
DID Web

TrackVision uses did:web Decentralized Identifiers so that the public key used to sign DPPs can be retrieved and verified by any third party without a central authority.

What is did:web?

did:web is a DID method that maps a DID to a URL. The DID document is retrieved over HTTPS, meaning the trust anchor is the domain's TLS certificate rather than a blockchain or external registry.

The TrackVision DID for an account at acme.trackvision.ai is:

did:web:acme.trackvision.ai

This resolves to:

https://acme.trackvision.ai/.well-known/did.json

DID Document

The resolver serves a DID document at /.well-known/did.json containing the account's Ed25519 public key:

{
  "@context": [
    "https://www.w3.org/ns/did/v1",
    "https://w3id.org/security/suites/ed25519-2020/v1"
  ],
  "id": "did:web:acme.trackvision.ai",
  "verificationMethod": [
    {
      "id": "did:web:acme.trackvision.ai#key-1",
      "type": "Ed25519VerificationKey2020",
      "controller": "did:web:acme.trackvision.ai",
      "publicKeyMultibase": "z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK"
    }
  ],
  "assertionMethod": [
    "did:web:acme.trackvision.ai#key-1"
  ]
}

Verification Steps

To verify a TrackVision DPP signature:

1. Get the verification method

Find the verificationMethod in the DPP's proof block:

"verificationMethod": "did:web:acme.trackvision.ai#key-1"

2. Resolve the DID document

Fetch https://acme.trackvision.ai/.well-known/did.json and find the key with id matching did:web:acme.trackvision.ai#key-1.

3. Decode the public key

The publicKeyMultibase field contains the Ed25519 public key encoded as base58btc multibase (prefix z). Decode it to get the raw 32-byte public key.

4. Verify the signature

Follow the eddsa-jcs-2022 verification algorithm described in Verifiable Credentials.
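
Steps 1 to 3 as an added Python example (not TrackVision's own code), with the page's DID document embedded so it runs offline; the signature check itself is left to the eddsa-jcs-2022 algorithm. The function names are hypothetical, the URL mapping also covers the port and path forms of did:web beyond the bare-domain case shown here, and the code assumes the decoded multibase value carries the two-byte ed25519-pub multicodec header (0xed 0x01) in front of the 32-byte key.

```python
from urllib.parse import unquote

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
DID = "did:web:acme.trackvision.ai"
# DID document from the page, embedded so the example runs offline.
DID_DOC = {
    "id": DID,
    "verificationMethod": [{
        "id": DID + "#key-1", "type": "Ed25519VerificationKey2020", "controller": DID,
        "publicKeyMultibase": "z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK",
    }],
    "assertionMethod": [DID + "#key-1"],
}

def did_web_url(did):
    """Map a did:web DID to the HTTPS URL of its DID document."""
    if not did.startswith("did:web:"):
        raise ValueError("not a did:web DID")
    host, *path = did[len("did:web:"):].split(":")
    host = unquote(host)  # a port is written as %3A inside the DID
    if not host or any(c in host for c in "/@?#"):
        raise ValueError("suspicious host in DID")
    tail = "/".join(path) if path else ".well-known"
    return "https://%s/%s/did.json" % (host, tail)

def b58decode(text):
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError on a non-base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(text) - len(text.lstrip("1"))) + body

def public_key_for(doc, issuer, vm_id):
    """Return the raw 32-byte Ed25519 key for vm_id, or raise ValueError."""
    if vm_id.split("#")[0] != issuer or doc.get("id") != issuer:
        raise ValueError("verification method is not under the issuer's DID")
    if vm_id not in doc.get("assertionMethod", []):
        raise ValueError("key is not listed in assertionMethod")
    vm = next((m for m in doc.get("verificationMethod", []) if m.get("id") == vm_id), None)
    if vm is None or vm.get("type") != "Ed25519VerificationKey2020":
        raise ValueError("no Ed25519VerificationKey2020 entry with that id")
    multibase = vm.get("publicKeyMultibase", "")
    if not multibase.startswith("z"):
        raise ValueError("expected base58btc multibase (prefix z)")
    raw = b58decode(multibase[1:])
    # Assumption: the two-byte ed25519-pub multicodec header precedes the key.
    if len(raw) != 34 or raw[:2] != b"\xed\x01":
        raise ValueError("not a multicodec-tagged Ed25519 public key")
    return raw[2:]
```

Pass the DPP's issuer and the proof's verificationMethod as `issuer` and `vm_id`; a key that sits under a different DID, or that the document does not list in assertionMethod, is rejected before any signature is checked.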

Checking the DID Document

You can fetch the DID document directly:

curl https://acme.trackvision.ai/.well-known/did.json

Or via the DID resolver endpoint on the TrackVision resolver service:

curl https://resolver.acme.trackvision.ai/.well-known/did.json

Both return the same document.

Trust Model

The trust model is: if you trust acme.trackvision.ai (verified via TLS), and the DPP's issuer is did:web:acme.trackvision.ai, and the signature verifies against the public key in the DID document, then the DPP was genuinely issued by the owner of that domain and has not been tampered with.

This is suitable for supply chain and regulatory use cases where domain ownership is a reasonable trust anchor.