Inferensys

Glossary

Decentralized Identifier

A globally unique, persistent identifier that does not require a centralized registration authority and is often generated and registered using cryptographic systems like distributed ledgers.
Engineer deploying small language model to edge device, IoT sensor visible on desk, technical hardware setup in bright workspace.
SELF-SOVEREIGN IDENTITY

What is a Decentralized Identifier?

A foundational component of self-sovereign identity, enabling verifiable, user-controlled digital identities without reliance on centralized registries.

A Decentralized Identifier (DID) is a globally unique, persistent identifier that does not require a centralized registration authority and is generated and registered using cryptographic systems like distributed ledgers. It is a new type of URI defined by the W3C standard, enabling a verifiable, self-sovereign digital identity that the subject controls independently of any organization.

The core mechanism involves a DID document, a JSON-LD file stored on a verifiable data registry (e.g., a blockchain) that contains the public keys, authentication protocols, and service endpoints associated with the identifier. This architecture allows the DID subject to prove control over the identifier through cryptographic proofs without an intermediary, establishing a root of trust for verifiable credentials and decentralized reputation systems.

DECENTRALIZED IDENTIFIER ARCHITECTURE

Core Properties of DIDs

Decentralized Identifiers (DIDs) are a new type of globally unique identifier that enables verifiable, self-sovereign digital identity. Unlike traditional identifiers (email addresses, usernames) that depend on centralized registrars, DIDs give entities permanent control over their cryptographic keys and associated metadata.

02

Cryptographic Verification

Every DID is intrinsically linked to asymmetric cryptography, enabling the DID controller to prove ownership and sign verifiable credentials without an intermediary.

  • Public/private key pairs: The DID Document lists public keys that verifiers use to authenticate signatures from the controller.
  • Authentication proofs: A challenge-response protocol proves control of the private key without revealing it.
  • Key rotation: Controllers can update cryptographic material in the DID Document while retaining the same identifier, enabling security upgrades without identity loss.
03

DID Document and Service Endpoints

Resolving a DID returns a DID Document—a JSON-LD file that describes the subject and its capabilities. This document is the operational core of the DID architecture.

  • Verification methods: Lists public keys and their intended purposes (authentication, assertion, key agreement).
  • Service endpoints: Declares URLs where agents can interact with the DID subject (e.g., credential repositories, messaging inboxes).
  • Example endpoint: { "id": "#vcs", "type": "VerifiableCredentialService", "serviceEndpoint": "https://agent.example.com/vc" }
04

DID Methods and Syntax

DIDs follow a standardized URI syntax: did:<method>:<method-specific-identifier>. The method defines how the DID is created, resolved, and managed on a specific verifiable data registry.

  • Method specification: Each method (e.g., did:web, did:key, did:indy) has its own rules for CRUD operations.
  • Interoperability: A universal resolver can process any DID method, returning a standard DID Document.
  • Common methods:
    • did:key: Self-contained, generated directly from a public key.
    • did:web: Resolved via HTTPS from a domain's .well-known endpoint.
    • did:ethr: Anchored on Ethereum, using smart contracts for management.
05

Self-Sovereignty and Portability

DIDs are the foundational layer of self-sovereign identity (SSI), where individuals and organizations control their identity data independently of any administrative authority.

  • No vendor lock-in: The DID controller can migrate their identifier across different service providers without losing their identity or reputation.
  • Reputation portability: Trust scores, verifiable credentials, and interaction histories remain bound to the DID, not a platform.
  • Privacy-preserving: Controllers can generate multiple pairwise DIDs for different relationships, preventing correlation across contexts.
DECENTRALIZED IDENTIFIER FAQ

Frequently Asked Questions

Clear, technically precise answers to the most common questions about the architecture, resolution, and security of Decentralized Identifiers (DIDs).

A Decentralized Identifier (DID) is a globally unique, persistent identifier that does not require a centralized registration authority and is formatted as a URI conforming to the W3C DID Core specification. A DID functions by associating a DID subject (the entity identified) with a DID document, a JSON-LD file stored on a Verifiable Data Registry (VDR) such as a distributed ledger. The DID document contains cryptographic material—primarily public keys—and service endpoints that enable secure, authenticated interactions. The resolution process involves a DID resolver that accepts a DID as input, fetches the corresponding DID document from the VDR, and returns it to the caller, allowing any party to verify digital signatures and establish a trust relationship without an intermediary. The generic DID syntax is did:method:method-specific-identifier, where the method defines the underlying VDR (e.g., did:ethr for Ethereum, did:web for web domains).

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.