Allen Lab Fellowship Meeting · 2026.04.17
Working Paper · Digital Civic Infrastructure

From State Credentials
to Civic Proofs

Digital Identity in Digital Civic Infrastructure — a two-layer trust model, four types of proof, and what happens when systems gate action.

Author mashbean Taipei · Allen Lab Policy Fellow
Contents
  1. Why identity matters in DCI
  2. Two-layer trust model
  3. Four types of civic proof
  4. Global comparison
  5. Taiwan deep dive: MOICA & TW DIW
  6. Age assurance as a stress test
  7. Full identity vs. minimal proof
  8. Civic & subnational experiments
  9. Public blockchain as trust layer
  10. Policy agenda & open questions
mashbean.net
§ 01 · Why identity matters in DCI

Identity matters most when systems gate action.

DCI frames civic participation as Connect → Learn → Act. Digital identity intervenes most strongly at the Act layer — where public decision-making begins.

STEP 01
Connect

Community, persistence, role allocation. Trust through long-term contribution. Identity is a symbolic anchor — often weak-identity is enough.

STEP 02
Learn

Information access, discussion. Anonymous reading and low-threshold participation work fine. Identity rarely required.

STEP 03
Act

Petition, vote, join, collaborate, whistleblow. The political pressure lands here.

QUALIFICATION
Does the system require you to qualify?

If yes → identity enters core governance. Uniqueness, attribute, accountability, procedure all become institutional questions.

Proposition 1

Mainstream digital identity is already successful at service delivery, signatures, compliance, and fraud reduction.

Proposition 2

Once it moves into age verification and platform governance, it decides who may enter which public spaces.

Proposition 3

Wallets, selective disclosure, ZK, and browser APIs make democratic identity feasible — but governance lags behind.

Frame: Ash Center · Digital Civic Infrastructure · Connect–Learn–Act
§ 02 · Two-layer trust model

Separate issuer legitimacy from exchange architecture.

PKI, VCs, wallets, browsers, and trust lists operate at different layers. Pull them apart and most debates get clearer.

Upper layer
Issuance Legitimacy
State / legal authorization
Trusted institution / community rules

Legal effect · sovereignty · accountability · revocation authority

Lower layer
Exchange Architecture
Credential / Wallet
Browser / OS / App
Trust list / Registry / Verifier

How credentials are held, presented, verified, revoked, and reused.

OUTPUT
Civic Proof

Vote · Petition · Credential verification · Membership governance · Whistleblowing

Four normative conditions
I.
Anonymity

Real-world identity is not required to be exposed.

II.
Unlinkability

Uses cannot be joined across contexts.

III.
Verifiability

Claims can be independently confirmed.

IV.
Accountability

Post-hoc audit and redress remain possible.

Accountability does not require real names.
W3C VC 2.0 Recommendation (2025) · Chrome Digital Credentials API · NIST SP 800-63 Rev. 4 subscriber-controlled wallets
§ 03 · Four types of civic proof

Four distinct proof needs — not one identity problem.

If we don't separate these, every debate about whether digital identity needs to be strong gets muddy.

| Requirement type | Typical scenarios | Upper layer: legitimacy needed | Lower layer: exchange needed | Minimum privacy |
|---|---|---|---|---|
| Legal Identity (Statutory) | Tax filing · legally binding signatures · statutory benefits | State-rooted or legally authorized root identity | High assurance · revocable · prosecutable | Verifiable, with redress |
| Attribute Proof (Selective) | Age · residency · student status · membership | Verifiable attribute source | Selective & minimal disclosure | Unlinkable · no-phone-home |
| Uniqueness Proof (Sybil-resistant) | One person one account · one vote · forum blue check | Trusted uniqueness source | Deduplication · low disclosure | Pseudonymous · unlinkable |
| Pseudonymous Participation (Sensitive) | Whistleblowing · sensitive consultation · political discussion | Procedural legitimacy & post-hoc accountability | Preserve anonymity · preserve audit | Anonymous · accountable |
Every later debate about “strong identity” really depends on which of these four you have in mind.
Taxonomy: mashbean's synthesis
§ 04 · Global comparison — main cases

Root identity still comes from the state. Exchange is where paths diverge.

Over the last decade the competitive focus has expanded from “who issues identity” to “who controls the trust list and the presentation interface.”

|  | Upper · Issuance legitimacy | Lower · Exchange architecture | Current strengths | DCI gap |
|---|---|---|---|---|
| Taiwan (TW) | MOICA has legal effect · TW DIW multi-issuer ecosystem | PKI + wallet / VC dual track | Clear legal effect, rising experimentation flexibility | Ecosystem integration friction and civic burden coexist |
| European Union (EU) | eIDAS trust services · national trusted lists | EUDI Wallet · attestation · selective disclosure | Complete legal framework · formal cross-border interop | Complex rules; wallet/browser becomes new gatekeeper |
| Sweden (SE) | Commercial BankID as de facto · government supplementing | High daily adoption · mature platformization | High usage frequency · deep social penetration | Single-operator dependency · inclusion risk |
| United States (US) | State-level mDL · state law · state-level wallets | Mature standards · fragmented deployment | Strong OS and market influence | Nationally fragmented · large interstate variation |
The key to identity entering DCI is not whether a root exists — it is what exchange architecture that root sits inside.
eIDAS = electronic IDentification, Authentication and trust Services · EUDI = European Union Digital Identity · TW DIW = Taiwan Digital Identity Wallet
§ 04 · Global comparison — supplementary

Supplementary cases: scale, modularity, sovereignty.

|  | Upper · Issuance legitimacy | Lower · Exchange architecture | Current strengths | DCI gap |
|---|---|---|---|---|
| MOSIP (Platform) | Modular identity infrastructure self-built by each country | Open source · modular · locally deployable | Cost & sovereignty appeal for multiple states | Whether it supports civic rights depends on each country's governance |
| Aadhaar · India (IN) | National-scale root identity | Authentication / eKYC oriented | Extremely high scale and coverage | High scale does not equal high freedom guarantees |
| Bhutan NDI (BT) | Sovereignty-backed National Digital Identity | Trusted wallet · VC oriented | National-level innovation direction | International interop & governance maturity still forming |
Observation 1

MOSIP separates software stack from political ownership — states can adopt it while designing their own governance.

Observation 2

Aadhaar is a reminder: coverage is not a civic-rights proof. Scale without redress is a warning, not a model.

Observation 3

Bhutan's NDI is high-signal: a small state has already put wallet + VC + public chain into production.

mDL = Mobile Driver's License · MOSIP = Modular Open Source Identity Platform · NDI = National Digital Identity · mosip.io
§ 05 · Taiwan deep dive

MOICA concentrates friction before entry. TW DIW concentrates friction inside operation.

A warning case and a testbed, side by side.

MOICA · Citizen Digital Certificate
Issuer-centric · strong legal effect
DESIGN CENTER

Issuer-centric · legal effect · identification · digital signature

TYPICAL TASKS

Identification · digital signature · encryption/decryption

INTEGRATION

Requires formal application, review, approval

DISCLOSURE LOGIC

Tends toward high-assurance, even full identity verification

MAIN FRICTION

In-person counter · eligibility · API review · integration cost

TW DIW · Digital Identity Wallet
Holder-centric · scenario-based reuse
DESIGN CENTER

Holder-centric · credential reuse across scenarios

TYPICAL TASKS

Attribute presentation · cross-scenario credentials · selective disclosure

INTEGRATION

More open sandbox · wider entry for issuers / verifiers

DISCLOSURE LOGIC

Scenario-based authorization · minimal disclosure

MAIN FRICTION

User comprehension · verifier integration · trust list governance

TW DIW redistributes civic burden — from a central gate to a distributed landscape of issuers, verifiers, and citizens.
MOICA = Ministry of the Interior Certification Authority · moica.nat.gov.tw · TW DIW GitHub
§ 05 · Taiwan civic cases

Two live experiments — state credential → civic proof, and wallet → civic ecosystem.

CASE A
State credential → civic proof

PTT × MOICA × ZK Blue Checkmark

PTT, Taiwan's largest BBS, uses citizen digital certificates to generate ZK proofs — users obtain a “blue checkmark” without revealing their real identity, reducing coordinated information attacks during elections.

The proof

A state root credential can serve as the trust root — without the full identity being handed over to the platform.

CASE B
Wallet → civic ecosystem

g0v Summit 2026 × TW DIW

The biennial conference of Taiwan's largest civic tech community uses TW DIW to issue entry credentials, with non-governmental third parties acting as issuer and verifier.

The proof

A holder-centric ecosystem can be operated not only by government, but by civic communities too.

§ 06 · Age assurance as a stress test

Age verification is the clearest stress test in this whole discussion.

Identity infrastructure — once in the back end — is pushed right up to the front door of public space. Users prove themselves before they can enter.

|  | Regulatory development | Key timeline | Core tension |
|---|---|---|---|
| United Kingdom (UK) | Ofcom requires highly effective age assurance; multiple tech paths allowed | From 2025-07, adult-content sites must implement strong age checks | High regulatory intensity; privacy standards not necessarily consistent |
| Australia (AU) | Social-media minimum-age restriction; platforms required to take reasonable steps | Effective 2025-12 · compliance update 2026-03 | Platform responsibility, effectiveness, false blocks |
| European Union (EU) | Age verification app / blueprint aligned with EUDI roadmap | 2025 blueprint · deployable 2026-04 | Whether minimal disclosure can be institutionalized |
| United States (US) | From state-level content gates toward device / OS / app-store age signals | 2025-06 Paxton case · 2025-10 CA AB1043 | Sliding from “adult-content gate” toward “infrastructure-layer age signal” |
Legislation has outpaced technical standards and human-rights assessment. ISO/IEC 27566-1 did not exist when the first laws took effect.
Ofcom · CA AB1043 = California Assembly Bill 1043 (Digital Age Assurance Act)
mashbean · Prove You're Old Enough ↗
§ 06 · Age assurance — four rights at stake

Will age assurance expand from content control into a general-purpose identity gate?

Rights at risk
Privacy

ID documents, age, biometrics centrally processed.

Anonymity

Conflict with lawful browsing and the right to anonymity.

Free speech

Adults forced into self-censorship — the chilling effect.

Digital divide

Those without ID or bank accounts are excluded.

Incident · 2025-10

Discord × third-party vendor 5CA — government ID photos of ~70,000 users potentially exposed.

Where the proof flow can go
Child safety pressure
Rapid legislative push
PATH A · Per-site verification
PATH B · OS / App Store age signal
PATH C · Privacy-preserving proof
Tracking · Leaks · Chilling effect · Exclusion
Risk reduced, not eliminated
→ Expand into general-purpose identity gate?
The question is not only who gets to protect children — it is what kind of proof flow we use to do it.
mashbean · Research report ↗
§ 07 · Full identity vs. minimal proof

From full identity to minimal proof.

Selective disclosure · unlinkability · no-phone-home · browser politics — the technology is no longer the blocker.

| Question | Full identity approach | Minimal proof approach |
|---|---|---|
| Are you over 18? | Present date of birth · full ID | Prove only “over 18” |
| Do you live here? | Present full address or household registration | Prove only residency eligibility |
| Are you the same person? | Hand over real name · ID number | Uniqueness proof or pseudonymous credential |
| Do you have a qualification? | Hand over the entire credential | Present only the specific attribute |
Is a wallet necessary?

Conditional. For single-service login, federation or passkeys are enough. Multi-issuer, cross-context, minimal-disclosure, cross-border interoperability — that is where the wallet's institutional value rises sharply.

The new gatekeepers

Wallets, operating systems, and browsers become the default presentation layer. Competition expands from who issues identity to who controls the consent interface.

W3C VC 2.0 · Chrome Digital Credentials API (over-18 without revealing DOB) · Google Wallet 2025 open-sourced ZKP libraries · Ethereum Foundation PSE — client-side proving · EUDI ARF browser/OS restrictions
§ 08 · Civic & subnational experiments

These cases are evidence of demand — not evidence of a complete substitute.

| Case | Trust root | What need it reveals | Where it remains weak |
|---|---|---|---|
| Vocdoni (ES · Catalonia) | Local government · organizational membership · passport | Verifiable, auditable, privacy-first digital voting | Legal effect · adoption · cross-jurisdiction scalability |
| Rarimo Freedom Tool (RO · RU · IR) | Passport-rooted · ZK proof | Anonymous credential proof in exile & authoritarian contexts | High dependency on passports & specific tech stacks |
| QuarkID (AR · Buenos Aires) | City-level government · public-sector trust framework | City-level public digital trust frameworks | City → national extrapolation requires caution |
The more plausible future is a combination of state-rooted credentials and civic-layer participation tools — not wholesale replacement.
The deeper political question

How do you make citizens believe that a government-issued credential will not become a tool for government tracking? — this is why no-phone-home and unlinkability matter so much.

vocdoni.io · Rarimo Freedom Tool · decentralized privacy-preserving online voting · QuarkID · Buenos Aires digital trust framework
mashbean.net · extended reading ↗
§ 09 · Public blockchain as trust layer

Not personal data on-chain — status anchoring on-chain.

Only Bhutan and Taiwan have actually deployed public blockchain at the national digital-identity level. Its institutional value is trust-layer anchoring, not legitimacy itself.

Where each component belongs
| Component | Recommended position | Reason |
|---|---|---|
| Personal data | Off-chain · local wallet | Protect privacy; avoid irreversible linkage |
| Issuer DID / public key | Public registry or on-chain anchor | Cross-org independent verification |
| Trust list anchor | Publicly verifiable infrastructure | Auditable · resistant to single-point failure |
| Individual verification event | Avoid per-transaction callback to issuer | Reduce phone-home risk |
Federated trust-list architecture
A · Issuer
B · Trust list / Registry
C · Trust layer: public blockchain anchoring (DID · public key · trust-list anchor · status-list commitment)
D · Holder
E · Verifier (avoids per-transaction callback to issuer)
A federated trust-list alliance — not one global trust root — is the most workable future.
DID = Decentralized Identifier · EBSI = European Blockchain Services Infrastructure
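
The "Individual verification event" row and the status-list commitment in the trust layer, as an added example (not from the slides, and not the TW DIW or Bhutan NDI implementation): a verifier checks revocation against a cached status list whose SHA-256 commitment it reads from a public anchor, so the issuer never sees when or where a credential is presented. The bitmap layout, the function names and the `issuer.example` identifier are assumptions made for illustration.

```python
import hashlib
import hmac

def make_status_list(size, revoked):
    """Issuer side: one bit per credential index, 1 = revoked."""
    bits = bytearray((size + 7) // 8)
    for i in revoked:
        bits[i // 8] |= 0x80 >> (i % 8)
    return bytes(bits)

def commitment(list_id, version, status_list):
    """Digest the issuer anchors publicly; it contains no personal data."""
    h = hashlib.sha256()
    h.update(list_id.encode() + b"\x00" + version.to_bytes(8, "big"))
    h.update(status_list)
    return h.hexdigest()

class Verifier:
    """Checks status from a cached list plus the public anchor, never the issuer."""
    def __init__(self):
        self.anchors = {}  # list_id -> (version, digest) read from the anchor

    def sync_anchor(self, list_id, version, digest):
        current = self.anchors.get(list_id)
        if current and version < current[0]:
            # An older anchor could hide a revocation made since then.
            raise ValueError("anchor rollback rejected")
        self.anchors[list_id] = (version, digest)

    def check(self, list_id, version, status_list, index):
        anchor = self.anchors.get(list_id)
        if anchor is None or anchor[0] != version:
            return "untrusted"  # unknown list or stale copy
        digest = commitment(list_id, version, status_list)
        if not hmac.compare_digest(digest, anchor[1]):
            return "untrusted"  # copy does not match the anchored commitment
        if not 0 <= index < len(status_list) * 8:
            return "untrusted"
        revoked = status_list[index // 8] & (0x80 >> (index % 8))
        return "revoked" if revoked else "valid"

def demo():
    # Constructed sample: a hypothetical issuer with 16 credential slots.
    list_id = "issuer.example/status/1"
    v1 = make_status_list(16, revoked=[])
    v2 = make_status_list(16, revoked=[5])
    verifier = Verifier()
    verifier.sync_anchor(list_id, 1, commitment(list_id, 1, v1))
    before = verifier.check(list_id, 1, v1, 5)
    verifier.sync_anchor(list_id, 2, commitment(list_id, 2, v2))
    stale = verifier.check(list_id, 1, v1, 5)      # old copy replayed
    tampered = verifier.check(list_id, 2, v1, 5)   # revocation bit cleared
    after = verifier.check(list_id, 2, v2, 5)
    other = verifier.check(list_id, 2, v2, 6)
    return before, stale, tampered, after, other
```

Because the verifier fetches the whole list rather than querying one index, whoever serves the list cannot tell which credential was checked.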
§ 10 · Policy agenda

From rights to deployment — five operational moves.

A system can be excellent at digital government and still inadequate for digital civic action. The difference is whether rights baselines, open ecosystems, and procurement governance are affirmatively addressed.

| Layer | Specific policy action | Corresponding cases | Why it matters |
|---|---|---|---|
| 01 · Rights baseline | Minimal disclosure · unlinkability · no-phone-home · voluntariness · alternative paths · redress | ACLU · EFF · CDT No Phone Home · EU browser restrictions | Without a baseline, new use cases default to maximum visibility. |
| 02 · Platforms & standards | Open wallets · standardized provisioning · avoid single-platform lock-in | Chrome DC API · TW DIW OID4VC / OID4VP · CA OpenCred | The presentation layer will become the new gatekeeper. |
| 03 · Procurement & rollout | Procurement sandbox · third-party testing · exit clauses · incident response | Verifier onboarding · module replacement testing | If rights are not translated into procurement language, they vanish at rollout. |
| 04 · Public-interest pilots | Small-scale trials with specific civic use cases | Forum blue checkmark · event credentials · local consultation | First prove civic proof is useful — then discuss full rollout. |
| 05 · AI delegation | Scope limitation · revocable · auditable · human override | OpenID agent identity · NIST AI agent concept | Shifts from who logs in to who can act on whose behalf. |
ACLU = American Civil Liberties Union · EFF = Electronic Frontier Foundation · CDT = Center for Democracy & Technology · OID4VC / OID4VP = OpenID for Verifiable Credentials / Presentations
mashbean · Agentic ID governance ↗
§ 11 · Conclusion
One sentence to leave behind

A democratic digital identity system should determine when I can act without exposing more than necessary.

Mainstream state systems are very good at government service, signatures, compliance, and platform onboarding. They are weaker at pseudonymous participation, unlinkability, redress, and low-threshold civic reuse. The core problem is not how to make people easier to identify — it is how to turn legitimate qualification into civic proof that is low-friction, low-exposure, and redressable.

Open questions
  1. Q.01 Which civic acts require legal identity, and which need only attribute or uniqueness proof?
  2. Q.02 Have browsers, operating systems, and wallets already become new public infrastructure?
  3. Q.03 If state-rooted credentials remain mainstream, what exchange architecture supports privacy, portability, redress, and inclusion?
  4. Q.04 How should this research converge to avoid becoming overly dispersed?
  5. Q.05 What are the next steps for practitioners, policy advocates, and researchers — respectively?
mashbean · mashbean.net · Allen Lab Policy Fellow
Colophon & references

Thank you.

Let's discuss.

Author mashbean · Taipei
License CC BY-NC 4.0 · mashbean 2026