Announcement: Sphereon’s Well Known DID client
As part of our continuing development of SSI-specification compliant components, we’re happy to announce the release of a client for Well Known DIDs.
Available now on https://github.com/Sphereon-Opensource/wellknown-did-client
Why do we need Well Known DIDs?
The use case for DIDs is that a user, organisation, or device can own one and prove that they control it. But if a verifier doesn’t know who the DID belongs to, a DID on its own isn’t very useful.
Linking a DID to an organisation’s domain solves this problem: you can cryptographically verify the link between the DID and the domain.
This enables Wallet vendors to display the domain and other organisational information from the Issuer. The same applies to Verifiers when they request data from the Holder.
Well-known DIDs can be used with any DID method, so it does not matter whether the DID is blockchain-based or not. This is because the serviceEndpoint in the DID is used to point to the well-known location.
The well-known location then contains Domain Linkage Credentials, which are simply Verifiable Credentials with a special context. Since these again point to the DID and are also signed by that DID, you have a double link that is signed.
Because the DID Configuration Resource is hosted on the domain with these Domain Linkage credentials, you can be sure that the holder of the DID belongs to the domain.
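The two-way check described above, as an added TypeScript example; it is not the Sphereon client's API or code from this announcement. It assumes the JSON-LD form of the credential, a string serviceEndpoint, and the `LinkedDomains` service type and `/.well-known/did-configuration.json` path from the DIF specification; the DIDs and domains are constructed samples, and verifying the credential's proof is left out.

```typescript
// Added example: structural checks only. Verifying the credential's proof against
// the DID's keys is a separate step and is not shown here.
type DidDocument = { id: string; service?: { type: string; serviceEndpoint: string }[] };
type LinkageCredential = {
  type: string[];
  issuer: string;
  credentialSubject: { id: string; origin: string };
};
type DidConfiguration = { linked_dids: LinkageCredential[] };

// Normalised origin of a URL, or null if it does not parse.
function originOf(url: string): string | null {
  try { return new URL(url).origin; } catch { return null; }
}

// Link 1: DID -> domain. Well-known URLs advertised by LinkedDomains services (https only).
function configurationUrls(doc: DidDocument): string[] {
  const urls: string[] = [];
  for (const s of doc.service ?? []) {
    const origin = s.type === "LinkedDomains" ? originOf(s.serviceEndpoint) : null;
    if (origin !== null && origin.indexOf("https://") === 0)
      urls.push(origin + "/.well-known/did-configuration.json");
  }
  return urls;
}

// Link 2: domain -> DID. Reasons a hosted credential fails to point back at `did`.
function linkageErrors(did: string, fetchedFrom: string, vc: LinkageCredential): string[] {
  const errors: string[] = [];
  if (vc.type.indexOf("DomainLinkageCredential") === -1) errors.push("wrong type");
  if (vc.issuer !== did) errors.push("issuer is not the DID");
  if (vc.credentialSubject.id !== did) errors.push("subject is not the DID");
  const claimed = originOf(vc.credentialSubject.origin);
  if (claimed === null || claimed !== originOf(fetchedFrom)) errors.push("origin mismatch");
  return errors;
}

// True when at least one hosted credential passes every structural check.
function isLinked(did: string, fetchedFrom: string, cfg: DidConfiguration): boolean {
  return cfg.linked_dids.some((vc) => linkageErrors(did, fetchedFrom, vc).length === 0);
}

// Constructed sample data (not taken from a real deployment).
const sampleDoc: DidDocument = { id: "did:example:123", service: [
  { type: "LinkedDomains", serviceEndpoint: "https://issuer.example/" },
  { type: "LinkedDomains", serviceEndpoint: "http://plain.example" }, // skipped: not https
] };
const vcType = ["VerifiableCredential", "DomainLinkageCredential"];
const goodVc: LinkageCredential = { type: vcType, issuer: "did:example:123",
  credentialSubject: { id: "did:example:123", origin: "https://issuer.example" } };
const otherVc: LinkageCredential = { type: vcType, issuer: "did:example:456",
  credentialSubject: { id: "did:example:456", origin: "https://other.example" } };
```

A credential that passes these checks still has to have its proof verified with a key from the DID before the link is trusted.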
In addition, we will expand the client further so that you can immediately get the data from the certificate at the domain, since the link must be, and is, an https link.
With DID Web you can also store a DID on the domain (at the well-known location), but:
- DID Web has no key history and stores the whole DID in the well-known location.
- In addition, it is 1 DID per location, and that location can also be variable with DID Web, which results in a security risk.
Well Known DID
- Has key history for your DID (something signed two years ago with a key that has since been deactivated can simply be verified).
- Is independent of the DID method.
- Has key rotation in the DID without having to update the well-known location, as long as the signing key of the Domain Linkage Credential remains in the DID. If not, then of course a new Domain Linkage Credential must be set at the well-known location.
The Sphereon Well Known DID client conforms to the DIF specification for Well-known DID Configurations.
Many thanks go out to the Editors for their hard work on this and other DIF specifications!
The Sphereon Well Known DID client is written in TypeScript and can be integrated or used with various libraries for Verifiable Credentials.
The client is open source (Apache 2.0) and available now on https://github.com/Sphereon-Opensource/wellknown-did-client