Copyright © 2019 the Contributors to the Decentralized Identifiers (DIDs) v0.11 Specification, published by the Credentials Community Group under the W3C Community Contributor License Agreement (CLA). A human-readable summary is available.
Decentralized Identifiers (DIDs) are a new type of identifier for verifiable, "self-sovereign" digital identity. DIDs are fully under the control of the DID subject, independent from any centralized registry, identity provider, or certificate authority. DIDs are URLs that relate a DID subject to means for trustable interactions with that subject. DIDs resolve to DID Documents — simple documents that describe how to use that specific DID. Each DID Document may contain at least three things: proof purposes, verification methods, and service endpoints. Proof purposes are combined with verification methods to provide mechanisms for proving things. For example, a DID Document can specify that a particular verification method, such as a cryptographic public key or pseudonymous biometric protocol, can be used to verify a proof that was created for the purpose of authentication. Service endpoints enable trusted interactions with the DID controller.
This document specifies a common data model, format, and operations that all DIDs support.
This specification was published by the Credentials Community Group. It is not a W3C Standard nor is it on the W3C Standards Track. Please note that under the W3C Community Contributor License Agreement (CLA) there is a limited opt-out and other conditions apply. Learn more about W3C Community and Business Groups.
Comments regarding this document are welcome. Please file issues directly on GitHub, or send them to public-credentials@w3.org ( subscribe, archives).
Portions of the work on this specification have been funded by the United States Department of Homeland Security's Science and Technology Directorate under contracts HSHQDC-16-R00012-H-SB2016-1-002 and HSHQDC-17-C-00019. The content of this specification does not necessarily reflect the position or the policy of the U.S. Government and no official endorsement should be inferred.
Work on this specification has also been supported by the Rebooting the Web of Trust community facilitated by Christopher Allen, Shannon Appelcline, Kiara Robles, Brian Weller, Betty Dhamers, Kaliya Young, Kim Hamilton Duffy, Manu Sporny, Drummond Reed, Joe Andrieu, and Heather Vescent.
If you wish to make comments regarding this document, please send them to public-credentials@w3.org (subscribe, archives).
This section is non-normative.
Conventional identity management systems are based on centralized authorities such as corporate directory services, certificate authorities, or domain name registries. From the standpoint of cryptographic trust verification, each of these centralized authorities serves as its own root of trust. To make identity management work across these systems requires implementing federated identity management.
The emergence of distributed ledger technology (DLT), sometimes referred to as blockchain technology, provides the opportunity for fully decentralized identity management. In a decentralized identity system, entities are free to use any shared root of trust. Globally distributed ledgers (or a decentralized P2P network that provides similar capabilities) provide a means for managing a root of trust with neither centralized authority nor a single point of failure. In combination, DLTs and decentralized identity systems enable any entity to create and manage their own identifiers on any number of distributed, independent roots of trust.
The entities are identified by decentralized identifiers (DIDs). They may authenticate via proofs (e.g., digital signatures, privacy-preserving biometric protocols, etc.). DIDs point to DID Documents. A DID Document contains a set of service endpoints for interacting with the entity. Following the dictums of Privacy by Design, each entity may have as many DIDs as necessary, to respect the entity’s desired separation of identities, personas, and contexts.
To use a DID with a particular distributed ledger or network requires defining a DID method in a separate DID method specification. A DID method specifies the set of rules for how a DID is registered, resolved, updated, and revoked on that specific ledger or network.
This design eliminates dependence on centralized registries for identifiers as well as centralized certificate authorities for key management—the standard pattern in hierarchical PKI (public key infrastructure). Because DIDs reside on a distributed ledger, each entity may serve as its own root authority—an architecture referred to as DPKI (decentralized PKI).
Note that DID methods may also be developed for identifiers registered in federated or centralized identity management systems. For their part, all types of identifier systems may add support for DIDs. This creates an interoperability bridge between the worlds of centralized, federated, and decentralized identifiers.
The growing need for decentralized identifiers has produced two specific requirements for a new type of URL that still fits Web Architecture and has a few additional requirements that more traditional URLs, like HTTP-based URLs, do not have:
DIDs achieve global uniqueness without the need for a central registration authority. This comes, however, at the cost of human memorability. The algorithms capable of generating globally unique identifiers automatically produce random strings of characters that have no human meaning. This demonstrates the axiom about identifiers known as Zooko's Triangle: "human-meaningful, decentralized, secure—pick any two".
There are of course many use cases where it is desirable to discover a DID when starting from a human-friendly identifier—a natural language name, a domain name, or a conventional address for a DID controller such as a mobile telephone number, email address, Twitter handle, or blog URL. However, the problem of mapping human-friendly identifiers to DIDs (and doing so in a way that can be verified and trusted) is out-of-scope for this specification.
Solutions to this problem (and there are many) should be defined in separate specifications that reference this specification. It is strongly recommended that such specifications carefully consider: (a) the numerous security attacks based on deceiving users about the true human-friendly identifier for a target entity, and (b) the privacy consequences of using human-friendly identifiers that are inherently correlatable, especially if they are globally unique.
The first purpose of this specification is to define the generic DID scheme and a generic set of operations on DIDs that can be implemented for any distributed ledger or network capable of supporting DIDs. The second purpose of this specification is to define the conformance requirements for a DID method specification—a separate specification that defines a specific DID scheme and specific set of DID record operations for a specific distributed ledger or network.
Conceptually, the relationship of this specification and a DID method specification is similar to the relationship of the IETF generic URI specification ([RFC3986]) and a specific URI scheme ([IANA-URI-SCHEMES] (such as the http: and https: schemes specified in [RFC7230]). It is also similar to the relationship of the IETF generic URN specification ([RFC8141]) and a specific URN namespace definition (such as the UUID URN namespace defined in [RFC4122]). The difference is that a DID method specification, in addition to defining a specific DID scheme, must also specify the methods for reading, writing, and revoking DID records on the network for which it is written.
For a list of DID Methods and their corresponding specifications, see the DID Method Registry [DID-METHOD-REGISTRY].
This section summarizes the design goals and principles of DID architecture.
Goal | Description |
---|---|
Decentralization | DID architecture should eliminate the requirement for centralized authorities or single points of failure in identifier management, including the registration of globally unique identifiers, public verification keys, service endpoints, and other metadata. |
Self‑Sovereignty | DID architecture should give entities, both human and non-human, the power to directly own and control their digital identifiers without the need to rely on external authorities. |
Privacy | DID architecture should enable entities to control the privacy of their information, including minimal, selective, and progressive disclosure of attributes or other data. |
Security | DID architecture should enable sufficient security for relying parties to depend on DID Documents for their required level of assurance. |
Proof-based | DID architecture should enable an entity to provide cryptographic proof of authentication and proof of authorization rights. |
Discoverability | DID architecture should make it possible for entities to discover DIDs for other entities to learn more about or interact with those entities. |
Interoperability | DID architecture should use interoperable standards so DID infrastructure can make use of existing tools and software libraries designed for interoperability. |
Portability | DID architecture should be system and network-independent and enable entities to use their digital identifiers with any system that supports DIDs and DID Methods. |
Simplicity | To meet these design goals, DID architecture should be (to paraphrase Albert Einstein) "as simple as possible but no simpler". |
Extensibility | When possible, DID architecture should enable extensibility provided it does not greatly hinder interoperability, portability, or simplicity. |
This section is non-normative.
This is a simple example of a DID:
did:example:123456789abcdefghi
Following is an example of a DID Document that describes the DID above. This example assumes that the entity that controls the private keys for this identifier is authoritative for the DID Document.
{ "@context": "https://w3id.org/did/v1", "id": "did:example:123456789abcdefghi", "authentication": [{ // this key can be used to authenticate as did:...fghi "id": "did:example:123456789abcdefghi#keys-1", "type": "RsaVerificationKey2018", "controller": "did:example:123456789abcdefghi", "publicKeyPem": "-----BEGIN PUBLIC KEY...END PUBLIC KEY-----\r\n" }], "service": [{ "id": "did:example:123456789abcdefghi#service123", "type": "ExampleService", "serviceEndpoint": "https://example.com/endpoint/8377464" }] }
This section is non-normative.
This document attempts to communicate the concepts outlined in the Decentralized Identifier space by using specialized terms to discuss specific concepts. This terminology is included below and linked to throughout the document to aid the reader:
DIDs have a foundation in URLs, so it's important to understand how the W3C clarified the terms URI (Uniform Resource Identifier, [RFC3986]), [URL] (Uniform Resource Locator), and URN (Uniform Resource Name, [RFC8141]) in September 2001. The key difference between these three categories of identifiers are:
This specification is dependent on a number of base specifications. The dependencies and their purpose are listed below.
The concept of a globally unique decentralized identifier is not new; Universally Unique Identifiers (UUIDs) were first developed in the 1980s and later became a standard feature of the Open Software Foundation’s Distributed Computing Environment. UUIDs achieve global uniqueness without a centralized registry service by using an algorithm that generates 128-bit values with sufficient entropy that the chance of collision are infinitesimally small. UUIDs are formally specified in [RFC4122] as a specific type of Unified Resource Name (URN).
A DID is similar to a UUID except: (a) like a URL, it can be resolved or dereferenced to a standard resource describing the entity (a DID Document—see Section § 4.3 DID Documents), and (b) unlike a URL, the DID Document typically contains cryptographic material that enables authentication of an entity associated with the DID.
The generic DID scheme is a URI scheme conformant with [RFC3986]. It consists of a DID method name, followed by a method-specific identifier. The term DID refers only to the identifier conforming to the did rule in the ABNF below. Additionally, a DID can be used as a component in a DID Reference, described in the DID Reference section below.
The following is the ABNF definition using the syntax in [RFC5234]
which defines ALPHA
and DIGIT
.
did = "did:" method ":" method-specific-idstring method = 1*methodchar methodchar = %x61-7A / DIGIT method-specific-idstring = idstring *( ":" idstring ) idstring = 1*idchar idchar = ALPHA / DIGIT / "." / "-"
DID References are used for two main purposes: to refer to sections inside a DID Document (via DID Fragments), and as a portable way to refer to Service Endpoint resources, queries, and fragments.
did-reference = did (did-fragment-reference / did-service-reference) did-fragment-reference = "#" did-fragment did-service-reference = ";" service-id [ "/" service-path ] [ "?" service-query ] [ "#" service-fragment ] service-id = ALPHA / DIGIT / "." / "-" / "_"
A generic DID fragment (the did-fragment
rule in Section
§ 4.2 DID Reference) is identical to a URI
fragment and MUST conform to the ABNF of the fragment ABNF rule in
[RFC3986]. A DID fragment MUST be used only as a method-independent
pointer into the DID Document to identify a unique key description or
other DID Document component. To resolve this pointer, the complete
DID reference including the DID fragment MUST be used as the value of
the id key for the target JSON object.
A specific DID scheme MAY specify ABNF rules for DID fragments that are more restrictive than the generic rules in this section.
It is desirable that we enable tree-based processing of DIDs that include DID fragments (which resolve directly within the DID document) to locate metadata contained directly in the DID document or the service resource given by the target URL without needing to rely on graph-based processing.
Implementations SHOULD NOT prevent the use of JSON pointers ([RFC6901]).
A DID Reference service path (the service-path
rule in Section
§ 4.2 DID Reference) is
identical to a URI path and MUST conform to the ABNF of the path-rootless ABNF
rule in [RFC3986]. The path is used to address resources available via a DID
service endpoint. See Section § 4.3.6 Service Endpoints.
A specific DID scheme MAY specify ABNF rules for DID Reference service paths that are more restrictive than the generic rules in this section.
The DID Reference service query and service fragment
(the service-query
and service-fragment
rules
in Section § 4.2 DID Reference) parts are
identical to their URI counterparts and MUST conform to the ABNF of the query
and fragment rules in [RFC3986].
For the broadest interoperability, DID normalization should be as simple and universal as possible. Therefore:
method-specific-idstring
rule in Section
§ 4.1 The Generic DID Scheme MUST be defined by the governing DID method specification.
A DID MUST be persistent and immutable, i.e., bound to an entity once and never changed (forever).
Ideally a DID would be a completely abstract decentralized identifier (like a UUID) that could be bound to multiple underlying distributed ledgers or networks over time, thus maintaining its persistence independent of any particular ledger or network. However registering the same identifier on multiple ledgers or networks introduces extremely hard entityship and start-of-authority (SOA) problems. It also greatly increases implementation complexity for developers.
To avoid these issues, it is RECOMMENDED that DID method specifications only produce DIDs and DID methods bound to strong, stable ledgers or networks capable of making the highest level of commitment to persistence of the DID and DID method over time.
Although not included in this version, future versions of this specification may support a DID Document equivID property to establish verifiable equivalence relations between DID records representing the same entity on multiple ledgers or networks. Such equivalence relations can produce the practical equivalent of a single persistent abstract DID. See Future Work (Section § 4.8 Future Work).
If a DID is the index key in a key-value pair, then the DID Document is the value to which the index key points. The combination of a DID and its associated DID Document forms the root record for a decentralized identifier.
A DID Document MUST be a single JSON object conforming to [RFC7159]. For purposes of this version of the DID specification, the format of this JSON object is specified in JSON-LD, a format for mapping JSON data into the RDF semantic graph model as defined by [JSON-LD]. Future versions of this specification MAY specify other semantic graph formats for a DID Document such as JXD (JSON XDI Data), a serialization format for the XDI graph model.
The following sections define the properties of this JSON object, including whether these properties are required or optional.
JSON objects in JSON-LD format must include a JSON-LD context statement. The rules for this statement are:
@context
.
https://w3id.org/did/v1
.
Example (using an example URL):
{ "@context": "https://w3id.org/did/v1" }
DID method specifications MAY define their own JSON-LD contexts. However it is NOT RECOMMENDED to define a new context unless necessary to properly implement the method. Method-specific contexts MUST NOT override the terms defined in the generic DID context.
The DID subject is the identifier that the DID Document is about, i.e., it is the DID described by DID Document. The rules for a DID subject are:
Example:
{ "id": "did:example:21tDAKCERh95uGgKbJNHYp" }
DID Method specifications MAY create intermediate representations of
a DID Document that do not contain the id
key, such as
when a DID Resolver is performing resolution. However, the fully
resolved DID Document MUST contain a valid id
property.
Public keys are used for digital signatures, encryption and other cryptographic operations, which in turn are the basis for purposes such as authentication (see Section § 4.3.4 Authentication) or establishing secure communication with service endpoints (see Section § 4.3.6 Service Endpoints). In addition, public keys may play a role in authorization mechanisms of DID CRUD operations (see Section § 4.4.2 DID Operations). This may be defined by DID Method specifications.
If a public key does not exist in the DID Document, it MUST be assumed the key has been revoked or is invalid. The DID Document MAY contain revoked keys. A DID Document that contains a revoked key MUST also contain or refer to the revocation information for the key (e.g., a revocation list). Each DID Method specification is expected to detail how revocation is performed and tracked.
The rules for public keys are:
publicKey
property.
publicKey
property MUST be an array of
public keys.
id
and type
properties, and exactly one value property. The array of public keys
SHOULD NOT contain duplicate entries with the same id
and
different value properties with different formats.
controller
property, which
identifies the entity that controls the corresponding private key.
publicKeyPem
, publicKeyJwk
,
publicKeyHex
, publicKeyBase64
,
publicKeyBase58
, publicKeyMultibase
, depending
on the format and encoding of the public key.
Example:
{ "@context": ["https://w3id.org/did/v1", "https://w3id.org/security/v1"], "id": "did:example:123456789abcdefghi", ... "publicKey": [{ "id": "did:example:123456789abcdefghi#keys-1", "type": "RsaVerificationKey2018", "controller": "did:example:123456789abcdefghi", "publicKeyPem": "-----BEGIN PUBLIC KEY...END PUBLIC KEY-----\r\n" }, { "id": "did:example:123456789abcdefghi#keys-2", "type": "Ed25519VerificationKey2018", "controller": "did:example:pqrstuvwxyz0987654321", "publicKeyBase58": "H3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV" }, { "id": "did:example:123456789abcdefghi#keys-3", "type": "Secp256k1VerificationKey2018", "controller": "did:example:123456789abcdefghi", "publicKeyHex": "02b97c30de767f084ce3080168ee293053ba33b235d7116a3263d29f1450936b71" }], ... }
A key may be embedded or referenced in a DID
Document. For example, the authentication
property
may refer to keys in both ways:
{ ... "authentication": [ // this key is referenced, it may be used for more than one proof purpose "did:example:123456789abcdefghi#keys-1", // this key is embedded and may *only* be used for authentication { "id": "did:example:123456789abcdefghi#keys-2", "type": "Ed25519VerificationKey2018", "controller": "did:example:123456789abcdefghi", "publicKeyBase58": "H3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV" } ], ... }
The algorithm to use when processing a publicKey
property in a DID Document is:
publicKey
property and initialize result to
null
.
publicKey
properties associated with the URL (e.g., process the
publicKey
property at the top-level of the
dereferenced document).
id
property of the object matches
value, set result to the object.
id
,
type
, and controller
properties as well as any
mandatory public cryptographic material, as determined by the
result's type
property, throw an error.
While the controller
field may seem redundant in some of the
examples above, keys may be expressed in a DID Document where the
controller is described in another DID Document. Linked Data Proof
libraries typically expect the controller
field to always
exist and may throw an exception if it is missing. Futhermore, per
the requirement that DID Documents be interpretable as either a graph
or a tree, a default controller
field cannot be inferred by
using a key's position in a tree.
Caching and expiration of the keys in a DID Document is entirely the responsibility of DID resolvers and other clients. See Section § 4.5 DID Resolvers.
Authentication is the mechanism by which an entity can cryptographically prove that they are associated with a DID and DID Description. See Section § 4.6.2 Binding of Identity. Note that Authentication is separate from Authorization because an entity may wish to enable other entities to update the DID Document (for example, to assist with key recovery as discussed in Section § 4.6.7 Key Revocation and Recovery) without enabling them to prove control (and thus be able to impersonate the entity).
The rules for Authentication are:
authentication
property.
authentication
property should be
an array of verification methods.
Example:
{ "@context": "https://w3id.org/did/v1", "id": "did:example:123456789abcdefghi", ... "authentication": [ // this method can be used to authenticate as did:...fghi "did:example:123456789abcdefghi#keys-1", // this method can be used to authenticate as did:...fghi "did:example:123456789abcdefghi#biometric-1", // this method is *only* authorized for authentication, it may not // be used for any other proof purpose, so its full description is // embedded here rather than using only a reference { "id": "did:example:123456789abcdefghi#keys-2", "type": "Ed25519VerificationKey2018", "controller": "did:example:123456789abcdefghi", "publicKeyBase58": "H3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV" } ], ... }
In addition to publication of authentication and authorization mechanisms, the other primary purpose of a DID Document is to enable discovery of service endpoints for the entity. A service endpoint may represent any type of service the entity wishes to advertise, including decentralized identity management services for further discovery, authentication, authorization, or interaction. The rules for service endpoints are:
service
property.
service
property should be an array
of service endpoints.
id
,
type
, and serviceEndpoint
properties, and
MAY include additional properties.
serviceEndpoint
property MUST be a
JSON-LD object or a valid URI conforming to [RFC3986] and
normalized according to the rules in section 6 of [RFC3986] and to
any normalization rules in its applicable URI scheme specification.
Example:
{ "service": [{ "id": "did:example:123456789abcdefghi#openid", "type": "OpenIdConnectVersion1.0Service", "serviceEndpoint": "https://openid.example.com/" }, { "id": "did:example:123456789abcdefghi#vcr", "type": "CredentialRepositoryService", "serviceEndpoint": "https://repository.example.com/service/8377464" }, { "id": "did:example:123456789abcdefghi#xdi", "type": "XdiService", "serviceEndpoint": "https://xdi.example.com/8377464" }, { "id": "did:example:123456789abcdefghi#agent", "type": "AgentService", "serviceEndpoint": "https://agent.example.com/8377464" }, { "id": "did:example:123456789abcdefghi#hub", "type": "HubService", "serviceEndpoint": "https://hub.example.com/.identity/did:example:0123456789abcdef/" }, { "id": "did:example:123456789abcdefghi#messages", "type": "MessagingService", "serviceEndpoint": "https://example.com/messages/8377464" }, { "id": "did:example:123456789abcdefghi#inbox", "type": "SocialWebInboxService", "serviceEndpoint": "https://social.example.com/83hfh37dj", "description": "My public social inbox", "spamCost": { "amount": "0.50", "currency": "USD" } }, { "id": "did:example:123456789abcdefghi#authpush", "type": "DidAuthPushModeVersion1", "serviceEndpoint": "http://auth.example.com/did:example:123456789abcdefg" }] }
See Sections § 4.4.1 DID Method Schemes and § 4.3.4 Authentication for further security considerations regarding authentication service endpoints.
Standard metadata for identifier records includes a timestamp of the original creation. The rules for including a creation timestamp are:
Example:
{ "created": "2002-10-10T17:00:00Z" }
Standard metadata for identifier records includes a timestamp of the most recent change. The rules for including an updated timestamp are:
Example:
{ "updated": "2016-10-17T02:41:00Z" }
A proof
on a DID Document is cryptographic proof of the
integrity of the DID Document according to either:
This proof is NOT proof of the binding between a DID and a DID Document. See Section § 4.6.2 Binding of Identity. The rules for a proof are:
proof
.
Example:
{ "proof": { "type": "LinkedDataSignature2015", "created": "2016-02-08T16:02:20Z", "creator": "did:example:8uQhQMGzWxR8vw5P3UWH1ja#keys-1", "signatureValue": "QNB13Y7Q9...1tzjn4w==" } }
One of the goals of the Decentralized Identifiers Data Model is to enable permissionless innovation. This requires that the data model is extensible in a number of different ways:
This approach to data modeling is often called an "open world assumption", meaning that any entity can say anything about any other entity. This approach often feels in conflict with building simple and predictable software systems. Balancing extensibility with program correctness is always more challenging with an open world assumption than it is with closed software systems.
The rest of this section describes how both extensibility and program correctness are achieved through a series of examples.
Let us assume that we start with the following DID Document:
{ "@context": "https://example.org/example-method/v1", "id": "did:example:123456789abcdefghi", "publicKey": [{ ... }], "authentication": [{ ... }], "service": [{ ... }] }
The contents of the publicKey
,
authentication
, and service
properties are
not important for the purposes of this section. What is important is
that the object above is a valid DID Document. Let's assume
that a developer wanted to extend the DID Document to express
an additional piece of information: the subject's public photo
stream.
The first thing that a developer would do is create a JSON-LD Context containing the new term:
{ "@context": { "PhotoStreamService": "https://example.com/vocab#PhotoStreamService" } }
Now that the JSON-LD Context has been created, the developer MUST
publish it somewhere that is accessible to any DID Document
processor. For this example, let us assume that the JSON-LD Context
above is published in the decentralized ledger at the following URL:
did:example:contexts:987654321
. At this point, extending
the first example in this section is a simple matter of including the
context above and adding the new property to the DID Document.
{
"@context": "https://example.org/example-method/v1",
"id": "did:example:123456789abcdefghi",
"authentication": [ ... ],
"service": [{
"@context": "did:example:contexts:987654321",
"id": "did:example:123456789abcdefghi#photos",
"type": "PhotoStreamService",
"serviceEndpoint": "https://example.org/photos/379283"
}]
}
The examples so far have shown that it is easy to extend the Decentralized Identifiers Data Model in a permissionless and decentralized way. The mechanism also ensures that Decentralized Identifiers created in this way prevent namespace conflicts and semantic ambiguity.
An extensibility model that is this dynamic does increase implementation burden. Software written for such a system will have to determine if accepting DID Documents with extensions is acceptable based on the risk profile of the application. Some applications may choose to accept but ignore extensions, others may choose to only accept certain extensions, while highly secure environments may disallow extensions. These decisions are up to the application developers and are specifically not the domain of this specification.
Implementations MUST produce an error when an extension JSON-LD
Context overrides the expanded URL for a term specified in this
specification. To avoid the possibility of accidentally overriding
terms, developers are urged to scope their extensions. For example,
the following extension scopes the new
PhotoStreamService
term so that it may only be used
within the service
property:
{
"@context": {
"service": {
"@id": "https://w3id.org/did#service",
"@context": {
"PhotoStreamService": "https://example.com/vocab#PhotoStreamService"
}
}
}
}
Developers are urged to ensure that extension JSON-LD Contexts are highly available. Implementations that cannot fetch a context will produce an error. Strategies for ensuring that extension JSON-LD Contexts are always available include using content-addressed URLs for contexts, bundling context documents with implementations, or enabling aggressive caching of contexts.
A DID method specification MUST define exactly one specific DID
scheme identified by exactly one method name (the method
rule in
Section § 4.1 The Generic DID Scheme). Since DIDs are
intended for decentralized identity infrastructure, it is NOT RECOMMENDED to establish a registry of unique DID method names.
Rather the uniqueness of DID method names should be established via
human consensus, i.e., a specific DID scheme MUST use a method name
that is unique among all DID method names known to the specification
authors at the time of publication.
A list of known DID method names and their associated specifications is provided in Appendix § 4.9 Registries.
Since the method name is part of the DID, it SHOULD be as short as practical. A method name of five characters or less is RECOMMENDED. The method name MAY reflect the name of the distributed ledger or network to which the DID method specification applies.
The DID method specification for the specific DID scheme MUST specify
how to generate the method-specific-idstring
component of a DID. The
method-specific-idstring
value MUST be able to be generated without
the use of a centralized registry service. The
method-specific-idstring
value SHOULD be globally unique by itself.
The DID as defined by the did
rule in Section
§ 4.1 The Generic DID Scheme MUST be globally unique.
If needed, a specific DID scheme MAY define multiple
method-specific-idstring
formats. It is RECOMMENDED that a specific
DID scheme define as few method-specific-idstring
formats as
possible.
To enable the full functionality of DIDs and DID Documents on a particular distributed ledger or network (called the target system), a DID method specification MUST specify how each of the following CRUD operations is performed by a client. Each operation MUST be specified to the level of detail necessary to build and test interoperable client implementations with the target system. Note that, due to the specified contents of DID Documents, these operations can effectively be used to perform all the operations required of a CKMS (cryptographic key management system), e.g.:
The DID method specification MUST specify how a client creates a DID record—the combination of a DID and its associated DID Document—on the target system, including all cryptographic operations necessary to establish proof of control.
The DID method specification MUST specify how a client uses a DID to request a DID Document from the target system, including how the client can verify the authenticity of the response.
The DID method specification MUST specify how a client can update a DID record on the target system, including all cryptographic operations necessary to establish proof of control.
Although a core feature of distributed ledgers is immutability, the DID method specification MUST specify how a client can revoke a DID record on the target system, including all cryptographic operations necessary to establish proof of revocation.
A DID resolver is a software component with an API designed to accept requests for DID lookups and execute the corresponding DID method to retrieve the authoritative DID Document. To be conformant with this specification, a DID resolver:
This section is non-normative.
NOTE TO IMPLEMENTERS: During the Implementer’s Draft stage, this section focuses on security topics that should be important in early implementations. The editors are also seeking feedback on threats and threat mitigations that should be reflected in this section or elsewhere in the spec. As the root identifier records for decentralized identifiers, DIDs and DID Documents are a vital component of decentralized identity management. They are also the foundational building blocks of DPKI (decentralized public key infrastructure) as an augmentation to conventional X.509 certificates. As such, DIDs are designed to operate under the general Internet threat model used by many IETF standards. We assume uncompromised endpoints, but allow messages to be read or corrupted on the network. Protecting against an attack when a system is compromised requires external key-signing hardware. See also section § 4.6.7 Key Revocation and Recovery regarding key revocation and recovery. For their part, the DLTs hosting DIDs and DID Documents have special security properties for preventing active attacks. Their design uses public/private key cryptography to allow operation on passively monitored networks without risking compromise of private keys. This is what makes DID architecture and decentralized identity possible.
Discussions at Rebooting the Web of Trust 5 resulted in consensus to move Authorization to DID Method specifications. It is currently expected that there will be an attempt to create a generalized authorization mechanism that is build on object capabilities.
At least the following forms of attack MUST be considered: eavesdropping, replay, message insertion, deletion, modification, and man-in-the-middle. Potential denial of service attacks MUST be identified as well. If the protocol incorporates cryptographic protection mechanisms, it should be clearly indicated which portions of the data are protected and what the protections are (i.e., integrity only, confidentiality, and/or endpoint authentication, etc.). Some indication should also be given to what sorts of attacks the cryptographic protection is susceptible. Data which should be held secret (keying material, random seeds, etc.) should be clearly labeled. If the technology involves authentication, particularly user-host authentication, the security of the authentication method MUST be clearly specified.
Signatures are one method to allow DID Documents to be cryptographically verifiable.
By itself, a verified signature on a self-signed DID Document does not prove control of a DID. It only proves the following:
Proving control of a DID, i.e., the binding between the DID and the DID Document that describes it, requires a two step process:
It should be noted that this process proves control of a DID and DID Document regardless of whether the DID Document is signed.
Signatures on DID Documents are optional. DID Method Specs SHOULD explain and specify their implementation if applicable.
It is RECOMMENDED to combine timestamps with signatures.
There are two methods for proving control of the private key corresponding to a public key description in the DID Document: static and dynamic. The static method is to sign the DID Document with the private key. This proves control of the private key at a time no later than the DID Document was registered. If the DID Document is not signed, control of a public key described in the DID Document may still be proven dynamically as follows:
A DID and DID Document do not inherently carry any PII (personally-identifiable information). The process of binding a DID to a real-world entity such as a person or company, for example with credentials whose subject is that DID, is out of scope for this specification. However this topic is the focus of the verifiable claims standardization work at the W3C (where the term "DID" originated).
If a DID Document publishes a service endpoint intended for authentication or authorization of an entity (section § 4.3.6 Service Endpoints), it is the responsibility of the service endpoint provider, entity, and/or relying party to comply with the requirements of the authentication protocol(s) supported at that service endpoint.
Non-repudiation of DIDs and DID Document updates is supported under the assumption that: (1) the entity is monitoring for unauthorized updates (see Section § 4.6.5 Notification of DID Document Changes) and (2) the entity has had adequate opportunity to revoke malicious updates according to the DID method's access control mechanism (section § 4.3.4 Authentication). This capability is further supported if timestamps are included (sections § 4.3.7 Created (Optional) and § 4.3.8 Updated (Optional)) and the target DLT system supports timestamps.
One mitigation against unauthorized changes to a DID Document is monitoring and actively notifying the entity when there are changes. This is analogous to helping prevent account takeover on conventional username/password accounts by sending password reset notifications to the email addresses on file. In the case of a DID, where there is no intermediary registrar or account provider to generate the notification, the following approaches are RECOMMENDED:
In a decentralized identifier architecture, there are no centralized authorities to enforce key or signature expiration policies. Therefore DID resolvers and other client applications SHOULD validate that keys were not expired at the time they were used. Since some use cases may have legitimate reasons why already-expired keys can be extended, a key expiration SHOULD NOT prevent any further use of the key, and implementations of a resolver SHOULD be compatible with such extension behavior.
Section § 4.4.2 DID Operations specifies the DID operations that must be supported by a DID method specification, including revocation of a DID Document by replacing it with an updated DID Document. In general, checking for key revocation on DLT-based methods is expected to be handled in a manner similar to checking the balance of a cryptocurrency account on a distributed ledger: if the balance is empty, the entire DID is revoked. DID method specifications SHOULD enable support for a quorum of trusted parties to enable key recovery. Some of the facilities to do so are suggested in section 6.5, Authorization. Note that not all DID method specifications will recognize control from DIDs registered using other DID methods and they MAY restrict third-party control to DIDs that use the same method. Access control and key recovery in a DID method specification MAY also include a time lock feature to protect against key compromise by maintaining a second track of control for recovery. Further specification of this type of control is a matter for future work (see section § 4.8.4 Time Locks and DID Document Recovery).
This section is non-normative.
It is critically important to apply the principles of Privacy by Design to all aspects of decentralized identifier architecture, because DIDs and DID Documents are—by design—administered directly by their controllers. There is no registrar, hosting company, or other intermediate service provider to recommend or apply additional privacy safeguards. The authors of this specification have applied all seven Privacy by Design principles throughout its development. For example, privacy in this specification is preventative not remedial, and privacy is an embedded default. Furthermore, decentralized identifier architecture by itself embodies principle #7, "Respect for user privacy—keep it user-centric." This section lists additional privacy considerations that implementers, delegates, and entities should bear in mind.
If a DID method specification is written for a public ledger or network where all DIDs and DID Documents will be publicly available, it is STRONGLY RECOMMENDED that DID Documents contain no PII. All PII should be kept off-ledger behind service endpoints under the control of the entity. With this privacy architecture, PII may be exchanged on a private, peer-to-peer basis using communications channels identified and secured by key descriptions in DID records. This also enables entities and relying parties to implement the GDPR right to be forgotten, as no PII will be written to an immutable ledger.
Like any type of globally unique identifier, DIDs may be used for correlation. DID controllers can mitigate this privacy risk by using pairwise unique DIDs, i.e., by sharing a different private DID for every relationship. In effect, each DID acts as a pseudonym. A pseudonymous DID need only be shared with more than one party when the entity explicitly authorizes correlation between those parties. If pseudonymous DIDs are the default, then the only need for a public DID—a DID published openly or shared with a large number of parties—is when the entity explicitly desires public identification.
The anti-correlation protections of pseudonymous DIDs are easily defeated if the data in the corresponding DID Documents can be correlated. For example, using same public key descriptions or bespoke service endpoints in multiple DID Documents can provide as much correlation information as using the same DID. Therefore the DID Document for a pseudonymous DID SHOULD also use pairwise-unique public keys. It might seem natural to also use pairwise-unique service endpoints in the DID Document for a pseudonymous DID. However, unique endpoints allow all traffic between to DIDs to be isolated perfectly into unique buckets, where timing correlation and similar analysis is easy. Therefore, a better strategy for endpoint privacy may be to share an endpoint among thousands or millions of DIDs owned by many different entities.
When an entity is indistinguishable from others in the herd, privacy is available. When the act of engaging privately with another party is by itself a recognizable flag, privacy is greatly diminished. DIDs and DID methods SHOULD work to improve herd privacy, particularly for those who legitimately need it most. Choose technologies and human interfaces that default to preserving anonymity and pseudonymity. In order to reduce digital fingerprints, share common settings across client implementations, keep negotiated options to a minimum on wire protocols, use encrypted transport layers, and pad messages to standard lengths.
This section is non-normative.
The current specification does not take a position on maximum length of a DID. The maximum interoperable URL length is currently about 2K characters. QR codes can handle about 4K characters. Clients using DIDs will be responsible for storing many DIDs, and some methods would be able to externalize some of their costs onto clients by relying on more complicated signature schemes or by adding state into DIDs intended for temporary use. A future version of this specification should set reasonable limits on DID character length to minimize externalities.
Including an equivalence property, such as equivID, in DID Documents whose value is an array of DIDs would allow entities to assert two or more DIDs that represent the same entity. This capability has numerous uses, including supporting migration between ledgers and providing forward compatibility of existing DIDs to future DLTs. In theory, equivalent DIDs should have the same identifier rights, allowing verifiable claims made against one DID to apply to equivalent DIDs. Equivalence was not included in the current specification due to the complexity of verifying equivalence across different DLTs and different DID methods, and also of aggregating properties of equivalent DID Documents. However equivalence should be supported in a future version of this specification.
Verifiable timestamps have significant utility for identifier records. This is a good fit for DLTs, since most offer some type of timestamp mechanism. Despite some transactional cost, they are the most censorship-resistant transaction ordering systems in the world, so they are nearly ideal for DID Document timestamping. In some cases a DLT's immediate timing is approximate, however their sense of "median time past" (see Bitcoin BIP 113) can be precisely defined. A generic DID Document timestamping mechanism could would work across all DLTs and might operate via a mechanism including either individual transactions or transaction batches. The generic mechanism was deemed out of scope for this version, although it may be included in a future version of this specification.
Section § 4.6.7 Key Revocation and Recovery mentions one possible clever use of time locks to recover control of a DID after a key compromise. The technique relies on an ability to override the most recent update to a DID Document with Authorization applied by an earlier version of the DID Document in order to defeat the attacker. This protection depends on adding a time lock (see Bitcoin BIP 65) to protect part of the transaction chain, enabling a Authorization block to be used to recover control. We plan to add support for time locks in a future version of this specification.
Not all DLTs can support the Authorization logic in section 6.5. Therefore, in this version of the specification, all Authorization logic must be delegated to DID method specifications. A potential future solution is a Smart Signature specification that specifies the code any conformant DLT may implement to process signature control logic.
Although DIDs and DID Documents form a foundation for decentralized identity, they are only the first step in describing an entity. The rest of the descriptive power comes through collecting and selectively using verifiable claims. Future versions of the specification will describe in more detail how DIDs and DID Document can be integrated with—and help enable—the verifiable claims ecosystem.
This version of the specification relies on JSON-LD and the RDF graph model for expressing a DID Document. Future versions of this specification MAY specify other semantic graph formats for a DID Document, such as JXD (JSON XDI Data), a serialization format for the XDI graph model as defined by the OASIS XDI Core 1.0 specification.
There are multiple registries that define DID Methods and extensions to this specification. These registries are:
Registry | Purpose |
---|---|
DID Method Registry | Defines all known DID Methods and contains links to their specifications. |
Linked Data Cryptography Suite Registry | Defines all known Linked Data Cryptography Suites and Key Formats. |
A future-facing real-world context is provided below:
{ "@context": "https://w3id.org/future-method/v1", "id": "did:example:123456789abcdefghi", "publicKey": [{ "id": "did:example:123456789abcdefghi#keys-1", "type": "RsaVerificationKey2018", "controller": "did:example:123456789abcdefghi", "publicKeyPem": "-----BEGIN PUBLIC KEY...END PUBLIC KEY-----\r\n" }, { "id": "did:example:123456789abcdefghi#keys-3", "type": "Ieee2410VerificationKey2018", "controller": "did:example:123456789abcdefghi", "publicKeyPem": "-----BEGIN PUBLIC KEY...END PUBLIC KEY-----\r\n" }], "authentication": [ // this mechanism can be used to authenticate as did:...fghi "did:example:123456789abcdefghi#keys-1", // this mechanism can be used to biometrically authenticate as did:...fghi "did:example:123456789abcdefghi#keys-3", // this mechanism is *only* authorized for authentication, it may not // be used for any other proof purpose, so its full description is // embedded here rather than using only a reference { "id": "did:example:123456789abcdefghi#keys-2", "type": "Ed25519VerificationKey2018", "controller": "did:example:123456789abcdefghi", "publicKeyBase58": "H3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV" } ], "service": [{ "id": "did:example:123456789abcdefghi#oidc", "type": "OpenIdConnectVersion1.0Service", "serviceEndpoint": "https://openid.example.com/" }, { "id": "did:example:123456789abcdefghi#vcStore", "type": "CredentialRepositoryService", "serviceEndpoint": "https://repository.example.com/service/8377464" }, { "id": "did:example:123456789abcdefghi#xdi", "type": "XdiService", "serviceEndpoint": "https://xdi.example.com/8377464" }, { "id": "did:example:123456789abcdefghi#hub", "type": "HubService", "serviceEndpoint": "https://hub.example.com/.identity/did:example:0123456789abcdef/" }, { "id": "did:example:123456789abcdefghi#messaging", "type": "MessagingService", "serviceEndpoint": "https://example.com/messages/8377464" }, { "type": "SocialWebInboxService", "id": "did:example:123456789abcdefghi#inbox", "serviceEndpoint": "https://social.example.com/83hfh37dj", "description": "My public social inbox", "spamCost": { "amount": "0.50", "currency": "USD" } }, { "type": "DidAuthPushModeVersion1", "id": "did:example:123456789abcdefghi#push", "serviceEndpoint": "http://auth.example.com/did:example:123456789abcdefghi" }, { "id": "did:example:123456789abcdefghi#bops", "type": "BopsService", "serviceEndpoint": "https://bops.example.com/enterprise/" }] }