DID Rotation
Understanding DID Rotation: Transitioning between DID Methods
In the realm of digital identity, the concept of Decentralized Identifiers (DIDs) stands as a cornerstone. DIDs are a new type of identifier that enables verifiable, self-sovereign digital identities. This blog post explores possibilities to transition between different DID Methods and invites DID method implementors to join this journey towards more robust, interoperable, and secure digital identities.
What is DID Rotation?
DID Rotation refers to the process of updating or changing a Decentralized Identifier (DID) while maintaining the continuity and integrity of the digital identity it signifies. This procedure is essential for various reasons, including enhancing security, adhering to emerging standards, or transitioning to a more sophisticated infrastructure. To facilitate DID Rotation effectively, we have identified three fundamental requirements for a DID method:
- DID Rotation Requirements
- DID-ROT #1: The original DID must include a reference to the new DID.
(Motivation: enable resolver to switch between DID methods) - DID-ROT #2: The new DID must include a reference to the original DID.
(Motivation: provide provenance & legitimacy) - DID-ROT #3: There must be a proof that the original DID is deactivated upon rotation.
(Motivation: prohibit forks)
An Example Implementation: did:oyd to did:ebsi
did:oyd
was developed by OwnYourData and provides a self-sustained environment for managing decentralised identifiers. The did:oyd
method links the identifier cryptographically to the DID Document and through also cryptographically linked provenance information in a public log it ensures resolving to the latest valid version of the DID Document. This is in contrast to other DID methods which are based on blockchain technology and provide a trust anchor based on the respective governance of the used ledger for handling sensitive data.
did:ebsi
is part of the European Union’s efforts to build a secure and interoperable blockchain infrastructure. It operates on a pan-European network of nodes, ensuring robustness and security. The technology encompasses APIs, smart contracts, and a decentralized ledger, which are used across various use cases to provide trusted information for business processes.
The did:oyd
method offers a low-entry barrier for generating a large number of DIDs) proving particularly useful in scenarios where blockchain access is impractical. However, there are instances where the requirements and conditions evolve, necessitating existing identifiers to meet specific governance standards that are beyond the capabilities of this DID method.
Process
A process that meets the aforementioned requirements can be outlined in the following four steps, as illustrated below:
- Start with an existing/original DID
- Create New DID: establish a new DID to replace the old one
- Update Original DID: link the old DID to the new one for resolvers to find the new DID
- Deactivate Original DID: deactivate the original DID to avoid forks
- Update New DID: finally, update the new DID with references to the original, ensuring a seamless transition
Example
The following DID demonstrates resolving a did:oyd
to a did:ebsi
document:
did:oyd:zQmZ7wwgCxkExNeXHm9XLxAKs7Y7pubTKCHQLTxRrA3Fz51
And as reference here links to the respective DID Documents:
Resolution Process
The resolution process for DID Rotation involves extending implementations with a follow-alsoKnownAs=TRUE
flag that instructs the resolver to correctly interpret the alsoKnownAs
attribute in DID Documents. This flag ensures that when a DID is updated or rotated, the resolution process continues to recognize and track the previous DID, linking it to the new one. Essentially, by setting follow-alsoKnownAs=TRUE
, the system maintains a connection between the old and new DIDs, thereby preserving the continuity and historical integrity of the digital identity throughout the rotation process.
Call to Action
The DID community is invited to provide more general support for DID Rotation. Whether you’re a developer, policy-maker, or just an enthusiast in the field of digital identities, your insights and contributions are vital! We encourage the community to:
- Provide Feedback: Share your experiences, challenges, and suggestions. Your input is crucial for the continuous improvement.
- Support DID Rotation in your preferred DID method: Implementing DID Rotation is straight forward – it only requires the respective resolver to process information in the
alsoKnownAs
attribute. - Stay Informed and Educated: With the fast-evolving nature of DIDs, staying updated with the latest trends and advancements is essential.
DID Rotation is more than just a technical upgrade. It’s a step towards a future where digital identities are more secure, private, and user-centric. Let’s embrace this change together, contributing to a digital world that respects and empowers individual identity.
The work on DID Rotation has received funding from the European Union’s Horizon 2020 research and innovation program through the NGI TRUSTCHAIN program under cascade funding agreement No 101093274. For more information visit our project website here.