
Verified ID


https://identity.foundation

Join us in developing the foundational components of an open, standards-based, decentralized identity ecosystem for people, organizations, apps, and devices.

Using the Microsoft Authenticator with Verified ID: https://learn.microsoft.com/en-us/entra/verified-id/using-authenticator

https://learn.microsoft.com/en-us/entra/verified-id/how-to-opt-out?source=recommendations

https://learn.microsoft.com/en-us/entra/verified-id/decentralized-identifier-overview?source=recommendations

Microsoft is actively collaborating with members of the Decentralized Identity Foundation (DIF), the W3C Credentials Community Group, and the wider identity community. We’ve worked with these groups to identify and develop critical standards, and the following standards have been implemented in our services.

  • DIF Presentation Exchange

Terminology

DID: Decentralized Identifier as per DID

DID Document: DID Document as per DID

SIOP DID: Self-Issued OpenID Connect Provider DID profile. Refers to a specific flavor of DID AuthN used in the OIDC SIOP flow.

JWT: JSON Web Token as per RFC7797

JWE: JSON Web Encryption as per RFC7516

JWS: JSON Web Signature as per RFC7515

JWK: JSON Web Key as per RFC7517

JWKS: JWK Set as per RFC7517

OIDC: OpenID Connect as per the OpenID Connect Core specification

OIDC client: Used synonymously with Relying Party (see RP)

OP: OpenID Provider as per OpenID Connect

SIOP: Self-Issued OpenID Provider as per OpenID Connect

RP: Relying Party, as used in OpenID Connect

Identity Wallet: An Identity Wallet refers to an application that is under the control of, and acts on behalf of, the DID holder. Also known as an identity agent. The Identity Wallet can have different form factors such as a mobile app, browser extension/plugin, etc.

DID AuthN: Refers to a method of proving control over a DID for the purpose of authentication.

Source: https://identity.foundation/did-siop


Terminology

This section is non-normative.

The following terms are used to describe concepts in this specification.

claim: An assertion made about a subject.

credential: A set of one or more claims made by an issuer. A verifiable credential is a tamper-evident credential that has authorship that can be cryptographically verified. Verifiable credentials can be used to build verifiable presentations, which can also be cryptographically verified. The claims in a credential can be about different subjects.

data minimization: The act of limiting the amount of shared data strictly to the minimum necessary to successfully accomplish a task or goal.

decentralized identifier: A portable URL-based identifier, also known as a DID, associated with an entity. These identifiers are most often used in a verifiable credential and are associated with subjects such that a verifiable credential itself can be easily ported from one repository to another without the need to reissue the credential. An example of a DID is did:example:123456abcdef.

decentralized identifier document: Also referred to as a DID document, this is a document that is accessible using a verifiable data registry and contains information related to a specific decentralized identifier, such as the associated repository and public key information.

derived predicate: A verifiable, boolean assertion about the value of another attribute in a verifiable credential. These are useful in zero-knowledge-proof-style verifiable presentations because they can limit information disclosure. For example, if a verifiable credential contains an attribute for expressing a specific height in centimeters, a derived predicate might reference the height attribute in the verifiable credential demonstrating that the issuer attests to a height value meeting the minimum height requirement, without actually disclosing the specific height value. For example, the subject is taller than 150 centimeters.

entity: A thing with distinct and independent existence, such as a person, organization, or device that performs one or more roles in the ecosystem.

graph: A network of information composed of subjects and their relationship to other subjects or data.

holder: A role an entity might perform by possessing one or more verifiable credentials and generating presentations from them. A holder is usually, but not always, a subject of the verifiable credentials they are holding. Holders store their credentials in credential repositories.

identity provider: An identity provider, sometimes abbreviated as IdP, is a system for creating, maintaining, and managing identity information for holders, while providing authentication services to relying party applications within a federation or distributed network. In this case the holder is always the subject. Even if the verifiable credentials are bearer credentials, it is assumed the verifiable credentials remain with the subject, and if they are not, they were stolen by an attacker. This specification does not use this term unless comparing or mapping the concepts in this document to other specifications. This specification decouples the identity provider concept into two distinct concepts: the issuer and the holder.

issuer: A role an entity can perform by asserting claims about one or more subjects, creating a verifiable credential from these claims, and transmitting the verifiable credential to a holder.

presentation: Data derived from one or more verifiable credentials, issued by one or more issuers, that is shared with a specific verifier. A verifiable presentation is a tamper-evident presentation encoded in such a way that authorship of the data can be trusted after a process of cryptographic verification. Certain types of verifiable presentations might contain data that is synthesized from, but do not contain, the original verifiable credentials (for example, zero-knowledge proofs).

repository: A program, such as a storage vault or personal verifiable credential wallet, that stores and protects access to holders' verifiable credentials.

selective disclosure: The ability of a holder to make fine-grained decisions about what information to share.

subject: A thing about which claims are made.

validation: The assurance that a verifiable credential or a verifiable presentation meets the needs of a verifier and other dependent stakeholders. This specification is constrained to verifying verifiable credentials and verifiable presentations regardless of their usage. Validating verifiable credentials or verifiable presentations is outside the scope of this specification.

verifiable data registry: A role a system might perform by mediating the creation and verification of identifiers, keys, and other relevant data, such as verifiable credential schemas, revocation registries, issuer public keys, and so on, which might be required to use verifiable credentials. Some configurations might require correlatable identifiers for subjects. Some registries, such as ones for UUIDs and public keys, might just act as namespaces for identifiers.

verification: The evaluation of whether a verifiable credential or verifiable presentation is an authentic and timely statement of the issuer or presenter, respectively. This includes checking that: the credential (or presentation) conforms to the specification; the proof method is satisfied; and, if present, the status check succeeds. Verification of a credential does not imply evaluation of the truth of claims encoded in the credential.

verifier: A role an entity performs by receiving one or more verifiable credentials, optionally inside a verifiable presentation, for processing. Other specifications might refer to this concept as a relying party.

URI: A Uniform Resource Identifier, as defined by [RFC3986].

https://www.w3.org/TR/vc-data-model





verified_id.txt · Last modified: 2025/02/01 06:23 by 127.0.0.1
