Since 2020, the Institute of Electrical and Electronics Engineers (IEEE) Identity of Things Working Group has been working with a global consortium on the development of the IEEE P2958 standard: “According to IEEE chair of the Identity of Things working group Dr. Xinxin Fan, researchers from Lockheed Martin, Ericsson, Lenovo, Huawei, Bosch, IoTeX and the China Academy of Information and Communications Technology are developing the global standards for blockchain-based decentralized identities (DID)…” After two years of research, the six major global businesses have delivered a proof of concept for blockchain-based decentralized identification (DID) of IoT devices, an effort Dr. Fan started in 2019 with the World Wide Web Consortium (W3C).

This standard “defines a decentralized identity and access management (IAM) framework for the Internet of Things (IoT) based on emerging concepts such as decentralized identifiers (DIDs) and verifiable credentials (VCs). The framework addresses the integration of DIDs and VCs into the lifecycle of IoT devices as well as the decentralized IoT security services such as device authentication, data authorization, and access control.” 

In a previous post, we dissected NIST’s white paper on Blockchain for Access Control Systems (NIST IR 8403) (1). Both projects offer a good overview of the promise of blockchain technologies at the physical device layer and of the opportunities for an innovative marketplace of novel defensive cybersecurity platforms.

We will now take a look at the W3C specification on which IEEE P2958 builds, Decentralized Identifiers (DIDs) v1.0, which the World Wide Web Consortium (W3C) announced in July 2022 had been recommended as an official web standard: “This new type of verifiable identifier, which does not require a centralized registry, will enable both individuals and organizations to take greater control of their online information and relationships while also providing greater security and privacy.”

Why blockchain-based DIDs? 

There is a historical analog [to be found] in the evolution of mobile phone numbers. Originally these were owned by the mobile carrier and “rented” to the individual. This required individuals to change numbers if they changed carriers. With the adoption of mobile phone number portability, individuals could now “take their numbers with them” when switching carriers.  The same is true of most email addresses and social network addresses today—they are not “owned” by individuals and must be changed if the individual changes providers.

By contrast:

  • W3C Decentralized Identifiers can be controlled by the individuals or organizations that create them, are portable between service providers, and can last for as long as their controller wants to continue using them
  • DIDs [also] have the unique property of enabling the controller to verify ownership of the DID using cryptography. This can enable any controller of a DID—an individual, an organization, an online community, a government, or an IoT device—to engage in more trustworthy transactions online.
  • For individuals in particular, DIDs can put them back in control of their personal data and consent and also enable more respectful bi-directional trust relationships where forgery is prevented, privacy is honored, and usability is enhanced.

Fundamentally, Decentralized Identifiers are a new type of globally unambiguous identifier that can be used to identify any subject (e.g., a person, an organization, a device, a product, a location, even an abstract entity, or a concept). Each DID resolves to a DID document that contains the cryptographic material and other metadata for controlling the DID. The foundational pillars of the DID specification are:

  1. DIDs do not require a central issuing agency (decentralized);
  2. DIDs do not require the continued operation of an underlying organization (persistent);
  3. Control of DIDs, and the information they are associated with, can be proven cryptographically (verifiable); and
  4. DID metadata can be discovered (resolvable). (2)

Decentralized Identifiers (DIDs) v1.0

Core architecture, data model, and representations

Abstract

Decentralized identifiers (DIDs) are a new type of identifier that enables verifiable, decentralized digital identity. A DID refers to any subject (e.g., a person, organization, thing, data model, abstract entity, etc.) as determined by the controller of the DID. In contrast to typical, federated identifiers, DIDs have been designed so that they may be decoupled from centralized registries, identity providers, and certificate authorities. Specifically, while other parties might be used to help enable the discovery of information related to a DID, the design enables the controller of a DID to prove control over it without requiring permission from any other party. DIDs are URIs that associate a DID subject with a DID document allowing trustable interactions associated with that subject.

Each DID document can express cryptographic material, verification methods, or services, which provide a set of mechanisms enabling a DID controller to prove control of the DID. Services enable trusted interactions associated with the DID subject. A DID might provide the means to return the DID subject itself, if the DID subject is an information resource such as a data model.

This document specifies the DID syntax, a common data model, core properties, serialized representations, DID operations, and an explanation of the process of resolving DIDs to the resources that they represent.

Introduction 

As individuals and organizations, many of us use globally unique identifiers in a wide variety of contexts. They serve as communications addresses (telephone numbers, email addresses, usernames on social media), ID numbers (for passports, driver’s licenses, tax IDs, health insurance), and product identifiers (serial numbers, barcodes, RFIDs). URIs (Uniform Resource Identifiers) are used for resources on the Web, and each web page you view in a browser has a globally unique URL (Uniform Resource Locator).

The vast majority of these globally unique identifiers are not under our control. They are issued by external authorities that decide who or what they refer to and when they can be revoked. They are useful only in certain contexts and recognized only by certain bodies not of our choosing. They might disappear or cease to be valid with the failure of an organization. They might unnecessarily reveal personal information. In many cases, they can be fraudulently replicated and asserted by a malicious third-party, which is more commonly known as “identity theft”.

The Decentralized Identifiers (DIDs) defined in this specification are a new type of globally unique identifier. They are designed to enable individuals and organizations to generate their own identifiers using systems they trust. These new identifiers enable entities to prove control over them by authenticating using cryptographic proofs such as digital signatures.

Since the generation and assertion of Decentralized Identifiers is entity-controlled, each entity can have as many DIDs as necessary to maintain their desired separation of identities, personas, and interactions. The use of these identifiers can be scoped appropriately to different contexts. They support interactions with other people, institutions, or systems that require entities to identify themselves, or things they control, while providing control over how much personal or private data should be revealed, all without depending on a central authority to guarantee the continued existence of the identifier. These ideas are explored in the DID Use Cases document [DID-USE-CASES].

This specification does not presuppose any particular technology or cryptography to underpin the generation, persistence, resolution, or interpretation of DIDs. For example, implementers can create Decentralized Identifiers based on identifiers registered in federated or centralized identity management systems. Indeed, almost all types of identifier systems can add support for DIDs. This creates an interoperability bridge between the worlds of centralized, federated, and decentralized identifiers. This also enables implementers to design specific types of DIDs to work with the computing infrastructure they trust, such as distributed ledgers, decentralized file systems, distributed databases, and peer-to-peer networks.

This specification is for:

  • Anyone that wants to understand the core architectural principles that are the foundation for Decentralized Identifiers;
  • Software developers that want to produce and consume Decentralized Identifiers and their associated data formats;
  • Systems integrators that want to understand how to use Decentralized Identifiers in their software and hardware systems;
  • Specification authors that want to create new DID infrastructures, known as DID methods, that conform to the ecosystem described by this document.

In addition to this specification, readers might find the Use Cases and Requirements for Decentralized Identifiers [DID-USE-CASES] document useful.

Design Goals

Decentralized Identifiers are a component of larger systems, such as the Verifiable Credentials ecosystem [VC-DATA-MODEL], which influenced the design goals for this specification. The design goals for Decentralized Identifiers are summarized here. (3)

[Table of DID design goals omitted; source: W3C]

What Next?

“In 2030, the entire $12.6 trillion potential value of a global ecosystem of interconnected networked devices…can be unlocked by defining a global DID standard through which people and machines can interoperate.” (1)

[Image omitted; source: McKinsey]

The Work Continues at W3C

  • W3C, composed of over 450 organizations, has made the investment in W3C Decentralized Identifiers and W3C Verifiable Credentials to ensure a more decentralized, privacy-respecting, and consent-based data-sharing ecosystem.
  • Official standards work will continue on these technologies through the newly re-chartered W3C Verifiable Credentials 2.0 Working Group, which will focus on expanding functionality based on market feedback.
  • Further incubation on future privacy-respecting technologies will occur through the W3C Credentials Community Group, which is open to participation by the general public. (2)

Markets adopting DIDs

W3C Decentralized Identifiers, coupled with W3C Verifiable Credentials, are being used across a number of markets where identification and data authenticity are a concern:

  • Governments: The US, Canada, and the EU are exploring the use of DIDs to provide privacy-protecting digital identity documentation for their businesses and residents, which enables those entities to choose how and when their data is shared.
  • Retailers:  Convenience stores, grocery stores, restaurants, bars, and consumer goods companies in the US are utilizing DIDs for new digital age verification programs to increase privacy, checkout speed, and combat the use of fraudulent identity documents when purchasing age-gated products.
  • Supply chain stakeholders: Global government regulators, trade standards institutions, vendors, shippers, and retailers are using DIDs to explore next-generation systems that more accurately verify the origin and destination of products and services, which will streamline and enable the reporting designed to apply correct tariffs, prevent dumping, and monitor transshipment.
  • Workforce: Universities, job training programs, and education standards organizations are adopting DIDs in order to issue digital learning credentials that are controlled and shared by the graduate when applying for higher education or workforce positions. (2)

https://oodaloop.com/archive/2022/03/31/web3-security-how-to-reduce-your-cyber-risk/

https://oodaloop.com/archive/2023/05/16/nist-on-blockchain-and-cybersecurity-at-the-physical-layer-access-control-systems/

Daniel Pereira

About the Author

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.