Decentralized Identifiers (DIDs)
A Beginner's Guide!
As conceptualised and standardised by the W3C, the Decentralized Identifiers, or DIDs, protocol is one of the three pillars of Self-Sovereign Identity, together with the Verifiable Credentials protocol and Distributed Ledger Technology (or Blockchain).
For the past 4 years Tykn has been developing Self-Sovereign Identity solutions for organisations such as the Turkish Ministry of Foreign Affairs and the United Nations Development Programme. In this blog, our team of Decentralized Identifiers experts compiled everything you need to get started on this technology.
After this post you’ll know exactly what Decentralized Identifiers are, the difference between Public DIDs and Private DIDs, how they are used and more.
Let’s dive in.
What problem do Decentralized Identifiers (DIDs) solve?
Currently, we are reliant on the identifiers from intermediaries such as Google, Facebook, email providers or mobile network operators to connect us. This has big consequences for our privacy, since the (meta)data gathered by those parties from the interactions over those connections are not within our control.
Even when using a messaging service such as WhatsApp, where your communication is encrypted, the intermediary (Facebook) can still see and collect your metadata. This alone could tell them: who you messaged, at what time, for how long, in which intervals, from what location, while using which apps.
By then taking that data and combining it with other (meta)data from you and the friend you messaged, these intermediaries can create a much more accurate profile. For instance, if your friend was talking to you about race bikes, it might just be that you get targeted ads for race bikes as well, even though your conversation was end-to-end encrypted, just because your friend searched for race bikes around the time you talked!
While ads about race bikes are mostly harmless (mostly), these data correlation practices at scale have also been used to interfere in elections. This is in part a result of having the power over these identifiers be in the hands of a centralised few, with near unrestricted access to your private information.
What are Decentralized Identifiers?
Decentralized Identifiers are globally unique and persistent identifiers.
- They allow for the creation of unique, private and secure peer-to-peer connections between two parties.
- Their decentralized nature makes credentials always available for verification.
- Each party – an individual or organization – can create as many different DIDs as they wish. Using separate DIDs for different digital relationships and contexts prevents data correlation.
- They are entirely controlled by the identity owner. DIDs are independent of centralised registries, authorities or identity providers.
The relationship between Decentralized Identifiers, Verifiable Credentials and Blockchain.
When an organisation issues you a Verifiable Credential, they attach their Public DID to that credential. That same Public DID is also stored on the blockchain, an immutable record of data. When someone wants to verify the authenticity/validity of the Credential, they can check the DID on the blockchain to see who issued it without having to contact the issuing party.
The Blockchain acts as a verifiable data registry. A “phonebook” that anyone can consult to verify what organisation a specific Public DID belongs to.
Decentralized Identifiers are what enable Verifiable Credentials to be verified anywhere, at any time, even if the issuer no longer exists (except where the credentials were issued using Private DIDs and the issuer's DID was never written to the ledger).
Important Note: in a scenario where blockchain is used for identity management, no Personally Identifiable Information is stored on the blockchain. This is crucial as a distributed ledger is immutable, meaning anything that is put on the ledger can never be altered nor deleted, and thus no personal data should ever be put on the ledger. Only the issuer’s Public DID is stored on the ledger.
Types of Decentralized Identifiers (DIDs)
We can make a distinction between two types of DIDs: Public DIDs & Private DIDs (sometimes called “peer”, “pairwise”, “pseudonymous” or “pairwise-pseudonymous” DIDs).
Private DIDs can be exchanged between two parties to create a secure channel that no one else is privy to.
This means no third party has knowledge of what happens across that channel or who is behind it.
The best part? You can spin up as many separate DIDs for as many separate relationships as you see fit to prevent correlation of your private information, without relying on a single central authority. No more unsolicited race bike ads! (Or election meddling, hopefully).
In a world where private DIDs are the default, public DIDs, then, are strictly for when a subject wants to be publicly identifiable (e.g. a government office issuing passports).
They could also be used to kick off the exchange of private DIDs between two parties.
Benefits of Decentralized Identifiers (DIDs)
DIDs benefit institutions and organisations who issue or verify credentials.
- Their decentralized nature makes credentials always available for verification. This is in contrast to a system where credentials live in a centralized database that may be rendered useless if it goes offline for any reason (or, in the worst case, is destroyed).
- They enable two parties to create a secure channel for data exchange that no one else is privy to.
So, what does this mean in practice? Imagine the government wants to issue you a digital version of your passport alongside your physical copy. You intend to leave the physical version in a safe at home and use the digital version for practical matters.
At the municipal service desk, you are asked to scan a QR-code. Here, the DIDs are exchanged, creating the secure connection. Through this secure connection, the clerk now issues you your digital passport in the form of a Verifiable Credential. You accept, storing it in your (digital) wallet.
Now, on your way home, you decide to pick up a bottle of wine for dinner, and because you use night cream, the cashier asks for your ID. Not wanting to share a host of private information with a stranger (i.e. full name, date of birth, place of birth, document number, etc.), you generate a QR-code from your wallet that proves you are of legal drinking age!
The cashier scans it (again, exchanging DIDs, creating a secure connection) and verifies that this proof is indeed true and derived from a valid form of identification, issued by a valid authority.
This is all done automatically on the backend, in part by checking the public DID of the municipality, as well as the schema, credential definition and revocation registry, all registered to the verifiable data registry, or blockchain. Hello, private dinner-time vino!
How do Decentralized Identifiers work?
Let us give you an example of Decentralized Identifiers in action.
Recently we piloted our Self-Sovereign Identity technology in Turkey with the Ministry of Foreign Affairs, the United Nations Development Programme and the Istanbul Chamber of Commerce.
The objective? With more than 3 million refugees in the country, Turkey wants to implement Self-Sovereign Identity to help increase refugee employability and financial independence.
This is how the pilot played out:
- (Syrian) Entrepreneurs need to complete a Work Permit application in order to hire refugees. Currently, this process is lengthy and paper-based.
- Several Syrian Entrepreneurs physically verified their ID with the Chamber of Commerce. The Chamber of Commerce used our SSI Portal to establish a secure peer-to-peer connection with the Entrepreneurs. In the picture above you can see the Entrepreneurs using Tykn’s SSI Mobile Wallet app to scan a QR Code on our SSI Portal. Once they scan it, the Entrepreneurs’ and the Chamber of Commerce’s DIDs are exchanged, establishing that secure connection. Through that connection the Chamber of Commerce issues them a digital cryptographic proof, a Verifiable Credential, attesting that they have a registered business.
- The Syrian Entrepreneurs stored those credentials in their digital identity wallets (Tykn's SSI Mobile Wallet).
- Without leaving the Mobile Wallet, the Entrepreneurs were able to start a Work Permit Application and use their Verifiable Credentials to prove their identity and that they own a registered business.
Now, if any organisation – the Ministry of Labour, for example – wants to verify the authenticity of an Entrepreneur's Proof of Business Ownership, they don't have to contact the Chamber of Commerce to do so.
They can check the Public DID attached to the Credential and verify that it is the same one stored on the blockchain, which gives the Ministry certainty that the Proof is authentic and hasn't been tampered with.
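As an added example (not code from this post, nor from Tykn's products), here is a small Python model of the "phonebook" check described above and in the section on the verifiable data registry: the verifier parses the issuer's DID, looks its DID document up on a simulated ledger, takes the public key from it and checks the credential's proof, without ever contacting the issuer. The signature scheme is a stand-in one-time Lamport scheme over SHA-256 so the example runs on the standard library alone (real DID methods use Ed25519 or similar); the DID `did:example:municipality-1`, the verification-method id `#key-1` and the credential contents are constructed for the example.

```python
import hashlib, json, re, secrets

# W3C DID Core syntax: did:<method-name>:<method-specific-id> (id segments: ALPHA / DIGIT / . - _ / pct-encoded)
DID_RE = re.compile(r"^did:([a-z0-9]+):((?:(?:[A-Za-z0-9._-]|%[0-9A-Fa-f]{2})*:)*(?:[A-Za-z0-9._-]|%[0-9A-Fa-f]{2})+)$")

def parse_did(did):  # split into method and method-specific id, rejecting malformed DIDs
    m = DID_RE.match(did)
    if not m:
        raise ValueError(f"not a valid DID: {did!r}")
    return {"method": m.group(1), "id": m.group(2)}

# Stand-in signature: a one-time Lamport scheme over SHA-256, so the example runs on
# the standard library alone. Real DID methods use Ed25519 or similar.
_h = lambda b: hashlib.sha256(b).digest()
_bits = lambda msg: [int(c) for c in format(int.from_bytes(_h(msg), "big"), "0256b")]

def keygen():
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    return sk, [[_h(a).hex(), _h(b).hex()] for a, b in sk]

def sign(sk, msg):  # reveal one secret per message-hash bit
    return [sk[i][bit].hex() for i, bit in enumerate(_bits(msg))]

def verify(pk, msg, sig):  # length check first: zip() would silently accept a truncated signature
    return len(sig) == 256 and all(
        _h(bytes.fromhex(s)).hex() == pk[i][bit] for i, (bit, s) in enumerate(zip(_bits(msg), sig)))

def canonical(cred):  # bytes covered by the proof: everything except the proof itself
    body = {k: v for k, v in cred.items() if k != "proof"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def issue(issuer_did, sk, claims):
    cred = {"issuer": issuer_did, "credentialSubject": claims}
    cred["proof"] = {"verificationMethod": f"{issuer_did}#key-1", "signature": sign(sk, canonical(cred))}
    return cred

def verify_credential(ledger, cred):  # resolve the issuer's public DID on the ledger; the issuer is never contacted
    parse_did(cred["issuer"])
    doc = ledger.get(cred["issuer"])
    if doc is None:
        return False  # issuer DID not on the ledger: untrusted
    keys = {vm["id"]: vm["publicKey"] for vm in doc["verificationMethod"]}
    pk = keys.get(cred["proof"]["verificationMethod"])
    return pk is not None and verify(pk, canonical(cred), cred["proof"]["signature"])

# Constructed sample: the municipality writes only its public DID document to the ledger, never personal data.
MUNICIPALITY = "did:example:municipality-1"
_SK, _PK = keygen()
LEDGER = {MUNICIPALITY: {"id": MUNICIPALITY, "verificationMethod": [{"id": f"{MUNICIPALITY}#key-1", "type": "LamportStandIn", "publicKey": _PK}]}}
PASSPORT = issue(MUNICIPALITY, _SK, {"overLegalDrinkingAge": True})
```

A tampered claim, a truncated signature, or an issuer DID that is not on the ledger all fail verification, which is exactly what the Ministry in the example relies on.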
W3C and Verifiable Credentials
The World Wide Web Consortium, W3C, is the main international standards organization for the World Wide Web. They are the ones that created the URL standard, amongst others.
As conceptualised and standardised by the W3C, the Decentralized Identifiers protocol is one of the three pillars of Self-Sovereign Identity, together with the Verifiable Credentials protocol and Distributed Ledger Technology (or Blockchain).
The Decentralized Identifiers (DIDs) Data Model 1.0 specifies that “Decentralized identifiers (DIDs) are a new type of identifier that enables verifiable, decentralized digital identity. A DID identifies any subject (e.g., a person, organization, thing, data model, abstract entity, etc.) that the controller of the DID decides that it identifies. In contrast to typical, federated identifiers, DIDs have been designed so that they may be decoupled from centralized registries, identity providers, and certificate authorities.”