Decentralized Identity

Self-Sovereign Identity is the foundational principle that individuals or entities should have exclusive ownership and control over their identity data. This means:

• No central registry holds the master copy of your credentials.
• Users decide what to share, with whom, and for how long.
• It is implemented using cryptographic keys held in a user's wallet, enabling them to prove ownership without relying on an intermediary.

A Decentralized Identifier is a new type of globally unique identifier that does not require a central registration authority. Key characteristics include:

• Verifiable: Resolves to a DID Document containing public keys and service endpoints.
• Persistent: Designed to be long-lived and not reliant on a single company's infrastructure.
• Cryptographically verifiable: Enables proof of ownership via digital signatures.
• Example formats: did:ethr:0x..., did:key:z6Mk... as defined by the W3C standard.

Verifiable Credentials are tamper-evident digital claims (like a driver's license or university degree) issued by an issuer to a holder. Their core features are:

• Cryptographic Proof: Integrity and origin are secured with digital signatures.
• Selective Disclosure: Holders can prove specific attributes (e.g., "over 21") without revealing the entire credential.
• Standardized Data Model: Based on the W3C Verifiable Credentials Data Model, ensuring interoperability across different systems.

Zero-Knowledge Proofs are cryptographic methods that allow a user (the prover) to prove a statement is true to a verifier without revealing the underlying data. This is critical for privacy in decentralized identity, enabling:

• Minimal disclosure: Proving you are over 18 without revealing your birth date.
• Data minimization: Sharing only the proof, not the raw credential.
• Privacy-preserving verification: Enables trustless verification while protecting user data from correlation and surveillance.

A core goal of decentralized identity is to create systems that work across different platforms, jurisdictions, and use cases. This is achieved through:

• Open Standards: Adherence to W3C's DID and Verifiable Credentials specifications.
• Portable Identifiers: Your DID is not locked to a single vendor or blockchain.
• Universal Resolvers: Software that can resolve any DID method to its corresponding DID Document, enabling cross-system verification.

Data Vaults (or Identity Wallets) are the user-controlled storage and management layer for decentralized identity assets. They provide:

• Secure Storage: Houses private keys, DIDs, and Verifiable Credentials, often using hardware security modules or secure enclaves.
• Consent Management: A user interface for managing sharing permissions and access logs.
• Agent Capability: Can run background processes to facilitate credential exchange and proof generation without constant user input.

The foundational component: a globally unique identifier (e.g., did:ethr:0xabc...) that is owned and controlled by the subject, not a central registry. It resolves to a DID Document containing public keys and service endpoints.

• Mechanism: Stored on a verifiable data registry (like a blockchain or distributed ledger).
• Use: Enables secure, cryptographic authentication and interaction. Different DID methods exist for various blockchains (e.g., did:ethr, did:ion).

Enables users to carry their reputation, achievements, and social connections across different platforms, breaking down data silos.

• Mechanism: Achievements, reviews, or follower networks are issued as Verifiable Credentials or stored in a user's decentralized profile.
• Example: A developer's contribution history on GitHub could be attested and used to gain trust in a freelance platform's reputation system without manual verification.

Streamlines regulatory compliance (like KYC/AML) by allowing users to share only the minimum required information.

• Process: A regulated exchange performs KYC once and issues a credential stating "User X is verified." The user can then present this credential to other services, which only verify the issuer's signature.
• Benefit: Enhances user privacy, reduces redundant checks, and lowers compliance costs through zero-knowledge proofs.

A Decentralized Identifier (DID) is a unique, self-owned identifier (e.g., did:ethr:0xabc123...) anchored on a blockchain or decentralized network. Verifiable Credentials (VCs) are tamper-proof digital claims (like a diploma or passport) issued by trusted entities and cryptographically signed, which can be presented to verifiers. The holder controls both the DID and which VCs to share.

DID systems shift control from service providers to the user through self-sovereign identity (SSI) principles. Users store credentials in a personal digital wallet and share only the specific, minimal data required via selective disclosure. This reduces data breaches and eliminates the need for repetitive KYC checks across different dApps and services.

• Sybil Resistance & Governance: Proving unique personhood for fair voting in DAOs using proof-of-personhood credentials.
• Access Control: Gating token-gated communities or content based on verifiable credentials like NFT ownership or membership status.
• DeFi & Compliance: Streamlining Know Your Customer (KYC) processes by allowing users to re-use verified credentials from regulated issuers.
• Reputation Portability: Building a reusable, cross-platform reputation score or history.

Interoperability is driven by W3C standards: W3C Decentralized Identifiers (DIDs) and W3C Verifiable Credentials (VCs). Implementation protocols include:

• Ethereum's ERC-725/735: Standards for managing identity and claims on-chain.
• Veramo: A framework for building DID/VC applications.
• Sidetree (ION): A layer-2 protocol for creating scalable DIDs on Bitcoin or Ethereum.
• Ceramic Network: A decentralized data network for managing dynamic, user-controlled data linked to DIDs.

Sign-In with Ethereum (EIP-4361) is a foundational DID use case. It allows users to authenticate to websites by signing a message with their Ethereum wallet, proving control of the address without intermediaries. This creates a cryptographically verifiable link between an Ethereum account and a user's identity, serving as a building block for more complex credential systems.

• Key Management: User responsibility for securing private keys; loss means loss of identity.
• Interoperability: Ensuring credentials from one issuer are accepted by verifiers in another ecosystem.
• Revocation: Efficiently revoking credentials without centralized registries.
• Privacy: Balancing selective disclosure with the inherent transparency of public blockchains, often addressed using zero-knowledge proofs (ZKPs).
• Adoption: Achieving critical mass of issuers and verifiers to create network effects.

The core security of a DID rests with the user's private key. Unlike a recoverable password, losing this key means permanent, irrevocable loss of the identity and all associated credentials. This places the burden of secure key storage—using hardware wallets, secure enclaves, or multi-party computation—directly on the user, a major point of failure for non-technical individuals.

A fundamental challenge is preventing Sybil attacks, where a single entity creates a large number of fake identities to manipulate a system. Without a central issuer, proving the uniqueness of a person (e.g., for voting or airdrops) is difficult. Solutions like proof-of-personhood protocols (e.g., Worldcoin) or trusted credential attestations introduce new trade-offs between privacy, decentralization, and security.

Revoking a compromised or expired Verifiable Credential (VC) is a complex problem in decentralized systems. Common mechanisms include:

• Status lists (e.g., W3C Status List 2021) that must be checked by verifiers.
• Accumulator-based revocation (e.g., using Merkle trees). Each method adds complexity and requires the verifier to check an external data source, potentially breaking offline verification promises.

Despite using pseudonymous Decentralized Identifiers (DIDs), poor practices can lead to identity correlation and privacy leaks. Risks include:

• Transaction graph analysis on public ledgers linking DID activities.
• Reusing the same DID across multiple contexts, creating a comprehensive profile.
• Selective disclosure mechanisms (like zero-knowledge proofs) must be correctly implemented to prevent data leakage.

DID methods built on smart contract platforms (e.g., Ethereum for ERC-725/735) inherit blockchain risks:

• Smart contract bugs in the registry or credential logic can lead to identity theft or lockup.
• Upgradability vs. immutability trade-offs: a fixable contract is centralized, while an immutable one is permanently vulnerable.
• Gas costs and network congestion can make essential operations like revocation prohibitively expensive.

Users remain the weakest link. Attackers can:

• Trick users into signing malicious transactions that transfer control of their DID (authorization phishing).
• Create fake verification sites to steal credentials.
• Exploit confusion between similar-looking DIDs or decentralized domain names (like .eth). User education on transaction signing is critical, as there is no central authority to reverse fraudulent actions.

A Zero-Knowledge Proof is a cryptographic method where one party (the prover) can prove to another (the verifier) that a statement is true without revealing any information beyond the validity of the statement itself.

• Critical for Privacy: Enables selective disclosure in Verifiable Credentials.
• Example: Proving you are over 21 without revealing your exact birth date or other personal data.
• Technology: Implemented using protocols like zk-SNARKs and zk-STARKs.

A DID Method defines the specific operations (create, read, update, deactivate) for a particular type of Decentralized Identifier on a given verifiable data registry, such as a blockchain.

• Specification: Each method is defined in its own specification (e.g., did:ethr, did:ion, did:key).
• Registry Role: Specifies how the DID and its associated DID Document are anchored to a ledger (e.g., Ethereum, Bitcoin, IOTA).
• Interoperability: Different methods can coexist, with universal resolvers fetching documents from various ledgers.

A Verifiable Presentation is data derived from one or more Verifiable Credentials, packaged by a holder for presentation to a verifier.

• Purpose: Allows the holder to combine and selectively disclose claims from multiple credentials in a single, verifiable package.
• Contains: Includes the presented data, proof of data integrity, and proof that the presenter is the legitimate holder of the credentials.
• Flow: Completes the trust triangle between Issuer, Holder, and Verifier in the SSI model.