•  The emergence of distributed ledger technology   3.  PII Protection:  DID  architecture  should  enable
               (DLT), sometimes referred to as blockchain tech-  entities to control the identifiable data of their
               nology, provides the opportunity for fully decen-  digital identities, including minimal, selective, and
               tralized identity management. In a decentralized   progressive disclosure of attributes or other iden-
               identity system, entities are free to use any shared   tity data.
               root of trust. Globally distributed ledgers (or a   4. Security: DID architecture should enable suffi-
               decentralized  P2P  network  that  provides  similar   cient security for relying parties to depend on DID
               capabilities) provide a means for managing a root   records for their required level of assurance.
               of trust with neither centralized authority nor a   5.  Proof-based: DID architecture should enable an
               single point of failure. In combination, DLTs and   entity to provide cryptographic proof of authen-
               decentralized identity systems enable any entity   tication and proof of authorization rights.
               to create and manage their own identifiers on any   6.  Discoverability:  DID  architecture should  make  it
               number of distributed, independent roots of trust.  possible for entities to discover DIDs for other
            •  The entities are identified by decentralized iden-  entities to learn more about or interact with those
               tifiers (DIDs). They may authenticate via proofs   entities.
               (e.g., digital signatures, privacy-preserving bio-  7.  Interoperability: DID architecture should use
               metric protocols, etc.). DIDs point to DID Docu-  interoperable standards so DID infrastructure can
               ments. A DID Document contains a set of service   make use of existing tools and software libraries
               endpoints for interacting with the entity. Follow-  designed for interoperability.
               ing the dictums of Privacy by Design, each entity   8.  Portability: DID architecture should be system and
               may have as many DIDs as necessary, to respect    network-independent and enable entities to use
               the entity’s desired separation of identities, perso-  their digital identities with any system that sup-
               nas, and contexts.                                ports DIDs and DID Methods.
            •  To use a DID with a particular distributed ledger   9.  Simplicity: To meet these design goals, DID archi-
               or network requires defining a DID method in a    tecture should be “as simple as possible but no
               separate DID method specification. A DID method   simpler”.
               specifies the set of rules for how a DID is regis-  10. Extensibility: When possible, DID architecture
               tered, resolved, updated, and revoked on that spe-  should enable extensibility provided it does not
               cific ledger or network.                          greatly hinder interoperability, portability, or sim-
            •  This design eliminates dependence on central-     plicity.
               ized registries for identifiers as well as centralized
               certificate authorities for key management – the   6.7.6   DID Authentication
               standard pattern in hierarchical PKI (public key   DID  Authentication  [14]  enables  a  DID  Subject  to
               infrastructure). Because DIDs reside on a distrib-  prove control over a DID during its interaction with
               uted ledger, each entity may serve as its own root   a relying party. The following general steps to be
               authority – an architecture referred to as DPKI   executed by the relying party include:
               (decentralized PKI).
                                                               1.  The relying party retrieves the DID Document
            In general, DID design goals are the following [10]:  associated with the DID Subject
                                                               2.  The  relying  party  uses  the  authentication  prop-
            1.  Decentralization: DID architecture should elimi-  erty of the DID Document to determine how to
               nate the requirement for centralized authorities   perform DID authentication,  for  example cryp-
               or single points of failure in identity management,   tographic signatures, proving control of a public
               including the registration of globally unique iden-  key or use of an authentication service endpoint
               tifiers, public verification keys, service endpoints,   3.  The relying party executes the authentication
               and other metadata.                               mechanism provided
            2.  Entity control of identifiers: DID architecture
               should give entities, both human and non-human,   DID authentication should support web and mobile
               the power to directly control their own digital   flows.
               identifiers without the need to rely on external
               authorities.






                                             Implementation of Secure Authentication Technologies for Digital Financial Services  37