| 1 | +# W3ID |
| 2 | + |
| 3 | +The metastate ecosystem has the only 1 type of identifiers, W3ID (did:w3id protocol, defined below) for all types of entities, e.g.. |
| 4 | + |
| 5 | + |
| 6 | + |
| 7 | +## Where is it used |
| 8 | + |
| 9 | +### _Users & Groups_ |
| 10 | + |
| 11 | +Users and groups would have a persistent, unchanging identifier which is referred to as Web 3 Identifier |
| 12 | +In case of a person, the W3ID is the life-long anchor which connects keys and the physical essence of a person. It is represented on the diagram below |
| 13 | +(1-2 relations) personal W3ID and personal keys via eID certificate from PKI |
| 14 | +(2-3 relations) personal W3ID and body characteristics, physical passport and friends. |
| 15 | + |
| 16 | +### _Mobile Devices (or Device ID)_: |
| 17 | + |
| 18 | +Mobile devices would use a persistent (within the lifetime of the device) W3ID identifier within the ecosystem. |
| 19 | +eVault: An eVault would use its own unique W3ID, which is not shared with a user, but rather is used internally to sync data between clone eVaults and used internally by an eVault hosting provider. |
| 20 | + |
| 21 | +### _W3 Envelope_ |
| 22 | + |
| 23 | +W3 Envelope would use a W3ID, which is globally unique, and this W3ID would be used in the W3ID URI scheme to retrieve a envelope. |
| 24 | + |
| 25 | +## Technical Requirements and Guarantees: |
| 26 | + |
| 27 | +- The identity must be globally persistent, and unique. |
| 28 | +- The identity must exist on a namespace with more range higher than 10^22 |
| 29 | +- The identity must support rotation of secrets and must only be loosely bound to keys |
| 30 | +- The identity must be loosely tied to a passport in form of binding document |
| 31 | + |
| 32 | +## W3ID URI Scheme |
| 33 | + |
| 34 | +### W3ID URI format: |
| 35 | + |
| 36 | +`w3id://<UUID in HEX>` (case insensitive, like any URI) formed by the rules of RFC4122. In particular, the number and positioning of the dashes in the string is mandatory! |
| 37 | +UUID range is 2^122 or 15 orders larger than expected amount of IDs (10^22) therefore it fits the purpose perfectly. |
| 38 | + |
| 39 | +### Example: |
| 40 | + |
| 41 | +`w3id://e4d909c2-5d2f-4a7d-9473-b34b6c0f1a5a` |
| 42 | +If a local ID is needed, it is added after “/”, also as UUID range e.g.: |
| 43 | +`w3id://e4d909c2-5d2f-4a7d-9473-b34b6c0f1a5a/f2a6743e-8d5b-43bc-a9f0-1c7a3b9e90d7` |
| 44 | +which means “the object `f2a6743e-8d5b-43bc-a9f0-1c7a3b9e90d7` at the eVault `e4d909c2-5d2f-4a7d-9473-b34b6c0f1a5a`, |
| 45 | +where `e4d909c2-5d2f-4a7d-9473-b34b6c0f1a5a` could be: |
| 46 | +either the exact URL of the eVault, or |
| 47 | +the URL of its “controller”, the owner, then such URL should be resolved to the current eVault which this person (or group) controls |
| 48 | + |
| 49 | +## W3ID Key binding |
| 50 | + |
| 51 | +The Identifier would be loosely bound to a set of keys, meaning an identifier is not derived from a set of keys making it easy to change the keys in case someone's keys gets compromised, or they turn up on the beach naked and need a new set of keys as their device is lost. |
| 52 | + |
| 53 | +## W3ID Document Binding |
| 54 | + |
| 55 | +The identifier would be also loosely bound to a Passport, via a binding document certified by a root CA in the prototype, where the Identifier would be connected to entropy generated by the details of the passport of an individual. |
| 56 | + |
| 57 | +> Note: Passport verification is out of scope for W3ID as an identifier and is handled by the eID Wallet Applicaiton. |
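Review bot: The introduction names the protocol `did:w3id`, but the "W3ID URI Scheme" section defines `w3id://<UUID in HEX>`; pick one and state whether W3ID is a DID method or a standalone URI scheme, because resolvers and verifiers will key on that prefix. The same introductory sentence ends in "e.g.." with no entity types listed (three blank lines follow), and "represented on the diagram below" in the Users & Groups section has no image in this commit, so either add the figure or reword the two "(1-2 relations)" / "(2-3 relations)" lines as plain text. In the requirements, "a namespace with more range higher than 10^22" should read "a namespace larger than 10^22"; the URI section should also pin the UUID version, since the "2^122" figure only holds for random (RFC 4122 version 4) UUIDs and not for time- or name-based ones, and should spell out the canonical 8-4-4-4-12 lowercase form so that equality and uniqueness checks on stored IDs cannot be defeated by case or formatting differences. In the resolution rules after the example ("either the exact URL of the eVault, or the URL of its controller"), the text does not say how a resolver distinguishes an eVault ID from a controller ID, nor who attests the controller-to-current-eVault mapping; without a signed mapping (for instance by the W3ID's current key set) a resolver can be pointed at the wrong eVault. "Loosely bound" / "loosely tied" appears four times without a definition: for key binding, state how a rotation is authorized and how verifiers learn the current key set and which keys are revoked; for document binding, passport details are low-entropy, non-secret values, so "entropy generated by the details of the passport" should feed only the certified binding document and not the identifier itself, otherwise identifiers become guessable and correlatable, which also conflicts with the "loosely tied" requirement. Minor: the eVault paragraph sits under the "Mobile Devices" heading and deserves its own; "a envelope" should read "an envelope"; "Applicaiton" should read "Application".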