Credential Verifier Decentralized Identifiers
W3C defines Decentralized IDs (DIDs) as a means to identify an entity in a decentralized ecosystem. See the W3C DIDs spec for details. An entity's DID is represented as a string and used in the different ID fields, such as issuer, subject, audience, or holder, for JSON Web Tokens (JWTs), Verifiable Credentials (VCs), and other JSON objects. The DID is used to find public keys for the entity as well as optional information about how to interact with the entity.
The DID specification supports multiple ways to store and represent the DID. Every DID is a colon-separated string with the literal did, a method name, and method-specific data. W3C maintains a list of all of the current DID methods.
A did:web identifier is used in the signed JWT that is returned by Credentials Verifications when the wallet requests the Authorization Request. The wallet then resolves the did:web to get the public keys and verify the JSON Web Token (JWT) signature. This supports environments with and without custom domains.
Unlike in Credentials Issuance, a different DID identifier is used for every presentation session because the JSON Web Key Set (JWKS) used is different for each session.
PingOne Credentials uses did:web for the issuer and verifier and did:ion for the holder or subject. PingOne also supports did:ion for all parties for backwards compatibility.
PingOne hosted verifier did:web
The service supports retrieving the did:web documents of verifiers hosted by PingOne on both the standard auth.pingone.com domain (and regional variants by top level domain, TLD) and custom domains. The DID document contains the public keys for the verifier and optional information about how to interact with the verifier. To retrieve the DID document:
- The DID of a verifier hosted on the standard `auth.pingone.com` domain is in the format:
  - `did:web:`
  - `auth.pingone.com:`
  - UUID of the verifier’s environment
  - `:verifier:`
  - UUID of the presentation session
  - `#`
  - UUID of the signing key

  For an environment UUID `8fd6a2f0-c568-4de8-a319-eb8ddff49dff` and presentation session UUID `d08008f2-d9dc-4d93-8eeb-9d2f7f50b620`, the corresponding URL to retrieve the DID document is: https://auth.pingone.com/8fd6a2f0-c568-4de8-a319-eb8ddff49dff/verifier/d08008f2-d9dc-4d93-8eeb-9d2f7f50b620/did.json

- The DID of a verifier hosted on a custom domain is in the format:
  - `did:web:`
  - the verifier’s custom domain
  - `:verifier:`
  - UUID of the presentation session
  - `#`
  - UUID of the signing key

  For a custom domain `verifier.customerdomain.com` and presentation session UUID `d08008f2-d9dc-4d93-8eeb-9d2f7f50b620`, the corresponding URL to retrieve the DID document is: https://verifier.customerdomain.com/d08008f2-d9dc-4d93-8eeb-9d2f7f50b620/did.json
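The following is an added example, not PingOne code: a wallet-side check that strictly parses a standard-domain verifier DID URL in the format listed above, pins the host to an allowlist, derives the `did.json` URL, and picks the matching key from the resolved document. It assumes the document uses the W3C DID Core property names `id`, `verificationMethod`, and `publicKeyJwk`; the function names, the signing key UUID, and the JWK are constructed for illustration.

```python
import re

UUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
# Layout described on this page for the standard domain:
# did:web:<host>:<environment UUID>:verifier:<session UUID>#<signing key UUID>
VERIFIER_DID_URL = re.compile(
    rf"did:web:(?P<host>[a-z0-9.-]+):(?P<env>{UUID}):verifier:(?P<session>{UUID})#(?P<key>{UUID})"
)

def did_document_url(did_url, allowed_hosts):
    """Return (did, https URL of did.json) for a verifier DID URL, or raise ValueError."""
    m = VERIFIER_DID_URL.fullmatch(did_url)  # fullmatch rejects extra path or query text
    if m is None:
        raise ValueError("not a standard-domain verifier DID URL")
    if m["host"] not in allowed_hosts:  # never fetch keys from a host you do not expect
        raise ValueError("unexpected did:web host: " + m["host"])
    did = did_url.split("#", 1)[0]
    return did, f"https://{m['host']}/{m['env']}/verifier/{m['session']}/did.json"

def select_signing_key(did_document, did, did_url):
    """Return the JWK whose verification method id equals the full DID URL."""
    # Assumption: W3C DID Core property names (id, verificationMethod, publicKeyJwk).
    if did_document.get("id") != did:
        raise ValueError("DID document id does not match the requested DID")
    for method in did_document.get("verificationMethod", []):
        if method.get("id") == did_url and "publicKeyJwk" in method:
            return method["publicKeyJwk"]
    raise ValueError("signing key not present in DID document")

# Environment and session UUIDs are the ones used on this page; the key UUID,
# the JWK and the document below are constructed sample data.
SAMPLE_DID_URL = (
    "did:web:auth.pingone.com:8fd6a2f0-c568-4de8-a319-eb8ddff49dff"
    ":verifier:d08008f2-d9dc-4d93-8eeb-9d2f7f50b620"
    "#11111111-2222-4333-8444-555555555555"
)
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
SAMPLE_DOCUMENT = {
    "id": SAMPLE_DID_URL.split("#", 1)[0],
    "verificationMethod": [{"id": SAMPLE_DID_URL, "publicKeyJwk": SAMPLE_JWK}],
}

if __name__ == "__main__":
    did, url = did_document_url(SAMPLE_DID_URL, {"auth.pingone.com"})
    print(url)
    print(select_signing_key(SAMPLE_DOCUMENT, did, SAMPLE_DID_URL))
```

The allowlist is the caller's decision: it should hold only the PingOne domains the wallet is configured to trust.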
Credential verifier DID data models
| Property | Type | Required? | Mutable? | Description |
|---|---|---|---|---|
| | String | N/A | Read-only | URL to the DID scheme |
| | String | N/A | Read-only | A unique identifier that conforms to DID Syntax |
| | String | N/A | Read-only | A unique identifier that conforms to DID URL Syntax |
| | String | N/A | Read-only | The entity that controls the DID in DID Syntax. In PingOne Credentials, the method-specific data is always equal to the domain part of the request URL |
| | String | N/A | Read-only | Name for the type of JWK represented |
| | String | N/A | Read-only | A JSON Web Key that conforms to RFC 7517, JSON Web Key (JWK). The contents vary by algorithm as discussed in RFC 7518, JSON Web Algorithms (JWA). |
| | String | N/A | Read-only | A unique identifier that conforms to DID Syntax including in its fragment a UUID for the key of the |
| | String | N/A | Read-only | A unique identifier that conforms to DID Syntax including in its fragment a UUID for the key of the |