Skip to main content

2026-02-20 1145 AEDT

Feb 20, 2026

UN CEFACT GTR - AEST / PST

Attendees:

  • Mark Lizar
  • Sankarshan Mukhopadhyay
  • Jo Spencer
  • John Phillips

Summary

Project Schedule and Deliverables
The project timeline was relaxed following the cancellation of the May forum, allowing the team to focus on developing specifications and standards rather than pursuing a formal recommendation immediately. The immediate goal is to finalize current documents to a stable version and prepare them for review by the UN/CEFACT bureau.

Document Structure and Data Schema
Key improvements were made to the document layout, including elevating the Glossary, and technical changes were implemented to formalize the registrar data schema into a machine-readable JSON file. This formalization provides rigor for participating registrars and supports the project's focus on company registration artifacts within international trade law.

Transparency and Governance Requirements
A presentation proposed the need for 'governance grade transparency evidence' and recommended implementing a machine-readable controller identification record to address legal transparency, specifically referencing international instruments like Convention 108+ over GDPR. While the project scope remains focused on corporate trade, the suggestion was that inclusion of digital identity technology for people inherently triggers governance requirements related to personal data.

Details

Decisions

NEEDS FURTHER DISCUSSION

  • Atomic DIA Definition Proposed The Digital Identity Anchor (DIA) definition will narrow down to a simple, 'atomic DIA' structure, encompassing the identifier, DID(s) submitted by the applicant, and a verifiable credential wrapper.

  • Adopt ISO 29100 Standard ISO 29100 (Security and Privacy Framework), being open and fit for purpose, should be adopted as the international governance instrument for the project, replacing the proprietary ISO 27001.

  • Map Registrar Data to CIR Schema Registrar controller information should be mapped to the Controller Identification Record (CIR) schema (aligned with international laws) and published in a well-known location, such as a notice.ext file at Ayanna.

  • ANCR work group liaison proposal The ANCR work group at Kantara proposes establishing a liaison to contribute the controller identification record work to the project.

ALIGNED

  • Project Document Completion Process Set The project document baseline process will involve baselining existing documents, improving them for several weeks (until late March/April), and then declaring a version available for review by the UN/CEFACT bureau.

  • Recommendation Decision and Visualization Plan The decision on whether to work on a formal UN/CEFACT recommendation is deferred until after the inital release of documents for review. Two separate schedule visualizations (document production and recommendation pursuit) will be produced for the project page.

  • Project Scope Excludes Personal Identifiers The UN/CEFACT Grid project scope will strictly exclude individuals and personal identification information (PII), focusing only on corporate law, entities, and artifacts of international trade.

  • Share Mark Lizar's document link The link to Mark Lizar’s document should be shared in the minutes for others to review once it is ready for read-only use.

  • Create fresh issue for DIA materials Mark Lizar must create a fresh, separate issue in the repository to present his specific points, challenges, and materials regarding the DIA specification.

More details:

  • Project Overview and Governance: John Phillips welcomed attendees to the UN/CEFACT Global Trust Registry Project meeting and briefly reviewed the code of conduct and IPR rules, noting that the project operates under an open development process with all collateral meant to be under a royalty-free license. The agenda used for the prior meeting was briefly walked through, reviewing what was discussed and agreed upon [00:00:00].

  • Access to Meeting Records: John Phillips confirmed that the document for the current meeting will be publicly available in a specific folder, as is material from previous meetings, including a transcript that is currently being edited for accuracy [00:00:54].

  • Project Schedule and Recommendation Status: The project schedule was discussed, including the determination that the May deadline is no longer necessary due to the cancellation of the May forum. The team does not need to pursue a recommendation right now, which carries the weight of a UN resolution to all member states, but can instead produce specifications and standards without that burden [00:01:56].

  • Revised Schedule and Deliverables: The updated plan involves relaxing the schedule, with documents being reviewed by the UN/CEFACT bureau at any time [00:01:56]. The immediate next steps are to baseline the current documents, continue improvements for several weeks (potentially into April), and then declare a version (e.g., version 0.7) finished and available for review. A future consideration will be whether to work on a recommendation, advised by the UN/CEFACT bureau [00:02:50].

  • Schedule Visualization: John Phillips plans to produce two visualizations on the project's "about" page: one showing the current plan for document production and a second, yet-to-be-decided (TBD) visualization for what a recommendation schedule would look like [00:02:50].

  • Document Structure Improvements: Two key merge requests were discussed, including one (Merge Request 18) that improved document layout structure and the "target operating model" [00:03:39]. This change elevated the Glossary to the second-highest document, reflecting the importance of defining terms clearly for the remaining documents [00:04:40].

  • Eligibility and Legal Governance Updates: Within the legal governance and target operating model section, improvement was made to section four regarding eligibility requirements, as previously agreed upon with Alina. John Phillips noted that further refinement of this text is still encouraged [00:04:40].

  • Registrar Data Schema Formalization: A more technical merge was implemented regarding the registrar data schema, which introduced a separate, machine-readable file called registar v1 json. This JSON structure provides rigor, replacing a less formal markdown text table, and allows participating registrars to check their data structure against the file, enabling the running of code against pilot data [00:05:46] [00:11:09].

  • Registrar Record Details: The registrar record, an example of which was outlined for Australia, captures key information such as the country code (AUS), the registrar name (ASIC), the register name (ABN), and other related data. This structure accounts for the typical scenario where one registrar might operate many registers, and a member state will have many registrars [00:06:48].

  • Legal Transparency and Data Quality: John Phillips explained that the legal transparency component aims to provide a reference to the legal framework that defines the registrar's role, allowing users to gauge the rigor of the organization ID within that jurisdiction [00:07:44]. They clarified that this initiative is only about the grid, serving as a directory of recognized registrars, and not about what registrars issue or how organizations communicate [00:08:50].

  • Digital Identity Anchor (DIA) Simplification: The discussion focused on the necessary level of information within the Digital Identity Anchor concept [00:11:09]. John Phillips indicated a movement toward a simpler, "atomic DIA" definition, comprising the identifier, the DID or DID submitted by the applicant, and that information wrapped in a cryptographically protected verifiable credential and recorded by the registrar [00:12:14].

  • Mark Lizar’s Presentation on Transparency: Mark Lizar began their presentation, expressing enthusiasm for the project and confirming their support for public transparency infrastructure [00:15:00]. They introduced the concept of "governance grade transparency evidence," referred to as transparency, and emphasized that current digital identity frameworks often overlook the human judgment component of trust [00:16:13] [00:18:27].

  • The Controller Identity Record and Legal Basis: Mark Lizar introduced the "controller identification record" as a machine-readable, human-expectable artifact that makes the accountable controller and its authority context visible before identification begins [00:22:07]. They noted that notice, specifically the identity of the person in control of information, is the only consistent requirement across all international privacy instruments [00:23:21].

  • Governance and Data Protection Law: Mark Lizar highlighted that existing data protection regulation, such as that stemming from the 1967 Helsinki declaration, is not modernized for the context of digital identification and the invisible policy added at the moment of use [00:20:29]. They strongly recommended referencing Convention 108+, an international instrument that provides governance for this area, as GDPR is not an international law and therefore not fully relevant for global digital identity management [00:24:44] [00:27:52].

  • Relying Party Role and Transparency Factor: Mark Lizar explained that splitting the "relying party" role from the "controller" role, as seen with large platforms, creates systemic risk because there is no transparency, and data protection law lacks a concept for this [00:26:09]. They described the "rinparency factor" [sp?] as the ungoverned authority, where data is used for a secondary purpose, and emphasized the need for governance guardrails at the infrastructure level [00:30:24].

  • Application of Reciprocity and Proportionality: Mark Lizar stressed that reciprocity and proportionality must be applied to digital identity transparency to create the necessary governance guardrails that match the technology [00:39:22]. They connected the controller record to international digital identifier transparency notice requirements, which trigger expanded notice requirements when using digital identifiers across domains (regionally, nationally, and internationally) [00:40:47].

  • Suitability of International Standards: Mark Lizar noted the existence of a transparency code of conduct profile (27560) and standard for governing identity management internationally, but cautioned that ISO 27001 is not open or free to access and is unsuitable for public infrastructure [00:42:21]. They argued that only ISO 29100 (security and privacy framework) is open, free to access, and fit for purpose for this project [00:43:39].

  • The Role of PII Controller: A clarifying discussion occurred regarding the use of the term PII controller, with John Phillips expressing concern about including anything related to people in the GRID work, as their focus is on corporate trade [00:49:40] [00:51:33]. Mark Lizar clarified that PII controller refers to the legal entity, but the law requires transparency and accountability regarding the person controlling that entity, even in trade contexts [00:50:26] [00:53:18].

  • Scope of the Grid Project: John Phillips reiterated that the project's focus remains strictly on the artifacts of trade and verifying that a company is duly registered by an authoritative registrar [00:54:24]. They acknowledged Mark Lizar’s point that digital identification technology itself triggers governance requirements, but stressed that the current UNCCFACT grid project is focused on companies and international trade law, not personal identity law [00:51:33] [00:57:59].

  • Next Steps for Integrating Mark Lizar’s Concepts: John Phillips concluded that Mark Lizar provided a substantial amount of information that needs to be digested by the team [00:47:36]. The team will need to consider how the pattern of a UN body with recognized registrars could offer international translation and recognition for mutuality and reciprocity, potentially informing related work beyond the current UN/CEFACT GRID [00:49:40].

  • Document Sharing and Review: John Phillips expressed appreciation for Mark Lizar's sharing and asked for permission to share a version of the document in the minutes when it is ready for read-only or limited public use. Mark Lizar acknowledged the request, indicating they had prepared a short presentation that covered challenges, recommendations, and the benefits of their approach, but they were unable to present all of it. John Phillips encouraged Mark Lizar to share a link to the document when they deem it appropriate for others to view [00:59:09].

  • Next Steps for Contribution: John Phillips suggested that Mark Lizar raise a separate, fresh issue in the project's repository to discuss the details of their work, potentially concerning the DIA specification, to avoid entanglement with existing issues. Mark Lizar stated that the ANCR work group at Kantara wishes to establish a liaison and contribute their controller identification record work to the project, as they believe it is the appropriate venue for that work [00:59:55]. They also noted that digital identification fundamentally involves personal data, but if one root thing is done properly, personal data might not be needed in the rest of the approach [01:00:49].

  • Addressing DIA Document Feedback: Mark Lizar acknowledged that they had struggled to find the right place or time to send their comments and recommendations on the DIA document without exposing potentially sensitive information publicly [01:01:44]. John Phillips reiterated the value of using public issues for challenging feedback and encouraged Mark Lizar to carry on by creating a fresh issue in the repository to put forth their points and materials [01:00:49]. The meeting was concluded by John Phillips, noting that they were running late and thanking Mark Lizar for their participation [01:01:44].

Suggested next steps

  • John Phillips will produce two visualizations of the schedule on the “About” project page: one showing document production and another showing what it looks like if a recommendation is pursued after document production.

  • Project Team to digest what Mark Lizar is saying and think about if and how to map it into the work the group is doing.