Currently, email addresses and phone numbers remain the primary identifiers for internet users. However, these identifiers are controlled by third-party issuers and can be revoked at their discretion. Consequently, users often have multiple emails and phone numbers, with the average user owning 2.5 emails according to 2019 DMA data. This raises questions about identifiers suitable for the decentralized Web3 ecosystem. Can users have identifiers not controlled by third parties? Can users control their identities and identifiers instead of being at the mercy of service providers?
The lack of control over identifiers has led to bad actors gaining access to users’ emails, resulting in identity theft and financial fraud. Decentralized identifiers stored on blockchains can provide a solution to this problem. By ensuring that identifiers are decentralized and secured with encryption or cryptography, identity theft can be mitigated. Additionally, decentralized identifiers can remain permanent and consistent, without the need for a central registry.
The decentralized nature of Web3 frameworks and blockchains makes them ideal for solving identity management in the 21st century. Decentralized identifiers (DIDs) and decentralized identity (DID) offer a promising solution. Understanding DIDs is key to understanding decentralized identity on the Web 3.0 platform.
What is Decentralized Identity?
Decentralized identities offer a solution to the current limitations of centralized identity management. With decentralized identities, users have greater control over their personal information, allowing them to choose how it’s used and shared. This results in enhanced privacy and increased trust between users. Decentralized Identity also frees users from third-party control and service providers.
Although decentralized identity and decentralized identifiers are distinct concepts, they are closely related. They are like conjoined twins, functioning together to provide users with greater control over their identities. An identifier is a unique piece of information that identifies an individual, entity, or thing. An identity, on the other hand, is a set of information about an individual that can change or be updated over time.
For example, a child’s identity evolves as they progress through school, employment, and other milestones. As the child gains new certifications and credentials, their identity changes. However, their identifier remains constant and serves as a reference point to their evolving identity. This distinction between identity and identifier is important in understanding how decentralized identity management works.
What are Decentralized Identifiers (DIDs)?
Expanding on the previous points, Decentralized Identifiers (DIDs) are unique identifiers operating on a decentralized database, distinguishing them from federated identifiers using centralized databases. DIDs allow for the identification and verification of individuals or entities on the blockchain using cryptographic techniques such as digital signatures. Unlike a decentralized identity that holds a user’s details, a decentralized identifier is used to verify the authenticity and integrity of a subject, entity, or identity owner on the blockchain.
Cryptography plays a critical role in the development of DIDs, providing a secure and verifiable way of storing information. Additionally, DIDs have a unique feature known as the “controller,” which is the person with complete control over the identity. The public can access or verify the identity, but the controller can update the DID’s document when necessary. This ensures that the identifier remains relevant and up-to-date with the latest information about the entity it represents. By using DIDs, individuals and entities can maintain complete control over their identity and how it is used and shared on the blockchain.
The Core Properties of DIDs:
Four core components make DIDs outstanding and different from other Uniform Resource Identifiers (URI). So unique that World Wide Web Consortium (W3C) undertook the specification for its development. Below are the four properties of DIDs:
- Permanent — Designed to be long-lasting, it is referred to as a persistent identifier. DIDs do not experience link rots.
- Resolvable — DIDs are unique and are also known as resolvable identifiers because the information, details, service, or identity attached to each DID in the form of a DID document can be located each time the DID is queried or accessed.
- Cryptographically Verifiable — Cryptographic algorithms play a huge role in the security and authenticity of DIDs. Any public individual can easily verify them via the attached public keys.
- Decentralized Database — Operating on a decentralized database out of the reach of centralized authority shows the true nature of decentralized identifiers (DIDs).
What is Cryptography?
DIDs and Web 3.0 rely heavily on privacy and security, which are made possible by cryptography, the foundation of the ecosystem. Cryptography involves using codes or computer algorithms to protect data, messages, or communication, making them accessible only to intended recipients. This is achieved through mathematical algorithms that disguise the message and make it non-readable, with the recipient able to interpret the message through cryptographic keys.
Encryption involves converting a message or information into a non-readable version to protect its content during transmission. At the same time, decryption reverses encryption to retrieve the original information in a human-readable version. These concepts are essential to decentralized identities, DIDs, and verifiable credentials in the world of cryptography. Below are the four main cryptography standards that align perfectly with the goals of DIDs and Web 3.0 in general:
- Confidentiality — Only the intended recipient(s) has access to the decrypted information; hence, the only entity or person that can understand the message. This strengthens the privacy of information and data.
- Integrity — The content of the information, message, or package can’t be changed while in storage or transit without being detected.
- Non-repudiation — The sender or creator of the message cannot deny sending or creating it because the process of encrypting the message leaves a digital signature that cannot be disputed.
- Authentification — Cryptography allows the sender and receiver to verify each other’s identity, which proves the message’s origin and destination at the same time.
In the world of decentralized identifiers, non-repudiation and authentication, the third and fourth cryptography standards mentioned earlier, play critical roles. Non-repudiation involves digitally and permanently signing the identity of an information sender or receiver on the information, making it impossible to deny. Authentication, on the other hand, ensures that the identity can be easily verified. This is how decentralized identifiers work.
Cryptography can be broadly classified into two types: symmetric and asymmetric. Symmetric encryption, also known as single-key encryption, encrypts information and requires a secret key from the sender to decrypt it. Asymmetric encryption, also known as public-key cryptography, involves using two keys: a private key and a public key. With this type of encryption, DIDs can decrypt messages without sending any secret key to the receiver. The creator or sender encrypts the message with the receiver’s public key, and the message is decrypted with the receiver’s private key. This ensures that only the receiver, who possesses the private key, can access the message.
The public key in asymmetric encryption plays a crucial role in creating and managing a decentralized identifier. This enables a verifier to confirm the authenticity of the identifier behind an identity easily. The details about this identifier can be effortlessly managed by a “DID controller,” knowing that the identity’s creator and/or owner only knows the private key.
Who is a DID Controller?
A DID controller manages the identifier for the owner, entity, or subject, whether it be a person, organization, or abstract entity. At creation, the controller specifies the purpose of the identifier, such as identifying an individual or organization. The concept of DID controllers was developed to provide complete control over an identity without requiring permission from a third party, except for that given by the owner or creator. It’s worth noting that a DID can have multiple controllers, as defined by the DID method, and the owner isn’t necessarily the only controller.
Let’s consider a practical example to illustrate this concept. A mother creates a DID for her newborn, which is linked to other credentials like birth certificates and immunization records. Since the child is too young to be the DID controller, the mother automatically becomes the controller. The father can also be added as a controller, as a DID can have one or more controllers.
DIDs are unique resource identifiers (URIs) that connect an entity or subject with a DID document and a controller that updates the document. The controller helps the public or verifier authenticate the connected identity.
What is a DID Document?
A DID document plays a crucial role in the DID ecosystem. It describes the connected DID subject and includes cryptographic keys that the subject can use to authenticate itself and establish its connection to a decentralized identifier. While anyone in the public domain can access a DID document, only the controllers have the authority to change it. Therefore, it’s important to ensure that the document does not include sensitive information about the identifier. Instead, the DID document should contain information facilitating verification, authentication, and entity interaction.
DID documents are graph-based data structures that can be expressed using multiple compatible data formats, but JSON-LD is the most popular. Below is an example of a DID document in JSON representation from W3C.
DID document is an essential component of decentralized identifiers because the combination of DID documents over time form the record base of a decentralized identifier. This helps to prove its authenticity and consistency over time to a verifier. A typical DID document contains the following:
- Public keys and other verification methods needed to authenticate the DID subject during an interaction or verification process by a verifier.
- Services associated with the DID subject that can be used to verify the entity’s identity.
- References to service endpoints that help the issuer achieve the associated services listed above.
- Additional information such as digital signatures, timestamps, past resolved keys, and other cryptographic proofs or metadata about delegation and authorization.
What is DID Resolution?
A DID resolution is a crucial aspect of decentralized identifiers that involves retrieving the DID document associated with a specific DID. This process requires the involvement of a DID resolver, which can be either software or hardware, and it takes the DID as input and generates the corresponding DID document as output.
In programming, persistent storage involves four primary operations: create, read, update, and deactivate. Similarly, DIDs function as persistent identifiers and their operations fall under one of these categories. DID resolution is one such operation, and the specific differences between these operations depend on the DID method used for each DID.
What is a DID Method?
DIDs have a unique structure that sets them apart from other URIs. Since DIDs are not tied to a single network or database, different methods are used for different databases. For instance, some DIDs are developed and maintained on the Bitcoin and Ethereum networks. A DID method is a framework that describes how a DID is resolved in a specific blockchain or distributed ledger and how DID documents are created and updated.
While all DIDs have basic functionalities, the way method schemes are implemented can differ. Each DID method specifies how the DID document is created, updated, resolved, and deactivated from the identifier. A typical DID method structure follows this pattern – did:example:123456789abcdefghi. The DID method structure is broken down into three parts, highlighted in black below with their corresponding names:
- did:example:123456789abcdefghi = Scheme
- did:example:123456789abcdefghi = DID Method
- did:example:123456789abcdefghi = DID Method-specific Identifier
There are 103 experimental DID Method specifications and 32 experimental DID Method driver implementations, according to W3C publication on July 19th, 2022. Below are some examples of DID methods structure:
did:v1:test:nym: 3AEJTOMSxDOQpyUft juoez2Bazp4Bswj1ce7F JGybcuu
did: jolo: 1fb352353ff51248C5104b407f9c04c3666627fcf 5a167d693c9fC84b75964e2
Types of DIDs
DIDs come in various types with different mechanisms and operations in resolving these DIDs from their respective identifiers. However, some have shared features and patterns. Below are the most common or leading types of DIDs:
- Ledger-based DIDs: The first set of DID methods fall under the blockchain category or other distributed ledger technology (DLT), such as Bitcoin and Ethereum networks. Initially, the idea was that if DIDs were decentralized, then they should be built on decentralized systems instead of hierarchical, centralized systems.
- Ledger Middleware (“Layer 2”) DIDs: This is still based on blockchain and distributed ledger technology but coupled with an additional storage mechanism (layer) that is cheaper and more efficient. This could be distributed hash table (DHT) or classic database replication that can accommodate large numbers of DIDs. Thousands of DIDs can be created and updated on this second layer of storage, and only a few transactions need to be anchored in the blockchain. Hence, these types of DIDs are more efficient, faster, and cheaper than others.
- Peer DIDs: All DIDs are to be resolvable, including peer DIDs. The two types of DIDs above are globally resolvable. Still, peer DIDs are not because they only exist within a few participants. Therefore, they can only be resolved within that territory or network. These DIDs are exchanged and maintained between two or more people using agent protocols. They still fulfill all of DIDs’ core properties and functionalities but are limited to the immediate users. This way, Peer DIDs provide greater privacy, secrecy, and security since they do not record traces of shared information on the public ledger..
- Static DIDs: These are very limited types of DIDs as they do not support all the functionalities of DIDs. They can only be created and resolved but not updated or deactivated. These are just public keys wrapped into DIDs format.
What is The Use of DIDs?
A DID identifies any subject as prescribed by the controller. Using DIDs, a controller is able to prove the identity of a person, organization, pet, device, etc., without the help of the government, third parties, or centralized databases.
Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs)
A decentralized identifier is a technological advancement that enables a user’s credentials to be digitally linked through cryptography. Verifiable Credentials (VCs) are digital credentials that are cryptographically enabled. The name “Verifiable Credentials” refers to traditional credentials, and the authenticity of the credentials can be confirmed through DIDs, while the holder’s identity can be verified.
VCs are not just digital versions of physical credentials but are also secure and tamper-evident through decentralized identifiers. Thus, VCs cannot be forged or faked without proof of tampering. VCs can be presented to individuals or organizations for verification purposes, and their validity and authenticity can be verified directly from the issuer within seconds. With this technological development, new credentials can be easily issued from certified authorities, and VCs can be stored and shared through digital wallets. To learn more about Verifiable Credentials, check out the article “What are Verifiable Credentials (VCs)?”
Wallets are applications used by individuals or entities to control and manage their digital identity and verifiable credentials. It fulfills the following functions:
- It manages identifiers and the cryptographic keys attached to that identifiers/identities. This primary functionality makes it comparable to password managers, e.g., LastPass, Dashlane, NirdPass, Zoho Vault, Google Password Manager, etc.
- It manages public keys and other information published to the distributed ledger. This enables a network module, allowing people, organizations, services, and devices in the same ledger to interact and transact with each other.
- It exchanges credentials between the holder, issuer, and verifier. This is the peak of decentralized identities and the usefulness of digital wallets, as it allows for trusted identity-enabled transactions between individuals and entities while preserving privacy.
In today’s digital world, where all forms of communication, transactions, and social interactions are digital, the way people and organizations are identified online needs to be re-examined. Digital Identifiers (DIDs) emerged as a solution to address issues such as identity theft, forgery of credentials, and the need to move away from centralized databases.
DID is not a standalone solution, but rather a critical component of a larger ecosystem. It serves as a solid foundation for a skyscraper of innovations that will revolutionize the identity, credentials, and web ecosystems. The impact of this development will be felt beyond these ecosystems as it relies on blockchain and decentralized ledger technologies (DLT), which are increasingly being adopted in various industries.
The continuous growth of blockchain technology and its applications is a testament to the potential of DID and the possibilities that await in the future. We welcome you to the decentralized world and encourage you to explore the endless opportunities that await.
Verifying a user’s identity and the authenticity of their credentials has become increasingly important in the 21st century. DIDs were founded on the framework of the decentralized ecosystem, which makes this possible, and it equally gives users the power to manage their identity. It is impressive to see Identity.com contributing to this desired future as a member of the World Wide Web Consortium (W3C), the standards body for the World Wide Web.
The work of Identity.com as a future-oriented company is helping many businesses by giving their customers a hassle-free identity verification process. Identity.com is an open-source ecosystem providing access to on-chain and secure identity verification. Our solutions improve the user experience and reduce onboarding friction through reusable and interoperable Gateway Passes. Please refer to our docs for more info about how we can help you with identity verification and general KYC processes.