Uniform ID Framework v1.0 Base Document
Uniform ID Framework
Spec Version 1.0
| Document Version: | 5 |
| Date Issued: | 02 February 2024 |
| Status: | This document is made available for adoption by the public community at large. |
| This version: | https://www.imsglobal.org/spec/uid/v1p0/ |
| Latest version: | https://www.imsglobal.org/spec/uid/latest/ |
| Errata: | https://www.imsglobal.org/spec/uid/v1p0/errata/ |
IPR and Distribution Notice
Recipients of this document are requested to submit, with their comments, notification of any relevant patent claims or other intellectual property rights of which they may be aware that might be infringed by any implementation of the specification set forth in this document, and to provide supporting documentation.
1EdTech takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on 1EdTech's procedures with respect to rights in 1EdTech specifications can be found at the 1EdTech Intellectual Property Rights webpage: http://www.imsglobal.org/ipr/imsipr_policyFinal.pdf .
The following participating organizations have made explicit license commitments to this specification:
| Org name | Date election made | Necessary claims | Type |
|---|
Use of this specification to develop products or services is governed by the license with 1EdTech found on the 1EdTech website: http://www.imsglobal.org/speclicense.html.
Permission is granted to all parties to use excerpts from this document as needed in producing requests for proposals.
The limited permissions granted above are perpetual and will not be revoked by 1EdTech or its successors or assigns.
THIS SPECIFICATION IS BEING OFFERED WITHOUT ANY WARRANTY WHATSOEVER, AND IN PARTICULAR, ANY WARRANTY OF NONINFRINGEMENT IS EXPRESSLY DISCLAIMED. ANY USE OF THIS SPECIFICATION SHALL BE MADE ENTIRELY AT THE IMPLEMENTER'S OWN RISK, AND NEITHER THE CONSORTIUM, NOR ANY OF ITS MEMBERS OR SUBMITTERS, SHALL HAVE ANY LIABILITY WHATSOEVER TO ANY IMPLEMENTER OR THIRD PARTY FOR ANY DAMAGES OF ANY NATURE WHATSOEVER, DIRECTLY OR INDIRECTLY, ARISING FROM THE USE OF THIS SPECIFICATION.
Public contributions, comments and questions can be posted here: http://www.imsglobal.org/forums/ims-glc-public-forums-and-resources .
© 2024 1EdTech™ Consortium, Inc. All Rights Reserved.
Trademark information: http://www.imsglobal.org/copyright.html
Abstract
In the rapidly evolving landscape of educational technology, the need for
robust, interoperable, and secure digital identity management systems has never been more
critical.
The adoption of decentralized identifiers (DIDs), specifically using the
did:web method, presents a transformative opportunity for the 1EdTech ecosystem.
This document outlines the integration of did:web as a foundational element
for digital identity across 1EdTech specifications, offering a scalable, secure, and
interoperable framework
for identifying learners, courses, assets, and more. Unlike traditional
string-based identifiers, did:web addresses serve as drop-in replacements capable of
enhancing privacy, security,
and control over digital identities.
Furthermore, this framework explores the extension of did:web utility through
specific DID services tailored to the unique needs of the ed-tech sector. By leveraging
did:web and specialized DID services, the 1EdTech ecosystem can achieve unprecedented
levels of
interoperability, security, and efficiency.
The UniformId Framework integrates decentralized identifiers (DIDs) into the 1EdTech
ecosystem and represents a strategic enhancement to the existing digital identity
management systems in educational technology. This approach is not about replacing
current systems but enriching them, offering an additional layer of security, privacy,
and interoperability that complements and strengthens the existing infrastructure.
By leveraging did:web, which utilizes web domains to create and manage DIDs, the
framework enables educational institutions and service providers to seamlessly adopt a
more flexible and user-readable identity management model. This model coexists with and
enhances traditional identity verification processes and data sovereignty without
disrupting existing operations.
This document outlines how did:web and specific DID services can be integrated into the
1EdTech specifications to complement and extend the capabilities of current digital
identity systems. It aims to provide stakeholders with a clear understanding of the
benefits and applications of this technology, illustrating how it can support a more
secure, efficient, and learner-focused educational ecosystem.
Embracing the UniformId Framework and its related services allows 1EdTech specifications to address the evolving needs of digital identity management in education, ensuring that the sector is well-positioned to capitalize on technological advancements while enhancing the learning experience and operational effectiveness.
This document builds upon the concepts and terms introduced in the DID-Core specification [DID-Core] and the DID-Web Method Specification [DID-Web], specifically:
- Decentralized Identifier (DID)
- A globally unique identifier that enables a verifiable, self-sovereign digital identity. DIDs are not reliant on centralized registries, identity providers, or certificate authorities. Instead, they are created, updated, and deactivated by the DID subject or an entity acting on their behalf, enabling direct control over their digital identity.
- DID Service
- Refer to the various functionalities that can be associated with a DID, enabling interaction with the DID subject's digital identity. These services can include verification, authentication, data sharing, and privacy services, among others, designed to extend the utility of DIDs within specific ecosystems like ed-tech.
- Domain
- Refers to a segment of the internet under the control of a particular entity,
identified by a unique domain name. This domain is used as the basis for constructing a
did:webURI, enabling the DID to be associated with a specific web domain for easy resolution and verification. - Registrar
- Refers to an entity or service that facilitates the registration of DIDs within a
specific namespace or domain. For
did:web, this would typically be a service that allows entities to register a DID that corresponds to a web domain they control, ensuring that the DID is globally unique and resolvable. - Validator/Verifier
- Is an entity or mechanism that confirms the authenticity and validity of a DID and the claims associated with it. This process typically involves checking the DID's current status, resolving the DID to retrieve its document, and verifying cryptographic proofs. "Verifier" is the more commonly used term in the DID ecosystem, emphasizing the role in verifying the integrity and ownership of a DID.
As well as sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative.
The key words MAY, MUST, MUST NOT, OPTIONAL, RECOMMENDED, REQUIRED, SHALL, SHALL NOT, SHOULD, and SHOULD NOT in this document are to be interpreted as described in [RFC2119].
An implementation of this specification that fails to implement a MUST/REQUIRED/SHALL requirement or fails to abide by a MUST NOT/SHALL NOT prohibition is considered nonconformant. SHOULD/SHOULD NOT/RECOMMENDED statements constitute a best practice. Ignoring a best practice does not violate conformance but a decision to disregard such guidance should be carefully considered. MAY/OPTIONAL statements indicate that implementers are entirely free to choose whether or not to implement the option.
The Conformance and Certification Guide for this specification may introduce greater normative constraints than those defined here for specific service or implementation categories.
did:web utilizes web domains to create and manage decentralized identifiers (DIDs),
leveraging standard web infrastructure for ease of use and accessibility. By associating
DIDs directly with web domains, such as did:web:example.comco, it simplifies the
creation and resolution process, making digital identities easy to manage and verify via
standard web protocols.
Unlike other DID methods that may require blockchain or specialized technologies,
did:web's reliance on familiar web infrastructure aligns well with the operational and
technical realities of the educational technology sector. This method offers a
cost-effective, straightforward path to adopting decentralized identity systems,
minimizing the need for additional investments while enhancing security and control over
digital identities. Its suitability for the ed-tech sector is evident in its support for
seamless interactions across diverse platforms, ensuring secure and efficient management
of credentials and learner data.
In essence, did:web provides a practical, efficient solution for decentralized identity
management within ed-tech, fostering interoperability and security without departing from
existing web-based systems.
Within the 1EdTech ecosystem, did:web introduces a significant enhancement to digital
identity management, building upon the existing infrastructure of string-based
identifiers, such as UUIDs, and sourcedids. Unlike traditional identifiers, did:web
brings added layers of interoperability, security, and control, offering a comprehensive
solution that integrates seamlessly with the concept of sourcedids for maintaining
continuity of upstream IDs.
did:web identifiers complement the existing SourcedIds by providing a verifiable,
decentralized identifier that can easily encapsulate and reference upstream student IDs
from systems like Student Information Systems (SIS). This ensures that while local
sessions between systems may use localized IDs, the overarching identity remains
consistent and verifiable across the ecosystem.
The creation of did:web identifiers utilizes an entity's domain name, offering a
straightforward method to generate unique, resolvable identifiers. This process not only
supports the decentralization of identity management but also enhances the ease of
integration with existing web infrastructure, maintaining a clear link to the entity's
control and authority over the identifier.
Accessing a did:web identifier leads to a DID document hosted on the entity's domain.
This document provides detailed instructions on interacting with and verifying the DID
subject, including authentication services, public keys, and service endpoints. This
mechanism supports a robust framework for identity verification, essential for secure
interactions within the ed-tech sector.
Incorporating did:web into 1EdTech specifications enhances the ability to maintain and
verify digital identities across various applications, from learner IDs and course IDs to
resource IDs. This adaptability showcases did:web's utility in supporting a wide range
of educational technology scenarios, reinforcing the ecosystem's interoperability and
security.
By leveraging did:web, the 1EdTech ecosystem gains enhanced interoperability, allowing
for seamless data exchange and validation across different systems and platforms. The
security and control over digital identities are significantly improved, providing a more
reliable and user-centric approach to identity management. This shift not only supports
the integrity and privacy of educational data but also fosters a more connected and
efficient educational technology landscape.
In summary, the integration of did:web within the 1EdTech specifications introduces a
forward-looking approach to digital identity management. By enhancing existing identifier
systems with the capabilities of did:web, the ed-tech sector can achieve greater
interoperability, security, and control, paving the way for more innovative and
user-centric educational experiences.
Decentralized Identifiers provide mechanisms to establish equivalence between different DIDs [DID-Core-Equiv]. This is important for maintaining a cohesive and interconnected digital identifier ecosystem that can span across the multi-vendor environments that are typical in education technology. Examples include when a common resource is known by different identifiers in different systems.
The did:web method incorporates the following properties to facilitate this
interconnectedness and provide a robust mechanism for managing and associating multiple
identifiers.
The canonicalId property denotes the primary, authoritative DID for a subject when multiple DIDs refer to the same entity. This is particularly useful in scenarios where a DID subject may have different DIDs issued by various systems or for different purposes, but there is a need to establish one as the primary reference point.
| Purpose: | Establishes the primary DID representing the subject's true identity. |
| Usage: | Helps consolidate and link different DIDs, ensuring that users and systems can identify and interact with the entity's authoritative digital presence. |
The equivalentId property indicates that two or more DIDs reference the same subject. Unlike canonicalId, which establishes a hierarchy, equivalentId denotes a peer relationship among DIDs, implying that they are interchangeable in the context of the subject's identity.
| Purpose: | Signifies that different DIDs are essentially aliases of each other, representing the same entity. |
| Usage: | Enables systems to recognize and link different identifiers, facilitating seamless interactions across various platforms and services that may use different DIDs for the same entity. |
The AlsoKnownAs property links a DID subject with other URIs where the subject is represented or known. This is broader than just linking different DIDs and can include various types of identifiers or profiles across different platforms.
| Purpose: | Provides a mechanism to associate a DID subject with other identities or profiles, whether they are other DIDs or different forms of identifiers. |
| Usage: | Enhances the discoverability and connectivity of the DID subject's identity across different platforms and services, allowing for a more comprehensive representation of the subject's digital footprint. |
AlsoKnownAs property in its DID document to link all these different
platform-specific versions, illustrating that they are all instances of the same
application across various ecosystems.
AlsoKnownAs is especially useful for the use cases outlined for UniformIDs because
application directories may create identifiers for listed applications and provide an
optional capability for application vendors to associate their identifiers.
The core DID specification [DID-Core] describes how to attach additional information
to identifiers via DID services. This framework describes a set of DID Services and
guidelines tailored for educational contexts that extend the utility of did:web
identifiers to facilitate secure, interoperable, and user-centric applications across
multi-vendor education ecosystems.
To ensure the effective and secure implementation of Decentralized Identifiers (DIDs) within the educational technology sector, the following guiding principles are established:
DID documents are to be treated as public resources. It is imperative that they do not contain sensitive or personally identifiable information (PII) to safeguard privacy and comply with data protection regulations.
Each DID service must have a uniquely registered name. This allows validators to selectively implement and interact with only those services that are relevant to their operational needs, enhancing system efficiency and specificity.
Any DID service associated with an identifier should be clearly listed in the returned DID document, including the service endpoint. Validators interested in a specific DID service must identify the service by its name and interact through the designated service endpoint, ensuring clarity and precision in service utilization.
The service itself can define the data structure returned by each DID service. This flexibility allows services to tailor their data formats to best suit the needs of their specific use cases within the ed-tech ecosystem.
DID services are primarily intended as discovery mechanisms within the ed-tech sector. They should be regarded as providers of public information, facilitating the easy identification and verification of educational resources, applications, and entities.
While DID services can include information relevant to the secure exchange of more sensitive data (e.g., through authenticated protocols like OIDC Discovery endpoints), such functionalities extend beyond the core use cases envisioned for UniformID. These aspects are acknowledged but considered outside the immediate scope of these guiding principles.
1EdTech prefers using GET requests for DID service endpoints, emphasizing simplicity and efficiency for data retrieval. Though the DID core specification does not mandate a specific HTTP method, GET requests align with our focus on accessible discovery mechanisms within the ecosystem.
Paths and query strings for interacting with DID services are declared in each DID document, so they can be unique per Identifier if required. This enables the inclusion of unique identifiers as parameters for specific applications, enhancing precision and utility in accessing DID services.
The specification for each DID service will not mandate the path structure for each service because each implementation can define this according to their unique requirements.
HTTPS is recommended for all interactions with DID services to ensure secure data transmission. Although DID Services are public resources, it is good practice to ensure end-to-end encryption across the 1EdTech ecosystem.
Adhering to these principles allows the ed-tech community to leverage the full potential of DID services, ensuring interoperability, security, and user privacy are maintained across the ecosystem. These guidelines pave the way for a robust and user-centric approach to digital identity and resource discovery in educational technology.
Part of the Well-Known DID Configuration [Well-Known-DID] Specification.
LinkedDomains verify the ownership and association between a DID and web domains, establishing an added layer of legitimacy and trust.
Here, we explore several examples of DID services that are particularly relevant and beneficial to the ed-tech sector.
| Service Name | Status | Relevance to Education Technology |
|---|---|---|
| TRUSTEDAPP | Proposed | Facilitates trust in applications by verifying compliance and certification status, enhancing security and reliability within the ed-tech ecosystem. |
| LEARNING_CONTENT | Proposed | Aids in discovering and validating educational content, ensuring educators access high-quality, relevant resources. |
| 1EDTECH_MEMBER | Proposed | Promotes transparency and trust by showcasing member organizations' contributions and credentials, fostering collaboration within the ed-tech community. |
This section is non-normative.
| Specification Version No. | Document Version No. | Release Date | Comments |
|---|---|---|---|
| v1.0 | 1 | February 2 2024 |
|
| v1.0 | 2 | March 14 2024 |
|
| v1.0 | 3 | March 14 2024 |
|
| v1.0 | 4 | April 04 2024 |
|
| v1.0 Final | 5 | Oct 04 2024 |
|
- [DID-Core]
- Decentralized Identifiers (DIDs) v1.0. Drummond Reed; Manu Sporny; Markus Sabadello; Sam Smith. World Wide Web Consortium (W3C). URL: https://www.w3.org/TR/did-core/
- [DID-Core-Equiv]
- Decentralized Identifiers (DIDs) v1.0. Drummond Reed; Manu Sporny; Markus Sabadello; Sam Smith. World Wide Web Consortium (W3C). URL: https://www.w3.org/TR/did-core/#equivalence-properties
- [DID-Web]
- did:web Decentralized Identifier Method Specification. Markus Sabadello; Kyle Den Hartog; Orie Steele; Manu Sporny. W3C Credentials Community Group. URL: https://w3c-ccg.github.io/did-method-web/
- [RFC2119]
- Key words for use in RFCs to Indicate Requirement Levels. S. Bradner. IETF. March 1997. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc2119
- [Well-Known-DID]
- DID Resolution. Daniel Buchner (Microsoft); Orie Steele (Tansmute); Tobias Looker (Mattr). Identity Foundation. URL: https://identity.foundation/.well-known/resources/did-configuration/
The following individuals contributed to the development of this document:
| Name | Organization |
|---|---|
| Tim Couper | 1EdTech Consortium |
| Jacques Menasche | 1EdTech Consortium |
| Colin Smythe | 1EdTech Consortium |