Self-Certifying SIDs: Decentralized Identity
- Self-certifying SIDs are cryptographically bound identifiers that intrinsically link an identity to its public key, ensuring decentralized control without relying on central authorities.
- They utilize immutable, append-only event logs for key rotation, delegation, and governance, which provide tamper-evident proofs of every control operation.
- Their applications span IoT, scientific data certification, and digital asset management, offering strong auditability and trust in distributed systems.
Self-certifying SIDs (Self-certifying Secure Identifiers) constitute a cryptographically grounded paradigm for decentralized identity systems and digital asset control, where the identity or control token is intrinsically bound to a cryptographic public key, and all changes in control, authority, or provenance are publicly verifiable via cryptographic evidence. This approach eliminates the reliance on central authorities for the trust root, enables robust key lifecycle management, and ensures that all operations on the identifier (such as rotation, delegation, and governance) are ambiently verifiable through append-only event logs, decentralized consensus, or direct cryptographic proofs.
1. Cryptographic Root-of-Trust: Self-Certifying Identifiers
The fundamental feature of self-certifying SIDs is the cryptographic binding between the identifier and its controlling public key at issuance. In KERI (Smith, 2019), this is termed the primary root-of-trust: every identifier is issued over a strongly bound (public, private) signing key pair. Only holders of the corresponding private key can produce valid control events. The same principle underlies registry-less schemes such as did:self (Fotiou et al., 29 Apr 2025), where the identifier is constructed as a hash thumbprint of the controller’s public key (RFC 7638), taking the form:
Verification simply entails extracting the public key from the signed statement, recomputing its thumbprint, and ensuring consistency with the identifier string.
Self-certification removes the need for external registries, because the identifier itself serves as a public key fingerprint. The approach extends to IoT entities (Dayaratne et al., 3 May 2024, Fedrecheski et al., 2020), scientific datasets (Barclay et al., 2020), or content, offering subject-centric control without requiring persistent registry anchoring.
2. Key Event Logging, Mutation, and Control Provenance
Self-certifying SIDs enhance accountability and auditability by associating every operation over an identifier—namely, inception, key rotation, delegation, and interaction—with an append-only, cryptographically chained event log. In KERI (Smith, 2019), each key event includes the hash digest of its predecessor (except the inception event), coupled with monotonically increasing sequence numbers, forming an immutable chain:
$E_{n} = \{\text{header},\, \text{key block},\, \text{witness config},\, \text{prev\_digest},\, \text{signature}\}$
If any event is modified, the cryptographic chain breaks, offering immediate tamper evidence. Transfer-of-control (rotation or delegation) is achieved through signed transfer statements referenced via digests, and all provenance can be reconstructed through chained event validation.
Key lifecycle management is facilitated through pre-rotation: upcoming key sets are committed to in advance by posting (unexposed) digests of the next key material. Current events are signed using now-exposed keys; recovery leverages the unexposed, pre-committed next keys to maintain operational control even after compromise.
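The chaining and pre-rotation rules described above can be checked mechanically. The following is an added example, not KERI's own code or wire format: the field names, the `icp`/`rot` type labels, and the string stand-ins for public keys are assumptions, every event after inception is treated as a rotation, and signature verification is left out so the block runs with the standard library only.

```python
import hashlib
import json

def digest(obj) -> str:
    """SHA-256 over a deterministic JSON encoding (sorted keys, no whitespace)."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def make_event(prev, kind, key, next_key):
    """Build an event that chains to `prev` and pre-commits to `next_key`."""
    return {
        "sn": 0 if prev is None else prev["sn"] + 1,
        "type": kind,                      # "icp" (inception) or "rot" (rotation)
        "key": key,                        # currently exposed public key
        "next_digest": digest(next_key),   # commitment to the unexposed next key
        "prev_digest": None if prev is None else digest(prev),
    }

def verify_log(log):
    """Return (True, None), or (False, reason) for the first broken rule."""
    for i, ev in enumerate(log):
        if ev["sn"] != i:
            return False, f"event {i}: sequence number out of order"
        if i == 0:
            if ev["type"] != "icp" or ev["prev_digest"] is not None:
                return False, "event 0: not a valid inception event"
            continue
        prev = log[i - 1]
        # Any edit to an earlier event changes its digest and breaks this link.
        if ev["prev_digest"] != digest(prev):
            return False, f"event {i}: prev_digest does not match event {i - 1}"
        # Pre-rotation: the newly exposed key must match the prior commitment.
        if ev["type"] == "rot" and digest(ev["key"]) != prev["next_digest"]:
            return False, f"event {i}: key was not pre-committed"
    return True, None

# Constructed sample log: inception followed by two rotations.
icp = make_event(None, "icp", "pub-key-0", "pub-key-1")
rot1 = make_event(icp, "rot", "pub-key-1", "pub-key-2")
rot2 = make_event(rot1, "rot", "pub-key-2", "pub-key-3")
LOG = [icp, rot1, rot2]
```

A rotation to a key that was never committed fails even when its `prev_digest` is correct, which is why compromise of the currently exposed key alone is not enough to take over the identifier.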
3. Delegation, Group Control, and Governance
Delegation in self-certifying SIDs enables controlled transfer or hierarchical partitioning of authority. In KERI (Smith, 2019), delegation involves mutual events—a delegating event with a delegation seal referencing the delegate’s event, and a corresponding delegated event with an anchor to the delegator.
did:self (Fotiou et al., 29 Apr 2025) supports multi-holder DIDs, with delegation realized by allowing the controller to produce multiple signatures over documents containing different holders’ public keys, or by incorporating delegation in JWT/X.509 certificate chains. For group-controlled SIDs (Segat et al., 8 Jul 2025), programmable on-chain governance orchestrates updates to the identifier's associated metadata (DID Document, or DDO) via voting, threshold, or weighted decision schemes implemented as smart contracts. Coordination is formally modeled by aggregating weighted votes:
where are controller weights and binary votes, enforcing update policies in a trustless, audit-ready manner.
Embedding governance metadata directly within the DDO enables identity orchestration in multi-stakeholder scenarios (e.g., joint ventures, role-based authority), and governance can itself be mutated through programmable, consensus-enforced processes.
4. Distributed Trust, Verifiability, and Consensus Mechanisms
Ambient and decentralized verifiability is central to self-certifying SIDs. Direct (one-to-one) and indirect (one-to-any) control verification modes are articulated in KERI (Smith, 2019). Direct mode relies on controllers’ signatures validated by the recipient; indirect mode leverages a witness set (of size ) and consensus threshold , achieving "immunity" by requiring with being the maximum faulty witnesses. Witnesses broadcast event receipts, and KERI's KA2CE agreement algorithm ensures uniformity across witness-validated events.
For credential provenance in research datasets (Barclay et al., 2020), SSI frameworks employ cryptographic hashes as immutable links between datasets and their verifiable credentials, signed and verified via decentralized public keys and standardized mechanisms (e.g., did:web, JSON-LD VCs).
In federated SSI environments, trust registries (Eer et al., 2022) introduce a directed trust graph among issuers, with transitive trust mathematically modeled as the product of edge weights over a path:
Merkle tree cryptographic commitments and zero-knowledge proofs are used to reconcile privacy with auditability.
The VCTP protocol (Mukta et al., 2023) further extends trust propagation from authorized issuers to personal (individual) issuers. Sanitizable signatures and on-chain voting enforce update and delegation integrity, allowing for cryptographic and human oversight.
5. Format Interoperability, Serialization, and Practical Deployment
Serialization and encoding are standardized to guarantee deterministic digest and signature verification, as in KERI's support for JSON, CBOR, and MessagePack, with field ordering established by specification.
did:self (Fotiou et al., 29 Apr 2025) advances this by supporting implicit DID documents reconstructed from authentication artifacts such as JWTs or X.509 certificate chains. In JWT-based authentication, essential claims are:

| Claim | Value |
|-------|-------|
| iss | did:self:<thumbprint> |
| sub | <suffix, e.g., device identity> |
| cnf | { "jwk": { ... public key ... } } |

These natural mappings enable seamless integration with web authentication standards (e.g., OAuth DPoP) and legacy systems, broadening applied utility while retaining cryptographic self-certification.
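The thumbprint check from section 1 and the claim mapping above combine into one verification step: recompute the RFC 7638 thumbprint of the key in `cnf.jwk` and compare it with the `iss` identifier. This is an added example, not code from the did:self authors. It assumes the thumbprint is encoded as unpadded base64url SHA-256 (the RFC 7638 default), uses a constructed key value, and covers only the identifier binding; the JWT signature must still be verified with the same key.

```python
import base64
import hashlib
import json

# Required JWK members per key type that form the RFC 7638 thumbprint input.
REQUIRED = {"EC": ("crv", "kty", "x", "y"),
            "OKP": ("crv", "kty", "x"),
            "RSA": ("e", "kty", "n")}

def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the required members only, in lexicographic order,
    serialized without whitespace, then base64url without padding."""
    members = REQUIRED[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    raw = hashlib.sha256(canonical.encode()).digest()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def check_self_certifying(claims: dict):
    """Return (ok, reason): is `iss` the thumbprint of the key in `cnf.jwk`?"""
    iss = claims.get("iss", "")
    jwk = (claims.get("cnf") or {}).get("jwk")
    if not iss.startswith("did:self:") or not isinstance(jwk, dict):
        return False, "missing did:self issuer or cnf.jwk"
    kty = jwk.get("kty")
    if kty not in REQUIRED or any(m not in jwk for m in REQUIRED[kty]):
        return False, "unsupported or incomplete JWK"
    if iss[len("did:self:"):] != jwk_thumbprint(jwk):
        return False, "iss does not match thumbprint of cnf.jwk"
    return True, "identifier is bound to the presented key"

# Constructed sample: the x value is a made-up stand-in, not a real key.
SAMPLE_JWK = {"kty": "OKP", "crv": "Ed25519",
              "x": "Zm9vYmFyLWNvbnN0cnVjdGVkLWtleS1ieXRlcy0wMDAwMA"}
SAMPLE_CLAIMS = {"iss": "did:self:" + jwk_thumbprint(SAMPLE_JWK),
                 "sub": "device-42",          # hypothetical suffix
                 "cnf": {"jwk": SAMPLE_JWK}}
```

Because only the required members are hashed, optional members such as `kid` or `use` do not change the identifier, while any change to the key material does.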
6. Application Domains and Security Properties
Self-certifying SIDs are applied in IoT (Dayaratne et al., 3 May 2024, Fedrecheski et al., 2020), scientific publishing (Barclay et al., 2020), content attribution, and digital identity ecosystems. In IoT, DIDs and VCs enable per-device or per-network identity and attribute assertion, with optimized protocols (e.g., CBOR encoding, edge delegation of cryptographic tasks) devised for constrained environments. Applications in data provenance allow datasets to self-certify source and quality via credentialed hashes, supporting reproducibility and trust in scientific workflows.
Security derives from the impossibility of forging identifiers without control of the root private key, the transparency of event chains and delegation, and the verifiability of all control operations. Privacy is advanced by registry-less designs (did:self), limiting metadata exposure and de-linking identity information.
Limitations include challenges in revocation (did:self uses expiration times), scalability for massive IoT deployments, and resilience to complex group control attack scenarios (Segat et al., 8 Jul 2025). Mitigation strategies encompass expiration-based validity, distributed governance, and the use of cryptographic privacy mechanisms (e.g., selective disclosure, zero-knowledge proofs).
7. Future Directions and Open Challenges
The trajectory for self-certifying SIDs includes further minimization of dependency on on-chain registries (favoring registry-less, self-certifying mechanisms), broader support for group control and programmable governance, lightweight integration in constrained environments (suitable for IoT), and advanced privacy-preserving techniques for selective attribute disclosure.
Ongoing efforts seek to accommodate dynamically mutable trust networks, seamless cross-domain delegation, and the embedding of revocation and key lifecycle metadata in self-certifying formats compatible with evolving open standards (e.g., W3C DIDs, Verifiable Credentials, and OAuth/OIDC extensions).
Taken together, self-certifying SIDs represent a foundational architecture for decentralized, secure, and flexible digital identity infrastructure, with applications in autonomous systems, provenance assurance, and privacy-centric authentication across networked domains.