November brings enhanced security capabilities and expanded credential query support, with new HAIP profile implementation and improved authorisation mechanisms.

Authorizer

Keystore and Certificate Management: Introduced dedicated keystore functionality with private key derivation and key resolution, enabling secure key management across different operational contexts.

Certificate Chain Support: Authorisation request JWTs now include full certificate chains, providing enhanced trust verification for relying parties validating authorisation requests.

HAIP Profile Support: Authorisation requests can now be created based on High Assurance Interoperability Profile (HAIP) definitions, ensuring compliance with high-assurance credential presentation requirements.

x509_hash Client Identifier: Added support for x509_hash as a client identifier prefix, allowing client identification based on certificate hash values for improved security in certificate-based authentication flows.

Authorisation URI Schema Improvements: Refactored authorisation endpoint URI schema to support profile-based defaults whilst maintaining flexibility for custom implementations.

Response Mode Validation: Authorisation responses now enforce strict response_mode matching, preventing mismatched response delivery methods between requests and responses.

Streamlined Authorisation Requests: Removed the non-standard client_id_schema parameter from authorisation requests, aligning with OpenID4VP specifications.

Validator

DCQL Trusted Authorities: Digital Credential Query Language (DCQL) now supports Authority Key Identifier (AKI) for specifying trusted credential issuers, giving you more precise control over which credential authorities to trust during validation.

Enhanced API Documentation: Updated OpenAPI specifications include detailed descriptions of validation processes, supported formats (DIF Presentation Exchange, DCQL, mDL Device Requests), and comprehensive error response documentation.

Verifier

Enhanced API Documentation: Updated OpenAPI specifications provide clearer descriptions of verification processes and detailed error responses across all status codes, making integration easier for developers.

Enhanced authorization framework, modernized certificate handling, and added various improvements across the Vidos identity platform.

Authorization Framework

TypeScript Policy Engine: Replaced the Open Policy Agent (OPA) with a native TypeScript-based policy engine for authorization decisions

• Implemented PolicyEngine class with comprehensive evaluateAllow and evaluateMustDeny methods
• Added detailed resource and action matching using glob patterns for flexible policy rules
• Removed OPA-related dependencies
• Streamlined policy evaluation logic and test coverage

Authorizer Testing:

• Enhanced the Authorizer Tester with improved request handling and visualization
• Fixed date handling in authorization to properly handle the "now" parameter
• Added comprehensive testing samples for various authorization scenarios, used throughout documentation and dashboard testers

Cryptography and Verification

X.509 Certificate Generation: Refactored X.509 certificate handling

• Completed upgrade of legacy certificate generation
• Updated validity period handling to use explicit notBefore and notAfter dates
• Improved test coverage for certificate generation and validation

Mobile Document Support: Fixed date fetching for mDOC format when applying notBefore and notAfter policies

Wallet Integration: Enhanced support for Multipaz/Valera wallets

• Additional OpenID4VP compatibility and conformance testing to ensure better interoperability with wallet providers
• Added custom test credentials for more comprehensive end-to-end testing

Documentation and Developer Experience

W3C Verification Guides: Improved documentation and examples for W3C verification standards

Documentation Site: Migrated documentation site to a more modern and maintainable architecture

Verifier Configuration: Added comprehensive documentation for verifier configuration options

Database and Infrastructure

SSL Database Support: Enhanced database connection configurations and improved connection pooling

Security Enhancements:

• Updated authorization logic in viewer-request.js
• Enhanced helmet security configuration in application setup

Error Handling and Logging

• Gateway Errors: Improved gateway error reporting for clearer troubleshooting
• Instance Configuration: Enhanced instance configuration UI with improved validation
• Error Handling: Fixed resource ID checking in applicableForTestingOptions function
• Logging Framework: Implemented a logging wrapper for verifier and validator services

‍

Vidos has achieved certification under the UK Digital Identity and Attributes Trust Framework (UK DIATF) as:

• Orchestration Service Provider,
• Component Service Provider, and
• Attribute Service Provider.

The company is listed on the GOV.UK register of digital identity and attribute services.

What This Means

UK DIATF certification validates our verification infrastructure against government requirements for digital identity services. This independently certified framework ensures:

• Compliance with UK government rules for identity verification
• Support for GOV.UK Wallet credentials and existing certified providers
• Standards-compliant verification across multiple credential formats
• Regulatory alignment for UK digital identity verification

Our Compliance Portfolio

This certification joins our existing security and quality certifications:

• ISO 27001 - Information Security Management
• UK Cyber Essentials - Cyber Security Standards
• ISO 9001:2015 - Quality Management Systems
• UK DIATF - Digital Identity Verification Services

Technical Scope

Vidos verification services operate under UK DIATF-certified processes. The service supports mdoc (ISO 18013-5), W3C Verifiable Credentials Data Model 2.0, and OpenID protocols.

Visit our UK DIATF certification page for certification details.

We've enhanced our authorization capabilities with DCQL support, improved developer experience with new testing infrastructure, and strengthened our security compliance framework.

Authorizer Service

Features

• DCQL Query Support: Added support for Digital Credential Query Language (DCQL) in the Authorizer Service, enabling more flexible and structured credential requests alongside existing DIF Presentation Exchange support
• Additional Configuration Options: Expanded Authorizer configuration capabilities with new parameters for authorization endpoints and client ID prefix support, providing greater flexibility in deployment scenarios

Improvements

• X509 Certificate Handling: Fixed x509_san_dns prefix handling and clientId generation to properly support DNS name extraction from URLs, ensuring correct certificate-based authentication
• Response Alignment: Aligned authorizer responses with OpenID4VP specifications for better standards compliance to 1.0.0
• CORS Configuration: Fixed CORS handling for resolver paths, improving cross-origin request support

Infrastructure & Testing

Security & Compliance

• Security Compliance Page: Added dedicated security and compliance documentation page with updated ISO9001 certification details
• Terms of Service Updates: Incorporated equality and accessibility clauses into terms of service, demonstrating commitment to inclusive practices
• Log Retention: Implemented automated log lifecycle policies for log storage, improving log management and compliance

Developer Experience

Dashboard Interface

• Tester Components: Replaced diagnostic tabs with new tester components and restructured documentation for improved user experience

Vidos has successfully achieved ISO 9001:2015 certification under the scope "The facilitation of the provision of the Vidos product providing online verifiable identity services globally."

What This Means

ISO 9001:2015 certification validates our commitment to quality management systems and continuous improvement across all aspects of our identity verification services. This internationally recognised standard ensures:

• Consistent delivery of high-quality verification services
• Systematic approach to customer satisfaction
• Continuous improvement of our processes and systems
• Enhanced operational efficiency

Our Growing Compliance Portfolio

This certification joins our existing security and quality certifications:

• ISO 27001 - Information Security Management
• UK Cyber Essentials - Cyber Security Standards
• ISO 9001:2015 - Quality Management Systems

Impact on Our Services

All Vidos services, including our Universal Resolver, Verifier, Validator, and Authorizer, operate under certified quality management processes. This ensures predictable, reliable service delivery for enterprise clients preparing for eIDAS 2.0 compliance and digital identity transformation.

‍

Visit our security and compliance page to find out more.

We've enhanced our DID resolver capabilities, improved service specifications compliance, and strengthened our infrastructure with better error handling and testing.

Vidos Universal Resolver

Features

• WebVH DID Method Support: Added support for the did:webvh resolver method, expanding our DID resolution capabilities to include Verifiable History specifications (learn more here: https://vidos.id/blog/vidos-now-supports-did-webvh-the-next-generation-of-verifiable-digital-identity)
• ‍W3C DID Specification Compliance: Add additional resolver service to W3C-compliant endpoints at /w3c/did/1.0/identifiers/, maintaining backward compatibility with deprecated paths
  

Vidos Verifier

Improvements

• Enhanced Proof Policy Processing: More consistent and clearer error reporting when verification fails, allow you to diagnose the problem easier.
  

Vidos Validator

Improvements

• Better Error Reporting: Enhanced credential format policy errors with detailed problem details following RFC 9457 standard.
• ‍Base64 and JWT Schema Validation: Improved validation accuracy with dedicated handling for base64 and JWT formats

Security & Compliance

Improvements

• DID:DHT Removal: Removed support for did:dht method (learn more here: https://vidos.id/blog/understanding-the-deprecation-of-did-dht)

We've enhanced regional compliance, improved documentation coverage, and strengthened security across our services.

Legal and Compliance

Regional Terms of Service

• Clearer Legal Entity Selection: Users can now easily identify which legal entity (EU or UK) they contract with based on their location, ensuring compliance with regional regulations and providing clear recourse for service complaints.

Documentation and Site

API Documentation

• API documentation: Added Authorizer and Gateway service OpenAPI specifications to documentation, ensuring all core services have comprehensive API documentation
• Streamlined Documentation Structure: Standardized page titles across management and services documentation for improved navigation.
• Authorizer policy documentation: Documented Authorizer policies meaning that all service policies are now documented.
• Validator error documentation: Clear documentation for each error that the validator returns. Each error is described, including possible causes and suggested resolutions.

Services

• Validator: created improved error handling to return clearer more consistent errors that link to documentation.
• Validator: now supports combining trusted sources, e.g. a Vical and provided trust certificates.

Security and Infrastructure

ISO 27001

• Surveillance Audit: Completed the scheduled ISO 27001 surveillance audit in July 2025 with no nonconformities raised.

Security Enhancements

• Critical Vulnerability Patched: Updated @cef-ebsi/ebsi-did-resolver to address CVE-2025-7783, eliminating predictable boundary value generation in form-data requests.
• API Documentation: explicitly indicated public endpoints on API documentation.

Simplified verification workflows, enhanced credential validation, and improved developer experience with new logging capabilities.

API Improvements

• Combined Verifier and Validator Endpoint: Created a unified endpoint that streamlines the verification and validation process for credentials, reducing integration complexity and improving response times.
• Enhanced Error Messaging: Improved request validation with more descriptive error messages, making debugging and integration significantly easier for developers.

Credential Validation

• Trusted Issuer Configuration: Improved AAMVA VICAL updates with a more intuitive policy configuration system:
  • Renamed configuration parameters for better clarity (e.g., "VICAL TAG" is now "PREDEFINED TAG")
  • Added support for direct CBOR VICAL provision, eliminating the need for URL-accessible hosting
  • Implemented TTL-based caching to more efficiently keep VICAL’s up to date.

We've made significant improvements to our validation infrastructure, enhanced configuration capabilities, and improved credential format support.

Validation and Policy Enhancements

Validator Service

• Enhanced Multi-Credential Support: Refactored validator flow to support both DIF Presentation Exchange (PE) and Digital Credential Query Format (DCQL) credential queries.
• Improved Policy Processing: Validator policies are now executed individually for each presentation in a submission, with results flattened for easier navigation.

Mobile Driving License (mDL) Support

• Independent mDL Processing: Made it easier to use Mobile Driving Licenses independently with both validator and verifier services.

Configuration and User Experience

Dashboard Improvements

• Enhanced Configuration Labels: Added comprehensive internationalization labels for all service configuration forms, making every configurable field more intuitive.
• Service-Specific Labels: Added detailed labels for resolver DID methods, verifier status lists, validator policies, authorizer OpenID4VP settings, and gateway service configurations.

API and Data Format Improvements

JSON Schema Enhancements

• Enhanced API Validation: Applied improved schemas to verifier and validator APIs for improved input validation and error handling.

Security and Authentication

Authorizer Service

• X.509 Certificate Support: Added support for X.509 certificates in JWT headers.
• Enhanced Key Handling: Improved support for EC (P-256, P-384, P-521, secp256k1), RSA, and OKP (Ed25519, Ed448) key types.

We have successfully renewed our UK Cyber Essentials certification, demonstrating our continued commitment to cybersecurity best practices.

‍What's New:

‍UK Cyber Essentials Certification Renewed

Our certification has been renewed and is valid through May 13, 2026 (Certificate ID: 5d412176-2bb4-47bf-9b9c-c001bd05dcbd)

All Vidos services and our organizational infrastructure are covered by this certification, reinforcing our dedication to maintaining robust security controls and protecting our customers' data.

For more information on our security certifications and compliance, please visit our Trust Centre (https://trust.vidos.id).

‍

Credential Format Support

• Added support for IETF OAuth Status List verification
• Added support for IETF StatusList CWT format
• Enhanced ECDSA JCS 2019 verification capabilities

Documentation and User Experience

• Added presentation definition error displays for improved debugging capabilities
• Enhanced authorizer tester policies with detailed results display
• Added organisational identity presentation definition samples
• Added comprehensive DIF Presentation Exchange documentation
• Restructured our documentation site for improved clarity and usability

Credential Standards

• Added support for IETF Digital Credential proof verification
• Improved support for IETF Digital Credential format
• Added JWT-SD Key Binding verification

Authentication and Protocol Enhancements

• Added client metadata support to OpenID4VP response
• Improved authorization flows with structured errors and examples
• Enhanced configuration capabilities with detailed error handling

Service Management

• Added Service Roles UI for simplified access management
• Implemented service role management and policies

Credential Format Enhancements

• Added support for Selective Disclosure SD-JWT credentials
• Added support for JWT-based Verifiable Presentations
• Added ISO 18013-5:2021 Mobile Driving License (mDL) verification
  

API Improvements

• New APIs supporting JSON-LD, JWTs, and M-DOCs formats
• Improved credential validation and verification processes
  

Verification Enhancements

• "Valid At" replaced with "Not Before" and "Not After" for clearer credential validity
• New "Handle As" setting allows missing optional fields to be warnings or errors
• Enhanced schema validation for JSON-LD credentials
  

Status List Expansion

• JWT-signed status lists now supported alongside JSON-LD
• Enhanced revocation and suspension interoperability with EBSI collaboration
  

Logging and Validator Improvements

• Audit logs for tracking policy changes and configurations
• Implemented usage logs for resolution, verification, and validation activities
• Created fallback mechanism to correct invalid submissions and support wallet variations

Ping Identity Connector

• Official Vidos Ping Connector released for PingOne DaVinci.
• Ping Identity users can now extend their capabilities to include decentralized identities.

Dashboard and UI Updates

• Introduced service and account logs display within the dashboard.
• Improved dashboard navigation to accommodate new logging features.

Identity Credential Enhancements

• Added support for Selective Disclosure SD-JWT credentials.
• Introduced core support for Mobile Driver’s License (mDL) verification.
• Improved interoperability checks for Verifiable Credential (VC) and Verifiable Presentation (VP) standards.

VLEI (Verifiable Legal Entity Identifier) Implementation

• Implemented API endpoint definitions for VLEI services.
• Instantiated internal services to support future expansion.

Logging and Infrastructure Updates

The logging system reached an important milestone with several key developments:

• Logging Alpha finalized and deployed to production.
• Logging read services prepared for customer access.

Verifier and Credential Enhancements

• Added support for JWT-based Verifiable Presentations.
• Implemented Power of Attorney Proof-of-Concept in the Verifier, expanding use case coverage.

Decentralized Identity Standardization

• Integrated EBSI conformance testing into the authorizer.
• Deployed initial version of EBSI-compliant verification processes.

‍

Verifier Enhancements

The Verifier service received major updates to improve credential validation:

• Implemented support for MDL (Mobile Driver’s License) verification.
• Enhanced validity period handling by replacing "Valid At" with "Not Before" and "Not After."
• Finalized status check policy, ensuring revoked and suspended credentials are properly processed.

Resolver and API Improvements

• DHT resolver deployed to production.
• Introduced support for JWT format credentials, expanding compatibility with different credential standards.

Security and Compliance

• Initiated AWS Vendor Insights review for advanced listing.

Billing System Enhancements

Significant progress was made in implementing a robust billing system, streamlining subscription management for users. Key updates include:

• Stripe billing integration completion.
• AWS Marketplace listing. You can now purchase Vidos services through AWS Marketplace!
• UI elements introduced for billing and paymentsflow.

Decentralized Identity Improvements

• Developed a dynamic credential status system, supporting revoked, suspended, and message states.
• Implemented the initial version of presentation definition frameworks for better credential validation.
• Completed the DHT resolver implementation, improving credential resolution reliability.

Configuration and Logging Enhancements

• Added preliminary logging infrastructure, including audit and monitoring capabilities.