Decentralized Identifiers Finalized as W3C Recommendation

The nonprofit World Wide Web Consortium (W3C) on Tuesday announced that its collaborative work on Decentralized Identifiers (DIDs) has become a W3C Recommendation, published as version 1.0 of the DID Core specification.

Part of what the W3C means by declaring a Recommendation is that it is advising software makers and organizations to start implementing the specification in their products. A W3C Recommendation is like a standard in that way, although the W3C avoids that term. A W3C Recommendation is also notable for being implementable on a royalty-free basis under the W3C patent policy.

DIDs are a building block of the W3C's larger Verifiable Credentials effort. Specifically, a DID is a Uniform Resource Identifier (URI) used in an identity attestation scheme that promises to give control back to users. The idea is that users will be able to supply or revoke their identity attestations without necessarily depending on another party's control to do so, such as an Internet service provider (ISP).

For instance, as the W3C points out in its "Use Cases" document for DIDs, an ISP typically owns an individual user's e-mail address, and that address is not transferable if the user switches service providers. The W3C's DID framework would change such scenarios, since the "identifiers are not dependent on the tenure of the relationship with a service provider."

Other use cases for DIDs might be college records verifications, age verification by merchants and even film writers getting paid residuals more effortlessly. Lots more examples can be found in the "Use Cases" document.

DID Concepts
The common notion running through the W3C's DID Recommendation is that identifiers should be decentralized, persistent (not dependent on any single organization continuing to exist), cryptographically verifiable and resolvable (so that the metadata associated with the identifier can be found).

A DID has a subject, which can be "a person, organization, thing, data model, abstract entity, etc." It has a controller, which "could be a service provider, but ideally, it's the person or thing being identified," according to Manu Sporny, founder and CEO of Digital Bazaar Inc. and the lead standards editor for Decentralized Identifiers at W3C, via e-mail. There's also a DID document, which is key to the attestation process.

"Each DID document can express cryptographic material, verification methods, or services, which provide a set of mechanisms enabling a DID controller to prove control of the DID," the W3C's Recommendation explained.

Individuals might be the ones creating these DID documents, Sporny suggested:

DID Documents are ideally created by software that an individual controls, such as a digital wallet. That is, they don't have to be created by a service provider, which is typically what's done today (Google creates and owns your Gmail address, for example).

The actual DID is just "a simple text string." It has three parts: the URI scheme identifier (the literal "did"), the DID method identifier and a DID method-specific identifier, separated by colons. Here's how that's illustrated, per the W3C's Recommendation:

Figure 1. The Decentralized Identifier is just a Uniform Resource Identifier text string with three parts (source: W3C's DID Recommendation document).

This DID text string is said to "resolve" to a DID document, which lists the verification methods (public keys and similar cryptographic material) a DID controller can use to prove control of the DID, for example when authenticating.
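The three-part string and the document it resolves to can be checked mechanically. The following is an added example, not code from the article or from W3C: it parses DIDs and DID URLs against the ABNF in DID Core 1.0 and runs structural checks on a DID document (the document id is a valid DID; each verification method has an id that is a DID URL, a type, and a controller that is a DID; each authentication entry is an embedded method or a reference to one in the document, with relative references such as "#key-1" resolved against the document id). The sample document is constructed data using the "did:example" method that the Recommendation itself uses for illustration; the key value in it is a placeholder, and the code verifies no key material.

```python
"""Parse DIDs and DID URLs per the W3C DID Core 1.0 ABNF and sanity-check a
DID document. Added example; the sample document below is constructed data.

  did                = "did:" method-name ":" method-specific-id
  method-name        = 1*( %x61-7A / DIGIT )       ; lowercase letters / digits
  method-specific-id = *( *idchar ":" ) 1*idchar
  idchar             = ALPHA / DIGIT / "." / "-" / "_" / pct-encoded
  did-url            = did path-abempty [ "?" query ] [ "#" fragment ]
"""
import re
from dataclasses import dataclass
from typing import Optional

_IDCHAR = r"(?:[A-Za-z0-9._-]|%[0-9A-Fa-f]{2})"
_DID_RE = re.compile(rf"^did:(?P<method>[a-z0-9]+):(?P<msid>(?:{_IDCHAR}*:)*{_IDCHAR}+)$")
# Split a DID URL into its DID and optional path / query / fragment; the DID
# part is then validated strictly by parse_did().
_DID_URL_RE = re.compile(
    r"^(?P<did>did:[^/?#]+)(?P<path>/[^?#]*)?(?:\?(?P<query>[^#]*))?(?:#(?P<fragment>.*))?$"
)


@dataclass(frozen=True)
class DID:
    method: str
    method_specific_id: str

    def __str__(self) -> str:
        return f"did:{self.method}:{self.method_specific_id}"


@dataclass(frozen=True)
class DIDURL:
    did: DID
    path: str
    query: Optional[str]
    fragment: Optional[str]


def parse_did(s: str) -> DID:
    m = _DID_RE.match(s)
    if m is None:
        raise ValueError(f"not a valid DID: {s!r}")
    return DID(m["method"], m["msid"])


def parse_did_url(s: str) -> DIDURL:
    m = _DID_URL_RE.match(s)
    if m is None:
        raise ValueError(f"not a valid DID URL: {s!r}")
    return DIDURL(parse_did(m["did"]), m["path"] or "", m["query"], m["fragment"])


def _check_verification_method(vm: dict, problems: list) -> Optional[str]:
    """Check the properties DID Core requires of a verification method
    (id as a DID URL, a type, a controller that is a DID). Returns the id."""
    vm_id = vm.get("id")
    try:
        parse_did_url(vm_id or "")
    except ValueError:
        problems.append(f"verification method has invalid id: {vm_id!r}")
        return None
    if not isinstance(vm.get("type"), str):
        problems.append(f"{vm_id}: missing or non-string 'type'")
    try:
        parse_did(vm.get("controller") or "")
    except ValueError:
        problems.append(f"{vm_id}: 'controller' is not a valid DID")
    return vm_id


def check_did_document(doc: dict) -> list:
    """Return the problems found in a DID document; an empty list means the
    structural checks passed (no key material is verified here)."""
    problems: list = []
    try:
        did = parse_did(doc.get("id") or "")
    except ValueError as e:
        return [str(e)]
    known = set()
    for vm in doc.get("verificationMethod", []):
        vm_id = _check_verification_method(vm, problems)
        if vm_id:
            known.add(vm_id)
    # authentication entries are either an embedded method or a reference to
    # one; a relative reference like "#key-1" resolves against the document id.
    for entry in doc.get("authentication", []):
        if isinstance(entry, dict):
            _check_verification_method(entry, problems)
        elif isinstance(entry, str):
            ref = f"{did}{entry}" if entry.startswith("#") else entry
            if ref not in known:
                problems.append(f"authentication references unknown method {entry!r}")
        else:
            problems.append(f"authentication entry has unexpected type {type(entry).__name__}")
    return problems


# Constructed sample: did:example is the method DID Core uses for illustration.
SAMPLE_DID = "did:example:123456789abcdefghi"
SAMPLE_DOC = {
    "@context": ["https://www.w3.org/ns/did/v1"],
    "id": SAMPLE_DID,
    "verificationMethod": [{
        "id": f"{SAMPLE_DID}#key-1",
        "type": "Ed25519VerificationKey2020",
        "controller": SAMPLE_DID,
        "publicKeyMultibase": "zNotARealKeyJustConstructedSampleData",  # placeholder
    }],
    "authentication": ["#key-1"],
}

if __name__ == "__main__":
    u = parse_did_url("did:web:example.com:users:alice/profile?versionId=2#key-1")
    print(u.did.method, u.did.method_specific_id, u.path, u.query, u.fragment)
    print("problems:", check_did_document(SAMPLE_DOC))
```

Two details matter in practice. The method-specific identifier may itself contain colons (as in a did:web identifier with path segments), so splitting on the first two colons only is the wrong way to extract the method; the ABNF-based regex above handles that. And a document that passes these checks is only well-formed: whether the controller actually holds the private key behind a listed verification method is established by a signature or proof in a separate step, which this code does not perform.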

The W3C's DID Recommendation doesn't necessarily remove the role of service providers, according to Sporny:

Some people will choose to manage their own DIDs, and others will not want that responsibility and will instead choose a service provider to do that for them. DIDs are identifiers that do not require a central authority, though we do expect people to use them (as they use other technology providers to store documents, send email, etc.).

DIDs and the GDPR
The W3C has considered how DIDs might work in the context of the European Union's General Data Protection Regulation (GDPR). The Recommendation's privacy considerations call for keeping personal data out of DID documents, and that architecture "also enables DID subjects and requesting parties to implement the GDPR right to be forgotten, because no personal data is written to an immutable distributed ledger," per that section of the W3C's Recommendation. The caveat is that the property holds only if DID method implementers follow that guidance: a DID document or method-specific identifier that embeds personal data on a public, append-only registry cannot be erased later.

"We care deeply about data privacy and DIDs are one tool in the toolchest that can be used to address GDPR requirements," Sporny said.

Various organizations have been "exploring the use of DIDs," according to the W3C's announcement. It specifically noted that the governments of the "US, Canada and the EU" have been examining DIDs as a way to "provide privacy-protecting digital identity documentation for their businesses and residents, which enable those entities to choose how and when their data is shared."

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.