i was deep in the digital wallet and checking my BITCOIN and ETHEREUM savings when i saw a spec last night and something kept pulling at me that the documentation glosses over 😂

honestly? non-custodial sounds like a guarantee

  • your credentials live on your device

  • no central server holds them. you control them

  • that's the pitch and on the surface it holds

but non-custodial is not the same as safe

and it is definitely not the same as recoverable.

here is how the wallet actually works.

credentials are stored in the device's secure enclave - hardware-backed encryption via the iOS Secure Enclave or Android Trusty. biometric authentication gates access. the private keys that prove your credentials are yours never leave the device.

for a national identity system this is the right architecture. putting citizen identity data on a central server creates a single point of attack for every identity in the country.

the trust registry sits on the other side of this. issuers - government agencies, authorized institutions - register their DIDs and public keys on-chain. when a verifier checks your credential they query the trust registry to confirm the issuer is legitimate. the credential in your wallet plus the issuer record on-chain equals a verified identity. neither half works without the other.
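to make that "neither half works without the other" concrete, here is an added example (mine, not code from the post or the Sign whitepaper). it assumes ed25519 signatures and constructed DIDs like did:example:agency; a Go map stands in for the on-chain registry. the verifier only accepts a credential when the issuer DID resolves in the registry and the signature checks under the key registered there.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Credential is a constructed minimal credential: the issuer signs the payload with
// a key that stays with the issuer; only the signed result sits in the wallet.
type Credential struct {
	Issuer, Subject, Claim string // issuer DID, holder DID, attested claim
	Sig                    []byte // issuer signature over payload()
}

// TrustRegistry stands in for the on-chain registry: issuer DID -> public key.
type TrustRegistry map[string]ed25519.PublicKey

// payload is the exact bytes the issuer signs and the verifier re-checks.
func (c Credential) payload() []byte {
	b, _ := json.Marshal(struct{ Issuer, Subject, Claim string }{c.Issuer, c.Subject, c.Claim})
	return b
}

// Issue signs a credential with the issuer's private key (HSM-held in practice).
func Issue(priv ed25519.PrivateKey, issuer, subject, claim string) Credential {
	c := Credential{Issuer: issuer, Subject: subject, Claim: claim}
	c.Sig = ed25519.Sign(priv, c.payload())
	return c
}

// Verify is the verifier's check: look the issuer up in the registry, then check
// the signature under the registered key. Either half failing means no identity.
func Verify(reg TrustRegistry, c Credential) (bool, string) {
	pub, ok := reg[c.Issuer]
	if !ok {
		return false, "issuer DID not in trust registry"
	}
	if !ed25519.Verify(pub, c.payload(), c.Sig) {
		return false, "signature does not verify under registered key"
	}
	return true, "" // both halves hold: registered issuer, intact credential
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	reg := TrustRegistry{"did:example:agency": pub} // constructed DID
	cred := Issue(priv, "did:example:agency", "did:example:citizen", "resident")
	fmt.Println(Verify(reg, cred)) // true
}
```

a credential whose issuer is missing from the registry fails even if its signature is self-consistent, and a tampered claim fails even though the issuer is registered.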

what i kept circling back to is the device dependency.

your national identity credential lives on your phone. your phone breaks. your phone is stolen. your phone is lost. your phone manufacturer stops supporting the operating system that runs the secure enclave.

in every one of those cases your credential is gone

not suspended

not locked. gone. the whitepaper mentions social recovery for key management - HSM-backed with FIPS 140-3 Level 3 for issuers. what it doesn't fully describe is what recovery looks like for a citizen whose wallet device is simply destroyed.

the enrollment process exists.

a citizen can go back to the issuing authority and get re-enrolled. but re-enrollment requires the same documentation and verification process as initial enrollment.

for the populations this system is designed to reach - rural, underbanked, limited connectivity - getting back to an enrollment point after losing a device is not a small ask.

the architecture is correct. local storage beats central server. hardware-backed encryption is the right call. the trust registry model is clean.

the gap is that non-custodial shifts custody risk from the institution to the individual. and the individual has fewer recovery options than any institution would.

honestly i don't know if device-local credential storage is the right tradeoff for sovereign identity infrastructure, or whether shifting that much responsibility onto individual citizens creates a fragility that hits hardest exactly where the system is supposed to help most.

non-custodial identity that protects citizens from institutional data breaches - or a model that trades one risk for another and leaves recovery as an unsolved problem?? 🤔

#SignDigitalSovereignInfra @SignOfficial $SIGN
