Decentralized identity (DID): W3C standard implementation

A Decentralized Identifier (DID) is a globally unique identifier defined by the W3C DID Core 1.0 standard that follows the format did:method:method-specific-id. Unlike traditional identifiers (email addresses, usernames) that are controlled by a centralised authority, a DID is controlled entirely by the identity subject through cryptographic keys. The DID resolves to a DID Document — a JSON-LD file containing the controller's public keys and service endpoints — which allows anyone to verify signatures made by the DID controller without trusting a central authority.

A DID is an identifier — it answers "who are you?" by providing a cryptographically verifiable handle. A Verifiable Credential (VC) is a signed claim about a DID — it answers "what do you have?" or "what are you entitled to?" Examples: a university issues a VC asserting that DID X holds a computer science degree; a government issues a VC asserting that DID X is a resident of country Y and is over 18. The DID is the anchor for identity; VCs are the claims attached to that identity, issued by trusted third parties.

eIDAS 2.0 is an EU regulation that updates the original eIDAS (electronic identification and authentication and trust services) framework to mandate that all EU member states provide citizens with a European Digital Identity (EUDI) Wallet by 2026. These wallets are designed to hold Verifiable Credentials — government-issued digital credentials for identity, driving licences, professional qualifications, and more. The specification builds on W3C VC standards and DID methods (particularly did:ebsi for the EU Blockchain Service Infrastructure). For businesses operating in the EU, eIDAS 2.0-compatible wallets will enable seamless, privacy-preserving identity verification workflows.

did:web is the recommended starting point for most enterprise use cases — it uses HTTPS and DNS (infrastructure every enterprise already operates), is simple to implement, and doesn't require blockchain infrastructure. Use did:ion when you need high-assurance, truly decentralised identifiers not dependent on any organisation's DNS. Use did:ebsi for EU regulatory compliance (eIDAS 2.0) contexts. Avoid blockchain-based DID methods unless your use case requires the specific trust properties of a public blockchain — they add operational complexity without proportional benefit for most enterprise identity scenarios.

Selective disclosure allows a credential holder to prove specific claims from a credential without revealing all its contents. For example, proving age > 18 from a government-issued credential without revealing the actual date of birth, name, or address. This is implemented using cryptographic techniques: SD-JWT (Selective Disclosure for JWTs) allows individual claims to be disclosed selectively while the credential signature remains valid. BBS+ signatures (used in Hyperledger AnonCreds) enable zero-knowledge proofs — proving a claim is true without revealing the underlying value. Selective disclosure is one of the key privacy advantages of the VC model over traditional identity document scanning.

Verifiable Credential revocation is handled through revocation registries. The most common approaches are: Status List 2021 (W3C standard) — the issuer maintains a bitstring status list published as a URL in the credential; verifiers check the status bit to confirm the credential is still valid; BitString Status List (successor to Status List 2021) — improved privacy through encoding. Blockchain-based revocation registries offer decentralised revocation without depending on the issuer's infrastructure remaining online. The revocation mechanism must be specified in the credential's credentialStatus property and checked by verifiers as part of credential validation.

Key open-source frameworks include: Veramo (JavaScript/TypeScript) — modular framework for DID and VC operations, supporting multiple DID methods and credential formats; Credo-TS (formerly Aries Framework JavaScript) — enterprise-grade framework for DID and VC workflows; Hyperledger AnonCreds — for zero-knowledge credential implementations; and DIF's Universal Resolver for multi-method DID resolution. Commercial options include Microsoft Entra Verified ID (Azure-based, enterprise SLA), MATTR (enterprise VC platform, strong NZ/AU market), and Dock.io (blockchain-anchored VC issuance). The choice depends on your DID method requirements and the level of managed infrastructure vs self-hosted control you need.

DIDs and Verifiable Credentials complement OAuth/OIDC rather than replace them. Self-Issued OpenID Provider v2 (SIOPv2) is a standard that allows DID-based identity to be used within OpenID Connect flows — users present credentials from their wallet to authenticate with OIDC-compliant relying parties without a centralised identity provider. OpenID for Verifiable Credentials (OID4VC) extends this for credential issuance and presentation. For enterprise use, the most practical path is integrating DID-based credentials into existing OIDC infrastructure using these standards, rather than replacing OIDC entirely. Microsoft Entra, for example, supports both traditional OIDC and Verifiable Credentials through the same platform.