Understanding Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs)
By Amir Hameed Mir
In the evolving landscape of digital identity, Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs) have emerged as foundational technologies for self-sovereign identity systems. Let's dive deep into how these technologies work together.
What are Decentralized Identifiers (DIDs)?
DIDs are a new type of identifier that enables verifiable, decentralized digital identity. Unlike traditional identifiers (email addresses, usernames), DIDs are:
- Self-Sovereign: You control your DID, not any centralized authority
- Verifiable: Cryptographic proofs enable trust without intermediaries
- Decentralized: No central registry or controlling organization
- Persistent: Designed to last indefinitely, not tied to any specific service
Anatomy of a DID
A DID consists of three main parts:
- The Scheme: Always begins with did: to indicate it's a Decentralized Identifier
- The Method: Identifies the specific DID method and registry system
- The Method-Specific Identifier: A unique string generated by and meaningful within that specific DID method
Detailed Breakdown:
1. Scheme (did:)
This is the fixed prefix that distinguishes DIDs from other types of identifiers. The did: scheme is registered in the URI scheme registry and follows the same structural rules as other URIs (like http: or mailto:).
2. Method
The method identifies the particular DID method specification being used. Each method defines:
- How the DID is created
- How it's resolved to a DID Document
- How it's updated
- How it's deactivated
Common DID methods include:
- did:ethr: Ethereum-based DIDs
- did:key: Simple cryptographic key DIDs
- did:web: Web domain-based DIDs
- did:ion: ION (Sidetree protocol on Bitcoin)
- did:sov: Sovrin network DIDs
- did:btcr: Bitcoin-based DIDs
3. Method-Specific Identifier
This portion is unique to each DID method and typically contains:
- Network identifiers (mainnet, testnet)
- Account addresses or public key hashes
- Path components or query parameters
- Unique identifiers within the method's namespace
Examples of Complete DIDs:
```
did:ethr:0x1234abcd...ef5678             # Ethereum address
did:key:z6Mkf5rGM4rFpQ7XQ7XQ7XQ7XQ7XQ7   # Public key in multibase format
did:web:example.com:users:alice          # Web domain with path
did:ion:EiClkZMDxPKqC9c-um...            # ION decentralized identifier
did:sov:STNvSUSW45A7d5zQyVZMo            # Sovrin network identifier
```
Method-Specific Identifier Patterns:
For did:ethr:
```
did:ethr:[chain_id]:[ethereum_address]
did:ethr:0x1234abcd...ef5678       # Mainnet
did:ethr:0x5:0x1234abcd...ef5678   # Goerli testnet (chain_id: 5)
```
For did:key:
```
did:key:[multibase_encoded_public_key]
did:key:z6Mkf5rGM4rFpQ7XQ7XQ7XQ7XQ7XQ7XQ7XQ7XQ7
```
For did:web:
```
did:web:[domain_name][:path][#fragment]
did:web:example.com
did:web:example.com:users:alice
did:web:example.com:users:alice#key-1
```
The Complete DID URL:
DIDs can also include additional components to form DID URLs:
```
did:example:123456789abcdefghi/path/to/resource
did:example:123456789abcdefghi#key-1
did:example:123456789abcdefghi?version-id=1
did:example:123456789abcdefghi/service-endpoint
```
These DID URLs allow direct reference to specific:
- Keys within the DID Document (#fragment)
- Service endpoints (/path)
- Specific versions (?query)
- Other resources associated with the DID
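A strict parser for the three-part structure and the DID URL components described above, as an added example that is not part of the original article. The DID portion follows the DID Core ABNF (lowercase method name, colon-separated identifier characters); `parse_did_url`, `DidUrl` and the `MAX_LEN` cap are names and choices made here.

```python
import re
from typing import NamedTuple, Optional

# Syntax per the W3C DID Core ABNF: did = "did:" method-name ":" method-specific-id
# method-name is lowercase letters/digits; idchar is ALPHA / DIGIT / . - _ / pct-encoded.
# Path, query and fragment are matched loosely (no whitespace), not full RFC 3986.
_IDCHAR = r"(?:[A-Za-z0-9._-]|%[0-9A-Fa-f]{2})"
_DID_URL = re.compile(
    r"did:(?P<method>[a-z0-9]+)"
    rf":(?P<msid>(?:{_IDCHAR}*:)*{_IDCHAR}+)"  # colon-separated, must not end in ':'
    r"(?P<path>(?:/[^/?#\s]*)*)"               # optional /path
    r"(?:\?(?P<query>[^#\s]*))?"               # optional ?query
    r"(?:#(?P<fragment>\S*))?"                 # optional #fragment
)
MAX_LEN = 2048  # assumption: a local cap on untrusted input, not from the spec


class DidUrl(NamedTuple):
    method: str
    method_specific_id: str
    path: str
    query: Optional[str]
    fragment: Optional[str]

    @property
    def did(self) -> str:
        """The bare DID, without path, query or fragment."""
        return f"did:{self.method}:{self.method_specific_id}"


def parse_did_url(value: str) -> DidUrl:
    """Split a DID or DID URL into its parts; raise ValueError if malformed."""
    if len(value) > MAX_LEN:
        raise ValueError("DID URL too long")
    m = _DID_URL.fullmatch(value)
    if m is None:
        raise ValueError(f"not a valid DID URL: {value!r}")
    return DidUrl(m["method"], m["msid"], m["path"], m["query"], m["fragment"])


if __name__ == "__main__":
    # Constructed samples based on the forms shown above.
    for s in ("did:web:example.com:users:alice#key-1",
              "did:example:123456789abcdefghi?version-id=1",
              "did:Web:example.com", "did:web:example.com:"):
        try:
            print(s, "->", parse_did_url(s))
        except ValueError as e:
            print(s, "-> rejected:", e)
```

Validating the syntax before handing a string to a resolver keeps malformed or ambiguous identifiers out of method-specific resolution code, and `did` gives the value to compare when checking which identifier a key or service reference belongs to.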
Characteristics of Method-Specific Identifiers:
- Uniqueness: Must be globally unique within the method namespace
- Persistence: Should remain valid indefinitely
- Resolvable: Must map to exactly one DID Document
- Cryptographically Verifiable: Often derived from public keys
- Method-Defined: Structure varies by method specification
This three-part structure provides both standardization (through the did: scheme) and flexibility (through method-specific implementations), enabling DIDs to work across different blockchain networks, decentralized systems, and identity platforms while maintaining interoperability through the common W3C DID Core specification.
