DIDComm

DIDComm is the standard protocol for peer-to-peer presentation and verification of credentials. A user's wallet can securely request a credential (like a proof of age) from an issuer and later present it to a verifier, all via encrypted DIDComm messages. This enables selective disclosure and eliminates the need for centralized verification services.

• Example: A user proves they are over 21 to access a service without revealing their birthdate or other personal data.
• Protocols Used: Issue Credential, Present Proof.

At its core, DIDComm provides end-to-end encrypted communication between software agents acting on behalf of DIDs. Messages are encrypted to the recipient's public key, ensuring privacy and integrity. This forms the foundation for all other use cases.

• Mechanism: Uses authcrypt (authenticated encryption) or anoncrypt for privacy-preserving routing.
• Example: Two digital wallets exchanging messages to negotiate a connection or coordinate a transaction without a central server.

Mobile and web identity wallets use DIDComm as their primary communication layer. They act as user-controlled agents that manage keys, store credentials, and communicate with other entities (issuers, verifiers, other wallets) in a secure, interoperable manner.

• Key Functions: Establishing DIDComm connections, receiving credential offers, responding to proof requests.
• Interoperability: Wallets from different vendors can interact because they adhere to the same DIDComm protocols.

DIDComm is the glue of the Self-Sovereign Identity (SSI) ecosystem, enabling different components to work together. Issuers, verifiers, holders, and hubs (cloud agents) all use standardized DIDComm messages to create a decentralized trust network.

• Role of Protocols: Standardized protocols like DID Exchange and Discover Features ensure agents can discover each other's capabilities and establish connections.
• Impact: Breaks down vendor lock-in and enables a composable identity landscape.

DIDComm can provide secure, identifiable communication for Internet of Things (IoT) devices and autonomous agents. Each device can have a DID and use DIDComm to authenticate itself and share data with authorized entities, enabling decentralized machine ecosystems.

• Use Case: A smart meter (with a DID) securely transmitting usage data to a utility company's verifier agent.
• Benefit: Provides a cryptographic foundation for device identity and data provenance beyond traditional PKI.

Not all agents (like mobile wallets) are always online. Mediators or Cloud Agents act as always-online message relays using DIDComm. A mobile wallet can connect to a cloud agent, which holds encrypted messages on its behalf until it comes online, ensuring reliable asynchronous communication.

• Key Concept: DIDComm message packing (JWM) allows encryption for multiple recipients, enabling the relay to forward messages without being able to read them.
• Enables: 24/7 availability for services needing to reach intermittently connected user agents.

DIDComm is a secure messaging protocol built on W3C Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs). It enables encrypted, authenticated communication directly between two parties, known as agents, without relying on a central server. The protocol uses DID Documents to discover public keys and service endpoints for routing messages, ensuring privacy and data sovereignty.

Communication occurs between software agents (e.g., mobile wallets, cloud agents) acting on behalf of identity holders. This architecture supports:

• Peer-to-peer routing via mediators or relays.
• Asynchronous messaging for offline interactions.
• Multiple encryption layers (e.g., anoncrypt for confidentiality, authcrypt for authenticated encryption). Agents handle key management, message packing/unpacking, and protocol coordination.

A primary use case is the secure issuance, presentation, and verification of Verifiable Credentials. The flow involves:

• Credential Offer: An issuer proposes a credential.
• Credential Request: A holder requests the credential.
• Credential Issuance: The issuer sends the signed VC.
• Proof Presentation: The holder presents a Verifiable Presentation to a verifier. This enables trusted digital interactions like KYC, diplomas, and access permissions.

DIDComm is specified by the Decentralized Identity Foundation (DIF) and is a core component of major SSI ecosystems. Key implementations and adopters include:

• Aries Framework (Hyperledger): Open-source toolkits for building interoperable agents.
• Indy Catalyst: Agent implementations for the Hyperledger Indy blockchain.
• W3C CCG: Collaboration on standards for DID Communication. Its design ensures transport agnosticism, working over HTTP, Bluetooth, or QR codes.

The protocol embeds strong privacy by design principles:

• End-to-end encryption: Messages are encrypted for the recipient's key.
• Sender authentication: Messages can be signed to prove origin.
• Minimal metadata leakage: Routing is separated from content.
• Forward secrecy: Supported through key rotation protocols.
• Selective disclosure: Holders can reveal specific credential attributes without exposing the entire document.

DIDComm enables practical decentralized identity solutions:

• Digital Driver's Licenses: Issued by governments, stored in a mobile wallet.
• Employee Credentials: For secure, remote workplace access.
• Healthcare Credentials: Patient-controlled health records and vaccination proofs.
• Supply Chain Provenance: Verifiable credentials for product origin and handling.
• Decentralized Finance (DeFi): On-chain credential verification for compliant transactions.

A DID Document is a JSON-LD document that describes the cryptographic material, verification methods, and service endpoints associated with a Decentralized Identifier (DID). It is essential for DIDComm's key resolution and routing.

• Contents: Lists public keys, authentication mechanisms, and service endpoints (like a DIDComm messaging inbox).
• Resolution: Fetched from a decentralized ledger or other resolver when a sender needs to communicate with a DID.
• Function: Provides the necessary data to encrypt messages for the DID's controller and discover how to deliver them.

Agent-to-Agent (A2A) communication is the core interaction model of DIDComm, where software agents acting on behalf of DIDs exchange encrypted messages directly, without intermediaries.

• Agents: Can be mobile wallets, cloud services, or IoT devices that manage keys and process protocols.
• Direct Routing: Messages are encrypted for the recipient's DID and routed peer-to-peer or via minimal relays.
• Contrast: Differs from client-server models, giving users full control over their data and interactions.

DIDComm Protocols are standardized, machine-readable sequences of messages that define specific interactions, such as issuing a credential or proving a presentation. They ensure interoperability between different agents.

• Examples: The Issue Credential protocol, Present Proof protocol, and Basic Message protocol.
• Structure: Defined by a protocol URI, roles (issuer/holder), and a state machine for message flow.
• Purpose: Enable predictable, secure, and composable workflows for decentralized identity and data exchange.

AnonCreds (Anonymous Credentials) and the W3C Verifiable Credentials Data Model are the two primary data formats and cryptographic suites used with Verifiable Credentials in the DIDComm ecosystem.

• W3C VC: A flexible, JSON-LD-based standard supporting various cryptographic proofs (e.g., JSON Web Signatures).
• AnonCreds: A ZKP-based credential system offering strong privacy guarantees like selective disclosure and unlinkability.
• Interoperability: DIDComm agents may support one or both standards, influencing the privacy and feature set of credential exchanges.