§ Blog

Technical notes

Implementation logs from building an EUDI Wallet verifier: OID4VP conformance, the mdoc age verification profile, the Digital Credentials API, Noir circuits, and European regulatory frameworks.

• April 26, 2026

  Implementing the eu.europa.ec.av.1 blueprint profile: five concrete traps on the mdoc path

  Five subtle implementer mistakes the EU Age Verification blueprint profile lets you make and that no test fixture catches — trust store as a chain validator, MSO validityInfo gating, namespace isolation, selective disclosure on age_over_NN, and CBOR-canonical session transcript.

• April 20, 2026

  Verify a Tessaliq receipt yourself, no coordination needed

  Every Tessaliq verification returns a signed JWT receipt. This post shows how a third party — auditor, Relying Party, regulator — can verify that receipt cryptographically with just the public JWKS endpoint. Spec, library (MIT), three-line code example, and an honest list of what the receipt does NOT prove.

• April 19, 2026

  Why our verifier declares purpose and legal basis in every request

  Tessaliq now attaches a W3C Data Privacy Vocabulary (DPV) declaration — purpose, legal basis, retention — to every policy endpoint response and every signed receipt. The declaration is cryptographically attested per verification, not a free-text promise on a privacy page. Why we bothered, what's in the payload, and what we're NOT claiming.

• April 18, 2026

  Passing the 9 OpenID Foundation OID4VP 1.0 Final conformance modules: a verifier implementer's retrospective

  Nine concrete bugs I had to fix to pass 9/9 modules on the sd_jwt_vc + x509_san_dns + dcql + direct_post.jwt variant — disclosure hashing, KB-JWT audience prefixing, JWE kid routing, silent fall-through bugs found on a re-run, and more.