Inferensys

Glossary

Decentralized Identifier (DID)

A globally unique persistent identifier that does not require a centralized registration authority and is often used to identify subjects in a verifiable, decentralized identity system.
Developer building agentic RAG system, retrieval pipeline diagram on laptop, technical workspace with notes.
SOVEREIGN IDENTITY MANAGEMENT

What is Decentralized Identifier (DID)?

A foundational component of self-sovereign identity, enabling persistent, cryptographically verifiable identifiers independent of centralized registries.

A Decentralized Identifier (DID) is a globally unique, persistent identifier that does not require a centralized registration authority and is often used to identify subjects in a verifiable, decentralized identity system. It is a new type of URI scheme defined by the W3C, enabling a cryptographically verifiable, self-owned digital identity.

Unlike traditional identifiers like email addresses or usernames, a DID is fully under the control of the DID subject, independent of any organization. The identifier resolves to a DID Document stored on a Verifiable Data Registry, which contains the cryptographic public keys and service endpoints necessary to authenticate the owner and establish secure, peer-to-peer communication.

Architectural Pillars

Core Characteristics of DIDs

Decentralized Identifiers are not merely addresses; they are a new cryptographic primitive for identity. The following characteristics define their technical architecture and distinguish them from federated or centralized identity models.

01

Permanent & Persistent

A DID is designed to be a globally unique, long-lived identifier that does not require a centralized registration authority. Once generated, it persists indefinitely without the need for a third-party intermediary to renew or maintain it.

  • Cryptographic Root of Trust: The identifier is generated from a public-private key pair, ensuring the controller can prove ownership without a certificate authority.
  • No Vendor Lock-in: Unlike email addresses or domain names, the identifier is not leased from a service provider and cannot be revoked arbitrarily by an administrator.
  • Portability: The DID remains valid across different networks and service endpoints, allowing the subject to migrate between identity providers without losing their identifier.
02

Resolvable to a DID Document

A DID is a URI that dereferences to a DID Document. This document is a JSON-LD resource containing the cryptographic material and service endpoints necessary to interact with the DID subject.

  • Public Key Descriptions: Lists the public keys associated with the identifier for verification and authentication.
  • Service Endpoints: Specifies URLs for interacting with the identity owner, such as credential repositories or secure messaging gateways.
  • Resolution Process: The resolve(DID) function fetches the document from a Verifiable Data Registry (like a distributed ledger or decentralized database), abstracting the underlying storage mechanism.
03

Cryptographically Verifiable

The relationship between a DID and its controller is established through asymmetric cryptography, not a database lookup. The controller proves ownership by signing challenges with the private key associated with the public key in the DID Document.

  • Proof of Control: Authentication relies on standard digital signature algorithms (Ed25519, Secp256k1) rather than shared secrets.
  • Key Rotation: The DID Document supports updating public keys, allowing the controller to rotate compromised keys while maintaining the same identifier.
  • Delegation: The controller can delegate specific capabilities to other DIDs, enabling fine-grained access control for autonomous agents and services.
DECENTRALIZED IDENTIFIER FUNDAMENTALS

Frequently Asked Questions

Clear, technically precise answers to the most common questions about the architecture, resolution, and security of Decentralized Identifiers.

A Decentralized Identifier (DID) is a globally unique, persistent identifier that does not require a centralized registration authority and is formatted as a Uniform Resource Identifier (URI). It works by associating a subject (a person, organization, device, or software agent) with a DID Document. This document, typically stored on a Verifiable Data Registry (like a distributed ledger), contains cryptographic material such as public keys and service endpoints. To prove control, the subject uses the associated private key to sign a challenge, a process known as DID Authentication. The core mechanism is the did:method syntax, where the method specifies how to read, write, and resolve the identifier on a specific underlying system, enabling interoperability across different networks without a central root of trust.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.