Microsoft Entra Verified ID - Part 1: Decentralized Identity (DID)
Figure: DID architecture overview (W3C DID Core): https://www.w3.org/TR/did-core/diagrams/did_brief_architecture_overview.svg

Part 1: Decentralized Identity (DID) - Overview

Decentralized Identity (DID) is a concept in the realm of digital identities that aims to restore control over personal identity data while simultaneously enhancing user privacy and security. In traditional identity management, personal information is often centralized by third parties, which can raise concerns regarding data privacy, security, and misuse.

DID utilizes blockchain technology and other decentralized technologies to create a digital identity where the user has control over their own identity data. Each identity is represented by a unique and self-managed decentralized identifier (DID) stored on a decentralized network.

The key benefits of DIDs are:

  1. Self-determination: Users can decide which identity data they want to share and with whom.
  2. Privacy: Personal information is not centrally stored, reducing the risk of data breaches.
  3. Interoperability: DIDs can be used across different services and platforms, providing user-friendly and seamless access to various services.
  4. Security: Decentralized identities are less vulnerable to identity theft and fraud since they are based on cryptographic techniques.

DID is employed in various application domains, such as authentication, accessing online services, healthcare, financial transactions, and more.

Design Goals

https://www.w3.org/TR/did-core/#design-goals

DID-Method

Microsoft Entra Verified ID can be used with different DID methods.

The terms "DID:WEB" and "DID:ION" refer to different methods for Decentralized Identifiers (DIDs) or specific implementations related to decentralized identities. Let's take a closer look at both:

DID:WEB:

DID Method: "DID:WEB" is a specific method for decentralized identifiers that focuses on the use of URLs and conventional web technologies for identification.

Functionality: With DID:WEB, a URL is used as an identifier to represent a specific identity. This is particularly useful when the identity is used in a web context, and there's already an accessible URL that can serve as a unique identifier. The DID method specifies how the identity is structured within the URL and how it's resolved.

Example: A DID:WEB might look like this: "did:web:example.com:alice".
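
The mapping from a did:web identifier to the URL of its DID document, as an added example that is not part of the original article. It follows the resolution steps of the did:web method specification (colons become path separators, a bare domain resolves under /.well-known/, a port is carried as %3A) and rejects identifiers that would yield an unexpected host or path. The function names and the strict character whitelists are assumptions of this example, and the sample document is constructed.

```python
import re
from urllib.parse import unquote

# Conservative whitelists (an assumption of this example, stricter than the spec).
_HOST = re.compile(r"^[a-z0-9]([a-z0-9.-]*[a-z0-9])?(:\d{1,5})?$", re.IGNORECASE)
_SEGMENT = re.compile(r"^[A-Za-z0-9_-][A-Za-z0-9._-]*$")


def did_web_to_url(did: str) -> str:
    """Return the HTTPS URL where the DID document for a did:web DID is hosted."""
    prefix = "did:web:"
    if not did.startswith(prefix):
        raise ValueError("not a did:web identifier")
    host_part, *path = did[len(prefix):].split(":")
    # A port travels percent-encoded (%3A) so it is not read as a path separator.
    host = unquote(host_part)
    if not _HOST.match(host) or ".." in host:
        raise ValueError(f"invalid host in DID: {host!r}")
    for segment in path:
        # Rejects empty segments, "." and "..", and anything with "/" or "%".
        if not _SEGMENT.match(segment):
            raise ValueError(f"invalid path segment in DID: {segment!r}")
    if path:
        return f"https://{host}/{'/'.join(path)}/did.json"
    # A bare domain resolves under the well-known directory.
    return f"https://{host}/.well-known/did.json"


def document_matches(did: str, document: dict) -> bool:
    """A resolver should reject a document whose "id" is not the DID it asked for."""
    return isinstance(document, dict) and document.get("id") == did


if __name__ == "__main__":
    # Constructed sample input: the article's example DID and a minimal document.
    did = "did:web:example.com:alice"
    sample_document = {"id": "did:web:example.com:alice", "verificationMethod": []}
    print(did_web_to_url(did))
    print(document_matches(did, sample_document))
```

Because the trust anchor of did:web is the HTTPS endpoint itself, a verifier should only fetch the returned URL over TLS with certificate validation and compare the document's id before using any key in it.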

DID:ION:

DID Method: "DID:ION" is another method for decentralized identifiers developed by Microsoft and specifically designed for the Azure blockchain platform (ION).

Functionality: ION is a Layer-2 blockchain protocol built on the Bitcoin blockchain. DID:ION utilizes this blockchain to create and manage DIDs. It provides a scalable solution for DIDs built on the proven security of the Bitcoin blockchain.

Example: A DID:ION might look like this: "did:ion:abcdef123456".

The main difference between these two DID methods lies in the underlying technologies and platforms on which they are built. DID:WEB uses URLs and conventional web technologies, while DID:ION is based on the ION blockchain platform, specifically designed for DIDs.

It is quite difficult to understand the differences between WEB and ION. That's why I'll first go into ION and what the whole thing has to do with Bitcoin.

ION & Bitcoin

DID:ION is a specialized method for Decentralized Identifiers (DIDs) developed by Microsoft, built on the Azure blockchain platform called ION (Identity Overlay Network). However, ION is not directly built on the Bitcoin blockchain; it employs a specific technique to leverage the security and decentralization of the Bitcoin blockchain without writing directly to its chain. Here's how DID:ION functions in relation to Bitcoin:

DID Creation: A user or organization can create a decentralized identity (DID) using DID:ION. This DID is created using the "did:ion" DID method and contains a unique identifier.

ION Overlay Network: ION is an overlay network that sits atop the Bitcoin blockchain. It uses the Bitcoin blockchain as a secure anchoring layer to store identity data without storing the actual identity data on the Bitcoin blockchain itself.

Decentralization and Security: ION uses the security and decentralization of the Bitcoin blockchain to ensure that the anchored identity data cannot be modified. However, this data cannot be directly read from the Bitcoin blockchain; reading it is enabled through ION verifications.

Scalability: ION is designed to provide a scalable solution for managing DIDs. Through the overlay network, ION can efficiently handle a larger number of DIDs without overburdening the main blockchain.

Verification: Other parties can verify the identity by utilizing the ION overlay network and verifying the identity without needing to see the actual identity data.

It's important to note that while ION leverages the security and decentralization of the Bitcoin blockchain, it does not directly write to the Bitcoin blockchain. It's more of a two-layer model where the Bitcoin blockchain serves as an anchor for identity data, while the actual identity management and administration occur on the ION overlay network.

https://www.cyberark.com/resources/threat-research-blog/decentralized-identity-attack-surface-part-1

I can only recommend the following page if someone wants to go deeper.

Decentralized Identity Attack Surface – Part 1 (cyberark.com)

In the end you only have to choose one method. Both methods require you to store DID files and they must be available. With ION it is only one JSON file and with WEB there are 2 JSON files.


For production and the way forward, I would recommend setting up did:web for the authority and not did:ion. did:web is GA and is supported with an SLA.


Hopefully Chapter 2 will follow soon. If you have any suggestions or questions, please contact me directly on LinkedIn.


More articles by Kim Weiland