The State of Security Industry Standards: An Update From the World Wide Web Consortium

On Feb. 11, 2025, the Security Industry Association (SIA) Standards Committee hosted a webinar on the state of security industry standards. In a discussion moderated by SIA Standards Committee Chair Peter Boriskin (chief technology officer at ASSA ABLOY Opening Solutions, experts from SIA and fellow industry-related standards development organizations (SDOs) highlighted their most recent developments. Here, two leaders from the World Wide Web Consortium (W3C) share updates on the organization’s standards initiatives.

Pierre-Antoine Champin, Data Strategist, W3C:

Credentials are a part of our daily lives: driver’s licenses are used to assert we are capable of operating vehicles, university degrees can be used to assert our level of education and government-issued passports enable us to travel between countries. The family of recommendations for verifiable credentials provides a mechanism to express these sorts of credentials on the web in a way that is cryptographically secure, privacy respecting and machine verifiable.

The Verifiable Credentials Data Model v2.0 specification, which defines the core concepts that all other specifications depend on, plays a central role. The model is defined in abstract terms, and applications express their specific credentials using a serialization of the data model. The current specifications mostly use a JSON serialization; the community may develop other serializations in the future.

When Verifiable Credentials are serialized in JSON, it is important to trust that the structure of a Credential may be interpreted in a consistent manner by all participants in the verifiable credential ecosystem. The Verifiable Credentials JSON Schema Specification defines how JSON-SCHEMA can be used for that purpose.

Credentials can be secured using two different mechanisms: enveloping proofs or embedded proofs. In both cases, a Credential is cryptographically secured by a proof (for example, using digital signatures). In the enveloping case, the proof wraps around the Credential, whereas embedded proofs are included in the serialization, alongside the Credential itself.

A family of enveloping proofs is defined in the Securing Verifiable Credentials using JOSE and COSE document, relying on technologies defined by the IETF. Other types of enveloping proofs may be specified by the community.

The general structure for embedded proofs is defined in a separate Verifiable Credential Data Integrity 1.0 specification. Furthermore, the Working Group also specifies some instances of this general structure in the form of the “cryptosuites”: Data Integrity EdDSA Cryptosuites v1.0, Data Integrity ECDSA Cryptosuites v1.0, and Data Integrity BBS Cryptosuites v1.0. Other cryptosuites may be specified by the community.

The Bitstring Status List v1.0 specification defines a privacy-preserving, space-efficient, and high-performance mechanism for publishing the status of a specific Verifiable Credential, such as its suspension or revocation, through the use of bitstrings.

Finally, the Controlled Identifiers v1.0 specification defines some common terms (e.g., verification relationships and methods) that are used not only by other Verifiable Credential specifications, but also other Recommendations such as Decentralized Identifiers (DIDs) v1.0.

Harrison Tang, CEO of Spokeo and Co-Chair of the W3C Credentials Community Group (CCG):

The W3C CCG is a community group under World Wide Web Consortium that incubates open digital identity standards such as Verifiable Credentials, Decentralized Identifiers, secure data storage, identity wallet protocols and more. Here is a summary of the group’s latest progress and upcoming milestones:

• The Verifiable Credentials API supports issuance, verification, presentation and status modification and is used in production deployments like TruAge and the California Department of Motor Vehicles/OpenCred. The CCG plans to propose this for the standards track in Q2 of 2025.
• The Verifiable Credentials Test Suites have been expanded with new implementations and cryptographic suites (ECDSA, EdDSA, BBS). New contributors include Digital Bazaar, SpruceID and Procivis One Core.
• The Quantum-Safe Digital Integrity Signature Suite implements postquantum cryptographic methods ML-DSA-44 and Dilithium2. Prototype sign/verify microservices have been developed, running on AWS EC2+S2. Future developments include multikey support, data integrity and API test suite.
• Verifiable Credentials Traceability: The CCG published Traceability Vocabulary v1.0 and Traceability Interoperability v1.0.
• The Verifiable Credentials Render Method is a secure way for issuers to convey how they want their verifiable credentials displayed. The CCG conducted production deployments in Singapore for Open Attestation Renderer, and standardization is expected by Q2 2025.
• Verifiable Credential Barcodes improve cryptographic security for physical credentials and uses ecdsa-xi cryptosuite for digital signing of verifiable credentials and optically readable data. Implementations are in progress, with production use at the California DMV and the U.S. Department of Homeland Security and a planned proposal for the standard track in Q2 2025.
• Verifiable Issuers and Verifiers: The group is developing a standardized data model based on ETSI eIDAS v1 trust lists, with the first version expected by December 2025.
• DID-Linked Resources link digital files to decentralized identifiers and support status lists, trust registries and schemas. The CCG has published a draft specification.

Read more highlights from the State of Industry Standards webinar and watch the video here.

The views and opinions expressed in guest posts and/or profiles are those of the authors or sources and do not necessarily reflect the official policy or position of the Security Industry Association (SIA).