Page 34 - FIGI: e-KYC use cases in digital financial services
public key which could be on the distributed ledger.

DID Authentication enables a DID Holder to prove control over a DID during its interaction with a Verifier (sometimes referred to as Relying Party). DID authentication should support web and mobile flows. The general steps to be executed by the Verifier include the following:

a) The Verifier retrieves the DID Document associated with the DID Holder.
b) The Verifier uses the authentication property of the DID Document to determine how to perform DID authentication, for example cryptographic signatures, proving control of a public key or use of an authentication service endpoint.
c) The Verifier executes the authentication mechanism provided.

7.5 DID Resolution
The DID specification requires each DLT to have a DID Method specification to describe how DID operations are performed. The implication of having many DID Method specifications is that resolving a text string, the DID, to locate the trust root and the associated DID Document is complex. The DID resolution function could become a major impediment to interoperable DIDs. Work has begun on a universal DID resolver architecture and toolset that can take any valid DID as input and resolve it to a DID Document. The universal resolvers are specifically designed to work for decentralized identifiers and support DID resolution over many different types of DLT. The universal resolver approach solves the problem of heterogeneous networks having different method specifications for their own DID. Figure 13 depicts the Universal Resolver concept.

Figure 13: Universal DID Resolver
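
The Verifier steps a) to c) and the per-method dispatch behind a universal resolver, written out as an added example that is not part of the original report. The in-memory `drivers` registry, the `did:example` identifier, the Ed25519 key and all function names are assumptions made for illustration; the DID Document layout follows W3C DID Core.

```javascript
// Added example, not from the report: a Verifier authenticating a DID Holder.
const nodeCrypto = require('crypto');

// Constructed Holder key pair; in practice the private key never leaves the wallet.
const holder = nodeCrypto.generateKeyPairSync('ed25519');
const HOLDER_DID = 'did:example:123456789abcdefghi'; // constructed sample DID

// Stand-in for ledgers: one driver per DID method behind a single resolve() call.
const drivers = new Map([
  ['example', (did) => ({
    id: did,
    verificationMethod: [{
      id: `${did}#key-1`, type: 'JsonWebKey2020', controller: did,
      publicKeyJwk: holder.publicKey.export({ format: 'jwk' }),
    }],
    authentication: [`${did}#key-1`],
  })],
]);

// Step a: resolve the DID to its DID Document (simplified DID syntax check).
function resolve(did) {
  const m = /^did:([a-z0-9]+):([A-Za-z0-9._:%-]+)$/.exec(did);
  if (!m) throw new Error('malformed DID');
  const driver = drivers.get(m[1]);
  if (!driver) throw new Error(`no driver for DID method "${m[1]}"`);
  const doc = driver(did);
  if (doc.id !== did) throw new Error('DID Document id does not match the DID');
  return doc;
}

// Step b: only keys listed under `authentication` are accepted for authentication.
function authenticationKeys(doc) {
  return (doc.authentication || [])
    .map((e) => (typeof e === 'string'
      ? (doc.verificationMethod || []).find((vm) => vm.id === e) : e))
    .filter((vm) => vm && vm.publicKeyJwk);
}

// Step c: check the Holder's signature over a fresh challenge chosen by the Verifier.
function verifyDidAuth(did, challenge, signature) {
  return authenticationKeys(resolve(did)).some((vm) => {
    const key = nodeCrypto.createPublicKey({ key: vm.publicKeyJwk, format: 'jwk' });
    return nodeCrypto.verify(null, challenge, key, signature);
  });
}

// Holder side (wallet): sign the Verifier's challenge with the private key.
const signChallenge = (challenge) => nodeCrypto.sign(null, challenge, holder.privateKey);
```

The Verifier should generate the challenge itself with `nodeCrypto.randomBytes(32)` for every session, so that a signature captured from an earlier exchange does not verify again.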

7.6 Decentralized Identity Wallets
The individual must have software and/or hardware that enables them to interact with the decentralized identity system. These components are agents and wallets.

The primary function of an agent is to communicate with other agents and coordinate DID resolution and authentication. The agent keeps track of DIDs related to other entities in the network. An agent contains or is connected to a wallet where cryptographic secret keys are kept and protected. The wallet contains the essential private keys that allow the individual to prove control over a DID and thus participate in the decentralized identity system. The agent and wallet hold verifiable credentials and proofs belonging to the individual.

The wallet can be entirely on the user's device or a virtual wallet where one part of the wallet is on the user's mobile device and another part in the cloud. The latter configuration enables the creation of agents to act on behalf of the user and perform services without the need for direct user involvement.