DID You Hear? Decentralized Identifiers Are Coming
The decentralized web has been a promising technology for many years now — and I’m not talking about cryptocurrencies. If anything, the hype and financial speculation around cryptocurrencies has distracted from the very real technical progress being made in decentralization. It’s even starting to be baked into web standards, as we shall explore in this post.
So why do we need to decentralize? Simply put, because of the power of “walled garden” companies like Facebook, Google and Apple. Decentralization brings the potential for users to take back control of their personal identity and data; that’s why it’s so important.
Perhaps the key to the decentralized web is identity. Think about how important your Google, Facebook and Apple logins are to nearly everything you do on the web. But ultimately, you’re not in control of your identity on any of those commercial platforms. Google or Apple could shut down your email address, which is typically used as your login, at any time. As for Facebook, it has shown over the past year that it can and will “de-platform” you if you’re deemed to have broken its rules. There’s also the fact that on any of these platforms, your data can potentially be subpoenaed (or worse) by governments without you even knowing it.
Enter DIDs: Decentralized Identifiers
If a new specification from the World Wide Web Consortium (W3C) gains traction, we could soon have a web standard that would enable users to choose a decentralized identity. Version 1.0 of the Decentralized Identifiers (DIDs) specification was released as a draft recommendation at the end of June. A DID (pronounced like the word “did”) is defined as “a new type of identifier that enables verifiable, decentralized digital identity.” A DID can refer to any subject — from a person, to an organization, to basically anything “determined by the controller of the DID.”
The DID specification is a complement to the Verifiable Credentials standard for cryptographically-verifiable digital credentials, which was approved by the W3C in November 2019.
A DID is basically the same as a URL (Uniform Resource Locator), aka a web address: an identifier for something, only in the case of a DID the identifier is based on decentralized technology (by contrast, URLs are managed through domain registries, which are usually centralized).
The word “control” is key when evaluating DIDs. In an interview with a podcast called The Rubric, the co-chair of the DID working group, Daniel Burnett, talked about how the W3C working group moved away from the concept of “owning” an identity to that of “controlling” it.
“The driver for me,” said Burnett, “has always been that need, with a verifiable credential, for an identifier (particularly a subject identifier) that you could control. No one else could take it away from you and, in fact, you could mint as many of them as you want.”
Is This Blockchain Technology?
When you hear the word “mint” these days, you probably think of blockchain — and perhaps more recently, non-fungible tokens (NFTs). As it happens, both Burnett and his co-chair, Brent Zundel, have a background in blockchain technology. Burnett leads the Enterprise Ethereum Alliance, while Zundel’s LinkedIn profile states that he’s “Principle Crypto Engineer” for a digital identity company called Evernym.
But while a DID primer published in December describes DIDs as being “cryptographically verifiable,” the just-released draft specification is more ambiguous. The spec defines a DID as a “globally unique persistent identifier that does not require a centralized registration authority and is often generated and/or registered cryptographically.”
The “often” leaves some wiggle room for a DID to not be cryptographically verifiable. Later in the spec, it states that “implementers can create Decentralized Identifiers based on identifiers registered in federated or centralized identity management systems.” So parts of a DID could potentially be centralized, although the Verifiable Credentials specification implies that the ideal situation is a cryptographically verifiable DID. The DID spec describes its language around this as “an interoperability bridge between the worlds of centralized, federated, and decentralized identifiers.”
You Make Trust Decisions
Regardless of how a DID is verified, ultimately it’s completely under your control. However, this doesn’t mean the information that the DID refers to is necessarily true. It could be “fake news!” As Burnett explained it, this was a deliberate choice when designing the DID system. The whole point of the DID is that you alone get to decide who or what you trust — there is no third party to decide it for you.
“It’s up to you as the verifier who receives a verifiable credential containing this information to decide which issuers you trust to make the claims that have been made,” said Burnett. “I think every other identity system out there tries to put a trusted party in there, and that is the mistake. That is the trap of identity systems — because what do you do when that trusted party gets hacked, or there’s some kind of fraud, or they do something that you personally disagree with?”
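As an added illustration that is not part of the original article, here is the identifier format and the verifier-side trust decision described above, in Python. The `did:` grammar is taken from the W3C DID Core syntax section, which the article does not quote; the credential structure, the issuer and subject names and the trust lists are constructed for this example.

```python
import re
from typing import NamedTuple, Optional

# Grammar from the W3C DID Core "DID Syntax" section, expressed as a regex:
#   did                = "did:" method-name ":" method-specific-id
#   method-name        = 1*method-char            ; lowercase a-z or digit
#   method-specific-id = *( *idchar ":" ) 1*idchar
#   idchar             = ALPHA / DIGIT / "." / "-" / "_" / pct-encoded
_IDCHAR = r"(?:[A-Za-z0-9._-]|%[0-9A-Fa-f]{2})"
_DID_RE = re.compile(
    rf"^did:(?P<method>[a-z0-9]+):(?P<id>(?:{_IDCHAR}*:)*{_IDCHAR}+)$"
)


class DID(NamedTuple):
    method: str
    method_specific_id: str


def parse_did(text: str) -> Optional[DID]:
    """Return the DID's parts, or None if the string is not a syntactically valid DID."""
    m = _DID_RE.match(text)
    if not m:
        return None
    return DID(m.group("method"), m.group("id"))


# Constructed sample, shaped loosely like a Verifiable Credential: an issuer DID,
# a subject DID and one claim. Signature verification is out of scope here.
SAMPLE_CREDENTIAL = {
    "issuer": "did:example:health-authority-01",
    "credentialSubject": {"id": "did:example:traveller-7f3a", "covidTestResult": "negative"},
}


def verifier_accepts(credential: dict, trusted_issuers: set, accepted_methods: set) -> bool:
    """The verifier's own trust decision, with no third party making it:
    the issuer must be a well-formed DID, use a DID method this verifier is
    willing to rely on (e.g. only cryptographically verifiable ones), and be
    an issuer this verifier has chosen to trust for the claims it makes."""
    issuer = credential.get("issuer", "")
    did = parse_did(issuer)
    if did is None or did.method not in accepted_methods:
        return False
    return issuer in trusted_issuers
```

Rejecting a credential here says nothing about whether its claim is true; it only records that this verifier has not chosen to trust the issuer or its DID method.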
Use Case: Travel Pass with COVID-19 Data
While it’s early days for DIDs (the spec is still a draft recommendation), there are some intriguing use cases already. In The Rubric podcast episode, Zundel talked about a travel pass being developed by his company Evernym for the International Air Transport Association (IATA). On Evernym’s website, it’s described as follows:
“IATA Travel Pass is a digital credential solution that enables airlines, governments, and other organizations to instantly verify travel and health documents (such as COVID-19 test results) in a highly secure and privacy-preserving manner.”
A fact sheet from the IATA notes that the Travel Pass uses both the Verifiable Credentials and the DID open standards, along with a “digital credential component” from Evernym. Notably, the fact sheet makes no mention of the words “cryptographic” or “blockchain.” The key point it emphasizes for users is that they are in control of their sensitive health data:
“There is no central database. All data is stored on the user’s own phone. Passengers have full control over their own data on their phone and can choose to share it with airlines and other parties.”
Going back to Burnett’s point about trust, ultimately it’s up to the airlines and other organizations who use the Travel Pass system to decide whether they trust the DID issuers. But presumably, health or government organizations issued the COVID-19 tests and/or vaccines that the Travel Pass reports on — so the “circle of trust” (so to speak) is solid.
The Travel Pass is a great test case for DIDs, and obviously a critically important use case too, as the pandemic (hopefully) winds down. But it’ll be interesting to see if DIDs can become more of a consumer tool too, for example as a digital identity for social media services. I’m sure there will be many startups in the near future eager to route around Facebook, Google and Apple identity systems.