Client-managed secret mode for DIDs

Creation and management of Decentralized Identifiers (DIDs), while keeping cryptographic keys at the edge.

In this project, we improve the Universal Registrar tool, which is a well-known open-source project at the Decentralized Identity Foundation (DIF). Parallel to the Universal Resolver (which allows resolution of DIDs), the Universal Registrar allows creation of DIDs across different DID methods and networks. It offers an abstraction layer with a universal interface, which means that clients of this tool can create DIDs without having to know or implement details of the underlying DID method (which may involve blockchains, web servers, or any other technology). This tool can be self-hosted, it should not be operated by a single centralized authority. The Universal Registrar currently supports 9 different DID methods, however there is a serious drawback of the current implementation: DIDs are typically controlled by private/public cryptographic key pairs, and in the current design, creation and management of these key pairs are handled by the same architectural component that also performs the actual DID operations, i.e. the Universal Registrar component itself. We call this “internal secret mode”. 

This proposal will expand on an idea called “client-managed secret mode”, which offers a clean separation of key management operations and DID operations. With this approach, wallets can simply manage keys, and communicate with a Universal Registrar service for the purpose of creating DIDs. Some early design and implementation work of this idea exists, but it needs to be completed for the most popular DID methods such as did:indy, did:ebsi, did:ion, did:web, etc. In this proposal, we will further develop this “client-managed secret” mode to the point where it will be available for creating DIDs across several popular DID methods, and we will document and communicate the process to encourage others in the community to contribute additional support for more DID methods.


Markus Sabadello

Markus’ main expertise is core DID technology, and his role in the project is to work on the architecture of client-managed secret mode and the implementation of the project.

Azeem Ahamed

Azeem is a blockchain developer with experience in the European Blockchain Service Infrastructure (EBSI), and he works on the implementation of “drivers” that support client-managed secret mode for DIDs.

Bernhard Fuchs

Bernhard has experience managing the Universal Registrar open-source project, and his role is to design and deploy infrastructure components needed in this project.

Zaïda Rivai

Zaïda is a data scientist and analyst who has spent much time analyzing the differences between DID methods, and her role in the project is to help understand differences in how certain DID methods are implemented.

Stevan Eraković

Stevan is an experienced front-end developer who is intimately familiar with building UIs that allow the creation and management of DIDs.


Danube Tech GmbH

Danube Tech is a pioneer in decentralized identity technologies, building both open-source tools and commercial products, and involved in various use cases and projects in the EU, US, and around the world.