DID registry
A DID Registry is a service that stores and retrieves DIDs and DID documents. It is a key component of the tdx Volt decentralized identity ecosystem, as it allows users to manage their DIDs and DID documents in a consistent, reliable, secure and decentralized way.
What is a DID?
A decentralized identifier, or DID, is a new type of identifier that enables verifiable, self-sovereign digital identity. DIDs are fully under the control of the DID subject, independent of any centralized registry, identity provider, or certificate authority.
DIDs are presented as URIs that are resolvable to a DID document, which is a JSON object that contains cryptographic material, authentication suites, and service endpoints.
Below is an example DID document for the DID did:volt:48c7e0bb-9c62-4db0-be2f-d2f46528ccdb.
DID documents do not contain any sensitive or personal information about the DID subject; they contain only the cryptographic material needed to verify that a party controls the DID. A DID document simply binds an opaque identifier to a set of cryptographic keys and service endpoints.
For more information, see the W3C Decentralized Identifiers (DIDs) specification.
DID Registry
The DID registry is a database that stores and retrieves DIDs and DID documents.
The tdx Volt ecosystem is designed to be decentralized and self-sovereign, so each tdx Volt instance maintains its own DID registry. This allows each tdx Volt instance to have complete control over its own identity and the identities of other peers that it interacts with. As well as this, any tdx Volt instance can be configured to use one or more other DID registries to store and resolve DIDs.
In order for two tdx Volt instances, or any two entities in the tdx Volt ecosystem, to communicate with each other, they must be able to resolve each other’s DIDs. This is necessary in order to acquire the public key of the other peer and thereby verify their identity and encrypt the communication between the two peers.
To resolve a given DID, the tdx Volt instance or client first queries the local DID registry, and then queries each of the other configured DID registries in turn. If the DID is not found in any of the configured DID registries, the resolution fails.
Hence in order for two peers to verify each other’s identity and encrypt/decrypt data, they must have a common DID registry that they can use to resolve each other’s DIDs.
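The lookup order described above, as an added example that is not part of the tdx Volt code base: the local registry is consulted first, then each configured registry in order, and the resolver fails only when none of them holds the DID. The example also checks the returned document before trusting it, because a peer's public key is about to be taken from it. The `/resolve` path and the `did` query parameter name are assumptions (the page only says the HTTP endpoint is a GET that takes the DID as a query parameter), the did:volt identifier pattern is inferred from the single example DID on this page, and the remote registries here are in-memory stand-ins so that the code runs offline.

```python
import json
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Optional

# Shape of the did:volt identifier, inferred from the single example DID on
# this page (an assumption, not the registry's own grammar).
DID_VOLT_RE = re.compile(
    r"^did:volt:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)

# One registry lookup: the DID document, or None when this registry has no entry.
Fetcher = Callable[[str], Optional[dict]]


class ResolutionError(Exception):
    pass


def validate_document(did: str, doc: dict) -> dict:
    """Checks a returned DID document before its keys are trusted."""
    # A registry must not be able to answer a query for one DID with the
    # document of another, so the id is compared with what was requested.
    if doc.get("id") != did:
        raise ResolutionError(f"registry returned {doc.get('id')!r}, wanted {did!r}")
    methods = doc.get("verificationMethod")
    if not isinstance(methods, list) or not methods:
        raise ResolutionError("DID document has no verificationMethod entries")
    for method in methods:
        if "publicKeyJwk" not in method and "publicKeyMultibase" not in method:
            raise ResolutionError("verification method carries no public key")
    return doc


class Resolver:
    """Local registry first, then each configured registry in order."""

    def __init__(self, local: dict, remotes: list):
        self.local = local
        self.remotes = list(remotes)

    def resolve(self, did: str) -> dict:
        if not DID_VOLT_RE.match(did):
            raise ResolutionError(f"not a well-formed did:volt identifier: {did!r}")
        doc = self.local.get(did)
        if doc is None:
            for fetch in self.remotes:
                doc = fetch(did)
                if doc is not None:
                    break
        if doc is None:
            raise ResolutionError(f"{did} not found in any configured DID registry")
        return validate_document(did, doc)


def http_fetcher(base_url: str, timeout: float = 5.0) -> Fetcher:
    """Fetcher for a registry's HTTP resolution endpoint.

    The '/resolve' path and the 'did' parameter name are assumptions; the page
    only says the endpoint is a GET that takes the DID as a query parameter.
    """
    def fetch(did: str) -> Optional[dict]:
        url = f"{base_url}/resolve?{urllib.parse.urlencode({'did': did})}"
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as err:
            if err.code == 404:
                return None  # not held here; the resolver tries the next registry
            raise ResolutionError(f"{base_url}: HTTP {err.code}") from err
    return fetch


def memory_fetcher(store: dict) -> Fetcher:
    """In-memory stand-in for a remote registry, so the example runs offline."""
    return store.get


# Constructed sample documents; the key values are placeholders, not real keys.
LOCAL_DID = "did:volt:48c7e0bb-9c62-4db0-be2f-d2f46528ccdb"
REMOTE_DID = "did:volt:00000000-0000-4000-8000-000000000001"


def sample_doc(did: str) -> dict:
    return {
        "id": did,
        "verificationMethod": [{
            "id": did + "#key-1",
            "type": "JsonWebKey2020",
            "controller": did,
            "publicKeyJwk": {"kty": "OKP", "crv": "Ed25519", "x": "PLACEHOLDER"},
        }],
    }


def build_resolver() -> Resolver:
    """A resolver with one local entry and one in-memory remote registry."""
    return Resolver(local={LOCAL_DID: sample_doc(LOCAL_DID)},
                    remotes=[memory_fetcher({REMOTE_DID: sample_doc(REMOTE_DID)})])


if __name__ == "__main__":
    resolver = build_resolver()
    print(resolver.resolve(REMOTE_DID)["id"])  # found in the remote registry
```

To point the resolver at a real registry, replace a `memory_fetcher` with `http_fetcher("https://<registry-host>")` (hypothetical host). The id check in `validate_document` is the part worth keeping whatever the transport: a registry that is merely "found" in the configured list is still an untrusted network party until the document it returns is shown to be the one asked for.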
Currently a number of DID registries are publicly available, and can be used by any tdx Volt instance to resolve DIDs.
- coreid.com - a public DID registry operated by the tdx Volt community
- tdxvolt.com - a public DID registry and relay operated by nquiringminds Ltd in the UK
- tdxid.com - a development DID registry based in the nquiringminds London office
These DID registries are designed to be highly available and secure, and are typically operated by trusted third parties such as the community or a foundation.
The idea is that over time a network of DID registries will emerge, each operated by different entities. Some may interoperate with each other, some may not, some may be public, some may be private. Each tdx Volt instance can choose which DID registries to use, and can even run its own DID registry if it wishes. This will allow for a highly decentralized and self-sovereign identity ecosystem that is not dependent on any single entity or organization, and enables a high degree of flexibility and interoperability between different tdx Volt instances.
Resolution API
Applications and services of the tdx Volt platform can resolve and register DIDs using the various APIs.
DID registry resolution is exposed as an HTTP endpoint, as well as through the gRPC ResolveDID and SearchDIDRegistry APIs.
The HTTP endpoint is a simple GET request that takes the DID as a query parameter and returns the DID document as a JSON object.
The gRPC API is a more advanced API that allows for more complex queries and operations on the DID registry.
Registration API
In order to register a DID in the DID registry, use the Authenticate API.
There is no HTTP endpoint for registering a DID directly.
Alternatively, the client can first create a DID document and then submit it to the DID registry using the RegisterDIDDocument API.
The DID registry will validate the DID document and store it in the database. The DID document will then be available for resolution by other tdx Volt instances and clients.
Synchronisation
DID registries can elect to synchronise with each other in order to maintain a consistent view of the DID registry across several tdx Volt instances. This also provides a level of fault tolerance and availability, including the ability to resolve DIDs when offline or only partially connected to the network or intranet.
In this configuration, each tdx Volt instance maintains its own copy of the DID registry, and the DID registry is designed to be eventually consistent across all tdx Volt instances.
When a new DID is registered in the DID registry, the tdx Volt instance that registered the DID will broadcast the new DID to all other tdx Volt instances in the network. Each tdx Volt instance will then update its local copy of the DID registry to include the new DID.
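The registration flow (validate, store, broadcast) and the synchronisation between registries described above, as an added in-memory simulation that is not tdx Volt's own code: three registries form a mesh, one is partitioned while registrations happen, and it catches up by pulling from a peer once reconnected. The broadcast mechanism, the create-only registration rule and the conflict handling are assumptions made for the example; the page says only that registries validate documents, broadcast new DIDs and are eventually consistent. The conflict branch shows the point a practitioner should watch for in an eventually consistent registry: when two registries hold different documents for the same DID, silently accepting whichever arrives last would let any peer replace another subject's keys, so this example keeps the local copy and records the divergence.

```python
import copy
import re

# Shape of the did:volt identifier, inferred from the example DID on this page.
DID_VOLT_RE = re.compile(r"^did:volt:[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


class RegistrationError(Exception):
    pass


class Registry:
    """One in-memory DID registry that broadcasts registrations to its peers."""

    def __init__(self, name: str):
        self.name = name
        self.docs = {}        # did -> DID document
        self.peers = []       # registries this one broadcasts to
        self.online = True    # False simulates a partition: nothing sent or received
        self.conflicts = []   # (did, peer name) where a peer held a different document

    def register(self, doc: dict) -> None:
        """Validate and store a client-submitted document, then broadcast it."""
        did = doc.get("id", "")
        if not DID_VOLT_RE.match(did):
            raise RegistrationError(f"not a well-formed did:volt identifier: {did!r}")
        if not doc.get("verificationMethod"):
            raise RegistrationError("DID document carries no verification methods")
        if did in self.docs:
            # Assumption for this example: registration is create-only, so a
            # second submission cannot silently replace an existing document.
            raise RegistrationError(f"{did} is already registered")
        self.docs[did] = copy.deepcopy(doc)
        if self.online:
            for peer in self.peers:
                peer.receive(self.name, doc)

    def receive(self, sender: str, doc: dict) -> None:
        """Apply a broadcast from a peer. Idempotent and never re-broadcast."""
        if self.online:
            self._merge(sender, doc)

    def _merge(self, sender: str, doc: dict) -> None:
        existing = self.docs.get(doc["id"])
        if existing is None:
            self.docs[doc["id"]] = copy.deepcopy(doc)
        elif existing != doc:
            # Two registries hold different documents for one DID. This example
            # keeps the local copy and records the divergence; accepting the
            # newcomer would let any peer overwrite another subject's keys.
            self.conflicts.append((doc["id"], sender))

    def sync_from(self, peer: "Registry") -> None:
        """Pull everything a peer holds; how a registry catches up after a partition."""
        for doc in peer.docs.values():
            self._merge(peer.name, doc)

    def resolve(self, did: str):
        return self.docs.get(did)


def make_doc(did: str, key: str) -> dict:
    """Constructed DID document; the key is a placeholder, not real material."""
    return {"id": did, "verificationMethod": [
        {"id": did + "#key-1", "type": "Ed25519VerificationKey2020",
         "controller": did, "publicKeyMultibase": key}]}


def full_mesh(*registries: Registry) -> None:
    for reg in registries:
        reg.peers = [p for p in registries if p is not reg]


# Constructed identifiers for the simulation.
DID_ONE = "did:volt:11111111-1111-4111-8111-111111111111"
DID_TWO = "did:volt:22222222-2222-4222-8222-222222222222"


def demo() -> dict:
    """Registration under a partition, then catch-up; returns what each node sees."""
    a, b, c = Registry("A"), Registry("B"), Registry("C")
    full_mesh(a, b, c)
    c.online = False                                # C is cut off from the network
    a.register(make_doc(DID_ONE, "zKEY-ONE"))       # reaches B, not C
    c.register(make_doc(DID_TWO, "zKEY-TWO-C"))     # stays on C
    a.register(make_doc(DID_TWO, "zKEY-TWO-A"))     # same DID, different key, reaches B
    seen_before = (b.resolve(DID_ONE) is not None, c.resolve(DID_ONE) is not None)
    c.online = True
    c.sync_from(b)                                  # catch up from any peer
    b.sync_from(c)
    a.sync_from(c)
    return {
        "before_reconnect": seen_before,
        "after_reconnect": all(r.resolve(DID_ONE) == a.resolve(DID_ONE) for r in (a, b, c)),
        "did_two_agree": a.resolve(DID_TWO) == c.resolve(DID_TWO),
        "conflicts": {r.name: sorted(r.conflicts) for r in (a, b, c)},
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two sides of eventual consistency: DID_ONE, registered while C was partitioned, is identical on all three registries once C has pulled from a peer, whereas DID_TWO, registered independently on both sides of the partition, never converges on its own and is instead surfaced in each registry's `conflicts` list for an operator to resolve.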