Most of this site argues that documents should carry their own proof. If you sell verification — degree checks, employment confirmations, document authentication, parts of the KYC and background-check stack — that argument is a threat to a revenue line, and you already know it. So here is the unsentimental version, with the quiet part said first.
Live Verify lets the holder of a document prove it's genuine without phoning anyone. The protocol
is text → normalize → SHA-256 → GET: the issuer publishes a hash, and any
recipient checks it for free, on-device, with no intermediary. Where your product is
“we'll phone the university for you, for £30,” that specific transaction has a
marginal cost approaching zero once the issuer publishes. We are not going to pretend otherwise. The
bottom tier of paid verification — the rote “is this real?” lookup — gets
commoditized, the way Domain Validation certificates did after Let's Encrypt.
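The text → normalize → SHA-256 → GET flow described above, as an added example that is not Live Verify's own code. The normalization rules, the URL layout and the `https://issuer.example/c` base URL are assumptions for illustration, and the GET is replaced by a lookup in an in-memory set so the example runs offline.

```python
import hashlib
import re
import unicodedata

def normalize(text: str) -> str:
    # Assumed rules (the page does not specify them): Unicode NFC,
    # collapse whitespace runs, trim each line, drop blank lines.
    text = unicodedata.normalize("NFC", text)
    lines = (re.sub(r"\s+", " ", ln).strip() for ln in text.splitlines())
    return "\n".join(ln for ln in lines if ln)

def claim_hash(text: str) -> str:
    # SHA-256 over the UTF-8 bytes of the normalized text, hex-encoded.
    return hashlib.sha256(normalize(text).encode("utf-8")).hexdigest()

def verification_url(base_url: str, text: str) -> str:
    # Hypothetical layout: <base>/<hex digest>. The request carries the
    # digest only, not the document text.
    return f"{base_url.rstrip('/')}/{claim_hash(text)}"

def verify(text: str, base_url: str, published: set[str]) -> bool:
    # Stand-in for the HTTP GET: a successful response is modelled as
    # membership in the set of URLs the issuer has published.
    return verification_url(base_url, text) in published

# Constructed sample data, not real credentials.
BASE = "https://issuer.example/c"
ISSUED = "Jos\u00e9 Example\nBSc Computer Science\nAwarded 2021-07-01"
PUBLISHED = {verification_url(BASE, ISSUED)}

# The same claim as it might arrive after copy/paste or OCR:
# decomposed accent, stray spaces, an extra blank line.
COPIED = "  Jose\u0301   Example \n\nBSc Computer  Science\nAwarded 2021-07-01\n"
# One altered word changes the digest, so the lookup misses.
TAMPERED = ISSUED.replace("BSc", "MSc")

if __name__ == "__main__":
    for label, doc in [("issued", ISSUED), ("copied", COPIED), ("tampered", TAMPERED)]:
        print(f"{label:9s} verified={verify(doc, BASE, PUBLISHED)}")
```

The normalization step is what lets a re-typed or re-scanned copy hash to the value the issuer published; a check that hashed raw bytes would reject the `COPIED` sample even though its content is unchanged.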
This has happened before, and the record is public. Free, automated TLS certificates commoditized the bottom of the certificate-authority market within a decade. The incumbents who fought it lost; the ones who moved up-stack to certificate management (DigiCert today) thrive. The full episode — who funded it, how incumbents reacted, and where the analogy breaks — is documented in Let's Encrypt as precedent. We'd rather you read it than have it deployed against you.
A hash check is a feature, not a business. The hard, sticky, defensible work sits around the free rails — and it is work the incumbent who already holds the relationships, the data, and the compliance posture is best placed to do:
Notice the shape: the lookup gets cheap, but being the party institutions trust to operate the lookup at scale gets more valuable, because there is now a standard worth operating against. That is the DigiCert move — conceding the commodity and owning the management layer above it.
The incumbent playbook against open trust standards is on the record, and it failed last time:
| The defensive move | Why it fails here |
|---|---|
| FUD — “unaudited”, “no liability framework”, “who stands behind this?” | Attacking free fraud-prevention infrastructure looks exactly as bad as it sounds. The Let's Encrypt FUD aged badly within two years. |
| Name or standard capture — trademark grabs, accredited-provider-only schemes | The spec is Apache-2.0 and already public on thousands of machines. It cannot be acquired, shelved, or patent-blocked. Comodo tried to trademark “Let's Encrypt” and retreated under public outcry. |
| Wait and see | The standard's beachhead is the documents no one verifies today — the unserved long tail, where you have no position to defend. By the time it reaches your tier, the integration relationships are already someone's. |
| Be the IdenTrust — lend early legitimacy, anchor a chain, backfill your own records first | This is the one that works. One incumbent certifier cross-signed Let's Encrypt and bridged it into every browser. The equivalent move here makes you the trusted operator of the layer that does survive — on your terms, while the terms are still open. |
If you hold verification-services assets in a portfolio, the standard reframes the question from “do we adopt this?” to “which side of it does our portfolio end up on?” Document-emitting SaaS, issuers, insurers and banks who bear fraud losses gain; pure verification toll booths get commoditized from below. The standard exists publicly now and is not contingent on anyone's permission — so the live decision is whether your portfolio owns the integration and operations layer that survives, or watches a competitor take it. That is the disrupt-yourself-before-someone-else-does argument, and it is stronger precisely because the genie is already out of the bottle.
The Let's Encrypt incumbents were substantially PE-owned through the disruption — Thoma Bravo took DigiCert, Francisco Partners rolled Comodo's CA business into Sectigo. Private equity didn't stop the open standard; it rolled up the survivors and repositioned them around the up-stack services. That is the playbook that worked. The full history is in the precedent write-up.
Two reasons. First, saying the quiet part first is the cheapest defense against FUD — it is hard to spread doubt about a project that has already published the case against itself. Second, this is genuinely not winner-take-all in the way a proprietary product would be: an open standard wins by being adopted, and an incumbent who operates the durable layer well is an asset to it, not a casualty. The only outcome that serves no one is a year of slow-walking while the long tail gets verified by someone else and your relationships quietly migrate.
If your honest read is “our entire product is the commodity lookup and there is no up-stack for us,” that's worth knowing now too — and worth a candid conversation rather than a pitch.
This page is print-friendly — forward it to whoever owns the verification P&L.