DID Rotation

The primary security use case. When a private key is lost, stolen, or suspected to be compromised, DID rotation allows the controller to generate a new key pair and deactivate the old DID document. This action severs the attacker's access while preserving the identity's relationships and verifiable credentials, which can be re-issued to the new DID. This is analogous to revoking a compromised credit card and issuing a new one with a different number.

A best practice for minimizing attack surfaces. Organizations and users can implement scheduled, periodic rotations to limit the cryptographic exposure window of any single key pair. This practice, often mandated in enterprise security policies, reduces the impact of undetected key leaks and aligns with cryptographic agility principles, ensuring identities can migrate to newer, more secure algorithms (e.g., from RSA to Ed25519) as standards evolve.

Enables fine-grained control over authorization. A single entity (person or organization) can rotate a DID to create distinct identifiers for different roles or contexts. For example:

• A developer DID for committing code.
• A deployer DID for signing smart contract transactions.
• A governance DID for voting in a DAO. Rotation allows these roles to be managed independently, revoked separately, and audited clearly, implementing the principle of least privilege.

Manages identity continuity during corporate or structural changes. When departments merge, subsidiaries are spun off, or legal entities change, the controlling organization can rotate the DID to reflect the new administrative authority. The new DID document can list updated endpoints, legal names, or service endpoints, while cryptographic proofs can link the new DID to the legacy one, providing an auditable chain of custody for the identity's assets and permissions.

Mitigates correlation and tracking across different services. A user can rotate their DID between interactions with different verifiers or relying parties. This prevents these parties from colluding to build a comprehensive profile of the user's activities across the web. Techniques like pairwise pseudonymous DIDs often use rotation under the hood, generating a unique DID for each relationship to enhance user privacy.

Facilitates adherence to data protection laws like GDPR's right to erasure ('right to be forgotten'). While blockchain data is often immutable, DID rotation provides a mechanism to deactivate an old DID that is associated with personal data. The controller can point to a new, active DID, effectively rendering the old identifier and its linked data obsolete and non-operational for future interactions, helping to satisfy regulatory obligations.

The primary security function of DID rotation is to recover from a compromised private key. This process involves:

• Revoking the verification methods (public keys) in the current DID document that are suspected to be compromised.
• Adding new, secure verification methods to the DID document.
• Updating the DID document's controller or authentication section to use the new keys, effectively transferring control.

Beyond key compromise, rotation manages changes in ownership or delegation. This includes:

• Transferring Control: Changing the controller property of a DID document to a new entity (e.g., transferring asset ownership).
• Updating Delegates: Rotating the DIDs of delegated authorities or guardians authorized to make updates on behalf of the primary controller, common in organizational or multi-sig scenarios.

The specific mechanics of rotation are defined by the DID method (e.g., did:ethr, did:key, did:ion). Common patterns include:

• On-Chain Updates: For blockchain-based methods (e.g., did:ethr), rotation is a transaction that updates a smart contract or registry.
• Sidetree Protocol: Methods like did:ion use an append-only ledger and conflict-free resolution to create a new DID document version, anchoring proof in a blockchain.
• Verifiable Data Registry: The updated DID document is published to the method's designated registry, providing cryptographic proof of the change.

Rotation leverages DID URLs with versioning parameters to reference specific states of the DID document.

• A basic DID (e.g., did:example:123) resolves to the latest version.
• A version-specific DID URL (e.g., did:example:123?versionId=5) pins to a historical document, allowing verifiers to check signatures against the key active at the time of signing.
• This is crucial for long-term verifiability of credentials and transactions signed under previous key rotations.

To prevent lockout during rotation (e.g., losing all keys), DIDs often incorporate recovery schemes:

• Recovery Keys: Designated keys, stored separately, with sole power to rotate the primary keys.
• Guardian DIDs: A set of trusted DIDs (friends, institutions) that can collectively authorize a recovery operation via a threshold signature.
• Social Recovery Models: Popularized by systems like Ethereum Name Service (ENS) and certain blockchain wallets, allowing a pre-defined group to facilitate account recovery.

DID rotation has direct implications for higher-layer protocols:

• Verifiable Credentials (VCs): Issuers and holders must manage rotations to ensure VCs remain verifiable. An issuer's rotation requires re-issuance or selective disclosure of proof methods.
• Decentralized SSO: Authentication systems relying on DIDs (e.g., Sign-In with Ethereum) must handle key rotation seamlessly for users, often by checking the latest DID document during the authentication challenge.
• Protocol Support: Standards like DIDComm and OIDC4VP are being extended to signal and handle key rotation events.

A Decentralized Identifier (DID) is a globally unique, persistent identifier that does not require a centralized registry. It is the foundational component that gets rotated. DIDs are typically stored on a verifiable data registry like a blockchain and are controlled by the subject via cryptographic keys.

• Example: did:ethr:0xabc123...
• Purpose: Enables self-sovereign identity without relying on a central authority.

A Verifiable Credential (VC) is a tamper-evident digital claim issued by one party to another. DID rotation requires re-binding these credentials to the new DID. VCs are cryptographically signed and can be independently verified.

• Key Role: Credentials must be re-issued or re-linked to the new DID after rotation.
• Standard: Defined by the W3C Verifiable Credentials Data Model.

A DID Document is a JSON-LD document containing the public keys, authentication mechanisms, and service endpoints associated with a DID. It is the target of a rotation update.

• Content: Contains the publicKeyMultibase and verificationMethod entries for the new keys.
• Update Mechanism: Rotation is executed by publishing a new DID Document to the underlying registry, superseding the old one.

A DID Method defines the specific operations (create, read, update, deactivate) for a particular blockchain or network. It specifies the precise rules for how DID rotation is performed on that ledger.

• Examples: did:ethr (Ethereum), did:ion (Bitcoin/Sidetree), did:key.
• Governance: Each method has its own specification for updating the DID Document, which dictates the rotation procedure.

Key Rotation is the cryptographic practice of periodically replacing an existing cryptographic key pair with a new one. DID rotation is a specific application of this practice at the identifier level.

• Core Security Practice: Mitigates risk from key compromise or cryptographic weakening over time.
• Difference: Key rotation changes the authentication mechanism; DID rotation changes the identifier itself, though they often occur together.

Recovery Mechanisms are protocols or smart contracts that allow a DID controller to regain control if their primary keys are lost. These are crucial for planning rotations and managing key lifecycle.

• Common Patterns: Use of guardians, social recovery, or time-locked backups.
• Purpose: Ensures the new DID and keys from a rotation process can be securely managed and are not permanently lost.