NEW
Report & API Now Live! Data insights report and open data API endpoints live as of September 23, 2025

did:x509 Method Specification

type
Standard
Documentation

Description

Description
Source

The did:x509 Method Specification is a technical standard that bridges traditional X.509 certificates with Decentralized Identifiers (DIDs). This method enables interoperability between existing X.509 infrastructure and the emerging DID ecosystem, particularly valuable for organizations that cannot fully transition to DIDs immediately.

The key innovation of did:x509 is its ability to operate without additional infrastructure, as both creation and resolution are local operations. It relies on X.509 chain validation and matches DID elements to certificate properties within the chain. A distinctive feature is the requirement for a certificate chain to be passed using the x509chain resolution option during DID resolution.

Here's a comprehensive technical analysis:

Purpose and Scope

  • Enables hybrid solutions combining X.509 certificates with DIDs
  • Supports both X.509-only verifiers and DID-based verifiers
  • Operates without requiring additional infrastructure
  • Provides backward compatibility with existing X.509 systems

Key Technical Specifications

  • Identifier Syntax: did:x509:<version>:<ca-fingerprint-alg>:<ca-fingerprint>::<policy>
  • Supported Hash Algorithms:
    • sha256
    • sha384
    • sha512
  • Policy Types:
    • subject
    • san (Subject Alternative Name)
    • eku (Extended Key Usage)
    • fulcio-issuer

Implementation Requirements

  1. Certificate Chain Validation:

    • Minimum two certificates required
    • Must follow RFC 5280 validation procedures
    • Trust anchor is last certificate in chain
  2. Data Model:

    • JSON-based representation of X.509 certificate chains
    • Supports multiple certificate attributes
    • Includes fingerprint, issuer, subject, and extensions

Security Considerations

  • Trust Model:

    • Does not require traditional X.509 trust stores
    • Supports both direct DID trust and third-party endorsements
    • Compatible with traditional chain validation
  • Identity Management:

    • Careful consideration needed for policy selection
    • Risk of over-broad identity matching if policies are too loose
    • Recommended to follow CA-published field usage guidelines

Interoperability Features

  • Supports both X.509 and DID verification methods
  • Compatible with existing X.509 infrastructure
  • Integrates with:
    • JSON Web Keys (JWK)
    • Verifiable Credentials
    • Standard X.509 validation tools

Current Adoption Status

  • Specification is in v1.0 Draft status
  • Developed under the Trust over IP Foundation
  • Derived from Microsoft's initial draft specification

Statistics

Projects Following
Source
0

Under Management at

Project
Website
Source

Projects Following or working on this Standard

If you are featured in the Web of Trust Map and wish to exercise your GDPR rights, including the right to be forgotten, visit the privacy policy page