DID: Decentralised Identity’s Starting Line

Aw Kai Shin
4 min read · Oct 10, 2022


The first step towards decentralised identity is uniquely identifying an individual. Almost all the identity frameworks which we use today rely on some type of centralised authority:

  • Governments are responsible for issuing national IDs and passports
  • Banks assign an account number and credit/debit cards
  • Companies assign membership IDs and accounts

More than just guaranteeing that you can be uniquely identified within each ecosystem, this also means that we depend on these trusted third parties in order to operate our identity.

In order to move towards an identity framework more focused on individual empowerment, the next generation of digital identity infrastructure needs to meet the following criteria:

  • Globally unique and resolvable: No identifier is duplicated and each identifier should always be discoverable
  • Autonomous and portable: The individual behind the identity should always have ultimate control over their own digital identity and can easily migrate their data
  • Minimal trust assumptions: No reliance on third parties where an identity can be censored arbitrarily
  • Configurable privacy: Users should be able to selectively disclose the bare minimum amount of personal info required to access a service

DIDs directly address the first criterion, and meeting it is what allows the remaining criteria to be achieved through adoption of the DID format.

DID: Decentralised Identifier

DIDs are essentially unique identifiers with features designed for blockchains. Although deceptively simple in purpose, DIDs set the stage for an entirely new layer of decentralised digital identity built on top of public key cryptography.

In order to be flexible enough to accommodate existing and future protocols, the DID specification splits every identifier into a DID method and a method-specific identifier. This also gives the user control over how their identities are kept separate, by using different DIDs depending on the context of the interaction.

(Diagram of the DID syntax from the W3C docs; image not reproduced here.)
  • Method: Defines how DIDs work with a specific blockchain (i.e. the format and generation of the identifier for that particular method). For example, did:ethr specifies how a DID is created, resolved, and managed on the Ethereum blockchain.
  • Method-Specific Identifier: The identifier which is unique within the namespace of the method. Taking did:ethr as an example, the full DID for an Ethereum address on mainnet is the address itself, e.g. did:ethr:0x0000000000000000000000000000000000000000.

You can view a full list of the different DID method implementations in the W3C DID Method Registry. Regardless of the method chosen, all DIDs resolve to a DID Document.

DID Documents

The DID document describes the public keys and service endpoints necessary to bootstrap cryptographically-verifiable interactions with the subject in question. Formatted as a JSON-LD object, the DID document consists of six core components (taken from Reed and Sporny):

  1. The DID itself, so the DID document is fully self-describing.
  2. A set of public keys or other proofs that can be used for authentication or interaction with the identified entity.
  3. A set of service endpoints that describe where and how to interact with the identified entity.
  4. A set of authorized capabilities for the identified entity — or other delegated entities — to make changes to the DID document.
  5. Timestamps for auditing.
  6. An optional JSON-LD signature if needed for verifying the integrity of the document.
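The two pieces above, the DID syntax (method plus method-specific identifier) and the six components of a DID document, are easiest to see in code. The following is an added example, not code from the article, the W3C specification or any DID library: it parses a DID or a DID URL with a fragment against the grammar from W3C DID Core, then runs the checks a verifier would want before trusting a DID document, namely that the document's `id` is a bare DID, that every key is a fragment under that DID with a parseable controller, that every verification relationship (`authentication`, `capabilityInvocation` and friends) points at a key that is actually declared, and that services carry a type and an endpoint. The sample document, its `did:example:...` subject and the `publicKeyMultibase` value are constructed placeholders; `did:ethr:0x0000...` is the address form from the text. DID URL paths and queries are deliberately rejected rather than silently dropped.

```python
"""Added example (not from the article or the W3C): parse DID syntax and sanity-check a DID document."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# DID syntax from W3C DID Core:  did:<method-name>:<method-specific-id>
#   method-name        = 1*(lowercase letter / digit)
#   method-specific-id = *( *idchar ":" ) 1*idchar   (colon-separated segments, last one non-empty)
#   idchar             = ALPHA / DIGIT / "." / "-" / "_" / pct-encoded
_IDCHAR = r"(?:[A-Za-z0-9._-]|%[0-9A-Fa-f]{2})"
_DID_RE = re.compile(rf"^did:(?P<method>[a-z0-9]+):(?P<id>(?:{_IDCHAR}*:)*{_IDCHAR}+)$")

# Verification relationships defined by DID Core (component 2 and, for capability*, component 4)
VERIFICATION_RELATIONSHIPS = ("authentication", "assertionMethod", "keyAgreement",
                              "capabilityInvocation", "capabilityDelegation")


@dataclass(frozen=True)
class DID:
    method: str
    method_specific_id: str
    fragment: Optional[str] = None  # only set for DID URLs such as did:example:123#key-1

    @property
    def did(self) -> str:
        """The bare DID without any fragment."""
        return f"did:{self.method}:{self.method_specific_id}"


def parse_did(value: str) -> DID:
    """Parse a DID, or a DID URL with a fragment; raise ValueError on anything else."""
    base, has_fragment, fragment = value.partition("#")
    if "/" in base or "?" in base:  # paths and queries are valid DID URL parts, just out of scope here
        raise ValueError(f"DID URL paths and queries are not handled in this example: {value!r}")
    match = _DID_RE.match(base)
    if not match:
        raise ValueError(f"not a valid DID: {value!r}")
    return DID(match["method"], match["id"], fragment if has_fragment else None)


def validate_did_document(doc: dict) -> list[str]:
    """Return the problems found; an empty list means every check passed."""
    problems: list[str] = []
    try:
        subject = parse_did(doc.get("id", ""))
    except ValueError as exc:
        return [f"id: {exc}"]  # nothing else can be checked without a subject DID
    if subject.fragment is not None:
        problems.append("id must be a bare DID, not a DID URL with a fragment")

    # Component 2: each key is a fragment under the subject DID and names a parseable controller
    known_keys: set[str] = set()
    for vm in doc.get("verificationMethod", []):
        try:
            key = parse_did(vm["id"])
            parse_did(vm["controller"])  # may be another DID (delegation), but must be a DID
        except (KeyError, ValueError) as exc:
            problems.append(f"verificationMethod: {exc}")
            continue
        if key.did != subject.did or key.fragment is None:
            problems.append(f"verificationMethod {vm['id']} is not a fragment of {subject.did}")
        known_keys.add(vm["id"])

    # Components 2 and 4: every referenced key must actually be declared in the document
    for rel in VERIFICATION_RELATIONSHIPS:
        for entry in doc.get(rel, []):
            if isinstance(entry, dict):  # embedded verification method: defined inline, nothing to resolve
                continue
            ref = subject.did + entry if entry.startswith("#") else entry  # resolve relative DID URL
            if ref not in known_keys:
                problems.append(f"{rel} references unknown key {ref}")

    # Component 3: a service endpoint is unusable without an id, a type and an endpoint
    for svc in doc.get("service", []):
        missing = [k for k in ("id", "type", "serviceEndpoint") if k not in svc]
        if missing:
            problems.append(f"service is missing {', '.join(missing)}")
    return problems


# Constructed sample DID document; the key material is a placeholder, not a real key
SUBJECT = "did:example:123456789abcdefghi"
SAMPLE_DOC = {
    "@context": ["https://www.w3.org/ns/did/v1"],
    "id": SUBJECT,                                   # component 1: self-describing
    "controller": SUBJECT,                           # component 4: who may change the document
    "verificationMethod": [{                         # component 2: public keys
        "id": f"{SUBJECT}#key-1",
        "type": "Ed25519VerificationKey2020",
        "controller": SUBJECT,
        "publicKeyMultibase": "zPLACEHOLDER",        # constructed placeholder
    }],
    "authentication": ["#key-1"],                    # relative DID URL, resolved against id
    "capabilityInvocation": [f"{SUBJECT}#key-1"],
    "service": [{                                    # component 3: service endpoints
        "id": f"{SUBJECT}#agent",
        "type": "DIDCommMessaging",
        "serviceEndpoint": "https://agent.example.com/",
    }],
}
# Same document, but authenticating with a key the document never declares
BROKEN_DOC = {**SAMPLE_DOC, "authentication": ["#key-2"]}

if __name__ == "__main__":
    print(parse_did("did:ethr:0x0000000000000000000000000000000000000000"))
    print("sample:", validate_did_document(SAMPLE_DOC) or "ok")
    print("broken:", validate_did_document(BROKEN_DOC))
```

The relative reference `#key-1` is the detail most worth noticing: a verifier must resolve it against the document's own `id` before comparing it with the declared keys, which is exactly why component 1 (the DID inside its own document) matters. Component 5 (timestamps) and component 6 (a signature over the document) are not checked here, since they depend on the method's ledger and proof suite.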

The properties of a DID document as per W3C are listed below:

(Table of DID document properties from the W3C specification; image not reproduced here.)

First Step towards Self-Sovereign Identity

Given the pace at which the industry is evolving, the DID specifications are necessarily focused on standardising the formal representation of identifiers in the decentralised identity space. This provides sufficient flexibility for teams looking to implement a decentralised identity solution which is modular while still enabling fine-grained control within their own ecosystems.

Of note, DIDs are only meant to identify a subject within a particular namespace rather than the actual individual controlling the subject. As an example, a user can own multiple accounts on Ethereum and each of them will have a different DID according to the did:ethr method. Critically, the user still gets to decide whether or not to link these DIDs. The real value arises when DIDs are linked across different methods as this enables an identity to be portable.

While DIDs enable us to uniquely identify a subject, what is still lacking is the social reputation that accompanies that subject. Put another way, a name is only as trustworthy as what society believes it to be:

  • A university requires a valid government ID for admission
  • Companies place emphasis on degrees or previous employment
  • Banks extend credit to salaried workers
  • Companies will only conduct business with a valid bank account

DIDs form the basis from which others, be it an organisation or an individual, can start to make claims about you. This sets the stage for significant social value to be unlocked, as the network effects are no longer limited to organisations. In the decentralised identity space, these attestations are known as verifiable credentials, and that is what we will be covering next.

If you would like to dive deeper, I highly recommend checking out this primer, from which this article borrowed heavily:

Thanks for staying till the end. Would love to hear your thoughts/comments, so do drop a comment. I’m active on Twitter @AwKaiShin if you would like to receive more digestible tidbits of crypto-related info, or visit my personal website if you would like my services :)

Aw Kai Shin

Web3, Crypto & Blockchain: Building a More Equitable Web | Technical Writer @FactorDAO | www.awkaishin.com