Concepts, Explained in Minutes

Bite-Size Trust is an educational video series from the Trust Over IP community: short, plain-language explainers on the concepts, standards, and technologies shaping the future of digital trust. Whether you’re new to decentralized identity or looking to deepen your understanding, each video gives you exactly what you need without the jargon overload.

Contributors
Carly Huitema (lead), Eric Drury, Neil Thomson, Scott Perry, Drummond Reed, Wenjing Chu, Steven Milstein, Jim Mason, Markus Sabadello, Alex Tweeddale, Stephen Curran, Nicholas Racz, Darrell O’Donnell, Daniel Bachenheimer

FEATURED VIDEO

Private and Public Keys

Public and private keys enable secure communication and identity verification online. Public keys encrypt data, while private keys decrypt it and sign digital documents. This system ensures privacy, authenticity, and trust across websites, emails, and transactions.

VIDEOS

Digests

Digital digests are cryptographic fingerprints used to verify data integrity. Created by hashing algorithms, they produce a fixed-length string unique to the original content. Even a small change alters the digest, making it ideal for detecting tampering. By comparing digests, users can confirm authenticity without relying on central authorities—building trust through math.

Digital Signatures

Digital signatures ensure the authenticity and integrity of digital content using cryptographic tools. A unique digest of the content is created through hashing, then encrypted with the signer’s private key to form the signature. To verify it, the recipient recalculates the digest and compares it to the decrypted signature using the signer’s public key. A match confirms the content is unchanged and genuinely signed; a mismatch indicates tampering or an invalid signature.

DIDs and Key Rotation

Decentralized Identifiers (DIDs) and key rotation protect digital identities when private keys are compromised. Key rotation replaces old keys with new ones, and DIDs track these changes without relying on central authorities. Stored on decentralized systems, DIDs link to DID documents showing valid keys and updates—ensuring secure, self-managed identity verification.

Verifiable Credentials

Verifiable credentials are digital proofs of identity or qualifications, similar to physical documents like passports. Instead of physical security features, they use cryptographic signatures from trusted issuers to confirm authenticity. When presented, a verifier checks the credential’s digital signature against the issuer’s public key—often retrieved via decentralized identifiers (DIDs)—to confirm it’s valid and untampered. This system enables secure, private, and decentralized verification of personal claims online.

Identifiers

Identifiers are labels used to refer to things—like people, documents, or data—in both physical and digital contexts. They come in two types: assigned identifiers, given by an authority (e.g., passport numbers or student IDs), and derived identifiers, generated from the content itself using hashing algorithms. Derived identifiers act as digital fingerprints that change if the content changes, making them useful for verifying integrity. Both types are essential for organizing, referencing, and ensuring trust in digital systems.

Self-certifying Identifiers

Self-certifying identifiers are cryptographically derived identifiers that prove their own authenticity without relying on a central authority. Unlike assigned identifiers (like passport numbers), these are created by hashing content—often including a public key—so any change to the key alters the identifier itself. This makes them tamper-evident and verifiable. Used in systems like Decentralized Identifiers (DIDs), they enable secure, trustless identity verification by embedding cryptographic trust directly into the identifier.
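As an added illustration (not code from the video series or from any DID method), the following Python derives a self-certifying identifier from a public key and verifies it locally, and also shows the digest behaviour described under Digests above; the `scid:` prefix and base64url encoding are assumptions chosen for this example, not a real method's format, and the key bytes are constructed.

```python
import base64
import hashlib
import hmac

def digest(content: bytes) -> str:
    """Fixed-length SHA-256 fingerprint of arbitrary content, hex-encoded."""
    return hashlib.sha256(content).hexdigest()

def self_certifying_id(public_key: bytes, prefix: str = "scid") -> str:
    """Derive an identifier from the public key itself.

    The encoding (prefix + base64url of the SHA-256 of the key) is a toy
    chosen for this example; real methods such as did:key use their own
    multicodec/multibase encoding of the key.
    """
    raw = hashlib.sha256(public_key).digest()
    return prefix + ":" + base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def verify_self_certifying(identifier: str, claimed_key: bytes) -> bool:
    """True only if `identifier` was derived from `claimed_key`.

    Anyone can run this check offline: there is no registry to ask, because
    the identifier carries its own proof of binding to the key.
    """
    prefix, _, _ = identifier.rpartition(":")
    expected = self_certifying_id(claimed_key, prefix)
    return hmac.compare_digest(identifier.encode(), expected.encode())

if __name__ == "__main__":
    # Constructed sample values; not real keys.
    key = b"constructed-public-key-bytes-00000001"
    other_key = b"constructed-public-key-bytes-00000002"
    scid = self_certifying_id(key)
    print("identifier:", scid)
    print("genuine key verifies:", verify_self_certifying(scid, key))        # True
    print("substituted key verifies:", verify_self_certifying(scid, other_key))  # False
    # A derived identifier, like any digest, changes if the content changes by one byte.
    print(digest(b"hello world") == digest(b"hello world!"))  # False
```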

Where DID Documents List

DID Documents—files that describe public keys, authentication methods, and service endpoints—can be stored in various ways depending on the DID method. Some methods store them on blockchains for immutability (e.g., did:indy); others use content-addressable systems like IPFS (did:ipfs) for tamper-evidence. Web-hosted DIDs (did:web) are easy to publish but rely on website control. Event-log-based methods like did:keri track changes over time, while peer and key-based DIDs share data directly or derive it from keys for lightweight, private use. Despite different storage models, all resolve to a standard W3C DID Document, ensuring interoperability across systems.

Resolving a DID

Resolving a Decentralized Identifier (DID) means converting it into a DID Document containing public keys, service endpoints, and metadata for secure interactions. The resolution process varies by DID method. Some, like did:web, use domain-based URLs and HTTPS to fetch the document. Others, like did:indy, query blockchains to reconstruct the document from signed operations. Lightweight methods like did:key generate the document locally from embedded key material, while did:peer involves direct exchange between parties. Hybrid approaches may store document digests on-chain for tamper-evidence. Despite different resolution models, all produce a standard W3C DID Document, ensuring interoperability and trust.
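An added example (not code from the page or from the did:web specification) of the did:web resolution step: converting the identifier into the HTTPS URL where the DID Document lives, then the check a resolver should make on whatever the web host returns; `example.com`, `localhost` and the document contents are constructed sample values.

```python
from urllib.parse import unquote

def did_web_to_url(did: str) -> str:
    """Turn a did:web identifier into the HTTPS URL of its DID Document.

    Follows the did:web read/resolve steps: ':' separates path segments,
    a percent-encoded ':' (%3A) in the host segment is a port, and the
    document is at /.well-known/did.json when the DID names only a host,
    otherwise at <path>/did.json.
    """
    if not did.startswith("did:web:"):
        raise ValueError(f"not a did:web identifier: {did!r}")
    segments = did[len("did:web:"):].split(":")
    if not all(segments):
        raise ValueError(f"empty segment in {did!r}")
    host = unquote(segments[0])  # "host%3A8443" -> "host:8443"
    path = segments[1:]
    if not path:
        return f"https://{host}/.well-known/did.json"
    return f"https://{host}/{'/'.join(path)}/did.json"

def document_matches_did(did: str, did_document: dict) -> bool:
    """After fetching, confirm the document's 'id' is the DID we asked for.

    Whoever controls the web host controls what this URL serves, so the
    resolver must at least refuse a document issued for a different DID.
    """
    return did_document.get("id") == did

if __name__ == "__main__":
    did = "did:web:example.com:users:alice"
    print(did_web_to_url(did))                  # https://example.com/users/alice/did.json
    print(did_web_to_url("did:web:example.com"))  # https://example.com/.well-known/did.json
    # Constructed document standing in for the HTTPS response body.
    fetched = {"@context": "https://www.w3.org/ns/did/v1", "id": did, "verificationMethod": []}
    print(document_matches_did(did, fetched))   # True
    print(document_matches_did(did, {"id": "did:web:example.com:users:bob"}))  # False
```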

Detecting DID Document Duplicity

Detecting duplicity in DID documents is crucial for maintaining trust in decentralized identity systems. Since DID controllers can update their documents—including public keys—malicious changes may go unnoticed if not externally monitored. To prevent this, some DID methods store documents or their cryptographic digests on tamper-resistant public ledgers (e.g., did:indy, did:ipfs, or Ethereum), making unauthorized changes detectable. Others, like did:keri, use decentralized networks of observers to track and verify document history. These external verification mechanisms ensure that any attempt to alter identity records without accountability can be identified, preserving the integrity of the system.
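An added example serving both the DIDs and Key Rotation passage and this one: a simplified hash-chained key event log, inspired by event-log methods such as did:keri but not KERI's actual event format, in which each rotation commits to the previous event, a key is valid only while it is the latest one, and logs reported by several observers are compared to detect conflicting histories. Key labels and observer names are constructed.

```python
import hashlib
import json

def event_digest(event: dict) -> str:
    """Digest over canonical JSON, so every observer computes the same value."""
    return hashlib.sha256(json.dumps(event, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def append_event(log: list, key: str, kind: str) -> dict:
    """Append an inception ('icp') or rotation ('rot') event committing to the previous digest."""
    prev = event_digest(log[-1]) if log else None
    event = {"seq": len(log), "prev": prev, "key": key, "type": kind}
    log.append(event)
    return event

def verify_chain(log: list) -> bool:
    """Consecutive seq numbers and a correct 'prev' link at each step, else history was rewritten."""
    prev = None
    for i, event in enumerate(log):
        if event["seq"] != i or event["prev"] != prev:
            return False
        prev = event_digest(event)
    return True

def current_key(log: list):
    """After rotation only the key established by the latest event is valid."""
    return log[-1]["key"] if log and verify_chain(log) else None

def find_duplicity(observations: dict) -> list:
    """Two different events at the same seq, seen by different observers, mean
    the controller published conflicting histories; return (seq, observer_a, observer_b)."""
    first_seen, conflicts = {}, []
    for observer, log in observations.items():
        for event in log:
            d, seq = event_digest(event), event["seq"]
            if seq in first_seen and first_seen[seq][0] != d:
                conflicts.append((seq, first_seen[seq][1], observer))
            first_seen.setdefault(seq, (d, observer))
    return conflicts

if __name__ == "__main__":
    log = []                                    # constructed key labels stand in for real keys
    append_event(log, "key-1", "icp")
    append_event(log, "key-2", "rot")           # key-1 compromised: rotate to key-2
    print(verify_chain(log), current_key(log))  # True key-2
    fork = [log[0], {"seq": 1, "prev": event_digest(log[0]), "key": "key-other", "type": "rot"}]
    print(find_duplicity({"watcher-a": log, "watcher-b": fork}))  # [(1, 'watcher-a', 'watcher-b')]
```

Two observers that agree produce an empty conflict list; a single observer can still catch a rewritten history through `verify_chain`, but only comparison across observers reveals a controller showing different logs to different parties.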