What is a Decentralized Identifier?

July 17, 2023 - 6 min read

DIDs are your on-chain, cryptographic fingerprints- made possible by powerful cryptographic primitives for decentralized, trustless verification.

Identity and Ownership

One’s identity is everything. Ownership of oneself is the essence of freedom, and ownership of one’s property seems to fall under this umbrella. Opening a bank account, registering employment, voting in elections, buying real estate—all of these things require an individual proving their identity.

Until recently, we couldn’t control how our personal information was stored, shared, or disposed of – or have proof that our data was mishandled or compromised. That is, our personally identifiable information has been subject to opaque and centralized control. This could be brought to a swift end by leveraging the security of cryptographic primitives and decentralization regarding data storage, verification, and transparency.

The Problem with Digital IDs

What’s worse, the digital space has become crowded with anonymous bots and other malicious actors who create chaos without incurring any real cost to themselves. Considering the damage that DDoS or other bot-like attacks can inflict on civil discourse and the functionality of web services, debates on the pros and cons of anonymity have become more prominent. Perhaps requiring digital IDs to use online services could make such attacks costly by identifying perpetrators and holding them accountable.

Implementing a system of decentralized identity would not be as simple as minting a token. No, it must be interoperable amongst disparate ecosystems. A proper DID would allow individuals to manage their identity-related information without relying on a single network nor any central authorities except for the sovereign jurisdictions in which they live.

However, protecting individuals from privacy infringements and identity theft while also delivering a slick UX is no simple task. In order to deliver the best results, a vertically integrated stack of powerful cryptographic primitives will need to be leveraged so as to optimize outcomes and minimize any drawbacks. DIDs must be stored via decentralized blockchains, persistent over time, globally resolvable, and cryptographically verifiable.

Key Value Database or Keystore Contract

One way to do this would be for users to store their DIDs into their own personal databases, or keystore contracts. These would essentially be like storage facilities for cryptographic keys and certificates, with permissioned pools of data. That means you would only reveal only the required KYC information during an interaction without revealing anything else about yourself.

The keystore contract could contain all of the KYC information needed to verify a human with a digital signature. That way, you would use your keystore contract as a source-level, primary identifier. The primary function would be to contain the public keys, authentication protocols, identifying metadata, timestamps and signatures for auditing, and endpoint addresses necessary to verify entities intending to interact with Web3 infrastructure requiring KYC access.

However, their digital assets would be held in various accounts or wallets that can be generated or verified via their DID keystore. The keystores would be private, while subsequently allowing for counterfactual instantiation, meaning one can generate new addresses which can demonstrate provenance from the original keystore contract.

For example, each user would need to generate their DID on one chain which could subsequently allow for other interactions to point back to the origin keystore contract. This would be the root of all on-chain interactions so long as other blockchains can call upon one’s DID from the target chain or L2. Transacting from newly generated wallets or addresses would require a cryptographic proof demonstrating provenance from the user’s DID keystore contract.

Decentralized Identifiers and Privacy

While privacy is understood to be an essential concept for identity management solutions, it is especially crucial for decentralized, automated systems like smart contract platforms- and the immutability of a public blockchain’s recorded history. That is to say that mistakes are unforgiving in this space.

As there are no centralized authorities to abuse their power in DeFi, there are also no benevolent customer service reps which can fix a mistake you made by reversing an erroneous transaction. Losing access to your credentials or allowing a malicious actor to gain undue access could be catastrophic. Therefore, both privacy controls and recovery solutions need to be adjusted so that new users will onboard themselves confidently.

Fortunately, DID infrastructure can incorporate Privacy by Design into its security infrastructure from the ground up. From generating temporary public addresses to storing personally identifiable information (PII) off-chain, there are several clever privacy-preserving layers which can future-proof the security of most our sensitive data:

Pairwise-pseudonymous identifiers
- DIDs can be used as private identifiers issued on a per-relationship basis. One can thus have multiple pairwise-pseudonymous DIDs which protect the root DID, yet have their permissions easily managed by users.
Off-chain private data
- Publication or storage of PII on public blockchains, even encrypted or hashed, is risky because even if security measures are state-of-the-art quality for the time being, advances in technology could soon make them obsolete. If encryptions are ever broken via quantum computing, identifiable or otherwise correlating metadata would become vulnerable via their public ledgers. Storing private data off-chain or in keystore contracts and exchanging them via permissioned access in private, P2P interactions makes the most sense.
Data minimization
- DIDs give individuals greater control over their personal data than ever before. Aside from having their credentials encrypted, zero-knowledge proofs ensure that only relevant data is shared during interactions, lending itself to data minimization. One way to conceptualize this would be to prove your citizenship without revealing your name, or vice versa. It would be difficult to accomplish such a task with the traditional passports we carry nowadays.

The Paradox of Decentralized Responsibility

One often forgotten concept by digital natives and the Web3 crowd more specifically is that regular users need to understand how this stuff works and be able to operate it without frustration (or catastrophic loss, for that matter). That is to say that DIDs need to be understandable to and comfortable for users like say, your parents or grandparents.

Nobody except for the most risk-tolerant individuals will accept the risk of catastrophic failure when it comes to the loss of their assets or their identity in the form of DIDs. It is not just about technical feasibility but about actual accessibility for regular users. This is a paradox which may haunt Web3 enthusiasts for some time to come. With great decentralization comes great responsibility.

Thus, decentralized private key storage, secret sharing schemes, or social recovery methods could be used to distribute the risks of loss without compromising on security in meaningful ways. Ironically, a physical device like a hardware ID could still be used to store private keys with PIN code access for daily conveniences while recovery seeds could be kept offline for recovery efforts.

Despite the challenges in a workable DID implementation, scalability, security, and privacy for our users has to take precedence above convenience. Too often we accept centralized solutions for the sake of cost savings, brevity of development, or quicker adoption. The hard work has to be done without any corners being cut, even if it takes years of development. Our patience will be rewarded in time.