Description


The did:web method is a decentralized identifier solution that leverages existing web infrastructure and domain reputation instead of blockchain technology. This method enables organizations to create DIDs using their established web domains, making it particularly suitable for entities that already have a web presence and want to participate in decentralized identity systems.

The method works by storing a did.json document at a well-known location on a web server, secured by standard TLS/SSL certificates. Unlike blockchain-based DIDs, did:web relies on traditional web security infrastructure and DNS systems. This approach offers several advantages:

  • Immediate usability with existing web infrastructure
  • Leveraging established domain reputation systems
  • No blockchain transaction costs
  • Familiar security and maintenance processes
  • Simple integration with existing web services

However, this also means the method inherits both the strengths and limitations of centralized web infrastructure, including dependency on DNS and certificate authorities. The method is particularly well-suited for organizations that want to issue verifiable credentials or participate in SSI ecosystems while maintaining control over their identity infrastructure.

Key Technical Components:

  1. DID Generation and Structure
    • Format: did:web:<domain-name>[:<path>]
    • Supports optional paths for multiple DIDs on a single domain
    • Domain name must match SSL/TLS certificate
    • Example: did:web:example.com or did:web:example.com:user:alice

  2. Resolution Process
    1. Convert DID to HTTPS URL by:
      • Replacing ":" with "/" in the method-specific identifier
      • Prepending "https://"
      • Appending "/.well-known/did.json" for bare domains
    2. Perform HTTPS GET request
    3. Verify DID document ID matches requested DID
    4. Process document according to JSON-LD or JSON rules

  3. Security Features
    • TLS/SSL certificate validation
    • Support for multiple verification methods:
      • JsonWebKey2020
      • EcdsaSecp256k1RecoveryMethod2020
    • DNSSEC recommended for DNS security
    • Requires strong cipher suites:

      ECDHE-ECDSA-AES256-GCM-SHA384
      ECDHE-RSA-CHACHA20-POLY1305

  4. Key Management
    • Supports multiple key types:
      • Ed25519
      • X25519
      • P-256
      • secp256k1
    • Flexible verification relationship definitions
    • Key rotation through DID document updates

  5. Technology Stack
    • Web Infrastructure:
      • HTTPS protocol
      • DNS system
      • TLS/SSL certificates
    • Document Formats:
      • JSON-LD
      • JSON
    • Security Protocols:
      • RFC8484 for DNS privacy
      • DNSSEC for DNS security
      • CORS policies for browser support
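
The URL conversion and ID-match checks from the resolution process above, as an added Python example (not code from this page or from the did:web specification authors); the HTTPS GET, with ordinary certificate validation, sits between the two functions. Appending "/did.json" for pathed DIDs and writing a port as "%3A" follow the did:web specification; the character patterns, the `DidWebError` name and the sample document are assumptions of this sketch.

```python
import json
import re
from urllib.parse import unquote

SEGMENT = re.compile(r"[A-Za-z0-9._~%-]+")        # no ":" or "/" inside a segment
HOST = re.compile(r"[A-Za-z0-9.-]+(:\d{1,5})?")   # assumption: ASCII host, optional port

# Constructed sample response body for did:web:example.com:user:alice
SAMPLE_DOC = b'{"id": "did:web:example.com:user:alice", "verificationMethod": []}'


class DidWebError(ValueError):
    """Raised when a DID or its document fails a resolution check."""


def did_web_to_url(did: str) -> str:
    """Map a did:web identifier to the HTTPS URL of its did.json."""
    prefix = "did:web:"
    if not did.startswith(prefix):
        raise DidWebError("not a did:web identifier")
    host_part, *path = did[len(prefix):].split(":")
    if not all(SEGMENT.fullmatch(p) for p in [host_part, *path]):
        raise DidWebError("empty or malformed segment")
    # Only the port colon is expected to be percent-encoded in the host;
    # anything that decodes to "/", "@", "?" and so on fails the HOST pattern.
    host = unquote(host_part)
    if not HOST.fullmatch(host):
        raise DidWebError("host contains unexpected characters")
    # Path segments stay encoded in the URL, but segments that decode to a
    # dot segment or contain a slash are refused, so the request stays
    # inside the directory the DID names.
    decoded = [unquote(p) for p in path]
    if any(d in (".", "..") or "/" in d for d in decoded):
        raise DidWebError("dot segment or slash in path")
    tail = "/".join(path) if path else ".well-known"
    return f"https://{host}/{tail}/did.json"


def check_document(did: str, body: bytes) -> dict:
    """Accept the fetched document only if its id is the requested DID."""
    try:
        doc = json.loads(body)
    except ValueError as exc:
        raise DidWebError("response is not JSON") from exc
    if not isinstance(doc, dict) or doc.get("id") != did:
        raise DidWebError("DID document id does not match requested DID")
    return doc
```
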
