Digital Identity Wallet

A Decentralized Identifier (DID) is a globally unique, cryptographically verifiable identifier that is created, owned, and controlled by the user, independent of any centralized registry, identity provider, or certificate authority. It is the foundational component of a self-sovereign identity (SSI) system.

• Structure: Typically a URI like did:example:123456789abcdefghi.
• Control: Resolves to a DID Document containing public keys, authentication methods, and service endpoints.
• Examples: did:ethr:, did:key:, did:web: are common DID methods.

A Verifiable Credential (VC) is a tamper-evident digital credential whose authorship can be cryptographically verified. It is the digital equivalent of physical credentials like a passport or university degree, issued by a trusted entity to a holder.

• Structure: A standard data model (W3C VC-DM) containing claims, metadata, and proofs.
• Issuance: Created and signed by an issuer (e.g., a university).
• Verification: The cryptographic signature allows any verifier (e.g., an employer) to confirm its authenticity without contacting the issuer.

A Verifiable Presentation (VP) is a package of data, often containing one or more Verifiable Credentials, that is presented by a holder to a verifier to prove certain claims. It is the mechanism for selective disclosure of identity attributes.

• Purpose: Allows users to share only the specific credentials required for a transaction (e.g., proving age over 21 without revealing birthdate).
• Security: The presentation itself is cryptographically signed by the wallet holder, proving they consented to share the data.
• Format: Can include credentials from multiple issuers in a single, verifiable package.

The wallet's core security function is the secure generation, storage, and usage of cryptographic key pairs. The private key never leaves the user's device, enabling direct control over identity assertions.

• Private Key Custody: Securely stored in a device's hardware security module (HSM), secure enclave, or encrypted keystore.
• Operations: Used to sign Verifiable Presentations, authenticate to services (DID Auth), and authorize updates to the DID Document.
• Recovery: Often employs social recovery or multi-party computation (MPC) schemes to prevent permanent loss.

DID Resolution is the process of retrieving the current DID Document associated with a given Decentralized Identifier. This document is essential for verifiers to obtain the public keys needed to verify signatures.

• Resolver: A service or library that takes a DID string as input and returns the corresponding DID Document.
• Method-Specific: The resolution process is defined by the DID method (e.g., did:ethr resolves via Ethereum smart contracts, did:web via HTTPS).
• Result: The DID Document contains the public keys, authentication protocols, and service endpoints necessary for interaction.

Modern wallets are often built as agents that communicate using standardized interoperability protocols. This allows wallets from different vendors to interact seamlessly within the identity ecosystem.

• Agents: Software agents handle credential exchange, message routing, and protocol execution on behalf of the user.
• Key Protocols:
  • DIDComm v2: Encrypted, asynchronous messaging for peer-to-peer communication.
  • OpenID for Verifiable Credentials (OIDC4VC): Enables using VCs with standard OAuth2/OpenID Connect flows.
  • Present Proof Protocol: A standardized flow for requesting and presenting credentials.

The core security of a wallet rests on the user's exclusive control of their private keys. These keys are used to sign cryptographic proofs and authenticate the user. Loss of the private key means permanent, irrecoverable loss of the identity. Best practices include:

• Using secure, air-gapped hardware modules.
• Implementing multi-party computation (MPC) or social recovery to mitigate single points of failure.
• Never storing keys in plaintext or transmitting them over networks.

A key privacy feature is the ability to prove a claim without revealing the underlying data. Using zero-knowledge proofs (ZKPs), a user can prove they are over 18 without disclosing their birth date or other credentials. This minimizes data exposure and prevents correlation across different service providers, adhering to the principle of data minimization.

DIDs are the foundational identifier, decoupled from centralized registries. A DID is a URI that points to a DID Document containing public keys and service endpoints. Security considerations include:

• DID Method Robustness: The security depends on the specific blockchain or ledger (the DID method) it's anchored to.
• Key Rotation: The DID Document must support secure rotation of compromised public keys.
• Resolver Integrity: Applications must trust the resolution of the DID to its correct document.

Managing the issuance, storage, and revocation of credentials has distinct security phases:

• Issuance: The issuer's attestation must be cryptographically signed. The wallet must verify this signature.
• Storage: Credentials are stored locally or in encrypted, user-controlled storage. W3C Verifiable Credentials Data Model provides a standard format.
• Revocation: The wallet must check the credential status, often via a revocation registry (e.g., on a blockchain) or status list, without leaking which credential is being checked.

The user interface is a critical attack vector. Threats include:

• Malicious DApps prompting users to sign transactions that leak credentials or authorize unwanted actions.
• UI Impersonation where a fake wallet interface steals keys or recovery phrases.
• Transaction Malleability where the data a user signs is different from what they perceive. Wallets must provide clear, human-readable descriptions of signing requests.

A Decentralized Identifier (DID) is a globally unique, cryptographically verifiable identifier that an individual or entity controls without reliance on a central registry. It is the foundational component of a self-sovereign identity system.

• Format: did:method:method-specific-identifier (e.g., did:ethr:0x...).
• Control: Managed via cryptographic keys stored in a wallet.
• Purpose: Serves as a persistent, portable root for credentials and interactions.

A Verifiable Credential (VC) is a tamper-evident digital claim, such as a driver's license or university degree, issued by an authority to a holder. It is the core data object stored and presented from a Digital Identity Wallet.

• Structure: Contains claims, issuer metadata, proofs, and an expiration date.
• Standard: Defined by the W3C Verifiable Credentials Data Model.
• Example: A KYC attestation issued by a regulated entity, signed with its private key.

Self-Sovereign Identity (SSI) is a model for digital identity where individuals or entities have sole ownership and control over their identity data, without depending on centralized authorities. A Digital Identity Wallet is the primary tool for implementing SSI.

• Principles: Includes user control, portability, interoperability, and minimal disclosure.
• Contrast: Differs from federated (e.g., "Login with Google") and centralized identity models.

A Verifiable Presentation (VP) is the data format used by a holder (via their wallet) to present one or more Verifiable Credentials to a verifier. It allows for selective disclosure of information.

• Function: Packages VCs, often with a proof from the holder's wallet to demonstrate control.
• Selective Disclosure: Enables sharing only specific attributes (e.g., proving age >21 without revealing birthdate).
• Flow: The final step in the credential presentation process initiated by a verifier's request.

A Zero-Knowledge Proof (ZKP) is a cryptographic method that allows one party (the prover) to prove to another (the verifier) that a statement is true without revealing the underlying information. This is critical for privacy-preserving identity wallets.

• Use Case: Proving you are over 18 from a credential without disclosing your birth date.
• Technology: Enables minimal disclosure and data minimization, core SSI principles.
• Implementation: Often used within Verifiable Presentations to generate succinct proofs.

DIDComm is a secure, peer-to-peer messaging protocol built on DIDs and standard encryption. It enables Digital Identity Wallets to communicate privately for credential exchange, presentation requests, and other interactions.

• Transport Agnostic: Works over various carriers (HTTP, Bluetooth, etc.).
• End-to-End Encryption: Messages are encrypted for the recipient's DID.
• Role: Facilitates the standardized, interoperable "plumbing" between wallets, issuers, and verifiers.