Masterclass on the DID Universal Resolver
1. Masterclass on the DID Universal Resolver
Markus Sabadello
Danube Tech, Decentralized Identity Foundation,
Sovrin Foundation, W3C VCWG, W3C CCG, OASIS XDI TC
https://danubetech.com/
Identiverse, Boston, 27th June 2018
2. Masterclass on the DID Universal Resolver
1. Decentralized Identifiers (DIDs)
2. DID Universal Resolver
3. What to do with DIDs?
3. Decentralized Identifiers (DIDs)
Motivation:
Emerging paradigm of “self-sovereign identity” (SSI).
Digital identity that does not depend on central authorities or intermediaries.
Digital identity, relationships, data sharing, messaging, etc. requires identifiers.
Today’s identifiers are not “self-sovereign” (they can be taken away from you).
DIDs are:
“Self-sovereign” identifiers for individuals, organizations, things.
Persistent, decentralized, dereference-able, cryptographically verifiable.
Registered using wallets and blockchains, or other decentralized architectures.
DIDs are not:
DNS-based identifiers.
A standard or broadly adopted (yet).
Human-memorable (like usernames or e-mail addresses).
4. Decentralized Identifiers (DIDs)
Background:
W3C Web Payments Working Group and Verifiable Claims Task Force
OASIS XDI TC Registry Working Group
Internet Identity Workshop, Rebooting-the-Web-of-Trust
Grant by U.S. Department of Homeland Security
Decentralized Public Key Infrastructure DPKI (December 2015)
Decentralized Identifiers 1.0 Implementer’s Draft 01 (November 2016)
More Community Drafts (2017-2018)
W3C Working Group (2019)
5. Decentralized Identifiers (DIDs)
Example DID:
Registered in a blockchain or other decentralized network, without intermediary.
Generation of and control over the DID lies with the identity owner (e.g. through private keys in a wallet).
Ledger-agnostic.
6. DID Resolution
DID Resolution: DID → DID Document
Set of public keys
Set of service endpoints
Timestamps, proofs
Other identifier metadata
May be dynamically constructed rather than actually stored in this form.
Resolution parameters can select parts of the DID document.
Example DID Document:
{
  "@context": "https://w3id.org/did/v1",
  "id": "did:sov:WRfXPg8dantKVubE3HX8pw",
  "service": {
    "type": "hub",
    "serviceEndpoint": "https://azure.microsoft.com/dif/hub/did:sov:WRfXPg8dantKVubE3H"
  },
  "publicKey": [
    {
      "id": "did:sov:WRfXPg8dantKVubE3HX8pw#key-1",
      "type": "Ed25519VerificationKey2018",
      "publicKeyBase58": "H3C2AVvLMv6gmMNam3uVAjZpfkcJCwDmqPV"
    }
  ],
  "authentication": {
    "type": "Ed25519SignatureAuthentication2018",
    "publicKey": [
      "did:sov:WRfXPg8dantKVubE3HX8pw#key-1"
    ]
  }
}
7. DID Methods
Different DID “methods”:
did:sov, did:btcr, did:v1, did:uport, …
Different methods have different strengths
Define method-specific syntax
Define CRUD for DIDs:
Create, Read (Resolve), Update, Delete (Revoke)
All methods need:
A DID method specification (W3C)
An implementation of a “resolver”
Method       DID Prefix
Sovrin       did:sov:
Veres One    did:v1:
uPort        did:uport:
Bitcoin      did:btcr:
Blockstack   did:stack:
ERC725       did:erc725:
IPFS         did:ipid:
8. Masterclass on the DID Universal Resolver
1. Decentralized Identifiers (DIDs)
2. DID Universal Resolver
3. What to do with DIDs?
9. DID Universal Resolver
Looks up (“resolves”) a DID to its DID Document.
Provides a universal API that works with all DID methods.
Uses a set of configurable “drivers” that know how to connect to the target system.
Can return metadata about the resolution process.
https://uniresolver.io/
10. DID Universal Resolver
Open Source maintained by Decentralized Identity Foundation.
Can be built and deployed using Docker containers.
Can be deployed and used in different ways:
as a hosted service.
from a command line.
integrated in client applications.
Community maintains “drivers”.
https://uniresolver.io/
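The resolver architecture from the last two slides (DID syntax, one driver per method, DID document plus resolution metadata, fragment selection), as an added example in JavaScript. This is not code from the deck or from the DIF Universal Resolver project; the driver ids, the in-memory "ledgers" and the error names are constructed for the example, and the sample document is the one shown on the slide.

```javascript
// Added example, not code from the deck or from the DIF Universal Resolver
// project: a minimal resolver in the style the slides describe. A DID is
// parsed into method and method-specific id, dispatched to the driver
// configured for that method, and the DID document is returned together with
// metadata about the resolution. Driver ids and the in-memory "ledgers" are
// constructed for this example; the sample document is the one on the slide.

// did:<method>:<idstring>, optionally followed by a fragment that selects
// one entry (key or service) of the DID document.
const DID_PATTERN = /^did:([a-z0-9]+):([A-Za-z0-9._:-]+)(?:#([A-Za-z0-9._-]+))?$/;

function parseDid(did) {
  const m = DID_PATTERN.exec(did);
  if (!m) return null;
  return { method: m[1], idstring: m[2], fragment: m[3] || null };
}

// A driver knows how to talk to one target system. These drivers read from
// constructed in-memory maps instead of a real ledger.
function makeLedgerDriver(driverId, ledger) {
  return {
    driverId,
    read(idstring) {
      const doc = ledger.get(idstring);
      // Hand out a copy so callers cannot mutate the driver's state.
      return doc ? JSON.parse(JSON.stringify(doc)) : null;
    },
  };
}

const SOV_LEDGER = new Map([
  ['WRfXPg8dantKVubE3HX8pw', {
    '@context': 'https://w3id.org/did/v1',
    id: 'did:sov:WRfXPg8dantKVubE3HX8pw',
    publicKey: [{
      id: 'did:sov:WRfXPg8dantKVubE3HX8pw#key-1',
      type: 'Ed25519VerificationKey2018',
      publicKeyBase58: 'H3C2AVvLMv6gmMNam3uVAjZpfkcJCwDmqPV',
    }],
    authentication: {
      type: 'Ed25519SignatureAuthentication2018',
      publicKey: ['did:sov:WRfXPg8dantKVubE3HX8pw#key-1'],
    },
  }],
]);

// Driver configuration: one driver per supported DID method.
const DRIVERS = new Map([
  ['sov', makeLedgerDriver('driver-did-sov', SOV_LEDGER)],
  ['v1', makeLedgerDriver('driver-did-v1', new Map())],
]);

// Return the key or service entry whose id is <did>#<fragment>, if any.
function selectFragment(doc, fragment) {
  const target = `${doc.id}#${fragment}`;
  const entries = [].concat(doc.publicKey || [], doc.service || []);
  return entries.find((e) => e.id === target) || null;
}

// Universal resolve: failures are reported in resolutionMetadata rather than
// thrown, so a client always gets the metadata about what happened.
function resolve(did, drivers = DRIVERS) {
  const started = Date.now();
  const meta = (extra) => ({
    retrieved: new Date(started).toISOString(),
    duration: Date.now() - started,
    ...extra,
  });
  const fail = (extra) => ({ didDocument: null, content: null, resolutionMetadata: meta(extra) });

  const parsed = parseDid(did);
  if (!parsed) return fail({ error: 'invalidDid' });
  const driver = drivers.get(parsed.method);
  if (!driver) return fail({ error: 'methodNotSupported', method: parsed.method });

  const base = { driverId: driver.driverId, method: parsed.method };
  const didDocument = driver.read(parsed.idstring);
  if (!didDocument) return fail({ ...base, error: 'notFound' });
  // Sanity check on the driver's answer: the document must describe the DID
  // that was asked for, otherwise a misbehaving driver could substitute keys.
  if (didDocument.id !== `did:${parsed.method}:${parsed.idstring}`) {
    return fail({ ...base, error: 'idMismatch' });
  }
  const content = parsed.fragment ? selectFragment(didDocument, parsed.fragment) : didDocument;
  return { didDocument, content, resolutionMetadata: meta(base) };
}
```

Resolving `did:sov:WRfXPg8dantKVubE3HX8pw#key-1` returns the full document in `didDocument` and just the selected key entry in `content`; an unknown method, a malformed DID or a missing identifier is reported as an `error` field in the metadata.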
14. DID Auth
DID-based authentication protocol.
Identity owner interacts with a relying party.
Prove control over a DID using a cryptographic challenge/response protocol.
Uses “publicKey” and “authentication” blocks in a DID document.
Different architectures and scenarios.
See RWoT did_auth_draft.md
15. Agents, Hubs, Personal Data Stores, etc.
Layers: Identity Owner Layer, Edge/App Layer, Cloud/Agent Layer, Blockchain/DLT Layer
Identity owners: Individuals, Companies, Public Institutions, Things
16. Other Topics
Decentralized Key Management System: DKMS
Encryption protocols: DID-TLS, DID-PGP, DID-SSH
Human-readable names: DID Names, ENS, BNS, e.g. “markus.id”
Off-ledger DIDs: stored only on peer-to-peer microledgers; GDPR compliance
Pairwise-pseudonymous DIDs: support “directed identity”; avoid correlation
Integration of DIDs with OAuth 2, OpenID Connect, FIDO WebAuthn, UMA
Integration of DIDs with HTTP URIs, Semantic Web, Linked Data Platform, ActivityPub, WebID, Solid, XDI
Other DID tools: Universal Registrar, did-client CLI
17. Rebooting-the-Web-of-Trust
Internet Identity Workshop
DIDs: W3C Credentials CG, v0.10 Draft Community Report
DIDs: W3C DID WG, charter now being written
Yadis, XRI, XRD, XRDS, JRD, Webfinger
DID registered prov. URI scheme
DID method specs
W3C Web Payments CG
OASIS XDI TC
W3C JSON-LD 1.1
W3C Cryptographic Suites
RFC 7517: JWK
Verifiable Credentials
DKMS, DID Auth
Hubs, Agents, XDI