DID Method: did:webvh (DID Web + Verifiable History)
did:webvh is an enhancement to the did:web DID method, providing additional features to address limitations of did:web for long-lasting DIDs. It maintains backward compatibility while offering stronger security assurances through verifiable history and self-certifying identifiers.
Key features include:
- Same DID-to-HTTPS transformation as did:web
- Full history of DID Document versions with verifiable chain of updates
- Self-certifying identifier (SCID) embedded in the DID
- Optional DID portability via SCID
- Signed proofs for DID updates
- Optional pre-rotation keys for compromise recovery
- Optional witness collaboration for updates
- High assurance DNS mechanism support
- Automatic DID URL path handling
/whois capability for verifiable credentials about the DID
Technical Specifications
Purpose and Scope
- Enhances did:web with verifiable history without requiring a ledger
- Provides cryptographic verification of DID document updates
- Enables portability while maintaining verifiable history
- Supports decentralized trust registry capabilities via
/whois
Key Technical Components
- DID Log: JSON Lines file containing all DID document versions
- SCID Generation: Hash-based self-certifying identifier derived from initial state
- Entry Hash: Links each update in a verifiable chain
- Data Integrity Proofs: Signs updates using authorized keys
- Pre-rotation Keys: Optional mechanism for key compromise recovery
- Witness System: Optional collaborative verification of updates
Implementation Requirements
- Must support standard DID-to-HTTPS transformation
- Must maintain complete DID document version history
- Must verify SCID and entry hashes during resolution
- Must validate all signatures and proofs
- Must support specified DID URL resolution mechanisms
Security Considerations
- Requires secure DNS resolution with DNSSEC
- Mandates HTTPS for all communications
- Supports privacy-enhancing technologies for resolution
- Implements CORS policies for browser-based applications
- Provides key compromise mitigation through pre-rotation
Interoperability Features
- Compatible with existing did:web infrastructure
- Supports parallel publishing of did:web DIDs
- Implements standard DID URL resolution
- Uses W3C Verifiable Credentials for
/whois
- Follows IETF standards for DNS and HTTPS
Current Status
The specification is at version 0.5 (Editors Draft) and is being actively developed by the Decentralized Identity Foundation. Implementations exist in:
The method is designed for production use with focus on long-term viability and security of decentralized identifiers.