Decentralized
identifiers
(DIDs)
are
a
new
type
of
identifier
for
verifiable,
"self-sovereign"
digital
identity.
DIDs
are
fully
under
the
control
of
the
DID
controller,
independent
from
any
centralized
registry,
identity
provider,
or
certificate
authority.
DIDs
resolve
to
DID
Documents
—
simple
documents
that
describe
how
to
use
that
specific
DID.
This
document
specifies
the
algorithms
and
guidelines
for
resolving
DIDs
and
dereferencing
DID
URLs.
Additionally,
this
document
describes
the
input
and
output
metadata
related
to
the
DID
resolution
processes
and
further
describes
the
data
structures
that
may
be
returned
from
a
DID
resolution
request.
This
document
relies
on
the
core
DID
specification,
Decentralized
Identifiers
(DIDs)
v1.1
,
which
describes
the
underlying
DID
architecture
in
full
detail.
Status
of
This
Document
This
is
a
preview
Do
not
attempt
to
implement
this
version
of
the
specification.
Do
not
reference
this
version
as
authoritative
in
any
way.
Instead,
see
https://w3c.github.io/did-resolution/
for
the
Editor's
draft.
This
section
describes
the
status
of
this
document
at
the
time
of
its
publication.
A
list
of
current
W3C
publications
and
the
latest
revision
of
this
technical
report
can
be
found
in
the
W3C
standards
and
drafts
index
.
Portions
of
the
work
on
this
specification
have
been
funded
by
the
United
States
Department
of
Homeland
Security's
Science
and
Technology
Directorate
under
contracts
HSHQDC-17-C-00019.
The
content
of
this
specification
does
not
necessarily
reflect
the
position
or
the
policy
of
the
U.S.
Government
and
no
official
endorsement
should
be
inferred.
Work
on
this
specification
has
also
been
supported
by
the
Rebooting
the
Web
of
Trust
community
facilitated
by
Christopher
Allen,
Shannon
Appelcline,
Kiara
Robles,
Brian
Weller,
Betty
Dhamers,
Kaliya
Young,
Kim
Hamilton
Duffy,
Manu
Sporny,
Drummond
Reed,
Joe
Andrieu,
and
Heather
Vescent.
Publication
as
an
Editor's
Draft
does
not
imply
endorsement
by
W3C
and
its
Members.
This
is
a
draft
document
and
may
be
updated,
replaced,
or
obsoleted
by
other
documents
at
any
time.
It
is
inappropriate
to
cite
this
document
as
other
than
a
work
in
progress.
DID
resolution
is
the
process
of
obtaining
a
DID
document
for
a
given
DID
.
This
is
one
of
four
required
operations
that
can
be
performed
on
any
DID
("Read";
the
other
ones
being
"Create",
"Update",
and
"Deactivate").
The
details
of
these
operations
differ
depending
on
the
DID
method
.
Building
on
top
of
DID
resolution
,
DID
URL
dereferencing
is
the
process
of
retrieving
a
representation
of
a
resource
for
a
given
DID
URL
.
Software
and/or
hardware
that
is
able
to
execute
these
processes
is
called
a
DID
resolver
.
This
specification
defines
common
requirements,
algorithms
including
their
inputs
and
results,
architectural
options,
and
various
considerations
for
the
DID
resolution
and
DID
URL
dereferencing
processes.
Note
that
while
this
specification
defines
some
base-level
functionality
for
DID
resolution,
the
actual
steps
required
to
communicate
with
a
DID's
verifiable
data
registry
are
defined
by
the
applicable
DID
method
specification.
Note
The
difference
between
"resolving"
a
DID
and
"dereferencing"
a
DID
URL
is
being
thoroughly
discussed
by
the
community.
For
example,
see
this
comment
.
1.1
Implementer
Overview
This
section
is
non-normative.
By
invoking
a
DID
resolver
using
the
standard
resolve(did,
resolutionOptions)
interface
(as
defined
in
the
DID
Resolution
section
)
one
can
obtain
a
DID
document
and
accompanying
metadata
(e.g.,
contentType
,
proof,
versioning)
which
an
application
can
use
to
validate
a
user's
cryptographic
keys,
service
endpoints,
or
status.
For
example,
a
wallet
app
could
resolve
did:example:123?versionTime=2021-05-10T17:00:00Z
(see
here
for
detailed
example
)
using
the
versionTime
parameter
to
retrieve
the
state
of
that
DID
at
a
past
time,
or
a
client
could
dereference
a
DID
URL
like
did:example:123?service=files&relativeRef=/resume.pdf
did:example:123/resume.pdf
(see
here
for
detailed
example
)
to
fetch
a
user's
resume
stored
via
a
service
declared
in
the
DID
document.
Further,
the
specification's
DID
URL
dereferencing
algorithm
shows
how
a
client
can
follow
a
fragment
(e.g.,
#key-1
)
to
extract
a
particular
verification
method
from
the
DID
document
(see
here
for
detailed
example
).
In
practice,
implementers
validate
their
resolver
against
the
DID
Resolution
Test
Suite
which
exercises
normative
MUSTs
and
error
conditions
(such
as
invalid
DIDs,
deactivated
DIDs,
unsupported
methods,
relative
URL
expansion,
etc.)
to
ensure
that
client
applications
can
reliably
depend
on
correct
resolution
behavior
across
different
DID
methods.
1.2
Conformance
As
well
as
sections
marked
as
non-normative,
all
authoring
guidelines,
diagrams,
examples,
and
notes
in
this
specification
are
non-normative.
Everything
else
in
this
specification
is
normative.
The
key
words
MAY
,
MUST
,
MUST
NOT
,
OPTIONAL
,
RECOMMENDED
,
REQUIRED
,
SHOULD
,
and
SHOULD
NOT
in
this
document
are
to
be
interpreted
as
described
in
BCP
14
[
RFC2119
]
[
RFC8174
]
when,
and
only
when,
they
appear
in
all
capitals,
as
shown
here.
A
conforming
DID
resolver
is
any
algorithm
realized
as
software
and/or
hardware
that
complies
with
the
relevant
normative
statements
in
4.
3.
DID
Resolution
.
A
conforming
DID
URL
dereferencer
is
any
algorithm
realized
as
software
and/or
hardware
that
complies
with
the
relevant
normative
statements
in
5.
4.
DID
URL
Dereferencing
.
1.3
Audience
This
section
is
non-normative.
This
specification
has
three
primary
audiences:
implementers
of
conformant
DID
methods;
implementers
of
conformant
DID
resolvers;
and
implementers
of
systems
and
services
that
wish
to
resolve
DIDs
using
DID
resolvers.
The
intended
audience
includes,
but
is
not
limited
to,
software
architects,
data
modelers,
application
developers,
service
developers,
testers,
operators,
and
user
experience
(UX)
specialists.
Other
people
involved
in
a
broad
range
of
standards
efforts
related
to
decentralized
identity,
verifiable
credentials,
and
secure
storage
might
also
be
interested
in
reading
this
specification.
1.4
Use
Cases
This
section
is
non-normative.
The
DID
resolution
specification
is
intended
to
support
a
broad
range
of
use
cases
by
defining
a
standardized
interface
to
resolve
DIDs
and
dereference
DID
URLs
independent
of
the
DID
method
of
any
particular
DID.
These
usecases
include:
A
decentralized
address
book:
By
using
DIDs
as
identifiers
for
people
and
organizations
within
an
address
book,
the
controllers
of
those
DIDs
can
independently
update
the
contents
of
their
DID
documents.
Through
DID
resolution
these
DIDs
can
be
resolved
to
obtain
the
current
state
of
the
DID
document
for
any
given
contact,
enabling
persistent
stable
identifiers
with
updatable
services
and
verification
material
necessary
for
continued
verifiable
interactions.
Verifying
a
Verifiable
Credential:
Verifiable
Credentials
are
signed
by
an
issuer
and
given
to
a
holder.
The
holder
can
then
create
a
Verifiable
Presentation
that
is
presented
to
a
verifier.
Within
the
credential,
if
issuers
and
holders
are
identified
using
a
DID,
the
verifier
can
use
DID
resolution
to
resolve
the
DID
documents
of
the
identified
issuer
and
holder
to
obtain
the
verification
material
necessary
to
verify
the
signatures
on
the
Verifiable
Presentation.
Auditability:
DID
resolution
can
be
used
to
obtain
the
historical
state
of
a
DID
document
either
at
a
specific
point
in
time
or
for
a
specific
version.
This
can
be
used
to
audit
the
historical
verifiable
actions
of
a
DID
controller.
For
example,
the
issuance
of
a
verifiable
receipt
or
the
signing
of
a
contract.
DID
URL
based
resource
retrieval:
A
DID
controller
can
add
service
endpoints
to
their
DID
document
that
point
to
resources
they
control,
for
example
a
profile
picture.
By
referencing
these
resources
using
a
DID
URL,
a
web
application
can
use
DID
resolution
and
DID
URL
dereferencing
to
retrieve
the
current
version
of
the
resource.
The
DID
URL
can
act
as
a
persistent,
dereferencable
identifier
for
this
resource,
while
the
DID
controller
can
independently
change
the
resource
over
time.
2.
Terminology
This
section
defines
the
terms
used
in
this
specification
and
throughout
decentralized
identifier
infrastructure.
A
link
to
these
terms
is
included
whenever
they
appear
in
this
specification.
authenticate
Authentication
is
a
process
by
which
an
entity
can
prove
it
has
a
specific
attribute
or
controls
a
specific
secret
using
one
or
more
verification
methods
.
With
DIDs
,
a
common
example
would
be
proving
control
of
the
cryptographic
private
key
associated
with
a
public
key
published
in
a
DID
document
.
A
globally
unique
persistent
identifier
that
does
not
require
a
centralized
registration
authority
and
is
often
generated
and/or
registered
cryptographically.
The
generic
format
of
a
DID
is
defined
in
Decentralized
Identifiers
(DIDs)
v1.0
.
A
specific
DID
scheme
is
defined
in
a
DID
method
specification.
Many—but
not
all—DID
methods
make
use
of
distributed
ledger
technology
(DLT)
or
some
other
form
of
decentralized
network.
DID
controller
An
entity
that
has
the
capability
to
make
changes
to
a
DID
document
.
A
DID
might
have
more
than
one
DID
controller.
The
DID
controller(s)
can
be
denoted
by
the
optional
controller
property
at
the
top
level
of
the
DID
document
.
Note
that
a
DID
controller
might
be
the
DID
subject
.
DID
delegate
An
entity
to
whom
a
DID
controller
has
granted
permission
to
use
a
verification
method
associated
with
a
DID
via
a
DID
document
.
For
example,
a
parent
who
controls
a
child's
DID
document
might
permit
the
child
to
use
their
personal
device
in
order
to
authenticate
.
In
this
case,
the
child
is
the
DID
delegate
.
The
child's
personal
device
would
contain
the
private
cryptographic
material
enabling
the
child
to
authenticate
using
the
DID
.
However,
the
child
might
not
be
permitted
to
add
other
personal
devices
without
the
parent's
permission.
The
portion
of
a
DID
URL
that
begins
with
and
includes
the
first
forward
slash
(
/
)
character
and
ends
with
either
a
question
mark
(
?
)
character,
a
fragment
hash
sign
(
#
)
character,
or
the
end
of
the
DID
URL
.
DID
path
syntax
is
identical
to
URI
path
syntax.
See
Decentralized
Identifiers
(DIDs)
v1.0
.
The
process
that
takes
as
its
input
a
DID
and
a
set
of
resolution
options
and
returns
a
DID
document
in
a
conforming
representation
plus
additional
metadata.
This
process
relies
on
the
"Read"
operation
of
the
applicable
DID
method
.
The
inputs
and
outputs
of
this
process
are
defined
in
4.
3.
DID
Resolution
.
The
formal
syntax
of
a
decentralized
identifier
.
The
generic
DID
scheme
begins
with
the
prefix
did:
as
defined
in
Decentralized
Identifiers
(DIDs)
v1.0
.
Each
DID
method
specification
defines
a
specific
DID
method
scheme
that
works
with
that
specific
DID
method
.
In
a
specific
DID
method
scheme,
the
DID
method
name
follows
the
first
colon
and
terminates
with
the
second
colon,
e.g.,
did:example:
DID
subject
The
entity
identified
by
a
DID
and
described
by
a
DID
document
.
Anything
can
be
a
DID
subject:
person,
group,
organization,
physical
thing,
digital
thing,
logical
thing,
etc.
A
non-centralized
system
for
recording
events.
These
systems
establish
sufficient
confidence
for
participants
to
rely
upon
the
data
recorded
by
others
to
make
operational
decisions.
They
typically
use
distributed
databases
where
different
nodes
use
a
consensus
protocol
to
confirm
the
ordering
of
cryptographically
signed
transactions.
The
linking
of
digitally
signed
transactions
over
time
often
makes
the
history
of
the
ledger
effectively
immutable.
resource
As
defined
by
[
RFC3986
]:
"...the
term
'resource'
is
used
in
a
general
sense
for
whatever
might
be
identified
by
a
URI."
Similarly,
any
resource
might
serve
as
a
DID
subject
identified
by
a
DID
.
representation
As
defined
for
HTTP
by
[
RFC9110
]:
"information
that
is
intended
to
reflect
a
past,
current,
or
desired
state
of
a
given
resource,
in
a
format
that
can
be
readily
communicated
via
the
protocol.
A
representation
consists
of
a
set
of
representation
metadata
and
a
potentially
unbounded
stream
of
representation
data."
A
DID
document
is
a
representation
of
information
describing
a
DID
subject
.
See
Decentralized
Identifiers
(DIDs)
v1.0
.
Means
of
communicating
or
interacting
with
the
DID
subject
or
associated
entities
via
one
or
more
service
endpoints
.
Examples
include
discovery
services,
agent
services,
social
networking
services,
file
storage
services,
and
verifiable
credential
repository
services.
service
endpoint
A
network
address,
such
as
an
HTTP
URL,
at
which
services
operate
on
behalf
of
a
DID
subject
.
A
system
that
facilitates
the
creation,
verification,
updating,
and/or
deactivation
of
decentralized
identifiers
and
DID
documents
.
A
verifiable
data
registry
might
also
be
used
for
other
cryptographically-verifiable
data
structures
such
as
verifiable
credentials
.
For
more
information,
see
the
W3C
Verifiable
Credentials
specification
[
VC-DATA-MODEL
].
verification
method
A
set
of
parameters
that
can
be
used
together
with
a
process
to
independently
verify
a
proof.
For
example,
a
cryptographic
public
key
can
be
used
as
a
verification
method
with
respect
to
a
digital
signature;
in
such
usage,
it
verifies
that
the
signer
possessed
the
associated
cryptographic
private
key.
"Verification"
and
"proof"
in
this
definition
are
intended
to
apply
broadly.
For
example,
a
cryptographic
public
key
might
be
used
during
Diffie-Hellman
key
exchange
to
negotiate
a
shared
symmetric
key
for
encryption.
This
guarantees
the
integrity
of
the
key
agreement
process.
It
is
thus
another
type
of
verification
method,
even
though
descriptions
of
the
process
might
not
use
the
words
"verification"
or
"proof."
A
type
of
globally
unique
identifier
defined
by
[
RFC4122
].
UUIDs
are
similar
to
DIDs
in
that
they
do
not
require
a
centralized
registration
authority.
UUIDs
differ
from
DIDs
in
that
they
are
not
resolvable
or
cryptographically-verifiable.
Uniform
Resource
Identifier
(URI)
The
standard
identifier
format
for
all
resources
on
the
World
Wide
Web
as
defined
by
[
RFC3986
].
A
DID
is
a
type
of
URI
scheme.
3.
DID
Parameters
The
DID
URL
syntax
supports
a
simple
format
for
parameters
(see
section
Query
in
[
DID-CORE
]).
Adding
a
DID
parameter
to
a
DID
URL
means
that
the
parameter
becomes
part
of
the
identifier
for
a
resource
.
Example
1
:
A
DID
URL
with
a
'versionTime'
DID
parameter
did:example:123?versionTime=2021-05-10T17:00:00Z
Example
2
:
A
DID
URL
with
a
'service'
and
a
'relativeRef'
DID
parameter
did:example:123?service=files&relativeRef=/resume.pdf
Some
DID
parameters
are
completely
independent
of
any
specific
DID
method
and
function
the
same
way
for
all
DIDs
.
Other
DID
parameters
are
not
supported
by
all
DID
methods
.
Where
optional
parameters
are
supported,
they
are
expected
to
operate
uniformly
across
the
DID
methods
that
do
support
them.
The
following
table
provides
common
DID
parameters
that
function
the
same
way
across
all
DID
methods
.
Support
for
all
DID
Parameters
is
OPTIONAL
.
Parameter Name
Description
service
Identifies
a
service
from
the
DID
document
by
service
ID.
If
present,
the
associated
value
MUST
be
an
ASCII
string
.
serviceType
Identifies
a
set
of
one
or
more
services
from
the
DID
document
by
service
type.
If
present,
the
associated
value
MUST
be
an
ASCII
string
.
relativeRef
A
relative
URI
reference
according
to
RFC3986
Section
4.2
that
identifies
a
resource
at
a
service
endpoint
,
which
is
selected
from
a
DID
document
by
using
the
service
parameter.
If
present,
the
associated
value
MUST
be
an
ASCII
string
and
MUST
use
percent-encoding
for
certain
characters
as
specified
in
RFC3986
Section
2.1
.
versionId
Identifies
a
specific
version
of
a
DID
document
to
be
resolved
(the
version
ID
could
be
sequential,
or
a
UUID
,
or
method-specific).
If
present,
the
associated
value
MUST
be
an
ASCII
string
.
versionTime
Identifies
a
certain
version
timestamp
of
a
DID
document
to
be
resolved.
That
is,
the
most
recent
version
of
the
DID
document
that
was
valid
for
a
DID
before
the
specified
versionTime
.
If
present,
the
associated
value
MUST
be
an
ASCII
string
which
is
a
valid
XML
datetime
value,
as
defined
in
section
3.3.7
of
W3C
XML
Schema
Definition
Language
(XSD)
1.1
Part
2:
Datatypes
[
XMLSCHEMA11-2
].
This
datetime
value
MUST
be
normalized
to
UTC
00:00:00
and
without
sub-second
decimal
precision.
For
example:
2020-12-20T19:17:47Z
.
hl
A
resource
hash
of
the
DID
document
to
add
integrity
protection,
as
specified
in
[
HASHLINK
].
This
parameter
is
non-normative.
If
present,
the
associated
value
MUST
be
an
ASCII
string
.
Implementers
as
well
as
DID
method
specification
authors
might
use
additional
DID
parameters
that
are
not
listed
here.
For
maximum
interoperability,
it
is
RECOMMENDED
that
DID
parameters
use
the
DID
Document
Properties
Extensions
mechanism
[
DID-EXTENSIONS-PROPERTIES
],
to
avoid
collision
with
other
uses
of
the
same
DID
parameter
with
different
semantics.
DID
parameters
might
be
used
if
there
is
a
clear
use
case
where
the
parameter
needs
to
be
part
of
a
URL
that
references
a
resource
with
more
precision
than
using
the
DID
alone.
It
is
expected
that
DID
parameters
are
not
used
if
the
same
functionality
can
be
expressed
by
passing
input
metadata
to
a
DID
resolver
.
Note
:
DID
parameters
and
DID
resolution
The
DID
resolution
and
the
DID
URL
dereferencing
functions
can
be
influenced
by
passing
4.1
DID
Resolution
Options
or
5.1
DID
URL
Dereferencing
Options
to
a
DID
resolver
that
are
not
part
of
the
DID
URL
.
This
is
comparable
to
HTTP,
where
certain
parameters
could
either
be
included
in
an
HTTP
URL,
or
alternatively
passed
as
HTTP
headers
during
the
dereferencing
process.
The
important
distinction
is
that
DID
parameters
that
are
part
of
the
DID
URL
should
be
used
to
specify
what
resource
is
being
identified
,
whereas
input
metadata
that
is
not
part
of
the
DID
URL
should
be
used
to
control
how
that
resource
is
resolved
or
dereferenced
.
Conforming
DID
resolver
implementations
do
not
alter
the
signature
of
this
function
in
any
way.
DID
resolver
implementations
might
map
the
resolve
function
to
a
method-specific
internal
function
to
perform
the
actual
DID
resolution
process.
DID
resolver
implementations
might
implement
and
expose
additional
functions
with
different
signatures
in
addition
to
the
resolve
function
specified
here.
The
input
variables
of
the
resolve
function
are
as
follows:
A
metadata
structure
consisting
of
input
options
to
the
resolve
function
in
addition
to
the
did
itself.
This
structure
is
further
defined
in
4.1
3.1
DID
Resolution
Options
.
This
input
is
REQUIRED
,
but
the
structure
MAY
be
empty.
This
function
returns
multiple
values,
and
no
limitations
are
placed
on
how
these
values
are
returned
together.
The
return
values
of
resolve
are
didResolutionMetadata
,
didDocument
,
and
didDocumentMetadata
.
These
values
are
described
below:
didResolutionMetadata
A
metadata
structure
consisting
of
values
relating
to
the
results
of
the
DID
resolution
process.
This
structure
is
REQUIRED
,
and
in
the
case
of
an
error
in
the
resolution
process,
this
MUST
NOT
be
empty.
This
structure
is
further
defined
in
4.2
3.2
DID
Resolution
Metadata
.
If
the
resolution
is
unsuccessful,
this
structure
MUST
contain
an
error
property
describing
the
error.
See
Section
10.
9.
Errors
.
The
possible
properties
within
this
structure
and
their
possible
values
SHOULD
be
registered
in
the
DID
Resolution
Extensions
[
DID-EXTENSIONS-RESOLUTION
].
This
specification
defines
the
following
common
input
options:
URLs,
IP
addresses,
and/or
other
networking
information
about
the
verifiable
data
registry
that
was
used
during
the
DID
resolution
process.
The
possible
properties
within
this
structure
and
their
possible
values
SHOULD
be
registered
in
the
DID
Resolution
Extensions
[
DID-EXTENSIONS-RESOLUTION
].
This
specification
defines
the
following
common
metadata
properties:
contentType
The
Media
Type
of
the
returned
didDocument
.
This
property
is
OPTIONAL
.
If
present,
the
value
of
this
property
MUST
be
an
ASCII
string
that
is
the
Media
Type
of
the
conformant
representations
.
In
this
case,
the
caller
of
the
resolve
function
MUST
use
this
value
when
determining
how
to
parse
and
process
the
didDocument
.
error
An
error
data
structure
defined
in
[
RFC9457
].
This
property
is
REQUIRED
when
there
is
an
error
in
the
resolution
process.
The
errors
defined
by
this
specification
and
can
be
found
in
Section
10.
9.
Errors
.
Additional
errors
SHOULD
be
registered
in
the
DID
Resolution
Extensions
[
DID-EXTENSIONS-RESOLUTION
].
DID
resolution
metadata
MAY
include
a
proof
property.
If
present,
the
value
MUST
be
a
set
where
each
item
is
a
map
that
contains
a
proof.
The
use
of
this
property
and
the
types
of
proofs
are
DID
method
-independent.
Metadata
about
controllers,
capabilities,
delegations,
etc.
Method-specific
metadata,
such
as
block
number,
index,
transaction
hash,
number
of
confirmations,
etc.,
of
a
record
in
the
blockchain
or
other
verifiable
data
registry
.
The
possible
properties
within
this
structure
and
their
possible
values
SHOULD
be
registered
in
the
DID
Document
Properties
Extensions
[
DID-EXTENSIONS-PROPERTIES
].
This
specification
defines
the
following
common
metadata
properties.
created
DID
document
metadata
SHOULD
include
a
created
property
to
indicate
the
timestamp
of
the
Create
operation
.
The
value
of
the
property
MUST
be
a
string
formatted
as
an
XML
Datetime
normalized
to
UTC
00:00:00
and
without
sub-second
decimal
precision.
For
example:
2020-12-20T19:17:47Z
.
updated
DID
document
metadata
SHOULD
include
an
updated
property
to
indicate
the
timestamp
of
the
last
Update
operation
for
the
document
version
which
was
resolved.
The
value
of
the
property
MUST
follow
the
same
formatting
rules
as
the
created
property.
The
updated
property
is
omitted
if
an
Update
operation
has
never
been
performed
on
the
DID
document
.
If
an
updated
property
exists,
it
can
be
the
same
value
as
the
created
property
when
the
difference
between
the
two
timestamps
is
less
than
one
second.
deactivated
If
a
DID
has
been
deactivated
,
DID
document
metadata
MUST
include
this
property
with
the
boolean
value
true
.
If
a
DID
has
not
been
deactivated,
this
property
is
OPTIONAL
,
but
if
included,
MUST
have
the
boolean
value
false
.
nextUpdate
DID
document
metadata
MAY
include
a
nextUpdate
property
if
the
resolved
document
version
is
not
the
latest
version
of
the
document.
It
indicates
the
timestamp
of
the
next
Update
operation
.
The
value
of
the
property
MUST
follow
the
same
formatting
rules
as
the
created
property.
versionId
DID
document
metadata
SHOULD
include
a
versionId
property
to
indicate
the
version
of
the
last
Update
operation
for
the
document
version
which
was
resolved.
The
value
of
the
property
MUST
be
an
ASCII
string
.
nextVersionId
DID
document
metadata
MAY
include
a
nextVersionId
property
if
the
resolved
document
version
is
not
the
latest
version
of
the
document.
It
indicates
the
version
of
the
next
Update
operation
.
The
value
of
the
property
MUST
be
an
ASCII
string
.
equivalentId
A
DID
method
can
define
different
forms
of
a
DID
that
are
logically
equivalent.
An
example
is
when
a
DID
takes
one
form
prior
to
registration
in
a
verifiable
data
registry
and
another
form
after
such
registration.
In
this
case,
the
DID
method
specification
might
need
to
express
one
or
more
DIDs
that
are
logically
equivalent
to
the
resolved
DID
as
a
property
of
the
DID
document
.
This
is
the
purpose
of
the
equivalentId
property.
DID
document
metadata
MAY
include
an
equivalentId
property.
If
present,
the
value
MUST
be
a
set
where
each
item
is
a
string
that
conforms
to
the
rules
in
Section
Decentralized
Identifiers
(DIDs)
v1.0
.
The
relationship
is
a
statement
that
each
equivalentId
value
is
logically
equivalent
to
the
id
property
value
and
thus
refers
to
the
same
DID
subject
.
Each
equivalentId
DID
value
MUST
be
produced
by,
and
a
form
of,
the
same
DID
method
as
the
id
property
value.
(e.g.,
did:example:abc
==
did:example:ABC
)
A
conforming
DID
method
specification
MUST
guarantee
that
each
equivalentId
value
is
logically
equivalent
to
the
id
property
value.
A
requesting
party
is
expected
to
retain
the
values
from
the
id
and
equivalentId
properties
to
ensure
any
subsequent
interactions
with
any
of
the
values
they
contain
are
correctly
handled
as
logically
equivalent
(e.g.,
retain
all
variants
in
a
database
so
an
interaction
with
any
one
maps
to
the
same
underlying
account).
If
a
requesting
party
does
not
retain
the
values
from
the
id
and
equivalentId
properties
and
ensure
any
subsequent
interactions
with
any
of
the
values
they
contain
are
correctly
handled
as
logically
equivalent,
there
might
be
negative
or
unexpected
issues
that
arise.
Implementers
are
strongly
advised
to
observe
the
directives
related
to
this
metadata
property.
canonicalId
The
canonicalId
property
is
identical
to
the
equivalentId
property
except:
a)
it
is
associated
with
a
single
value
rather
than
a
set,
and
b)
the
DID
is
defined
to
be
the
canonical
ID
for
the
DID
subject
within
the
scope
of
the
containing
DID
document
.
A
conforming
DID
method
specification
MUST
guarantee
that
the
canonicalId
value
is
logically
equivalent
to
the
id
property
value.
A
requesting
party
is
expected
to
use
the
canonicalId
value
as
its
primary
ID
value
for
the
DID
subject
and
treat
all
other
equivalent
values
as
secondary
aliases
(e.g.,
update
corresponding
primary
references
in
their
systems
to
reflect
the
new
canonical
ID
directive).
If
a
resolving
party
does
not
use
the
canonicalId
value
as
its
primary
ID
value
for
the
DID
subject
and
treat
all
other
equivalent
values
as
secondary
aliases,
there
might
be
negative
or
unexpected
issues
that
arise
related
to
user
experience.
Implementers
are
strongly
advised
to
observe
the
directives
related
to
this
metadata
property.
DID
document
metadata
MAY
include
a
proof
property.
If
present,
the
value
MUST
be
a
set
where
each
item
is
a
map
that
contains
a
proof.
The
use
of
this
property
and
the
types
of
proofs
are
DID
method
-specific.
Validate
that
the
input
DID
conforms
to
the
did
rule
of
the
DID
Syntax
.
If
not,
the
DID
resolver
MUST
return
the
following
result:
didResolutionMetadata
:
error
object
with
type
set
to
INVALID_DID
didDocument
:
null
didDocumentMetadata
:
«[
]»
Determine
whether
the
DID
method
of
the
input
DID
is
supported
by
the
DID
resolver
that
implements
this
algorithm.
If
not,
the
DID
resolver
MUST
return
the
following
result:
didDocumentMetadata
:
«[
"contentType"
→
output
DID
document
media
type
,
...
]»
Issue
Should
we
define
functionality
that
enables
discovery
of
the
list
of
DID
methods
or
other
capabilities
that
are
supported
by
a
DID
resolver
?
Or
is
this
implementation-specific
and
out-of-scope
for
this
spec?
For
example,
see
here
and
here
.
5.
4.
DID
URL
Dereferencing
The
DID
URL
dereferencing
function
dereferences
a
DID
URL
into
a
resource
with
contents
depending
on
the
DID
URL
's
components,
including
the
DID
method
,
method-specific
identifier,
path,
query,
and
fragment.
This
process
depends
on
DID
resolution
of
the
DID
contained
in
the
DID
URL
.
DID
URL
dereferencing
might
involve
multiple
steps
(e.g.,
when
the
DID
URL
being
dereferenced
includes
a
fragment),
and
the
function
is
defined
to
return
the
final
resource
after
all
steps
are
completed.
The
following
figure
depicts
the
relationship
described
above.
The
top
left
part
of
the
diagram
contains
a
rectangle
with
black
outline,
labeled
"DID".
The
bottom
left
part
of
the
diagram
contains
a
rectangle
with
black
outline,
labeled
"DID
URL".
This
rectangle
contains
four
smaller
black-outlined
rectangles,
aligned
in
a
horizontal
row
adjacent
to
each
other.
These
smaller
rectangles
are
labeled,
in
order,
"DID",
"path",
"query",
and
"fragment.
The
top
right
part
of
the
diagram
contains
a
rectangle
with
black
outline,
labeled
"DID
document".
This
rectangle
contains
three
smaller
black-outlined
rectangles.
These
smaller
rectangles
are
labeled
"id",
"(property
X)",
and
"(property
Y)",
and
are
surrounded
by
multiple
series
of
three
dots
(ellipses).
A
curved
black
arrow,
labeled
"DID
document
-
relative
fragment
dereference",
extends
from
the
rectangle
labeled
"(property
X)",
and
points
to
the
rectangle
labeled
"(property
Y)".
The
bottom
right
part
of
the
diagram
contains
an
oval
shape
with
black
outline,
labeled
"Resource".
A
black
arrow,
labeled
"resolves
to
a
DID
document",
extends
from
the
rectangle
in
the
top
left
part
of
the
diagram,
labeled
"DID",
and
points
to
the
rectangle
in
the
top
right
part
of
diagram,
labeled
"DID
document".
A
black
arrow,
labeled
"refers
to",
extends
from
the
rectangle
in
the
top
right
part
of
the
diagram,
labeled
"DID
document",
and
points
to
the
oval
shape
in
the
bottom
right
part
of
diagram,
labeled
"Resource".
A
black
arrow,
labeled
"contains",
extends
from
the
small
rectangle
labeled
"DID"
inside
the
rectangle
in
the
bottom
left
part
of
the
diagram,
labeled
"DID
URL",
and
points
to
the
rectangle
in
the
top
left
part
of
diagram,
labeled
"DID".
A
black
arrow,
labeled
"dereferences
to
a
DID
document",
extends
from
the
rectangle
in
the
bottom
left
part
of
the
diagram,
labeled
"DID
URL",
and
points
to
the
rectangle
in
the
top
right
part
of
diagram,
labeled
"DID
document".
A
black
arrow,
labeled
"dereferences
to
a
resource",
extends
from
the
rectangle
in
the
bottom
left
part
of
the
diagram,
labeled
"DID
URL",
and
points
to
the
oval
shape
in
the
bottom
right
part
of
diagram,
labeled
"Resource".
All
conforming
DID
URL
dereferencers
implement
the
function
below,
which
has
the
following
abstract
form:
While
it
is
valid
for
any
didUrl
to
be
passed
to
a
DID
URL
dereferencer,
implementers
are
expected
to
refer
to
5.
4.
DID
URL
Dereferencing
to
further
understand
common
patterns
for
how
a
DID
URL
is
expected
to
be
dereferenced.
dereferencingOptions
A
metadata
structure
consisting
of
input
options
to
the
dereference
function
in
addition
to
the
didUrl
itself.
This
structure
is
further
defined
in
5.1
4.1
DID
URL
Dereferencing
Options
.
This
input
is
REQUIRED
,
but
the
structure
MAY
be
empty.
This
function
returns
multiple
values,
and
no
limitations
are
placed
on
how
these
values
are
returned
together.
The
return
values
of
dereference
are
dereferencingMetadata
,
contentStream
,
and
contentMetadata
.
These
values
are
described
below:
dereferencingMetadata
A
metadata
structure
consisting
of
values
relating
to
the
results
of
the
DID
URL
dereferencing
process.
This
structure
is
REQUIRED
,
and
in
the
case
of
an
error
in
the
dereferencing
process,
this
MUST
NOT
be
empty.
This
structure
is
further
defined
in
5.2
4.2
DID
URL
Dereferencing
Metadata
.
If
the
dereferencing
is
unsuccessful,
this
structure
MUST
contain
an
error
property
describing
the
error.
See
Section
10.
9.
Errors
.
contentStream
If
the
dereferencing
function
was
called
and
successful,
this
MUST
contain
a
resource
corresponding
to
the
DID
URL
.
The
contentStream
MAY
be
a
resource
such
as
a
DID
document
that
is
serializable
in
one
of
the
conformant
representations
,
a
verification
method
,
a
service
,
or
any
other
resource
format
that
can
be
identified
via
a
Media
Type
and
obtained
through
the
resolution
process.
If
the
dereferencing
is
unsuccessful,
this
value
MUST
be
empty.
Conforming
DID
URL
dereferencing
implementations
do
not
alter
the
signature
of
these
functions
in
any
way.
DID
URL
dereferencing
implementations
might
map
the
dereference
function
to
a
method-specific
internal
function
to
perform
the
actual
DID
URL
dereferencing
process.
DID
URL
dereferencing
implementations
might
implement
and
expose
additional
functions
with
different
signatures
in
addition
to
the
dereference
function
specified
here.
The
possible
properties
within
this
structure
and
their
possible
values
SHOULD
be
registered
in
the
DID
Resolution
Extensions
[
DID-EXTENSIONS-RESOLUTION
].
This
specification
defines
the
following
common
input
options:
accept
The
Media
Type
that
the
caller
prefers
for
contentStream
.
The
Media
Type
MUST
be
expressed
as
an
ASCII
string
.
The
DID
URL
dereferencer
implementation
SHOULD
use
this
value
to
determine
the
contentType
of
the
representation
contained
in
the
returned
value
if
such
a
representation
is
supported
and
available.
verificationRelationship
The
verificationRelationship
for
which
the
caller
expects
the
verificationMethod
dereferenced
from
the
DID
URL
to
be
authorized.
If
present,
the
associated
value
MUST
be
an
ASCII
string
.
If
the
DID
URL
does
not
dereference
to
a
verificationMethod,
or
the
DID
document
does
not
authorize
the
verificationMethod
for
the
specified
verificationRelationship,
then
an
error
MUST
be
raised.
This
metadata
typically
changes
between
invocations
of
the
DID
URL
Dereferencing
function
as
it
represents
data
about
the
dereferencing
process
itself.
The
possible
properties
within
this
structure
and
their
possible
values
SHOULD
be
registered
in
the
DID
Resolution
Extensions
[
DID-EXTENSIONS-RESOLUTION
].
This
specification
defines
the
following
common
metadata
properties:
contentType
The
Media
Type
of
the
returned
contentStream
SHOULD
be
expressed
using
this
property
if
dereferencing
is
successful.
The
Media
Type
value
MUST
be
expressed
as
an
ASCII
string
.
error
An
error
data
structure
defined
in
[
RFC9457
].
This
property
is
REQUIRED
when
there
is
an
error
in
the
dereferencing
process.
The
errors
defined
in
this
specification
can
be
found
in
Section
10.
9.
Errors
.
Additional
errors
SHOULD
be
registered
in
the
DID
Resolution
Extensions
[
DID-EXTENSIONS-RESOLUTION
].
DID
URL
dereferencing
metadata
MAY
include
a
proof
property.
If
present,
the
value
MUST
be
a
set
where
each
item
is
a
map
that
contains
a
proof.
The
use
of
this
property
and
the
types
of
proofs
are
DID
method
-independent.
This
metadata
typically
does
not
change
between
invocations
of
the
DID
URL
Dereferencing
function
unless
the
content
changes,
as
it
represents
data
about
the
content.
The
possible
properties
within
this
structure
and
their
possible
values
SHOULD
be
registered
in
the
DID
Resolution
Extensions
[
DID-EXTENSIONS-RESOLUTION
].
This
specification
defines
no
common
properties.
5.4
4.4
DID
URL
Dereferencing
Algorithm
Components
Handling
The
following
A
DID
URL
dereferencing
algorithm
consists
of
a
DID
,
optionally
followed
by
additional
URL
components
—
any
combination
of
a
path,
zero
or
more
query
parameters,
and/or
a
fragment
identifier
—
as
defined
in
RFC3986
.
This
section
defines
how
these
components
MUST
be
implemented
interpreted
by
DID
Resolvers
when
dereferencing
a
DID
URL.
The
interpretation
of
DID
URL
components
is
conceptually
similar
to
that
of
HTTP
URLs
having
the
same
components:
A
DID
Resolver
is
comparable
to
a
web
server
—
responsible
for
interpreting
the
request
and
returning
a
representation
of
the
identified
resource.
Unlike
general-purpose
HTTP
servers,
DID
Resolvers
are
more
constrained
in
their
behavior,
typically
implementing
DID
Method
-specific
resolution
rules.
A
client
of
a
conformant
DID
resolver
.
In
accordance
with
Resolver
is
comparable
to
a
web
browser
—
responsible
for
constructing
the
DID
URL
and
processing
the
response.
DID
Resolver
clients
are
generally
more
flexible
than
browsers,
applying
deployment-specific
handling
of
the
resolved
resource
by
media
type,
including
metadata
and
fragment
(if
any).
The
similarity
ends
there.
DID
Resolvers
do
not
support
arbitrary
server
logic
or
content
negotiation.
Instead,
the
interpretation
of
DID
URL
components
is
deterministic
and
governed
by
this
specification,
the
applicable
DID
method
specification,
and
any
DID
Document
Properties
Extensions
[
RFC3986
DID-EXTENSIONS-PROPERTIES
],
it
consists
]
supported
by
the
DID
Resolver
.
This
section
describes
the
structure,
constraints,
and
required
handling
of
each
DID
URL
component.
These
rules
form
the
following
three
steps:
resolving
basis
for
the
DID;
DID
URL
dereferencing
algorithm
.
4.4.1
Fragment
A
DID
URL
MAY
include
not
more
than
one
fragment
component,
as
specified
in
RFC3986
Section
3.5
.
If
present,
the
resource;
and
dereferencing
fragment
component
appears
after
all
other
components
of
the
DID
URL.
As
with
HTTP/S
dereferencing,
the
fragment
(only
is
not
processed
by
the
DID
Resolver
.
Instead,
its
interpretation
is
the
responsibility
of
the
client
that
receives
the
dereferenced
resource
from
the
resolver.
The
meaning
of
the
fragment
depends
on
the
media
type
of
the
resolved
content
and
may
be
used
to
reference
a
specific
node
in
a
DID
Document
or
a
part
of
another
structured
resource.
For
example,
if
the
input
resolved
resource
is
a
DID
URL
Document,
the
fragment
may
be
used
to
identify
a
verification
method
to
be
used
by
the
client
in
processing
a
cryptographic
signature.
DID
Method
-specific
and
DID
Document
Properties
Extensions
[
contains
DID-EXTENSIONS-PROPERTIES
]
MUST
define
guidance
for
how
a
DID
fragment
Resolver
Client
):
should
process
a
node
in
a
DID
Document
that
is
referenced
by
a
fragment.
Such
guidance
can
specify
how
to
interpret
the
node's
structure,
expected
data
type,
or
its
use
in
further
processing
(for
example,
verifying
a
signature
or
retrieving
related
resources).
5.4.1
4.4.2
Dereferencing
the
Resource
Query
Parameters
Validate
that
the
input
A
DID
URL
conforms
to
the
did-url
rule
of
MAY
include
one
or
zero
query
component(s),
which,
if
present,
MAY
include
zero
or
more
query
parameters,
as
defined
in
RFC3986
Section
3.4
.
Query
parameters
appear
after
the
DID
and
any
path
component,
and
their
structure
and
encoding
MUST
follow
standard
URL
Syntax
.
If
not,
syntax
conventions.
Their
interpretation
depends
on
the
context
in
which
the
DID
URL
dereferencer
is
used
and
can
influence
the
dereferencing
result.
Unlike
HTTP
query
parameters,
which
are
interpreted
by
customized
web
server
implementations,
DID
parameters
in
DID
URLs
MUST
return
the
following
result:
dereferencingMetadata
:
error
object
with
type
set
to
INVALID_DID_URL
have
predefined
semantics.
A
DID
Resolver
contentStream
:
null
contentMetadata
:
«[
]»
Obtain
MUST
process
only
recognized
query
parameters
—
specifically
those
defined
in
this
specification
(see
the
DID
document
Parameter
definitions
for
),
the
input
applicable
DID
method
specification,
and/or
DID
Document
Properties
Extensions
[
DID-EXTENSIONS-PROPERTIES
by
executing
the
].
All
other
query
parameters
MAY
be
passed
through
unchanged
for
downstream
processing,
such
as
dereferencing
a
DID
resolution
URL
algorithm
path.
Query
parameters
may
affect
dereferencing
behavior,
such
as
by
specifying
a
versioned
resource
or
by
influencing
how
a
path
is
to
be
processed.
The
impact
of
specific
query
parameters
defined
in
this
specification
in
combination
with
a
DID
URL
path
is
described
in
the
next
section
of
this
specification
.
4.
4.4.3
Path
A
DID
Resolution
URL
MAY
include
not
more
than
one
path
component,
as
defined
in
RFC3986
Section
3.3
.
All
dereferencing
options
If
present,
the
path
component
appears
immediately
after
the
DID
and
before
any
query
or
fragment
component(s).
Its
structure
and
encoding
MUST
conform
to
URI
syntax
rules.
When
a
DID
URL
path
is
present,
the
following
processing
steps
MUST
be
followed:
If
the
DID
Method
specifies
its
own
path
handling
algorithm,
it
MUST
be
passed
as
resolution
options
to
applied,
and
the
rest
of
this
algorithm
skipped.
Creators
of
DID
Resolution
method
algorithm.
specifications
are
encouraged
to
use
this
algorithm
where
possible
to
increase
interoperability.
Match
the
extracted
path
against
the
prefix
attribute
of
each
relevant
service
entry
in
the
DID
Document
that
includes
such
an
attribute.
If
the
input
service
and/or
serviceType
DID
Parameters
does
not
exist
in
the
VDR,
are
present,
the
DID
URL
dereferencer
Resolver
MUST
return
the
following
result:
dereferencingMetadata
:
error
object
consider
only
services
with
the
respectively
specified
id
and/or
type
set
to
NOT_FOUND
values.
Otherwise,
all
service
entries
MUST
be
considered
in
the
matching
process.
In
matching
the
path
and
prefix
,
the
DID
Resolver
MUST
track
the
length
of
the
match
for
each
service.
contentStream
:
Select
the
null
service
with
the
longest
matching
prefix.
contentMetadata
:
If
two
or
more
«[
]»
services
have
the
same
longest
matching
prefix,
the
resolver
MUST
fail
resolution
with
an
appropriate
error.
If
no
matching
service
is
found,
the
resolver
MUST
return
an
error
indicating
that
no
applicable
service
was
found.
Otherwise,
Use
the
didDocument
result
type
of
the
selected
service
to
determine
how
the
DID
resolution
URL
algorithm
path
is
called
to
be
used
in
assembling
the
resolved
URL
of
the
resource
to
be
resolved.
The
algorithm
for
assembling
this
URL
MUST
be
defined
in
the
corresponding
service
type
specification.
A
service
type
specification
MAY
appear
in
the
DID
document
Service
Types
.
If
present,
separate
section
of
this
document,
the
applicable
DID
fragment
method
from
specification,
or
in
the
input
DID
URL
Document
Properties
Extensions
[
DID-EXTENSIONS-PROPERTIES
and
continue
with
].
The
FileService
type
is
currently
the
adjusted
input
DID
URL
only
service
type
defined
in
this
specification.
See
the
FileService
Service
Type
.
section
for
its
definition.
If
Return
the
input
DID
assembled
URL
contains
no
DID
path
and
no
DID
query
:
Example
3
for
processing.
did:example:1234
The
DID
URL
dereferencer
MUST
return
the
resolved
DID
document
and
resolved
4.3
4.4.3.1
DID
Document
Metadata
Examples
as
follows:
dereferencingMetadata
:
Example
1
—
Basic
path
resolution
using
a
«[
...
]»
FileService
with
a
root
(/)
prefix
// DID URL:did:web:example.com/path/to/file.txt// DID Document service section:
{
"service": [
{
"type": "FileService", "serviceEndpoint": "https://example.com/", "prefix": "/"
}
]
}
// Resulting URL:
https
:
//example.com/path/to/file.txt
contentStream
:
resolved
DID
document
contentMetadata
:
«[
resolved
Example
2
—
Path
maps
directly
to
a
single
resource
(e.g.,
a
Verifiable
Presentation
describing
the
DID
document
metadata
subject)
// DID URL:did:webvh:example.com/whois// DID Document service section:
{
"service": [
{
"type": "FileService", "serviceEndpoint": "https://example.com/whois.vp", "prefix": "/whois"
}
]
}
// Resulting URL:
https
:
//example.com/whois.vp
]»
Example
3
—
Use
of
a
non-FileService
type
that
performs
content
verification
(
ExampleVerifiedFileService
)
If
This
demonstrates
a
(currently)
fictitious
service
type
that
behaves
like
FileService
,
but
with
additional
content
verification
logic.
The
final
segment
of
the
input
DID
URL
contains
path
is
treated
as
a
hash,
removed
before
URL
assembly,
and
used
to
verify
the
DID
parameter
hl
:
Example
4
did:example:1234?hl=zQmWvQxTqbG2Z9HPJgG57jjwR154cKhbtJenbyYTWkjgF3e
integrity
of
the
resolved
content.
// DID URL:did:web:example.com/example/resume.pdf/<hash>
// DID Document service section:
{
"service": [
{
"type": "ExampleVerifiedFileService", "serviceEndpoint": "https://example.com/example/files/", "prefix": "/example/"
}
]
}
Issue
// Resulting URL:
https
:
//example.com/example/files/resume.pdf
TODO:
Specify
The
resource
is
resolved
from
the
algorithm
for
processing
assembled
URL.
Its
content
is
hashed
and
compared
with
the
hl
DID
parameter.
If
<hash>
value
from
the
input
DID
URL
path
to
verify
integrity.
contains
the
Example
4
—
Multiple
services
supporting
different
types
of
resources
under
distinct
path
prefixes
This
example
shows
a
DID
parameter
Document
with
two
service
and/or
the
DID
parameter
entries:
one
using
serviceType
,
FileService
for
general
file
access,
and
optionally
another
using
the
DID
parameter
relativeRef
:
Example
5
ExampleVerifiedFileService
from
the
previous
example
for
integrity-verified
files.
The
path
prefix
determines
which
service
to
use.
// DID URLs:did:web:example.com/path/to/file.txtdid:web:example.com/example/resume.pdf/<hash>// DID Document service section:
{
"service": [
{
"type": "FileService", "serviceEndpoint": "https://example.com/", "prefix": "/"
},
{
"type": "ExampleVerifiedFileService", "serviceEndpoint": "https://example.com/example/files/", "prefix": "/example/"
}
]
}
// Resulting URLs:https://example.com/path/to/file.txt
https
:
//example.com/example/files/resume.pdf
(with
hash
verification
after
resolution)
4.5
DID
URL
Dereferencing
Algorithm
did:example:1234?service=files&relativeRef=%2Fmyresume%2Fdoc%3Fversion%3Dlatest
From
Parse
the
DID
parameter
URL
service
:
Select
into
the
service
if
its
following
components:
id
did
property
matches
the
value
of
the
service
path
DID
parameter.
If
the
id
query
parameters
property
or
the
(stored
as
a
working
set
service
qp
DID
parameter
or
both
contain
relative
references,
)
fragment
Handle
Fragments:
As
noted
in
the
corresponding
absolute
URIs
DID
URL
fragment
handling
section,
if
a
DID
URL
contains
a
fragment,
a
DID
Resolver
MUST
SHOULD
NOT
be
process
or
interpret
it.
Fragment
handling
is
the
client's
responsibility,
based
on
the
resolved
document
and
used
for
determining
the
match,
using
its
media
type.
Resolve
the
rules
specified
in
RFC3986
Section
5:
Reference
DID:
Use
these
to
resolve
the
service
if
its
type
did
property
matches
the
value
of
the
into
a
serviceType
didDocument
DID
parameter.
The
selected
services
are
a
list
called
the
selected
services
.
and
didResolutionMetadata
.
If
the
input
resolution
fails,
return
an
error
and
abort
dereferencing.
Remove
any
consumed
DID
URL
parameters
contains
from
the
DID
parameter
relativeRef
:
For
each
selected
service
:
qp
working
set.
No
Path
Component:
If
the
value
of
the
no
serviceEndpoint
path
property
of
is
present,
resolution
is
complete
and
the
selected
service
path-handling
step
is
a
map
,
skip
this
selected
service
.
skipped.
Remove
any
consumed
query
parameters
from
the
serviceEndpoint
qp
property
of
the
selected
service
is
a
string
,
add
this
value
to
a
list
of
selected
service
endpoint
URLs
.
working
set.
If
the
value
of
the
there
are
unused
query
parameters
in
serviceEndpoint
property
of
the
selected
service
is
a
set
,
qp
,
add
all
its
items
that
are
strings
them
to
a
list
of
selected
service
endpoint
URLs
.
For
each
selected
service
endpoint
URL
,
execute
the
algorithm
specified
in
constructed
URL
as
query
parameters,
ensuring
they
are
formatted
according
to
RFC3986
Section
5:
Reference
Resolution
as
follows:
3.4
.
The
base
URI
value
is
Attempt
to
resolve
the
selected
service
endpoint
resulting
URL
.
to
retrieve
the
resource
and
metadata
to
be
returned
to
the
client.
The
relative
reference
is
If
the
value
resolution
of
the
DID
parameter
relativeRef
.
URL
fails,
an
error
MUST
be
returned.
Update
If
the
selected
service
endpoint
DID
Resolver
URL
is
unable
to
resolve
the
result
of
the
"Reference
Resolution"
algorithm.
URL,
an
error
MUST
be
returned.
Note
Resolving
an
assembled
URL
from
a
service
endpoint
—
particularly
one
that
is
a
DID
—
path
might
result
in
a
resolution
cycle
,
which
is
a
set
of
steps
that
result
in
an
infinite
loop.
For
example,
a
service
endpoint
URL
assembled
from
a
path
might
indirectly
point
back
through
a
sequence
of
resolutions
to
a
previously
dereferenced
identifier.
URL.
A
DID
resolver
recursively
resolving
a
service
endpoint
is
advised
expected
to
detect
and
handle
such
recursive
cycles
when
resolving
a
cycle
URL
assembled
from
a
path,
to
prevent
an
infinite
loop
or
other
resolution
failure.
For
further
guidance,
see
Section
Resolution
Cycles
.
If
Return
the
accept
input
DID
dereferencing
option
is
missing,
or
if
its
value
is
the
Media
Type
of
a
representation
of
a
DID
document
:
result:
dereferencingMetadata
:
«[
...
]»
content
:
:
the
resolved
DID
document
with
selected
services
contentMetadata
:
«[
contentMetadata
:
metadata
about
the
resolved
DID
document
metadata
]»
dereferencingMetadata
:
any
metadata
about
the
dereferencing
process
If
the
value
of
the
accept
input
DID
resolution
option
result
is
text/uri-list
:
Return
a
resource
resolved
via
DID
URL
path
processing,
return
the
following
result:
following:
dereferencingMetadata
:
«[
...
]»
content
:
the
resolved
resource
content
:
«
selected
service
endpoint
URLs
»
contentType
:
the
media
type
of
the
resolved
resource
contentMetadata
:
«[
"contentType"
→
"text/uri-list",
...
]»
dereferencingMetadata
:
any
metadata
about
the
dereferencing
process
Otherwise,
return
the
following
result:
dereferencingMetadata
:
error
object
with
type
set
to
REPRESENTATION_NOT_SUPPORTED
content
:
null
4.6
Query
Parameters
and
Service
Types
These
values
are
not
DID
method
Method
MAY
specify
how
to
dereference
the
-specific.
All
DID
path
Methods
and/or
DID
that
are
capable
of
implementing
these
query
parameters
and
service
types
SHOULD
recognize
and
correctly
process
them.
DID
Methods
of
that
do
not
support
the
input
capabilities
required
for
a
specific
query
parameter
(e.g.,
historical
DID
URL
Document
version
resolution)
SHOULD
recognize
these
query
parameters
and
return
an
appropriate
error.
.
Example
7
4.6.1
Query
Parameters
did:example:1234/resources/1234
4.6.1.1
versionID
An
extension
specification
Identifies
a
specific
version
of
a
DID
Document
to
be
resolved.
If
present,
the
associated
value
MAY
MUST
specify
how
to
dereference
be
an
ASCII
string.
If
the
DID
path
Method
does
not
support
updating
or
the
tracking
of
DID
Document
versions,
or
if
the
input
specified
version
does
not
match
any
DID
URL
Document
.
Example
8
's
versionId
property,
the
DID
Resolver
did:example:1234/whois
An
extension
specification
MAY
MUST
specify
how
to
dereference
return
a
Not
Found
error
indicating
that
the
DID
query
of
requested
version
could
not
be
found.
Example:
did:example:123456789abcdefghi?versionId=5e3b
Resolves
the
input
DID
URL
Document
with
the
specific
version
ID
"5e3b".
.
Example
9
4.6.1.2
versionTime
did:example:1234?transformKey=JsonWebKey
Identifies
a
point
in
time
to
resolve
the
version
of
the
DID
Document
active
at
that
timestamp.
The
client
value
MAY
MUST
be
able
a
valid
XML
datetime
normalized
to
dereference
UTC
and
without
sub-second
precision.
If
the
input
DID
URL
Method
in
an
application-specific
way.
If
neither
this
algorithm,
nor
does
not
support
updating
or
the
applicable
tracking
of
DID
method
,
nor
an
extension,
nor
Document
versions
or
version
times,
or
if
the
client
is
able
to
dereference
DID
did
not
exist
at
the
input
specified
time
the
DID
URL
Resolver
,
MUST
return
the
following
result:
dereferencingMetadata
:
error
object
with
type
set
to
NOT_FOUND
contentStream
:
a
null
Not
Found
error
indicating
that
the
requested
version
could
not
be
found.
contentMetadata
:
Example:
«[
]»
did:example:123456789abcdefghi?versionTime=2025-10-01T12:00:00Z
Resolves
the
DID
Document
valid
on
October
1,
2025
at
noon
UTC.
5.4.2
4.6.1.3
Dereferencing
the
Fragment
service
If
Indicates
that
only
the
input
service
entry
or
entries
with
the
specified
id
are
to
be
considered
when
processing
the
path
component
of
a
DID
URL
.
If
present,
each
value
MUST
be
an
ASCII
string
that
is
percent-encoded
as
required
by
RFC3986
Section
2.1
,
and
MAY
be
either
a
relative
or
absolute
URI
contains
reference.
The
service
query
parameter
MAY
appear
multiple
times
in
a
DID
fragment
,
then
URL
.
If
no
matching
services
are
found,
the
dereferencing
of
process
MUST
fail.
A
service
query
parameter
can
also
be
used
in
conjunction
with
the
fragment
is
dependent
on
deprecated
relativeRef
parameter.
See
the
media
type
([
RFC2046
relativeRef
section
for
more
details.
])
of
Example:
did:example:123456789abcdefghi/path/to/file.txt?service=%23files
Considers
only
the
resource,
i.e.,
on
service
in
the
result
resolved
DID
Document
with
the
specified
id
value
of
(percent
decoded)
#files
in
determining
how
to
process
the
DID
URL
path.
5.4.1
4.6.1.4
Dereferencing
serviceType
Indicates
that
only
the
Resource
service
entry
or
entries
with
the
specified
type
are
to
be
considered
when
processing
the
path
component
of
a
DID
URL
.
If
present,
each
value
MUST
be
an
ASCII
string.
The
service
query
parameter
MAY
appear
multiple
times
in
a
DID
URL
.
If
no
matching
services
are
found,
the
result
of
dereferencing
process
MUST
fail.
5.4.1
Dereferencing
Example:
did:example:123456789abcdefghi/path/to/file.txt?serviceType=FileService
Considers
only
the
Resource
is
an
output
service
in
the
resolved
DID
document
Document
,
and
with
the
input
type
value
of
FileService
in
determining
how
to
process
the
DID
URL
dereferencing
options
path.
contain
the
4.6.1.5
relativeRef
(deprecated)
A
relative
URI
reference
to
a
resource
at
a
selected
service
endpoint.
This
parameter
is
deprecated
and
replaced
by
explicit
path-based
dereferencing
.
If
present,
each
value
MUST
be
an
ASCII
string
representing
a
relative
URL
path
that
is
percent-encoded
as
required
by
RFC3986
.
The
verificationRelationship
relativeRef
option:
Let
verificationRelationship
query
parameter
MUST
be
used
in
conjunction
with
a
single
service
query
parameter.
The
service
query
parameter
is
used
to
identify
a
specific
service
entry
in
the
DID
Document
,
and
the
value
of
the
verificationRelationship
relativeRef
option.
Let
verificationMethod
be
query
parameter
is
percent-decoded
and
appended
to
the
result
serviceEndpoint
of
dereferencing
the
DID
fragment
from
selected
service
.
The
resulting
URL
is
then
resolved,
and
if
successful,
the
output
resolved
resource
and
metadata
are
returned.
If
there
is
no
service
parameter,
or
no
service
is
identified
in
the
resolved
DID
document
Document
,
the
dereferencing
process
MUST
fail
with
an
error.
according
Example:
did:example:123456789abcdefghi&service=storage&relativeRef=invoices%2Fnov2025.pdf
Append
"invoices/nov2025.pdf"
to
the
rules
serviceEndpoint
of
the
media
type
storage
service
and
attempt
to
retrieve
the
resource
at
that
URL,
returning
the
resulting
resource
and
metadata
or
an
error.
4.6.1.6
hl
The
value
of
the
DID
document
.
If
verificationMethod
parameter
is
not
a
conforming
verification
method
,
an
error
hashlink
(as
defined
in
Hashlink
).
If
present,
it
MUST
be
raised
and
an
ASCII
string
representing
the
expected
multihash
of
the
resource
content.
The
DID
Resolver
SHOULD
MUST
convey
an
error
type
calculate
the
multihash
of
INVALID_VERIFICATION_METHOD
.
the
dereferenced
content
using
the
steps
below
and
compare
the
result
to
the
provided
hashlink.
If
verificationMethod
is
not
associated,
either
by
reference
(URL)
or
by
value
(object),
the
values
match,
proceed
with
returning
the
verification
relationship
array
in
resource
and
metadata.
If
the
output
values
do
not
match,
the
DID
document
Resolver
identified
by
verificationRelationship
,
an
error
MUST
be
raised
and
SHOULD
convey
return
an
error
type
of
INVALID_RELATIONSHIP_FOR_VERIFICATION_METHOD
.
error.
Hash
calculation
steps:
Determine
from
the
query
parameter
multihash
value's
prefix
which
hashing
algorithm
and
encoding
to
use
for
the
calculation.
Return
Calculate
the
verificationMethod
.
hash
of
the
resource
content
using
the
same
hashing
algorithm
and
encoding.
Verify
that
the
calculated
multihash
and
hl
value
match.
If
they
do
not
match,
return
an
error.
If
the
result
hashes
match,
continue
with
the
processing
of
the
resource.
5.4.1
Dereferencing
Example:
did:example:123456789abcdefghi?hl=hl:zQmYw5...oTwD
Ensures
the
Resource
is
a
selected
service
endpoint
URL
,
and
integrity
of
the
input
DID
URL
resolved
content
by
verifying
that
it
matches
the
specified
hashlink.
A
FileService
is
a
service
endpoint
URL
contains
defined
in
a
DID
Document
that
includes
a
fragment
prefix
component,
raise
an
error.
Append
attribute
that
enables
participation
in
the
deterministic
mapping
of
the
DID
fragment
URL
path
component
to
the
select
service
endpoint
a
resolvable
resource
URL
.
In
other
words,
as
described
in
the
select
service
endpoint
DID
URL
"inherits"
Path
handling
section.
When
a
service
of
type
FileService
is
selected
during
that
process,
the
DID
fragment
Resolver
of
MUST
perform
the
following
steps
to
construct
resource
URL
and
dereference
that
URL.
Remove
the
matching
prefix
value
from
the
input
DID
URL
.
path.
Return
Append
the
select
service
endpoint
URL
.
remaining
path
segment
to
the
serviceEndpoint
URL.
Attempt
to
resolve
the
resulting
URL.
Otherwise,
dereference
If
resolution
is
successful,
return
the
DID
fragment
resulting
content
and
dereferencing
metadata.
If
resolution
fails,
return
an
appropriate
error.
The
prefix
value
MUST
begin
with
a
forward
slash
(
/
)
and
MUST
represent
a
valid
path
as
defined
by
RFC3986
Section
3.3
.
The
serviceEndpoint
value
must
be
a
valid
URL
as
defined
by
the
media
type
([
RFC2046
RFC3986
])
of
and
serves
as
the
resource.
For
example,
if
base
for
resources
referenced
by
the
resource
is
a
representation
of
a
DID
document
with
media
type
URL
Path
.
See
DID
URL
Path
Examples
for
practical
usage
of
application/did
FileService
,
then
the
fragment
is
treated
according
to
the
rules
associated
including
cases
with
the
JSON-LD
1.1:
application/ld+json
media
type
[JSON-LD11].
overlapping
prefixes,
non-root
mappings,
and
multi-service
DID
Documents.
Note
4.7
Examples
This
use
section
provides
illustrative
examples
of
the
DID
fragment
URLs
is
consistent
with
the
definition
of
the
and
their
corresponding
dereferencing
behavior.
An
optional
fragment
identifier
in
[
RFC3986
].
It
identifies
#fragment
may
be
appended
to
any
of
these
examples
to
reference
a
secondary
resource
which
specific
node
within
the
returned
resource.
Fragment
processing
is
a
subset
of
performed
by
the
primary
resource
(the
client
and
is
not
handled
by
the
DID
Resolver
.
The
following
is
the
DID
document
).
that
is
used
in
all
of
the
following
examples.
DID
URL:
This
behavior
of
the
did:example:123456789abcdefghi
Dereferencing
result:
The
full,
most
recent
DID
fragment
Document
version
and
DID
metadata
is
analogous
to
the
handling
of
a
returned.
A
fragment
in
an
HTTP
URL
in
the
case
when
dereferencing
it
returns
an
HTTP
(
3xx
#keys-1
(Redirection)
response
with
)
could
be
appended
to
direct
the
client
to
use
a
Location
header
(see
section
7.1.2
of
[
RFC7231
specific
verification
method
]).
within
the
DID
Document
after
resolution
5.5
4.7.2
Examples
DID
with
versionTime
Query
Parameter
DID
URL:
did:example:123456789abcdefghi?versionTime=2025-10-01T12:00:00Z
Dereferencing
result:
The
DID
Document
as
it
existed
at
the
given
time
is
returned,
if
DID
Document
versioning
is
supported
by
the
DID
Method
.
If
the
DID
Method
does
not
support
versioning,
an
error
is
returned.
5.5.1
4.7.3
Example:
Dereferencing
to
verification
method
DID
with
Path
and
versionTime
Query
Parameter
Given
the
following
input
DID
URL
URL:
did:example:123456789abcdefghi/path/to/file.txt?versionTime=2025-10-01T12:00:00Z
:
Example
13
{
"@context": "https://www.w3.org/ns/did/v1.1",
"id": "did:example:123456789abcdefghi#keys-1",
"type": "Multikey",
"controller": "did:example:123456789abcdefghi",
"publicKeyMultibase": "z6MkmM42vxfqZQsv4ehtTjFFxQ4sQKS2w6WR7emozFAn5cxu"
}
Figure
2
Dereferencing
a
DID
URL
to
a
verification
method.
5.5.2
4.7.4
Example:
Dereferencing
to
service
endpoint
URL
DID
With
Path
with
Multiple
Candidate
Services
Given
the
following
input
DID
URL
URL:
did:example:123456789abcdefghi/example/resume.pdf
:
Example
14
Dereferencing
result:
The
full,
most
recent
DID
Document
did:example:123456789abcdefghi?service=messages&relativeRef=%2Fsome%2Fpath%3Fquery#frag
...
version
and
DID
metadata
is
returned.
The
path
component
/example/resume.pdf
is
processed
using
the
same
resolved
rules
defined
by
DID
document
as
URL
path
handling
,
using
the
full
set
of
services
in
the
previous
section.
...
then
DID
Document
.
This
results
in
the
result
use
of
the
5.
DID
URL
Dereferencing
algorithm
service
with
"type":
"ExampleFileService"
and
"prefix":
"/example/"
being
selected.
The
ExampleFileService
processing
steps
(which,
for
this
example,
we'll
assume
are
the
same
as
for
FileService
)
are
followed
and
the
resource
found
at:
https://example.com/files/resume.pdf
is
resolved.
If
successful,
the
following
selected
service
endpoint
URL
:
resolved
resource
and
related
metadata
is
returned.
DID
URL:
Figure
3
did:example:123456789abcdefghi/example/resume.pdf?service=FileService
Dereferencing
a
result:
The
full,
most
recent
DID
Document
version
is
resolved.
The
path
component
/resume.pdf
is
processed
using
the
rules
defined
by
DID
URL
path
handling
,
with
the
serviceType
query
parameter
limiting
the
service
entries
from
the
DID
Document
to
a
be
considered
to
those
with
"type":
"FileService"
.
This
results
in
the
use
of
the
service
endpoint
URL.
with
"type":
"FileService"
and
"prefix":
"/"
being
selected.
The
FileService
Service
Type
processing
steps
are
followed
and
the
resource
found
at:
https://example.com/example/resume.pdf
is
resolved.
If
successful,
the
resolved
resource
and
related
metadata
is
returned.
6.
5.
Metadata
Structure
Input
and
output
metadata
is
often
involved
during
the
DID
Resolution
,
DID
URL
dereferencing
,
and
other
DID-related
processes.
The
structure
used
to
communicate
this
metadata
MUST
be
a
map
of
properties.
Each
property
name
MUST
be
a
string
.
Each
property
value
MUST
be
a
string
,
number
,
map
,
list
,
set
,
boolean
,
or
null
.
The
values
within
any
complex
data
structure
such
as
a
map
or
list
MUST
be
one
of
these
data
types
as
well.
All
metadata
property
definitions
registered
in
the
DID
Resolution
Extensions
[
DID-EXTENSIONS-RESOLUTION
]
MUST
define
the
value
type,
including
any
additional
formats
or
restrictions
to
that
value
(for
example,
a
string
formatted
as
a
date).
It
is
RECOMMENDED
that
property
definitions
use
strings
for
values.
The
entire
metadata
structure
MUST
be
serializable
according
to
the
JSON
serialization
rules
in
the
[
INFRA
]
specification.
Implementations
MAY
serialize
the
metadata
structure
to
other
data
formats.
Note
All
implementations
of
functions
that
use
metadata
structures
as
either
input
or
output
are
able
to
fully
represent
all
data
types
described
here
in
a
deterministic
fashion.
As
inputs
and
outputs
using
metadata
structures
are
defined
in
terms
of
data
types
and
not
their
serialization,
the
method
for
representation
is
internal
to
the
implementation
of
the
function
and
is
out
of
scope
of
this
specification.
The
next
example
demonstrates
a
JSON-encoded
metadata
structure
that
might
be
used
as
DID
document
metadata
to
describe
timestamps
associated
with
the
DID
document
.
TODO:
Describe
how
DID
resolvers
are
implemented
and
used,
describe
the
relevance
of
DID
methods
.
Explain
the
difference
between
"method
architectures"
and
"resolver
architectures".
Every
DID
method
defines
this
method
operation,
i.e.,
how
a
DID
resolver
can
obtain
a
DID
document
from
a
DID.
The
underlying
data
formats,
protocols,
technical
infrastructures,
and
processes
can
vary
considerably
among
DID
methods
.
Examples
of
DID
method
considerations
include
the
following:
A
DID
method
might
use
an
immutable
blockchain,
distributed
ledger,
distributed
file
system,
peer-to-peer
network,
or
other
decentralized
infrastructure
as
(part
of)
its
verifiable
data
registry
.
A
DID
method
might
use
any
combination
of
the
above
technical
infrastructures.
A
DID
method
might
store
an
actual
DID
document
in
plain-text
form
in
a
verifiable
data
registry
and
might
simply
retrieve
that
document
during
the
"Read"
operation.
A
DID
method
might
define
its
"Read"
operation
in
a
more
complex
way
that
could
involve
intermediate,
partial,
or
temporary
DID
documents
,
and
use
multi-step
processes
that
construct
the
DID
document
"on-the-fly".
A
DID
method
might
require
interaction
with
remote
servers
or
networks
during
execution
of
the
"Read"
operation.
A
DID
method
might
execute
the
"Read"
operation
in
an
entirely
local
way
that
does
not
require
any
interaction
with
remote
servers
or
networks.
For
example,
in
the
[
DID-KEY
]
method,
the
DID
itself
wraps
a
public
key,
and
the
"Read"
operation
is
simply
a
trivial,
local
transformation
process.
A
verifiable
read
maximizes
confidence
in
the
integrity
and
correctness
of
the
result
of
the
"Read"
operation,
to
the
extent
possible
under
the
applicable
DID
method
.
This
can
be
accomplished
in
a
number
of
ways,
such
as
the
following:
For
example,
in
blockchain-based
DID
methods
,
a
verifiable
read
might
be
accomplished
if
a
blockchain
full
node
is
deployed
on
a
local
server.
If
access
to
the
verifiable
data
registry
happens
via
a
remote
server,
a
verifiable
read
might
still
be
accomplished
if
the
remote
server
is
trusted,
and
if
it
can
be
accessed
via
a
secure
channel.
For
example,
in
blockchain-based
DID
methods
,
even
if
direct
access
to
a
blockchain
full
node
is
not
available,
a
verifiable
read
may
still
be
possible
by
using
a
light
client
that
processes
metadata
to
verify
the
data.
An
unverifiable
read
does
not
have
such
guarantees
and
is
therefore
less
desirable,
for
example:
For
example,
in
the
case
of
blockchain-based
DID
methods
,
a
remote
blockchain
explorer
API
operated
by
an
third
party
may
be
used
to
look
up
data
from
the
blockchain.
The
guarantees
associated
with
a
verifiable
read
are
always
limited
by
the
architecture(s),
protocol(s),
cryptographic
element(s),
and
other
aspects
of
the
DID
method's
underlying
verifiable
data
registry
.
The
forms
of
verifiable
read
implementation
that
are
considered
strongest
are
those
that
require
no
interaction
with
any
remote
network
(for
example,
see
[
DID-KEY
]),
and
those
that
minimize
dependencies
on
specific
network
infrastructure,
reducing
the
"root
of
trust"
to
proven
entropy
and
cryptography
(for
example,
see
[
KERI
]).
To
enable
verifiable
reads
,
many
DID
methods
use
digital
signatures,
state
proofs,
proofs
of
inclusion
in
Merkle
trees,
cryptographic
event
logs,
or
other
types
of
proofs.
If
a
DID
method
uses
such
proofs,
it
MUST
specify
in
its
DID
method
specification
how
they
are
used
for
verification
of
the
correctness
of
the
result
of
a
"Read"
operation.
Those
algorithms
are
implemented
by
DID
resolvers
and
DID
URL
dereferencers
,
which
are
invoked
by
a
client
via
a
binding
.
Bindings
define
how
the
abstract
functions
are
accessed
using
concrete
programming
or
communication
interfaces.
Examples
of
bindings
include
the
following:
A
DID
resolver
might
be
invoked
within
an
application
by
calling
a
software
library
or
SDK.
Whenever
possible,
local
bindings
are
preferred,
as
they
minimize
dependencies
on
third
parties
and
intermediaries,
reduce
security
risks,
and
maximize
confidence
in
the
integrity
and
correctness
of
the
results
of
the
DID
resolution
and
DID
URL
dereferencing
functions.
In
some
cases,
it
might
not
be
possible
to
use
a
local
binding
;
for
example,
in
constrained
IoT
(Internet
of
Things)
environments,
or
when
a
DID
method
requires
complex
infrastructure,
or
when
many
different
DID
methods
should
be
supported.
Note
that
proofs
originating
from
a
DID
resolver
are
DID
method
-independent
and
can
be
universally
applied
by
a
DID
resolver
,
across
all
DID
methods.
These
proofs
help
to
verify
the
integrity
and
authenticity
of
the
results
of
a
DID
Resolution
process
as
far
as
the
DID
resolver
itself
is
concerned.
However,
they
do
not
guarantee
that
the
result
from
the
"Read"
operation
of
the
applicable
DID
method
is
itself
correct.
See
also
7.1
6.1
Method
Architectures
.
When
using
proxied
resolution,
a
"downstream"
resolver
SHOULD
preserve
all
DID
resolution
metadata
and
DID
document
metadata
from
an
"upstream"
resolver
in
a
transparent
manner,
including
any
proofs
that
may
be
present.
In
this
process,
the
"downstream"
resolver
MAY
add
its
own
DID
resolution
metadata
,
including
any
metadata
about
the
proxied
resolution
process
itself.
This
is
similar
to
a
"stub
resolver"
invoking
a
"recursive
resolver"
in
DNS
architecture,
although
the
concepts
are
not
entirely
comparable
(DNS
Resolution
uses
a
single
concrete
protocol,
whereas
DID
resolution
is
an
abstract
function
realized
by
different
DID
methods
and
different
bindings
).
Need
to
define
how
this
data
structure
works
exactly,
and
whether
it
always
contains
a
DID
document
or
can
also
contain
other
results.
Issue
For
certain
data,
it
may
be
debatable
whether
it
should
be
part
of
the
DID
document
(i.e.,
data
that
describes
the
DID
Subject),
or
whether
it
is
metadata
(i.e.,
data
about
the
DID
document
or
about
the
DID
resolution
process).
For
example
the
URL
of
the
"Continuation
DID
document"
in
the
BTCR
method.
The
algorithms
described
in
this
specification
throw
specific
types
of
errors.
Implementers
might
find
it
useful
to
convey
these
errors
to
other
libraries
or
software
systems.
This
section
provides
specific
URLs
and
descriptions
for
the
errors,
such
that
an
ecosystem
implementing
technologies
described
by
this
specification
might
interoperate
more
effectively
when
errors
occur.
Additionally,
this
specification
uses
some
errors
defined
in
Section
3.5
Processing
Errors
of
the
[
CID
]
specification.
Implementers
SHOULD
use
[
RFC9457
]
to
encode
the
error
data
structure.
If
[
RFC9457
]
is
used:
The
type
value
of
the
error
object
MUST
be
a
URL.
Where
the
values
listed
in
the
section
below
do
not
define
a
URL,
the
values
MUST
be
prepended
with
the
URL
https://www.w3.org/ns/did#
.
The
title
value
SHOULD
provide
a
short
but
specific
human-readable
string
for
the
error.
The
detail
value
SHOULD
provide
a
longer
human-readable
string
for
the
error.
The
DID
resolver
does
not
support
the
requested
feature.
The
value
of
the
detail
field
SHOULD
provide
a
longer
description
of
the
feature
that
is
not
supported
by
the
resolver.
The
byte
length
of
rawPublicKeyBytes
did
not
match
the
expected
public
key
length
for
the
associated
multicodecValue
during
DID
Resolution
or
DID
URL
dereferencing
.
The
HTTP(S)
binding
requires
a
known
HTTP(S)
URL
where
a
DID
resolver
can
be
invoked.
This
URL
is
called
the
DID
resolver
HTTP(S)
endpoint
.
This
binding
is
generally
considered
a
remote
binding
,
but
could
also
be
a
local
binding
if
the
HTTP(S)
endpoint
is
run
in
a
local
environment,
such
as
on
localhost
.
GET https://resolver.example/1.0/identifiers/did%3Aexample%3A1234%3Fservice%3Dfiles%26relativeRef%3D%2Fresume.pdf?option1=value1&option2=value2 HTTP/1.1
Accept:
application/did-url-dereferencing
For
the
HTTP(S)
POST
binding:
If
any
other
resolution
options
or
dereferencing
options
than
accept
are
provided:
Encode
all
resolution
options
except
accept
as
a
JSON
structure
in
the
HTTP
request's
POST
body.
If
the
DID
resolution
or
DID
URL
dereferencing
function
returns
an
error
metadata
property
in
the
didResolutionMetadata
or
dereferencingMetadata
,
then
the
HTTP
response
status
code
MUST
correspond
to
the
value
of
the
error
metadata
property,
according
to
the
following
table:
error
HTTP
status
code
INVALID_DID
400
INVALID_DID_URL
400
INVALID_OPTIONS
400
NOT_FOUND
404
REPRESENTATION_NOT_SUPPORTED
406
INVALID_DID_DOCUMENT
500
METHOD_NOT_SUPPORTED
501
INVALID_PUBLIC_KEY
500
INVALID_PUBLIC_KEY_LENGTH
500
INVALID_PUBLIC_KEY_TYPE
500
UNSUPPORTED_PUBLIC_KEY_TYPE
501
INTERNAL_ERROR
500
(any
other
value)
500
If
the
DID
resolution
or
DID
URL
dereferencing
function
returns
a
deactivated
metadata
property
with
the
value
true
in
the
didDocumentMetadata
or
contentMetadata
:
If
the
function
is
successful
and
returns
a
didDocument
:
The
HTTP
response
status
code
MUST
be
200
.
The
HTTP
response
MUST
contain
a
Content-Type
HTTP
response
header
.
Its
value
MUST
be
the
value
of
the
contentType
metadata
property
in
the
didResolutionMetadata
(see
4.2
3.2
DID
Resolution
Metadata
).
The
HTTP
response
body
MUST
contain
the
didDocument
that
is
the
result
of
the
DID
resolution
function,
in
the
representation
corresponding
to
the
Content-Type
HTTP
response
header
.
If
the
function
is
successful
and
returns
a
contentStream
and
a
contentType
metadata
property
with
the
value
text/uri-list
in
the
dereferencingMetadata
:
The
HTTP
response
status
code
MUST
be
303
.
The
HTTP
response
MUST
contain
an
Location
header.
The
value
of
this
header
MUST
be
the
selected
service
endpoint
URL
.
the
HTTP
response
body
MUST
be
empty.
If
the
function
is
successful
and
returns
a
contentStream
with
any
other
contentType
:
The
HTTP
response
status
code
MUST
be
200
.
The
HTTP
response
MUST
contain
a
Content-Type
HTTP
response
header
.
Its
value
MUST
be
the
value
of
the
contentType
metadata
property
in
the
dereferencingMetadata
(see
5.2
4.2
DID
URL
Dereferencing
Metadata
).
The
HTTP
response
body
MUST
contain
the
contentStream
that
is
the
result
of
the
DID
URL
dereferencing
function,
in
the
representation
corresponding
to
the
Content-Type
HTTP
response
header
.
Note
See
here
for
an
OpenAPI
definition
corresponding
to
the
HTTP(S)
binding.
DID
resolution
and
DID
URL
dereferencing
do
not
involve
any
authentication
or
authorization
functionality.
Similar
to
DNS
resolution,
anybody
can
perform
the
process,
without
requiring
any
credentials
or
non-public
knowledge.
The
spec
should
clarify
whether
or
not
conformant
resolvers
MUST
be
public
or
MAY
restrict
access
via
some
authentication
and
authorization
scheme.
The
current
language
doesn't
make
it
clear
if
authentication
is
just
out
of
scope
or
if
it
is
disallowed.
Issue
Explain
that
DIDs
are
not
necessarily
globally
resolvable,
such
as
pairwise
or
N-wise
"peer"
DIDs.
See
[
RFC3339
]:
URIs
have
a
global
scope
and
are
interpreted
consistently
regardless
of
context,
though
the
result
of
that
interpretation
may
be
in
relation
to
the
end-user's
context.
An
advanced
idea
is
that
the
result
of
DID
resolution
could
be
contextual
or
depend
on
policies,
see
this
comment
.
Issue
A
related
topic
is
whether
(parts
of)
DID
document
could
be
encrypted,
e.g.,
w3c/did-core/issues/25
.
Also
see
the
use
of
the
fragment
in
the
IPID
DID
method.
Caching
behavior
can
be
controlled
by
configuration
of
the
DID
resolver
,
by
the
noCache
resolution
option,
or
by
contents
of
the
DID
document
(e.g.,
a
cacheMaxTtl
field),
or
by
a
combination
of
these
properties.
Resolvers
that
implement
noCache
might
be
more
vulnerable
to
denial
of
service
attacks,
as
malicious
clients
can
bypass
caching
to
force
expensive
network
requests
and
resource
consumption.
Clients
requesting
resolution
with
noCache
expect
that
some
resolvers
will
reject
resolution
requests
that
bypass
caching.
Resolvers
that
deny
resolution
without
caching
MUST
respond
with
a
FEATURE_NOT_SUPPORTED
error
that
makes
it
clear
that
bypassing
the
cache
was
not
permitted
so
the
client
can
attempt
to
resolve
without
using
noCache
.
Perhaps
we
can
re-use
caching
mechanisms
of
other
protocols
such
as
HTTP.
12.3
11.3
JSON-LD
Context
Integrity
If
JSON-LD
Context
files
are
fetched
from
a
remote
location,
an
attacker
could
alter
the
context
file
(for
example,
by
compromising
the
server
or
intercepting
the
request
via
a
man-in-the-middle
attack).
Therefore,
any
DID
resolver
which
performs
remote
retrieval
of
JSON-LD
Context
URLs
is
strongly
advised
to
use
a
registry
of
context
files
and
corresponding
hashes
(or
a
functionally
equivalent
mechanism)
to
help
ensure
end-to-end
security.
Implementations
are
expected
to
throw
errors
if
the
cryptographic
hash
value
for
a
resource
does
not
match
the
expected
hash
value.
The
use
of
the
versionId
DID
parameter
is
specific
to
the
DID
method
.
Its
possible
values
may
include
sequential
numbers,
random
UUIDs,
UUID
s,
content
hashes,
etc..
DID
document
metadata
MAY
contain
a
versionId
property
that
changes
with
each
Update
operation
that
is
performed
on
a
DID
document.
DID
methods
that
use
a
distributed
system
(such
as
a
distributed
ledger)
as
a
VDR
(
verifiable
data
registry
)
need
to
manage
the
potential
that
network
forks
may
occur.
Therefore,
the
specification
of
a
DID
method
that
uses
a
distributed
system
as
a
VDR
SHOULD
specify
a
means
by
which
the
VDR
they
are
using
can
be
disambiguated
from
such
forks.
There
is
discussion
on
the
relationship
between
DID
resolution
and
resolution
of
non-DID
identifiers
such
as
domain
names,
HTTP
URIs,
or
e-mail
addresses.
This
includes
the
questions
how
DIDs
can
be
discovered
from
non-DID
identifiers,
and
how
links
between
identifiers
can
be
verifiable.
12.7
11.7
Resolution
Cycles
When
a
DID
resolver
client
dereferences
identifiers
and
linked
resources
in
a
DID
document
—
especially
fields
like
verificationMethod
,
controller
,
or
alsoKnownAs
—
it
might
encounter
a
resolution
cycle
.
These
can
occur
when
a
DID
document
references
another
DID
(or
URL)
that
eventually
leads
back
to
a
previously
dereferenced
identifier,
forming
a
loop.
A
DID
resolver
can
also
encounter
such
a
situation
when
dereferencing
a
DID
URL
that
references
a
service
endpoint
.
DID
resolvers
and
their
clients
that
perform
recursive
dereferencing
are
expected
to
expect,
detect,
and
handle
such
cycles
.
Security
and
performance
risks:
If
cycles
are
not
detected
and
mitigated,
recursive
dereferencing
could
lead
to:
Infinite
loops
or
stack
overflows
in
software.
Resource
exhaustion
(e.g.,
memory,
network,
or
CPU).
Denial-of-service
(DoS)
vulnerabilities
in
clients
or
intermediaries.
Mitigation
guidance:
Components
that
recursively
follow
external
DID
document
references
are
encouraged
to
track
identifiers
that
have
already
been
dereferenced
and
to
detect
when
a
cycle
has
occurred
and
take
appropriate
action.
In
addition,
developers
might
wish
to
limit
recursion
depth
or
breadth
to
reduce
the
potential
attack
surface.
13.
12.
Privacy
Considerations
Issue
TODO:
Define
privacy
considerations
for
DID
resolution
13.1
12.1
Profiling
of
DID
Resolution
and
Dereferencing
Requesters
DID
resolvers
and
DID
URL
dereferencers
will
be
able
to
log
requests
to
their
services
for
resolution
and
dereferencing.
Over
time,
these
logs
could
be
used
to
track
and
profile
the
clients
making
requests
for
these
services.
To
mitigate
this
privacy
risk,
clients
should
make
such
requests
to
services
they
trust,
for
example,
because
of
an
existing
business
relationship
or
because
the
service
is
running
on
infrastructure
they
control.
Clients
can
also
take
steps
to
obfuscate
their
requests
to
a
service
in
order
to
limit
the
possibilities
of
correlation
and
profiling.
A.
Relationship
to
Other
Technologies
One
of
the
most
common
mechanisms
used
to
resolve
an
identifier
to
an
address
on
the
Internet
is
the
global
Domain
Name
System
(DNS)
described
in
[
RFC1034
].
The
DNS
and
the
processes
and
systems
used
to
map
a
Domain
Name
to
an
Internet
Protocol
address
is
a
common
requirement
for
hosting
a
website.
The
Decentralized
Identifiers
(DIDs)
v1.0
specification
introduced
a
new
type
of
identifier
that
lacks
any
dependency
on
the
global
Domain
Name
System
and
introduced
the
concept
of
an
identifier
resolution
process
that
does
not
require
the
centralization
of
any
part
of
the
architecture.
This
new
architecture
allows
the
decentralized
creation
and
management
of
globally-resolvable
identifiers
that
combat
identifier
rent-seeking
and
censorship.
It
enables
individuals
to
fully
own
and
control
their
identifiers
instead
of
renting
the
identifiers
from
a
third
party.
Individuals
that
acquire
DID
URLs
use
them
in
their
software
much
like
they
continue
to
use
DNS-based
URLs.
The
software
uses
a
DID
resolver
interface
(defined
in
this
specification)
to
determine
the
location
of
the
resources
to
be
retrieved.
The
process
of
DID
resolution
,
much
like
the
process
of
DNS
resolution,
is
opaque
to
the
individual
and
happens
within
the
software
without
needing
any
direct
involvement
of
the
individual.
Infra
Standard
.
Anne
van
Kesteren;
Domenic
Denicola.
WHATWG.
Living
Standard.
URL:
https://infra.spec.whatwg.org/
[RFC2046]
Multipurpose
Internet
Mail
Extensions
(MIME)
Part
Two:
Media
Types
.
N.
Freed;
N.
Borenstein.
IETF.
November
1996.
Draft
Standard.
URL:
https://www.rfc-editor.org/rfc/rfc2046
