Decentralised Identifiers
Good to know: DIDs are a new type of identifier that are not necessary for Verifiable Credentials to be useful, but they are powerful tools when used as personal and organizational identifiers. DIDs are globally unique, resolvable with high availability, and cryptographically verifiable.
Once Verifiable Credentials existed as a trustworthy method for sharing achievements and capabilities, those in the standards community turned their attention to creating Decentralised Identifiers (DIDs). Having a unique identifier based on Public Key Infrastructure (PKI) would allow for issuers, recipients and relying parties to exchange credentials in private.
"When expressing statements about a specific thing, such as a person, product, or organization, it is often useful to use some kind of identifier so that others can express statements about the same thing. This specification defines the optional id property for such identifiers. The id property is intended to unambiguously refer to an object, such as a person, product, or organization. Using the id property allows for the expression of statements about specific things in the verifiable credential." - Verifiable Credentials Data Model v1.0, Section on Identifiers
DIDs are intended as the basis for decentralized Public Key Infrastructure. Despite the tremendous success of SSL (and its successor TLS) as protocols for encrypted Web traffic, these are centralised in hierarchical 'certificate authority' systems. There is extraordinary potential for global cybersecurity and cyberprivacy if identity protocols can become decentralised.
The need for globally unique identifiers that do not require a centralized registration authority is not new, nor is the need to make these identifiers persistent. But decentralisation was a new requirement, and it was suggested (by RWOT co-founder Christopher Allen) that DIDs could be universal if they followed the same basic pattern as URIs and URNs (of which ordinary web URLs are a subtype), with the addition of a method specification.
Supporting this new identity infrastructure would be a decentralised blockchain-based registry of DID names and corresponding DID documents. These DID documents would contain the public key information of the represented individual or organisation and perhaps specific protocols which should be used to establish communications.
Defining how a DID and DID document are created, resolved, and managed on a specific blockchain or 'target system' is the role of a DID method specification. There have been more than 100 DID methods created by various vendors, and this has become a source for much debate in the standards community. The key issue is whether the DID standard should be prescriptive and suggest the best method for each use case, or leave it entirely up to industry to decide.
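As an added illustration of the URI-like pattern described above (the `did:` scheme, a method name, and a method-specific identifier) and of how a DID URL fragment is dereferenced to a public key inside a DID document, here is a small Python parser written for this page; it is not code from the W3C specification or from any DID method implementation, and the DID document and key value it uses are constructed placeholders.

```python
import re
from typing import Optional

# DID grammar from W3C DID Core: did = "did:" method-name ":" method-specific-id
# method-name is lower-case letters/digits; method-specific-id is colon-separated
# groups of idchar (ALPHA / DIGIT / "." / "-" / "_" / pct-encoded).
_IDCHAR = r"(?:[A-Za-z0-9._-]|%[0-9A-Fa-f]{2})"
_DID_RE = re.compile(rf"^did:(?P<method>[a-z0-9]+):(?P<id>(?:{_IDCHAR}*:)*{_IDCHAR}+)$")

def is_valid_did(did: str) -> bool:
    """True when the string matches the DID Core ABNF (no path, query or fragment)."""
    return _DID_RE.match(did) is not None

def parse_did_url(did_url: str) -> dict:
    """Split a DID URL into DID, method, method-specific id, path, query and fragment.
    Raises ValueError if the DID part does not match the grammar."""
    rest, _, fragment = did_url.partition("#")
    rest, _, query = rest.partition("?")
    slash = rest.find("/")  # idchar excludes "/", so the first slash starts the path
    did, path = (rest, "") if slash == -1 else (rest[:slash], rest[slash:])
    m = _DID_RE.match(did)
    if not m:
        raise ValueError(f"not a valid DID: {did!r}")
    return {"did": did, "method": m["method"], "id": m["id"],
            "path": path, "query": query, "fragment": fragment}

# Constructed sample DID document; the DID and key value are placeholders, not real.
SAMPLE_DOC = {
    "@context": "https://www.w3.org/ns/did/v1",
    "id": "did:example:123456789abcdefghi",
    "verificationMethod": [{
        "id": "did:example:123456789abcdefghi#keys-1",
        "type": "Ed25519VerificationKey2020",
        "controller": "did:example:123456789abcdefghi",
        "publicKeyMultibase": "zPLACEHOLDER-not-a-real-key",
    }],
    "authentication": ["did:example:123456789abcdefghi#keys-1"],
}

def dereference(did_document: dict, did_url: str) -> Optional[dict]:
    """Return the verificationMethod entry a DID URL fragment points at, or None.
    A relying party must only accept keys whose DID matches the document subject,
    so a fragment under a different DID is rejected rather than looked up."""
    parts = parse_did_url(did_url)
    if parts["did"] != did_document.get("id"):
        return None
    absolute, relative = parts["did"] + "#" + parts["fragment"], "#" + parts["fragment"]
    for vm in did_document.get("verificationMethod", []):
        if vm.get("id") in (absolute, relative):  # ids may be absolute or relative
            return vm
    return None
```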
As of this writing, a working draft of the W3C DID standard is available online and it is widely implemented by vendors. But it has not yet become a formal standard due to opposition from some participants in the process, specifically Apple, Google and Mozilla. Note that Apple & Google are not only browser vendors but (along with Facebook) are operators of the 'siren servers' which perform most online identification today.