§ DID Traits 0.9.0 Editor’s Draft

Specification Status: Draft

Latest Draft: identity.foundation/did-traits

Ratified Versions:

identity.foundation/did-traits/v0.8.0

Editors:

Jan Christoph Ebersbach (identinet)

Authors:

Jan Christoph Ebersbach (identinet)

Otto Mora (Privado ID)

Participate:

GitHub repo

File a bug

Commit history

Except where otherwise noted, this work by the Decentralized Identity Foundation is licensed under CC BY 4.0.

§ Abstract

This document guides implementers of W3C Decentralized Identifiers (DIDs) in selecting suitable DID methods for their specific use cases by defining proven and relevant Decentralized Identifiers traits. It includes a JSON schema for representing traits of a concrete DID method in a structured, machine-readable format, enabling integration with third-party systems such as DID resolvers. This specification builds upon existing literature and specifications detailed in the References section.

§ Status of This Document

This is a draft specification being developed within the Decentralized Identity Foundation (DIF). Design work is ongoing, and participants are encouraged to open issues or otherwise contribute at the DIF-hosted github repository, whether as input to stable versions or as recommendations for future versions.

§ Terminology

Decentralized Identifiers ~ Unique ID URI string and PKI metadata document format for describing the cryptographic keys and other fundamental PKI values linked to a unique, user-controlled, self-sovereign identifier in a target system (i.e. blockchain, distributed ledger).

Traits ~ A distinct, measurable characteristic of a Decentralized Identifier method that influences its behavior, capabilities, or implementation requirements.

§ Structure of this Document

This specification is organized into three main sections:

  1. Definition of Traits: Provides detailed definitions and descriptions of identified DID method traits. Each trait is explained in terms of its significance, characteristics, and impact on DID method implementation and usage.
  2. JSON Schema Data Model: Presents a formal schema for representing DID method traits in a machine-readable format. This section includes the complete JSON schema definition along with examples illustrating its application.
  3. Comparison of DID Methods: Contains a comprehensive table comparing different DID methods based on their traits. This comparison enables implementers to evaluate and select DID methods that best match their requirements.

The specification references supporting literature and related specifications throughout these sections, with complete references provided at the end of the document.

§ Definition of Traits

This section systematically defines the characteristics that distinguish and differentiate DID methods. While all DID methods fundamentally support core operations for creating and retrieving DID documents, they exhibit diverse additional traits that reflect their unique design. These traits have been identified through analysis of existing DID methods and their real-world implementations. Each trait definition includes its name and description.

Trait Definition
Updateable DID Documents are updateable, see https://w3c.github.io/did-core/#method-operations.
Updateable Service Endpoints Service endpoints are updateable, see https://w3c.github.io/did-core/#services.
Deactivatable DIDs are deactivatable, see https://w3c.github.io/did-core/#method-operations.
Deletable DID method’s capability to permanently remove a DID and its associated DID document from the underlying system, rendering the identifier and its historical irresolvable.
Transactional Fees Indicates whether a DID method imposes mandatory transactional costs for creating, updating, or deactivating identifiers. These fees are typically associated with blockchain or distributed ledger-based methods, where computational resources and network consensus mechanisms necessitate economic compensation.
Self-Certifying DID method where the cryptographic material used to generate the DID is embedded within the identifier itself, creating an inherent and verifiable cryptographic binding between the DID, its initial DID document, and the associated cryptographic keys. This approach eliminates the need for external verification infrastructure, as the identifier’s authenticity can be cryptographically validated through its own intrinsic key material.
Rotatable Verification Methods Verification methods are updateable, allowing cryptographic keys to be replaced or updated, see https://w3c.github.io/did-core/#verification-methods.
Pre-rotation of Keys Cryptographic mechanism that enables a DID controller to securely commit to a future key rotation without revealing the actual replacement public key. This technique creates a verifiable, one-way commitment to the next cryptographic key pair, preventing malicious actors who compromise the current private key from arbitrarily rotating to a new key of their choosing.
Multi-Signature Verification Method A DID method that supports distributed control of a decentralized identifier through a cryptographic mechanism requiring multiple independent signatures to authorize critical identity operations such as updating, deactivating or using the DID.
Human-readable A DID method’s ability to generate identifiers that are cognitively accessible and memorable to humans, typically incorporating meaningful, domain-specific, or intuitive components.
Enumerable A DID method where all identifiers within the system can be comprehensively discovered and listed through a publicly accessible registry, typically implemented using a distributed ledger technology (DLT) or similar transparent infrastructure.
Locally Resolvable A DID method where identifiers and their associated DID documents are resolvable and verifiable only within a specific, transient local context.
Globally Resolvable A DID method where identifiers can be resolved from any network location, enabling universal access to the associated DID document across diverse computational environments and geographic boundaries.
DID Document History A DID method’s capability to preserve and retrieve previous versions of a DID document, enabling comprehensive historical traceability of identity metadata and modifications.
Cryptograhpically signed DID Document History A DID method’s capability to record all modifications to the DID document in an append-only, cryptographically verifiable data structure that prevents retroactive alteration or deletion of historical states.
Hosting not required DID document hosting on persistent storage is not required, at least for the initial DID document. For example: did:key and did:peer.
Centrally Hosted DID document is stored and managed and resolved through a single, centralized service infrastructure, typically implemented using a web server or controlled repository.
Decentrally Hosted DID document is stored, managed, and resolved through a distributed infrastructure, typically implemented using decentralized ledger technologies (DLT) or peer-to-peer networks.
Privacy Preserving Crypto - BBS+ A DID method’s ability to use cryptographic techniques that enable identity verification and authentication while minimizing the disclosure of sensitive personal information. Specifically by using the Selective Disclosure techniques of the BBS+ scheme as standardized in the IETF CFRG https://datatracker.ietf.org/doc/draft-irtf-cfrg-bbs-signatures/.
Privacy Preserving Crypto - niZKPs A DID method’s ability to use cryptographic techniques that enable identity verification and authentication while minimizing the disclosure of sensitive personal information. Using other cryptography that supports Non-interactive Zero Knowledge Proofs (niZKPs) such as zk-SNARKS, zk-STARKS, Bulletproofs or other similar zero knowledge protocol types.
RSA, 2048 bit key size A DID method supports the cryptographic algorithm, which has been verified by any of the government entities mentioned in appendix National Cryptographic Standards Bodies.
RSA, 3072 bit key size A DID method supports the cryptographic algorithm, which has been verified by any of the government entities mentioned in appendix National Cryptographic Standards Bodies.
RSA, 4096 bit key size A DID method supports the cryptographic algorithm, which has been verified by any of the government entities mentioned in appendix National Cryptographic Standards Bodies.
ECDSA, curve sec256k1 A DID method supports the cryptographic algorithm, which has been verified by any of the government entities mentioned in appendix National Cryptographic Standards Bodies.
ECDSA, curve secp384r1 A DID method supports the cryptographic algorithm, which has been verified by any of the government entities mentioned in appendix National Cryptographic Standards Bodies.
ECDSA, curve secp512r1 A DID method supports the cryptographic algorithm, which has been verified by any of the government entities mentioned in appendix National Cryptographic Standards Bodies.
EdDSA, curve ed25519 A DID method supports the cryptographic algorithm, which has been verified by any of the government entities mentioned in appendix National Cryptographic Standards Bodies.
EdDSA, curve ed448 A DID method supports the cryptographic algorithm, which has been verified by any of the government entities mentioned in appendix National Cryptographic Standards Bodies.
Brainpool, curve BrainpoolP256r1 A DID method supports the cryptographic algorithm, which has been verified by any of the government entities mentioned in appendix National Cryptographic Standards Bodies.
Brainpool, curve BrainpoolP384r1 A DID method supports the cryptographic algorithm, which has been verified by any of the government entities mentioned in appendix National Cryptographic Standards Bodies.
Brainpool, curve BrainpoolP512r1 A DID method supports the cryptographic algorithm, which has been verified by any of the government entities mentioned in appendix National Cryptographic Standards Bodies.
GOST, curve GOST-256 A DID method supports the cryptographic algorithm, which has been verified by any of the government entities mentioned in appendix National Cryptographic Standards Bodies.
GOST, curve GOST-512 A DID method supports the cryptographic algorithm, which has been verified by any of the government entities mentioned in appendix National Cryptographic Standards Bodies.
SM, curve SM2 A DID method supports the cryptographic algorithm, which has been verified by any of the government entities mentioned in appendix National Cryptographic Standards Bodies.

§ JSON Schema Data Model

The specification defines a normative JSON Schema data model for documenting and representing DID method traits in a machine-readable format. The canonical schema is formally defined at https://identity.foundation/did-traits/schemas/traits.json.

DID method authors SHALL use this schema to describe their method’s trait support. The schema is structured with two primary components:

All traits are represented as boolean values with the following semantics:

Conforming implementations MUST validate their trait documentation against this JSON Schema, ensuring consistent and unambiguous representation of DID method capabilities.

§ Example

This example demonstrates a complete JSON representation of the did:web DID method, illustrating the schema’s structure.

{
  "$schema": "https://identity.foundation/did-traits/schemas/traits.json",
  "name": "web",
  "updateable": true,
  "updateableServiceEndpoints": true,
  "deactivatable": true,
  "deletable": true,
  "transactionalFees": false,
  "selfCertifying": false,
  "updateableVerificationMethods": true,
  "prerotationOfKeys": false,
  "multisigVerificationMethod": false,
  "humanreadable": true,
  "enumerable": false,
  "resolvableLocally": false,
  "resolvableGlobally": true,
  "history": false,
  "historySigned": false,
  "hostingNotRequired": false,
  "hostedCentrally": true,
  "hostedDecentrally": false,
  "cryptographyPrivacyPreservingBBSPlus": true,
  "cryptographyPrivacyPreservingNiZKPs": true,
  "cryptographicAlgorithmRsa2048": true,
  "cryptographicAlgorithmRsa3072": true,
  "cryptographicAlgorithmRSA4096": true,
  "cryptographicAlgorithmECDSAsec256k1": true,
  "cryptographicAlgorithmECDSAsecp384r1": true,
  "cryptographicAlgorithmECDSAsecp512r1": true,
  "cryptographicAlgorithmEdDSA25519": true,
  "cryptographicAlgorithmEdDSAed25519": true,
  "cryptographicAlgorithmBrainpoolP256r1": true,
  "cryptographicAlgorithmBrainpoolP384r1": true,
  "cryptographicAlgorithmBrainpoolP512r1": true,
  "cryptographicAlgorithmGOST256": true,
  "cryptographicAlgorithmGOST512": true,
  "cryptographicAlgorithmSM2": true
}

§ Comparison of DID Methods

The following table illustrates trait support across a sample of DID methods, demonstrating how traits can be used to analyze and compare method capabilities. While not exhaustive, this comparison highlights key differences in method implementations and their supported features.

Trait did:cheqd did:iden3 did:key did:peer did:web did:webvh
Updateable
Updateable Service Endpoints
Deactivatable
Deletable
Transactional Fees
Self-Certifying
Rotatable Verification Methods
Pre-rotation of Keys
Multi-Signature Verification Method
Human-readable
Enumerable
Locally Resolvable
Globally Resolvable
DID Document History
Cryptograhpically signed DID Document History
Hosting not required
Centrally Hosted
Decentrally Hosted
Privacy Preserving Crypto - BBS+
Privacy Preserving Crypto - niZKPs
RSA, 2048 bit key size
RSA, 3072 bit key size
RSA, 4096 bit key size
ECDSA, curve sec256k1
ECDSA, curve secp384r1
ECDSA, curve secp512r1
EdDSA, curve ed25519
EdDSA, curve ed448
Brainpool, curve BrainpoolP256r1
Brainpool, curve BrainpoolP384r1
Brainpool, curve BrainpoolP512r1
GOST, curve GOST-256
GOST, curve GOST-512
SM, curve SM2

§ Appendix

§ National Cryptographic Standards Bodies

List of national cryptographic standards bodies that approve cryptographic alogorithms for national use:

Country Agency Name Website
Australia Australian Signals Directorate (ASD) https://www.asd.gov.au/
Brazil Instituto Nacional de Tecnologia da Informação (ITI) https://www.gov.br/iti/pt-br
Canada Communications Security Establishment Canada (CSE) https://www.cse-cst.gc.ca
China State Cryptography Administration (SCA) http://www.sca.gov.cn
European Union European Union Agency for Cybersecurity (ENISA) & European Telecommunications Standards Institute (ETSI) https://www.enisa.europa.eu & https://www.etsi.org
Israel National Cyber Directorate https://www.gov.il/en/departments/israel_national_cyber_directorate/govil-landing-page
Japan Cryptography Research and Evaluation Committees (CRYPTREC) https://www.cryptrec.go.jp
Russia EASC - Euro-Asian Council for standardization, metrology and certification https://easc.by/
South Korea Korea Cryptographic Module Validation Program (KCMVP) & National Intelligence Service (NIS) https://eng.nis.go.kr/EAF/1_7_2_1.do
United Arab Emirates Telecommunications and Digital Government Regulatory Authority (TDRA) https://www.tdra.gov.ae
United States National Institute of Standards and Technology (NIST) https://www.nist.gov

§ References

§ Informative References

JSON Schema
JSON Schema: A Media Type for Describing JSON Documents. A. Wright, H. Andrews, B. Hutton, G. Dennis. Status: 28 January 2020. Status: Internet-Draft.

§ Patent Policy

The Decentralized Identity Foundation has adopted the W3C Patent Policy (2004), as detailed below:

§ Acknowledgements

We thank the Decentralized Identity Foundation and the Identity and Discovery working group for their support in this specification.

Table of Contents
undefined