DID Integration

SAP integrates with W3C Decentralized Identifiers (DIDs) to provide interoperability with the broader decentralized identity ecosystem.

DID Primer

A Decentralized Identifier (DID) is a globally unique identifier that:

Is created and controlled by the identity owner
Can be resolved to a DID Document containing public keys and service endpoints
Enables cryptographic verification of identity claims

did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK
│   │   └──────────────────────────────────────────────────┘
│   │               Method-specific identifier
│   └── DID Method (key, peer, web, etc.)
└── DID URI Scheme

SAP’s DID Strategy

Primary: `did:key`

SAP uses did:key as the primary identifier because:

Benefit	Description
No registry	ID derived directly from public key
Offline verifiable	No network required to verify
Cost-free	No blockchain fees or registration
Self-certifying	Key proves identity, identity proves key

`did:key` Format

did:key:<multibase-encoded-public-key>

The multibase encoding includes:

Multicodec header indicating key type
Raw public key bytes
Base58btc encoding with ‘z’ prefix

Supported Key Types

Key Type	Multicodec	Prefix	SAP Status
Ed25519	`0xed01`	`z6Mk`	✅ Primary
secp256k1	`0xe701`	`zQ3s`	🔄 Planned
P-256	`0x1200`	`zDn`	📋 Future

Derivation

function deriveDIDKey(ed25519PublicKey) {
  // 1. Prepend Ed25519 multicodec header
  const ED25519_CODEC = Buffer.from([0xed, 0x01]);
  const withCodec = Buffer.concat([ED25519_CODEC, ed25519PublicKey]);

  // 2. Encode as base58btc with 'z' prefix
  const multibase = 'z' + base58btc.encode(withCodec);

  // 3. Construct DID
  return `did:key:${multibase}`;
}

SAP PID vs DID Document

Feature	W3C DID Document	SAP PID
Identifier	Any DID method	`did:key` (RIK-derived)
Verification methods	Flexible array	Structured `operationalKeys` with validity
Services	Generic endpoints	Agent-specific service types
Proof	Optional	Required (RIK signature)
Key rotation	Method-dependent	Sentinel rotation chain

PID to DID Document Mapping

function pidToDIDDocument(pid) {
  return {
    '@context': ['https://www.w3.org/ns/did/v1'],
    'id': pid.id,
    'controller': pid.controller,
    'verificationMethod': pid.operationalKeys.map(ok => ({
      'id': `${pid.id}#${ok.id}`,
      'type': ok.type,
      'controller': pid.id,
      'publicKeyMultibase': ok.publicKeyMultibase
    })),
    'authentication': pid.operationalKeys
      .filter(ok => isCurrentlyValid(ok))
      .map(ok => `${pid.id}#${ok.id}`),
    'service': pid.services?.map(svc => ({
      'id': `${pid.id}#${svc.id}`,
      'type': svc.type,
      'serviceEndpoint': svc.serviceEndpoint
    }))
  };
}

Verifiable Credentials

SAP works with W3C Verifiable Credentials (VCs) for attestations:

{
  "@context": ["https://www.w3.org/2018/credentials/v1"],
  "type": ["VerifiableCredential", "AgentCapabilityCredential"],
  "issuer": "did:key:z6MkIssuer...",
  "credentialSubject": {
    "id": "did:key:z6MkAgent...",
    "capability": "commerce",
    "scope": ["buy", "sell"]
  },
  "proof": {
    "type": "Ed25519Signature2020",
    "verificationMethod": "did:key:z6MkIssuer...#key-1",
    "proofValue": "z3Mc..."
  }
}

Key Rotation and DIDs

The Challenge

With did:key, the identifier is the key. Rotating the key changes the DID.

SAP Solution: Rotation Chain

Time T₁: RIK₁ → did:key:z6MkOLD
Time T₂: Rotation entry signed by z6MkOLD authorizing z6MkNEW
Time T₃: RIK₂ → did:key:z6MkNEW

Verifier traces: z6MkNEW → z6MkOLD via rotation chain

Resolution Strategy

1. Parse did:key → derive public key
2. Check for SAP PID at well-known location
3. Verify PID signature matches did:key
4. Return PID if available, else basic DID Document