DID7: Authority-Scoped Decentralized Identifier Scheme

Introduction The W3C Decentralized Identifiers (DIDs) specification defines method-based identifiers without a global namespace. DID7 introduces an optional authority layer, enabling namespace partitioning, governance domains, and scalable resolution infrastructure while remaining compatible with DID Core.

Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

DID Document:: As defined in .
Authority:: A namespace controller that defines resolver endpoints and governance rules for a set of DID7 identifiers.
Method:: A named DID method as defined in .

DID7 Syntax

General Form /]: ]]>

ABNF The following ABNF defines the DID7 URI syntax. The unreserved and pct-encoded rules are imported from Section 2.3. The ALPHA, DIGIT, and HEXDIG rules are imported from Appendix B. Note: The colon (":") character is intentionally excluded from method-id to avoid ambiguity with the method delimiter. Colons within method-specific identifiers MUST be percent-encoded.

Default Authority If the authority component is absent, it MUST be treated as equivalent to the authority "w3.org".

Expansion Rule A DID7 URI without an explicit authority component expands as follows: : -> did7://w3.org/: ]]>

Authority Model Authorities define resolution namespaces for DID7 identifiers. An authority:

MAY define resolver endpoints, governance models, and supported methods.
MUST NOT alter DID Document semantics as defined in .
Introduces an optional trust boundary for identifiers in its namespace.

Resolution Model

Stage 1: Authority Resolution Resolvers SHOULD perform DNS-based discovery of the resolver endpoint for an authority using a DNS TXT record of the form: IN TXT \ "resolver=https://resolver.example.com" ]]> DNS responses used for authority resolution SHOULD be validated using DNSSEC.

Stage 2: Method Resolution The method-specific identifier is resolved using the endpoint discovered in Stage 1. The resulting DID Document MUST conform to .

Compatibility

One-Way Mapping Any W3C DID can be mapped to a DID7 URI as follows: : -> did7://w3.org/: ]]> This mapping is one-way. There is no general inverse mapping from DID7 to W3C DID.

Non-Equivalence Implementations MUST NOT assume equivalence between "did" and "did7" identifiers, even when the method and method-specific identifier components are identical.

Security Considerations The following security considerations apply to implementations of this specification:

Authorities introduce a trust surface. The integrity of resolver endpoints MUST be verified before use. Implementations SHOULD use certificate-based authentication when contacting resolver endpoints.
DNS responses used for authority resolution SHOULD be validated using DNSSEC to prevent DNS spoofing attacks.
Resolver endpoints SHOULD use HTTPS (TLS) to protect data in transit. Endpoints using plain HTTP MUST NOT be used in production deployments.
Cryptographic verification of DID Documents MUST follow the procedures defined in .
Implementations MUST NOT accept resolver endpoints that redirect to third-party domains not associated with the declared authority.

IANA Considerations This document requests registration of the URI scheme "did7" in the "Uniform Resource Identifier (URI) Schemes" registry maintained by IANA, in accordance with .

URI scheme name:: did7
Status:: Provisional
URI scheme syntax:: See of this document.
URI scheme semantics:: The "did7" URI scheme identifies authority-scoped decentralized identifiers. Resolution proceeds in two stages: authority discovery via DNS, followed by method-specific DID resolution. The resulting resource is a DID Document as defined in .
Encoding considerations:: The "did7" URI scheme uses only ASCII characters as defined by the ABNF in . Non-ASCII characters in the method-specific identifier component MUST be percent-encoded per .
Applications/protocols that use this URI scheme:: Applications implementing decentralized identity, verifiable credentials, or self-sovereign identity frameworks that require authority-scoped namespace governance.
Interoperability considerations:: DID7 URIs are not directly interchangeable with W3C DID URIs. See for the one-way mapping from W3C DID to DID7.
Security considerations:: See of this document.
Contact:: Michael Herman <michael@web7.foundation>
Author/change controller:: Michael Herman, Web 7.0 Foundation
References:: This document.

Examples The following are valid DID7 URIs:

Conformance (Non-Normative) The following URIs are valid under the syntax defined in : The following URIs are invalid and MUST be rejected by conforming implementations: