DID has been designed to give users and organizations greater security and privacy

W3C launches Decentralized Identifiers as a web standard

Decentralized Identifiers (DID) is now an official web standard, according to a news release from the World Wide Web Consortium (W3C).

DIDs are cryptographic digital identifiers not tied to any central authority. They provide individuals and organizations with greater security and privacy, along with more control over their online information.

Instead of having your identity tied to an email address or a social media account controlled by a big tech company, you can have a DID that can be stored and transferred across different types of digital infrastructure, including blockchains.

DIDs can represent individuals, organizations, online communities, governments, IoT devices, or anything else that needs an online identity.

Better identity security

“I would summarize the overall impact of DIDs on cybersecurity as making digital signing and encryption much more widely available than today’s conventional X.509-based public key infrastructure (PKI),” Drummond Reed, director of trust services at Avast and co-editor of the DID specification, told The Daily Swig.

“This is because generating and using one or more public/private key pairs that can be verified as belonging to you will no longer require using a certificate authority (CA).”




One frequently discussed area where DIDs can make a huge difference is phishing, according to Reed.

“One of the root causes of phishing attacks is that most electronic communications addresses today (caller IDs, SMS, email addresses) are not cryptographically verifiable,” they said. “They are easy to spoof. By contrast, control of a DID is cryptographically verifiable – the sender of a message can prove they control the private key for the DID.”

DIDs make it easier for a messaging agent to verify the authenticity of incoming messages by checking whether they really came from the controller of a DID. They also make it possible to verify the sending DID against your own DID trust list, a corporate DID trust list, or against publicly maintained DID trust lists, Reed says.

Integrations already underway

“A significant portion of the community believes that people will use applications that utilize DIDs behind the scenes – that is, DIDs will have about the same level of visibility that cryptographic keys and IP addresses have today in the browser (which is not much visible at all),” Manu Sporny, Founder and CEO of Digital Bazaar and lead standards editor for DID at W3C, told The Daily Swig.

“There is a variety of work that is currently being incubated that would enable the use of DIDs through the web browser (and beyond),” Sporny said.




Some of these efforts include the Credential Handler API (CHAPI), integrations with OIDC, and DIDComm Messaging, a secure, private communication methodology built atop the decentralized design of DIDs.

“All of this work is currently being incubated and explored before taking it to the standards track, much in the same way that WebAuthn was incubated in the FIDO Alliance before being taken standards track at W3C,” Sporny said.

Challenges ahead

With the recommendation status being official, standards work will continue on DID technologies through the newly re-chartered W3C Verifiable Credentials 2.0 Working Group, which will focus on expanding functionality based on market feedback.

“The next step will be to standardize Decentralized Identifier Methods,” Sporny said. “DID Methods utilize a variety of modern technologies to provide DIDs with varying degrees of decentralization.”

For example, did:key is a DID method that is truly decentralized, and any software system can create it without needing a storage location. “They are as decentralized as you can get, but you can't update the cryptographic material (public keys) once they're created,” Sporny said.

On the other hand, did:web allows anyone with a website to publish their public keys on that website. You can update your public keys with did:web. “They are as decentralized as the web is, which is arguably not as decentralized as some people would like,” Sporny said.
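
The contrast between the two methods can be seen in how each identifier is turned into key material. The following is an added example, not code from the article or from the W3C specifications: it encodes and decodes an Ed25519 did:key (the public key is the identifier, so nothing is fetched and nothing can be rotated) and maps a did:web to the HTTPS location of its DID document (so trust rests on DNS and TLS for that host). The key bytes and the example.com names are constructed sample values.

```python
from urllib.parse import unquote

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ED25519_PUB = bytes([0xED, 0x01])  # multicodec code for ed25519-pub, as a varint

def b58encode(data):
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\0"))) + out

def b58decode(text):
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError for characters outside the alphabet
    zeros = len(text) - len(text.lstrip("1"))
    return b"\0" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")

def did_key_from_ed25519(public_key):
    """did:key = 'z' (base58btc multibase) + base58(multicodec prefix + raw key)."""
    if len(public_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return "did:key:z" + b58encode(ED25519_PUB + public_key)

def ed25519_from_did_key(did):
    """Recover the public key from the identifier alone; no lookup, no CA."""
    if not did.startswith("did:key:z"):
        raise ValueError("not a base58btc did:key")
    raw = b58decode(did[len("did:key:z"):])
    if len(raw) != 34 or raw[:2] != ED25519_PUB:
        raise ValueError("not an Ed25519 did:key")
    return raw[2:]

def did_web_to_url(did):
    """Map did:web to the HTTPS URL where the (updatable) DID document lives."""
    if not did.startswith("did:web:"):
        raise ValueError("not a did:web identifier")
    host, *path = did[len("did:web:"):].split(":")
    host = unquote(host)  # a port is written as %3A inside the identifier
    bad = any(not p or "/" in unquote(p) or unquote(p) in (".", "..") for p in path)
    if not host or "/" in host or bad:
        raise ValueError("malformed did:web identifier")
    return "https://" + host + "/" + ("/".join(path) or ".well-known") + "/did.json"

if __name__ == "__main__":
    sample_key = bytes(range(32))  # constructed sample, not a real key
    print(did_key_from_ed25519(sample_key))
    print(did_web_to_url("did:web:example.com:user:alice"))
```

A verifier that accepts did:web should fetch that URL only over validated TLS, since whoever controls the host controls the keys.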

Then there are other DID Methods that are based on blockchains, which are more decentralized than the web but are still comparatively new technologies and still a little too experimental for some people.

Resolving conflicts

The DID Core specification had been debated for more than a year and was pushed to recommendation status in June, despite objections from Mozilla and Google.

“The key objections from Google and Mozilla centered mostly on their desire to see at least a few DID methods standardized because they see the current 120+ registered DID methods as a barrier to interoperability,” Reed said.

“The DID Working Group disagrees – as a whole, we have always felt that a market-driven approach to a winnowing down of DID methods is preferable, both to encourage innovation and to let the market judge which DID methods best meet its needs.”

The working group has developed a tool, the DID Rubric, which will assist in selecting the best DID methods and their most relevant use cases.

