DID Auth

The foundational standard defining the data model for Decentralized Identifiers (DIDs) and their associated DID Documents. A DID Document is a JSON-LD file containing public keys, verification methods, and service endpoints, enabling cryptographic proof of control. It is the core resource that DID Auth protocols query and verify.

A W3C standard for tamper-evident credentials that can be cryptographically verified. DID Auth is often used to prove control over the DID that issued or holds a VC. Key components:

• Issuer: Signs the credential with their DID.
• Holder: Presents the credential, proving control of their DID.
• Verifier: Uses DID Auth to verify the holder's proof and the issuer's signature.

Self-Issued OpenID Connect Provider v2 is a profile of OIDC that uses DIDs. It allows users to act as their own identity provider. In this flow:

• The Relying Party requests authentication.
• The user's SIOP wallet creates a Verifiable Presentation signed with their DID.
• The RP verifies the signature against the user's public key in their DID Document, achieving DID Auth within the familiar OIDC framework.

Simple, widely used DID methods for prototyping and certain production uses.

• did:key: Generates a DID directly from a public key (e.g., did:key:z6Mk...). It's self-contained, with the DID Document derivable from the key itself. Perfect for peer-to-peer DID Auth.
• did:web: Resolves a DID to a JSON document hosted at a predictable HTTPS URL (e.g., did:web:example.com). Provides a bridge to web infrastructure while using the DID Auth verification model.

A DID method using Ethereum addresses and smart contracts. The did:ethr method (e.g., did:ethr:0x...) enables DID Auth where:

• The user's Ethereum account (EOA or smart contract) is the DID controller.
• Verification methods are Secp256k1 keys or EIP-712 typed data signatures.
• A global Ethereum DID Registry smart contract (like 0xdca7ef...) manages public key updates and delegates, allowing for key rotation and recovery.

The Credential Handler API is a browser API that facilitates communication between websites and identity wallets. It standardizes the request/response flow for DID Auth and Verifiable Credentials. When a site requests a credential, CHAPI prompts the user's wallet, which then performs the necessary cryptographic signing (proving DID control) and returns the Verifiable Presentation to the site for verification.

A Decentralized Identifier (DID) is a globally unique, persistent identifier that does not require a centralized registry. It is the foundational component referenced in DID Auth. A DID is typically a URI that points to a DID Document, which contains the public keys and service endpoints necessary for authentication and interaction.

• Structure: did:method:method-specific-identifier (e.g., did:ethr:0xabc...).
• Control: Owned and controlled by the subject (user, organization, device) via cryptographic keys.
• Resolution: The process of fetching the associated DID Document from a verifiable data registry (like a blockchain).

A Verifiable Credential is a tamper-evident digital claim issued by an authority that can be cryptographically verified. DID Auth is often used to prove control of the DID that is the subject of a VC or that is authorized to present it.

• Components: Contains claims, metadata, and cryptographic proofs.
• Presentation: A Verifiable Presentation is the data format used to share one or more VCs, often secured by a DID Auth proof.
• Use Case: A university issues a degree VC to a student's DID. The student uses DID Auth to prove control of that DID when presenting the VC to an employer.

DIDComm is a secure, peer-to-peer messaging protocol built on DIDs and Verifiable Credentials. It provides a transport layer for DID Auth interactions and other identity operations.

• Encryption: Messages are encrypted end-to-end using keys from the participants' DID Documents.
• Protocols: Defines standard sequences for interactions like connection establishment, credential issuance, and proof presentation, which rely on DID Auth for authentication.
• Agent-Based: Typically implemented by wallets or agents that handle cryptographic operations on behalf of the DID controller.

Self-Sovereign Identity (SSI) is a model for digital identity where individuals or entities have sole ownership and control over their identity data without relying on centralized authorities. DID Auth is a critical technical mechanism enabling SSI.

• Principles: Includes user control, portability, interoperability, and minimal disclosure.
• Architecture: Built on the triad of DIDs, Verifiable Credentials, and Verifiable Data Registries.
• Role of Auth: DID Auth allows the SSI principal to cryptographically prove control of their identity (DID) to any verifier, fulfilling the core tenet of self-sovereignty.

A Verifiable Presentation is the data format in which a holder (the subject of a credential) presents one or more Verifiable Credentials to a verifier. DID Auth is the mechanism that cryptographically binds the presentation to the presenter's DID.

• Structure: Packages VCs and includes a proof section.
• Authentication Proof: This proof is generated using the private key of the presenter's DID, demonstrating they are the legitimate holder.
• Selective Disclosure: Enables the holder to reveal only specific attributes from their VCs within the presentation.

OAuth 2.0 and OpenID Connect are incumbent centralized authorization and authentication protocols. DID Auth and the broader SSI stack are often positioned as decentralized alternatives or extensions to these models.

• Comparison: OIDC relies on a centralized Identity Provider (IdP). DID Auth uses a user-controlled DID as the identity anchor.
• SIOPv2: The Self-Issued OpenID Provider v2 profile bridges these worlds, allowing a DID to act as its own OpenID Provider, using DID Auth for the core proof.
• Integration: This enables DIDs to be used for logging into existing OAuth/OIDC-reliant applications.