Sigil logo (Thurin fingerprint mark with the verified checkmark replaced by a copper X)

The thing that pushed Sigil off the road came out of Germany, in a sentence I read twice to make sure I had it right. Their mobile driver’s license, the country’s official state-issued mDL, would REQUIRE Apple or Google’s wallet to function. Not as a recommended client. As a requirement.

I closed the tab and didn’t open it again for a while.

This is an honest accounting of why Thurin Labs has quietly shelved its first product, why the math being right wasn’t enough (zero-knowledge math, mind you), and what I think people building privacy-preserving identity systems should be paying attention to in 2026.

What Sigil Was Supposed to Be

Sigil’s pitch was small and clean: prove you’re a unique human being, without revealing who you are. Connect a wallet. Share your mobile driver’s license. Choose what gets revealed. A zero-knowledge circuit, written in Noir and verified via UltraHonk (always fun to say and write), generates a proof of personhood with a nullifier. A one-time, unlinkable claim that yes, this is a real person, and no, this isn’t the same person twice. The proof mints a soulbound token. No KYC database. No PII stored. The state-issued credential never leaves the device.

It was meant to slot into a fourth category that Vitalik’s proof-of-personhood taxonomy didn’t quite cover. Not biometric. Not social-graph. Document-backed. A real credential, signed by a real DMV, proven without ever being shown. It was the version of the system I would have wanted as a user. Use the credential I already carry. Throw away everything else.

I built it. The circuits compiled. The contract verified. The flow worked. You can prove YOU.

And then the world began re-arranging the input pipeline underneath it.

The First Crack

The first sign was Apple. To read an mDL from an iOS device, you have to go through Apple’s “Verify with Wallet” API. It is closed. It is proprietary. It is mediated entirely by a company whose business model has shifted, year by year, toward becoming the identity arbiter of the consumer internet.

So we pivoted. The Android path, via the W3C Digital Credentials API and OID4VP, used open web standards instead of vendor APIs. I told myself this was actually more aligned with what Thurin was for. The cypherpunk path over the locked one. Not a workaround. The principled implementation.

I still believe that’s true, in the narrow technical sense.

But then I started reading the implementation guidance more carefully. The announcements out of various states. The eIDAS 2.0 timelines. The fine print of Germany’s mDL rollout.

And what is now plainly visible, if you read the documents instead of the press releases, is that the credential root is being captured at the operating system level. Not by accident. Not as a transitional detail. By design. The phone vendors are becoming the holders of state-issued identity, and the states are signing off on it because it solves their distribution problem in one move.

The Input Is the Problem

Here is the sentence I kept writing in my own notes:

Sigil’s ZKP layer is sound. The input to that layer is the problem.

You can write the most rigorous zero-knowledge circuit ever published. You can prove personhood, age, residency, anything you like, without revealing a single bit beyond what’s asked. And if the credential you’re proving over arrives at your device through Apple’s or Google’s wallet, gated by their attestation, signed under their key, presentable only when their software allows it, then your privacy guarantee is downstream of two surveillance companies.

That isn’t privacy. It’s compliance dressed in privacy-preserving aesthetics.

A ZKP on top of a captured input pipeline doesn’t fix the capture.

It launders it.

It makes the resulting credential look sovereign (auditable, math-backed, on-chain) while the actual moment of holding and presenting identity remains the property of someone else. The user is back inside the walled garden, just with a nicer view from the window.
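A constructed model of the flow described in "What Sigil Was Supposed to Be" and of the argument above, added here as an illustration and not Sigil's own code: the verifier's trust anchor is nothing but the issuer keys it is configured to accept, so whoever holds that root decides what can be proven, while the nullifier is what gives the one-claim-per-person property. HMAC, the issuer ids and the scopes are stand-ins; the Noir circuit itself is not modelled.

```python
import hashlib
import hmac

# Constructed toy model of the Sigil flow (added here; not Sigil's own code).
# The Noir circuit is not modelled: HMAC stands in for the issuer's signature
# so the example runs offline, and verify() takes the witness that a real ZK
# proof would keep on the device. What it shows: the verifier's only trust
# anchor is the issuer keys it accepts, and the nullifier is what enforces
# "one claim per person per scope" without revealing who the person is.

TRUSTED_ISSUERS = {}   # issuer id -> issuer key the verifier accepts
spent_nullifiers = {}  # scope -> set of nullifiers already claimed


def issue_credential(issuer_id, issuer_key, subject_secret):
    """Issuer side: bind a credential to the holder's secret (a DMV signing an mDL)."""
    tag = hmac.new(issuer_key, subject_secret, hashlib.sha256).hexdigest()
    return {"issuer": issuer_id, "secret": subject_secret, "tag": tag}


def nullifier(subject_secret, scope):
    """Deterministic per (person, scope): a second claim in the same scope
    collides, while claims in different scopes cannot be linked to each other."""
    return hashlib.sha256(b"sigil-nullifier|" + scope + b"|" + subject_secret).hexdigest()


def present(cred, scope):
    """Holder side: the public statement plus the private witness."""
    public = {"issuer": cred["issuer"], "scope": scope,
              "nullifier": nullifier(cred["secret"], scope)}
    return public, cred


def verify(public, witness):
    """Verifier side. Inside a real circuit the signature and nullifier checks run
    over the private witness; here they run in the clear to show the trust path."""
    key = TRUSTED_ISSUERS.get(public["issuer"])
    if key is None:
        return "rejected: issuer not in trust set"
    expected = hmac.new(key, witness["secret"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, witness["tag"]):
        return "rejected: bad issuer signature"
    if public["nullifier"] != nullifier(witness["secret"], public["scope"]):
        return "rejected: nullifier does not match witness"
    seen = spent_nullifiers.setdefault(public["scope"], set())
    if public["nullifier"] in seen:
        return "rejected: nullifier already spent"
    seen.add(public["nullifier"])
    return "accepted"
```

Replace the entry in TRUSTED_ISSUERS with a phone vendor's attestation key and every proof downstream, however sound its circuit, inherits that root unchanged.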

I am not willing to ship that and call it Thurin.

What Forced Digital Identity Actually Looks Like in 2026

Mugatu meme: "Forced identity verification is so hot right now"

This is the part I’d ask people in the privacy space to internalize, because I think it’s still being discussed as something that might happen rather than something that is shipping right now. And it isn’t just Germany. It is shipping in the United States, with very little visible resistance.

The architecture is already built. Not “coming.” Built.

Federally, REAL ID enforcement went live in May 2025. Non-compliant state IDs are no longer accepted at airport checkpoints. Starting February 2026, the TSA introduced ConfirmID, a $45 fee for travelers without acceptable physical identification, with explicit acceptance of Apple Digital ID, Google ID pass, and Clear ID as alternatives. The federal government has, in practice, onboarded the consumer identity duopoly into air travel itself.

At the state level the rollout is faster than the public conversation. Thirteen states and Puerto Rico already have a mobile driver’s license available in Apple Wallet, with seven more committed. The TSA accepts these mDLs at over 250 airports. Georgia’s HB296 went a step further. It mandates that law enforcement accept the mDL at traffic stops, and that every officer carry a reader by mid-2027. The mDL is becoming, by statute, the way the state recognizes you.

The website side of this is moving faster still. Twenty-five U.S. states, half the country, now require a government-issued ID, a credit card, or a facial scan to access whole categories of legal websites. After the Supreme Court’s 2025 ruling in Free Speech Coalition v. Paxton, those laws survive on intermediate scrutiny, the lowest constitutional bar that still permits a law to stand. Nebraska’s age-verification statute takes effect July 1, 2026. California’s SB 976 takes full effect December 31, 2026. More are in flight in more states.

Internationally, eIDAS 2.0 is deploying its digital wallet framework across the EU. Germany’s mDL rollout will not function without Apple or Google.

The two viable mobile holders, for the vast majority of citizens of the vast majority of countries that are rolling any of this out, are Apple Wallet and Google Wallet. The “Verify with Wallet” and Digital Credentials APIs that downstream applications use to read these credentials route through, and can be revoked by, those same vendors.

There is no version of this stack where the user is in control of their own credential root. There is only the version where Apple and Google are. The cryptography downstream of that point is decoration. Beautiful decoration, in some cases. But decoration.

This isn’t a slippery slope argument. The slope already ended. We’re standing in the place the slope was supposed to lead.

Why Thurin Keeps Going Without Sigil at the Front

Putting Sigil down was hard. It was the showcase project, the one that demonstrated the most. It was also the one downstream of architecture I do not control and cannot reform from where I sit.

What I do control are the other two pieces of the Thurin stack. And they are, I think, more interesting precisely because they refuse the mDL pipeline entirely.

Signet doesn’t ask permission from any wallet vendor. It links a PGP key (one you generated, on a machine you control) to an Ethereum address you also control, with a mutual on-chain attestation. The credential root is you. Not a DMV. Not a phone OS. Not a corporate signer. The cryptography you publish is the cryptography you made.

Scry is the explorer that makes those self-issued identities discoverable and verifiable, client-side, without a server. It surfaces the PGP web of trust, on-chain attestations, social proofs, and the EFP social graph. Everything you’ve voluntarily made public, none of what you haven’t.

Together they describe a different architecture: identity that starts at the user and builds outward, instead of starting at a state-or-corporate root and trickling down. PGP is old. Bottom-up identity is old. The new piece is that on-chain attestation finally gives PGP a global, censorship-resistant verifiability layer it never had. Exactly the layer Vitalik gestured at in “Make Ethereum Cypherpunk Again” when he noted that cryptocurrency was the first thing to give PGP keys mass adoption.

It is slower. It is less shiny than a soulbound proof-of-personhood NFT. There is no government signature anywhere in the chain. That is the point.

On Putting It Down Rather Than Shipping It Compromised

I want to be honest about this last part, because I think it matters.

There was a version of Sigil I could have shipped. iOS first, Apple Wallet API, slick onboarding, growth chart. There would have been users. There would have been writeups. The math really is sound, the demo really does work, and nobody pulling out their phone to mint a soulbound token would have been thinking about credential root architecture while they did it.

I don’t want to be the person who ships well-encrypted compliance and calls it sovereignty. Cypherpunk is not an aesthetic. “Build tools, not empires” is not a brand tagline. If the credential root for the entire identity layer is being annexed by the two largest empires the consumer internet has ever produced, then the right answer is not to build a beautiful ZK frontend for that annexation. It is to refuse, and to build elsewhere.

Sigil is private now. The code still exists. The circuits still verify. If the credential root ever gets free of OS vendor capture (and this is a real if), I will pick it back up. Until then, it sits.

In the meantime, the work continues. Just not from the captured end of the pipeline.

If you want to see the bottom-up version of this, Signet is where you start. Generate a PGP key, link it to your wallet, publish the attestation. Or look around in Scry to see what an identity graph that doesn’t pass through Apple looks like. Questions, pushback, corrections: bendoubleu.eth, or via my Scry profile.