A Digital Product Passport has to stay verifiable for ten years and longer. A software platform rarely lasts that long. This contradiction has a clear consequence: trust in a DPP must not hang on the provider, but must stick to the data set itself. Trust in the artefact, not in the company.
What this looks like in practice can be shown through four building blocks.
Every DPP version is signed
Before freezing, Transpareo checks the data set against the category-specific mandatory fields (SHACL validation). If this check fails, publication is refused - only a complete, rule-compliant passport is signed.
When a DPP is published, Transpareo freezes its content as a DPP version and signs it with two independent keys: one from the issuer, one from Transpareo. With Bring Your Own Key (BYOK) the manufacturer runs its own signing endpoint - Transpareo never holds the private key and only adds the independent counter-signature, so that the issuer signature is one that Transpareo cannot itself produce.
The method used is Ed25519 over a canonical form of the data set (the JSON Canonicalization Scheme, RFC 8785). Two signatures, two mutually independent authorities.
Verification happens in the viewer’s browser. The open-source renderer Transpareo Time Machine loads the bytes, recomputes the hash and checks both signatures, without contacting a server of ours. Anyone who is suspicious can read the code.
The issuer identity stands on its own domain
So that a verifier can find the public keys, every issuer publishes its identity as a DID:web on its own domain, resolvable via a well-defined address under /.well-known/. This is deliberately not a classic X.509 certificate: certificate chains expire over decades, whereas an HTTPS address on your own domain stays robust and under your control.
If a key is rotated, older signatures remain verifiable - the old key continues to verify what it once signed, without signing new passports. And because an issuer might take its domain along after a change of provider, Transpareo mirrors every public key at the moment of publication to a permanent address. So every DPP version stays verifiable, even if the original host disappears at some point.
The EU registration carries a qualified seal
The submission to the coming EU DPP register requires more than an ordinary signature: every registration must be provided with a qualified electronic seal (QES) under the eIDAS Regulation 910/2014. A QES is hardware-backed and bound to a verified legal person - the highest level of trust that EU law knows.
This qualified-seal capability is planned for as soon as the eIDAS legal act and the register interface are final; the connection is planned via a qualified trust-service provider. For mid-sized manufacturers that do not run their own seal infrastructure, this is the decisive advantage: the obligation to use a QES will be fulfillable without your own hardware.
An archive that outlives the provider
As soon as the DPPs are registered with the EU register, every DPP version is additionally archived immutably for ten years - neither the manufacturer nor Transpareo can change it afterwards. So that this archive remains reachable even if Transpareo were one day to cease to exist, its financing is secured via a notarial escrow in Switzerland. The promise is therefore not only technical, but also contractually designed for longevity.
This is how a third party verifies the passport - entirely without us
The decisive test for trust in the artefact is whether someone can verify the passport without our infrastructure. The procedure:
- fetch the bytes of the DPP version from any source (a CDN, a public archive, the EU register or a third-party archive)
- canonicalise the data set and compute its hash
- retrieve the public keys of the issuer and of Transpareo via the addresses named in the passport
- check both signatures against the hash - if both match, the passport is genuine and unchanged
No login, no call to Transpareo, no dependency on a running platform.
What runs today and what is prepared
Signatures, browser verification, DID:web identity and Bring Your Own Key (BYOK) are in use. The immutable ten-year archive is in place and takes effect as soon as the DPPs are registered with the EU register. The qualified-seal capability (QES) for the EU registration is planned for as soon as the eIDAS legal act and the register interface are final.
The principle remains the same in every case: what is once signed and archived stays verifiable, regardless of who runs the platform tomorrow.
