Why Decentralized Identifiers (DIDs) Are Not a Silver Bullet

DIDs need a root-of-trust to be useful. On-chain, this defaults to capital or existing credentials, creating a new class of gatekeepers.

• Proof-of-Stake wallets become the default DID, reinforcing wealth-based identity.
• Off-chain attestations from governments or corporations reintroduce centralization.
• Without a cost, DIDs are worthless for spam prevention (see: Gitcoin Passport's evolving model).

W3C standards are a starting point, not a solution. Real-world adoption requires protocol-level integration, which is fragmented.

• Ethereum's EIP-712 signatures are a de facto standard, but rollups and alt-L1s create silos.
• Verifiable Credentials lack a universal revocation registry, making them brittle.
• Projects like ENS and Unstoppable Domains compete, not collaborate, on resolution standards.

Zero-knowledge proofs (ZKPs) enable selective disclosure, but regulatory frameworks like GDPR's 'Right to be Forgotten' are fundamentally incompatible with immutable ledgers.

• On-chain DIDs are permanent. Deletion is impossible, only revocation.
• ZK DIDs (e.g., Sismo, Polygon ID) shift trust to the prover, requiring constant cryptographic overhead.
• True privacy requires complex, expensive tech, while regulators demand simple audit trails.

Beyond airdrop farming, DIDs lack killer apps because they solve a backend problem, not a user problem.

• DeFi protocols prioritize capital efficiency, not identity (see: MakerDAO's real-world asset reliance on TradFi legal entities).
• Social graphs (Lens, Farcaster) are walled gardens; portable identity doesn't equal portable network effects.
• Until a major protocol mandates a DID for >50% cost savings, adoption will be niche.

DIDs don't solve Sybil attacks; they externalize the problem to centralized verifiers. The DID document is just a pointer, not proof of humanity.

• Key Risk: Reliance on KYC providers like Civic or proof-of-personhood oracles (Worldcoin) reintroduces centralization.
• Key Risk: Attackers can generate infinite DIDs for ~$0.01 in gas fees, forcing protocols to build secondary reputation layers.

DID resolution depends on the availability of its method's driver (e.g., did:ethr, did:web). This creates a critical liveness dependency.

• Key Risk: If the IPFS gateway for a did:web endpoint or the Ethereum RPC for did:ethr fails, identity verification halts.
• Key Risk: Resolution latency of 500ms-5s is unacceptable for high-frequency DeFi or gaming interactions, forcing local caching that defeats freshness.

DIDs shift complexity to key custody, where UX failures cause catastrophic loss. The average user cannot securely manage Ed25519 or secp256k1 private keys.

• Key Risk: Social recovery systems (e.g., ERC-4337 smart accounts) become mandatory, creating a meta-layer of centralized guardians or complex multisigs.
• Key Risk: This creates a protocol design trap: you either accept key loss or rebuild a centralized recovery service, negating DID's sovereignty promise.

W3C DID standards promise interoperability, but in practice, each method (did:ion, did:key, did:jwk) creates a silo. Verifiers must support a growing suite of drivers.

• Key Risk: Fragmentation forces aggregators like SpruceID or Veramo to act as centralized translation layers.
• Key Risk: Selective disclosure (e.g., BBS+ signatures) and zero-knowledge proofs are method-specific, preventing universal privacy-preserving verification.

Storing or verifying DIDs on-chain is prohibitively expensive for mass adoption. Every signature check or state lookup consumes gas.

• Key Risk: A single EIP-1271 signature verification for a smart contract wallet can cost ~100k gas, scaling linearly with users.
• Key Risk: Forces architectures towards off-chain attestations with on-chain pointers (e.g., EAS), trading transparency for cost and creating a separate data availability problem.

DID Method governance is often centralized (e.g., a foundation, a corporate entity). Control over the method specification is control over all dependent identities.

• Key Risk: A method update can brick or censor DIDs, as seen in domain name or CA certificate governance failures.
• Key Risk: Creates meta-governance: protocols must now vote on which DID methods to trust, replicating the political battles of ICANN or W3C.

A DID alone proves nothing. Without a costly attestation layer from Verifiable Credentials (VCs) or Proof of Personhood (PoP) protocols like Worldcoin, DIDs are just empty wallets. The real cost is in the verification, not the identifier.

• Key Insight: DID + VC = ~$2-5/user in attestation costs.
• Key Risk: Unattested DIDs enable Sybil attacks on airdrops and governance.

W3C DID standards are a starting point, not a guarantee. Competing methods from Microsoft ION, Ethereum ENS, and Sovereign chains create fragmented identity silos. Universal resolvers are a theoretical solution with ~500ms+ latency and unresolved governance.

• Key Insight: Portability requires standardized schema and revocation mechanisms.
• Key Risk: Vendor lock-in with proprietary attestation networks.

Zero-knowledge proofs (ZKPs) for selective disclosure (e.g., zk-SNARKs) add ~100-500ms of computation and complex key management. Fully private DIDs are useless for compliance (e.g., FATF Travel Rule), while public DIDs leak correlation data.

• Key Insight: Choose your poison: privacy-preserving (high friction) or compliance-ready (low privacy).
• Key Risk: User error in key custody destroys the identity permanently.

Storing VCs or DID documents on-chain (e.g., Ethereum, Solana) is prohibitively expensive at scale. ~$1-10 per credential update makes frequent attestations unrealistic. Off-chain storage with on-chain pointers (e.g., IPFS, Ceramic) introduces latency and pinning dependency.

• Key Insight: Cost scales with attestation freshness, not user count.
• Key Risk: Centralized pinning services become critical failure points.

Managing seed phrases, signing prompts for every action, and recovery mechanisms cripples adoption. Wallets like MetaMask struggle with key abstraction. Account Abstraction (ERC-4337) and MPC wallets solve key management but add centralization vectors.

• Key Insight: The average user cannot distinguish a DID signature from a transaction approval.
• Key Risk: UX friction leads to custodial solutions, defeating the purpose.

DIDs are infrastructure, not a product. Successful implementations like Gitcoin Passport (sybil-resistant scoring) and Civic (KYC credentials) target narrow problems. Start with the attestation, not the identifier.

• Key Insight: Soulbound Tokens (SBTs) and VCs are the valuable payload; the DID is just the address.
• Key Action: Integrate existing attestation networks (Bloom, Ontology) before rolling your own.