Does the EUDI Wallet use DIDs?

The EUDI Wallet Architecture Reference Framework (ARF) primarily uses X.509 certificates and EU Trusted Lists as its trust framework, not DIDs. This choice reflects the EU preference for a regulated, hierarchical trust model where issuers are explicitly authorized by Member States. However, DIDs are not excluded from the ecosystem. The European Blockchain Services Infrastructure (EBSI) supports did:ebsi as a DID method for specific use cases. Non-governmental credential issuers may use DIDs to identify themselves. The ARF is designed to be extensible, and future implementing acts may define roles for DIDs alongside the existing PKI infrastructure.

What is the difference between a DID and a traditional digital identifier?

Traditional identifiers (email addresses, domain names, social security numbers) are issued and controlled by a central authority -- your email provider, ICANN, or government respectively. If the authority revokes your identifier or ceases to exist, you lose it. DIDs are designed to be created without any registration authority, controlled entirely by the holder using cryptographic keys, resolvable through decentralized networks (blockchains, distributed ledgers, or even static web pages), and portable across systems. The trade-off is that DIDs lack the implicit trust that comes with centralized authority -- you know a government-issued ID is real because the government issued it, while a DID requires separate trust establishment mechanisms.

How do DID methods work and which are relevant to the EUDI ecosystem?

A DID method defines how DIDs are created, resolved, updated, and deactivated on a specific infrastructure. Each method has its own specification. did:web uses standard web infrastructure -- the DID resolves by fetching a document from a URL. did:ebsi uses the European Blockchain Services Infrastructure. did:key encodes the public key directly in the identifier, requiring no external resolution infrastructure. did:ion uses the Bitcoin blockchain for anchoring. For EUDI relevance, did:ebsi is the most directly applicable as it is developed within the EU institutional framework. did:web is practical for organizations that already have web domains. The choice of DID method affects decentralization, performance, cost, and trust properties.

DID (Decentralized Identifier) - EUDI Wallet Glossary

DID

identity

Full Name: Decentralized Identifier (W3C Standard)

Definition

A Decentralized Identifier (DID) is a new type of globally unique identifier standardized by the World Wide Web Consortium (W3C). Unlike traditional identifiers assigned by centralized authorities, DIDs are created, owned, and controlled by the identity subject using cryptographic key pairs. A DID is a URI (e.g., did:ebsi:z123abc456) that resolves to a DID Document -- a JSON-LD structure containing the subject's public keys, authentication methods, and service endpoints. DIDs are a foundational building block of decentralized identity and the broader verifiable credential ecosystem, designed to enable identity interactions that do not require a centralized intermediary.

Anatomy of a DID and DID Document

Every DID follows the syntax: did:method:method-specific-id. The three components are:

•Scheme (did): The fixed prefix indicating this is a Decentralized Identifier, similar to "https" for web URLs.
•Method: Identifies the specific DID method (e.g., "ebsi", "web", "key") that defines how the DID is created, resolved, updated, and deactivated. Each method has its own W3C-registered specification.
•Method-specific identifier: A unique string within the chosen method's namespace, often derived from a cryptographic public key.

When a DID is resolved, it returns a DID Document containing: the DID subject identifier, one or more public keys (expressed as verification methods), authentication and assertion method references specifying which keys can be used for which purposes, and optionally service endpoints (URLs for interacting with the DID subject). This document is the machine-readable "profile" that enables other entities to verify signatures, encrypt messages, and discover services associated with the DID controller.

DIDs vs. the EUDI Trust Framework

The EUDI Wallet ecosystem and the DID-based Self-Sovereign Identity (SSI) world represent two different philosophical approaches to digital identity trust:

EUDI approach (hierarchical trust): Trust flows from EU Member States through Trusted Lists, Certificate Authorities, and regulated credential issuers. The trust anchor is governmental authority. A credential is trusted because it was issued by an entity that appears on the EU Trusted List, which is maintained by a government body. This is a top-down, regulated model.

DID approach (decentralized trust): Trust is established peer-to-peer through cryptographic verification and reputation. Any entity can create a DID and issue credentials. Trust must be established through other mechanisms -- governance frameworks, credential verification policies, or existing business relationships. This is a bottom-up, flexible model.

In practice, the EUDI ecosystem uses elements of both. The core trust framework is hierarchical (X.509, Trusted Lists), but the credential formats (SD-JWT, mdoc) and protocols (OpenID4VCI, OpenID4VP) are compatible with DID-based ecosystems. This means an EUDI Wallet could potentially verify credentials from DID-based issuers if the wallet's trust policy allows it, and DID-based wallets could potentially accept EUDI-issued credentials. The European Blockchain Services Infrastructure (EBSI) explicitly bridges these worlds with its did:ebsi method.

EBSI and did:ebsi -- Europe's DID Infrastructure

The European Blockchain Services Infrastructure (EBSI) is the EU's blockchain network operated by the European Commission and EU Member States. EBSI defines its own DID method, did:ebsi, which anchors DID documents on the EBSI blockchain. This provides a European-controlled, GDPR-compliant decentralized identifier infrastructure.

EBSI has been used in several cross-border pilot projects relevant to EUDI: the European Digital Identity Wallet pilot programs, cross-border diploma verification (allowing universities to issue verifiable diplomas as credentials), and business credential exchanges. In these pilots, did:ebsi identifiers are used for educational institutions, professional organizations, and other non-governmental issuers who need globally unique, verifiable identifiers but are not part of the traditional X.509 PKI hierarchy.

The relationship between EBSI and the EUDI Wallet is still evolving. As the EUDI framework matures, did:ebsi may play a larger role for specific credential types where the flexibility of decentralized identifiers is advantageous, while the core PID infrastructure continues to rely on the X.509 trust framework for its stronger regulatory guarantees.

What is a DID (Decentralized Identifier)?

DID: Decentralized Identifiers and Their Role in the EUDI Ecosystem

DID

Definition

Anatomy of a DID and DID Document

DIDs vs. the EUDI Trust Framework

EBSI and did:ebsi -- Europe's DID Infrastructure

Related Terms

Credential Issuer

Credential Schema

Certificate Authority

Frequently Asked Questions

Verwandte Leitfäden

→ Glossary Index

→ Credential Issuer

→ Credential Schema

Quellen

⚠️ Independent Information