Platform Core – DIDs

Introduction

Decentralized Identifiers (DIDs) are a new type of digital identifier which is globally unique, highly available, and cryptographically verifiable. They are currently being standardized at the W3C and, when deployed responsibly, can be extremely effective at preserving user privacy, enhancing transparency and consent, enabling data portability, and enforcing user control.

DIDs are best classified according to which DID Method they belong to. Each DID Method defines a CRUD model that describes how a specific DID scheme works with a specific verifiable data registry such as a distributed ledger or blockchain. There are many dozens of DID Methods that have already defined their own specifications and contributed their DID scheme to the W3C.

DIDs provide a level of abstraction around public keys. DIDs are used through a process known as DID Resolution, which locates the registry where the DID is anchored (according to its DID Method) and produces the DID Document. The DID Document contains cryptographic material such as public keys, as well as service endpoints through which the DID subject can be contacted.

A central feature of DIDs is that, when used in identity systems, they can replace passwords with public/private keypairs, giving much stronger authentication and encryption. This gives DIDs a significantly different trust model from centralized identifiers. Specifically, DIDs form the basis of a Decentralized Public Key Infrastructure (DPKI) for the web.

To learn more about our approach to DIDs, read our blog, "Intro to DIDs for people".

Usage

The MATTR Platform packages the power of DIDs into our Platform Core. Core allows our users to create, register, resolve, retrieve, manage, and delete DIDs.

DIDs are created by a user's tenant and used to establish relationships with other users. The tenant generates the keys and metadata necessary to establish the DID, and registers the DID on a public ledger if applicable. In addition to handling DID creation and registration, the tenant is always configured to resolve DIDs it receives in order to get the latest key and service information.

The platform also establishes a verifiable relationship between your tenant domain and DIDs created by your tenant, enabling linkage between an internet domain owner and a DID owner. This approach creates a bridge that connects the traditional trust model of the internet with a distributed trust model. This follows the open standard Well Known DID Configuration being developed at the Decentralized Identity Foundation (DIF).

Drivers

As a central component of Platform Core, DIDs have a set of configurable options that are part of our Platform Drivers. These parameters can be set when creating a DID.

DID Method Support

  • did:key
  • did:sov

Key Management Support

  • ed25519
  • bls12381G2 (ZKP-enabled)

NOTE: We have developed an experimental feature in our platform around Zero-Knowledge Proofs (ZKP). ZKPs are a technique for implementing privacy-preserving selective disclosure in verifiable credentials using the cryptography of BBS+ signatures. As ZKPs are experimental, they only work with the did:key method at this point. To experiment with this feature, use your API endpoint to create a DID with the "method":"key" and "keyType":"bls12381G2" parameters set. If you create a Verifiable Credential using this new DID as the issuer DID, the platform will automatically detect this capability and issue a ZKP-enabled BBS+ credential for you. Our Mobile Wallet App can detect whether ZKP is enabled in a credential and, upon a request for verification, will use that information to derive a new credential presentation that selectively discloses the required information using ZKP. You can read more about our work on privacy-preserving verifiable credentials on our blog.
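To make the DID Resolution step described in the Introduction concrete for the did:key method and the two key types listed above, here is an added example of a minimal did:key resolver. It is not MATTR platform code and does not use the platform API; it assumes the public multicodec table values (ed25519-pub = 0xed, bls12_381-g2-pub = 0xeb), the base58btc multibase prefix "z", and the verification-method type names Ed25519VerificationKey2018 and Bls12381G2Key2020. Because a did:key DID embeds the public key itself, resolving it requires no ledger lookup: the resolver decodes the identifier and builds the DID Document locally. The sample keys are constructed byte patterns, not real keys.

```python
# Added example, not MATTR platform code: a minimal did:key resolver for the
# ed25519 and bls12381G2 key types. Assumes the public multicodec table values
# (ed25519-pub = 0xed, bls12_381-g2-pub = 0xeb) and the base58btc multibase
# prefix "z". Verification-method type names are assumed from the DID specs.

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# multicodec prefix -> (keyType name as used on this page, key length, VM type)
KEY_TYPES = {
    b"\xed\x01": ("ed25519", 32, "Ed25519VerificationKey2018"),
    b"\xeb\x01": ("bls12381G2", 96, "Bls12381G2Key2020"),
}


def b58encode(data: bytes) -> str:
    """Base58btc encode; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(s: str) -> bytes:
    """Base58btc decode; rejects characters outside the alphabet."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def make_did_key(key_type: str, public_key: bytes) -> str:
    """Build a did:key identifier from a raw public key of the given keyType."""
    for prefix, (name, length, _) in KEY_TYPES.items():
        if name == key_type:
            if len(public_key) != length:
                raise ValueError(f"{key_type} public key must be {length} bytes")
            return "did:key:z" + b58encode(prefix + public_key)
    raise ValueError(f"unsupported keyType {key_type!r}")


def resolve_did_key(did: str) -> dict:
    """Resolve a did:key DID to a DID Document without any registry lookup."""
    if not did.startswith("did:key:z"):
        raise ValueError("only did:key with base58btc ('z') multibase is supported")
    fingerprint = did[len("did:key:"):]          # e.g. "z6Mk..."
    raw = b58decode(fingerprint[1:])             # strip the multibase 'z'
    prefix, public_key = raw[:2], raw[2:]
    if prefix not in KEY_TYPES:
        raise ValueError(f"unknown multicodec prefix 0x{prefix.hex()}")
    name, length, vm_type = KEY_TYPES[prefix]
    if len(public_key) != length:
        raise ValueError(f"{name} key must be {length} bytes, got {len(public_key)}")
    vm_id = f"{did}#{fingerprint}"
    return {
        "@context": "https://www.w3.org/ns/did/v1",
        "id": did,
        "verificationMethod": [{
            "id": vm_id,
            "type": vm_type,
            "controller": did,
            "publicKeyBase58": b58encode(public_key),
        }],
        # did:key documents reference the single key for every relationship
        "authentication": [vm_id],
        "assertionMethod": [vm_id],
    }


if __name__ == "__main__":
    # Constructed sample keys (byte patterns, not real keys).
    ed_did = make_did_key("ed25519", bytes(range(32)))
    bls_did = make_did_key("bls12381G2", bytes(range(96)))
    for d in (ed_did, bls_did):
        doc = resolve_did_key(d)
        print(d, "->", doc["verificationMethod"][0]["type"])
```

The resolver refuses identifiers whose multicodec prefix or key length it does not recognise, which is the check a verifier wants before trusting any key material; a real deployment would resolve other methods (such as did:sov) by querying their registry through the same interface.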

For more detail on our DID-related capabilities, check out the API Reference Docs.