Credential Issuer Decentralized Identifiers
W3C defines Decentralized IDs (DIDs) as a means to identify an entity in a decentralized ecosystem. See the W3C DIDs spec for details. An entity's DID is represented as a string and used in the different ID fields, such as issuer, subject, audience, or holder, for JSON Web Tokens (JWTs), Verifiable Credentials (VCs), and other JSON objects. The DID is used to find public keys for the entity as well as optional information about how to interact with the entity.
The DID specification supports multiple ways to store and represent the DID. Every DID is a colon-separated string with the literal did, a method name, and method-specific data. W3C maintains a list of all of the current DID methods.
When PingOne Credentials issues a credential, it uses the Ping Native format as a delivery mechanism to provision the credential to the Wallet SDK app. The credential contains the data in two formats: the Ping Native format and the W3C Verifiable Credential format. The W3C VC format uses DIDs as identifiers for the issuer and for the holder or subject.
PingOne Credentials uses did:web for the issuer and verifier and did:ion for the holder or subject. PingOne also supports did:ion for all parties for backwards compatibility.
PingOne hosted issuer did:web
The service supports retrieving the did:web documents of issuers hosted by PingOne on both the standard auth.pingone.com domain (and regional variants by top-level domain, TLD) and custom domains. The DID document contains the public keys for the issuer and optional information about how to interact with the issuer. To retrieve the DID document:
- The DID of an issuer hosted on the standard `auth.pingone.com` domain is in the format:
  - `did:web:`
  - `auth.pingone.com:`
  - UUID of the issuer’s environment
  - `#`
  - UUID of the signing key

  For an environment UUID `8fd6a2f0-c568-4de8-a319-eb8ddff49dff`, the corresponding URL to retrieve the DID document is: `https://auth.pingone.com/8fd6a2f0-c568-4de8-a319-eb8ddff49dff/did.json`

- The DID of an issuer hosted on a custom domain is in the format:
  - `did:web:`
  - the issuer’s custom domain
  - `#`
  - UUID of the signing key

  For a custom domain `issuer.customerdomain.com`, the corresponding URL to retrieve the DID document is: `https://issuer.customerdomain.com/.well-known/did.json`
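The DID-to-URL mapping described above, plus selection of the signing key named by the fragment, as an added example (not PingOne's code). It follows the general did:web rule, so it accepts more path segments than the two formats shown; the property names `id`, `verificationMethod` and `publicKeyJwk` are taken from W3C DID Core, and the key UUID and JWK values are constructed placeholders.

```python
from urllib.parse import unquote

def did_web_to_url(did_url):
    """Split a did:web DID URL into (did, key fragment, did.json URL)."""
    did, _, fragment = did_url.partition("#")
    parts = did.split(":")
    if len(parts) < 3 or parts[:2] != ["did", "web"] or not all(parts[2:]):
        raise ValueError("not a did:web identifier")
    host = unquote(parts[2])               # a port is written as %3A in the DID
    path = [unquote(p) for p in parts[3:]]
    if any(c in host for c in "/?#@") or any("/" in p or p in (".", "..") for p in path):
        raise ValueError("unsafe host or path segment")
    # No path segments: /.well-known/did.json; otherwise /<segments>/did.json
    tail = "/".join(path) if path else ".well-known"
    return did, fragment, f"https://{host}/{tail}/did.json"

def select_key(did_url, document):
    """Return the JWK named by the DID URL fragment from a fetched DID document."""
    did, fragment, _ = did_web_to_url(did_url)
    if not fragment:
        raise ValueError("DID URL has no signing-key fragment")
    # Reject a document that describes a different DID than the one requested.
    if document.get("id") != did:
        raise ValueError("document id does not match the requested DID")
    for method in document.get("verificationMethod", []):
        if method.get("id") in (did_url, "#" + fragment):
            return method["publicKeyJwk"]
    raise LookupError("signing key not listed in the DID document")

# Constructed sample values: the environment UUID is the one used on this page;
# the key UUID and the JWK contents are placeholders.
ENV_DID = "did:web:auth.pingone.com:8fd6a2f0-c568-4de8-a319-eb8ddff49dff"
KEY_ID = ENV_DID + "#00000000-0000-4000-8000-000000000001"
SAMPLE_DOC = {
    "id": ENV_DID,
    "verificationMethod": [{
        "id": KEY_ID, "type": "JsonWebKey2020", "controller": "did:web:auth.pingone.com",
        "publicKeyJwk": {"kty": "EC", "crv": "P-256", "x": "placeholder", "y": "placeholder"},
    }],
}

if __name__ == "__main__":
    print(did_web_to_url(KEY_ID)[2])
    print(did_web_to_url("did:web:issuer.customerdomain.com#key-1")[2])
    print(select_key(KEY_ID, SAMPLE_DOC)["kty"])
```
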
Credential issuer DID data models
| Property | Type | Required? | Mutable? | Description |
|---|---|---|---|---|
| | String | N/A | Read-only | URL to the DID scheme |
| | String | N/A | Read-only | A unique identifier that conforms to DID Syntax |
| | String | N/A | Read-only | A unique identifier that conforms to DID URL Syntax |
| | String | N/A | Read-only | The entity that controls the DID in DID Syntax. In PingOne Credentials, the method-specific data is always equal to the domain part of the request URL |
| | String | N/A | Read-only | Name for the type of JWK represented |
| | String | N/A | Read-only | A JSON Web Key that conforms to JSON Web Key (JWK). The contents vary by algorithm as discussed in JSON Web Algorithms (JWA). |
| | String | N/A | Read-only | A unique identifier that conforms to DID Syntax including in its fragment a UUID for the key of the |
| | String | N/A | Read-only | A unique identifier that conforms to DID Syntax including in its fragment a UUID for the key of the |