[New Wave] Misconceptions and Truths About DID

Professor Kim Seung-joo, Graduate School of Information Security, Korea University

Blockchain has attracted public attention for several years but has yet to become a mainstream technology. However, with recent efforts by companies and public institutions to promote DID (Decentralized ID), expectations are rising that this year will mark the beginning of blockchain’s popularization. In the era of the Fourth Industrial Revolution, where the importance of personal data protection is growing, DID will undoubtedly become a central pillar of the internet and e-business industries. However, it is problematic to excessively associate DID solely with blockchain.

The existing identity verification systems store personal identity information concentrated in specific institutions (government, identity verification/authentication agencies, platform operators like Google and Facebook), which can lead to large-scale personal data breaches in the event of hacking incidents. Moreover, there is always the risk that these institutions holding identity information could become a Big Brother. DID emerged as a technology to solve these issues by allowing individuals to own, manage, and dispose of their own identity information (called 'Identifier') and various credential information such as age, nationality, driving records, education, and employment history (called 'Claims'), thereby securing self-control over personal data. In 2016, Christopher Allen and others proposed 11 requirements that DID should meet: Existence, Control, Access, Transparency, Persistence, Portability, Interoperability, Consent, Minimalization, Protection, and Provable. These have since become widely used as key criteria for evaluating good DID services. So, what is the relationship between DID and blockchain?

One of the biggest misconceptions about DID is that "DID can only be implemented with blockchain." DID can be created using blockchain, as with uPort, or without blockchain, as with PDS (Private Data System). However, when using a public blockchain, it becomes easier to achieve certain properties among the 11 requirements mentioned earlier, such as Transparency, Persistence, and Interoperability, due to the inherent characteristics of blockchain.

The second misconception is that "DID is safe from hacking because it is based on blockchain." Blockchain is not an unhackable technology; it merely provides technical features such as decentralization, transparency, immutability, and availability. Therefore, blockchain-based DID has strengths in preventing forgery of identity documents but remains vulnerable to exposure of personal information recorded on those documents. To address these issues and to fulfill the 'Minimalization' requirement (exposing only the minimum necessary personal information), DID must incorporate technologies beyond blockchain, such as Zero-Knowledge Proofs.

Finally, the utility of various credential proofs using DID is greatly enhanced when they have legal validity (the so-called 'Provable' characteristic). Therefore, electronic signature technologies with legal effect, such as those using certified digital signatures, are not in opposition to DID but rather complementary.

In the era of the Fourth Industrial Revolution, where the safe use of data is emphasized, government and corporate interest in DID is welcome. However, it is problematic to excessively link DID to specific underlying technologies or to have governments or existing identity verification agencies overly involved under the pretext of rapid project implementation, as this could hinder the creation of a desirable ecosystem. A more sober analysis of the fundamental philosophy and underlying technologies of DID, along with diverse approaches, is needed.

Seungjoo Kim, Professor, Graduate School of Information Security, Korea University