Digital Wallet Certification: The Foundation for Interoperable State Identity Systems

To build trust, protect privacy, and enable true interoperability, states must establish a certification program for digital wallets and issuers that enforces technical safeguards, statutory principles, and vendor accountability from the start.

As states move toward private, interoperable, and resident-controlled digital identity systems, certification of wallets and issuers becomes a cornerstone of trust. Certification doesn’t just validate technical conformance; it enforces privacy, supports procurement flexibility, and enables multiple vendors to participate under a consistent trust framework. This blog post outlines recommendations to meet these goals, with statutory guardrails and governance practices built in from the start.

The Case for Certification

We believe that states should require certification of Digital Wallets that are capable of holding a state digital identity. Certification provides assurance that wallet providers comply with key requirements such as privacy preservation, unlinkability, minimal disclosure, and security of key material, which are enforced by design.

SpruceID believes that additional legislation should be enacted to establish a formal certification program for wallets, issuers, and potentially verifiers participating in a state digital identity ecosystem. The legislation should specify that the designated regulating entity may conduct audits and certify providers directly, or delegate certification responsibilities to qualified external organizations, provided such delegation is formally approved by the appropriate higher authority.

Enforcing Privacy and Minimization

A certification program would mandate compliance with privacy-preserving technical standards, restrict verifiers from requesting or storing more information than is legally required, and require wallets to obtain clear user consent before transmitting credential data. Wallets would also need to provide plain-language explanations of how data is used in each transaction. By creating a statutory basis for certification and oversight, states can ensure that unlinkability and data minimization are not just principles, but enforceable requirements with technological and governance safeguards.

Pilot Programs to Support Innovation

We recommend that states enact a pilot program allowing provisional, limited, and expiring operating approvals of issuers, wallets, and verifiers before their formal certification programs are established and fully operating. The purpose is to encourage market solutions to operate in real-world environments and generate learnings, which the appropriate oversight agency could then adapt when creating the formal certification programs. Today’s best practice in the software industry is an iterative “agile” approach to implementation, and we believe the same approach is best for creating certification programs for software: engage industry early and often in a limited operating capacity, instead of attempting to fully specify rules a priori, which may become irrelevant if not created with perfect knowledge.

Clarifying Responsibilities Across the Ecosystem

Clear allocation of liability and responsibility is essential for the trust and sustainability of any state digital identity program. A state's role is to establish statutory guardrails, oversee governance, and authorize a certification framework that ensures all ecosystem participants meet consistent standards. This includes creating a certification program for both digital wallet providers and credential issuers, verifying that they comply with statutory principles for privacy, unlinkability, minimal disclosure, and security.

Wallet Provider Responsibilities

Digital wallet providers bear responsibility for ensuring acceptable security mechanisms and proper user consent, presenting clear and plain-language disclosures that meet accessibility requirements, and ensuring that features like personal data licenses and privacy-protective technical standards are honored in practice. Certified wallets must also support recovery mechanisms for key loss or compromise, ensuring that holders are not permanently locked out of identity credentials due to technical failures. Digital wallet providers should coordinate with issuers, designing solutions which anticipate that wallets and keys will be lost, stolen, and compromised.

Issuer Responsibilities

Issuers are responsible for creating a strong operational environment that ensures the accuracy of the attributes they release, and for maintaining correct and untampered authoritative source records. They are also responsible for ensuring that state digital identity credentials are issued to the correct holders, and to any acceptable wallets, free of unreasonable delay, burden, or fees. They must provide accessibility to holders, such as providing workable paths for holders who lose their credentials, wallets, and/or keys. Their certification ensures that state digital identity credentials are issued only under audited processes that meet required levels of identity proofing and revocation safeguards.

Legislating Technical Safeguards and Liability

In addition, states should require certification of wallets against a published state digital identity protection profile and create clear liability rules. Legislation should establish that wallet providers are responsible for implementing technical safeguards, that holders maintain control over disclosure decisions, and that verifiers may only request attributes that are legally permitted. By legislating these aspects, states will ensure that residents can trust any certified wallet to uphold their rights, while fostering a competitive ecosystem of providers who innovate on usability and design within a consistent regulatory baseline.

Enabling Interoperability and Competition

Certification also creates a mechanism for interoperability and trust across the ecosystem. By publishing a clear “state digital identity Wallet Protection Profile” and certifying wallets against it, states can ensure that wallets from different vendors operate consistently while still allowing for competition and innovation.

Building Public Confidence Through Transparency

Finally, certification helps build public confidence. Residents will know that any wallet bearing a certification mark has been independently tested and approved to uphold privacy and prevent surveillance, while verifiers will know they can safely interact with those wallets. At the same time, states should keep certification processes lightweight and transparent to avoid excluding smaller vendors, ensuring that certification supports security and privacy without stifling innovation.

Establishing the Guardrails of a Trusted Ecosystem

Certification is more than a checkbox: it’s how we turn principles like unlinkability and minimal disclosure into an enforceable reality. By embedding privacy protections in wallet and issuer certification, states can foster innovation without compromising trust. The foundation for interoperable, people-first digital identity isn’t a single app or provider; it’s a standards-aligned ecosystem, governed responsibly and built to last.

SpruceID works with governments and standards bodies to build privacy-preserving, interoperable infrastructure designed for public trust from day one. Contact us to start the conversation.


About SpruceID: SpruceID is building a future where users control their identity and data across all digital interactions. We build privacy-preserving digital identity infrastructure that empowers people and organizations to control their data. Governments, financial institutions, and enterprises use SpruceID’s technology to issue, verify, and manage digital credentials based on open standards.