What are Decentralized Identifiers?
As of now, emails and phone numbers remain the primary identifiers for internet users. These identifiers are controlled by third parties, issued to users, and can be terminated at the issuer’s discretion. Because such identifiers can be revoked (or have been revoked before), users end up with multiple emails and phone numbers. 2019 DMA data shows that the average user owns 2.5 emails. Of course, no one owns two and a half emails; the average means that some users have one or two emails while others have more. This may apply to you as well: do you have more than one email?
The limitations of the current third-party identifiers raise some questions regarding identifiers suitable for the Web3 decentralized ecosystem. Can a user have an identifier not owned and controlled by a third party? Can internet users control their identities, especially their identifiers, and not be at the mercy of service providers, whether it be emails or phone numbers?
The lack of absolute control over one’s identifier has allowed bad actors to gain access to users’ emails, which has been responsible for many cases of identity theft and financial fraud. How can identity theft be curbed by ensuring that these identifiers are decentralized and not stored in a central registry? How can these identifiers be secured with strong cryptography? How can they remain permanent and consistent?
The decentralized nature of Web3 frameworks and blockchains can be used to solve identity management in the 21st century. The Web 3.0-based digital identifier can be better understood by gaining a comprehensive understanding of “decentralized identifiers” with a glance at “decentralized identity.”
What is Decentralized Identity?
With decentralized identities, individuals can control their identity and choose how their personal information is used and shared, which enhances privacy and enables trusted interaction between users. Decentralized identity gives users independence from third parties or service providers. Despite their differences, decentralized identity and decentralized identifiers are like conjoined twins: two entities linked in reality and in operation.
Identity refers to a set of information about an individual; it can be changed or updated over time, just as a child’s identity keeps evolving as they progress through school, employment, promotions, and more. As the child moves from one educational level to another, more certifications are added to their list of credentials. An identifier, by contrast, is a unique piece of information that helps identify a particular entity (person, organization, pet, IoT device, etc.). Identity can change, be updated, or be modified, but an identifier always relates to an individual, entity, or thing (i.e., an identity). The job of an identifier is to point to an identity.
What are Decentralized Identifiers (DIDs)?
Building on the above understanding, “Decentralized Identifiers (DIDs)” are unique global identifiers built on a decentralized database. They are built on a blockchain framework, in contrast to the centralized database used by federated identifiers. DIDs make it possible for a user or an entity to be identified and verified on the blockchain. Digital signatures are used alongside other Web3 components to verify the authenticity and integrity of entities. A decentralized identity holds a user’s details and information, whereas a decentralized identifier is how a subject, entity, or identity owner is identified and has their authenticity verified on the blockchain.
Cryptography is the bedrock on which Decentralized Identifiers (DIDs) are built. Public-key cryptography makes them secure and verifiable. It also gives DIDs a unique feature, the “controller”: the party with full control over the identifier. While the public can only read or verify the identity, the controller updates the DID document when necessary.
The Core Properties of DIDs:
Four core properties make DIDs stand out from other Uniform Resource Identifiers (URIs), so much so that the World Wide Web Consortium (W3C) undertook the specification for their development. Below are the four properties of DIDs:
- Permanent — Designed to be long-lasting, a DID is referred to as a persistent identifier. DIDs do not suffer from link rot.
- Resolvable — DIDs are unique and are also known as resolvable identifiers because the information, details, service, or identity attached to each DID, in the form of a DID document, can be located each time the DID is queried or accessed.
- Cryptographically Verifiable — Cryptographic algorithms play a huge role in the security and authenticity of DIDs. Anyone can verify them via the attached public keys.
- Decentralized Database — Operating on a decentralized database out of the reach of any centralized authority shows the true nature of decentralized identifiers (DIDs).
What is Cryptography?
DIDs, and Web 3.0 generally, hinge on how privacy-friendly they are and how secure users’ information can be. None of this would have been possible without cryptography as the foundation of the ecosystem. Cryptography is a technique for protecting data, messages, or communication using codes or computer algorithms so that only the intended recipient(s) can access the information or the content of the message. The message can be transmitted through different communication channels, but its content is disguised and made unreadable through rule-based mathematical algorithms. Upon receipt, the recipient uses cryptographic keys to turn the message back into its human-readable form.
Encryption means converting a message or information into an unreadable form that protects the content while it is being sent to the recipient(s). Reversing the process to recover the original information in human-readable form is called decryption. Encryption and decryption are crucial in the world of cryptography as it relates to decentralized identities, DIDs, and verifiable credentials. Below are the four main security properties of cryptography that align with the goals of DIDs and Web 3.0 in general:
- Confidentiality — Only the intended recipient(s) can decrypt the information and are therefore the only entity or person able to understand the message. This strengthens the privacy of information and data.
- Integrity — The content of the information, message, or package can’t be changed while in storage or transit without being detected.
- Non-repudiation — The sender or creator of the message cannot deny sending or creating it, because the message carries the sender’s digital signature, which cannot be disputed.
- Authentication — Cryptography allows the sender and receiver to verify each other’s identity, which proves the message’s origin and destination at the same time.
In decentralized identifiers, the third and fourth properties above play an important role. Non-repudiation means the identity of the information’s sender is digitally and permanently bound to the information by a signature that cannot be denied. Authentication means that this identity can be easily verified; this is how “decentralized identifiers” work.
Cryptography can be classified into two types: symmetric and asymmetric. Symmetric encryption, also known as single-key encryption, uses the same secret key to encrypt and decrypt, so the recipient needs the sender’s secret key to decrypt the information.
In asymmetric encryption, or public-key cryptography, two keys are used: a private key and a public key. With this type of encryption, parties can exchange encrypted messages without sending any secret key to the receiver. The creator or sender encrypts the message with the receiver’s public key, and the message is decrypted with the receiver’s private key (this means only the receiver can access the message, since they alone hold their private key).
Focusing on the crux of the discussion, which is DIDs, this key pair makes it possible to create and manage an identifier effortlessly. The public key lets a verifier easily confirm the authenticity of the identifier behind an identity, while the details of the identifier are managed by a “DID controller,” since the private key is known only to the identity’s creator and/or owner.
Who is a DID Controller?
A DID controller is a person, organization, or autonomous software that manages the identifier for the owner, entity, or connected subject. At creation, the controller determines what the identifier refers to: a person, an organization, an abstract entity, etc. The concept of “DID controllers” was developed to give controllers complete control over an identity without needing permission from any third party beyond that given by the owner or creator. A DID may have more than one controller, as defined by its “DID method,” and the owner is not necessarily the only controller.
A practical example is a mother who creates a decentralized identifier for her newborn, to which other credentials issued to the baby, such as birth certificates and immunization cards, would be connected. The child cannot be the DID controller until they come of age, which makes the mother the controller. The father could also be added as a controller; remember that a DID can have one or more controllers.
DIDs are Uniform Resource Identifiers (URIs) that connect an entity, or DID subject, with a DID document and with a controller that updates the DID document. The controller helps the public or a verifier confirm or authenticate the connected identity.
What is a DID Document?
A DID document describes the connected DID subject. It contains cryptographic keys that a DID subject can use to authenticate itself and show its connection to a decentralized identifier. Anyone in the public domain can access a DID document, but only the controllers can make changes to it. Since this document is available to the public, sensitive information about the identifier should not be included. The DID document should contain information to aid verification, authentication, and interaction between entities.
DID documents are graph-based data structures that can be expressed in multiple compatible data formats, of which JSON-LD is the most popular. Below is the example DID document in JSON representation from the W3C:
{
  "id": "did:example:123456789abcdefghi",
  "authentication": [{
    "id": "did:example:123456789abcdefghi#keys-1",
    "type": "Ed25519VerificationKey2018",
    "controller": "did:example:123456789abcdefghi",
    "publicKeyBase58": "H3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV"
  }]
}
The DID document is an essential component of decentralized identifiers because the succession of DID documents over time forms the record base of a decentralized identifier. This helps prove the identifier’s authenticity and consistency over time to a verifier. A typical DID document contains the following:
- Public keys and other verification methods needed to authenticate the DID subject during an interaction or verification process by a verifier.
- Services associated with the DID subject that can be used to verify the entity’s identity.
- References to service endpoints through which the services listed above are reached.
- Additional information such as digital signatures, timestamps, previously resolved keys, and other cryptographic proofs or metadata about delegation and authorization.
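As an added illustration (not code from the original article or from the W3C), the following Go program builds a document shaped like the example above and shows what a verifier does with it: decode publicKeyBase58, confirm the key is listed under authentication, and check an Ed25519 signature over a challenge. NewDocument and Authenticate are this example's own helpers, and resolution is assumed to have already returned the document.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"math/big"
	"strings"
)

// Bitcoin-style base58 alphabet used by publicKeyBase58; each leading zero byte encodes as '1'.
const b58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
func base58Encode(b []byte) string {
	n, m, out := new(big.Int).SetBytes(b), new(big.Int), ""
	for n.Sign() > 0 {
		n.DivMod(n, big.NewInt(58), m)
		out = string(b58[m.Int64()]) + out
	}
	return strings.Repeat("1", len(b)-len(bytes.TrimLeft(b, "\x00"))) + out
}
func base58Decode(s string) ([]byte, error) {
	n := new(big.Int)
	for _, c := range s {
		i := strings.IndexRune(b58, c)
		if i < 0 { return nil, fmt.Errorf("invalid base58 character %q", c) }
		n.Mul(n, big.NewInt(58)).Add(n, big.NewInt(int64(i)))
	}
	return append(make([]byte, len(s)-len(strings.TrimLeft(s, "1"))), n.Bytes()...), nil
}
// The fields of the example document above; Authentication lists the keys the subject may use to prove control of the DID.
type VerificationMethod struct{ ID, Type, Controller, PublicKeyBase58 string }
type DIDDocument struct{ ID string; Authentication []VerificationMethod }
// NewDocument builds the document a controller publishes, listing pub under "#keys-1" (hypothetical helper).
func NewDocument(did string, pub ed25519.PublicKey) DIDDocument {
	return DIDDocument{did, []VerificationMethod{{did + "#keys-1", "Ed25519VerificationKey2018", did, base58Encode(pub)}}}
}
// Authenticate is the verifier's check on a resolved document: sig over challenge is accepted only if
// keyID is listed for authentication, decodes to a 32-byte Ed25519 key, and the signature verifies under it.
func Authenticate(doc DIDDocument, keyID string, challenge, sig []byte) error {
	for _, vm := range doc.Authentication {
		if vm.ID != keyID {
			continue
		}
		pub, err := base58Decode(vm.PublicKeyBase58)
		if vm.Type != "Ed25519VerificationKey2018" || err != nil || len(pub) != ed25519.PublicKeySize {
			return fmt.Errorf("%s: unsupported or malformed verification method", keyID)
		}
		if !ed25519.Verify(ed25519.PublicKey(pub), challenge, sig) {
			return fmt.Errorf("%s: signature does not verify against the published key", keyID)
		}
		return nil
	}
	return fmt.Errorf("%s is not an authentication key of %s", keyID, doc.ID)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // controller's key pair; the private key never leaves them
	doc, msg := NewDocument("did:example:123456789abcdefghi", pub), []byte("nonce chosen by the verifier")
	fmt.Println("genuine:", Authenticate(doc, doc.ID+"#keys-1", msg, ed25519.Sign(priv, msg)))
	fmt.Println("reused on other data:", Authenticate(doc, doc.ID+"#keys-1", []byte("something else"), ed25519.Sign(priv, msg)))
}
```

A fresh challenge per verification is what stops a captured signature from being replayed, which is why the second call fails.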
What is DID Resolution?
A DID resolution is the process of obtaining the DID document associated with a DID. In this process, a DID resolver (a software or hardware component) takes a DID as input data and produces a corresponding DID document as the output data.
In computer programming, there are four basic operations associated with persistent storage. The same applies to DIDs as persistent identifiers: “create, read, update, and deactivate.” DID resolution is the read operation, and the details of each of these operations differ according to the DID method associated with each DID.
What is a DID Method?
Unlike other Uniform Resource Identifiers (URIs), DIDs are not created on a single network or database, so different methods exist for different databases. For example, some are developed and maintained on the Bitcoin and Ethereum networks. A DID method describes how a DID is resolved on a specific blockchain or distributed ledger and how DID documents are written and updated.
All DID methods support the same basic functionality; the difference lies in how each method is implemented. Each DID method is defined by its method specification, which specifies how the DID document is created, resolved, updated, and deactivated for that method’s identifiers. A DID follows the pattern did:example:123456789abcdefghi and is made up of three parts:
- did = Scheme
- example = DID Method
- 123456789abcdefghi = DID Method-specific Identifier
According to a W3C publication of July 19th, 2022, there are 103 experimental DID method specifications and 32 experimental DID method driver implementations. Below are some example DIDs using different methods:
did:example:123456789abcdefghi
did:sov:NRfXPgBdantKVUbEJH8pW
did:btcr:xz35-]zv2-qqs2-owjt
did:v1:test:nym:3AEJTOMSxDOQpyUftjuoez2Bazp4Bswj1ce7FJGybcuu
did:ethr:0xE6Fe788d8ca2144080b0f6aC7F48480b2AEfa9a6
did:jolo:1fb352353ff51248C5104b407f9c04c3666627fcf5a167d693c9fC84b75964e2
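As an added example (not code from the article), this Go function splits a DID, or a DID URL with a fragment such as #keys-1, into the three parts named above and rejects malformed strings. The character rules are assumed from the W3C DID Core syntax; the inputs are the article's example DIDs with stray spaces removed, plus constructed invalid ones.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// DID holds the three parts the article names (scheme, method, method-specific identifier) plus the
// optional fragment of a DID URL such as did:example:123#keys-1, the form a DID document uses to name its keys.
type DID struct {
	Scheme, Method, MethodSpecificID, Fragment string
}

// Character rules follow the W3C DID Core ABNF (assumption): the method name is lowercase letters and
// digits; the method-specific id uses letters, digits, ".", "-", "_" and percent-encoded bytes, may contain
// ":" separators (did:v1:test:nym:...), and must be non-empty and must not end with ":".
var methodRe = regexp.MustCompile(`^[a-z0-9]+$`)
var idRe = regexp.MustCompile(`^(?:[A-Za-z0-9._:-]|%[0-9A-Fa-f]{2})+$`)

// ParseDID splits a DID (or DID URL with fragment) into its parts and rejects anything that does not
// follow the did:<method>:<method-specific-id> pattern.
func ParseDID(s string) (DID, error) {
	base, frag, _ := strings.Cut(s, "#")
	parts := strings.SplitN(base, ":", 3)
	if len(parts) != 3 || parts[0] != "did" {
		return DID{}, fmt.Errorf("%q: expected did:<method>:<method-specific-id>", s)
	}
	if !methodRe.MatchString(parts[1]) {
		return DID{}, fmt.Errorf("%q: invalid method name %q", s, parts[1])
	}
	if !idRe.MatchString(parts[2]) || strings.HasSuffix(parts[2], ":") {
		return DID{}, fmt.Errorf("%q: invalid method-specific identifier %q", s, parts[2])
	}
	return DID{parts[0], parts[1], parts[2], frag}, nil
}

// String rebuilds the bare DID (no fragment), which is what a DID resolver receives.
func (d DID) String() string { return d.Scheme + ":" + d.Method + ":" + d.MethodSpecificID }

func main() {
	// Constructed inputs: the DIDs listed in the article (stray spaces removed) plus malformed strings.
	inputs := []string{
		"did:example:123456789abcdefghi",
		"did:example:123456789abcdefghi#keys-1",
		"did:sov:NRfXPgBdantKVUbEJH8pW",
		"did:v1:test:nym:3AEJTOMSxDOQpyUftjuoez2Bazp4Bswj1ce7FJGybcuu",
		"did:ethr:0xE6Fe788d8ca2144080b0f6aC7F48480b2AEfa9a6",
		"did:jolo:1fb352353ff51248C5104b407f9c04c3666627fcf5a167d693c9fC84b75964e2",
		"did:Example:123", "did:example:", "did:example:abc:", "http:example:123",
	}
	for _, in := range inputs {
		if d, err := ParseDID(in); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Printf("scheme=%s method=%s id=%s fragment=%q\n", d.Scheme, d.Method, d.MethodSpecificID, d.Fragment)
		}
	}
}
```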
Types of DIDs
DIDs come in various types, with different mechanisms and operations for resolving a DID to its document. Some share features and patterns, however. Below are the most common or leading types of DIDs:
- Ledger-based DIDs: The first set of DID methods fall under the blockchain category or other distributed ledger technology (DLT), such as Bitcoin and Ethereum networks. Initially, the idea was that if DIDs were decentralized, then they should be built on decentralized systems instead of hierarchical, centralized systems.
- Ledger Middleware (“Layer 2”) DIDs: This is still based on blockchain and distributed ledger technology but coupled with an additional storage mechanism (layer) that is cheaper and more efficient. This could be distributed hash table (DHT) or classic database replication that can accommodate large numbers of DIDs. Thousands of DIDs can be created and updated on this second layer of storage, and only a few transactions need to be anchored in the blockchain. Hence, these types of DIDs are more efficient, faster, and cheaper than others.
- Peer DIDs: All DIDs are meant to be resolvable, including peer DIDs. The two types of DIDs above are globally resolvable, but peer DIDs are not, because they exist only among a few participants and can therefore be resolved only within that group or network. These DIDs are exchanged and maintained between two or more parties using agent protocols. They still fulfill all of the core properties and functions of DIDs but are limited to the immediate users. In this way, peer DIDs provide greater privacy, secrecy, and security, since they leave no trace of the shared information on a public ledger.
- Static DIDs: These are very limited types of DIDs as they do not support all the functionalities of DIDs. They can only be created and resolved but not updated or deactivated. These are just public keys wrapped into DIDs format.
What is The Use of DIDs?
A DID identifies any subject as prescribed by the controller. Using DIDs, a controller is able to prove the identity of a person, organization, pet, device, etc., without the help of the government, third parties, or centralized databases.
Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs)
Decentralized identifiers are a technological development that allows a credential to be digitally tied to a user through cryptography. The name “Verifiable Credentials” primarily refers to ordinary credentials; it derives from the fact that, through DIDs, the authenticity of a credential can be verified and the owner’s (holder’s) identity confirmed.
Verifiable Credentials (VCs) are cryptographically enabled digital credentials. VCs aren’t just digital versions of physical credentials; they are secure and tamper-evident through decentralized identifiers. Therefore, they can’t be forged or faked without proof of tampering. Verifiable Credentials can be presented to organizations or individuals for verification purposes, and their validity and authenticity can be verified within seconds directly from the issuer. With this technological development, VCs are no longer limited to digitized copies of existing credentials; new credentials can easily be issued from certified authorities. VCs are usually stored and easily sharable through digital wallets. Learn more about Verifiable Credentials in this article titled “What are Verifiable Credentials (VCs)?”.
Digital Wallets
Wallets are applications used by individuals or entities to control and manage their digital identity and verifiable credentials. A wallet fulfills the following functions:
- It manages identifiers and the cryptographic keys attached to those identifiers/identities. This primary functionality makes it comparable to password managers, e.g., LastPass, Dashlane, NordPass, Zoho Vault, Google Password Manager, etc.
- It manages public keys and other information published to the distributed ledger. This enables a network module, allowing people, organizations, services, and devices in the same ledger to interact and transact with each other.
- It exchanges credentials between the holder, issuer, and verifier. This is the peak of decentralized identities and the usefulness of digital wallets, as it allows for trusted identity-enabled transactions between individuals and entities while preserving privacy.
Conclusion
In an increasingly digital world where all aspects of communication, transactions, and social engagements are digital, the way people and organizations are identified online has to be re-evaluated. Decentralized Identifiers arrived at a time when identity theft and credential forgery made a shift away from centralized databases unquestionably necessary.
DID is just one piece of a Lego collection, one solid foundation for a skyscraper. DIDs will revolutionize the identity, credentials, and web ecosystems. This development will impact many other ecosystems since it relies on blockchain and distributed ledger technologies (DLT). One thing that supports this claim is the continuous growth of blockchain technology and its increasing applications. You are officially welcome to the decentralized world and, more importantly, to the possibilities that await in the future.
Identity.com
Verifying a user’s identity and the authenticity of their credentials has become increasingly important in the 21st century. DIDs were founded on the framework of the decentralized ecosystem, which makes this possible, and it equally gives users the power to manage their identity. It is impressive to see Identity.com contributing to this desired future as a member of the World Wide Web Consortium (W3C), the standards body for the World Wide Web.
The work of Identity.com as a future-oriented company is helping many businesses by giving their customers a hassle-free identity verification process. Identity.com is an open-source ecosystem providing access to on-chain and secure identity verification. Our solutions improve the user experience and reduce onboarding friction through reusable and interoperable Gateway Passes. Please refer to our docs for more info about how we can help you with identity verification and general KYC processes.