Title: How 7Block Labs Is Tackling Decentralized Identity Security

That annoying technical issue you’re probably dealing with right now.

• So, you need to set up a decentralized identity system that meets SOC 2 controls and NIST SP 800-63 assurance levels. It sounds a bit overwhelming with all the jargon, right? The protocol options out there, like W3C VCDM 2, can feel like a real alphabet soup sometimes! It feels like the landscape is constantly changing, right? With all these things like OIDC4VCI, OID4VP, SD-JWT VC, StatusList2021, and various DID methods, it can be tough to keep up, especially as mobile platforms keep evolving. It's like trying to hit a moving target! Hey there! Just a heads up--Android has started natively handling OpenID4VCI/4VP through its Credential Manager. If you want to keep a smooth user experience and maintain good relationships with your partners, it’s definitely something you’ll want to include in your plans. Ignoring it could really mess things up! (android-developers.googleblog.com).
• Procurement is looking for a timeline that matches up with eIDAS 2. Hey there! So, here’s the scoop: by the end of 2026, all EU countries need to roll out their own digital wallets and also be cool with accepting wallets from other countries. Pretty interesting move, right? It looks like your current KYC vendor APIs and SSO setups aren't really set up to handle verifiable credentials or zero-knowledge proofs. This could put you at risk for non-compliance, especially for your subsidiaries in the EU. It might be worth looking into some updates to avoid any headaches down the line! (consilium.europa.eu). There’s definitely a divide in engineering when it comes to on-chain versus off-chain stuff. Some teams are all about those Solidity-based “soulbound” attestations, while others are leaning towards W3C/OIDC credentials that offer selective disclosure (you know, the SD-JWT VC kind). It’s interesting to see the different preferences out there! In the meantime, Ethereum rolled out its Pectra upgrade, which brought some shifts in cost and performance. We got the BLS12‑381 precompiles, plus there were some updates to how calldata pricing works. However, it seems like no one has taken the time to update the cost models for ZK verifications since then. (blog.ethereum.org).
• Wallet confusion: So, Sign-In with Ethereum (SIWE) is great for externally owned accounts (EOAs), but it can get tricky with smart contract wallets. If you want it to work there, you'll need to implement ERC‑1271. And if you're dealing with counterfactual accounts, you might even have to throw in ERC‑6492 too. Your authentication gateway won't be able to securely verify signatures on both sides without some custom logic and regular audits. (eips.ethereum.org).

Agitation--What's at stake if you decide to delay things for another quarter? If you miss those eIDAS/EUDI deadlines, you're going to have to go back and redo those processes later, and trust me, it won’t be a walk in the park with the auditors breathing down your neck. So, here’s the deal: when procurement delays happen, they can totally affect revenue down the line. Lately, we’ve noticed that partner requests for proposals (RFPs) are increasingly requiring support for OpenID4VCI and OID4VP, along with the need to check the status of verification credentials--like whether they’ve been revoked or suspended. Android has already rolled out its verifier/holder APIs, which means competitors can easily integrate them once and then use them everywhere. How cool is that? (android-developers.googleblog.com). Let’s talk about governance and those tricky SOC 2 gaps. If you're not aligning your approach with the NIST SP 800-63-4 guidelines (which are set to be finalized around July to August 2025), you're going to struggle when it comes to demonstrating your choices for Identity Assurance Levels (IAL), Authentication Assurance Levels (AAL), and Federation Assurance Levels (FAL). Plus, it’ll be tough to show that you’ve set up the right fraud controls and that you’re managing biometric and machine learning risks effectively. These are the types of issues that often trip people up with modern identity systems and result in those pesky SOC 2 exceptions. (pages.nist.gov). So, here's the deal: after the whole Pectra EIP-7623 thing, the cost for calldata has really shot up. Plus, if you're just going the easy route with on-chain ZK verification, you're totally missing out on the new BLS12-381 precompiles and the MSM precompiles. It's definitely something to keep in mind! So, when you're running a Groth16 verify on BN254, it typically costs around 181k gas just for the pairings and some scaffolding. But here’s the kicker: if you’re doing a lot of high-queries-per-second checks, those costs can really add up quickly, especially if you don’t batch your processes or switch to off-chain proof verification while keeping just a few key anchors on-chain. (eip.directory).

• Crypto agility update: We’ve officially standardized PQC with ML‑KEM, ML‑DSA, and SLH‑DSA! If your system for issuing and verifying keys isn’t set up to regularly rotate keys and handle hybrid suites, you might end up facing unexpected costs when audits roll around or when you’re going through government procurement. (nist.gov).

The solution? Well, it’s all about 7Block Labs and their complete approach. They make sure to deliver everything right on schedule and ensure it passes all the necessary audits. Pretty solid, right?

So, here’s the plan: we’re kicking things off with a pilot phase that lasts about 90 days. After that, we’ll roll things out more broadly over the next 180 to 270 days. Sound good?

1. Start with standards for issuing and verifying things.

• Data models and protocols:
• The W3C's Verifiable Credentials Data Model version 2. You’ve got data that's been updated until October 2023. We treat v2. 0 serves as the standard or main layout for the schema. (w3.org). So, we're diving into OpenID for Verifiable Credential Issuance, or OIDC4VCI for short. This is the first step in understanding how it all works! Final version approved on September 16, 2025. OpenID for Verifiable Presentations (OID4VP) is making great progress and is now in the final stages. It's also working smoothly with Android's Credential Manager, which is pretty exciting! (openid.net). We're working with SD-JWT (RFC 9901) to make selective disclosure easier, and we've got some drafts for SD-JWT VCs to help JWT-native systems smoothly integrate VCs. If your setup leans toward JSON-LD Data Integrity, we’ve got your back there too! (rfc-editor.org).
• Revocation/suspension at scale:
• StatusList2021: Bitstring Status List, version 1. To keep things from getting tangled up with individual credentials, using bitstrings that are hosted by the issuer and cached on a CDN allows for quick status checks with minimal delay. (w3.org).
• DID method selection: If you want to quickly get your enterprise up and running, check out did:web. It’s great for situations where you already have control over your TLS and DNS. On the other hand, if you’re looking for a way to have ledger independence and want to handle a lot of writes, give did:ion a shot. It’s built on Sidetree and Bitcoin, making it a solid choice for those specific needs. We keep track of the tradeoffs, like how much control we have over operations, the time it takes to switch things around, and how accessible the registry is. (w3c-ccg.github.io).
• Delivery artifacts: We've got our issuer and verifier services all set for production. Plus, we've put together some conformance test reports that align with the OpenID DCP suites. On top of that, we've been working on Android verifier integration proof of concepts (POCs) using the Credential Manager, which covers both holder and verifier APIs. (developer.android.com).

1. ZK-backed selective disclosure--used only when it really matters. Here’s a quick rundown of the use cases we’re focusing on strengthening: So, just to break it down: you need to be over 18, but you don’t have to provide your exact date of birth. We’ll do some background checks based on where you live, and we also need some proof that you’re in a “permitted market.” Plus, to keep things fair, we use these Semaphore nullifiers to make sure that only one account per person is allowed, which helps prevent any double-dipping without linking identities. Hope that clears things up! (docs.semaphore.pse.dev).

• Solidity and gas modeling: So, when it comes to Solidity and gas modeling, it's all about understanding how smart contracts work on the Ethereum blockchain. Solidity is the programming language you'll use to write your contracts, giving you the flexibility to create everything from simple token transactions to complex decentralized applications.

As for gas modeling, that's where things get interesting. Each operation in your smart contract costs a certain amount of gas, which is the fuel for running transactions on the Ethereum network. A great way to think of it is like the gas you put in your car; the more complex your code, the more gas you’ll burn. So, keeping an eye on how much gas your transactions use is super important for efficiency and cost-effectiveness. Balancing these aspects is key to building scalable and well-performing applications! Okay, so if you're looking at the Baseline Groth16 for BN254, you're looking at around 181,000 gas just to handle the pairings and the scaffolding. And if you throw in any public inputs, just know you’ll need to add about 7,160 gas for each one. It's good to keep this in mind while planning! When we're dealing with big volumes, we usually go for off-chain verification while keeping a record of nullifiers on-chain or using batch verification. If we do need to use on-chain proofs, we take a good look at BLS12-381 (thanks to EIP-2537) verifiers and MSM precompiles after Pectra to help keep the verification costs down. (medium.com).

• Privacy‑preserving anti‑abuse:
• It's all about a Semaphore-style setup for group memberships, where we use nullifiers for one-time actions. This way, you can stay anonymous while still being eligible, and we avoid any messy situations with Soulbound Tokens that might give away connections. We send out audited contracts that collect nullifiers to stop any re-use and ensure personal information stays off the chain. (docs.semaphore.pse.dev).

1. Integrating your wallet with the operating system to streamline the procurement process.

• Android: Alright, so here's the plan: we need to set up the Credential Manager DigitalCredential APIs for two main flows. First up, we’ve got the verifier flows--this part involves the OpenID4VP request coming from the app or web, which then leads to an OS selector, and finally passes everything over to the wallet.

Next, we've got the holder flows. This is where we'll handle wallet registration and matching, making sure everything runs smoothly. Let’s dive in and get this done! This helps to keep the user experience consistent across different wallets, which is super important when it comes to managing procurement risks. (android-developers.googleblog.com).

• Web3 wallets: Hey there! So, we’ve got SIWE (that’s EIP-4361 for those in the know) working alongside the ERC-1271 extension tailored for smart contract wallets. Plus, there’s also ERC-6492, which is all about counterfactual signatures before deployment. Pretty cool stuff, right? We've got this super handy reference verifier that gives 1271/6492 a shot before using ecrecover. It’s a smart way to steer clear of phishing scams and keep the user experience smooth! (eips.ethereum.org).

1. We've got compliance and crypto-agility built right into the mix, covering standards like SOC 2, ISO 27001, and NIST SP 800-63-4. So, here's the scoop: we're taking a good look at how we handle identity proofing and the different authenticator options. We're tying everything back to SP 800-63-4's IAL, AAL, and FAL standards. Plus, we're putting a spotlight on fraud controls--like how to deal with liveness and forgery issues. We're also focusing on continuous evaluation metrics and making sure we're keeping the user experience privacy-friendly. It's all part of the new emphasis in the latest revision!

4. Templates can really speed up the process of gathering SOC 2 evidence. (pages.nist.gov).

• PQC readiness plan:
• Let's take a look at those inventory algorithms and KMS boundaries. We need to come up with a solid definition for hybrid chains--like using ML-DSA combined with ECDSA for signing by the issuer. And don’t forget, we also need to create some handy rotation runbooks to keep everything running smoothly! We're on the same page with the FIPS 203/204/205 timelines and keep in mind the ACVP validation needs when it comes to federal procurement. (nist.gov).

1. You can really get your hands on integration and delivery services. We connect seamlessly with your Identity Provider (IdP) and APIs by using standard OAuth and OIDC bridges, along with SCIM. And if blockchain comes into play, we make sure to keep things efficient by minimizing on-chain state and routing everything through secure services. Here are some 7Block services you can easily integrate into your Statements of Work (SOWs):

• Web3 Engineering: Check out our complete suite of web3 development services. We're here to help you with everything from front to back!
• Alright, so when it comes to protocols and platforms, check out these awesome blockchain development services. They’ve got some really cool stuff going on!
• Security hardening: Check out our security audit services for a thorough review of your systems.
• Systems plumbing: Check out our blockchain integration services!
• Smart Contracts: Check out our smart contract development services!

Just a heads up, this is for folks who are 18 and older, and it's all about keeping things fair by preventing any double-dipping or revocations.

• Issuance:
• Alright, so here’s the scoop: you’ve got a credential that’s a SD-JWT VC, and it identifies as the “AgeOver18” type. Right now, the issuer is signing it using P-256/ES256. But there’s a plan in the works to roll out a hybrid ML-DSA option once your HSM is ready for it.
• Status: There's a bit of a hiccup with the StatusList2021/Bitstring Status List entry. This means that the verifier can check if something is “active” without needing to reach out to an issuer endpoint for verification. (w3.org).
• Presentation (for mobile and web): So, here’s what happens: when you make an OpenID4VP request using the Android verifier APIs, you’ll get an OS chooser pop-up. After that, your digital wallet will send back an SD-JWT. This JWT will just have a simple "over18: true" statement and a proof of possession key that’s tied to the issuance. Easy peasy! (developer.android.com).
• Abuse prevention:
• To keep things fresh and avoid any duplication in promotions, we've got two options for you:
• Off-chain: make sure to include a hidden nonce for each relying party and save a salted hash on the server side.
• On-chain: For public airdrops, you'll need to create a Semaphore proof. The contract will keep track of the nullifier specifically for “promo-Q1-2026.” There's no personally identifiable information (PII) stored on the blockchain, so your privacy is safe. Plus, just a heads up: users can only redeem once, so make sure you make the most of it! (docs.semaphore.pse.dev).
• So, what makes this “money”? Well, let’s break it down. So, there's no need for a date of birth or any personal info that sticks around. Plus, revoking access is a breeze! This means you can dive into European markets without the hassle of creating your own wallet. Pretty convenient, right? Android's built-in support really helps cut down on that extra clutter from SDKs, which can be a lifesaver when it comes to avoiding those annoying app store rejections. (android-developers.googleblog.com).

Credentialing for employees who need special access (great for SOC 2 proof).

• Issuance: So, here's the deal: the HRIS kicks off the issuance of an "EmploymentAffiliation" Verifiable Credential through OIDC4VCI. This VC includes role claims that follow the least privilege principle and it comes with a short validity period. The verifier needs to see some proof that you have what you say you do, along with your current status.
• Verification: So, the service app shoots off an OID4VP request that lays out the specific VCT and claims it needs. Then, the verifier steps in to take a look and see what's what.
• Signature and proof of possession (SD-JWT).
• The status is active (it hasn’t been revoked or suspended).
• Freshness (like nonce, issued-at, validity) (w3.org).
• Let's dive into SOC 2 and how it lines up with NIST SP 800-63-4. So, when we talk about audit evidence, we’re looking at things like issuance logs, conformance reports, and how the cryptographic stuff is set up. It's all about making sure assurance levels line up with the different access tiers. For instance, we have AAL2 for those internal admin tools that use synced passkeys, and then there’s AAL3, which steps it up a notch with hardware-bound factors when we’re making changes in production. (pages.nist.gov).
• Integration deliverables: So, we've got this reference verifier microservice that we've set up, along with Terraform to handle our status registry hosting. We're using S3 or Azure Blob for storage, plus a CDN to make sure everything loads quickly. And don’t forget, we’ve got runbooks ready for key rotation and incident response, just in case anything goes sideways!

We've got SIWE that really works with smart contract wallets!

• Problem: So, it looks like Vanilla SIWE doesn’t work too well with ERC‑1271 accounts. There's also a bit of a phishing risk out there if wallets don’t keep a close eye on those origin fields. Just something to watch out for!
• Implementation: So, when a relying party sends out EIP-4361 messages, it’s important that they include the right domain or origin. And then there’s the verifier...

1. It checks if the signer is a contract, and if it is, it goes ahead and calls the ERC‑1271 isValidSignature function. So, if the contract is counterfactual, it goes ahead and unwraps ERC-6492 to check out those deploy-data-anchored signatures. Pretty cool, right?
   1. Otherwise, uses ecrecover. We've got a streamlined library and some examples to help you out. If you're using Android or desktop browsers, you'll notice that everything runs smoothly after Pectra, thanks to the improvements from EIP-7702. (eips.ethereum.org).

• Outcome:
• Just one login process for all your wallet types! This takes away a big support factor and helps eliminate fraud from issues like signature replay and phishing by sticking to the origin rules laid out in the specs. (eips.ethereum.org).

Here are the technical specs you can share with your engineering team.

• Protocols and formats
• VCDM 2. You're all set with the latest updates! You've got the scoop on 0 (REC), SD‑JWT (RFC 9901), and the OIDC4VCI Final 1. So, let’s dive into these topics! So, just a heads up, the OID4VP is in its final stages, and when it comes to the Android Credential Manager, it’s pretty versatile. It handles both the issuance and presentation aspects like a champ. (w3.org).
• Status and revocation
• Alright, so the plan is to go with the StatusList2021/Bitstring lists. We’ll stick with the default bitstring size of 131,072 entries. To make things snappier, we’ll compress everything using GZIP and then serve it through a CDN. This way, we can dodge any correlation issues and keep those checks under 100ms. Easy peasy! (w3.org).
• DID method choices
• So, if you're looking to go live quickly with enterprise governance, think about using did:web. It’s a solid option! You can also leverage TLS and DNS ownership while rotating your keys through continuous integration. And if you ever find yourself needing anchoring without tying it to just one web origin, did:ion is the way to go. It's super handy! (w3c-ccg.github.io).
• Let's take a look at the cost baselines for ZK proofs, especially in the context of what's happening after Pectra. Alright, so when you're using the BN254 Groth16 for verification, you can expect the pairing gas to be around 45,000 plus an extra 34,000 for every k you have. If you’re working with k equal to 4, that ramps the gas up to about 181,000. Now, if you want to keep it simple, a good rule of thumb for the total is roughly 207,700 plus 7,160 times the number of public inputs (that’s l). So, just keep that in mind as you calculate your gas needs! Let's take a look at BLS12-381 verifiers and MSM precompiles to help cut down on computing needs. Also, keep in mind how calldata plays into this, especially since EIP-7623 has made those costs a bit higher. (eip.directory).
• PQC roadmap Sure thing! So, we’re talking about a few standardized things here: there’s ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205). We create issuance and signing services that come with customizable JOSE/Data-Integrity suites and HSM policies. These are designed to support hybrid signatures and allow for scheduled rotations that fit right into NIST timelines. (nist.gov).

GTM proof: Here’s the game plan for the metrics we’ll focus on, track, and commit to during our 90-day pilot.

• Integration velocity Hey there! So, when it comes to integrating the Android verifier, we’re looking at a couple of options. One approach is to go with a single Credential Manager codepath, while the other involves creating separate SDKs for each wallet. Ideally, we want to aim for a “one API, many wallets” setup. It’s all about simplifying things and making it easier to manage, right? We keep track of the dev-hours you save and how long it takes to get that first verification for your top three mobile apps. (android-developers.googleblog.com).
• Compliance readiness
• So, when it comes to the SP 800-63-4 mapping, make sure to jot down your choices for IAL, AAL, and FAL, along with your fraud checks and the metrics you'll use for ongoing evaluation. Also, let’s save some time with that SOC 2 evidence grind by centralizing our logs for issuance and verification, plus any cryptographic setups we have. We provide a control matrix along with a sample evidence pack. (pages.nist.gov).
• A cost model that comes with on-chain guardrails. Hey there! So, if you need to check something on-chain, just a heads-up: we limit the gas per check by using batching and BLS12-381 verifiers when it fits. Just so you know, the standard BN254 verification runs at around 181k pairing gas. We're running some simulations based on your L1/L2 fee assumptions before the cutover happens. The financial owners will receive a spreadsheet that connects the gas ceilings to the traffic forecasts. (eip.directory).
• Risk reduction We've ramped up the security on SIWE by implementing ERC-1271 and 6492 to make sure we have strong path and origin enforcement. Plus, we’re keeping a close eye on any authentication failures related to phishing and monitoring help desk tickets both before and after we go live. (eips.ethereum.org).

So, let’s talk about why this approach actually makes sense for businesses--it's not just about jumping into the whole crypto craze for the sake of it. We're on board with the regulatory deadlines (like eIDAS/EUDI 2026) and stick to the standard protocols that your partners and OS vendors are already using.
This really keeps things simple and minimizes any hassle for auditors. (consilium.europa.eu). We're all about keeping personal info off the blockchain. We stick to the best practices for revocation, and we only bring in zero-knowledge technology when it comes to eliminating data while still ensuring we have strong anti-abuse measures. This way, we manage to minimize data collection without giving up on control. (w3.org). We focus on building crypto agility right from the start, so we can stay ahead of any changes with post-quantum cryptography (PQC). This approach makes it a lot smoother for future purchases and sales in the federal space. (nist.gov).

Here’s what you can expect from 7Block Labs.

• Architecture and implementation So, we’ve got the whole package here! We offer end-to-end design, issuer and verifier services, and we can easily integrate with Android for both verifiers and holders. Plus, our web flows are wallet-agnostic, which means they work with different wallets seamlessly. And if we need to dive into on-chain logic, we’ve got Solidity covered too, especially for things like Semaphore gates, verifiers, and nullifier registries. It’s a pretty comprehensive setup!
• Making sure everything's secure and ready to roll. So, when it comes to threat modeling, we're looking at things like how different threats connect (you know, correlation), checking for phishing attacks, and making sure we're not reusing stuff in a risky way. We're also diving into code reviews for the ERC-1271 and ERC-6492 paths, running checks to ensure ZK verifiers are doing their job right, and keeping an eye on the integrity of the status registry. It's all about making sure everything’s secure and running smoothly! Check out our security audit services when you get a chance!
• Bringing everything together and providing ongoing support.
• Integration tools for Identity Providers (IdPs), HRIS, and CRM systems; incident response playbooks to manage key rotation and revocation; and user-friendly operational dashboards.
  Check out our awesome blockchain integration options and dive into our web3 development services. You’ll find some really cool stuff there!

Let’s dive into some key design choices and see how they shape the overall outcome!

First off, the color palette you pick can totally set the mood. Bright colors might give off a fun, energetic vibe, while softer tones might create a more calming atmosphere. It’s amazing how a simple choice like this can completely change how people feel about your design.

Next, think about the layout. A well-organized layout can make everything so much easier to navigate. If things are cluttered and chaotic, it’ll be frustrating for users. On the flip side, a clean and intuitive layout can make their experience smooth and enjoyable.

Also, don’t forget about typography! The fonts you choose can really communicate personality. A playful font might be perfect for a children’s brand, while a sleek, modern font could be right for a tech company. This choice impacts readability too, so it’s essential to strike the right balance.

Finally, let’s talk about functionality. Design isn’t just about how things look; it’s also about how they work. Making sure that everything is user-friendly and easy to access can make a huge difference in how well your design performs.

In a nutshell, every design decision has a ripple effect that can influence the user experience, so it’s important to think carefully about each choice you make!

• did:web vs. did:ion Alright, so here’s the scoop: did:web is pretty much the quickest solution out there for companies that manage their own DNS and TLS. Plus, it can be easily accessed via HTTPS, making things super smooth. And if you're into continuous integration, you’ll love how straightforward it is to rotate your keys whenever you need to. I just learned about this cool process called "anchoring" that combines Bitcoin and IPFS using something called Sidetree batching. It really boosts decentralization and helps with write aggregation. Plus, there's way more infrastructure behind it all. Pretty interesting stuff! We usually kick things off with did:web and then throw in did:ion for certain partners or specific areas. (w3c-ccg.github.io). Let’s chat about SD-JWT VC and JSON-LD data integrity. These two terms can sound a bit technical, but they’re super important when it comes to handling digital credentials and ensuring their security. SD-JWT VC, or Self-Declaring JSON Web Token Verifiable Credentials, focuses on creating a way to verify details without needing a centralized authority all the time. On the flip side, JSON-LD data integrity makes sure that the information shared in the JSON-LD format stays intact and trustworthy. So, both play a crucial role in maintaining the reliability and authenticity of the data we use online! So, the SD-JWT VC is designed to simplify things when it comes to JSON-LD tooling and works really well with JOSE stacks. Plus, it’s great to know that selective disclosure is standardized now with RFC 9901. Data Integrity comes into play when you're dealing with Linked Data ecosystems or when you have existing JSON-LD credentials that you need to stick to. We've got adapters for both directions. (rfc-editor.org).
• On‑chain proof verification If your business really needs strong on-chain enforcement, like for things such as airdrop gating or on-chain allowlisting, we usually lean towards using nullifier registries and batched verification. After Pectra, take some time to check out the BLS12-381 verifiers and MSM precompiles. If they don’t fit your needs, it might be best to just stick with BN254 since it keeps the calldata low and works well with the tools you already have. Just remember to model both options based on your traffic and gas limitations to see what works best for you. (blog.ethereum.org).
• SIWE hardening Hey there! So, here’s the plan: we need to break down and implement the EIP‑4361 ABNF. It’s important to check the origin against the scheme and domain too. Plus, let’s make sure we’re on board with ERC‑1271 and ERC‑6492. Oh, and we should also set up an allowlist for developers and local hosts, but let’s keep it smart with warnings rather than letting anything slip through the cracks. Sound good? So, let’s break down what “works in dev” really means versus when something “passes a security audit.”

When we say something “works in dev,” we’re talking about how it functions in the development environment. This is where developers are busy tweaking and testing things out. It might be running smoothly there, but that doesn’t guarantee it’s all good to go in the real world.

Now, on the flip side, when we say it “passes a security audit,” we’re looking at a much deeper dive into its safety and security measures. This means that experts have checked it out thoroughly to make sure it’s secure and doesn’t have any vulnerabilities that could be exploited.

In a nutshell, working fine in development is great, but passing a security audit is a whole other level of reassurance that it’s safe for everyone. ” (eips.ethereum.org).

• PQC transition
• Set up a PKI/KMS that can handle hybrid suites, like ES256 and ML-DSA, and make sure it can rotate keys without having to reissue all the credentials. Keep an eye on how ready vendors are for ACVP-validated PQC in HSMs. This way, you won't find yourself in a last-minute rush when it matters most! (nist.gov).

Next steps

• If you’re looking to get this through Procurement smoothly, we usually kick things off with a well-defined 90-day pilot.
• Weeks 1 and 2: We'll kick things off by diving into requirements and hosting a risk workshop focused on SOC 2, ISO 27001, and SP 800-63-4. Plus, we’ll set some key performance indicators (KPIs) to keep us on track!
• Weeks 3 to 6: We’ll be getting our issuer and verifier set up to match OIDC4VCI and OID4VP standards. We're also diving into the Android proof of concept and working on the status registry during this time. Hey there! So for weeks 7 through 10, we're diving into some serious stuff. We're focusing on hardening the SIWE/1271/6492 systems, and there’s also an optional Semaphore gate we can check out. Plus, we'll be working on gas modeling and laying out a roadmap for our Post-Quantum Cryptography (PQC) initiatives. Exciting times ahead!
• Weeks 11 to 12: We’ll be diving into the penetration testing and putting together the audit evidence pack. Plus, we’ll have an executive briefing where we’ll discuss the ROI model and the rollout plan. Sounds like a busy couple of weeks ahead!

Hey there, folks! If you're part of an enterprise and looking to take things to the next level, now's the time to act! Don't miss out on the opportunity to boost your efficiency and drive your success forward. Whether it's adopting new tech or streamlining your processes, we've got the tools and expertise to help you thrive. So why wait? Let’s connect and explore how we can make great things happen for your business! Reach out today! Let’s set up a 90-Day Pilot Strategy Call!

Sources

• W3C VCDM 2. 0 Recommendations and What’s Happened So Far. (w3.org). Hey there! Just a quick update for you: we've got the final green light on OpenID OIDC4VCI and OID4VP is all set to wrap up as well. Plus, we're excited to share that the Android Credential Manager is now on board with both OID4VCI and OID4VP. Pretty cool stuff happening! (openid.net).
• eIDAS 2. So, here’s the scoop on the EUDI Wallet: the Council’s all set to adopt it, and the Commission has some timelines in place too. We can expect these wallets to roll out by the end of 2026. Exciting stuff ahead! (consilium.europa.eu). Hey there! So, just a heads up, we’ve got the NIST SP 800-63-4 (final version) to talk about, along with some updates on its context and revisions. Plus, we’ll dive into the latest on conformance and the roadmap too. It’s good stuff to keep an eye on! (pages.nist.gov).
• Check out the SD-JWT (RFC 9901) and the drafts for SD-JWT VC. (rfc-editor.org).
• StatusList2021 / Bitstring Status List specifications. (w3.org).
• So, let's talk about Ethereum Pectra! It’s all about the contents and the mainnet activation, which will include big updates like EIP-2537 and EIP-7623. (blog.ethereum.org). So, we're talking about the BN254 pairing gas repricing, which is part of EIP‑1108, along with the Groth16 cost baselines. (eip.directory).
• You might want to check out the SIWE spec (that's EIP-4361), along with ERC-1271 and ERC-6492 for some extra context. (eips.ethereum.org).
• Check out the Semaphore protocol docs for handling anonymous, one-time actions. (docs.semaphore.pse.dev).
• So, we've got the latest updates on NIST's PQC, along with their FIPS 203, 204, and 205 approvals and guidance. (nist.gov).

Schedule a 90-Day Pilot Strategy Call!