DIDs (Decentralized Identifiers)

What is a DID?

A Decentralized Identifier (DID) is a globally unique identifier controlled by its owner through cryptography, without depending on a central registry.

did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK
└─┘ └─┘ └──────────────────────────────────────────────┘
 │   │    └─ Method-specific identifier (public key encoding)
 │   └─ DID method
 └─ DID scheme

DID methods

Method	Resolution	Infrastructure	Best for
did:key	Key in identifier	None	Quick setup, ephemeral identities
did:web	HTTPS from domain	Web server	Organizations with a domain
did:peer	Exchanged between peers	None	DIDComm, private channels
did:webvh	HTTPS + history log	Web server + log	Long-lived organizational IDs
did:jwk	JWK in identifier	None	OID4VC flows

Key types

Key type	Algorithm	Speed	Use case
Ed25519	EdDSA	Fastest	Default, general purpose
P-256	ES256	Fast	WebAuthn, FIDO2, Apple/Google
P-384	ES384	Moderate	HAIP, government standards
secp256k1	ES256K	Fast	Bitcoin/Ethereum
BLS12-381	BBS+	Slow	Zero-knowledge proofs

DID Document

Resolution returns a DID Document with public keys and service endpoints:

{
  "id": "did:key:z6Mk...",
  "verificationMethod": [{
    "id": "did:key:z6Mk...#z6Mk...",
    "type": "Ed25519VerificationKey2020",
    "publicKeyMultibase": "z6Mk..."
  }],
  "authentication": ["did:key:z6Mk...#z6Mk..."],
  "assertionMethod": ["did:key:z6Mk...#z6Mk..."]
}

Field	Purpose
`verificationMethod`	Public keys
`authentication`	Keys for login
`assertionMethod`	Keys for signing credentials
`keyAgreement`	Keys for encryption (DIDComm)

Lifecycle

Create → Use → Rotate → Deactivate

Create: Generate key pair, derive DID
Use: Sign credentials, authenticate, DIDComm
Rotate: Create new DID, migrate, deactivate old
Deactivate: Stop issuing; old credentials remain verifiable