Table of Contents
- 1 The Rise of Decentralized Identifiers: A Solution to Identity Theft
- 2 Understanding Decentralized Identity in the Web 3.0 Era
- 3 The Interplay Between Decentralized Identity and Decentralized Identifiers
- 4 What Are Decentralized Identifiers (DIDs)?
- 5 The Core Properties of DIDs
- 6 What is Cryptography? The Backbone of Decentralized Identifiers
- 7 Cryptography Standards
- 8 Types of Cryptography
- 9 The Role of the DID Controller in Decentralized Identity Management
- 10 What is a DID Document?
- 11 The Components of a DID Document
- 12 DID Resolution: How Decentralized Identifiers Retrieve Information
- 13 What is a DID Method?
- 14 Types of Decentralized Identifiers (DIDs)
- 15 What is The Use of DIDs?
- 16 The Intersection of Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs)
- 17 What Are Digital Wallets?
- 18 Conclusion
- 19 Identity.com
Decentralizing Identity Management for Enhanced Control and Security
In the contemporary digital realm, identifiers such as email addresses and phone numbers have become the primary means of identifying internet users. However, these identifiers are controlled by third-party issuers who can revoke or reassign them at will, and every account that uses them for login or password recovery inherits that dependency. Users also accumulate them: according to 2019 DMA data, the average user owns 2.5 email addresses. This prompts a critical question: can we have identifiers that are not controlled by third parties and that suit the decentralized Web3 ecosystem? Can users control their identities and identifiers without being at the mercy of service providers? The answer lies in the concept of decentralized identifiers (DIDs).
The Rise of Decentralized Identifiers: A Solution to Identity Theft
Because users do not control these identifiers, an attacker who takes over an email account or phone number can reset passwords and take over every account tied to it, which is how much identity theft and financial fraud begins. Decentralized identifiers address this by binding an identifier to cryptographic keys held by its controller rather than to an account at a provider: proving control of a DID means producing a digital signature with the private key, not persuading a helpdesk. Anchored in a decentralized registry (often, though not necessarily, a blockchain), a DID can also remain permanent and consistent without a central registry that could revoke it.
The decentralized nature of Web3 frameworks and blockchains makes them ideal for solving identity management in the 21st century. DIDs and decentralized identity offer a promising solution. Understanding DIDs is key to understanding decentralized identity on the Web 3.0 platform.
Understanding Decentralized Identity in the Web 3.0 Era
Decentralized identities offer a solution to the current limitations of centralized identity management. With decentralized identities, users exercise greater control over their personal information and decide how to use and share it. This results in enhanced privacy and increased trust between users. Decentralized Identity also frees users from third-party control and service providers.
The Interplay Between Decentralized Identity and Decentralized Identifiers
Although decentralized identity and decentralized identifiers are distinct concepts, they are closely related. They are like conjoined twins, functioning together to provide users with greater control over their identities. An identifier is a unique piece of information that identifies an individual, entity, or thing. An identity, on the other hand, is a set of information about an individual that can change or be updated over time.
For example, a child’s identity evolves as they progress through school, employment, and other milestones. As the child gains new certifications and credentials, their identity changes. However, their identifier remains constant and serves as a reference point to their evolving identity. This distinction between identity and identifier is important in understanding how decentralized identity management works.
What Are Decentralized Identifiers (DIDs)?
Decentralized Identifiers (DIDs) are globally unique identifiers that are created and resolved without a central authority, which distinguishes them from federated identifiers issued out of a provider's centralized database. Control of a DID is proven cryptographically: the DID resolves to a document listing public keys, and whoever holds the matching private keys can authenticate as the DID subject on a blockchain or any other verifiable data registry. Unlike a decentralized identity, which is the growing set of claims about a person, a decentralized identifier is only the reference point; it lets a verifier confirm that the party it is talking to controls the identifier, not who that party is.
Cryptography is what makes the identifier verifiable: the keys published for a DID let anyone check signatures made by its owner, and nothing about the owner has to be stored with the identifier to do so. Every DID also has a "controller", the entity (or entities) authorized to change its DID document. Anyone can resolve the DID and verify against it, but only the controller can update the document, for example to rotate a key or add a service endpoint, so the identifier stays current without a registrar. Through this mechanism, individuals and entities keep control over their identifiers and over how they are used and shared.
The Core Properties of DIDs
Four core properties distinguish DIDs from other Uniform Resource Identifiers (URIs); they are the design goals the World Wide Web Consortium (W3C) standardized in the DID Core specification:
- Persistent — A DID is designed to be long-lived, so it is a persistent identifier: it does not suffer link rot, and the same DID can outlive any particular key or service endpoint listed for it.
- Resolvable — A DID is unique and resolvable: querying it returns the DID document that describes the keys, services, and other details associated with the identifier.
- Cryptographically verifiable — Security and authenticity rest on cryptography. Anyone who resolves the DID document can check that a signature was produced by the DID's controller, using the public keys the document lists, without contacting a central authority.
- Decentralized — A DID is registered and resolved on a decentralized registry outside the reach of any single authority, which is the defining property of decentralized identifiers.
What is Cryptography? The Backbone of Decentralized Identifiers
Cryptography is the foundation of the DID ecosystem; it provides the privacy and security that DIDs and Web 3.0 rely on. Cryptography uses mathematical algorithms to protect data, messages, or communication so that only the intended parties can read or vouch for them. Encryption algorithms disguise a message so it is unreadable to anyone else, and the recipient recovers it with the right cryptographic key; signature algorithms, which matter most for DIDs, let anyone check who produced a message without being able to forge one.
Encryption converts a message or information into an unreadable form to protect its content in storage or in transit, and decryption reverses the process to recover the original, human-readable information. Both are essential to decentralized identities, DIDs, and verifiable credentials.
Below are the four security goals that cryptography provides and that align with the aims of DIDs and Web 3.0 in general:
- Confidentiality — Only the intended recipient(s) can decrypt the information and therefore understand the message. This protects the privacy of information and data.
- Integrity — Any change to the content of the information, message, or package while in storage or in transit is detectable, because a signature or authentication tag computed over the original no longer matches.
- Non-repudiation — The creator of a message cannot deny having created it: a digital signature can only be produced with the signer's private key, so it stands as evidence of who signed.
- Authentication — Cryptography allows the sender and receiver to verify each other's identity, which proves the message's origin and its intended destination.
In the world of decentralized identifiers, the third and fourth goals, non-repudiation and authentication, play the critical roles. Non-repudiation comes from the controller signing with a private key that only it holds, so the signature cannot later be disowned. Authentication is the verifier's side: it resolves the DID, takes the public key from the DID document, and checks the signature against it. A valid signature proves control of the identifier; it does not by itself prove anything else about the signer. This is how decentralized identifiers work.
Types of Cryptography
Cryptography can be broadly classified into two types: symmetric and asymmetric.
Symmetric encryption, also known as single-key encryption, uses the same secret key to encrypt and decrypt, so the key must be shared in advance with every party that needs to read the data. That shared secret is exactly what a decentralized system wants to avoid distributing.
Asymmetric cryptography, also known as public-key cryptography, uses two mathematically related keys: a private key that is kept secret and a public key that can be published. For encryption, a sender encrypts a message with the receiver's public key and only the receiver can decrypt it with their private key, so no secret ever has to be sent. DIDs mostly use the other direction: the controller signs with the private key, and anyone holding the public key can verify the signature without being able to produce one.
The public key is what makes creating and managing a decentralized identifier possible. It is published in the DID document, so a verifier can confirm that whoever authenticates as the identifier really holds the matching private key. The DID controller can therefore manage the identifier's details in the open, because only the identifier's creator or owner knows the private key.
The Role of the DID Controller in Decentralized Identity Management
A DID controller manages the identifier on behalf of the DID subject, whether that is a person, an organization, a device, or an abstract entity. At creation, the controller decides what the identifier stands for, such as an individual or an organization, and which keys are allowed to change its document. Controllers give total control over an identifier to the party that holds the keys, without needing permission from anyone else. A DID can have more than one controller, as defined by the DID method, and the subject is not necessarily a controller at all.
A practical example: a mother creates a DID for her newborn and links it to credentials such as the birth certificate and immunization records. As the child is too young to control the DID, the mother acts as its controller, and the father can be added as a second controller because a DID can have one or more controllers.
DIDs are Uniform Resource Identifiers (URIs) that connect a subject with a DID document and with the controller that updates that document. The keys the controller publishes in the document are what let the public, or a verifier, authenticate the connected identity.
What is a DID Document?
A DID document plays a crucial role in the DID ecosystem. It describes the DID subject and lists the cryptographic keys the subject can use to authenticate itself and to prove its association with the identifier. Anyone can read a DID document, but only the controllers can change it. Because it is public, and on a ledger often permanent, the document must not contain sensitive or personal information about the subject; it should hold only what is needed for verification, authentication, and interaction with the entity.
DID documents are graph-based data structures that can be expressed in several compatible data formats, with JSON-LD the most common; W3C's DID Core specification gives its reference examples in JSON.
The Components of a DID Document
The DID document is an essential component of a decentralized identifier, because the sequence of document versions over time forms the record of that identifier and lets a verifier check its authenticity and consistency. A typical DID document contains the following:
- Public keys and other verification methods that a verifier uses to authenticate the DID subject during an interaction or verification process.
- Verification relationships that state what each key may be used for, such as authenticating, asserting credentials, or authorizing changes to the document itself.
- Service endpoints, such as a messaging or credential-exchange endpoint, through which other parties can interact with the DID subject.
- Additional metadata such as proofs, timestamps, previously used keys, and information about delegation and authorization.
DID Resolution: How Decentralized Identifiers Retrieve Information
DID resolution is the process of retrieving the DID document associated with a specific DID. It is performed by a DID resolver, a software (or hardware) component that takes the DID as input and returns the corresponding DID document, together with metadata such as whether the DID has been deactivated, as output.
Persistent storage in programming is usually described by four operations: create, read, update, and delete. DIDs are persistent identifiers with an equivalent set of operations, where resolution is the read and deactivation takes the place of deletion, since a DID is never removed outright but marked inactive so that old references still resolve to that fact. How each operation is carried out depends on the DID method used for that DID.
What is a DID Method?
DIDs have a structure that sets them apart from other URIs. Because DIDs are not tied to a single network or database, each registry needs its own rules for handling them; some DID methods, for example, anchor DIDs on the Bitcoin or Ethereum networks. A DID method is the specification of how a DID is resolved on a specific blockchain, distributed ledger, or other registry, and of how its DID document is created and updated.
Although all DIDs share the same basic functionality, method implementations vary. Each DID method defines how the DID document is created, updated, resolved, and deactivated for identifiers under that method. A DID follows the pattern did:example:123456789abcdefghi, which breaks down into three parts:
- did = Scheme
- example = DID Method
- 123456789abcdefghi = DID Method-specific Identifier
There were 103 experimental DID Method specifications and 32 experimental DID Method driver implementations, according to a W3C publication of July 19th, 2022. Below are some examples of DIDs under different methods:
- did:sov:NRfXPgBdantKVUbEJH8pW
- did:v1:test:nym:3AEJTOMSxDOQpyUftjuoez2Bazp4Bswj1ce7FJGybcuu
- did:jolo:1fb352353ff51248C5104b407f9c04c3666627fcf5a167d693c9fC84b75964e2
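The structure above, as an added example (my code, not from the article or any DID library): a JavaScript parser for DID URLs following the ABNF in W3C DID Core, where the scheme is the literal did, the method name is lowercase letters and digits, and the method-specific identifier consists of idchars (letters, digits, ., -, _ and percent-encoded bytes) that may be separated by colons, as the did:v1 example shows. An optional path, query and fragment turn a DID into a DID URL; the fragment is how a document's keys are referenced (did:example:123456789abcdefghi#key-1, an assumed key id).

```javascript
// Added example (not the article's code): DID URL parser per the W3C DID Core ABNF.
const ID_CHAR = '(?:[A-Za-z0-9._-]|%[0-9A-Fa-f]{2})';   // idchar, including pct-encoded

const DID_URL = new RegExp(
  '^did:' +
  '([a-z0-9]+):' +                                   // method-name: lowercase letters and digits only
  `((?:${ID_CHAR}*:)*${ID_CHAR}+)` +                 // method-specific-id: colon-separated, never ends in ':'
  '(/[^?#]*)?' +                                     // path-abempty
  '(?:\\?([^#]*))?' +                                // query
  '(?:#(.*))?$'                                      // fragment
);

// Returns the parts of a DID URL, or null when the input is not syntactically valid.
function parseDidUrl(input) {
  const m = DID_URL.exec(input);
  if (!m) return null;
  const [, method, id, path, query, fragment] = m;
  return {
    scheme: 'did',
    method,
    methodSpecificId: id,
    did: `did:${method}:${id}`,          // the bare DID, with DID URL parts removed
    path: path ?? '',
    query: query ?? null,
    fragment: fragment ?? null,
  };
}

// A DID document's `id` must be a bare DID: no path, query or fragment.
function isBareDid(input) {
  const p = parseDidUrl(input);
  return p !== null && p.path === '' && p.query === null && p.fragment === null;
}

module.exports = { parseDidUrl, isBareDid };
```

Inputs such as DID:example:abc (uppercase scheme), did:Example:abc (uppercase method) or did:example:abc: (trailing colon) are rejected, which matters when a resolver dispatches on the method name: a lenient parser would let one method's identifier be routed to another method's driver.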
Types of Decentralized Identifiers (DIDs)
DIDs come in various types with different mechanisms and operations in resolving these DIDs from their respective identifiers. However, some have shared features and patterns. Below are the most common or leading types of DIDs:
1. Ledger-based DIDs
The first set of DID methods fall under the blockchain category or other distributed ledger technology (DLT), such as Bitcoin and Ethereum networks. Considering their decentralized nature, the initial concept of DIDs recommends building them on decentralized systems instead of centralized ones.
2. Ledger Middleware (“Layer 2”) DIDs
Layer 2 DIDs are still anchored in a blockchain or distributed ledger, but an additional storage layer that is cheaper and more efficient holds the DID documents themselves. A distributed hash table (DHT) or classic database replication can hold large numbers of DIDs, and operations on thousands of DIDs are batched so that only a few transactions, typically a hash committing to the whole batch, need to be anchored on the chain. These DIDs are therefore faster and cheaper to create and update than DIDs written directly to the ledger, at the cost of depending on the layer-2 nodes to serve the data the on-chain anchors commit to.
3. Peer DIDs
All DIDs are meant to be resolvable, including peer DIDs, but while the two types above are globally resolvable, peer DIDs are not: they exist only among a small set of participants, and only within that group can they be resolved. Two or more parties create, exchange, and maintain them using agent protocols. Peer DIDs fulfil all the core properties and functions of DIDs while remaining private to the parties involved, which gives them greater privacy and secrecy: nothing about the relationship is written to a public ledger.
4. Static DIDs
Static DIDs support only the basic operations of creation and resolution, not updating or deactivation. Essentially, they are public keys converted into DID format, so the DID document is derived from the identifier itself rather than looked up. The price of that simplicity is that a compromised key cannot be rotated; the DID has to be abandoned and a new one created.
What is The Use of DIDs?
A DID can identify any subject its controller chooses. With a DID, a controller can prove control of an identifier for a person, organization, pet, device, or anything else without the help of a government, a third party, or a centralized database; claims about who or what that subject is are then carried by credentials that reference the DID.
The Intersection of Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs)
A decentralized identifier provides the cryptographic anchor that lets a user's credentials be linked to them and checked. Verifiable Credentials (VCs) are digital credentials that carry the issuer's digital signature. The name refers to the same credentials we hold today, such as diplomas and licences, now in a form whose authenticity can be verified: the issuer's DID lets a verifier check the signature, and the holder's DID ties the credential to the person presenting it.
Verifiable credentials are not simply digital copies of physical credentials. They are tamper-evident because the issuer signs them with a key published under the issuer's DID, so any alteration breaks the signature and a credential cannot be forged without clear evidence of tampering. Individuals or organizations present VCs to whoever needs to verify them, and a verifier can check validity and authenticity within seconds by resolving the issuer's DID. New credentials can be issued easily by recognized authorities, and VCs can be stored and shared through digital wallets. To learn more about Verifiable Credentials, check out the article "What are Verifiable Credentials (VCs)?"
What Are Digital Wallets?
Wallets are applications that individuals or entities use to control and manage their digital identity and verifiable credentials. They fulfil the following functions:
- They manage identifiers and the cryptographic keys attached to those identifiers and identities. In this role a wallet resembles a password manager, e.g., LastPass, Dashlane, NordPass, Zoho Vault, Google Password Manager, etc., with one difference: the private keys it guards should never leave it, so the wallet signs on the user's behalf rather than handing the secret out.
- It manages public keys and other information published to the distributed ledger. This enables a network module, allowing people, organizations, services, and devices in the same ledger to interact and transact with each other.
- It exchanges credentials between the holder, issuer, and verifier. This is the peak of decentralized identities and the usefulness of digital wallets. It allows for trusted identity-enabled transactions between individuals and entities while keeping privacy.
Conclusion
In today's digital world, all forms of communication, transactions, and social interactions take place online. Consequently, re-evaluating how people and organizations are identified becomes crucial. Decentralized Identifiers (DIDs) emerged as a solution to issues such as identity theft, forgery of credentials, and the need to move away from centralized databases.
DID is not a standalone solution but a critical component of a larger ecosystem. It serves as the foundation for a skyscraper of innovations that will transform the identity, credentials, and web ecosystems, with an impact that reaches beyond them. It builds on blockchain and distributed ledger technologies (DLT), which various industries are increasingly adopting.
The continuous growth of blockchain technology and its applications is a testament to the potential of DID and what it could offer in the future. We welcome you to the decentralized world and encourage you to explore the endless opportunities that await.
Identity.com
Verifying a user’s identity and the authenticity of their credentials has become increasingly important in the 21st century. The decentralized ecosystem framework, on which DIDs are based, enables this possibility and empowers users to manage their identities. It is impressive to see Identity.com contributing to this desired future as a member of the World Wide Web Consortium (W3C), the standards body for the World Wide Web.
The work of Identity.com as a future-oriented company is helping many businesses by giving their customers a hassle-free identity verification process. Identity.com is an open-source ecosystem providing access to on-chain and secure identity verification. Our solutions improve the user experience and reduce onboarding friction through reusable and interoperable Gateway Passes. Please refer to our FAQs page for more info about Identity.com and how we can help you with identity verification and general KYC processes.