Open standards provide the technical foundations that make policy goals achievable. When governments mandate interoperability, privacy protection, or accessibility in digital identity systems, standards define how these requirements are implemented in practice. The relationship between standards and policy is symbiotic: standards enable policy, and policy drives the adoption of standards.
Standards as policy infrastructure
Just as TCP/IP enabled the open internet and HTTPS enabled secure e-commerce, identity standards enable the issuance of trusted, verifiable digital credentials on a large scale. They create shared rules that issuers, wallets, and verifiers can follow regardless of vendor or jurisdiction.
Consider what standards accomplish: A credential issued by the California DMV can be verified at a TSA checkpoint in New York because both systems follow ISO/IEC 18013-5. A diploma issued by a university can be verified by an employer anywhere, as both parties are familiar with W3C Verifiable Credentials. This interoperability doesn't happen by accident; it's the product of deliberate standardization.
Key standards bodies
Multiple organizations develop the standards that shape digital identity policy.
The World Wide Web Consortium (W3C) develops Verifiable Credentials and Decentralized Identifiers, providing flexible frameworks for expressing and verifying identity claims across sectors.
The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) develop the ISO/IEC 18013 series for mobile driver's licenses and ISO/IEC 23220 for mobile documents, establishing the technical requirements for government-issued verifiable digital credentials.
The Internet Engineering Task Force (IETF) develops protocols like SD-JWT (Selective Disclosure JSON Web Tokens) that bring privacy-preserving features to the existing enterprise identity ecosystem.
The National Institute of Standards and Technology (NIST) publishes Digital Identity Guidelines (NIST SP 800-63) that define assurance levels and best practices, serving as the baseline for federal compliance and informing state policies.
The OpenID Foundation develops protocols, such as OID4VCI and OID4VP, that define how credentials are exchanged between issuers, wallets, and verifiers, building on the OAuth 2.0 framework, which is already used for billions of secure logins.
Policy choices embedded in standards
Standards aren't neutral; they embody policy choices. For example, W3C Verifiable Credentials support selective disclosure, enabling data minimization, and SD-JWT enables holders to select which claims to disclose, thereby implementing the principle of minimal disclosure.
When policymakers mandate privacy-preserving digital identity, they're effectively requiring standards that support features like selective disclosure and offline verification. When they mandate interoperability, they require alignment with widely adopted standards, such as ISO mDLs or W3C VCs.
Standards enabling policy goals
Utah's State-Endorsed Digital Identity (SEDI) framework illustrates the interaction between policy and standards. Established under Senate Bill 260, signed by Governor Cox, SEDI is built on a constitutional insight: the state does not issue a person’s identity, but it may endorse that identity when statutory requirements are met. That endorsement can then satisfy verification and compliance needs across the economy while preserving the right to paper credentials, prohibiting government tracking, and aligning with ACLU recommendations.
The statutory requirements for privacy, unlinkability, and minimal disclosure aren't abstract principles; they're achievable because standards like ISO mDLs, SD-JWTs, and W3C VCs support the necessary technical features.
Multi-format issuance, where credentials are simultaneously issued in multiple standard formats, emerges as a best practice precisely because different standards serve different policy contexts. ISO mDLs enable TSA acceptance, W3C VCs enable cross-sector use, SD-JWTs enable enterprise integration, and all can coexist under a common governance framework.
The standards-policy feedback loop
Standards and policy evolve together. Policy requirements drive standards development: when regulators need privacy-preserving age verification, standards bodies create selective disclosure mechanisms. Standards capabilities enable policy ambitions: when cryptographic techniques mature, policymakers can mandate stronger privacy protections.
This feedback loop means that engaging with standards bodies isn't just technical work; it's policy work. The rules being written today will shape what digital identity can accomplish for decades to come.



