did:self is a DID method that enables DID document management without registries. A did:self identifier is the thumbprint of a JWK as defined in RFC 7638. The corresponding DID document is protected by a JSON Web Signature generated by the private key that corresponds to the did:self identifier. The payload of this signature is the DID document itself.
A Python3 implementation
- The SECOND project that uses did:self.
- The SCN4ND project that uses did:self.
- Application of did:self in IPFS N. Fotiou, V.A. Siris, G.C. Polyzos, "Enabling self-verifiable mutable content items in IPFS using Decentralized Identifiers", in DI2F: Decentralising the Internet with IPFS and Filecoin, IFIP Networking 2021 workshop
- Application of did:self in securing routing in Named Data Networking N.Fotiou, Y. Thomas, V.A. Siris, G. Xylomenos and G.C. Polyzos, "Securing Named Data Networking routing using Decentralized Identifiers," in Proc. SARNET-21 workshop, IEEE International Conference on High Performance Switching and Routing (HPSR), Paris, France, June 2021
- Application of did:self in securing IoT group communication N. Fotiou, V.A. Siris, G. Xylomenos and G.C. Polyzos, "IoT Group Membership Management Using Decentralized Identifiers and Verifiable Credentials", in Future Internet, MDPI, vol. 4, iss. 6, 2022
- The SNDS project that uses did:self
The name of this DID method is: self
The method specific identifier is represented as the thumbprint of a JWK, as defined in RFC 7638, e.g.,
did:self:iQ9PsBKOH1nLT9FyhsUGvXyKoW00yqm_-_rVa3W7Cl0
The DID document is a JSON-encoded file that must include at least
the id property.
The integrity of a DID document is verified using a JSON Web Signature (JWS).
The header of the proof must include the jwk field, which is used as follows:
jwkThe JWK that can be used for verifying the proof. The thumbprint of this key must match the did:self identifier
The payload of the proof is the DID document.
Given a did:self DID, a DID document and the corresponding JWS any entity can attest whether or not the DID document is a valid document for the given DID using the following protocol.
- Verify that the thumbprint of the
jwkfield of the header ofproofis equal to the DID. - Verify the signature of the
proofusing thejwkfield of the header.
The DID document resolution process of did:self DID is application specific. Given that DID documents in did:self are self-certified there is no need for a secure registry. DID documents can be included in message exchanges, they can be stored in file system, or they can be provided as DNS records.
CRUD operations should implemented by the user. Our Python3 implementation can be used for this purpose.
The Create operation initializes a did:self DID and creates a DID document. The JWS of the DID document is signed using the using the private key that corresponds to the did:self DID.
The following is a valid DID document
{
"id": "did:self:t_Mi-DsXvoOwL8igf7mlu2VSAJIKqhKhWIZTrYAG8XI",
"authentication": [
{
"id": "#key1",
"type": "JsonWebKey2020",
"publicKeyJwk": {
"kty": "EC",
"crv": "P-256",
"x": "YOGmYaMKzwTFytWHN2hGC-2VpPqGqj_sDSckB2IvCgI",
"y": "k7iWuiXQlLXvROjdMA2WNHhGz0jxu6u41n83YupNteo"
}
}
]
}The following is the corresponding proof in Compact Serialization format with detached payload.
eyJhbGciOiAiRVMyNTYiLCAiandrIjogeyJrdHkiOiAiRUMiLCAiY3J2IjogIlAtMjU2IiwgIngiOiAiWU9HbVlhTUt6d1RGeXRXSE4yaEdDLTJWcFBxR3FqX3NEU2NrQjJJdkNnSSIsICJ5IjogIms3aVd1aVhRbExYdlJPamRNQTJXTkhoR3owanh1NnU0MW44M1l1cE50ZW8ifX0..T1WGz3wTmWLZer0_40hkGrZ6Qky_17dbR3y0G_kIsNvuLXlDhAdUoGnMitOGBYMN4J0vy91TPyqx0ENKTRY5aQ
The following is the decoded JWS header
{
"alg": "ES256",
"jwk": {
"kty": "EC",
"crv": "P-256",
"x": "YOGmYaMKzwTFytWHN2hGC-2VpPqGqj_sDSckB2IvCgI",
"y": "k7iWuiXQlLXvROjdMA2WNHhGz0jxu6u41n83YupNteo"
}
}The DID document may include an arbitrary number of verification methods and relationships. The public key(s) used as verification methods do not have to be the same as the DID identifier, although using the same key is allowed.
The Read operation should output the DID document and JWS. The DID document should be then validated using the process described in DID document validation
With the update operation, the DID document is replaced with a new one. A new JWS is also generated.
Since there is no registry the deactivate method is not supported.
This method considers two types of cryptographic keys: the key that corresponds to the identifier, which is used for generating the DID document proofs, and the keys used as verification methods. Although the same key can be used in both cases, it is recommended to use different keys so that verification keys can be rotated.
This method does not provide an 1:1 relationship between a did:self DID identifier and the corresponding DID document: there can be multiple valid DID documents for the same identifier. This is a design choice that enables applications that require identifier sharing, e.g., IoT group communication.
A did:self DID identifier can be used for correlating the actions of a user.