Identosphere 228: May SSI News • W3C AI Agent CG • W3C VC 2.0 Final Spec
Infominer has moved on to new opportunities. The publication paused for a few months; this is a catch-up post covering Decentralized and Self-Sovereign Identity news for May 2025.
AI and Identity
[W3C] AI Agent Protocol Community Group
The mission of the AI Agent Protocol Community Group is to develop open, interoperable protocols that enable AI agents to discover, identify, and collaborate efficiently across the Web. As AI agents increasingly participate in Web-based activities, there is a growing need for standardized mechanisms to support secure, reliable, and scalable interactions.
MCP is RSS for AI
MCP’s simplicity means that, like RSS autodiscovery and OpenSearch, it’s the kind of thing that can catch on quickly and deliver powerful leverage. Because MCP pipes JSON-RPC over stdio you can talk to a server by just echoing commands to it, and that’s how I always want to interact with simple protocols in order to grok how they work.
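To make the "echo commands to it" point concrete, here is an added example (not from the post above or from any MCP implementation): a minimal JSON-RPC 2.0 server that reads one request per line from stdin and answers on stdout. The method names ping, tools/list and tools/call and the result shape are MCP-style but constructed for the demo; the standard JSON-RPC error codes (-32700, -32600, -32601, -32602) are real. The defender's point it shows is that the envelope (jsonrpc version, method type, id, params shape) is validated before anything is dispatched, and that notifications (no id) never get a reply.

```python
import json
import sys

# Standard JSON-RPC 2.0 error codes.
PARSE_ERROR = -32700
INVALID_REQUEST = -32600
METHOD_NOT_FOUND = -32601
INVALID_PARAMS = -32602

# Constructed tool catalogue for the demo; MCP-style shape, not a real MCP server.
TOOLS = [{"name": "echo", "description": "Return the given text unchanged"}]


def rpc_ping(params):
    return {}


def rpc_tools_list(params):
    return {"tools": TOOLS}


def rpc_tools_call(params):
    # Only the constructed "echo" tool exists; everything else is an invalid call.
    if not isinstance(params, dict) or params.get("name") != "echo":
        raise ValueError("unknown tool")
    args = params.get("arguments")
    if not isinstance(args, dict) or not isinstance(args.get("text"), str):
        raise ValueError("arguments.text must be a string")
    return {"content": [{"type": "text", "text": args["text"]}]}


METHODS = {"ping": rpc_ping, "tools/list": rpc_tools_list, "tools/call": rpc_tools_call}


def _error(req_id, code, message):
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}


def handle_request(line):
    """Handle one line of input. Returns a response dict, or None for a notification."""
    try:
        msg = json.loads(line)
    except ValueError:
        return _error(None, PARSE_ERROR, "Parse error")
    # Envelope checks come first: version, method type, and an id that is str/int/null.
    if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0" \
            or not isinstance(msg.get("method"), str) \
            or ("id" in msg and msg["id"] is not None and not isinstance(msg["id"], (str, int))):
        return _error(None, INVALID_REQUEST, "Invalid Request")
    is_notification = "id" not in msg
    req_id = msg.get("id")
    handler = METHODS.get(msg["method"])
    if handler is None:
        return None if is_notification else _error(req_id, METHOD_NOT_FOUND, "Method not found")
    try:
        result = handler(msg.get("params"))
    except ValueError as exc:
        return None if is_notification else _error(req_id, INVALID_PARAMS, str(exc))
    return None if is_notification else {"jsonrpc": "2.0", "id": req_id, "result": result}


def serve(stdin=sys.stdin, stdout=sys.stdout):
    """Line-oriented stdio loop: one JSON-RPC message in, at most one message out."""
    for line in stdin:
        line = line.strip()
        if not line:
            continue
        response = handle_request(line)
        if response is not None:
            stdout.write(json.dumps(response) + "\n")
            stdout.flush()


if __name__ == "__main__":
    serve()
```

Saved as rpc_server.py, it can be driven exactly the way the post describes: echo '{"jsonrpc":"2.0","id":1,"method":"tools/list"}' | python3 rpc_server.py prints the tool list, and a malformed line gets a -32700 response instead of a crash.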
Tangled Tokens and Authorized Agents
This work is bringing to light some of the limitations and assumptions of the OAuth protocol. Some of these are solved by things that we built into GNAP, especially the notion of ephemeral clients, but even with GNAP it’s not a simple world.
There are many questions still left to be answered, but I, for one, am excited that they’re being asked and discussed right now. I look forward to being part of the conversation, and I hope you can join in. Maybe we’ll even invite the bots to help.
DIF at EIC 2025: Advancing Digital Identity at the Crossroads of AI and Self-Sovereignty
The Philosophy Behind Standards: Values in Digital Identity. Markus Sabadello, CEO of Danube Tech and DIF Steering Committee member, delivered a compelling talk examining the philosophical underpinnings of digital identity standards.
In his talk "Private Personal AI and Verified Identity for AI Agents", Alastair Johnson (CEO of Nuggets) explored the challenges of implementing truly private personal AI that protects user sovereignty while creating verifiable identities for AI agents.
Richard Esplin, Head of Product at Dock, presented "Biometrics and Verifiable Credentials: Balancing Security and Privacy," addressing the challenges biometric providers face as regulations become stricter. Esplin shared best practices for integrating biometrics with verifiable credentials without undermining privacy and flexibility.
AI News
The Pulse #134: Stack overflow is almost dead [Because of GenAI]
RSAC 2025: AI is Everywhere. Trust? Not So Much.
Identity is fragmenting fast: Humans, bots, APIs, and AI agents now live in parallel – each with its own lifecycle, permissions, and risks. Traditional IAM isn’t cutting it. Identity Security was one of the main themes, but few people outside of the identity bubble can properly define it. NHIs are taking over the world (hopefully not in the literal sense). Folks by and large understand that identity is key, and are paying increased attention, especially to delegated authorization, agent-specific policy enforcement, and fine-grained data access controls.
‘Unethical’ AI Study Reveals Terrifying New Threat to All Digital Discourse
Researchers at the University of Zurich have been formally reprimanded by the university after not disclosing their use of AI in a fascinating and scarily conclusive study:
AI can change people’s minds 6X more effectively than humans can.
Bots now make up nearly half of all internet traffic globally. Half! That doesn’t tell us how much of social media is bots, however, but it’s likely close to that.
Real World Deployment
Understanding Swiss eID: Future of Digital Identity
We recently hosted an insightful webinar on the Swiss eID, featuring Rolf Rauschenbach (Deputy Head of the eID Department in Switzerland), Michael Doujak, (Product Manager at Ergon) and Karim Nemr (Chief Business Officer at PXL Vision). In this article, we will summarise the most important information from the webinar.
Infosys Boosts Efficiency, Security, and Privacy of Credential Verification with Hyperledger Indy and ACA-Py
Infosys transformed its internal employee training platform Lex from issuing simple electronic badges to creating blockchain-based Verifiable Credentials (VCs) using Hyperledger Indy and ACA-Py frameworks to solve verification challenges for its 300,000+ employees. The new system automatically generates cryptographically signed, tamper-proof credentials when employees complete courses, which they can store in digital wallets and share securely through a public verification portal while maintaining control over their data through Self-Sovereign Identity (SSI) technology. This solution not only improves trust and security for internal credentialing but also has broader applications for verifying professional qualifications across industries like oil and gas, manufacturing, and government licensing.
(Algorand) Using Blockchain-Based Digital Identity & Verifiable Credentials for Chess
With this new whitepaper, we present the chess community with yet another opportunity to demonstrate what is possible with cutting-edge technology – all while improving the user experience of the chess ecosystem in the process.
Five Million Italian Digital Wallet Users
My friend Giuseppe De Marco shared the article “Documenti su IO: 5 milioni di attivazioni per IT-Wallet” with me about how five million people are now using the Italian digital wallet. It adds the information that 4.3 million health cards, 4 million driver’s licenses and 100,000 European Disability Cards have been issued to those wallets. These are significant accomplishments!
Decentralized Identity Standards News
W3C Verifiable Credentials 2.0 Specifications are Now Standards
As announced by the W3C, the Verifiable Credentials 2.0 family of specifications is now a W3C Recommendation. The new W3C Recommendations that I was an editor for are:
From ToIP
The C2PA Conformance Program, Scott Perry
Facing a critical need to operationalize and govern this specification to ensure market trust and adoption, the C2PA has adopted the ToIP governance metamodel. This framework provides the necessary structure to establish a conformance program, define roles and responsibilities, manage risks, and create trust lists for compliant products and certification authorities. The program is set to officially launch on June 4th, initially focusing on self-assertion for conformance and introducing two levels of implementation assurance, with plans for independent attestation and higher assurance levels in the future.
Agri-food Data Canada – Carly Huitema
This briefing document summarizes a presentation about Agri-food Data Canada’s Semantic Engine, a suite of tools designed to enhance research data management in the agri-food sector by making data Findable, Accessible, Interoperable, and Reusable (FAIR). A central focus is the use of machine-readable data schemas authored with the Overlays Capture Architecture (OCA) standard, which is highlighted for its use of derived identifiers (digests) over traditional assigned identifiers for improved reproducibility and authenticity.
Richard Whitt, GliaNet: Bringing Trust-Based Human Governance to the Web
Introducing GliaNet - Bringing trust-based human governance to the Web
An exploration of how Web companies can instantiate fiduciary duties of care and loyalty into successful business models
Figuring it out
So you want to use Digital Credentials? You’re now facing a myriad of choices!
I then upped the ante by talking about the criticality of usability, the challenges of building ecosystems (something Andrew Nash first explained to me most of two decades ago!), and how digital credentials are not an end in and of themselves; they’re a tool to help us solve real-world problems.
Mocking [Phone Home] Surveillance (Timothy Ruff)
So if you care about digital identity, you love privacy and liberty, and you loathe tracking and surveillance, The Phone Home Song is for you… Link to song: https://youtube.com/shorts/9XvsHoZjBHI
Self-Sovereign Identity: Key to Secure Student Credentials in Europe
Self-Sovereign Identity is emerging as a critical solution for Europe’s education sector, just as its traditional credentialing systems begin to show their age. European education is evolving fast, but its credentialing systems are stuck in the past. Universities, employers, and governments are still relying on centralized platforms and manual checks to verify qualifications. This outdated approach is opening the door to fraud, delays, and privacy risks.
TrustED advances in self-sovereign identity development and enhances European digital privacy
The 10 European partners of TRUSTED (Enabling Trustworthy European Data Spaces through Self-Sovereign Identity and Privacy Preserving Technologies) are meeting in Istanbul for the first time in person since the project began, to assess the initial six months of progress and map out the path ahead. This European alliance, led by Gradiant, focuses on strengthening data protection protocols.
10 years is a Long Time Dept. Congratulations
Ten Years of JSON Web Token (JWT) and Preparing for the Future
Ten years ago this week, in May 2015, the JSON Web Token (JWT) became RFC 7519. This was the culmination of a 4.5 year journey to create a simple JSON-based security token format and underlying JSON-based cryptographic standards.
Essential Moments in the OAuth and OpenID Connect Timeline
OpenID Federation Interop Event at SUNET in Stockholm
At the end of April, I had the privilege of gathering in Stockholm with 30 participants to perform interoperability testing among 14 different OpenID Federation implementations. Leif Johansson and SUNET were fabulous hosts for the meeting at their offices in Stockholm. People from 15 countries participated, coming from as far as Australia and New Zealand! We performed eight different classes of tests between the implementations plus tested the OpenID Certification tests being developed for OpenID Federation.
Fully-Specified Algorithms Specification Addressing IESG Feedback
Orie Steele and I have updated the “Fully-Specified Algorithms for JOSE and COSE” specification to address feedback received through directorate reviews and from Internet Engineering Steering Group (IESG) members. This prepares us for consideration of the specification by the IESG during its “telechat” on Thursday. This is an important milestone towards progressing the specification to become an RFC.
Fully-Specified Algorithms are now the Law of the Land
I’m thrilled to be able to report that, from now on, only fully-specified algorithms will be registered for JOSE and COSE. Furthermore, fully-specified signature algorithms are now registered to replace the previously registered polymorphic algorithms, which are now deprecated. For example, you can now use Ed25519 and Ed448 instead of the ambiguous EdDSA.
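An added example (not from the post or from any JOSE library) of what "fully-specified" buys a verifier in practice: with alg "Ed25519" the header alone determines the curve, so a verifier can reject a token whose key does not match the algorithm before any signature check. The policy below parses a compact JWS header, refuses the deprecated polymorphic "EdDSA" name, and checks the JWK's kty/crv against the algorithm. The key-parameter table uses the standard JWA/RFC 8037 values; the sample token and key are constructed, and no cryptographic verification is performed here, only the header/key policy that should run before it.

```python
import base64
import json

# Polymorphic names that are now deprecated, mapped to the fully-specified replacements.
DEPRECATED_POLYMORPHIC = {"EdDSA": ("Ed25519", "Ed448")}

# Allowed fully-specified signature algorithms and the key each one requires
# (kty/crv values as registered in the JWA/RFC 8037 JWK parameters).
EXPECTED_KEY = {
    "Ed25519": ("OKP", "Ed25519"),
    "Ed448": ("OKP", "Ed448"),
    "ES256": ("EC", "P-256"),
    "ES384": ("EC", "P-384"),
    "ES512": ("EC", "P-521"),
}


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def check_jws_header(compact_jws, jwk):
    """Return (ok, reason). Enforces the alg policy and alg/key consistency only."""
    parts = compact_jws.split(".")
    if len(parts) != 3:
        return False, "not a compact JWS"
    try:
        header = json.loads(b64url_decode(parts[0]))
    except (ValueError, json.JSONDecodeError):
        return False, "unparseable protected header"
    alg = header.get("alg")
    if alg in DEPRECATED_POLYMORPHIC:
        replacements = ", ".join(DEPRECATED_POLYMORPHIC[alg])
        return False, f"alg {alg} is polymorphic and deprecated; use {replacements}"
    if alg not in EXPECTED_KEY:
        return False, f"alg {alg!r} is not an allowed fully-specified algorithm"
    kty, crv = EXPECTED_KEY[alg]
    if jwk.get("kty") != kty or jwk.get("crv") != crv:
        return False, f"alg {alg} requires a {kty}/{crv} key, got {jwk.get('kty')}/{jwk.get('crv')}"
    return True, "ok"


def sample_jws(alg):
    """Constructed compact JWS with a placeholder signature, for exercising the policy."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"sub": "example-subject"}).encode())
    return f"{header}.{payload}.{b64url_encode(b'placeholder-signature')}"


# Constructed keys: the 'x' values are placeholders, not real public keys.
ED25519_KEY = {"kty": "OKP", "crv": "Ed25519", "x": "placeholder"}
ED448_KEY = {"kty": "OKP", "crv": "Ed448", "x": "placeholder"}
```

Wiring this in front of the signature check means an "EdDSA" token is refused with a message naming the replacement, and an "Ed25519" token presented with an Ed448 key never reaches the verifier at all.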
Phil is leaving AWS
Leaving AWS
So, what’s next? I’m not retired—but for now, my time is my own. I’m working on a book for Manning about authorization, a topic that’s increasingly critical as digital systems become more interconnected and identity-aware. I’m also staying engaged with the identity community through the Internet Identity Workshop (IIW), which continues to be a wellspring of innovation and collaboration.
Legislative Progress
Internet Safety Labs Provides Testimony in Support of LD 1822, An Act to Enact the Maine Online Data Privacy Act
Internet Safety Labs’ Executive Director Lisa LeVasseur testified before the Maine Judiciary Committee in support of LD 1822, the Maine Online Data Privacy Act, while highlighting concerns. Informed by ISL’s 2022 K-12 Edtech safety benchmark and ongoing research, our testimony underscores the need to curb widespread commercial surveillance and risky data practices.
Research
IOTA-Assisted Self-Sovereign Identity Framework for Decentralized Authentication and Secure Data Sharing
This paper introduces ISIF (IOTA-Assisted Self-Sovereign Identity Framework), a decentralized authentication protocol that addresses the scalability and centralization limitations of traditional PKI systems in IoT environments by using Self-Sovereign Identity principles, Decentralized Identifiers (DIDs), and Verifiable Credentials (VCs) managed through the IOTA Tangle distributed ledger. Experimental results demonstrate that ISIF maintains efficient performance even as network size scales from 50 to 250 nodes, with DID generation times increasing from 1.85 ms to 10.81 ms and overall end-to-end delays remaining low (0.16–0.33 ms), confirming its feasibility for large-scale IoT authentication without performance degradation.
The Right to (Digital) Identity Sarah M. Snow in Fordham Intellectual Property, Media and Entertainment Law Journal
This Note argues that the ability to prove one’s identity is a protected interest. It proposes adoption of a federal Self-Sovereign Identity (SSI) as a legal and technological mechanism to guarantee all Americans have access to a legally recognizable identity.
In its comprehensive analysis, this Note demonstrates that the need for secure, inclusive access to a legally recognizable identity is not only necessary to combat systemic inequity, but also to safeguard the exercise of fundamental rights.
A Self-Sovereign Identity based on Zero-Knowledge Proof and blockchain
This research proposes a new Self-Sovereign Identity (SSI) system that uses two Zero-Knowledge Proof protocols based on discrete logarithm difficulty to create secure, decentralized digital identities while addressing key reuse problems found in existing protocols. The system enables users to prove their identity to service providers without revealing any personal information and complies with European regulations like eIDAS and GDPR by minimizing data disclosure to trusted third parties.
Compact and Selective Disclosure for Verifiable Credentials
This paper proposes a novel mechanism designed to achieve Compact and Selective Disclosure for VCs (CSD-JWT). Our method leverages a cryptographic accumulator to encode claims within a credential to a unique, compact representation. We implemented CSD-JWT as an open-source solution and extensively evaluated its performance under various conditions. CSD-JWT provides significant memory savings, reducing usage by up to 46% compared to the state-of-the-art.
A Systematic Review of Identity and Access Management Requirements in Enterprises and Potential Contributions of Self-Sovereign Identity
Next Generation Authentication for Data Spaces: An Authentication Flow Based On Grant Negotiation And Authorization Protocol For Verifiable Presentations (GNAP4VP)
The paper provides a detailed technical design, outlining the implementation considerations, and demonstrating how the proposed flows guarantee verifiable, secure, and efficient interactions between participants. This work contributes towards the establishment of a more trustworthy and sovereign digital infrastructure, in alignment with emerging European data governance initiatives.