TL;DR: According to Raidiam, interoperability, assurance, and regulatory alignment across digital identity ecosystems are set to improve as the OpenID Foundation selects one of the first testing service providers for its forthcoming independent conformance test program for OpenID for Verifiable Credentials. The move matters because standards adoption alone is no longer enough when wallets, issuers, verifiers, and relying parties must behave consistently at scale.
At a glance
What this is: The article says independent conformance testing for OpenID for Verifiable Credentials is moving into a formal program to improve implementation consistency and ecosystem trust.
Why it matters: This matters to IAM practitioners because verifiable credentials introduce governance, interoperability, and assurance requirements that span identity, trust infrastructure, and policy enforcement.
By the numbers:
- As more than 60 countries pursue national digital identity initiatives and around 90 explore open data and smart data programs, schemes need to prove that their wallets, issuers, verifiers and relying parties implement standards correctly and consistently.
- Raidiam says it delivered nearly half a billion test executions for Open Finance Brasil in 2025.
Context
OpenID for Verifiable Credentials is a standards-based way to issue and present credentials between wallets, issuers, verifiers, and relying parties. The governance problem is not whether the specification exists, but whether independent implementations behave the same way across schemes, jurisdictions, and assurance profiles.
That gap is familiar to IAM leaders: federation and trust frameworks only work when technical behaviour matches policy intent. For digital identity programmes, conformance testing becomes the bridge between specification compliance, operational trust, and regulatory confidence.
Key questions
Q: How should scheme operators govern OpenID for Verifiable Credentials implementations?
A: Scheme operators should require independent conformance testing, define participant onboarding rules through trust registries, and revalidate implementations as policies or assurance levels change. The goal is to ensure wallets, issuers, verifiers, and relying parties behave consistently, not just claim compliance. Governance should cover technical behaviour, metadata control, and ongoing assurance together.
Q: Why do verifiable credential ecosystems need more than self-certification?
A: Self-certification can confirm that a participant believes it follows a specification, but it does not prove that implementations behave consistently across real ecosystems. Independent testing is needed because small behavioural differences can produce interoperability failures, policy drift, or weak trust decisions. That is why conformance has become a governance issue, not a documentation exercise.
Q: What breaks when wallets, issuers, and verifiers do not implement standards consistently?
A: Inconsistent behaviour can cause credential presentation failures, rejected transactions, mismatched assurance decisions, and uneven policy enforcement across schemes. For digital identity programmes, that means the same credential may work in one context and fail in another. The result is lost trust, higher support burden, and weaker cross-border recognition.
Q: Who should be accountable for conformance in digital identity schemes?
A: Accountability should sit with scheme operators, regulators where applicable, and the participants that run wallets, issuance services, and verification services. Each role owns a different part of the trust chain, so governance must define who approves participation, who validates implementation behaviour, and who responds when conformance changes over time.
Technical breakdown
Why OpenID for Verifiable Credentials needs independent conformance testing
OpenID for Verifiable Credentials defines how credentials are issued and presented using OpenID standards, but implementation differences can still break interoperability. Independent conformance testing validates behaviour against a common test suite rather than relying only on self-certification. That matters because wallet providers, issuers, and verifiers each sit in different trust positions, and small deviations can create scheme-wide failures. In practice, conformance testing helps translate a written standard into predictable ecosystem behaviour across multiple vendors and jurisdictions.
Practical implication: scheme operators should require independent conformance evidence before allowing production participation.
How trust registries and OpenID Federation support ecosystem governance
OpenID Federation and trust registries give identity ecosystems a way to describe which organisations and software are authorised to participate. That is a governance layer, not just a technical directory, because it controls who can operate as an issuer, verifier, wallet provider, or relying party. When paired with conformance testing, federation turns static compliance into a managed trust model that can be updated as participants change, policies evolve, or local regulatory requirements differ. This is especially relevant in cross-border digital identity schemes.
Practical implication: operators should align participant onboarding, metadata governance, and testing rules in the same trust framework.
Why wallet, issuer, and verifier consistency is now a policy issue
Verifiable credential ecosystems only function if wallets, credential services, and verifiers interpret standards consistently. If one participant handles presentation, claims, or validation differently, the result can be failed transactions, inconsistent assurance, or policy drift across schemes. Independent conformance testing gives regulators and scheme owners a way to connect technical behaviour to policy goals such as privacy, security, and user control. That makes interoperability a governance control, not just a developer concern.
Practical implication: digital identity programmes should treat interoperability evidence as part of assurance, not an afterthought.
NHI Mgmt Group analysis
Independent conformance testing is becoming the missing control layer for verifiable credentials. OpenID for Verifiable Credentials can define the rules, but without third-party testing the ecosystem still depends on each participant’s self-attestation. That leaves schemes exposed to inconsistent behaviour across wallets, issuers, verifiers, and relying parties. The practical conclusion is that trust in verifiable credentials now depends on proving conformance, not merely claiming standards adoption.
Conformance has moved from developer quality assurance to ecosystem governance. In digital identity, a single implementation defect can create policy drift, failed recognition, or weak assurance across an entire scheme. The article shows why regulators and scheme operators need a repeatable way to connect technical behaviour to governance outcomes. Practitioners should treat conformance evidence as part of operating the trust framework, not as a one-time certification exercise.
OpenID Federation and trust registries are only as strong as the rules behind them. A directory of participants is not enough if onboarding, metadata, and authorisation are not tied to testable standards. The value here is not the registry itself, but the ability to continuously govern who can participate and under what conditions. The practitioner takeaway is to align participant control, trust infrastructure, and validation workflows into one operating model.
Digital identity programmes are converging with the same governance demands already familiar in IAM. Wallet ecosystems, credential issuers, and relying parties now need the same discipline that IAM teams apply to federation, assurance, and lifecycle control. The difference is that the control plane spans multiple organisations and jurisdictions, which raises the cost of inconsistency. Practitioners should expect verifiable credential governance to look less like a point product decision and more like a scheme-wide operating standard.
Interoperability is becoming the new proof point for identity assurance. As digital identity expands into finance, government, education, and open data, the market will increasingly reward schemes that can demonstrate measurable conformance at scale. That shifts the conversation from feature adoption to operational credibility. The implication for practitioners is clear: if interoperability cannot be tested, it cannot be trusted.
From our research:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- A separate finding from the same report shows that only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities.
- For a broader governance lens, see Ultimate Guide to NHIs for lifecycle, visibility, and access control patterns that apply when identity trust must be operationalised at scale.
What this signals
Conformance testing will become a practical control for digital identity programmes that need to move from pilot to production. As wallet ecosystems scale, the real question is whether the trust model can be proven repeatedly across participants, not whether the standard exists on paper. Teams responsible for identity governance should expect more scrutiny of implementation evidence, certification scope, and scheme-level interoperability.
Lifecycle governance will matter as much as protocol compliance. Once participants, issuers, and verifiers are operating across jurisdictions, onboarding and offboarding become trust events, not administrative tasks. The control challenge is to keep metadata, authorisations, and participation status aligned with real operational behaviour.
The next phase of digital identity will reward schemes that can show measurable assurance, not just broad adoption. That shifts programme design toward repeatable testing, documented governance, and clearer accountability across the trust chain. For practitioners, the useful question is no longer whether verifiable credentials are possible, but whether they are governable at production scale.
For practitioners
- Require independent conformance evidence before production onboarding: Do not accept self-certification alone for wallets, issuers, verifiers, or relying parties. Make third-party conformance results a gate for production participation in a scheme or trust framework.
- Tie federation metadata to governance controls: Use OpenID Federation and trust registries to define who can participate, what software is authorised, and which profiles apply. Revalidate those records when participants, assurance levels, or regulatory requirements change.
- Build interoperability checks into operating governance: Treat test coverage, failed cases, and certification status as part of scheme oversight. Track whether implementations remain consistent across jurisdictions rather than assuming initial approval is sufficient.
- Separate implementation conformance from policy acceptance: A system can be technically conformant and still fail local policy, privacy, or sovereignty expectations. Review both layers together before allowing cross-border or multi-scheme use.
Key takeaways
- Independent conformance testing closes the gap between published standards and real-world interoperability for verifiable credentials.
- Digital identity governance now depends on proving participant behaviour across wallets, issuers, verifiers, and relying parties.
- Practitioners should treat trust registries, federation metadata, and certification evidence as one operating model.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access governance matters when participants join and leave a trust framework. |
| NIST SP 800-63 | | Verifiable credentials sit within digital identity assurance and federation patterns. |
| OWASP Non-Human Identity Top 10 | NHI-08 | Conformance and trust governance are central when identities are machine-operated services. |
Apply NHI-08-style governance to ensure credentials and participants are tested, monitored, and controlled.
Key terms
- OpenID For Verifiable Credentials: An identity standard that defines how verifiable credentials are issued and presented using OpenID-based protocols. It lets wallets, issuers, verifiers, and relying parties exchange credentials in a way that can be tested for interoperability and assurance across different ecosystems.
- Conformance Testing: A formal process for checking whether an implementation behaves according to a published standard or profile. In digital identity, it helps prove that technical behaviour matches scheme expectations, reducing interoperability failures, policy drift, and inconsistent trust decisions across participants.
- Trust Registry: A governed record of which organisations and software are allowed to participate in an identity or data ecosystem. It is not just a directory, because it also expresses policy, authorisation, and operational trust conditions that can be enforced and reviewed over time.
- OpenID Federation: A federation model that describes how entities are identified, authorised, and trusted within an OpenID-based ecosystem. It provides a structured way to manage participant metadata and relationships so that identity schemes can scale without losing governance control.
This post draws on content published by Raidiam: Raidiam joins OpenID Foundation’s independent conformance test program. Read the original.
Published by the NHIMG editorial team on 2026-03-27.