Identifiers in did:self are created using the thumbprint of a public key. Accordingly, DID documents are protected by a proof generated by the DID controller; this proof can be validated with the public key that was used for creating the corresponding identifier. Therefore, given a did:self DID and the corresponding DID document and proof, any entity can verify their binding, as well as the correctness and the integrity of the DID document. Similarly to self-signed digital certificates, proof vericfiation does not require any auxiliary information. A unique feature of did:self is that it supports secure DID sharing and controlled delegation. By leveraging this property, earlier versions of our DID method were used for implementing content-centric security for Information-Centric Networking architectures [ 4, 5 ], for securing IoT group communication [ 6 ], as well as for improving the security of the Inter-Planetary File System (IPFS) [ 7 ].

In this paper, we introduce an update to the did:self specification that brings the following improvements: • DIDs can have a (human-readable) sufix that provides clearer semantics about the entities that share the same identifier. • We generalize the concept of proof and introduce implicit DID documents. To this end, we propose two methods for generating DID documents using JSON Web Tokens and X.509 certificates. This enables interoperability with existing authentication and authorization systems.

The remainder of this paper is organized as follows. In Section 2 we introduce DIDs. In Section 3 we present the design of our solution. In Section 4 we discuss related work in this area. We conclude our paper in Section 5.

Decentralized Identifiers (DIDs), defined by W3C, are a new type of globally unique identifier designed to enable individuals and organizations to generate their own identifiers using systems they trust. A DID architecture can be regarded as a key-value lookup system, where the key is the Decentralized Identifier (DID) and the value is a DID document. DID specifications allow multiple DID methods to co-exist; the main diferentiating factor among existing DID methods is how the resolution from a DID to the corresponding DID document is implemented. A DID is expressed as a URI composed of three parts separated by “:”; the first part is the word “did”, the second part is the DID method name, and the third part is a method specific identifier.

A DID document contains “properties”, serialized according to a particular syntax, that may include (among other things) verification methods (e.g., public keys) and verification relationships that express a relationship between a verification method and the DID subject. Examples of verification relationships are authentication, which means that a verification method is used for authenticating the DID subject, and assertion, which means that a verification method is used for verifying assertions, e.g., digital signatures, made by the DID subject.

Listing 1 illustrates an example of a DID document. The DID of the subject is did:self:iQ9PsBKOH1nLT9FyhsUGvXyKoW00yqm_-_rVa3W7Cl0/device1 (line 2). In lines 310 a verification method is defined, which is a public key. This public key has an identifier (i.e., “#key1”), and it is encoded using the type “JsonWebKey2020” [ 3 ], which is an encoding based on RFC 7517 JSON Web Keys. Next, two verification relationship are defined, i.e., “authentication” and “assertion” which include the identifier of the defined key. Therefore, in this example “#key1” can be used for authenticating the DID subject and for verifying digital signatures it generates. "id": "did:self:iQ9PsBKOH1nLT9FyhsUGvXyKoW00yqm_-_rVa3W7Cl0/device1", "verificationMethod": [{ "id": "#key1", "type": "JsonWebKey2020", "publicKeyJwk": { "kty": "EC", "crv": "P-256", "x": "YOGmYaMKzwTFytWHN2hGC-2VpPqGqj_sDSckB2IvCgI", "y": "7iWuiXQlLXvROjdMA2WNHhGz0jxu6u41n83YupNteo" } } ], "authentication": ["#key1"], "assertion": ["#key1"],

A did:self DID4 is generated by a controller who creates a public/private key pair. The did:self identifier is the thumbprint of the JSON Web Key (JWK) representation of the controller’s public key (as defined by RFC 7638 [ 8 ]), optionally followed by a sufix. Therefore a did:self identifier has the following form:

: :<ℎ> / < >

The corresponding DID document is protected by a proof generated using the controller’s private key. A controller is not necessarily the DID holder. Our method supports multiple holders per DID, each of which may use a public/private key pair it controls for implementing a verification relationship (e.g., authentication). As a motivating example consider the case of an IoT system, where the IoT system owner is the controller and each IoT device can be a holder. IoT devices can use a key pair they control to implement a verification relationship. In this case, for each IoT device a DID document is created that defines a verification relationship based on the public key that the device controls (see for example Listing 1). The proof for this document is generated by the controller. In this use case, for each IoT device a sufix can be added to the DID. Additionally, two IoT devices may share the same DID, allowing, for example, device rotation in case of failure or representation of virtual devices composed of multiple physical ones (e.g., “smart home”). This use case is illustrated in Figure 1, which shows two drones that share the same DID, but use a diferent authentication key.

A straightforward approach for creating a proof is by generating a JSON Web Signature (JWS) [ 9 ] using the private key of the controller’s key pair. In that case, the JWS header must include the jwk ifeld, which is used as follows: • jwk The JWK representation of the controller’s public key, which can be used for verifying the proof. The thumbprint of this key must match the thumbprint included in the did:self identifier.

The payload of the JWS is the DID document. Therefore, validating such a proof is a simple three-steps process: (i) extract the public key from the JWS header, (ii) verify that the thumbprint of the extracted 4In the following we use the terms did:self DID and did:self identifier interchangeably public key is equal to the thumbprint included in the did:self identifier, and (iii) validate the JWS signature using as input the extracted public key and the DID document.

In the next sections we discuss how did:self can be used with JSON Web Tokens (JWT) and X.509 certificates.

Although DID document registries management, they create lock-in conditions, decrease DID selfsovereignty, and add communication overhead, which in some scenarios is intolerable. For this reason, various eforts propose registry-less DID systems. NaCL:did [ 12 ] and did:key [ 13 ] are two such systems that use (the hash of) a public key as the DID. Similarly, ethr-did [ 14 ] uses Ethereum addresses as DIDs. The main drawback of these systems is that they support a single verification method, which is the public key from which the DID has been derived. For this reason, they cannot not support real DID documents; instead, in these methods DID documents are implied. In contrast, did:self supports DID documents, which may include multiple verification methods.

did:peer [ 15 ] is a registry-less DID system, which allows DID documents. DID document modifications are encoded in authenticatable deltas. A DID document can be modified by multiple entities, and for this reason did:peer relies on a conflict-free replicated data type for consolidating all deltas and eventually creating the final DID document. This approach has some side-efects: it makes DID document reconstruction complex and it poses restrictions on the format of the document. Our approach is much simpler, since the only additional operation required for retrieving a DID document is the validation of at most two digital signatures. Furthermore, our approach does not pose any restriction to the ifelds a DID document may contain, therefore, our solution is sustainable and future proof; this is very important considering that DID specifications have not yet been finalized.

did:web [ 16 ] is a registry-based DID system that allows users to use any Web server as a registry. With did:web, DIDs are bound to the URL of the Web server and DID document resolution is trivially implemented using HTTPS. did:web ofers a higher degree of sovereignty compared to many existing systems, but still relies on the security of HTTPS for securely distributing DID documents. On contrary, did:self does not need any secure communication channel for distributing DID documents.

ION [ 17 ] is also a registry-based DID system that has been adopted by Microsoft.5 In ION, DID 5https://techcommunity.microsoft.com/t5/identity-standards-blog/ion-we-have-liftof/ba-p/1441555 documents are stored in a “Content-addressable storage network” (e.g. the InterPlanetary File System (IPFS) [ 18 ]). Modifications to the DID documents are stored in “delta” files, which are eventually “anchored” in a decentralized sequencing oracle (ION uses Bitcoin for this purpose). Therefore, DID documents are reconstructed by retrieving the appropriate “delta” files, following the “pointers” stored in the sequence oracle. Compared to did:web, ION relies on a more distributed trust model, but at the same time adds complexity and in some cases monetary cost.

The Key Event Receipt Infrastructure (KERI) proposal [ 19 ] considers as the primary root-of-trust self-certifying identifiers that are strongly bound at issuance to a cryptographic signing (public, private) key-pair, similar to our proposal. Key rotation is performed with a signed transfer statement. The KERI proposal considers an indirect mode where a set of witnesses (replicas) store and forward key events to any requester/validator. Although the existence of witnesses enhances fault tolerance and availability, it entails additional requirements and complexity related to witness designation and policy, witness consensus, and handling of out-of-order events. did:self avoids such complexity by focusing on use cases where it is suficient to disseminate the corresponding DID document through any method, even between untrusted parties.

Compared to all these DID methods, did:self is the only DID method that allows multiple DID documents per DID, as well as controlled DID document delegation. As we discuss in Section 4, these properties enable intriguing security and privacy features.

Due to the security and privacy characteristics of the DID paradigm, many research eforts investigate the potential of using DIDs to improve the security and privacy of emerging technologies. Chadwick et al. [ 20 ] propose the integration of DIDs and Verifiable Credentials with the FIDO Universal Authentication Framework (UAF) in order to provide safer and more private online account management. DIDs are also considered for improving the security and privacy of IoT systems (e.g., [ 21 ],[ 22 ],[ 23 ],[ 24 ]). Davie et al. [ 25 ] propose a four-layer architectural stack, based on DIDs, to establish trust between peers over the Internet and other digital networks. Lagutin et al. [26] investigate the application of DIDs and Verifiable Credentials in the OAuth 2.0 authorization process. Finally, Munoz [ 27] discusses the advantages of integrating eIDAS and DIDs. Our work is complementary to these approaches: being standard compliant, did:self could be the DID technology that these proposed systems may eventually use.

In this paper we presented the did:self DID method and introduced two new extensions: identifier sufixes and implicit DID documents. Our DID method gives controllers absolute control over their identifiers and removes any dependency on middlemen, hence increasing self-sovereignty and privacy. At the same time, did:self allows multiple DID documents per DID enabling delegation and sharing. Our solution is not only compatible with W3C specifications, but is also easier to integrate in existing systems, by removing the complexity of interacting with a DID registry.

By leveraging implicit DID documents, we presented two constructions for generating a did:self DID document: one using JSON Web Tokens and another based on X.509 certificates. This enables interoperability with existing authentication and authorization systems. At the same time however, it prevents taking advantage of the full potential of DIDs, since legacy DID documents can carry more information beyond a single public key.

Although the lack of a registry and the support for multiple DID documents per DID enable novel applications and ofer significant security and privacy advantages, they create challenges related to revocation. Currently, did:self replies mainly on the expiration time to handle revoked verification material, but other more eficient mechanisms are also being explored. [26] D. Lagutin, Y. Kortesniemi, N. Fotiou, V. A. Siris, Enabling decentralised identifiers and verifiable credentials for constrained IoT devices using oauth-based delegation, in: Proceedings of the Workshop on Decentralized IoT Systems and Security (DISS 2019), in Conjunction with the NDSS Symposium, San Diego, CA, USA, volume 24, 2019. [27] C. Munoz, SSI and eIDAS: a vision on how they are connected, 2019. URL: https://ec.europa.eu/ futurium/en/system/files/ged/eidas_supported_ssi_may_2019_0.pdf.