is becoming practical. But the question remains: will we deploy it in service of human autonomy or platform efficiency? The Utah model suggests there are unexplored paths between the purist and pragmatist positions.

I'm working on a longer exploration of these alternative architectures - examining not just technical standards but the legal and institutional frameworks that either invert or preserve human agency in digital systems. This includes both building new models AND advocating for policy constraints on existing power structures.

For those interested in the policy side, see "Building a Trustworthy Digital Future - Digital Identity in the Land of the Free," a white paper I contributed to on preserving individual agency in digital systems: https://www.btcpolicy.org/articles/building-a-trustworthy-digital-future-digital-identity-in-the-land-of-the-free

Beyond the recognizer model, patterns are emerging around:

* Duties under Agency Law for those holding digital personal identity data (based on principles of bailment, entrustment, or even fiduciary responsibility in cases like Apple and Google), such as duties to resolve problems, preserve access, and act in users' best interests.
* Human-scale coordination systems that sidestep the platform/government binary
* Exit rights that preserve actual data and relationships, not just the theoretical ability to leave
* Community-based verification that doesn't require hierarchical trust anchors
* Infrastructure explicitly designed to resist capture by limiting what power can accumulate

The conversations here have sharpened my thinking considerably, particularly around how architectural choices encode power relationships that legal frameworks alone cannot remedy.

Thank you again for engaging so substantively. These discussions matter because, as our community knows well, architecture is politics - and the architectures we build today will shape the politics of tomorrow.

--
Christopher Allen
Blockchain Commons

P.S. For those interested in following the broader conversation, I'll maintain additional links and discussions with a synopsis of each at the bottom of the original post: https://www.blockchaincommons.com/musings/gdc25/

Received on Tuesday, 22 July 2025 00:31:22 UTC