Client-managed secret mode for DIDs
Creation and management of Decentralized Identifiers (DIDs), while keeping cryptographic keys at the edge.
In this project, we improve the Universal Registrar tool, a well-known open-source project at the Decentralized Identity Foundation (DIF). Parallel to the Universal Resolver (which resolves DIDs), the Universal Registrar creates DIDs across different DID methods and networks. It offers an abstraction layer with a universal interface, so clients of this tool can create DIDs without having to know or implement the details of the underlying DID method (which may involve blockchains, web servers, or any other technology). The tool can be self-hosted and should not be operated by a single centralized authority. The Universal Registrar currently supports 9 different DID methods. However, the current implementation has a serious drawback: DIDs are typically controlled by private/public cryptographic key pairs, and in the current design, creation and management of these key pairs are handled by the same architectural component that also performs the actual DID operations, i.e. the Universal Registrar component itself. We call this “internal secret mode”.
This proposal will expand on an idea called “client-managed secret mode”, which offers a clean separation between key management operations and DID operations. With this approach, wallets simply manage keys (the keys stay at the edge, in the wallet) and communicate with a Universal Registrar service in order to create DIDs. Some early design and implementation work on this idea exists, but it needs to be completed for the most popular DID methods such as did:indy, did:ebsi, did:ion, did:web, etc. In this proposal, we will further develop “client-managed secret mode” to the point where it is available for creating DIDs across several popular DID methods, and we will document and communicate the process to encourage others in the community to contribute support for additional DID methods.
Image taken from: https://identity.foundation/did-registration/
- Motivation for the project: Decentralized Identifiers (DIDs) are the technical basis for almost every initiative in the emerging decentralized identity space. Our work on “client-managed secret mode” will make working with DIDs easier, more interoperable, and less dependent on trusted third-party intermediaries.
- Generic use case description: “Client-managed secret mode” allows users to create new decentralized identities across different networks, such as EBSI, IDunion, Cheqd, ION, etc., and to access use cases in each one of these ecosystems, in a seamless, interoperable way.
- Essential functionalities: The essential functionality we are introducing is the ability to create and manage DIDs in a way where many different DID methods (and therefore ecosystems) can be supported, while keeping all control of cryptographic keys at the edge.
- How these functionalities can be integrated within the software ecosystem: This functionality can be integrated via the open-source component “Universal Registrar”, which exposes a simple API that is based on an open specification developed at the Decentralized Identity Foundation (DIF). Clients can remain agnostic to details of individual DID methods and blockchains. We have successfully integrated the Universal Registrar with other TRUSTCHAIN projects, such as MUSAP. This showcases the potential for synergies within the ecosystem and how our solution can enable advanced use cases like secure signing with hardware devices.
- Gap being addressed: The main gap is that decentralized identity applications are often limited to one or two underlying networks, such as EBSI or Hyperledger Indy. Our solution creates an abstraction layer that makes it possible to work with all of the available DID methods.
- Expected benefits achieved with the novel technology building blocks: The benefit will be that decentralized identity applications and services will be understood as a universal, global infrastructure that can be interoperable and shared by all, as opposed to building regional or sector-specific “silos” that are effectively disconnected from one another.
- Potential demonstration scenario: A demonstration will potentially involve one or more concrete digital identity wallet applications that can be installed on one’s smartphone. With our contribution, such wallets can be demonstrated to use different identity networks such as EBSI or Hyperledger Indy in a seamless way.
Repositories:
GitHub: https://github.com/NGI-TRUSTCHAIN/CLIENT-DIDS
Currently open to the TrustChain community only. Reach out if you need access.
Relevant external resources:
Team
Markus Sabadello
Markus’ main expertise is core DID technology, and his role in the project is to work on the architecture of client-managed secret mode and the implementation of the project.
Azeem Ahamed
Azeem is a blockchain developer with experience in the European Blockchain Service Infrastructure (EBSI), and he works on the implementation of “drivers” that support client-managed secret mode for DIDs.
Bernhard Fuchs
Bernhard has experience managing the Universal Registrar open-source project, and his role is to design and deploy infrastructure components needed in this project.
Zaïda Rivai
Zaïda is a data scientist and analyst who has spent much time analyzing the differences between DID methods, and her role in the project is to help understand differences in how certain DID methods are implemented.
Stevan Eraković
Stevan is an experienced front-end developer who is intimately familiar with building UIs that allow the creation and management of DIDs.
Entity
Danube Tech GmbH
Danube Tech is a pioneer in decentralized identity technologies, building both open-source tools and commercial products, and involved in various use cases and projects in the EU, US, and around the world.
Website: www.danubetech.com