Making it possible to connect existing systems and Decentralized Identifiers (DIDs) is an important undertaking that can aid in bootstrapping adoption and usefulness of DIDs. One such form of connection is the ability of a DID controller to prove they are the same entity that controls an Internet domain.
The DID Configuration resource provides proof of a bi-directional relationship between the controller of an Internet domain and a DID via cryptographically verifiable signatures that are linked to a DID's key material. This document describes the data format of the resource and the resource location at which Internet domain controllers can publish their DID Configuration.
Due to the location of the DID Configuration resource, discovery of associated Decentralized Identifiers against a domain is trivial. However, the inverse (i.e given a DID-URI discover the associated domains) is deemed out of scope.
DID Configuration is a draft specification being developed within the Decentralized Identity Foundation (DIF), and intended for registration with IANA as a Well-Known resource. This spec will be updated to reflect relevant changes, and participants are encouraged to contribute at the following repository location: https://github.com/decentralized-identity/.well-known
Term | Description |
---|---|
Decentralized Identifier (DID) | Unique ID string and PKI metadata document format for describing the cryptographic keys and other fundamental PKI values linked to a unique, user-controlled, self-sovereign identifier in a target system (i.e. blockchain, distributed ledger). |
DID Configuration | Well-Known resource in the format of a JSON object that includes Domain Linkage Assertions |
Domain Linkage Assertion | JSON object containing a DID string and cryptographic proof (in the form of a JWT signed with the specified DID's keys) that verifies the domain controller and the DID controller are the same entity. |
JWT | JSON Web Token, as specified in IETF RFC 7797 |
The DID Configuration resource MUST exist at the domain root, in the IETF 8615 Well-Known Resource directory, as follows: `/.well-known/did-configuration`
The DID Configuration resource MUST be a valid JSON object containing Domain Linkage Assertions, which contain cryptographically verifiable claims that prove the same entity controls both the included DIDs and the domain the resource is located under. The resource MUST NOT exceed 8 kilobytes in total size; resources that exceed this maximum size are to be ignored by the processing entity.
{
"entries": [
{
"did": "did:btcr:123...",
"jwt": "ewogICJAY29udGV4dCI..."
↑ EXAMPLE OF DECODED JWT VALUE
{
"iss": "did:btcr:123...",
"domain": "example.com",
"exp": 1475878357
}
},
{
"did": "did:ethr:456...",
"jwt": "73hf3unAY29udGc3dvH..."
},
{
"did": "did:sov:789...",
"jwt": "uC75Xsdcgbd73Cdeqc8..."
}
]
}
The following properties are defined for use at the top-level of the resource - all other properties that are not defined below MUST be ignored:
The following properties are defined for Domain Linkage Assertion objects - all other properties that are not defined below MUST be ignored:
After fetching and validating the resource via the Resource Fetch and Validation process enumerated above, the processing entity MAY choose to validate any of Domain Linkage Assertions it contains. Domain Linkage Assertions are independent from one another, thus one being valid or invalid does not affect the state of the others. For a Domain Linkage Assertions to be deemed valid, it MUST be successfully processed in accordance with the following steps:
In the case an entry fails validation against any of the criteria enumerated above, the single entry that failed will be deemed invalid, and the validation implementation MUST produce an error to that effect. If an entry fails validation during an iteration of the entries by the processing entity, there is no normative implication about the validity of other entries, and the choice to continue iteration and validation of further entries is at the election of the processing entity.
If the resource processing entity is not looking for the presence of a specific DID, or intending to validate a specific DID in the `entries` array of Domain Linkage Assertions, the resource processing entity SHOULD iterate the array of Domain Linkage Assertions beginning at 0 index. This normative iteration from 0 index is intended to allow domain controllers to order their Domain Linkage Assertions in accordance with a known processing order, in cases where order may matter to the domain controller. An example of this is the case where a domain controller has a primary signing DID that is the likely target of interest for the vast majority of relying parties who seek to validate an assertion based on the DIDs associated with a domain.