Decentralized Identifiers (DIDs) v1.0

1.4 Conformance

As well as sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative.

The key words MAY, MUST, MUST NOT, OPTIONAL, RECOMMENDED, REQUIRED, SHOULD, and SHOULD NOT in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

This document contains examples that contain JSON, CBOR, and JSON-LD content. Some of these examples contain characters that are invalid, such as inline comments (//) and the use of ellipsis (...) to denote information that adds little value to the example. Implementers are cautioned to remove this content if they desire to use the information as valid JSON, CBOR, or JSON-LD.

Some examples contain terms, both property names and values, that are not defined in this specification. These are indicated with a comment (// external (property name|value)). Such terms, when used in a DID document, are expected to be registered in the DID Specification Registries [DID-SPEC-REGISTRIES] with links to both a formal definition and a JSON-LD context.

Interoperability of implementations for DIDs and DID documents is tested by evaluating an implementation's ability to create and parse DIDs and DID documents that conform to this specification. Interoperability for producers and consumers of DIDs and DID documents is provided by ensuring the DIDs and DID documents conform. Interoperability for DID method specifications is provided by the details in each DID method specification. It is understood that, in the same way that a web browser is not required to implement all known URI schemes, conformant software that works with DIDs is not required to implement all known DID methods. However, all implementations of a given DID method are expected to be interoperable for that method.

A conforming DID is any concrete expression of the rules specified in § 3. Identifier which complies with relevant normative statements in that section.

A conforming DID document is any concrete expression of the data model described in this specification which complies with the relevant normative statements in § 4. Data Model and § 5. Core Properties. A serialization format for the conforming document is deterministic, bi-directional, and lossless, as described in § 6. Representations.

A conforming producer is any algorithm realized as software and/or hardware that generates conforming DIDs or conforming DID Documents and complies with the relevant normative statements in § 6. Representations.

A conforming consumer is any algorithm realized as software and/or hardware that consumes conforming DIDs or conforming DID documents and complies with the relevant normative statements in § 6. Representations.

A conforming DID resolver is any algorithm realized as software and/or hardware that complies with the relevant normative statements in § 7.1 DID Resolution.

A conforming DID URL dereferencer is any algorithm realized as software and/or hardware that complies with the relevant normative statements in § 7.2 DID URL Dereferencing.

A conforming DID method is any specification that complies with the relevant normative statements in § 8. Methods.

9.1 Choosing DID Resolvers

The DID Method Registry (see [DID-SPEC-REGISTRIES]) contains an informative list of DID method names and their corresponding DID method specifications. Implementers need to bear in mind that there is no central authority to mandate which DID method specification is to be used with any specific DID method name, but can use the DID Method Registry to make an informed decision when choosing which DID resolver implementations to use.

9.2 Binding of Identity

The following sections describe binding identities to DIDs and DID documents.

9.3 Authentication Service Endpoints

If a DID document publishes a service intended for authentication or authorization of the DID subject (see Section § 5.4 Services), it is the responsibility of the service endpoint provider, subject, or requesting party to comply with the requirements of the authentication protocols supported at that service endpoint.

9.4 Non-Repudiation

Non-repudiation of DIDs and DID document updates is supported under the assumption that the subject:

• Is monitoring for unauthorized updates (see Section § 9.5 Notification of DID Document Changes).
• Has had adequate opportunity to revert malicious updates according to the access control mechanism for the DID method (see Section § 5.3.1 Authentication).

Non-repudiation is further supported if timestamps are included (see Section § 7.1.3 DID Document Metadata) and the target DLT system supports timestamps.

9.5 Notification of DID Document Changes

One mitigation against unauthorized changes to a DID document is monitoring and actively notifying the DID subject when there are changes. This is analogous to helping prevent account takeover on conventional username/password accounts by sending password reset notifications to the email addresses on file.

In the case of a DID, there is no intermediary registrar or account provider to generate such notifications. However, if the verifiable data registry on which the DID is registered directly supports change notifications, a subscription service can be offered to DID controllers. Notifications could be sent directly to the relevant service endpoints listed in an existing DID.

If a DID controller chooses to rely on a third-party monitoring service (other than the verifiable data registry itself), this introduces another vector of attack.

9.6 Key and Signature Expiration

In a decentralized identifier architecture, there are no centralized authorities to enforce key or signature expiration policies. Therefore DID resolvers and requesting parties need to validate that keys were not expired at the time they were used. Because some use cases have legitimate reasons why already-expired keys can be extended, make sure key expiration does not prevent any further use of the key. Implementations of a resolver ought to be compatible with such extension behavior.

9.7 Verification Method Rotation

Verification method rotation is a proactive security measure.

Verification method rotation applies only to the current or latest version of a DID Document.

When a verification method has been active for a long time, or used for many operations, a controller might wish to perform a rotation.

It is considered a best practice to perform verification method rotation on a regular basis.

Proofs or signatures that rely on verification methods that are not present in the latest version of a DID Document are not impacted by rotation, and might require additional information to mitigate compromise.

Section § 8.2 Method Operations specifies the DID operations to be supported by a DID method specification, including update which is expected to be used to perform a verification method rotation.

A controller performs a rotation when they add a new verification method that is meant to replace an existing verification method after some time.

Not all DID Methods support verification method rotation.

Rotation is a key management process that enables the private cryptographic material associated with an existing verification method to be deactivated or destroyed once a new verification method has been added to the DID Document. Going forward, any new proofs that a controller would have generated using the old cryptographic material can now instead be generated using the new material and can be verified using the new verification method.

Rotation is a useful mechanism for protecting against verification method compromise, since frequent rotation of a verification method by the controller reduces the value of a single compromised verification method to an attacker. Performing revocation immediately after rotation is useful for verification methods that a controller designates for short-lived verifications, such as those involved in encrypting messages and authentication.

9.8 Verification Method Revocation

Verification method revocation is a reactive security measure.

Verification method revocation applies only to the current or latest version of a DID Document.

If a verification method is no longer exclusively accessible to the controller or parties trusted to act on behalf of the controller, it is expected to be revoked immediately to reduce the risk of masquerading, theft, and fraud.

It is considered a best practice to support key revocation.

A controller is expected to immediately revoke any verification method that is believed to be compromised.

Revocation is expected to be understood as a controller expressing that proofs or signatures associated with a revoked verification method might have been created by an attacker. Verifiers, however, might still choose to accept or reject such proofs or signatures at their own discretion.

§ 8.2 Method Operations specifies the DID operations to be supported by a DID method specification, including update and deactivate which might be used to remove verification method from a DID Document.

Not all DID Methods support verification method revocation.

Even if a verification method is present in a DID Document, additional information, such as a public key revocation certificate, or an external allow or deny list, might be used to determine whether a verification method has been revoked.

9.9 DID Recovery

Recovery is a reactive security measure, whereby a controller is able to regain the ability to perform DID operations.

Recovery is advised when a controller or services trusted to act on their behalf no longer have the exclusive ability to perform DID operations as described in § 8.2 Method Operations.

It is considered a best practice to never reuse a verification method or key material associated with recovery for any other purposes.

Recovery is commonly performed in conjunction with verification method rotation and verification method revocation.

There are no common recovery mechanisms that apply to all DID Methods.

DID method specifications might choose to enable support for a quorum of trusted parties to facilitate recovery. Some of the facilities to do so are suggested in Section § 5.1.2 DID Controller.

Not all DID method specifications will recognize control from DIDs registered using other DID methods and they might restrict third-party control to DIDs that use the same method.

Access control and recovery in a DID method specification can also include a time lock feature to protect against key compromise by maintaining a second track of control for recovery.

9.10 The Role of Human-Friendly Identifiers

DIDs achieve global uniqueness without the need for a central registration authority. This comes at the cost of human memorability. The algorithms capable of generating globally unique identifiers produce random strings of characters that have no human meaning (see also Zooko's Triangle).

There are use cases where it is desirable to discover a DID when starting from a human-friendly identifier. For example, a natural language name, a domain name, or a conventional address for a DID controller, such as a mobile telephone number, email address, social media username, or blog URL. However, the problem of mapping human-friendly identifiers to DIDs (and doing so in a way that can be verified and trusted) is outside the scope of this specification.

Solutions to this problem should be defined in separate specifications that reference this specification. It is strongly recommended that such specifications carefully consider the:

• Numerous security attacks based on deceiving users about the true human-friendly identifier for a target entity.
• Privacy consequences of using human-friendly identifiers that are inherently correlatable, especially if they are globally unique.

9.11 DIDs as Enhanced URNs

If desired by a DID controller, a DID is capable of acting as an enhanced Uniform Resource Name (URN) as defined by [RFC8141], i.e., "a persistent, location-independent resource identifier". DIDs used in this way provide a cryptographically secure, location-independent identifier for a digital resource, while also providing metadata that enables retrieval. Because of the indirection between the DID document and the DID itself, the DID controller can adjust the actual location of the resource — or even provide the resource directly — without adjusting the DID. DIDs of this type can definitively verify that the resource retrieved is, in fact, the resource identified.

A DID controller who intends to use a DID for this purpose is advised to follow the security considerations in [RFC8141]. In particular:

• The DID controller is expected to choose a DID method that supports the controller's requirements for persistence. The Decentralized Characteristics Rubric [DID-RUBRIC] is one tool available to help implementers decide upon the most suitable DID method.
• The DID controller is expected to publish its operational policies so relying parties can determine the degree to which they can rely on the persistence of a DID controlled by that DID controller. In the absence of such policies, relying parties are not expected to make any assumption about whether a DID is a persistent identifier for the same DID subject.

9.12 Immutability

Many cybersecurity abuses hinge on exploiting gaps between reality and the assumptions of rational, good-faith actors. Immutability of DID documents can provide some security benefits. Individual DID methods ought to consider constraints that would eliminate behaviors or semantics they do not need. The more locked down a DID method is, while providing the same set of features, the less it can be manipulated by malicious actors.

As an example, consider that a single edit to a DID document can change anything except the root id property of the document. But is it actually desirable for a service to change its type after it is defined? Or for a key to change its value? Or would it be better to require a new id when certain fundamental properties of an object change? Malicious takeovers of a website often aim for an outcome where the site keeps its identifier (the host name), but is subtly changed underneath. If certain properties of the site were required by the specification to be immutable (for example, the ASN associated with its IP address), such attacks might be much harder and more expensive to carry out, and anomaly detection would be easier.

For DID methods tied to a global source of truth, a direct, just-in-time lookup of the latest version of a DID document is always possible. However, it seems likely that layers of cache might eventually sit between a DID resolver and that source of truth. If they do, believing the attributes of an object in the DID document to have a given state when they are actually subtly different might invite exploits. This is particularly true if some lookups are of a full DID document, and others are of partial data where the larger context is assumed.

9.13 Encrypted Data in DID Documents

Encryption algorithms have been known to fail due to advances in cryptography and computing power. Implementers are advised to assume that any encrypted data placed in a DID document might eventually be made available in clear text to the same audience to which the encrypted data is available. This is particularly pertinent if the DID document is public.

Encrypting all or parts of DID documents is not an appropriate means to protect data in the long term. Similarly, placing encrypted data in DID documents is not an appropriate means to include personal data.

Given the caveats above, if encrypted data is included in a DID document, implementers are advised to not encrypt with the public keys of entities that do not wish to be correlated with the DID.

9.14 Equivalence Properties

The three equivalence properties—alsoKnownAs, equivalentId, and canonicalId—are subject to special security considerations related to attacks against DIDs that are asserted to be equivalent.

The equivalentId and canonicalId properties that constrain equivalence assertions to variants of a single DID produced by the same DID method (e.g., did:foo:123 ≡ did:foo:hash(123)) can be trusted to the extent the requesting party trusts the DID method (and a conforming producer) itself.

The alsoKnownAs property that permits an equivalence assertion to URIs that are not governed by the same DID method (or may not be DIDs at all) cannot be trusted without performing verification steps outside of the governing DID method. See additional guidance in § 5.1.3 Also Known As.

As with any other sensitive properties in the DID document (e.g., public key references), parties relying on any equivalence statement in a DID document should guard against the values of these properties being substituted by an attacker after the proper verification has been performed. Any write access to a DID document stored in memory or disk after verification has been performed is an attack vector that will circumvent verification unless the DID document is re-verified.

9.15 Content Integrity Protection

DID documents which include external JSON-LD contexts (see § 6.3 JSON-LD) or any other links to external machine-readable content are vulnerable to tampering.

DID document consumers can cache local static copies of JSON-LD contexts and/or verify the integrity of external contexts against the cryptographic hash for the context as registered in the DID Specification Registries (see the registration process for more detail) [DID-SPEC-REGISTRIES].

9.16 Persistence

DIDs are designed to be persistent such that a controller need not rely upon a single trusted third party or administrator to maintain their identifiers. No administrator can take control away from the controller, nor can an administrator prevent their identifiers' use for any particular purpose such as authentication, authorization, and attestation. No third party can act on behalf of a controller to remove or render inoperable an individual's (or an organization's) identifier without the controller's consent.

However, it is important to note that in all DID Methods that enable cryptographic proof-of-control, the means of proving control can always be transferred to another party by transferring the cryptographic secrets. Therefore, it is vital that systems relying on the persistence of an identifier over time regularly check to ensure that the identifier is, in fact, still under the control of the intended party.

Unfortunately, it is impossible to determine from the cryptography alone whether or not the private key material associated with a given proof mechanism has been compromised. It might well be that the expected controller still has access to the private keys — and as such can execute a proof-of-control as part of a verification process — while at the same time, a bad actor also has access to (or a copy of) those same keys.

As such, cryptographic proof-of-control is expected to only be used as one factor in evaluating the level of identity assurance for a given service. DID-based authentication provides much greater assurance than a username and password, thanks to the ability to determine control over a secret without transmitting that secret between systems. However, it is not infallible. Services that perform sensitive, high value, or life-critical operations should use additional factors as appropriate.

In addition to potential ambiguity from use by different controllers, it is impossible to guarantee, in general, that a given DID is being used in reference to the same subject at any given point in time. It is technically possible for the controller to reuse a DID for different subjects and, more subtly, for the precise definition of the Subject to either change over time or be misunderstood.

For example, consider a DID used for a sole proprietorship, receiving various credentials used for financial transactions. To the controller, that identifier referred to the business. As the business grows, it eventually gets incorporated as an LLC. The controller continues using that same DID, because to them the DID refers to the business. However, to the state, the tax authority, and the local municipality, the DID no longer refers to the same entity. Whether or not the subtle shift in meaning matters to a credit provider or supplier is necessarily up to them to decide. In many cases, as long as the bills get paid and collections can be enforced, the shift is immaterial.

Because of these potential ambiguities, DIDs should be considered valid contextually rather than absolutely. Their persistence does not imply that they refer to the exact same Subject, nor that they are under the control of the same controller. Instead, one needs to understand the context in which the DID was created, how it is used, and consider the likely shifts in their meaning, and adopt procedures and policies to address both potential and inevitable semantic drift.

9.17 Level of Assurance

Additional information about the security context of authentication events is often required for compliance reasons, especially in regulated areas such as the financial and public sectors. Examples include but are not limited to protection of secret keys, the identity proofing process, and the form-factor of the authenticator. For example, Payment services (PSD 2) and eIDAS introduce such requirements to the security context. Level of Assurance (LoA) frameworks are classified and defined by, for example, eIDAS, NIST 800-63-3 and ISO/IEC 29115:2013, including their requirements for the security context, and making recommendations on how to achieve them. This might include strong user authentication and FIDO2/WebAuthn can be potential implementations. A LoA represents the level of confidence that an entity is in fact that entity. Some regulated use cases require the implementation of a certain LoA. Since verification relationships such as assertionMethod and authentication might be used in some of these use cases, information about the applied security context might need to be expressed and provided to a verifier. Whether and how to encode this information in the DID document data model is out of scope for this specification, but it should be noted that the DID document data model can be extended if necessary (see Extensibility section). Section Privacy Considerations remains applicable for such extensions.

10.1 Keep Personal Data Private

If a DID method specification is written for a public verifiable data registry where all DIDs and DID documents are publicly available, it is critical that DID documents contain no personal data.

Personal data can instead be placed behind service endpoints under control of the DID subject or DID controller. Due diligence should be taken around the use of URLs in service endpoints to prevent leakage of personal data or correlation within a URL of a service endpoint. For example, a URL that contains a username is dangerous to include in a DID Document because the username is likely to be human-meaningful in a way that can reveal information that the DID subject did not consent to sharing. With this privacy architecture, personal data can be exchanged on a private, peer-to-peer basis using communications channels identified and secured by public key descriptions in DID documents. This also enables DID subjects and requesting parties to implement the GDPR right to be forgotten, because no personal data is written to an immutable distributed ledger.

10.2 DID Correlation Risks and Pseudonymous DIDs

Like any type of globally unique identifier, DIDs might be used for correlation. DID controllers can mitigate this privacy risk by using pairwise unique DIDs, that is, sharing a different private DID for every relationship. In effect, each DID acts as a pseudonym. A pseudonymous DID need only be shared with more than one party when the DID subject explicitly authorizes correlation between those parties. If pseudonymous DIDs are the default, then the only need for a public DID (a DID published openly or shared with a large number of parties) is when the DID subject explicitly desires public identification.

10.3 DID Document Correlation Risks

The anti-correlation protections of pseudonymous DIDs are easily defeated if the data in the corresponding DID documents can be correlated. For example, using same public key descriptions or bespoke service endpoints in multiple DID documents can provide as much correlation information as using the same DID. Therefore the DID document for a pseudonymous DID also needs to use pairwise unique public keys. It might seem natural to also use pairwise unique service endpoints in the DID document for a pseudonymous DID. However, unique endpoints allow all traffic between two DIDs to be isolated perfectly into unique buckets, where timing correlation and similar analysis is easy. Therefore, a better strategy for endpoint privacy might be to share an endpoint among thousands or millions of DIDs controlled by many different subjects. See also § 10.5 Herd Privacy.

10.4 Assigning a type to the DID subject

It is dangerous to add properties to the DID document that can be used to indicate, explicitly or through inference, what type or nature of thing the DID subject is, particularly if the DID subject is a person.

Not only do such properties potentially result in personal data (see § 10.1 Keep Personal Data Private) or correlatable data (see §  10.2 DID Correlation Risks and Pseudonymous DIDs and § 10.3 DID Document Correlation Risks) being present in the DID document, but they can be used for grouping particular DIDs in such a way that they are included in or excluded from certain operations or functionalities.

Including type information in a DID Document can result in personal privacy harms even for DID Subjects that are non-person entities, such as IoT devices. The aggregation of such information around a DID Controller could serve as a form of digital fingerprint and this is best avoided.

To minimize these risks, all properties in a DID document ought to be for expressing cryptographic material, endpoints, or verification methods related to using the DID.

10.5 Herd Privacy

When a DID subject is indistinguishable from others in the herd, privacy is available. When the act of engaging privately with another party is by itself a recognizable flag, privacy is greatly diminished.

DIDs and DID methods need to work to improve herd privacy, particularly for those who legitimately need it most. Choose technologies and human interfaces that default to preserving anonymity and pseudonymity. To reduce digital fingerprints, share common settings across requesting party implementations, keep negotiated options to a minimum on wire protocols, use encrypted transport layers, and pad messages to standard lengths.

10.6 Service Privacy

The ability for a controller to optionally state at least one service endpoint in the DID document increases their control and agency. Each additional endpoint in the DID document adds privacy risk either due to correlation (e.g., across endpoint descriptions) or because the services are not protected by an authorization mechanism, or both.

DID documents are often public and will be stored and indexed efficiently by their very standards-based nature. This risk is worse if DID documents are published to immutable Verifiable Data Registries. Access to a history of the DID documents referenced by a DID represents a form of traffic analysis made more efficient through the use of standards.

The degree of additional privacy risk caused by using multiple service endpoints in one DID document can be difficult to estimate. Privacy harms are typically unintended consequences. DIDs can identify documents, services, schemas, and other things that may be associated with individual people, households, clubs, and employers — and correlation of their service endpoints could become a powerful surveillance and inference tool. An example of this is that including multiple common country-level top level domain such as https://example.co.uk could be used to infer the approximate location of the DID Subject with a greater degree of probability.

The variety of possible endpoints makes it particularly challenging to maintain herd privacy, in which no information about the DID subject is leaked.

First, because service endpoints may be specified as URIs, they could unintentionally leak personal information because of the architecture of the service. For example, a service endpoint of http://example.com/MyFirstName is leaking the term MyFirstName to everyone who can access the DID Document. When linking to legacy systems, this is an unavoidable risk and care should be taken in such cases. We encourage new, DID-aware endpoints to use nothing more than the DID itself for any identification necessary, e.g., http://example.com/did%3Aexample%3Aabc123. Since that did:example:abc123 is already exposed in the DID Document, it leaks no additional information.

Second, because a DID document can list multiple service endpoints, it is possible to irreversibly associate services that are not associated in any other context. This correlation on its own may lead to de-anonymization, revealing information about the DID subject even if the URIs used did not.

Third, because some types of DID subjects may be more or less likely to list specific endpoints, e.g., a DID for an automobile may include a pointer to a public title record at the Department of Motor Vehicles, while a DID for an individual would not. As such, the listing of a given service could, by itself, leak information that can be used to infer something about the subject.

It is the goal of herd privacy to ensure that the nature of specific subjects is obscured by the population of the whole. To maximize herd privacy, implementers need to rely on one — and only one — service endpoint, with that endpoint providing a proxy or mediator service that the controller is willing to depend on to protect such associations and that blinds requests to the ultimate service.

Toward this end, consider any of the following:

• Negotiator Endpoint — Service for negotiating mutually agreeable communications channels, preferably using private set intersection. The output of negotiation is a communication channel and whatever credentials may be needed to access it.
• Tor Endpoint (Tor Onion Router) — Provide a privacy-respecting address for reaching service endpoints. Any service that can be provided online can be provided through TOR for additional privacy.
• Mediator Endpoint — Mediators provide a generic endpoint, for multiple parties, receive encrypted messages on behalf of those parties, and forward them to the intended recipient. This avoids the need to have a specific endpoint per subject, which could create a correlation risk. Also called a proxy.
• Confidential Storage — Proprietary or confidential personal information may need to be kept off-registry to provide additional privacy and/or security guarantees, especially for those methods where DID documents are published on a public ledger. Pointing to external resource services provides a means for authorization checks and deletion.
• Polymorphic Proxy — A proxy endpoint that can act as any number of services, depending on how it is called. For example, the same URL could be used for both negotiator and mediator functions, depending on a mechanism for re-routing.

These service endpoint types continue to be an area of innovation.