Authors: Zaïda Rivai (Danube Tech), Kim Duffy (DIF)
Decentralized Identifiers (DIDs) offer an often overlooked benefit: they function as an identifier metasystem, enabling future-proofing and interoperability across diverse identity systems. This concept was the central focus of Sam Curren's session at the Internet Identity Workshop (IIW), titled "DID or not? The Value of an Identifier Metasystem; Is eIDAS wrong?"
What is an Identifier Metasystem?
An identifier metasystem sits above individual identifier systems as a layer of abstraction: it intermediates between different digital identity systems and mechanisms so that they can work together without conflicts, and without each system having to understand the internals of the others.
Starting with identifiers and identifier systems, examples you may be familiar with include:
- National identification systems (e.g., Social Security Numbers, National ID cards)
- Domain Name System (DNS) for internet addresses
- International Standard Book Numbers (ISBNs) for books
- Universally Unique Identifiers (UUIDs) for software systems
Decentralized Identifiers (DIDs) are identifiers too, but the DID specification also lets them act as an identifier metasystem. It defines a common structure and syntax shared by every DID (`did:<method>:<method-specific-id>`), together with a resolution process that turns a DID into a DID document carrying its associated metadata (such as public keys and service endpoints). Because all DID methods share this syntax and resolution contract, methods with very different underlying implementations can be used interchangeably within a single system.
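As an added illustration (not code from the article or from any DIF project), the following Python sketches that metasystem layer: a parser for the generic DID URL grammar from DID Core, and a registry that dispatches on the method name so that each method brings its own resolution logic. Only `did:web` is wired in, using the URL transformation rules from the did:web method specification; its handler computes the HTTPS URL of the DID document and performs no network fetch. The dictionary returned by `plan_resolution` and the error strings (`invalidDid`, `methodNotSupported`, taken from the DID Core / DID Resolution error names) are this example's own conventions, not a standard API.

```python
import re
from urllib.parse import unquote

# Generic DID URL grammar from DID Core: "did:" method-name ":" method-specific-id,
# optionally followed by a path, a query and a fragment. idchar allows pct-encoded bytes,
# which is how did:web carries a port (example.com%3A8443).
_IDCHAR = r"(?:[A-Za-z0-9._-]|%[0-9A-Fa-f]{2})"
_DID_URL_RE = re.compile(
    r"^did:(?P<method>[a-z0-9]+):"
    rf"(?P<msi>(?:{_IDCHAR}*:)*{_IDCHAR}+)"
    r"(?P<path>(?:/[^?#]*)?)"
    r"(?:\?(?P<query>[^#]*))?"
    r"(?:#(?P<fragment>.*))?$"
)


def parse_did_url(did_url: str) -> dict:
    """Split a DID URL into method, method-specific id, path, query and fragment.

    Raises ValueError("invalidDid") when the string does not follow the DID syntax,
    e.g. an upper-case method name or a plain https:// URL.
    """
    m = _DID_URL_RE.match(did_url)
    if m is None:
        raise ValueError("invalidDid")
    parts = m.groupdict()
    parts["did"] = f"did:{parts['method']}:{parts['msi']}"
    return parts


def did_web_to_https_url(msi: str) -> str:
    """Apply the did:web transformation: colons become path separators, the port is
    percent-decoded, and the document lives at /.well-known/did.json (domain only)
    or at <path>/did.json (domain plus path segments)."""
    segments = msi.split(":")
    host = unquote(segments[0])
    # Only the %3A port escape is expected in the host; anything that decodes to a URL
    # delimiter would let the identifier steer the fetch somewhere else, so refuse it.
    if any(c in host for c in "/?#@\\"):
        raise ValueError("did:web host must not contain URL delimiters")
    if len(segments) == 1:
        return f"https://{host}/.well-known/did.json"
    return f"https://{host}/" + "/".join(segments[1:]) + "/did.json"


# The metasystem's method registry: the caller never needs to know how a method works,
# it only needs the method name to be present here. Adding a method is a new entry.
METHOD_HANDLERS = {
    "web": lambda msi: {"fetch": did_web_to_https_url(msi)},
}


def plan_resolution(did_url: str) -> dict:
    """Parse a DID URL and hand the method-specific id to the registered handler.

    Unknown methods are reported as 'methodNotSupported' rather than guessed at.
    """
    parsed = parse_did_url(did_url)
    handler = METHOD_HANDLERS.get(parsed["method"])
    if handler is None:
        return {"did": parsed["did"], "error": "methodNotSupported"}
    return {"did": parsed["did"], "fragment": parsed["fragment"], **handler(parsed["msi"])}


if __name__ == "__main__":
    for example in ("did:web:example.com", "did:web:example.com%3A8443:user:alice#key-1", "did:jwk:abc"):
        print(example, "->", plan_resolution(example))
```

A production resolver would fetch the computed URL over HTTPS only, check that the `id` in the returned document equals the DID it asked for, and treat any mismatch as a failed resolution. The trust in `did:web` rests entirely on DNS and the host's TLS certificate, so the same origin hygiene applies as for any other web resource.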
The Difference Between General Identifiers and DIDs
In general, identifiers – often stored in organization or application databases – carry no context of their own, which makes it hard to determine their scope or whether they are unique. DIDs, in contrast, are globally unique and self-describing: the identifier itself names the method that governs it and how it can be resolved. The difference is like that between a web page that merely describes content found on another page and a hyperlink to that page: with the hyperlink you reach the source directly and obtain the latest information.
At an IT systems level, identifiers that lack context and guaranteed uniqueness cause headaches when companies merge or migrate systems: the same value may mean different things in each system, and collisions arise.
Key Benefits of the Identifier Metasystem
The identifier metasystem provided by DIDs offers several key benefits:
- Interoperability: Different systems using different DID methods can still interact and exchange data without conflicts or the need for extensive customization.
- Flexibility: Organizations can choose the DID method that best suits their needs and constraints, while still maintaining compatibility with other systems.
- Future-proofing: As new DID methods are developed, they can be easily integrated into existing systems without requiring major changes to the underlying infrastructure.
- Normalized and Auditable Data Storage: DIDs enable organizations and applications to store identifiers in a normalized and auditable manner, facilitating easier rotation and updates to identity systems without substantial overhauls.
- Enhanced Privacy: DIDs offer a way to bind credentials to a holder privately and securely, so that a verifier can confirm a credential was indeed issued to the person presenting it without compromising that person's privacy.
Addressing Common Misconceptions
Some common hurdles to adopting DIDs result from the following misconceptions:
- Belief that you have to support all DID methods: There are numerous DID methods, but implementers can choose which method(s) to support based on their requirements and restrictions.
- Uncertainty around which DID method(s) to use and support: Implementers often hesitate because they're unsure which DID method to choose. The straightforward advice is to pick one that's appropriate to your use case, which aids in future-proofing and simplifies integration across diverse systems.
- Belief that there are simpler ways to achieve the same results: The benefits of DIDs as an identifier metasystem can be overlooked due to the technical details of DIDs themselves. However, focusing on the benefits of the identifier metasystem provides clearer business value and future-proofing.
Another potential concern is the absence of a mature standard ("W3C Recommendation" status or similar) for DID resolution and dereferencing. This is addressed in the DID WG Charter update, effective 25 April 2024, under which the DID Working Group takes over the DID resolution work previously underway at the W3C Credentials Community Group.
DIDs as Future-proofed Variants of Existing Tokens or Identifiers
Even where a system is currently required to use JSON Web Keys (JWKs), adopting the `did:jwk` method can serve as a bridge: the key material is unchanged, but it is carried in the common DID syntax, so rotating keys and updating the identity system later does not require a substantial overhaul. Identifiers are stored in a normalized, auditable form that is compatible with other DID-based systems and insulated from future conflicts.
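To make the bridge concrete, here is an added Python example (not code from the article or from any DIF project) that encodes a JWK as a `did:jwk` and resolves it back to a DID document, following the `did:jwk` method specification: the method-specific identifier is the unpadded base64url encoding of the JWK's JSON, and the resulting document exposes the key as verification method `#0`, with the verification relationships chosen from the JWK's `use` hint. The P-256 coordinates in `SAMPLE_JWK` are sample values constructed for this example, and the refusal to encode private parameters is this example's own guard.

```python
import base64
import json

# Contexts a did:jwk DID document carries: DID Core plus the JWS 2020 suite for JsonWebKey2020.
DID_CONTEXT = [
    "https://www.w3.org/ns/did/v1",
    "https://w3id.org/security/suites/jws-2020/v1",
]

# Sample P-256 public key, constructed for this example.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "acbIQiuMs3i8_uszEjJ2tpTtRM4EU3yz91PH6CdH2V0",
    "y": "_KcyLj9vWMptnmKtm46GqDz8wf74I5LKgrl2GzH3nSE",
}

# JWK members that only appear in private or symmetric keys (RFC 7518).
PRIVATE_PARAMS = ("d", "p", "q", "dp", "dq", "qi", "oth", "k")


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwk_to_did(jwk: dict) -> str:
    """Encode a public JWK as did:jwk:<base64url(JSON)>."""
    # Example's own guard: a DID is public by nature, so never let private material into one.
    leaked = [p for p in PRIVATE_PARAMS if p in jwk]
    if leaked:
        raise ValueError(f"refusing to embed private parameters in a DID: {leaked}")
    # Compact, key-sorted JSON so the same key always yields the same DID.
    payload = json.dumps(jwk, separators=(",", ":"), sort_keys=True).encode("utf-8")
    return "did:jwk:" + _b64url_encode(payload)


def resolve_did_jwk(did: str) -> dict:
    """Resolve a bare did:jwk locally into its DID document; no network or registry is involved."""
    prefix = "did:jwk:"
    if not did.startswith(prefix):
        raise ValueError("not a did:jwk identifier")
    msi = did[len(prefix):]
    if not msi or any(c in msi for c in ":/?#"):
        raise ValueError("did:jwk has one method-specific segment; pass the DID without path, query or fragment")
    try:
        jwk = json.loads(_b64url_decode(msi))
    except ValueError as exc:  # binascii.Error, JSONDecodeError and UnicodeDecodeError are all ValueErrors
        raise ValueError(f"method-specific id is not a base64url-encoded JWK: {exc}") from exc
    if not isinstance(jwk, dict) or "kty" not in jwk:
        raise ValueError("decoded payload is not a JWK")
    vm_id = did + "#0"
    doc = {
        "@context": DID_CONTEXT,
        "id": did,
        "verificationMethod": [{
            "id": vm_id,
            "type": "JsonWebKey2020",
            "controller": did,
            "publicKeyJwk": jwk,
        }],
    }
    # Relationships follow the JWK "use" hint: a signing key gets no keyAgreement,
    # an encryption key gets only keyAgreement, an unrestricted key gets all five.
    use = jwk.get("use")
    if use != "enc":
        for rel in ("assertionMethod", "authentication", "capabilityInvocation", "capabilityDelegation"):
            doc[rel] = [vm_id]
    if use != "sig":
        doc["keyAgreement"] = [vm_id]
    return doc


if __name__ == "__main__":
    did = jwk_to_did(SAMPLE_JWK)
    print(did)
    print(json.dumps(resolve_did_jwk(did), indent=2))
```

Note what the round trip shows about the privacy argument made later in the article: the DID contains exactly the bytes of the JWK and nothing more, so a `did:jwk` reveals precisely what the bare JWK already revealed. Rotation is a matter of generating a new key and therefore a new DID, with no registry to update.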
The European Union (EU) Perspective
Privacy Concerns
Some pushback against DIDs stems from the perception that they contribute to privacy violations and tracking, and in some frameworks this has led to DIDs being rejected outright. Employing a DID is, however, not inherently riskier than the mechanism it wraps: `did:jwk`, for example, has exactly the same privacy characteristics as the bare JWK it encodes, since the DID is a deterministic encoding of that key and nothing else. More generally, DIDs have the potential to offer significantly improved privacy protection (see the Enhanced Privacy point under Key Benefits of the Identifier Metasystem, above).
Regulatory Challenges and Recommendations
Regulatory recommendations around traditional identifiers like X.509 certificates are well-established, and moving away from them may not be an option. Even in this environment, however, `did:x509` can be used to adhere to the existing requirements, since the identifier is derived from an existing X.509 certificate chain, while gaining the future-proofing of the identifier metasystem and an easier migration path later.
Implementing DIDs: Decisions Across an Organization
Because the metasystem benefits are easily lost in the technical details of DIDs, the adoption decision is best split across roles in the organization:
- System architects should view the adoption of DIDs as a strategic decision that aligns with long-term business goals, focusing on the overarching benefits of DIDs.
- Product managers need to determine requirements, restrictions, and other characteristics relevant for the use case's regulatory requirements (e.g., inability to use blockchain) or user requirements.
- Architects and developers should select the appropriate DID method(s) based on the above requirements, as well as any other operational considerations (tool support).
The choice of DID method is also influenced by the role of the participant. For institutions, `did:x509` or `did:web` may be preferred, since both anchor the identifier in infrastructure the institution already controls (a certificate chain or a domain). For individuals, `did:jwk` may be more appropriate: a holder can generate a fresh key pair, and therefore a fresh DID, per credential or relationship, avoiding correlation while retaining the future-proofing of the metasystem.
Implementers should focus on building systems that support DIDs regardless of environment, and should address the broad range of considerations involved: open standards and open source, possible cost to users, whether the other components in the ecosystem support DIDs, and whether DIDs are merely stored as strings or have first-class support (resolution, key rotation) in the ecosystem.
Potential Risks and Concerns
While DIDs offer significant benefits as an identifier metasystem, there are potential risks and concerns to consider:
- Incentive for Migration: While DIDs make sense as a consideration when designing new systems, there may not be enough incentive for organizations to rewrite or migrate existing systems to adopt DIDs, given the potential costs and effort involved.
- Control and Governance of DID Methods: There are questions around who determines the "method" part of a DID (the `method` in `did:method:...`), how collisions and name squatting between methods are prevented, and who controls and governs each individual DID method.
Organizations should carefully evaluate these risks and concerns alongside the potential benefits of DIDs as an identifier metasystem when making decisions about adoption and implementation.
While the concerns around migration incentives and control of DID methods are valid, they should not overshadow the significant advantages DIDs offer in terms of interoperability, flexibility, future-proofing, and enhanced privacy.
To mitigate these risks, organizations can:
- Conduct a thorough cost-benefit analysis to determine the long-term value of adopting DIDs, considering factors such as reduced integration complexity, improved data normalization, and enhanced privacy capabilities.
- Engage with the DID community and participate in the governance processes of relevant DID methods to ensure that their concerns and requirements are addressed.
- Develop a phased adoption plan that prioritizes the implementation of DIDs in new systems and gradually migrates existing systems over time, minimizing disruption and spreading out the costs.
- Collaborate with industry partners, standards bodies, and regulatory authorities to establish best practices and guidelines for DID adoption and governance, promoting a more stable and predictable ecosystem.
By proactively addressing these risks and concerns, organizations can confidently adopt DIDs as an identifier metasystem, leveraging its benefits to build more resilient, interoperable, and future-proof identity solutions that enhance privacy, simplify integration, and provide a solid foundation for the evolving digital identity landscape.
Conclusion
As the digital identity landscape continues to evolve, DIDs are well-positioned to play a crucial role in shaping a more connected, secure, and user-centric future. Organizations that recognize the value of an identifier metasystem and embrace DIDs will be at the forefront of building a more resilient and innovative digital identity ecosystem.
Thank you
We would like to thank Sam Curren for leading this session and all IIW attendees who contributed. Thank you to Damian Glover, Andor Kesselman, and Markus Sabadello for their valuable input to this article.