Decentralized Public Key Infrastructure (DPKI)

DPKI replaces centralized Certificate Authorities (CAs) with a decentralized network of validators or a blockchain itself as the root of trust. This eliminates single points of failure and censorship, as no single entity controls the issuance or revocation of credentials. Trust is established through cryptographic consensus rather than organizational hierarchy.

Users hold and control their own verifiable credentials and Decentralized Identifiers (DIDs) in a personal wallet, rather than having them managed by a service provider. This enables selective disclosure, where users can prove specific claims (e.g., age > 18) without revealing their entire identity document. It forms the basis for user-centric data ownership.

All assertions and credentials in a DPKI system are secured with digital signatures (e.g., using EdDSA or ECDSA). Any party can cryptographically verify the authenticity and integrity of a credential without querying a central database. This creates cryptographic proof of issuance and ensures credentials cannot be tampered with.

Key events—such as the issuance, suspension, or revocation of DIDs and credentials—are recorded on a public blockchain or distributed ledger. This creates a permanent, tamper-evident history that anyone can audit. It provides non-repudiation and transparency for all trust operations within the system.

DPKI relies on open W3C standards like Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs) to ensure systems from different providers can interact. These standards define data models and protocols, enabling a globally interoperable ecosystem for decentralized identity, unlike the siloed nature of traditional PKI.

Because the trust framework is distributed across a peer-to-peer network, DPKI systems have no central service to be taken offline via DDoS attacks or administrative action. This provides censorship resistance and high availability, ensuring identity verification functions even if parts of the network are compromised or unreachable.

A Decentralized Identifier (DID) is the foundational identifier in DPKI, a globally unique string (e.g., did:ethr:0xabc123...) that an entity controls without a central registry. It resolves to a DID Document containing public keys, service endpoints, and authentication protocols. This enables self-sovereign identity, where users prove ownership cryptographically.

Verifiable Credentials are tamper-evident digital claims (like a driver's license or university degree) issued by an authority to a holder. Built on DIDs, they use cryptographic signatures to allow the holder to present proofs without revealing the underlying data. This enables selective disclosure and zero-knowledge proofs, forming the basis for trustless verification in DPKI ecosystems.

In DPKI, a public blockchain (e.g., Ethereum, Bitcoin) serves as the immutable, decentralized root of trust. It anchors DID documents and credential status registries (like revocation lists). This eliminates single points of failure and censorship, as trust is derived from the network's consensus and cryptographic security instead of a central Certificate Authority (CA).

DPKI shifts key management responsibility to the user. Methods include:

• Smart Contract Wallets: Social recovery via guardians.
• Hardware Security Modules (HSMs): Secure key storage.
• Decentralized Key Escrow: Shamir's Secret Sharing across a network. This contrasts with CA-issued certificates, where revocation and re-issuance are centrally managed.

DPKI is built on open standards to ensure interoperability. Key specifications include:

• W3C DID Core: Defines the DID data model and resolution.
• W3C Verifiable Credentials Data Model: Standardizes credential format and proof types.
• DID Methods: Implementation-specific rules (e.g., did:ethr, did:web) for different blockchains or networks.

DPKI enables new trust models:

• Self-Sovereign Identity (SSI): User-controlled digital IDs.
• Decentralized Access Control: Logging into dApps and services without passwords.
• Supply Chain Provenance: Verifiable credentials for product authenticity.
• Decentralized Autonomous Organizations (DAOs): Member verification and voting.

The traditional, centralized system for managing digital certificates that bind public keys to entity identities (e.g., websites, individuals). It relies on a hierarchy of trusted Certificate Authorities (CAs) like DigiCert or Let's Encrypt to issue and revoke certificates. This model creates single points of failure and control, which DPKI aims to decentralize.

A foundational component of DPKI. DIDs are a new type of identifier that are globally unique, persistent, and verifiable without a central registry. They are controlled by the identity holder (e.g., did:ethr:0xabc123...). DIDs resolve to DID Documents, which contain public keys and service endpoints, forming the core of a self-sovereign identity system.

Tamper-evident digital credentials whose authorship and integrity can be cryptographically verified. Built on top of DPKI and DIDs, they enable trusted data exchange. For example, a university could issue a Verifiable Credential (a diploma) to a student's DID, which the student can then present to an employer without involving the university in the verification process.

A common implementation pattern for DPKI where a blockchain (e.g., Ethereum, Bitcoin) acts as the decentralized, tamper-proof anchor for identity data. It is used to:

• Record the creation and control of DIDs.
• Anchor cryptographic proofs (like Merkle roots) of credential schemas or revocation registries.
• Provide a global, consensus-driven state for key management events.

The secure generation, storage, and usage of cryptographic key pairs without a central authority. In DPKI, this often involves:

• Hierarchical Deterministic (HD) Wallets for deriving multiple keys from a single seed.
• Distributed Key Generation (DKG) protocols for creating keys across multiple parties.
• Secure enclaves or hardware security modules for private key protection, shifting trust from institutions to technology.

An alternative, non-hierarchical trust model to PKI, where trust is established through a network of peer-to-peer attestations (e.g., PGP/GPG). Users sign each other's public keys to create a decentralized trust graph. While conceptually similar to DPKI, WoT often lacks the global verifiability and scalable automation that blockchain-based DPKI systems provide.