How Open Standards Strengthen State Digital Identity Governance
Learn why open standards are the most reliable way for states to protect privacy, strengthen interoperability, and build identity systems that earn public trust.
Open standards are the backbone of any trustworthy digital identity ecosystem. When states choose protocols that are transparent, globally supported, and freely implementable, they create systems that protect privacy by design, support long-term interoperability, and mitigate the risks associated with proprietary or restricted technologies. Open standards aren’t just a technical choice; they are a policy commitment to resident rights, market competition, and sustainable public infrastructure.
In this post, we explore how open standards strengthen digital identity systems by enforcing privacy, supporting competition, and ensuring long-term interoperability without relying on proprietary technology.
Open Standards as a Public Interest Imperative
We believe that states should require or at least express strong preference that the technical standards used in a state digital identity program be open, freely available, and implementable by the public and private sector without proprietary licensing restrictions. Open standards are critical to ensuring transparency, interoperability, and long-term sustainability.
They allow agencies, citizens, and vendors to independently verify that the technology operates as intended, building public trust in a system where privacy and unlinkability must be enforced by protocol rather than policy alone.
Freely available standards also support interoperability across jurisdictions and with federal programs, and they make it easier for smaller vendors to meet the requirements. If state digital identity credentials can rely upon open protocols, holders are far more likely to be able to use their credentials beyond state borders, verifiers can more readily adopt the technology without prohibitive costs or licensing fees, and states avoid lock-in to a single vendor or proprietary solution thanks to a competitive market of solution providers.
Aligning Standards With Statutory Principles
Standards should be evaluated not only for accessibility but also for alignment with the statutory principles in state code, including individual control, technological compliance, and data minimization. We believe a state’s role should be to publish a clear state digital identity profile that specifies which open standards are suitable and how they must be configured to enforce privacy-preserving features.
To maintain relevance and adaptability, states should also establish a governance process for updating the state digital identity profile. This process should include structured input from public agencies, private vendors, civil society, and technical experts, and ensure that updates are guided by statutory principles, technology maturity, and real-world market adoption.
This approach ensures that the state benefits from the innovation and global adoption that open standards enable while maintaining control over the protections that are uniquely important to residents.
Open Protocols for Transparency and Trust
States should rely on open protocols to the greatest extent feasible in a state digital identity program. Adoption will be far faster if states align with protocols already in use because verifiers and private-sector partners (in the United States and globally) are already beginning to adopt those standards. Adoption is ultimately driven by how many verifiers are able and willing to accept a credential, and using open standards that already have traction will help de-risk the program by ensuring compatibility with the broadest set of verifiers.
Open protocols also ensure that the methods of issuance, holding, and verification can be independently reviewed, tested, and implemented by both public and private actors. This reduces the risk of vendor lock-in, enhances interoperability, and strengthens transparency by demonstrating that features such as unlinkability and minimal disclosure are built directly into the technology.
Balancing Open Source With Security and Maturity
Open source can increase accountability and public confidence, allowing security researchers, civil society organizations, and other stakeholders to inspect implementations for compliance with relevant standards and codes. It can also make it easier for small firms that provide differentiated solutions for specific use cases to enter the market while still meeting state digital identity credential requirements.
However, not all open source projects are developed or maintained at the same level of maturity. If states were to release or ordain immature open source implementations as “official,” it could create new risks through rushed or under-resourced deployments that could contain security flaws or bugs.
To mitigate this risk, states should require that any open source software used in the state digital identity ecosystem demonstrate active community support, regular updates, and independent security audits. States should maintain even higher standards for software they release officially, so that they do not “pick technology winners” and create adverse incentives in competitive markets meant to deliver the best solutions at the lowest costs. Where projects do not meet these maturity thresholds for open source software, states should consider certification requirements or mandate third-party audits to ensure confidence. This balance allows states to demonstrate transparency while still protecting sensitive operational components. Even when open source software is audited, the end-to-end systems that incorporate it as a component must still go through their own audit, because security models are extremely sensitive to and dependent upon contextualized use.
Finally, states should focus on open standards and projects with well-established, actively supported ecosystems that are able to reach long-term sustainability. Technical standards with broad governance and multiple implementers encourage innovation, ensure interoperability across jurisdictions, and reduce the risk of states relying on under-supported technologies. By combining reliance on open protocols, balanced use of open source, and rigorous independent audits, states can build a program that maximizes adoption, transparency, and security in equal measure.
Interoperability Through Open, Multi-Format Standards
To ensure that state digital identity credentials can be accepted in other jurisdictions, states should ensure that the state digital identity framework is compatible with data formats and protocols that have received large investments and are broadly acceptable, to the extent they are compatible with state digital identity principles. Credential formats such as W3C Verifiable Credentials, mdocs found in the ISO/IEC 18013-5/7 specifications for mobile driver’s licenses, the forthcoming ISO/IEC 23220, which describes mdocs standalone, or SD-JWTs from IETF have received significant investments and growing adoption in the United States and abroad.
By ensuring that state digital identity credentials are compatible with these particular formats without compromising on their principles, states maximize the likelihood that other states, federal agencies, and private-sector entities will be able to validate and trust state-issued credentials without requiring custom integrations. A best practice emerging in the field is multi-format issuance, where credentials are simultaneously provisioned in ISO mDL (ISO/IEC 18013-5/-7), IETF SD-JWT, W3C VC, and/or other formats. This ensures acceptance in federal and regulated contexts that require ISO compliance, such as TSA checkpoints, while still supporting broader digital use cases like online eligibility verification and cross-border interoperability.
It is important to note that adoption in other jurisdictions is not automatic simply because a credential is standards-compliant. Verifiers in other states and federal agencies will only integrate technologies that align with the ecosystems they are already adopting. If states did not support major protocols, the program could face significant delays in recognition and limited utility outside the state. By taking a framework approach to state digital identity that can create protections in a way compatible with dominant standards today, states reduce their adoption risk and accelerate acceptance across both government and private-sector contexts, towards providing usable, efficient, and cost-effective solutions for their residents.
Building Trustworthy Identity Infrastructure for the Long Term
Open standards provide states with the strongest foundation for a trustworthy digital identity. They safeguard privacy through protocol-level protections, ensure systems remain interoperable across agencies and jurisdictions, and create a healthy marketplace where multiple vendors can compete. Openly governed standards aren’t just a technical preference; they are the only way to build digital identity infrastructure that endures, evolves, and earns public trust.
If your organization is exploring how to build digital identity systems grounded in open, privacy-preserving standards, SpruceID can help translate policy requirements and open standards into secure, interoperable implementations.
About SpruceID: SpruceID is building a future where users control their identity and data across all digital interactions. We build privacy-preserving digital identity infrastructure that empowers people and organizations to control their data. Governments, financial institutions, and enterprises use SpruceID’s technology to issue, verify, and manage digital credentials based on open standards.