CorpID — A Digital Name for Every Company

Real-Time Cryptographic Identity, Not a Number Painted on a Truck

The Identity Problem

Ask a truck "who are you?" and it answers with a number painted on its door.

That's it. A USDOT number — digits applied with vinyl lettering or, in many cases, a removable magnetic sign. The same number appears on every truck in the fleet. The number identifies the carrier, not the truck. And magnetic signs are explicitly allowed by FMCSA regulations.

The Khasanov ring didn't hack anything. They didn't exploit a zero-day vulnerability. They printed the right numbers on magnetic signs, stuck them on leased trucks, and drove up to loading docks. The dock workers checked the number against the dispatch. It matched. They loaded $5 million in cargo onto trucks operated by criminals.

A $12 magnetic sign defeated the entire carrier identification system.

What MOTUS Gets Right — and What It Misses

FMCSA's new MOTUS system is a real step forward. It uses IDEMIA biometric verification — the same technology used for passport applications and TSA PreCheck. When a carrier registers, the person behind the MC number proves their identity with facial recognition and document verification.

This solves the registration problem. The person who registers as DOT 12345 is verified as a real person with a real identity.

But registration-time identity is not dispatch-time identity. MOTUS proves who registered. It does not prove who is asking right now.

When a carrier calls a broker to accept a load, MOTUS cannot verify that the caller is the registered carrier. When a truck arrives at a shipper's dock, MOTUS cannot verify that the truck belongs to the carrier on the dispatch. When documents are submitted for payment, MOTUS cannot verify that the submitter is the carrier who performed the work.

MOTUS is a credential — like a driver's license. It proves you registered with the government. But your driver's license doesn't prove you're the person standing at the door. Your fingerprint does.

CorpID: The Digital Fingerprint

A CorpID is a cryptographic identity for a company. Not a number. Not a credential. An identity — with keys that prove who you are in real time.

What a CorpID contains:

  • Cryptographic keys — a public/private key pair. The company holds the private key. Anyone can verify the public key. To prove you're DOT 12345, you sign a challenge with your private key. No password. No phone call. No magnetic sign. Math. Everything rests on protecting that key. Where it lives — a phone, a secure element, a hardware token — and how it is backed up, rotated, and recovered is the heart of the design, not a footnote. With a hardware-held key, stealing the identity means stealing the hardware; held carelessly in software, the key simply becomes the new thing to steal. The honest claim is "as strong as your key custody," and the roadmap is hardware-rooted keys — the lesson of the TPM.
  • DNS anchor — the company's domain (e.g., smithtrucking.com) publishes the CorpID's public key in DNS records (like DKIM for email), protected by DNSSEC and mirrored to an independent revocation/transparency log. This ties the identity to the company's web presence. DNS is the discovery layer, not the entire root of trust: because domains can lapse and registrars can be compromised, the durable identity is anchored to the EIN/MC plus issuer attestations — so a hijacked or expired domain can't silently inherit a carrier's reputation.
  • Corporate records — state filing, EIN, registered agent. Not self-reported. Linked from authoritative sources.
  • MOTUS attestation — yes, the government-verified registration. But as an ATTRIBUTE of the CorpID, not the identity itself. MOTUS says "this entity registered." CorpID says "this entity is here, right now, provably."

    • How It Works in Practice

    Accepting a load: The carrier signs the acceptance with their CorpID. The broker verifies the signature. In milliseconds, the broker knows: this acceptance came from the holder of DOT 12345's private key — not from someone who knows the password, not from someone on the phone, not from someone with a magnetic sign. From the actual keyholder.

    Arriving at a dock: The truck's onboard system signs a presence attestation with the CorpID. The shipper's system verifies: this truck is operated by the entity that holds DOT 12345's private key — not by someone with the right number on the door. (Strictly, a signature proves the key authorized the message. Proving the right truck is physically present means binding that key to the vehicle's hardware and answering a fresh, location-stamped challenge — which is exactly why the key wants to live in the truck's secure controller, not in a copyable file.)

    Submitting for payment: The invoice is signed with the CorpID. The factor or broker verifies: this invoice was submitted by the carrier who accepted and performed the load. Not by someone who intercepted the paperwork.

    Every interaction is a signed transaction. Every signed transaction is verifiable. Every verification builds reputation.

    FIG. 1 — DISPATCH-TIME IDENTITY: SIGN THE CHALLENGE Broker verifies signature pubkey via DNS Carrier holds DOT 12345 key 🔑 private key challenge: 9f3a-c20e signature ✓ the real DOT 12345, right now Not a phone call you can deepfake. Not a sign you can buy. Math.

    MOTUS + CorpID Together

    MOTUS and CorpID are not competitors. They are two layers of the same system.

  • MOTUS answers: "Is this a real company with a real person behind it?" (Registration-time identity)
  • CorpID answers: "Is this the same company, right now, in this transaction?" (Real-time identity)

    • MOTUS is the background check. CorpID is the badge scan at the door. You need both.

    In technical terms: the MOTUS verification becomes a Verifiable Credential issued by FMCSA and attached to the carrier's CorpID. "FMCSA attests that the person behind DOT 12345 was biometrically verified on March 15, 2026." That attestation is one attribute of many in the carrier's digital identity — important, but not sufficient alone.

    Concrete Actions

    For carriers: Get a CorpID. It's a digital wallet — like a company credit card, but for identity instead of money. You hold the private key. You sign transactions. Your reputation accumulates automatically from every verified interaction.

    For brokers: Require CorpID verification at dispatch. Not at onboarding — at dispatch. Every load. Every time. A carrier whose identity is cryptographically verified at every transaction is a carrier whose identity is far harder to steal or impersonate — as strong as that carrier's protection of their key.

    For FMCSA: Extend MOTUS from registration to real-time. Issue Verifiable Credentials that carriers can attach to their CorpIDs. Publish a CorpID standard so the industry has one interoperable identity layer — not fifteen proprietary ones.

    For load boards: Require CorpID signing for load postings and acceptances. A load posted by a verified CorpID cannot be impersonated. A load accepted by a verified CorpID confirms the carrier is who they claim to be. The impersonation attack surface — stolen identities, magnetic-sign spoofing, deepfaked phone calls — shrinks dramatically. (Be precise: identity is not intent. A legitimately verified carrier can still choose to re-broker a load. CorpID closes the "who are you?" gap, not the "what will you do?" gap — but by tying every action to a key, it makes each actor accountable, which is where reputation and enforcement finally get traction.)

    Next: The Digital VIN — A Data Wallet for Every Truck →