The wba DID method is a web-based decentralized identifier (DID) specification designed to meet the requirements of cross-platform identity authentication and intelligent agent communication. This method extends and optimizes the did:web specification, named as did:wba, maintaining compatibility while enhancing adaptability for agent scenarios. In this specification, we design a process based on the did:wba method and HTTP protocol that enables servers to quickly verify client identities from other platforms without increasing interaction frequency.
The wba DID method specification complies with the requirements specified in Decentralized Identifiers V1.0 [DID-CORE].
This specification builds upon the did:web method specification by adding DID document constraints, cross-platform identity authentication processes, and agent description service specifications, proposing a new method name did:wba (Web-Based Agent).
Considering that the did:web method specification is still a draft and may undergo changes unsuitable for agent communication scenarios, and that reaching consensus with the original authors on specification modifications is a long-term process, we have decided to use a new method name.
We do not rule out the possibility of merging the did:wba specification into the did:web specification in the future, and we will work towards achieving this goal.
The did:wba method references the did:web method specification at https://w3c-ccg.github.io/did-method-web, version dated July 31, 2024. For management purposes, we have backed up a copy of the did:web method specification currently used by did:wba: did:web Method Specification.
In designing the did:wba method, our core principle is to fully utilize existing mature technologies and robust Web infrastructure while achieving decentralization. Using did:wba enables email-like functionality where platforms can implement their account systems in a centralized manner while maintaining interoperability between platforms.
Furthermore, various types of identifier systems can add DID support, bridging interoperability between centralized, federated, and decentralized identifier systems. This means existing centralized identifier systems do not require complete restructuring; they can achieve cross-system interoperability by simply creating DIDs on top of their existing infrastructure, significantly reducing technical implementation complexity.
The method name string used to identify this DID method is: wba. DIDs using this method MUST begin with the following prefix: did:wba. According to the DID specification, this string MUST be lowercase. The remainder of the DID (after the prefix) is specified below.
The method-specific identifier is a fully qualified domain name protected by TLS/SSL certificates, optionally including a path to the DID document. The formal rules describing valid domain name syntax are specified in (RFC1035), (RFC1123), and (RFC2181).
The method-specific identifier MUST match the common name used in the SSL/TLS certificate and MUST NOT contain IP addresses. Port numbers may be included but colons must be percent-encoded to prevent conflicts with paths. Directories and subdirectories may be optionally included, using colons instead of forward slashes as separators.
wba-did = "did:wba:" domain-name wba-did = "did:wba:" domain-name * (":" path)
example: wba method DID example
did:wba:example.com
did:wba:example.com:user:alice
did:wba:example.com%3A3000
Due to how most web servers render content, specific did:wba documents are likely to be served with the media type application/json. When retrieving a document named did.json, the following processing rules should be followed:
-
If @context exists at the root of the JSON document, the document should be processed according to JSON-LD rules. If processing fails or cannot be performed, the document should be rejected as a did:wba document.
-
If @context exists at the root and the document is successfully processed as JSON-LD, and includes the context
https://www.w3.org/ns/did/v1
, it may be further processed as a DID document according to [did-core specification section 6.3.2]. -
If @context does not exist, the document should be processed as a DID according to the normal JSON rules specified in [did-core specification section 6.2.2].
-
When DID URLs appear in a did:wba document, they MUST be absolute URLs.
Note: This includes URLs in embedded key material and other metadata, which prevents key confusion attacks.
Apart from the DID Core specification, most other specifications are still in draft stage. This section will demonstrate a subset of a DID document used for authentication. To enhance interoperability between systems, all fields marked as required MUST be supported by all systems; fields marked as optional MAY be selectively supported. Fields defined in other standards not listed here MAY be selectively supported.
Example DID Document:
{
"@context": [
"https://www.w3.org/ns/did/v1",
"https://w3id.org/security/suites/jws-2020/v1",
"https://w3id.org/security/suites/secp256k1-2019/v1",
"https://w3id.org/security/suites/ed25519-2020/v1",
"https://w3id.org/security/suites/x25519-2019/v1"
],
"id": "did:wba:example.com%3A8800:user:alice",
"verificationMethod": [
{
"id": "did:wba:example.com%3A8800:user:alice#WjKgJV7VRw3hmgU6--4v15c0Aewbcvat1BsRFTIqa5Q",
"type": "EcdsaSecp256k1VerificationKey2019",
"controller": "did:wba:example.com%3A8800:user:alice",
"publicKeyJwk": {
"crv": "secp256k1",
"x": "NtngWpJUr-rlNNbs0u-Aa8e16OwSJu6UiFf0Rdo1oJ4",
"y": "qN1jKupJlFsPFc1UkWinqljv4YE0mq_Ickwnjgasvmo",
"kty": "EC",
"kid": "WjKgJV7VRw3hmgU6--4v15c0Aewbcvat1BsRFTIqa5Q"
}
}
],
"authentication": [
"did:wba:example.com%3A8800:user:alice#WjKgJV7VRw3hmgU6--4v15c0Aewbcvat1BsRFTIqa5Q",
{
"id": "did:wba:example.com%3A8800:user:alice#key-1",
"type": "Ed25519VerificationKey2020",
"controller": "did:wba:example.com%3A8800:user:alice",
"publicKeyMultibase": "zH3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV"
}
],
"keyAgreement": [
{
"id": "did:wba:example.com%3A8800:user:alice#key-2",
"type": "X25519KeyAgreementKey2019",
"controller": "did:wba:example.com%3A8800:user:alice",
"publicKeyMultibase": "z9hFgmPVfmBZwRvFEyniQDBkz9LmV7gDEqytWyGZLmDXE"
}
],
"service": [
{
"id": "did:wba:example.com%3A8800:user:alice#agent-description",
"type": "AgentDescription",
"serviceEndpoint": "https://agent-network-protocol.com/agents/example/ad.json"
}
]
}
Field Descriptions:
-
@context: Required field. The JSON-LD context defines the semantics and data model used in the DID document, ensuring document comprehensibility and interoperability.
https://www.w3.org/ns/did/v1
is required. Others can be added as needed. -
id: Required field. Cannot contain IP addresses but may include ports. When ports are included, colons must be encoded as %3A. Paths are separated using colons.
-
verificationMethod: Required field. Contains an array of verification methods that define public key information for verifying the DID subject.
- Sub-fields:
- id: Unique identifier for the verification method
- type: Type of verification method
- controller: DID that controls this verification method
- publicKeyJwk: Public key information in JSON Web Key format
- Sub-fields:
-
authentication: Required field. Lists verification methods used for authentication, which can be strings or objects.
- Sub-fields:
- id: Unique identifier for the verification method
- type: Type of verification method
- controller: DID that controls this verification method
- publicKeyMultibase: Public key information in Multibase format
- Sub-fields:
-
keyAgreement: Optional field. Defines public key information used for key agreement between DIDs for encrypted communication. Verification methods typically use key agreement algorithms suitable for key exchange, such as X25519KeyAgreementKey2019.
- Sub-fields:
- id: Unique identifier for the key agreement method
- type: Type of key agreement method
- controller: DID that controls this key agreement method
- publicKeyMultibase: Public key information in Multibase format
- Sub-fields:
-
service: Optional field that defines a list of services associated with the DID subject.
- id: Unique identifier for the service.
- type: Type of service. For agent description service, use "AgentDescription".
- serviceEndpoint: URL endpoint of the service. For agent description service, this URL points to a document that follows the ANP-Agent Description Protocol Specification.
Note:
- Public key information currently supports two formats: publicKeyJwk and publicKeyMultibase. For details, see https://www.w3.org/TR/did-extensions-properties/#verification-method-properties.
- The definitions of verification method types can be found at https://www.w3.org/TR/did-extensions-properties/#verification-method-types. The currently supported types are: EcdsaSecp256k1VerificationKey2019, Ed25519VerificationKey2018, X25519KeyAgreementKey2019. (Ed25519VerificationKey2020, JsonWebKey2020, etc. are not currently supported.)
- AgentDescription is a newly added service type to support the discovery of agent description documents.
The did:wba method specification does not specify specific HTTP API operations, but rather leaves the programmatic registration and management to each implementation based on their Web environment requirements.
Creating a DID requires the following steps:
- Apply for a domain name with a domain name registrar
- Store the location and IP address of the hosted service in the DNS query service
- Create a DID document JSON-LD file containing the appropriate key pair and store the did.json file in the well-known URL on behalf of the entire domain name. If multiple DIDs need to be parsed under the same domain name, store them in the specified path.
For example, for the domain name example.com, the did.json will be available at the following URL:
Example: Create a DID
did:wba:example.com
-> https://example.com/.well-known/did.json
If a specified optional path is used instead of the bare domain name, the did.json will be available at the specified path:
Example 5: Create a DID using an optional path
did:wba:example.com:user:alice
-> https://example.com/user/alice/did.json
If a specified port is used on the domain name, the colons between the host and port must be percent-encoded to prevent conflicts with paths.
Example 6: Create a DID using an optional path and port
did:wba:example.com%3A3000:user:alice
-> https://example.com:3000/user/alice/did.json
The following steps must be performed to parse a Web DID from a DID document:
- Replace the ":" in the method-specific identifier with "/" to obtain the fully qualified domain name and optional path.
- If the domain name contains a port, decode the port.
- Generate an HTTPS URL by prefixing the expected location of the DID document with
https://
. - If the URL does not specify a path, append
/.well-known
. - Append
/did.json
to complete the URL. - Use a proxy that can successfully negotiate a secure HTTPS connection to execute an HTTP GET request to the URL. The proxy enforces the security and privacy requirements described in 2.6 Security and Privacy Considerations.
- Verify that the ID of the parsed DID document matches the Web DID being parsed.
- During the HTTP GET request, the client should use [RFC8484] to prevent tracking the identity being parsed.
To update the DID document, the DID corresponding did.json file must be updated. Note that the DID itself will remain unchanged, but the content of the DID document can be changed, such as adding new verification keys or service endpoints.
Note: Using version control systems such as git and continuous integration systems such as GitHub Actions to manage the update of the DID document can provide support for identity verification and auditing history.
Note: HTTP API The update process does not specify specific HTTP API, but rather leaves the programmatic registration and management to each implementation based on their needs.
To delete the DID document, the did.json file must be removed, or it must no longer be publicly available for other reasons.
Security and privacy considerations are based on [did:web method specification section 2.6].
When a client makes a request to a service on different platforms, the client can use the domain name combined with TLS to authenticate the service. The service then verifies the identity of the client based on the verification methods in the client's DID document.
The client can include the DID and signature in the HTTP header during the first HTTP request. Without increasing the number of interactions, the service can quickly verify the identity of the client. After the initial verification is successful, the service can return a access token to the client. The client can then carry the access token in subsequent requests, and the service does not need to verify the client's identity each time, but only needs to verify the access token.
sequenceDiagram
participant Agent A Client
participant Agent B Server
participant Agent A DID Sever
Note over Agent A Client,Agent B Server: First Request
Agent A Client->>Agent B Server: HTTP Request: DID,Signature
Agent B Server->>Agent A DID Sever: Get DID Document
Agent A DID Sever->>Agent B Server: DID Document
Note over Agent B Server: Authentication
Agent B Server->>Agent A Client: HTTP Response: access token
Note over Agent A Client, Agent B Server: Subsequent Requests
Agent A Client->>Agent B Server: HTTP Request: access token
Agent B Server->>Agent A Client: HTTP Response
When the client first makes an HTTP request to the service, it needs to authenticate according to the following method.
The client sends the following information through the Authorization
header field to the service:
- DIDWba: Indicates the use of the did:wba protocol
- did: The did identifier of the client, used for identity verification.
- nonce: A randomly generated string used to prevent replay attacks. It must be unique for each request. We recommend using a 16-byte random string.
- timestamp: The time when the request is initiated, usually in UTC format using ISO 8601, accurate to seconds.
- verification_method: Identifies the verification method used in the signature, which is the DID fragment of the verification method in the DID document. For example, for the verification method "did:wba:example.com%3A8800:user:alice#key-1", the verification method's DID fragment is "key-1".
- signature: Sign the
nonce
,timestamp
, service domain, and client DID. For ECDSA signatures, use the R|S format. It includes the following fields:nonce
timestamp
service
(the domain name of the service)did
(the DID of the client)
Client request example:
Authorization: DIDWba did="did:wba:example.com%3A8800:user:alice", nonce="abc123", timestamp="2024-12-05T12:34:56Z", verification_method="key-1", signature="base64url(signature_of_nonce_timestamp_service_did)"
- The client generates a string containing the following information:
{
"nonce": "abc123",
"timestamp": "2024-12-05T12:34:56Z",
"service": "example.com",
"did": "did:wba:example.com:user:alice"
}
-
Use JCS(JSON Canonicalization Scheme) to normalize the JSON string, generating a normalized string.
-
Use the SHA-256 algorithm to hash the normalized string, generating a hash value.
-
Use the client's private key to sign the hash value, generating a signature value
signature
, and encode it in URL-safe Base64. -
Construct the
Authorization
header in the above format and send it to the service.
After receiving the client's request, the service performs the following verification:
-
Verify Timestamp: Check if the timestamp in the request is within a reasonable time range. The recommended time range is 1 minute. If the timestamp is out of range, the request is considered expired, and the service returns
401 Unauthorized
with a authentication challenge. -
Verify Nonce: Check if the
nonce
in the request has been used or exists. If thenonce
has been used or exists, it is considered a replay attack, and the service returns401 Unauthorized
with a authentication challenge. -
Verify DID Permissions: Verify if the DID in the request has the permission to access the resources of the service. If not, the service returns
403 Forbidden
. -
Verify Signature:
- Read the DID document based on the client's DID.
- Find the corresponding verification method in the DID document based on the
verification_method
in the request. - Use the public key of the verification method to verify the signature in the request.
- Verification Result: If the signature verification is successful, the request passes verification; otherwise, the service returns
401 Unauthorized
with a authentication challenge.
-
Extract Information: Extract
nonce
,timestamp
,service
,did
, andverification_method
from theAuthorization
header. -
Build Verification String: Construct a JSON string identical to the one constructed by the client:
{
"nonce": "abc123",
"timestamp": "2024-12-05T12:34:56Z",
"service": "example.com",
"did": "did:wba:example.com:user:alice"
}
-
Normalize String: Use JCS(JSON Canonicalization Scheme) to normalize the JSON string, generating a normalized string.
-
Generate Hash Value: Use the SHA-256 algorithm to hash the normalized string, generating a hash value.
-
Get Public Key: Obtain the corresponding public key from the DID document based on
did
andverification_method
. -
Verify Signature: Use the obtained public key to verify the
signature
, ensuring that it is generated by the corresponding private key.
After the service successfully verifies the client's identity, it can return a access token in the response. The access token is recommended to be in JWT (JSON Web Token) format. The client can then carry the access token in subsequent requests, and the service does not need to verify the client's identity each time, but only needs to verify the access token.
The following generation process is not required by the specification, but is provided for reference. Implementers can define and implement it as needed.
JWT generation method reference RFC7519.
- Generate Access Token
Assuming the service uses JWT (JSON Web Token) as the access token format, JWT typically contains the following fields:
- header: Specifies the signing algorithm
- payload: Stores user-related information
- signature: Signs the
header
andpayload
to ensure their integrity
The payload can include the following fields (other fields can be added as needed):
{
"sub": "did:wba:example.com:user:alice", // User DID
"iat": "2024-12-05T12:34:56Z", // Issued time
"exp": "2024-12-06T12:34:56Z", // Expiration time
}
Implementers can add other security measures in the payload, such as using scope or binding IP addresses.
- Return Access Token The generated header, payload, and signature are concatenated and URL-safe Base64 encoded to form the final access token. Then, the access token is returned through the Authorization header:
Authorization: Bearer <access_token>
- Client Send Access Token The client sends the access token through the Authorization header field to the service:
Authorization: Bearer <access_token>
- Service Verify Access Token After receiving the client's request, the service extracts the access token from the Authorization header and verifies it, including verifying the signature, verifying the expiration time, and verifying the fields in the payload. The verification method is based on RFC7519.
When the server fails to verify the signature and requires the client to reinitiate the request, it should return a 401 response.
Additionally, if the server doesn't support recording client request Nonces, or requires clients to always use server-generated Nonces for signing, it may return a 401 response with an authentication challenge containing a Nonce for each initial client request. However, this increases the number of client requests, and implementers can choose whether to use this approach.
Error information is returned through the WWW-Authenticate
header field, for example:
WWW-Authenticate: Bearer error="invalid_nonce", error_description="Nonce has already been used. Please provide a new nonce.", nonce="xyz987"
Contains the following fields:
- error: Required field, error type, containing the following string values:
- invalid_request: Request format error, missing required fields, or contains unsupported parameters.
- invalid_nonce: Nonce has already been used.
- invalid_timestamp: Timestamp is out of range.
- invalid_did: DID format error, or unable to find corresponding DID document.
- invalid_signature: Signature verification failed.
- invalid_verification_method: Unable to find corresponding public key based on verification method.
- invalid_access_token: Access token verification failed.
- forbidden_did: DID lacks permission to access server resources.
- error_description: Optional field, error description.
- nonce: Optional field, server-generated random string. If present, the client must use this Nonce to regenerate the signature and reinitiate the request.
When the client receives a 401 response, if the response contains a Nonce, the client must use the server's Nonce to regenerate the signature and reinitiate the request. If the response doesn't contain a Nonce, the client must use a client-generated Nonce to regenerate the signature and reinitiate the request.
It's important to note that both client and server implementations should limit the number of retry attempts to prevent infinite loops.
When server authentication succeeds but the DID lacks permission to access server resources, a 403 response should be returned.
In the previous chapter, we introduced the cross-platform identity authentication process based on the did:wba method and HTTP protocol. However, identity authentication using the did:wba method is transport protocol agnostic. Here we define a cross-platform identity authentication process based on the did:wba method and JSON format data, which can be used in scenarios where JSON format is used for communication. This specification only describes the process of using JSON for identity authentication, and how to pass JSON is left to the implementer to decide.
Theoretically, protocols based on other data formats can also add support for the did:wba method.
The overall process is as follows:
sequenceDiagram
participant Agent A Client
participant Agent B Server
participant Agent A DID Sever
Note over Agent A Client,Agent B Server: Initial Request
Agent A Client->>Agent B Server: Authentication Request Info: DID,Signature
Agent B Server->>Agent A DID Sever: Get DID Document
Agent A DID Sever->>Agent B Server: DID Document
Note over Agent B Server: Authentication
Agent B Server->>Agent A Client: Authentication Response Info: access token
Note over Agent A Client, Agent B Server: Subsequent Requests
Agent A Client->>Agent B Server: Request: access token
Agent B Server->>Agent A Client: Response
When the client first initiates a request to the server, authentication needs to be performed according to the following method.
The client needs to send the following information to the server:
- did: The client's DID identifier in the request, used for identity verification.
- nonce: A randomly generated string used to prevent replay attacks. Must be unique for each request. A 16-byte random string is recommended.
- timestamp: The time when the request is initiated, typically in ISO 8601 UTC format, accurate to seconds.
- verification_method: Identifies the verification method used in the signature, which is the DID fragment of the verification method in the DID document. For example, for the verification method ID "did:wba:example.com%3A8800:user:alice#key-1", the verification method's DID fragment is "key-1".
- signature: Signs the
nonce
,timestamp
, server domain, and client DID. For ECDSA signatures, uses R|S format. Includes the following fields:nonce
timestamp
service
(the server's domain name)did
(the client's DID)
Client request example:
{
"did": "did:wba:example.com%3A8800:user:alice",
"nonce": "abc123",
"timestamp": "2024-12-05T12:34:56Z",
"verification_method": "key-1",
"signature": "base64url(signature_of_nonce_timestamp_service_did)"
}
The authentication information can be sent in a separate request or together with the business request data.
Same as Section 3.1.2 Signature Generation Process.
The verification process is the same as Section 3.2.1 Verify Request Header. The difference is that the did, nonce, timestamp, verification_method, and signature fields need to be extracted from the request data.
After verification passes, the server can return a access token, and the client carries the access token in subsequent requests. The server doesn't need to verify the client's identity each time but only needs to verify the access token.
The access token generation method is the same as Section 3.2.4 Return Access Token After Successful Authentication.
Response JSON example:
{
"code": 200,
"access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
}
Field descriptions:
- code: Status code, using HTTP status codes.
- access_token: Access token returned after successful authentication.
When the client receives a 200 response, it can carry the access token in subsequent requests.
Subsequent request example:
{
"access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
}
Error handling follows the same principles as Section 3.2.4 Error Handling.
Example of 401 response in JSON format:
{
"code": 401,
"error": "invalid_nonce",
"error_description": "Nonce has already been used. Please provide a new nonce.",
"nonce": "1234567890"
}
Example of 403 response in JSON format:
{
"code": 403,
"error": "forbidden_did",
"error_description": "did not have permission to access the resource."
}
Implementers need to consider the following security issues when implementing:
- Key Management
- The private key corresponding to the DID must be properly kept and never leaked. Additionally, a regular refresh mechanism for private keys should be established.
- Users should generate multiple DIDs, each with different roles and permissions, using different key pairs to achieve fine-grained access control.
- Anti-Attack Measures
- The server must keep a record of the Nonce in requests to prevent replay attacks.
- The server must check the timestamp in requests to prevent time rollback attacks. Generally, the server's nonce cache duration should be longer than the timestamp expiration duration.
- When generating a Nonce, must use a secure random number generator provided by the operating system to meet modern cryptographic security standards and norms. For example, you can use a module like Python's
secrets
to generate secure random numbers.
- Transport Security
- When retrieving DID documents, the server should use the DNS-over-HTTPS (DoH) protocol to enhance security.
- The transport protocol must use HTTPS, and clients must strictly verify whether the CA certificate of the other party is trustworthy.
- Token Security
- Both client and server must properly keep the Access Token and must set a reasonable expiration time.
- Should include additional security information in the Access Token, such as client IP binding, User-Agent binding, etc., to prevent token abuse.
- Use Case 1: User Accessing Files on Other Websites via Intelligent Assistant
Alice has stored a file on example.com and wants to access it through her intelligent assistant. First, Alice creates a did:wba-based DID on her intelligent assistant, logs into example.com, associates this DID with her account, and grants file access permissions to the DID. After setup, the intelligent assistant can log into example.com using this DID. Upon successful authentication, example.com allows the intelligent assistant to access Alice's stored files. This DID can also be configured on other websites to enable the intelligent assistant to access files across different platforms.
- Use Case 2: User Calling Third-party Service APIs via Intelligent Assistant
Alice wants to call APIs of a third-party service named "example" through her intelligent assistant. First, Alice creates a did:wba-based DID on her intelligent assistant and uses it to subscribe to services on the example platform. The example service authenticates the DID, confirms Alice as the purchaser, and records her DID. After authentication, Alice can use her intelligent assistant to call example service APIs using this DID.
Note: While client-to-server authentication is not illustrated in the current use cases, this process can still function effectively.
This specification builds upon the did:web method specification by adding DID document constraints, cross-platform authentication processes, and agent description services. It proposes a new method name did:wba (Web-Based Agent). We designed a cross-platform authentication process based on the did:wba method and HTTP protocol, and provided detailed implementation methods.
In the future, we will further improve the did:wba method by adding agent capability and protocol description service endpoints, bidirectional authentication processes between agents, and more.
-
DID-CORE. Decentralized Identifiers (DIDs) v1.0. Manu Sporny; Amy Guy; Markus Sabadello; Drummond Reed. W3C. 19 July 2022. W3C Recommendation. Retrieved from https://www.w3.org/TR/did-core/
-
did:web. Retrieved from https://w3c-ccg.github.io/did-method-web/
-
JSON Canonicalization Scheme (JCS). Retrieved from https://www.rfc-editor.org/rfc/rfc8785
-
RFC 1035. Domain names - implementation and specification. P. Mockapetris. IETF. November 1987. Internet Standard. Retrieved from https://www.rfc-editor.org/rfc/rfc1035
-
RFC 1123. Requirements for Internet Hosts - Application and Support. R. Braden, Ed. IETF. October 1989. Internet Standard. Retrieved from https://www.rfc-editor.org/rfc/rfc1123
-
RFC 2119. Key words for use in RFCs to Indicate Requirement Levels. S. Bradner. IETF. March 1997. Best Current Practice. Retrieved from https://www.rfc-editor.org/rfc/rfc2119
-
RFC 2181. Clarifications to the DNS Specification. R. Elz; R. Bush. IETF. July 1997. Proposed Standard. Retrieved from https://www.rfc-editor.org/rfc/rfc2181
-
RFC 8174. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words. B. Leiba. IETF. May 2017. Best Current Practice. Retrieved from https://www.rfc-editor.org/rfc/rfc8174
-
RFC 8484. DNS Queries over HTTPS (DoH). P. Hoffman; P. McManus. IETF. October 2018. Proposed Standard. Retrieved from https://www.rfc-editor.org/rfc/rfc8484
-
DID Use Cases. Decentralized Identifier Use Cases. Joe Andrieu; Kim Hamilton Duffy; Ryan Grant; Adrian Gropper. W3C. 24 June 2021. W3C Note. Retrieved from https://www.w3.org/TR/did-use-cases/
-
DID Extensions. Decentralized Identifier Extensions. Orie Steele; Manu Sporny. W3C. 24 June 2021. W3C Note. Retrieved from https://www.w3.org/TR/did-extensions/
-
DID Extension Properties. Decentralized Identifier Extension Properties. Orie Steele; Manu Sporny. W3C. 24 June 2021. W3C Note. Retrieved from https://www.w3.org/TR/did-extensions-properties/
-
DID Extension Methods. Decentralized Identifier Extension Methods. Orie Steele; Manu Sporny. W3C. 24 June 2021. W3C Note. Retrieved from https://www.w3.org/TR/did-extensions-methods/
-
DID Extension Resolution. Decentralized Identifier Extension Resolution. Orie Steele; Manu Sporny. W3C. 24 June 2021. W3C Note. Retrieved from https://www.w3.org/TR/did-extensions-resolution/
-
Controller Document. Controller Document. Manu Sporny; Markus Sabadello. W3C. 24 June 2021. W3C Note. Retrieved from https://www.w3.org/TR/controller-document/