Technical Glossary
Decentralized Identity Infrastructure: The foundational technical stack comprising distributed ledgers, decentralized identifiers, verifiable credentials, and agent protocols that collectively enable self-sovereign identity operations without centralized gatekeepers. Decentralized identity infrastructure provides resolver networks, credential registries, and trust anchors that applications consume through standardized interfaces. AI integration within this infrastructure enables automated credential evaluation, trust graph analysis, and adaptive identity workflows. W3C, DIF, and IETF provide the standards underpinning interoperable decentralized identity infrastructure.
DID Resolution: The process of retrieving a DID document associated with a decentralized identifier by querying the appropriate verifiable data registry or decentralized network. DID resolution returns the DID document containing public keys, authentication methods, and service endpoints required for secure interaction with the DID subject. Resolver implementations may use universal resolver architectures that support multiple DID methods through pluggable drivers. The W3C DID Resolution specification defines the resolution algorithm, metadata structures, and error handling for interoperable DID resolvers.
DID Method: A specification that defines the precise mechanism by which a particular type of decentralized identifier is created, resolved, updated, and deactivated on a specific verifiable data registry. Each DID method specifies its own namespace, CRUD operations, security properties, and trust model tailored to the capabilities of its underlying infrastructure. Methods exist for diverse substrates including public blockchains, peer-to-peer networks, web domains, and IoT device registries. The W3C DID Specification Registries catalogue registered DID methods and their conformance characteristics.
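The two entries above describe resolution in the abstract. The did:key method is the simplest concrete case, because the DID document is derived entirely from the identifier itself rather than fetched from a registry, so a resolver can be written without any network access. The following Python program is an added example, not code from the glossary or from any DID library: it encodes a raw Ed25519 public key as a did:key (multibase base58btc, multicodec prefix 0xed01), then resolves that DID back into a DID document with a verification method, and rejects identifiers whose method, multibase prefix, or key codec it does not handle. The sample key bytes are constructed, and the base58 and multicodec handling is implemented inline from the standard library.

```python
"""Resolve a did:key identifier (Ed25519 only) into a DID document.

Added example, not from the glossary page or any DID library. Uses only
the standard library: base58btc and the multicodec prefix are handled
inline. The DID document shape follows the did:key method. The sample
key bytes below are constructed, not a real keypair.
"""
import hashlib
import json

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ED25519_PUB_CODEC = b"\xed\x01"  # multicodec varint for ed25519-pub (0xed)


def b58encode(data: bytes) -> str:
    """Base58btc encoding; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(text: str) -> bytes:
    """Inverse of b58encode; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def ed25519_did_key(public_key: bytes) -> str:
    """Build the did:key identifier for a raw 32-byte Ed25519 public key."""
    if len(public_key) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    return "did:key:z" + b58encode(ED25519_PUB_CODEC + public_key)


def resolve_did_key(did: str) -> dict:
    """Return the DID document for an Ed25519 did:key, or raise ValueError."""
    prefix = "did:key:"
    if not did.startswith(prefix):
        raise ValueError("not a did:key identifier")
    multibase = did[len(prefix):]
    if not multibase.startswith("z"):
        raise ValueError("did:key requires base58btc multibase ('z') encoding")
    raw = b58decode(multibase[1:])
    if not raw.startswith(ED25519_PUB_CODEC):
        raise ValueError("unsupported key type (only ed25519-pub is handled here)")
    key = raw[len(ED25519_PUB_CODEC):]
    if len(key) != 32:
        raise ValueError("malformed Ed25519 key length")
    # did:key uses the multibase key string itself as the verification-method fragment
    vm_id = f"{did}#{multibase}"
    return {
        "@context": [
            "https://www.w3.org/ns/did/v1",
            "https://w3id.org/security/suites/ed25519-2020/v1",
        ],
        "id": did,
        "verificationMethod": [{
            "id": vm_id,
            "type": "Ed25519VerificationKey2020",
            "controller": did,
            "publicKeyMultibase": multibase,
        }],
        "authentication": [vm_id],
        "assertionMethod": [vm_id],
    }


# Constructed sample key material: 32 deterministic bytes, not a real keypair.
SAMPLE_KEY = hashlib.sha256(b"example did:key material").digest()


if __name__ == "__main__":
    did = ed25519_did_key(SAMPLE_KEY)
    print(json.dumps(resolve_did_key(did), indent=2))
```

Because the document is derived deterministically, every Ed25519 did:key begins with `did:key:z6Mk`; a resolver for a registry-backed method such as did:web or a ledger method would replace `resolve_did_key` with a fetch from the verifiable data registry and keep the same document checks.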
Verifiable Presentation: A tamper-evident packaging of one or more verifiable credentials prepared by a credential holder and cryptographically signed to prove both credential authenticity and holder binding. Verifiable presentations enable selective sharing of credentials with verifiers while proving that the presenter is the legitimate credential subject. The presentation format supports derived credentials, range proofs, and predicate disclosure for privacy-preserving verification scenarios. W3C defines the verifiable presentation data model as a core component of the verifiable credentials ecosystem.
Trust over IP (ToIP) Stack: A layered architecture model developed by the Trust over IP Foundation that defines four distinct layers for establishing digital trust: public utilities, peer-to-peer protocols, credential exchange, and governance frameworks. The ToIP stack provides a comprehensive blueprint for building interoperable decentralized identity ecosystems that combine technical protocols with human governance structures. AI-enabled ToIP implementations leverage automated trust evaluation, policy compliance checking, and dynamic governance adaptation. The Linux Foundation hosts the Trust over IP Foundation as an industry-wide collaboration on digital trust infrastructure.
Self-Issued OpenID Provider (SIOP): An OpenID Connect profile that enables individuals to act as their own identity provider by generating self-issued ID tokens directly from their identity wallet without relying on a third-party provider. SIOP bridges traditional OpenID Connect relying parties with decentralized identity wallets by translating DID-based credentials into standard OIDC token formats. This approach enables incremental adoption of decentralized identity within existing authentication ecosystems. The OpenID Foundation and Decentralized Identity Foundation jointly maintain the SIOP v2 specification for interoperable self-issued authentication.
Revocation Registry: A decentralized data structure that maintains the revocation status of issued verifiable credentials, enabling verifiers to confirm that presented credentials have not been invalidated by their issuer. Revocation registries employ privacy-preserving techniques such as cryptographic accumulators and status list bitmaps to prevent correlation of revocation checks with specific credential holders. AI-driven monitoring systems can trigger automated revocation based on detected fraud indicators or policy violations. W3C specifications define status list and bitstring status list methods for scalable credential revocation.
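The status list bitmap mentioned above is worth seeing end to end, because its privacy property comes from the verifier fetching one large list rather than asking about one credential. The Python program below is an added example written for this glossary, not code from the W3C specification or any issuer implementation. It builds a Bitstring Status List credential (a bitstring of at least 131072 entries, GZIP-compressed and multibase base64url-encoded with the `u` prefix, index 0 being the most significant bit of the first byte), then evaluates a credential's `credentialStatus` entry against it, checking that the entry's purpose and list URL match before reading the bit. The list URL, issuer, and indices are constructed sample values.

```python
"""Issue a Bitstring Status List and check a credential's revocation bit.

Added example, not from the glossary page or from any W3C reference
implementation. Follows the W3C Bitstring Status List encoding: a
bitstring of at least 131072 entries, GZIP-compressed, multibase
base64url ('u' prefix); index 0 is the most significant bit of byte 0.
URLs, issuer and indices below are constructed sample values.
"""
import base64
import gzip

MIN_BITS = 131072  # spec minimum (16 KiB) so one credential hides among many

# Constructed sample identifiers (not real services).
LIST_URL = "https://issuer.example/status/3"
ISSUER = "did:example:issuer-1"


def set_bit(bits: bytearray, index: int, value: int) -> None:
    """Set bit `index` (MSB-first within each byte) to 0 or 1."""
    if index < 0 or index >= len(bits) * 8:
        raise IndexError("statusListIndex outside the list")
    mask = 0x80 >> (index % 8)
    if value:
        bits[index // 8] |= mask
    else:
        bits[index // 8] &= ~mask & 0xFF


def get_bit(bitstring: bytes, index: int) -> int:
    if index < 0 or index >= len(bitstring) * 8:
        raise IndexError("statusListIndex outside the list")
    return (bitstring[index // 8] >> (7 - index % 8)) & 1


def encode_list(bits: bytes) -> str:
    """GZIP then base64url without padding, with the multibase 'u' prefix."""
    compressed = gzip.compress(bytes(bits))
    return "u" + base64.urlsafe_b64encode(compressed).rstrip(b"=").decode("ascii")


def decode_list(encoded: str) -> bytes:
    if not encoded.startswith("u"):
        raise ValueError("encodedList must be multibase base64url ('u' prefix)")
    body = encoded[1:]
    body += "=" * (-len(body) % 4)  # restore padding stripped by the issuer
    return gzip.decompress(base64.urlsafe_b64decode(body))


def build_status_list_credential(revoked_indices, size_bits: int = MIN_BITS) -> dict:
    """Issuer side: one list credential covering `size_bits` issued credentials."""
    bits = bytearray(size_bits // 8)
    for i in revoked_indices:
        set_bit(bits, i, 1)
    return {
        "@context": ["https://www.w3.org/ns/credentials/v2"],
        "id": LIST_URL,
        "type": ["VerifiableCredential", "BitstringStatusListCredential"],
        "issuer": ISSUER,
        "credentialSubject": {
            "id": f"{LIST_URL}#list",
            "type": "BitstringStatusList",
            "statusPurpose": "revocation",
            "encodedList": encode_list(bits),
        },
    }


def status_entry(index: int) -> dict:
    """The credentialStatus block an issuer embeds in credential number `index`."""
    return {
        "id": f"{LIST_URL}#{index}",
        "type": "BitstringStatusListEntry",
        "statusPurpose": "revocation",
        "statusListIndex": str(index),  # the spec carries the index as a string
        "statusListCredential": LIST_URL,
    }


def is_revoked(entry: dict, status_list_credential: dict) -> bool:
    """Verifier side: validate the entry against the fetched list, then read its bit."""
    subject = status_list_credential["credentialSubject"]
    if entry.get("type") != "BitstringStatusListEntry":
        raise ValueError("unsupported credentialStatus type")
    if entry["statusPurpose"] != subject["statusPurpose"]:
        raise ValueError("statusPurpose mismatch between entry and list")
    if entry["statusListCredential"] != status_list_credential["id"]:
        raise ValueError("entry points at a different status list")
    bitstring = decode_list(subject["encodedList"])
    if len(bitstring) * 8 < MIN_BITS:
        raise ValueError("status list shorter than the 131072-entry minimum")
    return get_bit(bitstring, int(entry["statusListIndex"])) == 1


if __name__ == "__main__":
    listing = build_status_list_credential({3, 94567})
    for idx in (3, 94567, 94568):
        print(idx, "revoked" if is_revoked(status_entry(idx), listing) else "valid")
```

In a deployment the verifier would also verify the proof on the list credential before trusting its bits; that signature check is omitted here so the example stays focused on the encoding and the purpose and URL consistency checks.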
KERI (Key Event Receipt Infrastructure): A decentralized key management infrastructure that uses append-only key event logs to establish a cryptographic root of trust for identifiers without requiring a blockchain or distributed ledger. KERI provides self-certifying identifiers with portable key state that can be verified by replaying the key event log against witnessed receipts. This architecture enables ambient verifiability, where any party can independently validate identifier control authority. The IETF is developing KERI as a standards-track protocol for lightweight, ledger-agnostic decentralized identity infrastructure.
Identity Hub: A personal data storage service associated with a decentralized identifier that enables secure storage, discovery, and sharing of identity-related data with authorized parties through permissioned access interfaces. Identity hubs provide encrypted data vaults where credential holders store verifiable credentials, personal data objects, and application state with fine-grained access control policies. Hubs replicate data across multiple instances for availability while maintaining owner-controlled encryption for privacy. The Decentralized Identity Foundation specifies the Identity Hub protocol for interoperable personal data management.
Governance Framework: A documented set of rules, policies, and procedures that govern the operations, trust decisions, and liability assignments within a decentralized identity ecosystem. Governance frameworks define participant roles, credential schemas, assurance levels, compliance requirements, and dispute resolution mechanisms for identity network operation. AI-assisted governance enables automated policy enforcement, compliance monitoring, and dynamic trust assessment across federated identity networks. The Trust over IP Foundation publishes metamodel specifications for composable governance framework design.
Decentralized Web Node (DWN): A mesh-networked personal data storage and messaging node that enables individuals and organizations to store, replicate, and exchange data using decentralized identifiers for authentication and authorization. Decentralized web nodes replace centralized data silos with user-controlled data instances that synchronize across devices and cloud endpoints while maintaining owner-managed access permissions. DWN protocols support structured data collections, file storage, and protocol-specific message handling for diverse identity applications. The Decentralized Identity Foundation develops the DWN specification as an evolution of identity hub concepts.
SPIFFE (Secure Production Identity Framework for Everyone): A set of open-source standards for providing cryptographic identity to workloads in dynamic, heterogeneous computing environments including containers, virtual machines, and serverless functions. SPIFFE defines a URI-based identity format and X.509 certificate issuance mechanism that enables zero-trust authentication between microservices without application-level credential management. The SPIRE runtime implementation automates workload attestation, certificate rotation, and trust bundle distribution at scale. The Cloud Native Computing Foundation hosts SPIFFE as a graduated project for production workload identity.
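The URI-based identity format is where most SPIFFE authorization bugs start, because a service that compares SPIFFE IDs as plain strings can be fooled by case, dot segments, or a trailing slash. The Python program below is an added example for this glossary, not code from the SPIFFE or SPIRE projects. It parses a SPIFFE ID into its trust domain and path according to the SPIFFE-ID standard's syntax rules (scheme `spiffe`; trust domain of lowercase letters, digits, `.`, `-` and `_`; path segments of letters, digits, `.`, `-` and `_` with no empty, `.` or `..` segments and no trailing slash; no port, userinfo, query or fragment; at most 2048 characters) and then applies a segment-aware allow-list policy of the kind a server would enforce on the SPIFFE ID found in a peer's X.509-SVID. The trust domains and workload paths are constructed sample values.

```python
"""Parse, validate and authorize SPIFFE IDs.

Added example, not from the glossary page or from the SPIFFE/SPIRE
projects. Syntax rules follow the SPIFFE-ID standard. The trust domains
and workload paths below are constructed sample values.
"""
import re
from dataclasses import dataclass

TRUST_DOMAIN_RE = re.compile(r"^[a-z0-9._-]+$")   # lowercase only, no port or userinfo
SEGMENT_RE = re.compile(r"^[A-Za-z0-9._-]+$")     # '?', '#', '%', '@', ':' all rejected
MAX_LEN = 2048


@dataclass(frozen=True)
class SpiffeId:
    trust_domain: str
    path: str  # "" for a trust-domain-only ID, otherwise "/seg/seg..."

    def __str__(self) -> str:
        return f"spiffe://{self.trust_domain}{self.path}"


def parse_spiffe_id(uri: str) -> SpiffeId:
    """Strict parser: raises ValueError on anything the standard forbids."""
    if len(uri) > MAX_LEN:
        raise ValueError("SPIFFE ID longer than 2048 characters")
    scheme = "spiffe://"
    if not uri.startswith(scheme):
        raise ValueError("scheme must be 'spiffe'")
    rest = uri[len(scheme):]
    trust_domain, sep, path = rest.partition("/")
    if not TRUST_DOMAIN_RE.match(trust_domain):
        raise ValueError(f"invalid trust domain {trust_domain!r}")
    if sep == "":
        return SpiffeId(trust_domain, "")
    if path == "":
        raise ValueError("trailing slash not allowed")
    for seg in path.split("/"):
        if seg == "":
            raise ValueError("empty path segment")
        if seg in (".", ".."):
            raise ValueError("dot segments not allowed")
        if not SEGMENT_RE.match(seg):
            raise ValueError(f"invalid path segment {seg!r}")
    return SpiffeId(trust_domain, "/" + path)


def path_under(path: str, prefix: str) -> bool:
    """Segment-aware prefix match: '/ns/prod' covers '/ns/prod/x' but not '/ns/production'."""
    return path == prefix or path.startswith(prefix + "/")


def authorize(peer_id: str, local_trust_domain: str, allowed_prefixes) -> bool:
    """Server-side policy on the SPIFFE ID carried in a peer's X.509-SVID.

    Deny anything unparsable, anything from a foreign trust domain, and any
    path outside the allowed prefixes. Returns True only on an explicit match.
    """
    try:
        sid = parse_spiffe_id(peer_id)
    except ValueError:
        return False
    if sid.trust_domain != local_trust_domain:
        return False
    return any(path_under(sid.path, p) for p in allowed_prefixes)


if __name__ == "__main__":
    # Constructed sample workloads in the constructed trust domain example.org.
    policy = ["/ns/prod"]
    for peer in ("spiffe://example.org/ns/prod/sa/frontend",
                 "spiffe://example.org/ns/production/sa/frontend",
                 "spiffe://Example.org/ns/prod/sa/frontend",
                 "spiffe://other.org/ns/prod/sa/frontend"):
        print(peer, "->", "allow" if authorize(peer, "example.org", policy) else "deny")
```

Note that the parser rejects an uppercase trust domain outright rather than lowercasing it: the standard defines trust domains as lowercase, and normalizing at the policy point would mean accepting SVIDs that the issuing authority would never have minted.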
Credential Exchange Protocol: A standardized protocol defining the message formats, workflows, and security requirements for requesting, presenting, and verifying credentials between issuers, holders, and verifiers in decentralized identity systems. Exchange protocols support various presentation patterns including proof requests with predicate constraints, credential manifests for issuance, and presentation submission formats. AI-enabled exchange systems can automatically select appropriate credentials, evaluate disclosure requirements, and negotiate trust terms during verification. The Decentralized Identity Foundation and W3C define complementary exchange protocol specifications.
Blockchain Anchoring: The practice of recording cryptographic hashes or state commitments from identity operations onto a blockchain to create an immutable, timestamped audit trail for decentralized identity events. Blockchain anchoring provides tamper-evident proof of DID creation, key rotation, credential issuance, and revocation events without storing personal data on-chain. Layer-2 solutions batch multiple identity operations into single blockchain transactions to reduce cost and improve throughput. IEEE and ACM research evaluates the security guarantees and scalability tradeoffs of various blockchain anchoring approaches for identity systems.
Agent-Mediated Credential Exchange: A paradigm where autonomous AI agents negotiate, present, and verify identity credentials on behalf of their principals using decentralized identity protocols and secure messaging channels. Agent-mediated exchange enables automated trust establishment between parties by programmatically evaluating credential sufficiency, checking revocation status, and enforcing disclosure policies. This capability is essential for machine-to-machine identity scenarios where real-time credential verification must occur without human intervention. DIDComm and Aries protocol specifications provide the messaging infrastructure for agent-mediated credential exchange workflows.