Technical Glossary
A globally unique identifier that its controller creates and proves control over cryptographically, enabling verifiable, decentralized digital identity without a centralized registration authority. A DID is a URI of the form did:<method>:<method-specific-id> that resolves to a DID document listing verification methods (public keys), the verification relationships they serve (authentication, assertionMethod, keyAgreement and others), and service endpoints. The W3C DID Core specification defines the syntax, the data model, and the abstract contract for resolution and dereferencing; the concrete create, read, update, and deactivate operations are specified per DID method, so interoperability depends both on the shared data model and on which methods a given verifier supports. DIDs form the addressing layer for self-sovereign identity systems, verifiable credentials, and decentralized authentication protocols. A DID proves control of a key, not a real-world identity: binding a DID to a person or organization requires credentials issued about it.
A tamper-evident, cryptographically signed credential that a verifier checks with the issuer's published public key (typically obtained by resolving the issuer's DID) rather than by contacting the issuer, which makes proofs of claims about a subject portable and privacy-preserving. The W3C Verifiable Credentials Data Model defines a JSON-LD structure with @context, type, issuer, a validity period, credentialSubject (the claims), and optional credentialStatus and credentialSchema entries, secured either by an embedded Data Integrity proof or by enveloping the credential in a JWS (VC-JOSE-COSE). Selective disclosure is available at the signature level, with BBS signatures or other zero-knowledge schemes that let the holder reveal a subset of the signed attributes, or at the encoding level with hash-based schemes such as SD-JWT that disclose salted claim values individually. Deployed use cases span academic transcripts, professional certifications, healthcare records, and financial identity attestations. A valid signature alone does not make a credential acceptable: the verifier must also check the validity period, the status, and that the issuer is one it trusts for that credential type.
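The hash-based selective disclosure mentioned above, as an added Python example that is not part of the glossary: it follows the SD-JWT construction (salted disclosures, an _sd digest array in the signed payload, a ~-separated presentation) so a holder can reveal one claim while the issuer's signature still covers all of them. The issuer identifier, claims and key are constructed, and HMAC stands in for the asymmetric JWS signature a real issuer would use; a key-binding JWT from the holder, which SD-JWT adds to stop replay of a captured presentation, is omitted.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Stand-in for the issuer's signing key. A real SD-JWT is a JWS signed with an asymmetric
# key (for example ES256); HMAC is used here only so the example runs without third-party
# libraries, and the key itself is a constructed demo value.
ISSUER_KEY = b"constructed-issuer-key-for-demo-only"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_disclosure(name: str, value) -> str:
    """One disclosure: base64url(JSON [salt, claim name, claim value]) with a fresh salt,
    so equal claim values in different credentials do not produce equal digests."""
    salt = b64url(secrets.token_bytes(16))
    return b64url(json.dumps([salt, name, value], separators=(",", ":")).encode())


def disclosure_digest(disclosure: str) -> str:
    """Digest placed in the signed payload's _sd array (SHA-256 over the ASCII disclosure)."""
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def issue(claims: dict) -> tuple[str, list[str]]:
    """Issuer: replace every claim by a salted digest and sign only the digests."""
    disclosures = [make_disclosure(name, value) for name, value in claims.items()]
    payload = {
        "iss": "https://issuer.example",   # constructed issuer identifier
        "_sd_alg": "sha-256",
        "_sd": sorted(disclosure_digest(d) for d in disclosures),  # sorted: order leaks nothing
    }
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    tag = b64url(hmac.new(ISSUER_KEY, body.encode("ascii"), hashlib.sha256).digest())
    return f"{body}.{tag}", disclosures


def present(signed: str, disclosures: list[str], reveal: set[str]) -> str:
    """Holder: attach only the disclosures whose claim name the verifier asked for."""
    chosen = [d for d in disclosures if json.loads(b64url_decode(d))[1] in reveal]
    return "~".join([signed, *chosen]) + "~"


def verify(presentation: str) -> dict:
    """Verifier: check the issuer signature over the digests, then accept a disclosure only
    if its digest is in the signed _sd array. Returns the revealed claims."""
    signed, *parts = presentation.split("~")
    body, tag = signed.split(".")
    expected = b64url(hmac.new(ISSUER_KEY, body.encode("ascii"), hashlib.sha256).digest())
    if not hmac.compare_digest(tag, expected):
        raise ValueError("issuer signature invalid")
    signed_digests = set(json.loads(b64url_decode(body))["_sd"])
    revealed = {}
    for disclosure in filter(None, parts):
        if disclosure_digest(disclosure) not in signed_digests:
            raise ValueError("disclosure is not covered by the issuer signature")
        _salt, name, value = json.loads(b64url_decode(disclosure))
        revealed[name] = value
    return revealed


# Constructed sample: a verifier that only needs nationality receives nothing else.
SAMPLE_CLAIMS = {"given_name": "Ada", "birthdate": "1990-01-01", "nationality": "GB"}
```

The verifier learns the digests of the withheld claims but, because of the per-claim salts, cannot brute-force low-entropy values such as a birthdate from them; the SD-JWT specification also allows decoy digests so the number of claims is hidden too.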
An identity management paradigm in which individuals own, control, and share their personal identity data without depending on a centralized authority or intermediary for storage, verification, or permission. SSI architectures combine decentralized identifiers, verifiable credentials, and holder-controlled wallets or personal data stores to give users granular control over what information is shared with which parties and for how long. The model addresses a structural privacy weakness of federated identity: an identity provider that sits in every login accumulates sensitive personal data and observes where each user authenticates. The principles usually cited for SSI (existence, control, access, transparency, persistence, portability, interoperability, consent, minimization, protection) come from Christopher Allen's 2016 essay "The Path to Self-Sovereign Identity" and inform later governance and standards work. In practice "no intermediary" is relative: verifiers still decide which issuers they trust, and a wallet vendor or DID method operator can become a de facto point of control.
The process of dereferencing a decentralized identifier to retrieve its DID document, which carries the verification methods (public keys), verification relationships, and service endpoints needed for signature checking and secure messaging. Resolution is method-specific: each DID method defines how create, read, update, and deactivate work against its verifiable data registry, whether that is a ledger, a web server (did:web), or nothing at all (did:key, where the document is derived from the identifier itself). The W3C DID Resolution specification standardizes the abstract resolve and dereference functions, their input options, and the metadata returned alongside the document, so clients can be written once against many methods. The Decentralized Identity Foundation's Universal Resolver aggregates per-method drivers behind one endpoint; a remote resolver is a trusted component, since a compromised one can substitute keys, so production verifiers should pin which resolvers they trust, cache with care, and prefer methods whose documents can be integrity-checked by the client.
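The DID URL syntax from the identifier entry and the method-specific resolution described here, as one added Python example that is not part of the glossary. It parses a DID URL following the DID Core grammar and resolves did:key for Ed25519 keys entirely offline, since the key is embedded in the identifier; the multicodec prefix 0xed01 and the multibase prefix z come from the did:key method specification, while the returned document is a plain JsonWebKey2020 form that omits the X25519 keyAgreement entry the method also derives (that needs a curve library). The sample public key is constructed, not a real key.

```python
import base64
import re

# DID URL grammar from W3C DID Core (ABNF), reduced to what this example needs:
#   did-url            = "did:" method-name ":" method-specific-id [path] ["?" query] ["#" fragment]
#   method-name        = 1*( lowercase letter / digit )
#   method-specific-id = *( *idchar ":" ) 1*idchar     ; may contain ':' but not end with one
#   idchar             = ALPHA / DIGIT / "." / "-" / "_" / pct-encoded
_IDCHAR = r"(?:[A-Za-z0-9._-]|%[0-9A-Fa-f]{2})"
DID_URL_RE = re.compile(
    rf"^did:(?P<method>[a-z0-9]+):(?P<id>(?:{_IDCHAR}*:)*{_IDCHAR}+)"
    r"(?P<path>/[^?#]*)?(?:\?(?P<query>[^#]*))?(?:#(?P<fragment>.*))?$"
)


def parse_did_url(did_url: str) -> dict:
    m = DID_URL_RE.match(did_url)
    if not m:
        raise ValueError(f"not a valid DID URL: {did_url!r}")
    parts = m.groupdict()
    parts["did"] = f"did:{parts['method']}:{parts['id']}"   # the bare DID without path/query/fragment
    return parts


# base58btc, the multibase encoding did:key uses (multibase prefix character 'z').
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = _B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + _B58.index(ch)          # ValueError on characters outside the alphabet
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * (len(text) - len(text.lstrip("1"))) + body


ED25519_PUB = bytes([0xED, 0x01])   # multicodec ed25519-pub (0xed) as an unsigned varint


def did_key_from_ed25519(public_key: bytes) -> str:
    if len(public_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return "did:key:z" + b58encode(ED25519_PUB + public_key)


def resolve_did_key(did_url: str) -> dict:
    """Resolve did:key offline: the DID document is derived from the identifier itself."""
    parts = parse_did_url(did_url)
    if parts["method"] != "key":
        raise ValueError("only did:key is resolved locally in this example")
    multibase = parts["id"]
    if not multibase.startswith("z"):
        raise ValueError("did:key identifiers must be base58btc multibase ('z')")
    raw = b58decode(multibase[1:])
    if len(raw) != 34 or raw[:2] != ED25519_PUB:
        raise ValueError("unsupported key type (only ed25519-pub is handled here)")
    did = f"did:key:{multibase}"
    vm_id = f"{did}#{multibase}"
    x = base64.urlsafe_b64encode(raw[2:]).rstrip(b"=").decode("ascii")
    return {
        "@context": ["https://www.w3.org/ns/did/v1",
                     "https://w3id.org/security/suites/jws-2020/v1"],
        "id": did,
        "verificationMethod": [{"id": vm_id, "type": "JsonWebKey2020", "controller": did,
                                "publicKeyJwk": {"kty": "OKP", "crv": "Ed25519", "x": x}}],
        "authentication": [vm_id],
        "assertionMethod": [vm_id],
        "capabilityInvocation": [vm_id],
        "capabilityDelegation": [vm_id],
        # keyAgreement omitted: did:key derives an X25519 key for it, which needs a curve library.
    }


# Constructed sample key bytes (not a real key pair); real keys come from an Ed25519 keygen.
SAMPLE_PUBLIC_KEY = bytes(range(32))
```

Because the document is a pure function of the identifier, did:key cannot be rotated or deactivated: a compromised key means a new DID. That is the trade-off against ledger- or web-backed methods, where the update operation exists but the resolver becomes part of the trust base.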
A software application that stores, manages, and presents digital credentials on behalf of the holder and acts as the holder's agent in self-sovereign identity interactions. A wallet generates and protects the holder's private keys, receives verifiable credentials from issuers, and builds verifiable presentations for relying parties under user consent and selective-disclosure controls. Interoperability comes from adhering to the W3C credential formats, DIDComm messaging, and the OpenID for Verifiable Credentials specifications (OpenID4VCI and OpenID4VP, earlier drafts of which carried the OIDC4VC name) for issuance and presentation flows. Mobile wallets increasingly keep keys in hardware-backed secure enclaves (Android Keystore with StrongBox, Apple's Secure Enclave) and gate their use with biometric or PIN unlock; the enclave protects the key from extraction, not from misuse by a compromised app process, so wallet code and the consent UI remain part of the trusted computing base.
An authentication method that uses physiological or behavioral characteristics such as fingerprints, facial geometry, iris patterns, or voice to verify an individual. Modern systems extract a feature template and match it against an enrolled template; templates are not raw images, but they remain sensitive personal data (template inversion attacks can reconstruct usable samples) and, unlike passwords, cannot be rotated after a breach, which is why on-device matching is preferred over central template databases. FIDO2 and WebAuthn use biometrics this way: the platform authenticator matches locally and only asserts a user-verified (UV) flag, signed with a per-site credential key, so the relying party never receives biometric data. NIST SP 800-63B accordingly permits biometrics only as one factor bound to a physical authenticator, not as a standalone factor. Performance testing and accuracy metrics (false match and false non-match rates) are defined in ISO/IEC 19795, presentation attack detection (spoofing with photos, masks, or replayed samples) in ISO/IEC 30107, and NIST SP 800-76 specifies biometric data formats and requirements for PIV credentials.
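The relying-party side of a WebAuthn assertion, as an added Python example that is not part of the glossary: it parses authenticatorData and checks the rpIdHash, the user-presence and user-verification flags, and the signature counter, which is all the server ever learns about the biometric match. The RP ID login.example and the authenticatorData bytes are constructed; verifying the signature over authenticatorData || sha256(clientDataJSON) with the credential public key is assumed to happen in a separate step.

```python
import hashlib
import struct

RP_ID = "login.example"   # hypothetical relying party ID

FLAG_UP = 0x01   # user present (a touch or similar gesture)
FLAG_UV = 0x04   # user verified: biometric or PIN matched on the authenticator itself
FLAG_AT = 0x40   # attested credential data follows (registration responses only)
FLAG_ED = 0x80   # extension data follows


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the fixed 37-byte prefix: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    flags = auth_data[32]
    return {
        "rpIdHash": auth_data[:32],
        "flags": flags,
        "signCount": struct.unpack(">I", auth_data[33:37])[0],
        "up": bool(flags & FLAG_UP),
        "uv": bool(flags & FLAG_UV),
        "at": bool(flags & FLAG_AT),
        "ed": bool(flags & FLAG_ED),
    }


def check_assertion(auth_data: bytes, rp_id: str, stored_count: int, require_uv: bool) -> dict:
    """Relying-party checks on an authentication assertion's authenticatorData. The signature
    check with the credential's public key is assumed to be done separately."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rpIdHash"] != hashlib.sha256(rp_id.encode("utf-8")).digest():
        raise ValueError("rpIdHash mismatch: assertion was produced for a different RP ID")
    if not parsed["up"]:
        raise ValueError("user presence flag not set")
    if require_uv and not parsed["uv"]:
        raise ValueError("user verification required but UV flag not set")
    # Counter rule from the WebAuthn spec: if either value is non-zero, the new count must be
    # strictly greater than the stored one; otherwise a cloned authenticator may be in play.
    if (parsed["signCount"] or stored_count) and parsed["signCount"] <= stored_count:
        raise ValueError("signature counter did not increase: possible cloned authenticator")
    return parsed


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed authenticatorData, standing in for bytes a real authenticator would emit."""
    return (hashlib.sha256(rp_id.encode("utf-8")).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))
```

Whether to demand UV is a relying-party policy (the userVerification option in the request); a server that sets it to "preferred" but then treats the assertion as two-factor must check the UV bit, or a stolen device with a PIN-less credential passes as biometric login.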
A cryptographic protocol that lets an identity holder prove a statement about attributes (a predicate such as "born before 2006" or "nationality in the EU") without revealing the attribute values, for example proving age eligibility without disclosing the date of birth. Constructions include zk-SNARKs over circuits that evaluate the predicate, BBS signatures that let a holder prove possession of an issuer signature over hidden messages, and Pedersen commitments with sigma-protocol proofs (Schnorr-style, made non-interactive with the Fiat-Shamir transform) for equality, set-membership, and range statements. The verifier learns only that the statement holds, plus whatever the proof is bound to (a nonce or audience, which must be included so a proof cannot be replayed elsewhere). These mechanisms implement the data-minimization principle of GDPR (Article 5(1)(c)) at the cryptographic level, and combined with verifiable credentials they move from attribute-level selective disclosure to predicate-level disclosure. A zero-knowledge proof shows what the credential says, not that it is still valid: revocation status and issuer trust need separate checks.
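An added worked example in Python, not from the glossary, of the Pedersen commitment plus sigma-protocol approach: the holder commits to a birth year and produces a Cramer-Damgard-Schoenmakers OR-proof that the committed year lies in an allowed set, without revealing which year it is. The group is a deterministically found 64-bit safe prime (toy size, chosen for readability, not for security), the birth year and the 2006 cutoff are constructed sample data, and a production scheme would additionally bind the commitment to an issuer signature (BBS, for instance) and the proof to a verifier-chosen nonce.

```python
import hashlib
import secrets

# Toy group parameters: a 64-bit safe prime p = 2q + 1 found deterministically below. Far too
# small for real use (production needs a 2048-bit+ group or an elliptic curve); the size keeps
# the arithmetic readable.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)   # deterministic Miller-Rabin, n < 3.3e24


def is_prime(n: int) -> bool:
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(start: int) -> int:
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


P = find_safe_prime(1 << 63)
Q = (P - 1) // 2                      # prime order of the subgroup we work in
G = pow(2, 2, P)                      # a square, hence of order Q
# Second generator derived by hashing so no party knows log_G(H). In a toy-sized group that
# discrete log is computable, one more reason these parameters are illustrative only.
H = pow(int.from_bytes(hashlib.sha256(b"pedersen-second-generator").digest(), "big") % P, 2, P)


def commit(value: int, blinding: int) -> int:
    """Pedersen commitment C = G^value * H^blinding (mod P): hiding and binding."""
    return pow(G, value, P) * pow(H, blinding, P) % P


def fiat_shamir(*elements: int) -> int:
    data = b"".join(e.to_bytes(16, "big") for e in elements)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove_membership(value: int, blinding: int, allowed: list[int]) -> list[tuple[int, int]]:
    """OR-proof (Cramer-Damgard-Schoenmakers) that the commitment opens to some element of
    `allowed`. For the true index we run a real Schnorr proof of knowledge of `blinding` for
    C / G^value = H^blinding; for every other index we simulate an accepting transcript."""
    c_commit = commit(value, blinding)
    j = allowed.index(value)            # raises ValueError when the predicate is false
    n = len(allowed)
    cs, zs, announcements = [0] * n, [0] * n, [0] * n
    w = secrets.randbelow(Q)
    for i, s in enumerate(allowed):
        ratio = c_commit * pow(pow(G, s, P), P - 2, P) % P      # C / G^s, equals H^blinding iff value == s
        if i == j:
            announcements[i] = pow(H, w, P)
        else:
            cs[i], zs[i] = secrets.randbelow(Q), secrets.randbelow(Q)
            announcements[i] = pow(H, zs[i], P) * pow(ratio, Q - cs[i], P) % P
    c = fiat_shamir(c_commit, *announcements)
    cs[j] = (c - sum(cs)) % Q           # cs[j] is still 0, so sum(cs) is the simulated challenges
    zs[j] = (w + cs[j] * blinding) % Q
    return list(zip(cs, zs))


def verify_membership(c_commit: int, allowed: list[int], proof: list[tuple[int, int]]) -> bool:
    if len(proof) != len(allowed):
        return False
    announcements = []
    for s, (ci, zi) in zip(allowed, proof):
        ratio = c_commit * pow(pow(G, s, P), P - 2, P) % P
        announcements.append(pow(H, zi, P) * pow(ratio, Q - ci, P) % P)
    return sum(ci for ci, _ in proof) % Q == fiat_shamir(c_commit, *announcements)


# Constructed sample predicate: "born in 2006 or earlier". The cutoff year is an assumption;
# a real policy compares full dates and the verifier supplies the allowed set.
ALLOWED_BIRTH_YEARS = list(range(1900, 2007))
```

The proof size grows linearly with the allowed set, which is fine for a hundred years but not for a large range; real range proofs (Bulletproofs) or BBS-based predicate proofs are logarithmic or constant size. The verifier must also be the one to choose the allowed set and should fold its nonce into the Fiat-Shamir hash, otherwise the holder can precompute proofs and replay them.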
A transport-agnostic encrypted messaging protocol for parties identified by DIDs that needs no centralized messaging provider. DIDComm v2 messages are JSON (JWM) envelopes secured with JOSE: anoncrypt (ECDH-ES) encrypts to the recipient's keyAgreement keys taken from its DID document, authcrypt (ECDH-1PU) additionally authenticates the sender, and an optional JWS layer adds non-repudiable signatures where a protocol needs them. Because confidentiality and sender authentication come from the envelope rather than the transport, the same message can travel over HTTP, WebSocket, Bluetooth, or a mediator's queue. The specification defines message structure (id, type, from, to, thid, pthid, body), routing through mediators with forward messages that hide the final recipient from intermediaries, threading, and attachments, on which higher-level protocols such as credential issuance, presentation exchange, and out-of-band invitations are built. The Decentralized Identity Foundation maintains the DIDComm v2 specification. One caveat: authcrypt proves that the sender controls a key listed for a DID, not that the DID belongs to the party you expect; pairing a DID with an out-of-band introduction or a credential is still required.
The mechanism by which an issuer invalidates a previously issued credential so that verifiers reject it from then on, ideally without the issuer learning which credential is being checked and without exposing the status of other holders. Approaches include status list bitmaps, cryptographic accumulators, and on-chain revocation registries, with different trade-offs in privacy, scale, and verification latency. The W3C Bitstring Status List specification encodes one bit (or a small fixed-width field) per credential in a GZIP-compressed, base64url-encoded bitstring of at least 131,072 entries, published as its own verifiable credential; each issued credential carries a credentialStatus entry naming the list and an index into it, and a verifier downloads the whole list, so the issuer learns only that some list was fetched, not which credential was verified (herd privacy). The list credential must itself be signature-checked and fetched from the issuer-controlled URL it names, and an index beyond the list length or an unreachable list is a verification failure, not "not revoked". Timely revocation matters because credentials may have been issued under a compromised key, may lose validity (a licence withdrawn), or may turn out to rest on false identity proofing.
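The bitstring approach end to end, as an added Python example that is not part of the glossary: the issuer builds and encodes a list, each credential gets a BitstringStatusListEntry, and the verifier decodes the list and reads one bit. The bit order (index 0 is the most significant bit of byte 0), the GZIP plus multibase base64url encoding with the u prefix, and the minimum list size follow the Bitstring Status List specification; the list URL, issuer DID and indices are constructed, and the signature check on the list credential is assumed to happen before is_revoked is called.

```python
import base64
import gzip

MIN_BITS = 131_072   # spec minimum list size (16 KiB) so that one entry hides among many


def encode_list(bits: bytes) -> str:
    """encodedList value: multibase base64url (no padding, 'u' prefix) of the GZIP-compressed bitstring."""
    compressed = gzip.compress(bits, mtime=0)
    return "u" + base64.urlsafe_b64encode(compressed).rstrip(b"=").decode("ascii")


def decode_list(encoded: str) -> bytes:
    if not encoded.startswith("u"):
        raise ValueError("encodedList must be multibase base64url ('u')")
    body = encoded[1:]
    return gzip.decompress(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


def set_bit(bits: bytearray, index: int, value: bool) -> None:
    byte, offset = divmod(index, 8)
    mask = 0x80 >> offset           # index 0 is the most significant bit of byte 0
    bits[byte] = (bits[byte] | mask) if value else (bits[byte] & ~mask & 0xFF)


def get_bit(bits: bytes, index: int) -> bool:
    byte, offset = divmod(index, 8)
    if index < 0 or byte >= len(bits):
        raise ValueError("statusListIndex outside the list: a range error, not a valid status")
    return bool(bits[byte] & (0x80 >> offset))


def issue_status_list(revoked: set[int], list_url: str) -> dict:
    """Issuer: publish the list as its own verifiable credential (to be signed like any other)."""
    bits = bytearray(MIN_BITS // 8)
    for index in revoked:
        set_bit(bits, index, True)
    return {
        "@context": ["https://www.w3.org/ns/credentials/v2"],
        "id": list_url,
        "type": ["VerifiableCredential", "BitstringStatusListCredential"],
        "issuer": "did:example:issuer",          # constructed
        "credentialSubject": {
            "id": f"{list_url}#list",
            "type": "BitstringStatusList",
            "statusPurpose": "revocation",
            "encodedList": encode_list(bytes(bits)),
        },
    }


def status_entry(list_url: str, index: int) -> dict:
    """credentialStatus entry placed in an issued credential (statusListIndex is a string)."""
    return {"id": f"{list_url}#{index}", "type": "BitstringStatusListEntry",
            "statusPurpose": "revocation", "statusListIndex": str(index),
            "statusListCredential": list_url}


def is_revoked(credential: dict, status_list_credential: dict) -> bool:
    """Verifier side. Assumes the caller already verified the status list credential's own
    signature and fetched it from the URL named in the entry: a forged or stale list is the
    obvious way to resurrect a revoked credential."""
    entry = credential["credentialStatus"]
    subject = status_list_credential["credentialSubject"]
    if entry["type"] != "BitstringStatusListEntry" or subject["type"] != "BitstringStatusList":
        raise ValueError("unexpected status types")
    if entry["statusPurpose"] != subject["statusPurpose"]:
        raise ValueError("statusPurpose of entry and list differ")
    if entry["statusListCredential"] != status_list_credential["id"]:
        raise ValueError("entry points at a different status list credential")
    return get_bit(decode_list(subject["encodedList"]), int(entry["statusListIndex"]))


LIST_URL = "https://issuer.example/status/3"     # constructed list location
```

Issuers should assign indices randomly rather than sequentially, otherwise the index leaks issuance order, and should keep the list's maximum age short (HTTP caching headers) so a verifier's cached copy cannot hide a recent revocation for long.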
A family of OpenID Foundation specifications, now published as OpenID for Verifiable Credentials (the older OIDC4VC name survives in some deployments), that carries credential issuance and presentation over OAuth 2.0 and OpenID Connect flows so that existing authorization servers, client libraries, and user experiences can be reused. OpenID4VCI (issuance) lets a wallet obtain credentials through an authorization-code or pre-authorized-code grant, with a proof-of-possession JWT that binds the credential to a wallet key; OpenID4VP (presentation) lets a verifier send an authorization request whose presentation_definition (DIF Presentation Exchange) or DCQL query states which credentials it needs and receive a VP Token in response; SIOPv2 lets the wallet act as a self-issued OpenID provider so the user authenticates with a key they control rather than an account at a third party. The same request and response shapes work across credential formats (W3C VCs as JSON-LD or JWT, SD-JWT VC, ISO mdoc), which is why the family underpins the EU Digital Identity Wallet architecture. The usual OAuth pitfalls apply, plus one specific to presentations: the verifier's request must be authenticated (signed request objects, registered client metadata), or a phishing site can induce a wallet to present credentials to it.
A governance structure establishing the rules, policies, and technical standards that govern participant roles, credential schemas, assurance levels, and liability boundaries within a digital identity ecosystem. A trust framework defines which issuers may issue which credential types, what verification procedures are required, and how disputes and revocations are handled; technically this usually materializes as a trust registry or trusted-issuer list that wallets and verifiers consult, so its integrity and its update process are as security-critical as any signing key. Government-backed frameworks such as the EU's eIDAS 2.0 (Regulation (EU) 2024/1183, which establishes the European Digital Identity Wallet) and industry efforts such as the Trust Over IP Foundation's layered model span technical, operational, and legal requirements. Interoperability between frameworks enables cross-border and cross-sector recognition through mutual recognition agreements and mappings between assurance levels.
A DIF specification defining how a verifier states what it needs (a presentation_definition made of input_descriptors, each with constraints on fields addressed by JSONPath and filtered with JSON Schema) and how a holder answers (a presentation_submission whose descriptor_map says which credential in the presentation satisfies which descriptor). A verifier can thereby require specific credential types, issuers, attributes, and value constraints, and a wallet can evaluate the request against its credentials and construct a compliant presentation, applying limited disclosure where the credential format supports it. The specification is format-agnostic and works with JWT, JSON-LD, SD-JWT, and mdoc credentials; OpenID4VP carries it as the presentation_definition parameter. It is the middleware layer for automated verification workflows in healthcare, finance, education, and government use cases. One practical rule: the verifier must re-evaluate every constraint against the credentials it actually received rather than trusting the holder's descriptor_map, which is holder-supplied data.
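Both sides of a presentation exchange, as an added Python example that is not part of the glossary and that also stands in for the presentation_definition carried by OpenID4VP in the previous entry: a wallet evaluates a presentation_definition against its credentials and builds the presentation and presentation_submission, and the verifier re-checks the constraints instead of trusting the descriptor_map. The JSONPath and JSON Schema support is the small subset typical descriptors use, and the definition, the two credentials and their issuers are constructed (credential signatures are omitted; checking them is a separate step).

```python
import re

_PATH_RE = re.compile(r"^\$(?:\.[A-Za-z_][A-Za-z0-9_]*|\[\d+\])*$")
_TOKEN_RE = re.compile(r"\.([A-Za-z_][A-Za-z0-9_]*)|\[(\d+)\]")
_MISSING = object()


def json_path(obj, path: str) -> list:
    """Minimal JSONPath: '$' root, '.name' members, '[n]' indexes. Returns [] when absent."""
    if not _PATH_RE.match(path):
        raise ValueError(f"unsupported JSONPath: {path!r}")
    current = obj
    for name, index in _TOKEN_RE.findall(path):
        try:
            current = current[name] if name else current[int(index)]
        except (KeyError, IndexError, TypeError):
            return []
    return [current]


def matches_filter(value, flt: dict) -> bool:
    """The JSON Schema subset that input_descriptor filters usually need."""
    kinds = {"string": lambda v: isinstance(v, str),
             "number": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
             "array": lambda v: isinstance(v, list),
             "object": lambda v: isinstance(v, dict)}
    if "type" in flt and not kinds.get(flt["type"], lambda v: True)(value):
        return False
    if "const" in flt and value != flt["const"]:
        return False
    if "enum" in flt and value not in flt["enum"]:
        return False
    if "pattern" in flt and not (isinstance(value, str) and re.search(flt["pattern"], value)):
        return False
    if "contains" in flt and not (isinstance(value, list)
                                  and any(matches_filter(v, flt["contains"]) for v in value)):
        return False
    return True


def satisfies(credential: dict, descriptor: dict) -> bool:
    """Each non-optional field must resolve (first path that yields a value wins) and pass its filter."""
    for field in descriptor.get("constraints", {}).get("fields", []):
        found = next((v for p in field["path"] for v in json_path(credential, p)), _MISSING)
        if found is _MISSING:
            if field.get("optional"):
                continue
            return False
        if "filter" in field and not matches_filter(found, field["filter"]):
            return False
    return True


def build_presentation(definition: dict, wallet: list[dict]) -> tuple[dict, dict]:
    """Holder: pick one credential per input_descriptor; descriptor_map paths index the presentation."""
    selected, descriptor_map = [], []
    for descriptor in definition["input_descriptors"]:
        match = next((c for c in wallet if satisfies(c, descriptor)), None)
        if match is None:
            raise ValueError(f"no credential satisfies input descriptor {descriptor['id']!r}")
        if match not in selected:
            selected.append(match)
        descriptor_map.append({"id": descriptor["id"], "format": "ldp_vc",
                               "path": f"$.verifiableCredential[{selected.index(match)}]"})
    presentation = {"@context": ["https://www.w3.org/ns/credentials/v2"],
                    "type": ["VerifiablePresentation"], "verifiableCredential": selected}
    submission = {"id": "submission-1", "definition_id": definition["id"],
                  "descriptor_map": descriptor_map}
    return presentation, submission


def verify_submission(definition: dict, presentation: dict, submission: dict) -> bool:
    """Verifier: follow the holder's descriptor_map but re-check every constraint itself."""
    if submission["definition_id"] != definition["id"]:
        return False
    by_id = {d["id"]: d for d in definition["input_descriptors"]}
    covered = set()
    for entry in submission["descriptor_map"]:
        descriptor = by_id.get(entry["id"])
        values = json_path(presentation, entry["path"])
        if descriptor is None or not values or not satisfies(values[0], descriptor):
            return False
        covered.add(entry["id"])
    return covered == set(by_id)


DEFINITION = {   # constructed request: a bachelor's degree from a did:example:uni-* issuer
    "id": "degree-check",
    "input_descriptors": [{"id": "bachelor_degree", "constraints": {"fields": [
        {"path": ["$.type"], "filter": {"type": "array", "contains": {"const": "UniversityDegreeCredential"}}},
        {"path": ["$.issuer.id", "$.issuer"], "filter": {"type": "string", "pattern": "^did:example:uni-"}},
        {"path": ["$.credentialSubject.degree.type"], "filter": {"const": "BachelorDegree"}},
    ]}}],
}
WALLET = [   # constructed credentials
    {"type": ["VerifiableCredential", "DriverLicenceCredential"], "issuer": "did:example:dmv",
     "credentialSubject": {"licenceClass": "B"}},
    {"type": ["VerifiableCredential", "UniversityDegreeCredential"], "issuer": "did:example:uni-tartu",
     "credentialSubject": {"degree": {"type": "BachelorDegree", "name": "BSc Computer Science"}}},
]
```

The issuer field uses two paths because the data model allows issuer to be either a URI string or an object with an id; the first path that yields a value is the one evaluated, which is the specification's rule.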
The process of collecting and verifying enough evidence to establish confidence that an applicant is who they claim to be before issuing credentials or granting access. NIST SP 800-63A defines Identity Assurance Levels IAL1 through IAL3 and the evidence strength, validation, and verification steps each requires: document verification, biometric comparison of the applicant against the document, knowledge-based verification (increasingly restricted by NIST because the answers are often obtainable from breach data), and attestation by a trusted referee. Remote proofing now relies on automated document-authenticity checks, liveness detection during selfie capture, and cross-referencing against authoritative records; the attack pattern to design for is injection, where synthetic or replayed video is fed into the capture pipeline to defeat liveness checks that only inspect the image content. Because every downstream credential and authentication event inherits the assurance of the proofing step, a weak or spoofed proofing process undermines the whole chain regardless of how strong the cryptography above it is.
The protocols and practices governing the creation, storage, rotation, recovery, and revocation of cryptographic keys in decentralized identity systems, where no central authority runs the key lifecycle on the holder's behalf. Implementations combine hierarchical key derivation, multi-device synchronization, social or guardian-based recovery, and threshold cryptography to balance security against the reality that ordinary users lose devices. The DID document is the public side of this PKI: its verificationMethod entries and verification relationships publish the keys currently valid for authentication, assertion, and key agreement, and rotation means updating the document through the DID method's update operation, after which relying parties that resolve the DID stop accepting the old key; whether older signatures remain verifiable depends on the method's support for versioned resolution. NIST SP 800-57 key management guidance and the IETF JOSE specifications inform the algorithms and key representations (JWK) used.
A non-transferable blockchain token bound to a specific wallet address, intended to represent identity attributes, credentials, achievements, and reputation that should not be tradeable between individuals. Soulbound tokens put the provenance of qualifications such as degrees, professional certifications, community membership, and governance participation on-chain. The idea was proposed by Vitalik Buterin in 2022 and elaborated with Glen Weyl and Puja Ohlhaver in "Decentralized Society: Finding Web3's Soul"; ERC-5192 (Minimal Soulbound NFTs) standardizes it as an ERC-721 extension whose locked(tokenId) view reports whether transfers are blocked, with transfers of a locked token reverting. SBTs complement off-chain verifiable credentials by providing publicly auditable, composable identity signals for DeFi governance and decentralized social systems, at the cost of public disclosure (everything the token asserts is visible to everyone), no selective disclosure, and a hard dependency on the bound key: a compromised or lost wallet leaves the token either in the attacker's hands or unrecoverable unless the issuer retained a burn or re-issue right.