



Independent Submission                                         M. Herman
Internet-Draft                                        Web 7.0 Foundation
Intended status: Informational                             17 March 2026
Expires: 18 September 2026


         DID7: Authority-Scoped Decentralized Identifier Scheme
                    draft-herman-did7-identifier-00

Abstract

   This document defines the "did7" URI scheme, an authority-scoped
   decentralized identifier format.  DID7 introduces an optional
   authority component and a two-stage resolution process, while
   remaining fully compatible with the W3C Decentralized Identifiers
   (DIDs) v1.0 specification (DID Core).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 18 September 2026.

Copyright Notice

   Copyright (c) 2026 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.







Herman                  Expires 18 September 2026               [Page 1]

Internet-Draft               DID7 Identifier                  March 2026


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   2
   3.  DID7 Syntax . . . . . . . . . . . . . . . . . . . . . . . . .   3
     3.1.  General Form  . . . . . . . . . . . . . . . . . . . . . .   3
     3.2.  ABNF  . . . . . . . . . . . . . . . . . . . . . . . . . .   3
     3.3.  Default Authority . . . . . . . . . . . . . . . . . . . .   3
     3.4.  Expansion Rule  . . . . . . . . . . . . . . . . . . . . .   3
   4.  Authority Model . . . . . . . . . . . . . . . . . . . . . . .   3
   5.  Resolution Model  . . . . . . . . . . . . . . . . . . . . . .   4
     5.1.  Stage 1: Authority Resolution . . . . . . . . . . . . . .   4
     5.2.  Stage 2: Method Resolution  . . . . . . . . . . . . . . .   4
   6.  Compatibility . . . . . . . . . . . . . . . . . . . . . . . .   4
     6.1.  One-Way Mapping . . . . . . . . . . . . . . . . . . . . .   4
     6.2.  Non-Equivalence . . . . . . . . . . . . . . . . . . . . .   4
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .   4
   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   5
   9.  Examples  . . . . . . . . . . . . . . . . . . . . . . . . . .   6
   10. Conformance (Non-Normative) . . . . . . . . . . . . . . . . .   6
   11. References  . . . . . . . . . . . . . . . . . . . . . . . . .   6
     11.1.  Normative References . . . . . . . . . . . . . . . . . .   6
     11.2.  Informative References . . . . . . . . . . . . . . . . .   7
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   7

1.  Introduction

   The W3C Decentralized Identifiers (DIDs) specification [DID-CORE]
   defines method-based identifiers without a global namespace.  DID7
   introduces an optional authority layer, enabling namespace
   partitioning, governance domains, and scalable resolution
   infrastructure while remaining compatible with DID Core.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   DID Document:  As defined in [DID-CORE].

   Authority:  A namespace controller that defines resolver endpoints
      and governance rules for a set of DID7 identifiers.

   Method:  A named DID method as defined in [DID-CORE].




Herman                  Expires 18 September 2026               [Page 2]

Internet-Draft               DID7 Identifier                  March 2026


3.  DID7 Syntax

3.1.  General Form

   did7:[//<authority-name>/]<method>:<method-specific-id>

3.2.  ABNF

   The following ABNF [RFC5234] defines the DID7 URI syntax.  The
   unreserved and pct-encoded rules are imported from [RFC3986]
   Section 2.3.  The ALPHA, DIGIT, and HEXDIG rules are imported from
   [RFC5234] Appendix B.

   did7-uri       = "did7:" [ authority ] method ":" method-id

   authority      = "//" authority-name "/"
   authority-name = 1*( ALPHA / DIGIT / "-" )

   method         = 1*( ALPHA / DIGIT )
   method-id      = 1*( unreserved / pct-encoded / "." / "-" / "_" )

   pct-encoded    = "%" HEXDIG HEXDIG

   Note: The colon (":") character is intentionally excluded from
   method-id to avoid ambiguity with the method delimiter.  Colons
   within method-specific identifiers MUST be percent-encoded.

3.3.  Default Authority

   If the authority component is absent, it MUST be treated as
   equivalent to the authority "w3.org".

3.4.  Expansion Rule

   A DID7 URI without an explicit authority component expands as
   follows:

   did7:<method>:<id>  ->  did7://w3.org/<method>:<id>

4.  Authority Model

   Authorities define resolution namespaces for DID7 identifiers.  An
   authority:

   *  MAY define resolver endpoints, governance models, and supported
      methods.

   *  MUST NOT alter DID Document semantics as defined in [DID-CORE].



Herman                  Expires 18 September 2026               [Page 3]

Internet-Draft               DID7 Identifier                  March 2026


   *  Introduces an optional trust boundary for identifiers in its
      namespace.

5.  Resolution Model

5.1.  Stage 1: Authority Resolution

   Resolvers SHOULD perform DNS-based discovery of the resolver endpoint
   for an authority using a DNS TXT record of the form:

   _did7.<authority-domain> IN TXT \
       "resolver=https://resolver.example.com"

   DNS responses used for authority resolution SHOULD be validated using
   DNSSEC.

5.2.  Stage 2: Method Resolution

   The method-specific identifier is resolved using the endpoint
   discovered in Stage 1.  The resulting DID Document MUST conform to
   [DID-CORE].

6.  Compatibility

6.1.  One-Way Mapping

   Any W3C DID can be mapped to a DID7 URI as follows:

   did:<method>:<id>  ->  did7://w3.org/<method>:<id>

   This mapping is one-way.  There is no general inverse mapping from
   DID7 to W3C DID.

6.2.  Non-Equivalence

   Implementations MUST NOT assume equivalence between "did" and "did7"
   identifiers, even when the method and method-specific identifier
   components are identical.

7.  Security Considerations

   The following security considerations apply to implementations of
   this specification:

   *  Authorities introduce a trust surface.  The integrity of resolver
      endpoints MUST be verified before use.  Implementations SHOULD use
      certificate-based authentication when contacting resolver
      endpoints.



Herman                  Expires 18 September 2026               [Page 4]

Internet-Draft               DID7 Identifier                  March 2026


   *  DNS responses used for authority resolution SHOULD be validated
      using DNSSEC to prevent DNS spoofing attacks.

   *  Resolver endpoints SHOULD use HTTPS (TLS) to protect data in
      transit.  Endpoints using plain HTTP MUST NOT be used in
      production deployments.

   *  Cryptographic verification of DID Documents MUST follow the
      procedures defined in [DID-CORE].

   *  Implementations MUST NOT accept resolver endpoints that redirect
      to third-party domains not associated with the declared authority.

8.  IANA Considerations

   This document requests registration of the URI scheme "did7" in the
   "Uniform Resource Identifier (URI) Schemes" registry maintained by
   IANA, in accordance with [RFC7595].

   URI scheme name:
      did7

   Status:
      Provisional

   URI scheme syntax:
      See Section 3.2 of this document.

   URI scheme semantics:
      The "did7" URI scheme identifies authority-scoped decentralized
      identifiers.  Resolution proceeds in two stages: authority
      discovery via DNS, followed by method-specific DID resolution.
      The resulting resource is a DID Document as defined in [DID-CORE].

   Encoding considerations:
      The "did7" URI scheme uses only ASCII characters as defined by the
      ABNF in Section 3.2.  Non-ASCII characters in the method-specific
      identifier component MUST be percent-encoded per [RFC3986].

   Applications/protocols that use this URI scheme:
      Applications implementing decentralized identity, verifiable
      credentials, or self-sovereign identity frameworks that require
      authority-scoped namespace governance.

   Interoperability considerations:
      DID7 URIs are not directly interchangeable with W3C DID URIs.  See
      Section 6 for the one-way mapping from W3C DID to DID7.




Herman                  Expires 18 September 2026               [Page 5]

Internet-Draft               DID7 Identifier                  March 2026


   Security considerations:
      See Section 7 of this document.

   Contact:
      Michael Herman <michael@web7.foundation>

   Author/change controller:
      Michael Herman, Web 7.0 Foundation

   References:
      This document.

9.  Examples

   The following are valid DID7 URIs:

   did7:example:123
   did7://w3.org/example:123
   did7://dif/web:abc
   did7://acbd1234/custom:xyz_123

10.  Conformance (Non-Normative)

   The following URIs are valid under the syntax defined in Section 3.2:

   did7:example:123
   did7://w3.org/example:123
   did7://dif/web:abc.def

   The following URIs are invalid and MUST be rejected by conforming
   implementations:

   did7:///          (empty authority-name and empty method)
   did7://w3.org/    (empty method and method-id)
   did7:             (missing method and method-id)

11.  References

11.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/rfc/rfc2119>.







Herman                  Expires 18 September 2026               [Page 6]

Internet-Draft               DID7 Identifier                  March 2026


   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 3986, DOI 10.17487/RFC3986, January 2005,
              <https://www.rfc-editor.org/rfc/rfc3986>.

   [RFC5234]  Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", STD 68, RFC 5234,
              DOI 10.17487/RFC5234, January 2008,
              <https://www.rfc-editor.org/rfc/rfc5234>.

   [RFC7595]  Thaler, D., Ed., Hansen, T., and T. Hardie, "Guidelines
              and Registration Procedures for URI Schemes", BCP 35,
              RFC 7595, DOI 10.17487/RFC7595, June 2015,
              <https://www.rfc-editor.org/rfc/rfc7595>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.

11.2.  Informative References

   [DID-CORE] World Wide Web Consortium (W3C), "Decentralized
              Identifiers (DIDs) v1.0", W3C Recommendation, July 2022,
              <https://www.w3.org/TR/did-core/>.

Author's Address

   Michael Herman
   Web 7.0 Foundation
   Email: michael@web7.foundation





















Herman                  Expires 18 September 2026               [Page 7]
