by Julian Vergel de Dios, Nick Dazé, and the Heirloom team

<aside> ✍️ This is version 1.2 of a living document, published Feb 26, 2024. This whitepaper is intended to be a conceptual guide to did:x and self-sovereign identity. Edits, additions, or changes are likely to occur and will be versioned appropriately.

</aside>

1. Introduction

Names are powerful things. They are a key part of our identities and serve as a way to identify and address us. This paper proposes a system of universal name registration, ownership, and resolution called did:x.

did:x aims to be the equivalent of DNS for decentralized identifiers (DIDs), simplifying how DIDs are used and accessed, similar to how DNS simplifies navigating to websites instead of using their naked IP addresses.

1.1. DIDs

Decentralized Identifiers (DIDs) are a W3C standard for globally unique identifiers that are independent of any central authority. A DID resolves to a DID document listing the public keys and service endpoints used to prove control of the identifier. DIDs provide a way to establish self-sovereign identity, allowing individuals to control and manage their own digital identities without relying on third parties.

1.2. DNS

The Domain Name System (DNS) is a hierarchical decentralized naming system that translates domain names (e.g., www.heirloom.io) into IP addresses. It was designed to simplify the process of accessing websites by providing a human-readable naming structure instead of relying on numerical IP addresses. DNS plays a crucial role in the functioning of the internet, enabling users to easily navigate and access websites using familiar domain names.

1.3. Passwords as a threat vector

DNS shares a critical security weakness with many other services: a domain is ultimately controlled by a registrar account (and usually a DNS hosting account), and those accounts are secured by passwords. Even in scenarios where a domain name owner uses two-factor authentication (2FA), there is a meaningful risk that a valuable domain name can be stolen, for example through phishing or abuse of the account-recovery process.

1.4. Disruption of service as a threat vector

Relying on subscription services for identification is fundamentally risky and insecure.

Consider what happens if you fail to make a subscription payment, for example, in the scenario of an expired credit card number. After a brief attempt to secure payment, the service is cut off. For something minor, like a video streaming service, the impact is minimal. But for critical services, missing a payment can have serious consequences.

Consider the implications if our analog identification systems behaved this way. Imagine a world in which the interruption of a payment method led not only to the loss of identification but potentially the re-sale of your identity to a new party. It sounds ridiculous, yet this is the status quo of web domains, email addresses, and the identities associated with them.

1.5. Alternative approaches

Services like the Ethereum Name Service (ENS), Handshake, and did:web all aim to solve some or all of these problems, but most fall short.

ENS allows the owner of a unique name to control it with private-key cryptography—but ENS names expire periodically and require the owner to renew them.

Handshake lets users own and manage unique top-level domains (TLDs), but these TLDs add complexity to the namespace and psychologically conflict with widely supported TLDs like “.com”. Furthermore, a domain is not itself a root user; it is a namespace that represents a category of users. The same person can maintain addresses at [email protected] and [email protected].

did:web has weaknesses similar to Handshake’s, because it too builds identifiers on web domain names. A did:web identifier is constructed from a domain name (for example, did:web:example.com), and its DID document is fetched over HTTPS from a path on that domain that is derived from the identifier. The did:web method provides no inherent solution for the scenario where the domain owner loses control of the domain: the security and continuity of a did:web identifier are tied entirely to domain ownership maintained through traditional web domain registration and management practices. If the domain is lost or expires, the DID based on that domain becomes unreachable, or a new owner of the domain can publish their own DID document at the same location and thereby claim the identifier, leading to issues of trust and control.
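As an added illustration (not code from this whitepaper or from any did:web implementation), the following Python derives the DID document URL for a did:web identifier using the resolution steps of the did:web method specification, then uses a constructed in-memory stand-in for the web to show the consequence described above: once the domain changes hands, the same DID resolves to whatever document the new registrant publishes. The hostnames, keys and documents are constructed sample data, and the check that rejects empty or dot path segments is an added sanity check that goes beyond the specification.

```python
"""did:web resolution and the domain-loss failure mode.

Added example, not code from the did:x whitepaper or any did:web library.
All hosts, keys and documents below are constructed sample data.
"""
from typing import Dict, Optional
from urllib.parse import unquote

DidDocument = dict


def did_web_to_url(did: str) -> str:
    """Map a did:web identifier to the HTTPS URL of its DID document.

    Follows the resolution steps of the did:web method specification:
      1. strip the "did:web:" prefix;
      2. split the method-specific identifier on ":" into host and path;
      3. percent-decode the host so an encoded port ("example.com%3A3000")
         becomes "example.com:3000";
      4. with no path, the document lives under /.well-known;
      5. append /did.json and prefix https://.
    """
    prefix = "did:web:"
    if not did.startswith(prefix):
        raise ValueError(f"not a did:web identifier: {did!r}")
    segments = did[len(prefix):].split(":")
    host = unquote(segments[0])
    path_segments = segments[1:]
    if not host:
        raise ValueError(f"missing host in {did!r}")
    # Added sanity check (not in the spec): refuse empty segments and
    # segments that could escape the intended path on the host.
    if any(s in ("", ".", "..") or "/" in s for s in path_segments):
        raise ValueError(f"invalid path segment in {did!r}")
    path = "/" + "/".join(path_segments) if path_segments else "/.well-known"
    return f"https://{host}{path}/did.json"


def make_document(did: str, key: str) -> DidDocument:
    """Build a minimal DID document (constructed data; `key` is a placeholder)."""
    return {
        "@context": "https://www.w3.org/ns/did/v1",
        "id": did,
        "verificationMethod": [{
            "id": f"{did}#key-1",
            "type": "Ed25519VerificationKey2020",
            "controller": did,
            "publicKeyMultibase": key,
        }],
        "authentication": [f"{did}#key-1"],
    }


def resolve(did: str, web: Dict[str, DidDocument]) -> Optional[DidDocument]:
    """Resolve a did:web DID against `web`, a constructed URL -> document map
    standing in for HTTPS hosting. Returns None when nothing is served at the
    derived URL (domain lapsed, file removed). A real resolver would GET it."""
    url = did_web_to_url(did)
    doc = web.get(url)
    if doc is not None and doc.get("id") != did:
        # A resolver must not accept a document that claims a different DID.
        raise ValueError(f"document at {url} is for {doc.get('id')!r}, not {did!r}")
    return doc


def controller_key(did: str, web: Dict[str, DidDocument]) -> Optional[str]:
    """Return the first verification key the resolved document advertises."""
    doc = resolve(did, web)
    if doc is None:
        return None
    return doc["verificationMethod"][0]["publicKeyMultibase"]


def transfer_domain(web: Dict[str, DidDocument], did: str,
                    new_owner_key: str) -> Dict[str, DidDocument]:
    """Simulate the domain changing hands. Nothing in did:web binds the DID to
    the original owner's keys, so the new registrant simply publishes a
    document at the same URL and the same DID now resolves to it."""
    new_web = dict(web)
    new_web[did_web_to_url(did)] = make_document(did, new_owner_key)
    return new_web


# Constructed "public web": the original owner of example.com hosts a document.
ORIGINAL_KEY = "CONSTRUCTED-KEY-OF-ORIGINAL-OWNER"  # placeholder, not a real key
HOSTED_DOCUMENTS: Dict[str, DidDocument] = {
    did_web_to_url("did:web:example.com"):
        make_document("did:web:example.com", ORIGINAL_KEY),
}

if __name__ == "__main__":
    did = "did:web:example.com"
    print(did, "->", did_web_to_url(did))
    print("before transfer:", controller_key(did, HOSTED_DOCUMENTS))
    after = transfer_domain(HOSTED_DOCUMENTS, did, "CONSTRUCTED-KEY-OF-NEW-OWNER")
    print("after transfer: ", controller_key(did, after))
```

Nothing in the resolved document proves continuity with the previous owner; a verifier that trusted did:web:example.com yesterday has no in-band signal that the key behind it belongs to someone else today. That gap is precisely what a key-controlled name registry is meant to close.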