
Portable Identity Profile XR Implementation Path

This guide gives implementers an actionable path for Portable Identity Profile behavior across XR surfaces.

  1. Validate required UM fields.
  2. Enforce freshness (expiresAt).
  3. Verify v0.2 signature when policy requires it.
  4. Read only supported Portable Identity Profile overlays.
  5. Enforce consent gates with default deny.
  6. Resolve pointers only after the consent check passes.
  7. Apply pairwise subject handling.
  8. Apply revocation checks for the extended policy tier.
  9. Emit decision/audit event.

  • Keep required UM fields valid and time-bounded.
  • Use pointer-first design for avatar/wearables/proof bundles.
  • Emit explicit consent values for sensitive actions.
  • Use pairwise/pseudonymous subject strategy where privacy requires it.
  • Include v0.2 signature metadata for trust-sensitive paths.

baseline

  • TTL checks required.
  • Signature and revocation checks policy-driven.

extended

  • TTL checks required.
  • Signature verification required.
  • statusRef and revocationCursor freshness required.
  • Never use expired manifests.
  • Restrict sensitive actions when revocation freshness cannot be checked.
  • Re-resolve authoritative state on reconnect before re-enabling full behavior.
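
The nine consumer steps and the baseline/extended tier rules above, combined into one decision function. This is an added example, not code from the universal-manifest package. Only `expiresAt`, `statusRef` and `revocationCursor` are names from this page; the required-field list, overlay names, consent map, `ctx` callbacks and the sample manifest are hypothetical.

```javascript
// Added example: apart from expiresAt, statusRef and revocationCursor,
// every field, callback and value here is a hypothetical stand-in.
const REQUIRED = ["id", "subject", "expiresAt"];             // assumed required UM fields
const SUPPORTED_OVERLAYS = new Set(["avatar", "wearables"]); // assumed overlay names
const TIERS = {
  baseline: { signature: false, revocation: false }, // policy-driven; off in this sample policy
  extended: { signature: true, revocation: true },
};

// Constructed sample input (not a real manifest).
const SAMPLE = {
  id: "um-sample-1", subject: "user-123", expiresAt: "2030-01-01T00:00:00Z",
  statusRef: "https://status.example/um-sample-1", revocationCursor: "c-41",
  consent: { "avatar.render": "granted" },
  overlays: { avatar: { pointer: "https://cdn.example/a.glb" },
              telemetry: { pointer: "https://cdn.example/t.json" } },
};

// ctx supplies: tier, now (ms), verifySignature(m), resolve(pointer), pairwiseId(subject),
// revocationState(statusRef, cursor) -> "fresh" | "revoked" | "unknown"
function evaluate(manifest, action, ctx) {
  const event = (decision, reason, extra = {}) =>               // step 9: every exit is an audit event
    ({ decision, reason, action: action.name, tier: ctx.tier, at: ctx.now, ...extra });
  const policy = TIERS[ctx.tier];
  if (!policy) return event("deny", "unknown_tier");
  const missing = REQUIRED.filter((f) => manifest[f] == null);   // step 1
  if (missing.length) return event("deny", "missing_fields", { missing });
  const expires = Date.parse(manifest.expiresAt);                // step 2: unparsable counts as expired
  if (Number.isNaN(expires) || expires <= ctx.now) return event("deny", "expired");
  if (policy.signature && !ctx.verifySignature(manifest))        // step 3
    return event("deny", "signature_invalid");
  const overlays = Object.entries(manifest.overlays ?? {})       // step 4: ignore unsupported overlays
    .filter(([name]) => SUPPORTED_OVERLAYS.has(name));
  if (manifest.consent?.[action.name] !== "granted")             // step 5: default deny
    return event("deny", "consent_missing");
  const resolved = Object.fromEntries(                           // step 6: only reached after consent
    overlays.map(([name, o]) => [name, ctx.resolve(o.pointer)]));
  const subject = ctx.pairwiseId(manifest.subject);              // step 7
  if (policy.revocation) {                                       // step 8
    const state = ctx.revocationState(manifest.statusRef, manifest.revocationCursor);
    if (state === "revoked") return event("deny", "revoked");
    if (state !== "fresh" && action.sensitive)                   // freshness cannot be checked
      return event("restrict", "revocation_freshness_unknown", { subject });
  }
  return event("allow", "ok", { subject, resolved });
}
```
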

```sh
cd packages/universal-manifest
npm test
npm run journeys
```

Primary journey evidence: