An autonomous and decentralized management of one’s digital identity corresponds to a necessary adaptation of the roles within the identity management system:

• holder: who possesses one or more verifiable credentials and generates presentations from them
• issuer: the role of the person who affirms the statements of one or more subjects, creating verifiable credentials and transmitting them to the holder
• subject: the entity to which the statements refer. In most cases it coincides with the holder, but not always. (E.g .: the parent has the child’s credentials)
  
• vérifier: the role of whoever receives one or more credentials, possibly within a presentation, to process and verify

An autonomous and decentralized management of one’s digital identity corresponds to a necessary adaptation of the roles within the identity management system:

• holder: who possesses one or more verifiable credentials and generates presentations from them
• issuer: the role of the person who affirms the statements of one or more subjects, creating verifiable credentials and transmitting them to the holder
• subject: the entity to which the statements refer. In most cases it coincides with the holder, but not always. (E.g .: the parent has the child’s credentials)
  
• vérifier: the role of whoever receives one or more credentials, possibly within a presentation, to process and verify
• verifiable data registry: the system that mediates the creation and verification of identifiers and other relevant data, such as diagrams of verifiable credentials, revocation registers, and the issuer’s public keys.

Decentralized Identifiers (DIDs) constitute a new type of unique identifiers, similar to URIs with signatures and encryption, created to allow individuals and organizations to generate and own their identifiers, without the need for a fiduciary counterpart. DID, necessary to keep various identities and interactions separate.

DIDs can represent and be associated with legal entities and objects as well.

Decentralized Identifiers (DIDs) constitute a new type of unique identifiers, similar to URIs with signatures and encryption, created to allow individuals and organizations to generate and own their identifiers, without the need for a fiduciary counterpart. DID, necessary to keep various identities and interactions separate.

DIDs can represent and be associated with legal entities and objects as well.

In this section, we look at the various components in the DID architecture and how they work with each other.

DID and DID URL

A DID is an alphanumeric string that represents our identity.

Technically, a DID is an ad hoc URI made up of three parts: the did: schema, a method identifier, and a unique identifier specified by the DID method.

A DID may also have associated a DID URL.

A DID URL extends the syntax of the base DID in order to incorporate other standard URI components to place other specific resources related to the entity that holds the DID.

To produce a resource from the DID URL, the software is used which takes the URL of the DID as input and produces a resource as output (this process is called dereferencing).

In this section, we look at the various components in the DID architecture and how they work with each other.

DID and DID URL

A DID is an alphanumeric string that represents our identity.

Technically, a DID is an ad hoc URI made up of three parts: the did: schema, a method identifier, and a unique identifier specified by the DID method.

A DID may also have associated a DID URL.

A DID URL extends the syntax of the base DID in order to incorporate other standard URI components to place other specific resources related to the entity that holds the DID.

To produce a resource from the DID URL, the software is used which takes the URL of the DID as input and produces a resource as output (this process is called dereferencing).

DID resolvers and DID resolution

The DID solver is a system component that takes the DID as input and outputs a compliant DID document. This process is called DID Resolution. The steps for resolving a specific type of DID are defined by the relevant DID method.

To be solvable into DID documents, DIDs are registered on an underlying system or network. Regardless of the technology used, any system that supports DID registration and the return of data to create a DID document is called a verifiable data registry.

DID resolvers and DID resolution

The DID solver is a system component that takes the DID as input and outputs a compliant DID document. This process is called DID Resolution. The steps for resolving a specific type of DID are defined by the relevant DID method.

To be solvable into DID documents, DIDs are registered on an underlying system or network. Regardless of the technology used, any system that supports DID registration and the return of data to create a DID document is called a verifiable data registry.

There is a clear distinction to be made between “who controls” the DID and “who is associated” with the DID, especially in parental situations and/or with limitations in the public sphere.

DID controllers

The controller of a DID is an entity (person, organization or standalone server) that has the ability to make changes to a DID document.

This capability is typically affirmed by checking a series of cryptographic keys used by the software acting on behalf of the controller.

A DID can also have more than one controller and the DID subject can be the controller itself.

There is a clear distinction to be made between “who controls” the DID and “who is associated” with the DID, especially in parental situations and/or with limitations in the public sphere.

DID controllers

The controller of a DID is an entity (person, organization or standalone server) that has the ability to make changes to a DID document.

This capability is typically affirmed by checking a series of cryptographic keys used by the software acting on behalf of the controller.

A DID can also have more than one controller and the DID subject can be the controller itself.

DID subjects

By definition, the subject of a DID is the entity identified by the DID.

The subject of the DID does not have to be a person, it can also be identified with an organization, a group, an object or a concept.

To deepen the subject, here is the link of the W3C document, where it sets the standards to be followed for the various protocols and networks.

• Encryption is not obsolescent – Identifiers can be updated as technology evolves.
• Survive the disappearance of organizations – Identifiers survive the disappearance of the organizations that issued them.
• Survives deployment end-of-life – These identifiers are usable even after the systems used by the parties become obsolete.
• Surviving relationship with the service provider – The identifiers are independent, they remain even if the service provider’s mandate fails.
• Cryptographic authentication and communication – Identifiers allow the authentication of individuals using cryptographic techniques, and also allow secure communications with the subject to which the identifier refers, using public-private keys.
• Service discovery – These identifiers allow the parties to search for services available to communicate with the person to whom the identifier refers.
• Registry agnostic – These identifiers can be on any registry that has a compatible interface.

• Encryption is not obsolescent – Identifiers can be updated as technology evolves.
• Survive the disappearance of organizations – Identifiers survive the disappearance of the organizations that issued them.
• Survives deployment end-of-life – These identifiers are usable even after the systems used by the parties become obsolete.
• Surviving relationship with the service provider – The identifiers are independent, they remain even if the service provider’s mandate fails.
• Cryptographic authentication and communication – Identifiers allow the authentication of individuals using cryptographic techniques, and also allow secure communications with the subject to which the identifier refers, using public-private keys.
• Service discovery – These identifiers allow the parties to search for services available to communicate with the person to whom the identifier refers.
• Registry agnostic – These identifiers can be on any registry that has a compatible interface.

The figure on the left shows the complete representation of a previous presentation, where the user demonstrates that he has a university credential, without showing his name. Log in to the library, without leaving sensitive data in the library.

The first graphic expresses a verifiable presentation, containing the respective metadata. The presentation refers to one or more credentials, contained in the second chart.

The third chart corresponds to the digital signature referring to the credential, while the fourth contains the signature proving the verifiable presentation.

The figure on top shows the complete representation of a previous presentation, where the user demonstrates that he has a university credential, without showing his name. Log in to the library, without leaving sensitive data in the library.

The first graphic expresses a verifiable presentation, containing the respective metadata. The presentation refers to one or more credentials, contained in the second chart.

The third chart corresponds to the digital signature referring to the credential, while the fourth contains the signature proving the verifiable presentation.

The model of trust between actors using verifiable credentials provides that:

• The verifier expects the issuer to issue the credential it has received. To establish this trust, the credential should:
• include a signature proving that the issuer generated the credential
  or
• be transmitted in a clear way, which establishes that the issuer has generated the verifiable credential and that the credential has not been tampered with.

All entities count on the data log to be tamper-proof and to be a correct record of entity-controlled data.

The model of trust between actors using verifiable credentials provides that:

• The verifier expects the issuer to issue the credential it has received. To establish this trust, the credential should:
• include a signature proving that the issuer generated the credential
  or
• be transmitted in a clear way, which establishes that the issuer has generated the verifiable credential and that the credential has not been tampered with.

All entities count on the data log to be tamper-proof and to be a correct record of entity-controlled data.

• The owner and the verifier count on the issuer to issue true credentials regarding the subject and to revoke them if they are inappropriate.
• The owner expects that the credentials are stored securely, that they are not released to third parties, and that they are not tampered with or lost.

This model differs from the others in that the issuer does not need to know the verifier.

These technologies are included in the broader family of Distributed Ledgers, which can be read and modified by multiple nodes on a network.

Within the business model of the SSI, the register can be used for the following purposes:

• Verify a verifiable credential
• Revocation of a verifiable credential
• Creation of a DID, based on the DID Method of the protocol
• Blacklisting of a DIDs
• Verification of DID Document and data related to DID controller and DID Subject

These technologies are included in the broader family of Distributed Ledgers, which can be read and modified by multiple nodes on a network.

Within the business model of the SSI, the register can be used for the following purposes:

• Verify a verifiable credential
• Revocation of a verifiable credential
• Creation of a DID, based on the DID Method of the protocol
• Blacklisting of a DIDs
• Verification of DID Document and data related to DID controller and DID Subject

To improve the solvers of the DID documents and ensure greater interoperability, the Universal Resolver technology has been designed. This is important, because the identifiers are the basis for the communication and identification systems; without identifiers, we cannot have relationships, transactions, and data sharing between entities.

The Universal Resolver allows us to build architectures and protocols on self-sovereign identifiers. There is no longer a need for a central authority to issue, maintain or revoke identifiers.

A DID-based blockchain that supports the Universal Resolver must define and implement a DID driver that connects the Resolver to the DID method used to read DID documents.

To improve the solvers of the DID documents and ensure greater interoperability, the Universal Resolver technology has been designed. This is important, because the identifiers are the basis for the communication and identification systems; without identifiers, we cannot have relationships, transactions, and data sharing between entities.

The Universal Resolver allows us to build architectures and protocols on self-sovereign identifiers. There is no longer a need for a central authority to issue, maintain or revoke identifiers.

A DID-based blockchain that supports the Universal Resolver must define and implement a DID driver that connects the Resolver to the DID method used to read DID documents.

The Resolver’s job is to discover and recover this additional information. This information contains elements such as services for communicating with entities and the cryptographic keys associated with them.

This allows the construction of data formats and multi-layer protocols, regardless of the blockchain used to register the identifier. Internally, the Universal Resolver achieves this goal through its architecture consisting of a driver for each type of supported identifier.

The DKMS architecture brings the following benefits:

1. No single point of failure
2. Interoperability
3. Strong and flexible infrastructure
4. Key recovery

The DKMS architecture is based on three levels:

The DID level is the fundamental one, made up of DIDs registered and solved through distributed ledgers.

The cloud level is made up of wallets and agents that allow communication and mediation between the DID level and the edge level. This layer allows peer-to-peer communication for exchanges and verification of DIDs, public keys and verifiable credentials.

The edge layer is made up of mobile devices, agents, and wallets used directly by the identity holders to generate and store private keys and perform management operations.

The DKMS architecture brings the following benefits:

1. No single point of failure
2. Interoperability
3. Strong and flexible infrastructure
4. Key recovery

The DKMS architecture is based on three levels:

The DID level is the fundamental one, made up of DIDs registered and solved through distributed ledgers.

The cloud level is made up of wallets and agents that allow communication and mediation between the DID level and the edge level. This layer allows peer-to-peer communication for exchanges and verification of DIDs, public keys and verifiable credentials.

The edge layer is made up of mobile devices, agents, and wallets used directly by the identity holders to generate and store private keys and perform management operations.

• Sharing of credentials in a single transaction – Self-Issued OP directly represents the user, so they can have a huge set of information that a traditional OP does not have.
• Aggregation of multiple services under one self-issued OP – End users usually use different Hosted Open ID Providers for different third parties. This use can create friction if the user returns at a later time and does not remember the OP used previously.

The Self-issued single OP model, on the other hand, allows you to meet a need for privacy and ease of use, using the credential issuer’s reputational trust.

• Sharing of credentials in a single transaction – Self-Issued OP directly represents the user, so they can have a huge set of information that a traditional OP does not have.
• Aggregation of multiple services under one self-issued OP – End users usually use different Hosted Open ID Providers for different third parties. This use can create friction if the user returns at a later time and does not remember the OP used previously.

The Self-issued single OP model, on the other hand, allows you to meet a need for privacy and ease of use, using the credential issuer’s reputational trust.