This repository has been archived by the owner on Oct 29, 2019. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 45
/
index.html
3033 lines (2686 loc) · 100 KB
/
index.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<!DOCTYPE html>
<html>
<head>
<title>
Decentralized Identifiers (DIDs) v0.13
</title>
<meta http-equiv="refresh" content="0;URL='https://w3c.github.io/did-core/'" />
<meta content='text/html; charset=utf-8' http-equiv='Content-Type'><!--
=== NOTA BENE ===
For the three scripts below, if your spec resides on dev.w3 you can check them
out in the same tree and use relative links so that they'll work offline.
-->
<script class='remove'
src='https://www.w3.org/Tools/respec/respec-w3c-common'>
</script><!--script src='./respec-w3c-common.js' class='remove'></script-->
<script src="./common.js">
</script>
<script class="remove" type="text/javascript">
var respecConfig = {
// specification status (e.g., WD, LCWD, NOTE, etc.). If in doubt use ED.
specStatus: "CG-FINAL",
// the specification's short name, as in http://www.w3.org/TR/short-name/
shortName: "did",
// subtitle
subtitle: "Data Model and Syntaxes",
// if you wish the publication date to be other than today, set this
// publishDate: "2009-08-06",
// if there is a previously published draft, uncomment this and set its YYYY-MM-DD date
// and its maturity status
// previousPublishDate: "1977-03-15",
// previousMaturity: "WD",
// extend the bibliography entries
localBiblio: ccg.localBiblio,
github: "https://github.com/w3c-ccg/did-spec",
includePermalinks: false,
// if there a publicly available Editor's Draft, this is the link
edDraftURI: "https://w3c-ccg.github.io/did-spec/",
// if this is a LCWD, uncomment and set the end of its review period
// lcEnd: "2009-08-05",
// editors, add as many as you like
// only "name" is required
editors: [{
name: "Drummond Reed",
url: "https://www.linkedin.com/in/drummondreed/",
company: "Evernym",
companyURL: "https://evernym.com/"
},
{
name: "Manu Sporny",
url: "http://manu.sporny.org/",
company: "Digital Bazaar",
companyURL: "https://digitalbazaar.com/"
},
{
name: "Markus Sabadello",
url: "https://www.linkedin.com/in/markus-sabadello-353a0821",
company: "Danube Tech",
companyURL: "https://danubetech.com/"
}
],
// authors, add as many as you like.
// This is optional, uncomment if you have authors as well as editors.
// only "name" is required. Same format as editors.
authors: [{
name: "Drummond Reed",
url: "https://www.linkedin.com/in/drummondreed/",
company: "Evernym",
companyURL: "https://evernym.com/"
},
{
name: "Manu Sporny",
url: "http://manu.sporny.org/",
company: "Digital Bazaar",
companyURL: "https://digitalbazaar.com/"
},
{
name: "Dave Longley",
url: "",
company: "Digital Bazaar",
companyURL: "https://digitalbazaar.com/"
},
{
name: "Christopher Allen",
url: "https://www.linkedin.com/in/christophera",
company: "Blockchain Commons",
companyURL: "https://www.BlockchainCommons.com"
},
{
name: "Ryan Grant",
url: "",
company: "",
companyURL: ""
},
{
name: "Markus Sabadello",
url: "https://www.linkedin.com/in/markus-sabadello-353a0821",
company: "Danube Tech",
companyURL: "https://danubetech.com/"
}
],
// name of the WG
wg: "Credentials Community Group",
// URI of the public WG page
wgURI: "https://www.w3.org/community/credentials/",
// name (with the @w3c.org) of the public mailing to which comments are due
wgPublicList: "public-credentials",
// URI of the patent status for this WG, for Rec-track documents
// !!!! IMPORTANT !!!!
// This is important for Rec-track documents, do not copy a patent URI from a random
// document unless you know what you're doing. If in doubt ask your friendly neighbourhood
// Team Contact.
wgPatentURI: "https://www.w3.org/community/about/agreements/cla/",
maxTocLevel: 4,
inlineCSS: true
};
</script>
<style>
pre .highlight {
font-weight: bold;
color: green;
}
pre .comment {
color: SteelBlue;
-webkit-user-select: none;
-moz-user-select: none;
-ms-user-select: none;
user-select: none;
}
</style>
</head>
<body>
<section id='abstract'>
<p>
Decentralized Identifiers (DIDs) are a new type of identifier for
verifiable, decentralized digital identity. These new identifiers
are designed to enable the controller of a DID to prove control over
it and to be implemented independently of any centralized registry,
identity provider, or certificate authority. DIDs are URLs that relate
a <a>DID subject</a> to means for trustable interactions with that subject.
DIDs resolve to DID Documents — simple documents that describe how to
use that specific DID. Each DID Document may express cryptographic
material, verification methods, and/or service endpoints. These provide
a set of mechanisms which enable a <a>DID controller</a> to prove control of the
DID. Service endpoints enable trusted interactions with the <a>DID subject</a>.
</p>
<p>
This document specifies a common data model, format, and operations that
all DIDs support.
</p>
</section>
<section id='sotd'>
<p>
Comments regarding this document are welcome. Please file issues
directly on <a href="https://github.com/w3c-ccg/did-spec/issues/">GitHub</a>, or send them
to <a href="mailto:public-credentials@w3.org">public-credentials@w3.org</a> (
<a href="mailto:public-credentials-request@w3.org?subject=subscribe">subscribe</a>,
<a href="https://lists.w3.org/Archives/Public/public-credentials/">archives</a>).
</p>
<p>
Portions of the work on this specification have been funded by the
United States Department of Homeland Security's Science and Technology
Directorate under contracts HSHQDC-16-R00012-H-SB2016-1-002 and
HSHQDC-17-C-00019. The content of this specification does not
necessarily reflect the position or the policy of the U.S. Government
and no official endorsement should be inferred.
</p>
<p>
Work on this specification has also been supported by the Rebooting the
Web of Trust community facilitated by Christopher Allen, Shannon
Appelcline, Kiara Robles, Brian Weller, Betty Dhamers, Kaliya Young,
Kim Hamilton Duffy, Manu Sporny, Drummond Reed, Joe Andrieu, and
Heather Vescent.
</p>
</section>
<section class="informative">
<h1>
Introduction
</h1>
<p>
Conventional <a href="https://en.wikipedia.org/wiki/Identity_management">identity
management</a> systems are based on centralized authorities such as
corporate <a href="https://en.wikipedia.org/wiki/Directory_service">directory
services</a>, <a href="https://en.wikipedia.org/wiki/Certificate_authority">certificate
authorities</a>, or <a href="https://en.wikipedia.org/wiki/Domain_name_registry">domain name
registries</a>. From the standpoint of cryptographic trust
verification, each of these centralized authorities serves as its own
<a href="https://en.wikipedia.org/wiki/Trust_anchor">root of
trust</a>. To make identity management work across these systems
requires implementing <a href="https://en.wikipedia.org/wiki/Federated_identity">federated identity
management</a>.
</p>
<p>
The emergence of distributed ledger technology (DLT), sometimes
referred to as blockchain technology, provides the opportunity for
fully <a>decentralized identity management</a>. In a decentralized
identity system, entities (in the sense of discrete identifiable units
such as — but not limited to — people, organizations, and
things) are free to use any shared root of trust.
Globally distributed ledgers, decentralized P2P networks, or other systems
with similar capabilities, provide the means for managing a root of
trust without introducing a centralized authority or a single point of
failure. In combination, DLTs and decentralized identity systems
enable any entity to create and manage their own identifiers on any
number of distributed, independent roots of trust.
</p>
<p>
Entities are identified by decentralized identifiers (DIDs), and
may authenticate via proofs (e.g., digital signatures,
privacy-preserving biometric protocols, etc.). DIDs point to DID
Documents. A DID Document contains a set of service endpoints for
interacting with the entity the DID identifies (aka the <a>DID subject</a>).
Following the dictums of
<a href="https://en.wikipedia.org/wiki/Privacy_by_design">Privacy by
Design</a>, any entity may have as many DIDs as necessary (and
corresponding DID Documents and service endpoints), to respect the
entity’s desired separation of identities, personas, and contexts.
</p>
<p>
DID methods are the mechanism by which a DID and its associated DID
Document are created, read, updated, and deactivated on a specific
distributed ledger or network. DID methods are defined using separate
DID method specifications.
</p>
<p>
This design eliminates dependence on centralized registries for
identifiers as well as centralized certificate authorities for key
management — the standard pattern in hierarchical
<a href="https://en.wikipedia.org/wiki/Public_key_infrastructure">PKI
(public key infrastructure</a>). In cases where the <a>DID Registry</a>
is a distributed ledger, each entity may serve as its own root authority
— an architecture referred to as
<a href="https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust/blob/master/final-documents/dpki.pdf">DPKI
(decentralized PKI)</a>.
</p>
<p>
Note that DID methods may also be developed for identifiers
registered in federated or centralized identity management systems.
For their part, all types of identifier systems may add support for
DIDs. This creates an interoperability bridge between the worlds of
centralized, federated, and decentralized identifiers.
</p>
<p>
The first purpose of this specification is to define the generic
DID scheme and a generic set of operations on DID Documents that can be
implemented for any <a>DID Registry</a>. The second
purpose of this specification is to
define the conformance requirements for a DID method
specification — a separate specification that defines a specific DID
scheme and specific set of DID Document operations for a specific
<a>DID Registry</a>.
</p>
<p class="note">
Conceptually, the relationship of this specification and a DID
method specification is similar to the relationship of the IETF
generic URI specification ([[RFC3986]]) and a specific URI scheme
([[IANA-URI-SCHEMES]] (such as the http: and https: schemes
specified in [[RFC7230]]). It is also similar to the relationship
of the IETF generic URN specification ([[RFC8141]]) and a specific URN
namespace definition (such as the UUID URN namespace defined in
[[RFC4122]]). The difference is that a DID Method specification, in
addition to defining a specific DID scheme, also specifies the
methods for resolving and deactivating DIDs and writing DID Documents on the
appropriate <a>DID Registry</a>.
</p>
<p>
The hierarchical design of a generic DID specification with specific DID method
specifications introduces some of the same concepts as the URI specification:
</p>
<ul>
<li>
DIDs from different DID methods may not be interoperable, just as URIs from
different URI schemes may not be interoperable.
</li>
<li>
Entities may need multiple DIDs to support different relationships, as the other
party may only support certain DID methods, just as some browsers may only
support certain URI schemes.
</li>
<li>
Entities may need multiple DIDs to support the different cryptographic schemes
of different DID methods, as not all parties will support the same cryptographic
schemes, just as not all browsers support the same URI schemes.
</li>
<li>
Managing multiple DIDs, and tracking which DID belongs to which relationship,
under which cryptographic scheme, introduces similar logistical challenges as
managing multiple web addresses and tracking which address belongs to which
website, or tracking which email address belongs to which relationship.
</li>
</ul>
<p>
For a list of DID Methods and their corresponding specifications,
see the DID Method Registry [[DID-METHOD-REGISTRY]].
</p>
<section class="informative">
<h2>
A Simple Example
</h2>
<p>
A DID is a simple text string that consists of three parts: 1) the URL scheme
identifier (<code>did</code>), 2) the identifier for the
DID Method, and 3) the DID Method-specific identifier.
</p>
<pre class="example nohighlight" title="A simple example of a Decentralized Identifier (DID)">
did:example:123456789abcdefghi
</pre>
<p>
The DID above resolves to a DID Document. A DID Document contains information
associated with the DID such as ways to cryptographically authenticate the
entity in control of the DID, as well as services that can be used to
interact with the entity.
</p>
<pre class="example nohighlight" title="Minimal self-managed DID Document">
{
"@context": "https://www.w3.org/2019/did/v1",
"id": "did:example:123456789abcdefghi",
"authentication": [{
<span class="comment">// used to authenticate as did:...fghi</span>
"id": "did:example:123456789abcdefghi#keys-1",
"type": "RsaVerificationKey2018",
"controller": "did:example:123456789abcdefghi",
"publicKeyPem": "-----BEGIN PUBLIC KEY...END PUBLIC KEY-----\r\n"
}],
"service": [{
<span class="comment">// used to retrieve Verifiable Credentials associated with the DID</span>
"id":"did:example:123456789abcdefghi#vcs",
"type": "VerifiableCredentialService",
"serviceEndpoint": "https://example.com/vc/"
}]
}
</pre>
</section>
<section class="informative">
<h2>
Design Goals
</h2>
<p>
Decentralized Identifiers are a component of larger systems, such as
the Verifiable Credentials ecosystem [[?VC-DATA-MODEL]], which have driven
the design goals for this specification. This section summarizes the
primary design goals for this specification.
</p>
<table class="simple">
<thead>
<tr>
<th>
Goal
</th>
<th>
Description
</th>
</tr>
</thead>
<tbody>
<tr>
<td>
Decentralization
</td>
<td>
Eliminate the requirement for
centralized authorities or single points of failure in
identifier management, including the registration of globally
unique identifiers, public verification keys, service
endpoints, and other metadata.
</td>
</tr>
<tr>
<td>
Control
</td>
<td>
Give entities, both human and
non-human, the power to directly control their digital
identifiers without the need to rely on external authorities.
</td>
</tr>
<tr>
<td>
Privacy
</td>
<td>
Enable entities to control the privacy
of their information, including minimal, selective, and
progressive disclosure of attributes or other data.
</td>
</tr>
<tr>
<td>
Security
</td>
<td>
Enable sufficient security for relying
parties to depend on DID Documents for their required level of
assurance.
</td>
</tr>
<tr>
<td>
Proof-based
</td>
<td>
Enable the <a>DID subject</a> to provide
cryptographic proof when interacting with other entities.
</td>
</tr>
<tr>
<td>
Discoverability
</td>
<td>
Make it possible for entities to
discover DIDs for other entities to learn more about or
interact with those entities.
</td>
</tr>
<tr>
<td>
Interoperability
</td>
<td>
Use interoperable standards so DID
infrastructure can make use of existing tools and software
libraries designed for interoperability.
</td>
</tr>
<tr>
<td>
Portability
</td>
<td>
Be system and network-independent and
enable entities to use their digital identifiers with any
system that supports DIDs and DID Methods.
</td>
</tr>
<tr>
<td>
Simplicity
</td>
<td>
Favor a reduced set of simple features in order to make the technology
easier to understand, implement, and deploy.
</td>
</tr>
<tr>
<td>
Extensibility
</td>
<td>
When possible, enable extensibility
provided it does not greatly hinder interoperability,
portability, or simplicity.
</td>
</tr>
</tbody>
</table>
</section>
<section>
<h3>Interoperability</h3>
<p>Interoperability of implementations for DIDs and DID Documents will be tested by evaluating an implementation's ability to create and parse DIDs and DID Documents that conform to the specification. Interoperability for DID methods will be determined by evaluating each DID method's specification to determine, at a minimum, </p>
<ol>
<li> the DID method name is unique and not used by an existing, incompatible DID method, </li>
<li> the required operations are supported,</li>
<li> operations requiring descriptions are described,</li>
<li> the specification is specific, detailed, and complete enough for independent implementation, and</li>
<li> the specification contains sections describing security and privacy considerations.</li>
</ol>
<p>Interoperability for producers and consumers of DIDs and DID Documents is provided by ensuring the DIDs and DID Documents conform. Interoperability for method specifications is provided by the details in each method specification. It is understood that, just like a web browser is not required to implement all known URI schemes, conformant software that works with DIDs is not required to implement all known DID methods. However, all implementations of a given DID method must be interoperable for that method.</p>
</section>
</section>
</section>
<section class="informative">
<h1>
Terminology
</h1>
<div data-include="terms.html" data-oninclude="restrictReferences">
</div>
</section>
<section class="informative">
<h1>
Data Model
</h1>
<p>
This section outlines the Decentralized Identifier data model concepts,
in particular how keys, services, and the <a>DID Subject</a> are related to the
<a>DID Document</a>.
</p>
<p>
For information about how the data model can be extended, see
<a href="#extensibility"></a>.
</p>
<section>
<h2>
Document
</h2>
<p>
A DID resolves to a <a>DID Document</a>. This is the concrete serialization of
the data model, according to a particular syntax (see
<a href="#did-document-syntax"></a>). The <a>DID Document</a> contains attributes
or claims about the <a href="#did-subject"></a>, and the DID itself is
contained in the <code>id</code> property.
</p>
<p>
The properties that can be present in a <a>DID Document</a> are detailed
further in <a href="#did-documents"></a>.
</p>
<p>
The properties present in a <a>DID Document</a> can be updated according to
the applicable <a href="#did-methods"></a>.
</p>
</section>
<section>
<h2>
Keys
</h2>
<p>
One or more <a href="#public-keys"></a> can be included in a <a>DID
Document</a> using, for example, the <code>publicKey</code> or <code>authentication</code>
properties depending on what they are to be used for. Each public key
has an identifier (<code>id</code>) of its own, a <code>type</code>,
and a <code>controller</code>, as well as other properties which
depend on what type of key it is.
</p>
</section>
<section>
<h2>
Services
</h2>
<p>
A <a>DID Document</a> can contain pointers to services using the <code>
service</code> property. Services can be anything the <a>DID Subject</a>
wishes to advertise, for example other ways to interact with
the <a>DID Subject</a>. Each service has its own <code>id</code> and
<code>type</code>, as well as a <code>serviceEndpoint</code> with a
URI or further properties describing the service.
</p>
<p>
For more information see <a href="#service-endpoints"></a>.
</p>
</section>
</section>
<section>
<h1>
Decentralized Identifiers (DIDs)
</h1>
<p>
The concept of a globally unique <a>decentralized identifier</a> is not
new; <a href="https://en.wikipedia.org/wiki/Universally_unique_identifier">Universally
Unique Identifiers</a> (UUIDs) were first developed in the 1980s and
later became a standard feature of the Open Software Foundation’s
<a href="https://en.wikipedia.org/wiki/Distributed_Computing_Environment">Distributed
Computing Environment</a>. UUIDs achieve global uniqueness without a
centralized registry service by using an algorithm that generates
128-bit values with sufficient entropy that the chance of collision are
infinitesimally small. UUIDs are formally specified in [[RFC4122]] as a
specific type of Unified Resource Name (URN).
</p>
<p>
A DID is similar to a UUID except: (a) like a URL, it can be resolved
or dereferenced to a standard resource describing the subject (a <a>DID
Document</a> — see Section <a href="#did-documents"></a>), and (b) unlike
a URL, the DID Document typically contains cryptographic material that
enables authentication of the <a>DID subject</a>.
</p>
<section>
<h2>
Generic DID Syntax
</h2>
<p>
The generic <a>DID scheme</a> is a URI scheme conformant with
[[RFC3986]]. The DID scheme specializes only the scheme and
authority components of a DID URI — the <code>path-abempty</code>,
<code>query</code>, and <code>fragment</code> components are
identical to the ABNF rules defined
in [[RFC3986]].
</p>
<p class="note">
The term <a>DID</a> refers only to the URI
conforming to the <code>did</code> rule in the ABNF below. A
DID always identifies the <a>DID subject</a>. The term <a>DID URL</a>,
defined by the <code>did-url</code> rule,
refers to a URL that begins with a DID followed by one or more
additional components. A DID URL always identifies the resource to
be located.
</p>
<p>
The following is the ABNF definition using the syntax in [[RFC5234]]
which defines <code>ALPHA</code> and <code>DIGIT</code>. All other
rule names not defined in this ABNF are defined in [[RFC3986]].
</p>
<pre class="nohighlight">
did = "did:" method-name ":" method-specific-id
method-name = 1*method-char
method-char = %x61-7A / DIGIT
method-specific-id = *idchar *( ":" *idchar )
idchar = ALPHA / DIGIT / "." / "-" / "_"
did-url = did *( ";" param ) path-abempty [ "?" query ]
[ "#" fragment ]
param = param-name [ "=" param-value ]
param-name = 1*param-char
param-value = *param-char
param-char = ALPHA / DIGIT / "." / "-" / "_" / ":" /
pct-encoded
</pre>
<p class="issue" data-number="198">
The grammar currently allows an empty <code>method-specific-id</code>,
e.g., <code>did:example:</code> would be a valid DID that could identify
the DID method itself.
</p>
</section>
<section>
<h2>
Method-Specific Syntax
</h2>
<p>
A DID method specification MUST further restrict the generic DID
syntax by defining its own <code>method-name</code> and its own
<code>method-specific-id</code> syntax. See Section <a href="#did-methods"></a>.
</p>
</section>
<section>
<h2>
Generic DID Parameter Names
</h2>
<p>
DID URL syntax supports a simple, generalized format for parameters based on the
matrix parameter syntax ([[MATRIX-URIS]]).
The ABNF above does not specify any parameter names (the <code>param-name</code>
rule).
</p>
<p>
Some generic DID parameter names (e.g., for service selection) are completely
independent of any specific DID method and MUST always function the same way
for all DIDs.
Others (e.g., for versioning) MAY be supported by
certain DID methods, but MUST operate uniformly across those DID methods that
do support them.
</p>
<p>
Parameter names that are completely method-specific are covered in
<a href="#method-specific-did-parameter-names"></a>.
</p>
<p>
The following table defines a set of generic DID parameter names:
</p>
<table class="simple">
<thead>
<tr>
<th>Generic DID Parameter Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>hl</code>
</td>
<td>
A resource hash of the DID Document to add integrity
protection, as specified in [[HASHLINK]].
</td>
</tr>
<tr>
<td>
<code>service</code>
</td>
<td>
Identifies a service from the DID Document by service id.
</td>
</tr>
<tr>
<td>
<code>version-id</code>
</td>
<td>
Identifies a specific version of a DID Document to be resolved (the version ID
could be sequential, or a UUID, or method-specific). Note: This parameter may
not be supported by all DID methods.
</td>
</tr>
<tr>
<td>
<code>version-time</code>
</td>
<td>
Identifies a certain version timestamp of a DID Document to be resolved (i.e.,
the DID Document that was valid for a DID at a certain time). Note: This
parameter may not be supported by all DID methods.
</td>
</tr>
</tbody>
</table>
<p>
The exact processing rules for these parameters are specified in [[DID-RESOLUTION]].
</p>
<p class="note">
Note that there may be additional parameters or options that are not part
of the DID URL but instead passed to a DID resolver "out of band", i.e.,
using a resolution protocol or some other mechanism. Such options could
for example control caching or the desired format of a resolution result.
This is similar to HTTP, where caching or result format are expressed as
HTTP headers rather than as part of an HTTP URL. The important distinction
is that DID parameters that are part of the DID URL specify what resource
is being identified, whereas DID resolver options that are not part of the
DID URL control how that resource is dereferenced.
</p>
</section>
<section>
<h2>
Method-Specific DID Parameter Names
</h2>
<p>
A DID method specification MAY specify additional method-specific parameter
names. A method-specific parameter name MUST be prefixed by the method name
as defined by the <code>method-name</code> rule.
</p>
<p>
For example, if the method <code>did:foo:</code> defines the parameter bar,
the parameter name must be <code>foo:bar</code>. An example DID URL using
this method and this method-specific parameter would be:
</p>
<p>
<code>did:foo:21tDAKCERh95uGgKbJNHYp;foo:bar=high</code>
</p>
<p class="issue" data-number="199">
Consider using kebab-case style instead of colon separator,
e.g., <code>foo-bar</code> instead of <code>foo:bar</code>.
</p>
<p>
A method-specific parameter name defined by one DID method MAY
be used by other DID methods. For example:
</p>
<p>
<code>did:example:21tDAKCERh95uGgKbJNHYp;foo:bar=low</code>
</p>
<p>
Method-specific parameter names MAY be combined with generic parameter
names in any order.
</p>
<p>
<code>did:example:21tDAKCERh95uGgKbJNHYp;service=agent;foo:bar=high</code>
</p>
<p>
Both DID method namespaces and method-specific parameter
namespaces MAY include colons, so they may be partitioned hierarchically
as defined by a DID method specification. Here is an example DID URL that
illustrates both:
</p>
<p>
<code>did:foo:baz:21tDAKCERh95uGgKbJNHYp;foo:baz:hex=b612</code>
</p>
</section>
<p class="issue" data-number="200">
Review what exactly we want to say about method-specific parameters
defined by one method but used in a DID URL with a different method.
Also discuss hierarchical method namespaces in DID parameter names.
</p>
<section>
<h2>
Path
</h2>
<p>
A generic <a>DID path</a> is identical to a URI path and MUST
conform to the <code>path-abempty</code> ABNF rule in [[RFC3986]]. A
DID path SHOULD be used to address resources available via a DID
service endpoint. See Section <a href="#service-endpoints"></a>.
</p>
<p>
A specific DID scheme MAY specify ABNF rules for DID paths that are
more restrictive than the generic rules in this section.
</p>
<pre class="example nohighlight">
did:example:123456/path
</pre>
</section>
<section>
<h2>
Query
</h2>
<p>
A generic <a>DID query</a> is identical to a URI query and MUST
conform to the <code>query</code> ABNF rule in [[RFC3986]]. A
DID query SHOULD be used to address resources available via a DID
service endpoint. See Section <a href="#service-endpoints"></a>.
</p>
<p>
A specific DID scheme MAY specify ABNF rules for DID queries that are
more restrictive than the generic rules in this section.
</p>
<pre class="example nohighlight">
did:example:123456?query=true
</pre>
</section>
<section>
<h2>
Fragment
</h2>
<p>
A generic <a>DID fragment</a> is identical to a URI
fragment and MUST conform to the <code>fragment</code> ABNF rule in
[[RFC3986]]. Implementers are strongly discouraged from using a DID fragment
for anything other than a method-independent
reference into the DID Document to identify a component of a DID Document
(e.g. a unique key description or service endpoint). To resolve this reference,
the complete DID URL including the DID fragment MUST be used as input to the
DID URL dereferencing algorithm (see [[DID-RESOLUTION]]) for the target
component in the DID Document object.
</p>
<p>
A specific DID scheme MAY specify ABNF rules for DID fragments that
are more restrictive than the generic rules in this section.
</p>
<p>
It is desirable that we enable tree-based processing of DIDs that include
DID fragments (which resolve directly within the DID Document) to locate
metadata contained directly in the DID Document or the service resource
given by the target URL without needing to rely on graph-based processing.
</p>
<p>
Implementations SHOULD NOT prevent the use of JSON pointers ([[RFC6901]]).
</p>
<pre class="example nohighlight">
did:example:123456#oidc
</pre>
</section>
<section>
<h2>
Normalization
</h2>
<p>
For the broadest interoperability, DID normalization should be as
simple and universal as possible. Therefore:
</p>
<ol start="1">
<li>
The did: scheme name MUST be lowercase.
</li>
<li>
The method name MUST be lowercase.
</li>
<li>
Case sensitivity and normalization of the value of the
<code>method-specific-id</code> rule in Section <a href="#generic-did-syntax">
</a> MUST be defined by the governing DID method specification.
</li>
</ol>
</section>
<section>
<h2>
Persistence
</h2>
<p>
A DID is expected to be persistent and immutable, i.e., bound exclusively
and permanently to its one and only subject. Even after a DID has been
deactivated, it is intended that it never be repurposed.
</p>
<p>
Ideally a DID would be a completely
abstract decentralized identifier (like a UUID) that could be bound
to multiple underlying <a>DID Registries</a> over time,
thus maintaining its persistence independent of any particular system.
However registering the same identifier on multiple
<a>DID Registries</a> introduces extremely hard entityship and
<a href="https://en.wikipedia.org/wiki/List_of_DNS_record_types%23SOA">start-of-authority</a>
(SOA) problems. It also greatly increases implementation complexity
for developers.
</p>
<p>
To avoid these issues, it is RECOMMENDED that <a>DID method</a>
specifications only produce DIDs and <a>DID methods</a> bound to strong,
stable <a>DID Registries</a> capable of making the highest level of
commitment to persistence of the DID and DID method over time.
</p>
<p class="note">
Although not included in this version, future versions of this
specification may support a DID Document equivID property to
establish verifiable equivalence relations between DIDs
representing the same subject on multiple <a>DID
Registries</a>. Such equivalence relations can produce the practical
equivalent of a single persistent abstract DID. See Future Work
(Section <a href="#future-work"></a>).
</p>
</section>
</section>
<section>
<h1>
DID Documents
</h1>