Advancing Sustainability and Consumer Trust: Integrating GS1 Standards in Digital Product Passports for Verifiable Provenance

Exploring GS1-Compliant Digital Product Passport Implementations for Enhanced Sustainability and Circular Economy

Published in

Spherity

17 min readDec 18, 2023

This article is a republication of the IDunion Whitepaper “Empowering Sustainable Products and Consumer Confidence through Verifiable Credentials” which is co-authored by a variety of project colleagues from European EPC Competence Center GmbH (EECC), GS1 Germany GmbH, Robert Bosch GmbH, SBB, and Siemens AG.

Authors:
European EPC Competence Center GmbH (EECC): Christian Fries, Dr Sebastian Schmittner
GS1 Germany GmbH: Dr Andreas Füßler, Dr Paulina Drott, Anna Klapper, Dr Ralph Tröger, Roman Winter
Robert Bosch GmbH: Florin Coptil, Werner Folkendt SBB, Cornelia Schalch, Dominic Hurni
Siemens AG: Marquart Franz
Spherity GmbH: Dr Susanne Guth-Orlowski

Abstract

The European Green Deal underscores the importance of sustainable and circular approaches in the lifecycle of products. Upcoming legislation, notably the Eco-design for Sustainable Products Regulation (ESPR) and the “New Battery Regulation,” mandates the adoption of digital product passports (DPPs) to foster sustainability, circularity, and resource efficiency in sectors like batteries, textiles, electronics, and construction. These regulations necessitate a thorough understanding of supply chain CO2 emissions, raw material usage, product circularity, and adherence to environmental, social, and governance (ESG) standards. This knowledge is vital for companies to manage their supply chains responsibly and make eco-friendly decisions. In addition to ESG compliance, DPPs offer new forms of direct brand-to-customer engagement, cross- and up-selling opportunities, as well as value-added services

The ESPR requires that DPP information be verifiable, prompting the industry to develop digital solutions for providing trustworthy and verifiable product data. Such solutions must track product information throughout the supply chain, aiding in sustainable decision-making. Commonly used in industries like FMCG, Healthcare, Apparel, and DIY, the Global Trade Item Number (GTIN) is expected to play a central role in these digital solutions.

This paper focuses on the integration of GS1 standards, particularly using the GS1 Digital Link, with Self-Sovereign Identity (SSI) technology, including Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs). This integration aims to showcase how GS1 standards can facilitate efficient implementation of digital product information, while SSI technology ensures verification and potential certification of vital product details. The paper explores the combined strengths of these technologies in enhancing digital product identification and verification processes, contributing to more sustainable and circular product lifecycles.

High-level Solution Architecture

In alignment with the ESPR guidelines, our proposed solution architecture ensures that every product and operator identifier is globally unique and interoperable, as stipulated by the EU commission’s recommended standard, ISO/IEC 15459. This standard is pivotal in ensuring seamless interoperability of identification systems — including databases, registries, barcodes, RFID tags, labels, and online platforms — across diverse sectors. ISO/IEC 15459 acts as a comprehensive framework for global identification schemes, catering to the needs of all industries.

The architecture further mandates that identifiers must be operational at various levels of specificity: the model, batch/lot, or individual item. Additionally, they must be web-enabled, meaning any identifier physically marked on a product (such as within a 2D barcode) serves as a gateway for accessing pertinent online data about the product.

This approach is in harmony with the Verifiable Credentials (VC) Data Model recommended by the World Wide Web Consortium (W3C), which stipulates that all identifiers (including credential ID, issuer ID, subject ID, etc.) should be structured as Uniform Resource Identifiers (URIs). The criteria for an effective identifier within this model are as follows:

The “ID” attribute must represent a unique identifier that is utilized by others to make statements about the entity identified by that identifier.
The “ID” attribute must be singular in value.
The value of the “ID” attribute must be formatted as a URI.

This architecture not only adheres to the essential regulatory requirements but also paves the way for a more interconnected and accessible digital ecosystem for product information.

Now, let’s go deeper into two key concepts that are fundamental to this discussion: Self-Sovereign Identity (SSI) and GS1 Digital Link (GS1 DL).

Self-Sovereign Identity (SSI)

SSI represents a technological paradigm that empowers individuals and entities to maintain control over their data. This data encompasses personal information like ID cards, driver’s licenses, diplomas, and extends to legal entities issuing credentials for products such as a product’s carbon footprint. Key characteristics of SSI include:

Decentralized Control: Users manage their data using Verifiable Credentials (VCs) from their SSI wallet, presenting these credentials as required, rather than relying on central platforms for authentication (data sovereignty).
Enhanced Trust and Accountability: Cryptographic signatures in VCs increase trust in DPP data, holding issuers accountable for the information they claim (non-repudiation, attributeability).
Accessibility and Public Verification: SSI enables easy discovery and verification of public product information by any supply chain actor, facilitated by various agents that connect to decentralized infrastructures.
Authorization Credentials for Secure Access Control: These credentials are vital for managing secure access to sensitive product data and systems. They ensure that only authorized personnel or systems have access to sensitive information, thereby maintaining data integrity and security across the supply chain. This approach enhances protection against unauthorized data breaches and ensures compliance with data privacy regulations.
Provenance Credentials for Verifiable Assertions: These credentials are essential for confirming product authenticity and ESG compliance. They include assertions on authenticity, comprehensive product documentation, and certificates. This integration enables transparent tracking of a product’s journey, ensuring regulatory and sustainability compliance, thus bolstering consumer trust and supply chain integrity.
No Central System Requirements: It eliminates the need for building, maintaining, and developing a central system for data exchange.
Business Confidentiality: It allows control over shared data, minimizing access to essential information. It removes the need for centralized databases and registries that gain supply chain transparency by collecting collecting and analyzing meta-data.
Interoperability and Low Barriers: Promotes interoperability using standard protocols and keeps participation barriers low with open-source implementations (e.g., Gaia-X Federation Services).

A Verifiable Credential is a tamper-evident set of claims and metadata, cryptographically proving its issuance. For more information on SSI, you can visit the W3C Decentralized Identifiers (DIDs) and W3C Verifiable Credentials pages.

GS1 Digital Link (GS1 DL)

GS1 DL represents a versatile syntax form for representing GS1 keys and related attributes, often encoded in data carries such as QR codes on product packaging.

Example GS1 Data Carriers: Barcode, 2D Data Matrix, QR Code; Source: GS1

The GS1 DL provides mechanisms for a simple look-up infrastructure so that a supply chain actor can scan a QR code or read out an identifier and/or a GS1 DL domain via RFID and then resolve the endpoint and request product information.

Simple resolution of a Web URI; Source: GS1

Key aspects of GS1 DL include:

Various Encodings: Depending on application and business needs, GS1 identifiers can be expressed in different encodings, such as GS1 DataMatrix, EPC Binary Strings, or plain syntax.
Web-Enabled Links: GS1 Element Strings are embedded in URLs (GS1 Digital Link URIs), linking identifiers to web resources.
Flexible Domain Usage: GS1 DL URIs can use any domain, including a company’s own or the canonical ‘id.gs1.org’.
Ecosystem Layers: GS1 DL includes link types, GS1 DL resolvers, and linked data, providing a comprehensive ecosystem.
Resolver Service Requirement: A GS1 DL resolver is essential for the GS1 Digital Link to refer to varied online content.
Broad Application Spectrum: GS1 DL supports all GS1 keys, covering a wide range of business applications beyond product identification.

For detailed insights into GS1 Digital Link, visit the GS1 Digital Link information page.

The subsequent sections will explore the technical feasibility of integrating the SSI concept for products with existing GS1 Standards-based technology.

Customer & Participant Experiences: Exploring Use Cases of Decentralized Identity and GS1 Digital Link in Consumer Interactions

In this chapter, we go deeper into the applications of the Self-Sovereign Identity (SSI) approach combined with the GS1 Digital Link. We will map out various use cases that occur during the customer journey and the actions performed by multiple parties, presenting them as customer and participant journeys. The recurring example used here is the purchase of an electric screwdriver.

Different data-related scenarios demand varying levels of trust and depth of information. For instance, trading partners and consumers might seek reliable verification of a carbon footprint certificate’s authenticity, which isn’t typically necessary for resources like promotional videos, washing instructions, or disposal information.

To provide guidance, the following list offers a non-exhaustive list of web resources, categorized by the level of trust they require. This categorization may vary based on specific conditions, and regulatory or customer requirements within different industry sectors.

Low Level of Trust Assurance:

Product Information Page (e.g., carbon efficiency)
Related Video
Promotion
Nutrition Information
Manual
Recipe
Social Media Channel
Frequently Asked Questions

High Level of Trust Assurance:

Instructions for Authenticity Checks
Certificates (e.g., carbon footprint), Warranty
Repair Service
Supply Chain Due Diligence
Recycling / Remanufacturing-Relevant Information
Legally Required Information by Authorities

4 Customer & Participant Journeys — Use Cases

In this chapter, we delve into the diverse applications of the Self-Sovereign Identity (SSI) approach combined with the GS1 Digital Link. We will map out various use cases that occur during the customer journey and the actions performed by multiple parties, presenting them as customer and participant journeys. The recurring example used here is the purchase of an electric screwdriver.

Low(er) Level of Trust (Primarily Public Information):

Product Information Page (e.g., carbon efficiency)
Related Video
Promotion
Nutrition Information
Authenticity Check
Manual
Recipe
Social Media Channel
Frequently Asked Questions

High(er) Level of Trust (Primarily Restricted Information):

Certificate (e.g., carbon footprint), Warranty
Repair Service
Raw Material Certificates
Remanufacturing-Relevant Information
Legally Required Information by Authorities

Use cases can be categorized based on the required level of trust:

High-Trust Use Cases: Information revelation is based on a verifiable presentation using a trusted infrastructure, often necessitating a wallet to store additional information for trusted processes.
Low Trust Use Cases: Information revelation is public and does not require a wallet.

In the first scenario, data is requested by the verifying party via a proof request and revealed through a verifiable presentation.

Consider the case of customer Jo, who intends to install flooring in her loft and needs to buy a new electric screwdriver. There are two main methods for Alice to access digital product information about electric screwdrivers in the market. In both scenarios, the digital product passport (DPP) is issued as Verifiable Credentials (VCs). Some attributes of the product passport might be common across multiple product categories, while others are specific to each category. Credential schemas are defined accordingly, following proposed regulations for each product category such as batteries, textiles, electronics, etc. The data from the product pass credentials contain the information required to assemble the DPP.

The proposed product passport setup can cater to two main customer journeys:

Customer Journey for Navigating Product Information without Authentication or Authorization
Customer and Participant Journey with Authentication or Authorization

Customer Journey: Navigating Product Information without Authentication or Authorization

In this section, we explore the customer journey of Jo, who interacts with product information without needing authentication or authorization. At the store, Alice uses QR codes embedded with GS1 Digital Links on various electric screwdrivers to access public information. These QR codes include both the domain of the resolver and the GTIN of the screwdriver (e.g., https://id.gs1.de/01/04012345999990/10/20210401-A/21/XYZ123421). The GS1 resolver service processes the request and redirects it to the destination set by the brand owner. Incorporating a verifiable Digital Product Passport, created from verifiable credentials, enhances the existing capabilities of the digital link:

Purchase: Authenticity and Certificate Verification at Retail
At the store, Alice aims to ensure her chosen screwdriver meets her quality standards. Scanning the GS1 Digital Link leads her to the manufacturer’s product page via the GS1 resolver. This page displays manufacturer-provided, digitally signed credentials. The presence of digitally signed credentials, especially third-party audited certificates (e.g., by TÜV), bolsters the trustworthiness of the information. Alice can verify the product’s authenticity, authorized retail sale, serial number, certified raw material origin, repairability, ecological footprint, and performance features.
Post-Purchase: Accessing Product Data from Home
After her purchase, Alice seeks the best tool for her flooring project. The GS1 Digital Link quickly directs her to relevant technical information or DIY tutorials on the product information page. By accessing verifiable information, she ensures that she’s following manufacturer-approved instructions rather than unreliable online advice.
Post-Purchase: Warranty Case
If the screwdriver malfunctions within its warranty period, the warranty process can be digitized in a trustworthy, data-efficient manner. Verifiable Credentials (VCs) can be used to establish trust in various ways, like identifying nearby repair shops certified by the manufacturer for necessary repairs or replacements. Information about warranty handling is a new service that can be added to a digital product passport, requiring a trusted relationship.

Customer and Participant Journey with Authentication or Authorization

In scenarios where product information cannot be publicly shared, both the information provider (manufacturer) and the requester may require authentication and authorization. This chapter explores cases where only authorized parties, like border control or specific service providers, can access detailed Digital Product Passport (DPP) data. Additionally, the DPP might offer extra services to authenticated users.

Assuming Alice uses an SSI Wallet, such as a smartphone app, to receive, hold, and present verifiable credentials, different post-purchase scenarios unfold:

Online Purchase Warranty Case: If Alice purchases the screwdriver online, she receives proof of purchase as a Verifiable Credential (VC) in her wallet. This digital certificate allows the manufacturer to verify the purchase without direct communication with the seller. All information exchange is controlled by Alice, who can choose to reveal only necessary data, like the purchase date. In case of a warranty issue, Alice can use her online warranty service to initiate a replacement or repair process, facilitated through digital credentials.
Receiving the Warranty Certificate: Upon delivery of a new screwdriver under warranty, Alice scans its QR code to initiate a credential exchange for the warranty certificate. This process involves presenting her proof of purchase and then receiving the new warranty certificate in her wallet, which directly links to a warranty claim service.
Authorized Information Access for Various Stakeholders: Access to specific DPP information can be granted to various actors along the value chain, such as distributors, public authorities, repairers, remanufacturers, or recyclers.
Pre-Purchase CO2 Evidence by Manufacturer: Entities like companies, customers, customs, or public authorities may need to verify specific product information, such as the CO2 footprint. Authorized entities can establish a connection to the manufacturer’s wallet to request this sensitive information.
Repair Process: If the screwdriver malfunctions, Alice can initiate a warranty claim directly through her wallet. The authorized repair shop validates its credentials to handle warranty cases, and Alice provides proof of warranty, enabling the repair service.
Raw Material Validation for Recycling: When the screwdriver reaches its end of life, Alice takes it to a recycling center. The recycler requires access to the screwdriver’s raw material data, which they request from the manufacturer after providing the necessary credentials.
Information Needs in the Circular Economy: Remanufacturers or other actors in the circular economy might require specific information about products. They can request this data from the manufacturer’s wallet after proving their credentials and rationale for needing the information.

These scenarios illustrate the multifaceted applications of SSI and GS1 Digital Link in authenticating and authorizing information exchange, ensuring that sensitive data is shared securely and only with verified parties.

Technical Solution Design

This section outlines the technical design for utilizing verifiable credentials (VCs) to certify product attributes, as detailed in this paper. The approach involves assigning a unique URI to each product at the model-, batch/lot-, or instance-level, and ensuring these products, which are passive entities without their wallets, are identifiable through these URIs.

Key Components of the Technical Design:

a) URI for Product Identification:

Each product is identified with a URI, preferably resolvable, in line with the VC Data Model. The GS1 Digital Link, formatted as a URL, is ideal as the subject ID of a verifiable credential.
Products are identified using a GTIN within a GS1 Digital Link URI, and, where relevant, combined with batch/lot or serial references.

b) GS1 Digital Link Resolver:

The resolver points to VC-compliant resources containing the DID of the product or the company responsible for it, aligning with the W3C data model.

c) Storing and Accessing Verifiable Credentials:

Addressing questions on where product data VCs are stored, how they can be accessed or queried, and how information flow is managed across supply chain partners, each contributing a VC for their process step.
Ensuring linkage of product data from multiple issuers in VC without a central platform, using a single access point (URI).

d) Design Features of the Proposed Solution:

Product Independence: Applicable to any product type or packaging.
Technology and Network Independence: Compatible across various devices and platforms, leveraging scalable data exchange.
Trust Infrastructure Independence: Interoperable with various trust ecosystems, not reliant on a specific one.
Flexibility for Future Services: Allows defining additional services or endpoints supported by the holder.

Practical Application and Steps:

Illustrative Example — Using a screwdriver as a sample product and supply chain ecosystem.

Technical System Architecture; Source: IDunion Project

Technical Steps for Defining the DPP:

Attribute Definition: Following the ESPR, attributes of the DPP are defined to comply with various regulatory proposals, making them available in the business ecosystem.
Manufacturer Preparation: Manufacturers prepare attributes as per relevant legislation and can offer additional services through the DPP, like Digital Twin Information, by publishing or defining new credentials based on selected schemes.
Product Introduction: Manufacturers introduce products to the market, issuing VCs according to the defined credentials, and making them visibly available (e.g., via QR Code).
Stakeholder Access: Once in the market, stakeholders can access production information from the DPP.

By adhering to these steps, companies can implement a standardized DPP that aligns with EU regulations, offering stakeholders insights into the environmental and sustainability aspects of their products. The subsequent paragraphs will detail the technical paths for use cases without and with user authentication.

Product Verification without Client Authentication and/or Authorization

This section explores the process of accessing verifiable data using a GS1 Digital Link request without requiring client authentication. The key is appending the GS1 Digital Link URI with an appropriate ‘Link Type’, a feature that is yet to be standardized. The verifier, hosted by any trusted party, is responsible for managing credentials and verification handling.

Process Overview:

GS1 Digital Link Request: Users can request verifiable data by appending the GS1 Digital Link URI with a ‘Link Type’. This triggers the verification process managed by a verifier entity.
W3C Verifiable Credentials: The subject is publicly identified within the credential by its identifier. These credentials are discovered by querying various registries and can be verified locally due to their zero-trust architecture.
Practical Application: For verifying credentials, an exchange interaction with the data provider or issuer is necessary. In W3C’s case, the verifier is a convenient feature, as verification can be done locally by the client in a wallet-less fashion.
Implementation and Demonstration: The process flow based on zero-trust W3C credentials has been implemented in a demonstration case to provide a practical experience of VC technology. This approach allows users to access and verify product information seamlessly, without needing to authenticate themselves, enhancing the user experience and trust in product data.

Example Flow with Alice:

Alice wants to retrieve public information about a screwdriver.
She scans a QR code, which decodes the embedded GS1 Digital Link (GS1 DL).
The scan triggers a GS1 DL request, directing her to an online resource, like a product information page specified by the brand owner.
On the product page, Alice selects a verifier service, leading her to the DPP front end of the verifier service.
The verifier collects relevant VCs and necessary verification information (e.g., DID documents of issuers, schemas, context files).
For W3C credentials, VCs and context are fetched from a public internet resource, and the verifier is optional.
The product information and VC are processed into a human-readable format on the DPP front end.
Alice can view the verified and certified product information on her mobile phone.

Accessing Digital Product Passport with Client Authentication and/or Authorization

This section focuses on accessing the Digital Product Passport (DPP) with necessary client authentication and/or authorization. The DPP, created by manufacturers, provides verified information about products for various stakeholders, including customers, economic operators, and national authorities. It facilitates access to product-related services and is accessible to actors across the value chain, as outlined in the Digital Product Passport Regulation (Article 7/8).

Process Flow:

QR Code Scanning by Requestor: The requestor uses a wallet or brand app to scan the product’s QR code.
GS1 Digital Link URI Processing: The QR code contains a GS1 Digital Link URI, which is forwarded to a GS1 Digital Link resolver. This resolver then forwards the request to the manufacturer’s registered endpoint (manufacturer’s wallet).
Manufacturer Wallet Interaction: The manufacturer wallet generates an invitation and sends it to the requester. The requester reviews and accepts this invitation.
Transmission of Product Passport Entitlement: The manufacturer’s wallet transmits the product passport entitlement to the requester via the established channel.
Request for Specific Information/Services: The requestor can then request specific information or services (e.g., CO2 certificate, raw material information, warranty claim, repair claim) through this open channel with the manufacturer.
Identity Verification of Requester: The manufacturer’s wallet generates a verification request to confirm the identity of the requester. The requestor must present the required credentials, such as personal or organizational identification, and additional use-case-specific credentials (e.g., proof of purchase, recycler certificate from authorities).
Validation and Information Generation: Upon validating the credentials, the manufacturer’s wallet creates the requested information in the form of credentials. This allows for peer-to-peer communications between the requester and the manufacturer, bypassing a central entity. An example of this process is the transmission of transparent information, like notifications about the status of a complaint, directly to the requester’s wallet.

This method ensures secure and controlled access to the DPP, with authentication and authorization steps to protect sensitive product information. It enables stakeholders to access detailed, verified product data and services, fostering transparency and trust along the supply chain.

Concluding Insights and Future Perspectives on Verifiable Credentials in Supply Chains

This paper has explored a range of use cases in commercial procedures that could be significantly enhanced through the use of verifiable credentials (VCs). These advancements align closely with the objectives of the European Green Deal, particularly in smoothing the integration of current product identification processes and ecological product information verification.

Value for Supply Chain Actors:

OEMs/Brands: For Original Equipment Manufacturers (OEMs) or brands, the adoption of VCs offers a path to more transparent, efficient, and trustworthy supply chains. By leveraging VCs, OEMs can ensure product authenticity, track sustainability efforts, and enhance consumer trust. This can lead to improved brand reputation and potentially increase market share in environmentally conscious demographics.
Other Supply Chain Actors: Distributors, retailers, repairers, remanufacturers, and recyclers also stand to gain significantly. VCs facilitate easier access to accurate product information, streamline warranty and repair processes, and enable more effective recycling and remanufacturing efforts. This can result in operational efficiencies and contribute to the broader sustainability goals of the supply chain.

Integration with Established Standards:

The integration of VCs with established standards like GS1 offers a practical approach to implementing these solutions in current industry settings. GS1 standards, already widely adopted across various sectors, can act as a catalyst for adopting new technologies, especially crucial for scaling the Digital Product Passport in industries like FMCG, Healthcare, Apparel, or DIY.

Technological Development and Industry Potentials:

The technological landscape of VCs is evolving rapidly, offering immense potential for various industries. This paper serves as a resource for interested stakeholders, aiming to inform and guide decision-making processes. As industries continue to evolve and seek sustainable and efficient solutions, the role of VCs and their integration with existing standards will become increasingly significant.

Future Outlook:

Looking ahead, the continuous development and refinement of VCs will likely unlock new possibilities for supply chain management and product verification. The focus will be on creating more streamlined, transparent, and sustainable supply chains, aligning with global ecological objectives and regulations.

The adoption of VCs, particularly when integrated with established standards like GS1, represents a forward-thinking approach to meeting the challenges of modern supply chains. This approach not only facilitates compliance with environmental regulations but also offers tangible benefits for OEMs, brands, and other supply chain actors, paving the way for a more sustainable and efficient future.

The document was built upon the work of the IDunion Whitepaper “Empowering Sustainable Products and Consumer Confidence through Verifiable Credentials” and edited for clarity and abstraction.

About Spherity

Spherity is a German decentralized digital identity software provider, bringing secure identities to enterprises, machines, products, data, and even algorithms. Spherity provides the enabling technology to digitalize and automate compliance processes in highly-regulated technical sectors. Spherity’s products for enterprise wallets and object identity empower cyber security, efficiency, and data interoperability among digital value chain actors.

Stay sphered by joining Spherity’s Newsletter list and following us on LinkedIn. For press relations, contact info@spherity.com.