For Utah’s digital ID program, OpenID recommends proven open standards

The OpenID Foundation has weighed in on Utah’s State-Endorsed Digital Identity (SEDI) program, with a reply to the state’s Request for Information (RFI) that emphasizes proven standards, interoperability with the financial sector, open testing and privacy by design.

“The OpenID Foundation recognizes that the State of Utah is a thought leader on both privacy and digital identity, and we applaud their proactive approach to ensure protections for individuals are in place,” says a statement from Executive Director of the OpenID Foundation Gail Hodges.

“Utah’s approach is strongly aligned with our longstanding vision to help people assert their identity wherever they choose, and our development of specifications that enable consent based and privacy enabling capabilities.” Hodges says shared goals include security, privacy, and autonomy for Utah residents, and she notes the recommendation to “{foster engagement with industries, such as the financial sector and wallet providers.”

By proven standards, OpenID means specifications already deployed in production, including OpenID4VP, OpenID4VCI, and HAIP, paired with ISO/IEC 18013-5/-7 to ensure broad compatibility. Interoperability in the financial sector would “give Utah residents faster access to using state issued credentials with federally regulated financial institutions.” Open course testing tools enable conformance at no cost. And privacy by design means verification systems that enable selective disclosure and data minimization.

Endorsing an inherent identity, not one bestowed by the state

Utah’s optional SEDI initiative was mandated with the passage of SB 260 in June 2025. Intended for accessing government services, airport security checks and private sector transactions, it aims to reimagine the framework that dictates its existing mDL and digital identity tech (provided by GET Group, Scytáles and FaceTec) by “endorsing” an individual’s inherent identity, rather than bestowing it. As the bill puts it, “the state does not define an individual’s identity,” but “states may recognize and acknowledge an individual’s identity in certain circumstances.”

OpenID applauds Utah for doing due diligence that “addresses concerns broadly similar to those of over 60 countries currently developing digital identity programs.” The OpenID Foundation has offered guidance to the European Commission, Australia, New Zealand, the UK, Japan and the U.S. National Institute of Standards and Technology (NIST), among others.

Spruce ID checklist aims to assist with state digital ID strategies

Wayne Chang, Founder and CEO of SpruceID, is also watching developments in Utah. “We’re excited to see the State of Utah take an approach in the spirit of constitutional rights to ensure freedom in the digital world,” he says. “This aligns with our mission to let people control their data across the web, and also the work on verifiable digital credentials protocols from the OpenID Foundation, which allow for more decentralized and privacy-preserving modes of digital interaction.”

SpruceID has published a “Practical Checklist to Future-Proof Your State’s Digital Infrastructure.” The document aims to be “a clear, actionable framework for state technology decision-makers” to evaluate tech against open standards. “By embracing these principles, states can make informed choices that foster sustainable innovation and avoid costly pitfalls, aligning with a broader vision for open, secure, and interoperable digital systems that empower citizens and governments alike.”

Open standards, says SpruceID, help avoid siloing and vendor lock-in by measuring tech against publicly accessible specifications developed and maintained through a collaborative and consensus-driven process. “For verifiable digital credentials, this includes critical specifications like the ISO mDL standard for mobile driver’s licenses (ISO 18013-5 and 18013-7), W3C Verifiable Credentials, and IETF SD-JWTs.”

“The principles of open standards, however, extend far beyond digital credentials to all critical IT infrastructure decisions.” Spruce argues that open standards can drive innovation, spur adoption, and enhance interoperability and security.

Does it support ZKPs? KYC? Age assurance? Scalability?

So what’s on SpruceID’s checklist? Broadly, it recommends states ask the following when shaping their digital ID strategy:

• Can a technology support privacy controls and enable privacy-preserving techniques like selective disclosure and zero-knowledge proofs?
• Does the standard align with real-life use cases, such as age assurance and KYC?
• Is the ecosystem developed enough, with demonstrated investment from both public and private sectors?
• Are there multiple independent vendors supporting the standard, to create a competitive market?
• Is there clear evidence of sustained investment in tools, reference implementations, and commercial deployments?
• Is the standard governed by a credible and recognized standards development organization like ISO, W3C, IETF, and the OpenID Foundation?
• Has the standard demonstrated successful cross-vendor and cross-jurisdictional  implementations?
• How does the technology handle worst-case scenarios like stolen private keys or lost devices?
• Has it proven to be scalable in production use cases?

“By adopting this forward-thinking mindset and leveraging the provided checklist,” says Spruce, “state IT leaders can confidently navigate the complexities of digital identity procurement. This approach empowers states to build resilient, secure, and adaptable IT infrastructure that truly future-proofs public services.”

Article Topics

digital ID  |  digital identity  |  mDL (mobile driver's license)  |  open standards  |  OpenID Foundation  |  SpruceID  |  Utah  |  Utah State-Endorsed Digital Identity (SEDI)