Every physical object you own has a name problem. Your car has a VIN stamped into the dashboard and the driver's door jamb. The cereal on your shelf has a barcode -- a GTIN encoded in EAN-13 or UPC-A format. The pallet that cereal arrived on had an SSCC label. The shipping container that pallet rode in had a BIC code. None of these identifiers talk to each other. None of them were designed by the same standards body. And none of them answer the question that actually matters for long-lived object tracking: how do you refer to a specific physical thing, unambiguously, for decades, across organizational boundaries, without a central authority that might disappear?
This article surveys the major physical identifier standards in use today -- GS1, ISO 15459, and VIN -- examines what each was designed to solve, where each breaks down, and what you can learn from their successes and failures if you are designing a new identifier system. It is not a standards compliance guide. It is a field survey written for engineers who need to understand the landscape before committing to an architecture.
Why Physical Identifiers Matter
Software engineers tend to underestimate the difficulty of naming physical things. In software, you can generate a UUID, store it in a database, and refer to it forever. The identifier has no physical form. It does not wear off, get painted over, or become unreadable after twenty years of UV exposure. It does not need to be printed in a font that a scanner can read from a meter away. It does not need to survive a warehouse fire, a customs inspection, and a forklift scraping it across concrete.
Physical identifiers have all of these constraints and several more. They must be short enough to encode in a barcode or QR code without making the symbol too large to print. They must be structured enough that a scanner can parse them without ambiguity. They must be globally unique -- or at least unique within a namespace that does not collide with other namespaces in the same supply chain. And they must persist for the lifetime of the object, which for a car is 20 years, for a building component is 50 years, and for a piece of infrastructure is potentially a century.
The standards that address these problems were developed over decades by different industries with different priorities. The result is a set of overlapping, partially compatible, sometimes contradictory systems that all work reasonably well within their intended domain and all fail in predictable ways at the boundaries.
The GS1 System
GS1 is the most widely deployed identifier system on Earth. If you have ever scanned a barcode at a grocery store, you have used GS1. The organization (originally the Uniform Code Council in the US and EAN International in Europe, merged in 2005) manages a family of identifier standards, encoding standards, and data sharing standards that collectively cover most of the global supply chain.
The Identifier Family
GS1 defines several identifier types, each scoped to a different level of granularity.
GTIN (Global Trade Item Number). This is the barcode number on consumer products. GTINs come in four lengths: GTIN-8 (8 digits, for very small packages), GTIN-12 (the American UPC-A), GTIN-13 (the European EAN-13), and GTIN-14 (for cases and pallets). A GTIN identifies a product type, not a specific item. Every can of the same brand of tomato soup has the same GTIN. The GTIN tells you what something is. It does not tell you which one.
SSCC (Serial Shipping Container Code). An 18-digit number that identifies a specific logistic unit -- a pallet, a case, a parcel. Unlike the GTIN, the SSCC is a serial identifier. Each pallet gets its own SSCC. This is the identifier that makes warehouse management systems work. When a pallet arrives at a distribution center, the SSCC on its label connects it to the advance ship notice, the purchase order, and the inventory record.
GLN (Global Location Number). A 13-digit number that identifies a physical or organizational location. A warehouse, a loading dock, a legal entity, a department within a company. GLNs are used in EDI transactions to specify ship-from, ship-to, and bill-to parties.
SGTIN (Serialized GTIN). A GTIN plus a serial number, creating a unique identifier for a specific item instance. This is the bridge between "what is it" and "which one is it." SGTIN is used in pharmaceutical serialization, high-value goods tracking, and anywhere you need to identify individual items rather than product types.
GS1 Encoding: From Number to Symbol
An identifier is useless if you cannot read it. GS1 defines several encoding standards that map identifiers to physical symbols.
EAN-13 / UPC-A. The classic linear barcode on consumer products. Encodes a GTIN-12 or GTIN-13. Fast to scan. Limited to one data element. This is the barcode every consumer recognizes.
GS1-128. A linear barcode that uses the Code 128 symbology with a special start character (FNC1) to signal that the data follows GS1 formatting conventions. Can encode multiple data elements using Application Identifiers. Widely used in logistics, healthcare, and B2B supply chains. Longer than EAN-13, which means it requires more label space and more precise printing.
GS1 DataMatrix. A two-dimensional matrix barcode that encodes the same data as GS1-128 in a much smaller space. Required for pharmaceutical serialization in many jurisdictions (the EU's Falsified Medicines Directive mandates DataMatrix on every prescription drug package). Can encode up to 2,335 alphanumeric characters, though typical usage is under 50.
GS1 Digital Link. A URI-based encoding that embeds GS1 identifiers in a web address. A GTIN becomes part of a URL: https://id.gs1.org/01/09520123456788. The URI can be encoded in a QR code, making it both machine-scannable and human-clickable. This is GS1's answer to the question "how do we bridge the physical and digital worlds?" The identifier resolves to a web resource that can serve different content depending on who is asking -- a consumer gets a product page, a retailer gets supply chain data, a regulator gets compliance documentation.
What GS1 Gets Right
GS1 has been in production for over fifty years. The original UPC barcode was scanned at a Marsh supermarket in Troy, Ohio, in 1974. The system has survived the transition from linear barcodes to 2D symbols, from EDI to the internet, from local retail to global e-commerce. That longevity is not an accident. Several design decisions have aged well.
Hierarchical allocation. GS1 does not assign individual GTINs. It assigns Company Prefixes -- a block of numbers allocated to a specific organization. The organization then assigns individual GTINs within its prefix. This means GS1 does not need to know about every product. It only needs to know about every company. The management burden scales with the number of organizations, not the number of products.
Self-describing data. Application Identifiers make GS1 barcodes parseable without external context. A scanner reading a GS1-128 barcode can determine the structure of the data from the data itself. This is a significant advantage over opaque identifier formats that require the reader to already know the format before parsing.
Separation of identifier and carrier. A GTIN is a number. It can be encoded in a linear barcode, a DataMatrix, a QR code, an RFID tag, or an NFC chip. The identifier is independent of how it is physically represented. This allowed GS1 to adopt new encoding technologies without changing the identifier structure.
Where GS1 Breaks Down
Cost of entry. A GS1 Company Prefix is not free. Pricing varies by country and by the number of unique products, but annual fees in the US start around $250 and scale into the thousands. For a manufacturer with millions of SKUs, this is negligible. For a small artisan, a community organization, or an open-source project, it is a meaningful barrier. This pricing model assumes that identifier users are commercial entities in a supply chain. It does not accommodate non-commercial use cases well.
Namespace governance is centralized. GS1 is the single authority for Company Prefix allocation. If GS1 ceased to operate, no new prefixes could be allocated, and the resolution infrastructure for Digital Link URIs would go dark. The identifiers themselves -- being just numbers -- would remain valid, but the governance layer that ensures uniqueness would be gone. For a system designed to outlast the organizations that use it, centralized governance is a single point of failure.
Instance-level tracking is bolted on. GS1 was designed for class-level identification -- telling you what a product is, not which specific unit it is. SGTIN adds serial numbers, but the serial component is managed entirely by the company that owns the GTIN. There is no global registry of serial numbers. Two companies could theoretically assign the same serial number within their respective GTINs, and while the combination of GTIN + serial is globally unique, the serial alone is not. This means that if you lose the GTIN context -- if the label is partially damaged, or the data is truncated in transmission -- the serial number alone is useless.
ISO 15459: Unique Identification
ISO 15459 takes a different approach to the identifier problem. Where GS1 provides a tightly integrated system of identifiers, encodings, and data sharing standards, ISO 15459 provides a framework for unique identification that is agnostic to the identifier format, the encoding, and the application domain.
The standard has multiple parts. Part 1 covers individual transport units (packages). Part 2 covers registration procedures. Part 3 covers common rules. Part 4 covers individual items. Part 5 covers returnable transport items (pallets, containers). Part 6 covers groupings. The unifying principle across all parts is the concept of an Issuing Agency Code (IAC).
Issuing Agency Codes
An IAC is a short prefix that identifies which organization issued a particular identifier. ISO 15459 does not define the identifier format itself -- it delegates that to the issuing agency. What it provides is a meta-namespace: a way to determine, from the first few characters of an identifier, which system the rest of the identifier belongs to.
GS1 is one of several registered issuing agencies under ISO 15459. The US Department of Defense has its own IAC. The Odette automotive industry association has one. The IATA has one for air cargo. Each issuing agency manages its own namespace, its own allocation rules, and its own identifier formats. ISO 15459 just ensures that the prefixes do not collide.
This design is elegant in theory. It allows heterogeneous identifier systems to coexist without collision. A scanner encountering an unknown identifier can at least determine which system it belongs to by reading the IAC prefix, even if it cannot parse the rest. In practice, the elegance creates a different kind of fragmentation: every issuing agency has its own rules, its own data structures, and its own resolution infrastructure. Interoperability between agencies requires bilateral agreements, not just compliance with the standard.
What ISO 15459 Gets Right
Namespace delegation without format prescription. By separating the namespace authority (the IAC) from the identifier format, ISO 15459 avoids the trap of mandating a single structure for all use cases. Military equipment, airline baggage, and pharmaceutical products have different identification requirements. ISO 15459 allows each domain to use the format that works for it, while ensuring that identifiers from different domains do not collide.
Longevity through indirection. If a new identifier system emerges -- say, a cryptographic hash-based system for IoT devices -- it can be registered as an issuing agency under ISO 15459 and immediately coexist with existing systems. The standard does not need to be revised. The registry just grows.
Where ISO 15459 Falls Short
Registration is opaque and slow. Becoming a registered issuing agency under ISO 15459 requires application to the registration authority (currently the Association for Automatic Identification and Mobility, AIM). The process is not transparent, the timeline is unpredictable, and the documentation is sparse. For a startup or a small standards body, the administrative overhead can be prohibitive.
Resolution is not specified. ISO 15459 tells you how to structure an identifier so it is globally unique. It says nothing about how to resolve that identifier to useful data. There is no equivalent of DNS, no lookup protocol, no specified resolution infrastructure. Each issuing agency builds its own resolution system, or does not build one at all. A globally unique identifier that nobody can look up is only marginally better than a locally unique one.
VIN: The Automotive Model
The Vehicle Identification Number is perhaps the most successful physical identifier system in terms of penetration and longevity. Every car, truck, motorcycle, and trailer sold in North America since 1981 has a 17-character VIN assigned according to a standardized structure. The VIN is stamped into the vehicle's body, printed on a label visible through the windshield, encoded in the OBD-II diagnostic port, and recorded in insurance, registration, and title databases.
VIN Structure
A VIN is 17 characters, using digits 0-9 and uppercase letters A-Z, excluding I, O, and Q (to avoid confusion with 1, 0, and 9). The structure is rigidly defined:
Positions 1-3: World Manufacturer Identifier (WMI). These three characters identify the manufacturer and the country of origin. The first character encodes the region (1-5 for North America, S-Z for Europe, etc.). The second and third characters are assigned by the Society of Automotive Engineers (SAE) to specific manufacturers. A WMI of 1G1 means a General Motors vehicle built in the United States. WDC means a Mercedes-Benz built in Germany.
Positions 4-8: Vehicle Descriptor Section (VDS). These five characters describe the vehicle attributes -- model, body type, engine type, restraint system, transmission. The encoding is manufacturer-specific. There is no standard mapping from VDS characters to attributes. Each manufacturer publishes (or does not publish) its own VDS decoding tables.
Position 9: Check digit. A single character computed from the other 16 using a weighted sum algorithm. This allows any system reading a VIN to detect single-character transcription errors. It does not detect transpositions, and it does not detect deliberate fraud -- a forger can compute a valid check digit for any fabricated VIN.
Position 10: Model year. A single character encoding the model year. The encoding wraps: A=2010, B=2011, ... 9=2009, A=2010 again. This means the model year character is ambiguous on a 30-year cycle. A VIN with a model year character of "A" could be from 1980, 2010, or 2040. The disambiguation comes from context -- the other characters in the VIN, the registration records, or the physical condition of the vehicle.
Position 11: Plant code. Identifies the specific manufacturing plant. Assigned by the manufacturer.
Positions 12-17: Sequential production number. A six-character serial number assigned sequentially by the manufacturer at the assembly plant. This is what makes the VIN unique within a given manufacturer-plant-year combination.
What VIN Gets Right
Fixed width, fixed structure. A VIN is always 17 characters. Always. There is no variable-length encoding, no optional fields, no ambiguity about where the identifier ends. Any system that reads VINs knows exactly how many characters to expect. This simplicity has made VIN parsing trivially easy to implement in every programming language, every database, and every scanner firmware. The fixed width also means VINs can be stamped into metal, etched into glass, and printed on labels with predictable space requirements.
Error detection built in. The check digit at position 9 catches the most common data entry errors: mistyped characters and dropped digits. This is a small thing, but in a world where VINs are frequently transcribed by hand -- during insurance claims, police reports, and title transfers -- it prevents a meaningful number of errors from propagating through the system.
Physical permanence. The VIN is stamped into the vehicle's body at the factory. It is not a label that can peel off, a tag that can be removed, or a code that can be painted over. The physical identifier is literally part of the object. This is a design constraint that most digital-first identifier systems do not consider. If your identifier only exists as a printed label or an NFC tag, it can be separated from the object it identifies. The VIN's stamped presence on the body is a deliberate anti-fraud measure.
Where VIN Falls Short
Manufacturer-specific VDS encoding. Positions 4 through 8 describe the vehicle, but the encoding is determined by each manufacturer independently. There is no universal VDS decode table. If you want to extract the engine type from a Ford VIN, you need Ford's VDS specification. If you want the same information from a Toyota VIN, you need Toyota's specification. These specifications are not always public, not always consistent across model years, and not always maintained after the manufacturer ceases production. For a system that needs to decode arbitrary VINs programmatically, this is a significant obstacle.
No resolution infrastructure. A VIN identifies a vehicle. It does not point to a service where you can look up that vehicle's history, specifications, or current registration. The NHTSA operates a VIN decoder API that provides basic vehicle attributes, but comprehensive history (accident reports, service records, title transfers) is fragmented across private databases -- Carfax, AutoCheck, state DMV records -- with no standard API and no universal access. The identifier exists. The resolution is balkanized.
Geographic and temporal limitations. The 17-character VIN standard applies to vehicles sold in North America since 1981. Vehicles sold in other markets may use different formats. Vehicles manufactured before 1981 have shorter or non-standardized VINs. The standard assumes a specific scope of applicability and does not generalize cleanly outside it.
Comparison of Approaches
Looking at GS1, ISO 15459, and VIN side by side, several patterns emerge.
All three systems use hierarchical allocation. GS1 allocates Company Prefixes. ISO 15459 allocates Issuing Agency Codes. VIN allocates World Manufacturer Identifiers. This pattern -- delegate namespace management to the organization closest to the identified objects -- is clearly the right approach for physical identifiers. Central allocation of individual identifiers does not scale to billions of objects.
All three systems separate the identifier from the carrier. A GTIN can live in a barcode, a DataMatrix, an RFID tag, or a URL. A VIN can be stamped in metal, printed on a label, stored in a database, or encoded in an OBD-II response. ISO 15459 is explicitly carrier-agnostic. This separation is essential for longevity -- the identifier must outlast the current generation of reading technology.
All three systems struggle with resolution. GS1 Digital Link is the most ambitious attempt to solve this, but it is still young and not universally adopted. VIN resolution is fragmented. ISO 15459 does not address resolution at all. The persistent gap across all three systems is the same: they define how to name things, not how to look things up.
Namespace Collision Problems
The silent killer of identifier systems is namespace collision -- two different objects assigned the same identifier by two different authorities who did not know about each other.
Within a single system, collisions are prevented by design. GS1 Company Prefixes are unique. WMIs are unique. ISO 15459 IACs are unique. The problem arises at the boundaries between systems.
Consider a warehouse that receives products from three different supply chains. One uses GS1 GTINs. One uses a proprietary internal numbering system. One uses ISO 15459 identifiers issued by a defense-sector agency. The warehouse management system needs to scan a barcode and determine which system the identifier belongs to. If the systems use different barcode symbologies, the symbology itself provides the disambiguation. But if two systems both use Code 128 barcodes with numeric payloads, and one payload happens to be a valid GTIN while actually being a defense identifier, the WMS will misparse it.
GS1's FNC1 start character in GS1-128 barcodes exists precisely to prevent this. A scanner that sees the FNC1 character knows the data is GS1-formatted. A barcode without FNC1 is not GS1, regardless of whether its numeric payload looks like a GTIN. But not all systems use GS1-128. And in environments where identifiers are transmitted as plain text -- in EDI messages, database records, or API payloads -- the FNC1 disambiguator is lost. The number 09520123456788 could be a GTIN-14 or it could be a coincidentally 14-digit identifier from an entirely different system.
The practical defense against namespace collision is context. Store identifiers with their namespace -- not just the number, but the system it belongs to. A database record should contain ("GS1:GTIN-14", "09520123456788"), not just "09520123456788". URIs solve this naturally -- https://id.gs1.org/01/09520123456788 is unambiguous. Bare numbers are not.
Longevity and Persistence
The hardest requirement for a physical identifier is outlasting the organization that issued it. A VIN must be meaningful for as long as the vehicle exists -- 20 to 30 years, sometimes longer for collector vehicles. A building component identifier might need to last 75 years. An identifier on a piece of nuclear waste needs to last for millennia, though that is a problem beyond the scope of this article and possibly beyond the scope of human civilization.
What Happens When Issuers Disappear
Companies go bankrupt. Standards bodies merge or dissolve. Government agencies are restructured. When the entity that issued an identifier ceases to exist, what happens to the identifiers?
For VINs, the answer is surprisingly robust. The VIN is physically stamped into the vehicle. It does not need the issuing manufacturer to exist for the VIN to remain valid and decodable. The WMI database (maintained by SAE and NHTSA) records historical manufacturer codes. When a manufacturer goes bankrupt, its WMI is not reassigned. The codes become historical entries in a reference database. The VIN on a defunct manufacturer's vehicle remains unambiguous because the WMI was unique at the time of issuance and is never reused.
For GS1, the picture is more complicated. A GS1 Company Prefix is leased, not owned. If a company stops paying its GS1 membership fees, the prefix could theoretically be reassigned. In practice, GS1 does not immediately reassign prefixes, and most GS1 Member Organizations have policies to prevent rapid reassignment. But the identifier's uniqueness depends on the governance of the registry. If GS1 were to disappear entirely, the prefixes would freeze in their last known state, and uniqueness would be preserved only to the extent that the last snapshot of the registry survives.
For ISO 15459, persistence depends on the issuing agency. If the agency continues to operate, identifiers remain valid and decodable. If the agency ceases operations, the IAC is retained in the ISO registry as a historical entry, and the identifiers remain globally unique (because the IAC prefix distinguishes them from all other systems). But resolution -- the ability to look up what an identifier refers to -- dies with the agency unless the resolution data has been archived elsewhere.
QR Codes and NFC as Carriers
An identifier is an abstract string. A carrier is the physical medium that makes it readable. The choice of carrier determines the scanning distance, the durability, the data capacity, and the cost per unit.
QR codes are the dominant carrier for consumer-facing applications. They are cheap to print (a standard laser printer works), can encode up to 4,296 alphanumeric characters (far more than any identifier requires), are resilient to damage (up to 30% of the symbol can be destroyed and still be readable, depending on the error correction level), and are readable by every smartphone manufactured in the last decade. Their weakness is environmental: QR codes do not survive immersion, abrasion, or extended UV exposure without lamination or other protection. For indoor use on consumer products, they are ideal. For outdoor use on infrastructure, they are a temporary solution at best.
NFC tags (ISO 14443 and ISO 15693) offer a different tradeoff. The identifier is stored in a passive silicon chip and read wirelessly at short range (typically under 10 cm). NFC tags can be embedded inside objects -- inside the case of a tool, under the label of a bottle, inside the wall of a building component. This makes them resistant to surface damage. They are rewritable (for updatable identifiers) or one-time-programmable (for tamper-evident identifiers). Their weaknesses: higher per-unit cost than printed codes, reading requires a phone or dedicated reader within a few centimeters, and metal objects interfere with the radio signal unless special on-metal tags are used.
RFID tags (ISO 18000-6, the EPCglobal standard) extend the reading range to meters rather than centimeters, making them suitable for scanning at warehouse dock doors and in supply chain transit points. The cost per tag has dropped below $0.10 for high-volume UHF tags. But the reading infrastructure -- UHF RFID readers -- is not ubiquitous. Unlike QR codes and NFC, RFID reading is not built into consumer smartphones.
The choice of carrier affects the identifier system design. A QR code has enough capacity to carry a full URI, a signature, and metadata. An NFC tag has 48 to 888 bytes depending on the tag type -- enough for an identifier and a URL, but not enough for rich metadata. A barcode may have as few as 20 characters of usable capacity. If your identifier system assumes rich data in the carrier, you have excluded low-capacity carriers. If your system assumes only a short identifier in the carrier, you can use any carrier but need a resolution service for the rest of the data.
The Gap Between Identifier and Identity
This is the conceptual chasm that trips up every engineer who comes to physical identifiers from a software background. In software, identity and identifier are usually the same thing. A database primary key identifies a row and is the row's identity. A UUID identifies an entity and is its identity.
In the physical world, an identifier names a thing. Identity is the thing. And the link between them can be broken.
A VIN identifies a specific car. But if someone removes the VIN plate and puts it on a different car (VIN cloning is a real fraud vector), the identifier now points to the wrong physical object. The identifier is intact. The identity link is broken. The VIN did not change. The object it refers to did.
A GTIN identifies a product type. If a counterfeiter prints the same barcode on a fake product, the identifier is valid. It resolves correctly in every database. The product is still fake. The identifier provides naming. It does not provide authentication.
This gap -- between naming and authenticating -- is the fundamental limitation of all the standards we have discussed. GS1, ISO 15459, and VIN all solve the naming problem: they give you a globally unique string that refers to a specific thing. None of them solve the authentication problem: they cannot prove that the physical object bearing the identifier is the object the identifier was originally assigned to.
Designing a New Identifier System
If you are building a system that tracks physical objects over long time horizons and across organizational boundaries -- and the existing standards do not fit your requirements -- you will need to design your own identifier. Here is what the history of GS1, ISO 15459, and VIN teaches about what works.
Lesson 1: Separate the Namespace from the Instance
Every successful identifier system uses hierarchical allocation. Define a namespace authority (equivalent to GS1's Company Prefix, ISO 15459's IAC, or VIN's WMI) and delegate instance allocation to the organizations closest to the objects. This is not optional. Central allocation of individual identifiers does not scale, and flat namespaces (where every identifier must be checked against every other identifier for uniqueness) require a global coordination mechanism that becomes a single point of failure.
Lesson 2: Fixed Width or Self-Describing Length
Either make every identifier the same length (like VIN's 17 characters) or include an explicit length or type field (like GS1's Application Identifiers). Variable-length identifiers without length metadata create parsing ambiguity when identifiers are concatenated, stored in fixed-width database columns, or transmitted in protocols that do not preserve whitespace boundaries. VIN chose fixed width. GS1 chose self-describing structure. Both work. Unstructured variable-length does not.
Lesson 3: Build Error Detection In
VIN's check digit catches transcription errors. GS1's GTINs include a check digit. Any identifier that will be read by humans -- typed into a form, read aloud over a phone, transcribed from a damaged label -- needs an error detection mechanism. Luhn mod 10, Damm algorithm, or a CRC are all fine. The specific algorithm matters less than having one at all. An identifier system without error detection will accumulate phantom records from typos, and those phantom records will cost more to clean up than the check digit cost to implement.
Lesson 4: Design for Resolution from Day One
The biggest gap in the existing standards landscape is resolution -- turning an identifier into useful data. If you are designing a new system, do not treat resolution as a future enhancement. Build it into the identifier structure. The simplest approach is to make the identifier a URI, or to define a canonical URI template that converts any identifier into a resolvable address. GS1 Digital Link does this for GTINs. DNS does this for domain names. The identifier itself should contain enough information to determine where to look up the rest.
Lesson 5: Plan for the Issuer's Death
Your identifier system will outlast some of the organizations that use it. Design for this. Make the identifier self-contained enough that it can be parsed without consulting the issuer. Make the resolution infrastructure federated or decentralized so that it does not depend on any single entity's continued operation. And establish a policy for namespace retirement -- what happens to prefixes allocated to organizations that no longer exist? VIN's approach (never reassign, maintain historical records) is the right one.
Cryptographic Binding
The gap between identifier and identity -- between naming and authenticating -- can be partially closed with cryptography. The approach is straightforward in concept: derive the identifier from the object's properties using a cryptographic hash, so that the identifier is not just a name but a commitment to what the object is.
Hash-Based Identifiers
Content addressing -- using the hash of an object's data as its identifier -- is well established in software. Git uses SHA-1 (migrating to SHA-256) to identify commits, trees, and blobs. IPFS uses multihash-encoded content identifiers (CIDs). Docker uses content-addressable storage for image layers.
Applying this to physical objects is more complex. A physical object does not have a canonical byte representation. You cannot compute SHA-256 of a bicycle. But you can compute SHA-256 of a structured record that describes the bicycle: its serial number, manufacturer, model, color, weight, and the hash of a photograph taken at the factory. The resulting hash is both an identifier and a commitment to the descriptive record. If the record changes (because someone altered the description), the hash changes, and the identifier becomes invalid.
This approach has a powerful property: the identifier is self-authenticating. Given the descriptive record and the identifier, anyone can verify that the identifier matches the record by recomputing the hash. No authority needs to be consulted. No certificate chain needs to be validated. The mathematics are the authentication mechanism.
The weakness is that the descriptive record must be available. A hash-based identifier is opaque -- you cannot extract any useful information from it without the original data. And the descriptive record introduces its own integrity problem: who creates the record, how is it verified, and where is it stored so it is available for the lifetime of the object?
Signed Identifiers
A step beyond hash-based identifiers is to sign the descriptive record with the issuer's private key. The identifier becomes the public key (or a hash of it) plus the signed commitment to the object's properties. Verification requires the issuer's public key, which can be distributed separately and does not need to be kept secret.
This pattern is essentially what the W3C Verifiable Credentials specification does for digital credentials. Applied to physical identifiers, it creates a system where:
The issuer creates a structured description of the object. The issuer signs the description with their private key. The identifier is derived from the public key and the signed description. Anyone with the public key can verify the signature and confirm that the description has not been altered since the issuer signed it.
The issuer's public key becomes the namespace authority. Any object whose identifier is rooted in that public key was (presumably) issued by the holder of the corresponding private key. This is decentralized namespace management -- no registry is needed, because the public key itself is the namespace.
The tradeoff is key management. If the issuer loses their private key, they cannot issue new identifiers in the same namespace. If the private key is compromised, an attacker can issue fraudulent identifiers. The issuer's operational security becomes the security of the identifier system.
Content Addressing for Physical Things
The most radical departure from traditional identifier systems is full content addressing: the identifier is the hash of the object's complete digital representation, and the digital representation is stored in a content-addressable network that anyone can query.
In this model, the identifier is not assigned by an authority. It is computed from the object's properties. Uniqueness is guaranteed by the collision resistance of the hash function, not by a registration authority. Resolution is provided by the content-addressable network -- give it the hash, get back the data. Persistence depends on the network retaining the data, which is a replication and incentive problem rather than a governance problem.
This model is not mature for physical identifiers. The tooling does not exist. The standards do not exist. The adoption is zero outside of research projects and niche applications. But it represents the logical endpoint of the trends visible in the existing standards: from centralized allocation to federated allocation to no allocation at all; from authority-dependent resolution to self-authenticating identifiers; from naming to authentication.
Whether the physical world moves in this direction depends on whether the engineering community can solve the bootstrapping problem: you need a critical mass of identifiers in the system before the system is useful, and you need the system to be useful before anyone will invest in creating identifiers. GS1 solved this bootstrapping problem by mandating barcode use in retail supply chains. VIN solved it by regulation. A new system built on cryptographic identifiers will need its own bootstrapping mechanism, and it is not obvious what that will be.
Closing Observations
The physical identifier landscape is a patchwork of domain-specific standards, each well-suited to its origin industry and each struggling at the boundaries. GS1 dominates retail and logistics but charges for access and centralizes governance. VIN is a model of fixed-structure simplicity but is locked to one object type and one geographic scope. ISO 15459 provides the most flexible framework but the least operational infrastructure.
What none of them provide is authentication -- the ability to verify that a physical object is what its identifier claims. This is the gap that cryptographic approaches aim to close, and it is the gap that matters most for any system where counterfeiting, fraud, or misidentification has real consequences.
If you are designing a system that needs to track physical objects, start with the standards that exist. Use GS1 if you are in a supply chain that already uses it. Use VIN if you are in automotive. Register an IAC under ISO 15459 if you need a globally unique namespace that interoperates with existing systems. Do not invent a new identifier format unless the existing ones genuinely do not fit your requirements.
But when you do need to build something new -- when the object lifetimes are measured in decades, when the organizational boundaries are unclear, when the issuers may not exist for the lifetime of the identifier -- look at what the existing systems get right (hierarchical allocation, carrier independence, error detection) and what they get wrong (resolution, authentication, persistence beyond the issuer's lifetime). Build the resolution in from the start. Make the identifiers self-authenticating if you can. And plan for the day when the organization that issued them is gone and the identifiers are all that remain.