DID Rotation

Understanding DID Rotation: Transitioning between DID Methods

In the realm of digital identity, the concept of Decentralized Identifiers (DIDs) stands as a cornerstone. DIDs are a new type of identifier that enables verifiable, self-sovereign digital identities. This blog post explores possibilities to transition between different DID Methods and invites DID method implementors to join this journey towards more robust, interoperable, and secure digital identities.

What is DID Rotation?

DID Rotation refers to the process of updating or changing a Decentralized Identifier (DID) while maintaining the continuity and integrity of the digital identity it signifies. This procedure is essential for various reasons, including enhancing security, adhering to emerging standards, or transitioning to a more sophisticated infrastructure. To facilitate DID Rotation effectively, we have identified three fundamental requirements for a DID method:

DID Rotation Requirements

  • DID-ROT #1: The original DID must include a reference to the new DID.
    (Motivation: enable resolver to switch between DID methods)
  • DID-ROT #2: The new DID must include a reference to the original DID.
    (Motivation: provide provenance & legitimacy)
  • DID-ROT #3: There must be a proof that the original DID is deactivated upon rotation.
    (Motivation: prohibit forks)

An Example Implementation: did:oyd to did:ebsi

did:oyd was developed by OwnYourData and provides a self-sustained environment for managing decentralised identifiers. The did:oyd method cryptographically links the identifier to the DID Document, and cryptographically linked provenance information in a public log ensures that resolution yields the latest valid version of the DID Document. This is in contrast to other DID methods, which are based on blockchain technology and provide a trust anchor based on the respective governance of the used ledger for handling sensitive data.

did:ebsi is part of the European Union’s efforts to build a secure and interoperable blockchain infrastructure. It operates on a pan-European network of nodes, ensuring robustness and security. The technology encompasses APIs, smart contracts, and a decentralized ledger, which are used across various use cases to provide trusted information for business processes.

The did:oyd method offers a low entry barrier for generating a large number of DIDs, proving particularly useful in scenarios where blockchain access is impractical. However, there are instances where the requirements and conditions evolve, necessitating existing identifiers to meet specific governance standards that are beyond the capabilities of this DID method.

Process

A process that meets the aforementioned requirements can be outlined in the following four steps, as illustrated below:

  1. Start with an existing/original DID
  2. Create New DID: establish a new DID to replace the old one
  3. Update Original DID: link the old DID to the new one for resolvers to find the new DID
  4. Deactivate Original DID: deactivate the original DID to avoid forks
  5. Update New DID: finally, update the new DID with references to the original, ensuring a seamless transition

Example

The following DID demonstrates resolving a did:oyd to a did:ebsi document:

did:oyd:zQmZ7wwgCxkExNeXHm9XLxAKs7Y7pubTKCHQLTxRrA3Fz51

And as reference here links to the respective DID Documents:

Resolution Process

The resolution process for DID Rotation involves extending implementations with a follow-alsoKnownAs=TRUE flag that instructs the resolver to correctly interpret the alsoKnownAs attribute in DID Documents. This flag ensures that when a DID is updated or rotated, the resolution process continues to recognize and track the previous DID, linking it to the new one. Essentially, by setting follow-alsoKnownAs=TRUE, the system maintains a connection between the old and new DIDs, thereby preserving the continuity and historical integrity of the digital identity throughout the rotation process.
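The sketch below is an added example, not code from did:oyd, did:ebsi or any resolver: it shows a resolver that follows alsoKnownAs only after checking DID-ROT #1 to #3, so a one-way claim or a still-active original is not followed. The identifiers, the in-memory registry and the function names are constructed for illustration, and the deactivation proof is simplified to the DID Core `deactivated` metadata flag.

```python
def entry(did, also_known_as, deactivated=False):
    """Build a resolution result shaped like DID Core output (constructed data)."""
    return {"didDocument": {"id": did, "alsoKnownAs": also_known_as},
            "didDocumentMetadata": {"deactivated": deactivated}}

# Constructed placeholder identifiers, not real DIDs.
REGISTRY = {e["didDocument"]["id"]: e for e in [
    # Complete rotation: forward link, back link, original deactivated.
    entry("did:oyd:example-rotated", ["did:ebsi:example-new"], deactivated=True),
    entry("did:ebsi:example-new", ["did:oyd:example-rotated"]),
    # One-way claim: the target never references this DID back.
    entry("did:oyd:example-oneway", ["did:ebsi:example-new"], deactivated=True),
    # Linked both ways but the original is still active (possible fork).
    entry("did:oyd:example-active", ["did:ebsi:example-fork"]),
    entry("did:ebsi:example-fork", ["did:oyd:example-active"]),
]}

def rotation_target(did, registry):
    """Return the DID that `did` was rotated to, or None if a DID-ROT check fails."""
    old = registry[did]
    if not old["didDocumentMetadata"].get("deactivated"):         # DID-ROT #3
        return None
    for candidate in old["didDocument"].get("alsoKnownAs", []):   # DID-ROT #1
        new = registry.get(candidate)
        if new is None or candidate == did:
            continue
        if did in new["didDocument"].get("alsoKnownAs", []):      # DID-ROT #2
            return candidate
    return None

def resolve(did, registry, follow_also_known_as=False, max_hops=5):
    """Resolve `did`; with the flag set, follow verified rotations only.

    Returns (did_document, chain), where chain lists every DID visited.
    """
    chain = [did]
    while follow_also_known_as and len(chain) <= max_hops:
        nxt = rotation_target(chain[-1], registry)
        if nxt is None or nxt in chain:   # failed check or loop: stop here
            break
        chain.append(nxt)
    return registry[chain[-1]]["didDocument"], chain

if __name__ == "__main__":
    for d in ("did:oyd:example-rotated", "did:oyd:example-oneway",
              "did:oyd:example-active"):
        print(d, "->", resolve(d, REGISTRY, follow_also_known_as=True)[1])
```

Returning the chain alongside the document lets a relying party log which identifiers were traversed and see when a rotation claim was not followed.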

Call to Action

The DID community is invited to provide more general support for DID Rotation. Whether you’re a developer, policy-maker, or just an enthusiast in the field of digital identities, your insights and contributions are vital! We encourage the community to:

  • Provide Feedback: Share your experiences, challenges, and suggestions. Your input is crucial for continuous improvement.
  • Support DID Rotation in your preferred DID method: Implementing DID Rotation is straightforward – it only requires the respective resolver to process information in the alsoKnownAs attribute.
  • Stay Informed and Educated: With the fast-evolving nature of DIDs, staying updated with the latest trends and advancements is essential.

DID Rotation is more than just a technical upgrade. It’s a step towards a future where digital identities are more secure, private, and user-centric. Let’s embrace this change together, contributing to a digital world that respects and empowers individual identity.

The work on DID Rotation has received funding from the European Union’s Horizon 2020 research and innovation program through the NGI TRUSTCHAIN program under cascade funding agreement No 101093274. For more information visit our project website here.