DID7: Authority-Scoped Decentralized Identifier Scheme

Internet-Draft	DID7 Identifier	March 2026
Herman	Expires 18 September 2026	[Page]

Abstract

This document defines the "did7" URI scheme, an authority-scoped decentralized identifier format. DID7 introduces an optional authority component and a two-stage resolution process, while remaining fully compatible with the W3C Decentralized Identifiers (DIDs) v1.0 specification (DID Core).¶

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶

This Internet-Draft will expire on 18 September 2026.¶

Copyright Notice

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶

2. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶

DID Document:: As defined in [DID-CORE].¶
Authority:: A namespace controller that defines resolver endpoints and governance rules for a set of DID7 identifiers.¶
Method:: A named DID method as defined in [DID-CORE].¶

3. DID7 Syntax

3.1. General Form

did7:[//<authority-name>/]<method>:<method-specific-id>

3.2. ABNF

The following ABNF [RFC5234] defines the DID7 URI syntax. The unreserved and pct-encoded rules are imported from [RFC3986] Section 2.3. The ALPHA, DIGIT, and HEXDIG rules are imported from [RFC5234] Appendix B.¶

did7-uri       = "did7:" [ authority ] method ":" method-id

authority      = "//" authority-name "/"
authority-name = 1*( ALPHA / DIGIT / "-" )

method         = 1*( ALPHA / DIGIT )
method-id      = 1*( unreserved / pct-encoded / "." / "-" / "_" )

pct-encoded    = "%" HEXDIG HEXDIG

Note: The colon (":") character is intentionally excluded from method-id to avoid ambiguity with the method delimiter. Colons within method-specific identifiers MUST be percent-encoded.¶

3.3. Default Authority

If the authority component is absent, it MUST be treated as equivalent to the authority "w3.org".¶

3.4. Expansion Rule

A DID7 URI without an explicit authority component expands as follows:¶

did7:<method>:<id>  ->  did7://w3.org/<method>:<id>

5. Resolution Model

5.1. Stage 1: Authority Resolution

Resolvers SHOULD perform DNS-based discovery of the resolver endpoint for an authority using a DNS TXT record of the form:¶

_did7.<authority-domain> IN TXT \
    "resolver=https://resolver.example.com"

DNS responses used for authority resolution SHOULD be validated using DNSSEC.¶

5.2. Stage 2: Method Resolution

The method-specific identifier is resolved using the endpoint discovered in Stage 1. The resulting DID Document MUST conform to [DID-CORE].¶

6. Compatibility

6.1. One-Way Mapping

Any W3C DID can be mapped to a DID7 URI as follows:¶

did:<method>:<id>  ->  did7://w3.org/<method>:<id>

This mapping is one-way. There is no general inverse mapping from DID7 to W3C DID.¶

6.2. Non-Equivalence

Implementations MUST NOT assume equivalence between "did" and "did7" identifiers, even when the method and method-specific identifier components are identical.¶

7. Security Considerations

The following security considerations apply to implementations of this specification:¶

Authorities introduce a trust surface. The integrity of resolver endpoints MUST be verified before use. Implementations SHOULD use certificate-based authentication when contacting resolver endpoints.¶
DNS responses used for authority resolution SHOULD be validated using DNSSEC to prevent DNS spoofing attacks.¶
Resolver endpoints SHOULD use HTTPS (TLS) to protect data in transit. Endpoints using plain HTTP MUST NOT be used in production deployments.¶
Cryptographic verification of DID Documents MUST follow the procedures defined in [DID-CORE].¶
Implementations MUST NOT accept resolver endpoints that redirect to third-party domains not associated with the declared authority.¶

8. IANA Considerations

This document requests registration of the URI scheme "did7" in the "Uniform Resource Identifier (URI) Schemes" registry maintained by IANA, in accordance with [RFC7595].¶

URI scheme name:: did7¶
Status:: Provisional¶
URI scheme syntax:: See Section 3.2 of this document.¶
URI scheme semantics:: The "did7" URI scheme identifies authority-scoped decentralized identifiers. Resolution proceeds in two stages: authority discovery via DNS, followed by method-specific DID resolution. The resulting resource is a DID Document as defined in [DID-CORE].¶
Encoding considerations:: The "did7" URI scheme uses only ASCII characters as defined by the ABNF in Section 3.2. Non-ASCII characters in the method-specific identifier component MUST be percent-encoded per [RFC3986].¶
Applications/protocols that use this URI scheme:: Applications implementing decentralized identity, verifiable credentials, or self-sovereign identity frameworks that require authority-scoped namespace governance.¶
Interoperability considerations:: DID7 URIs are not directly interchangeable with W3C DID URIs. See Section 6 for the one-way mapping from W3C DID to DID7.¶
Security considerations:: See Section 7 of this document.¶
Contact:: Michael Herman <michael@web7.foundation>¶
Author/change controller:: Michael Herman, Web 7.0 Foundation¶
References:: This document.¶

10. Conformance (Non-Normative)

The following URIs are valid under the syntax defined in Section 3.2:¶

did7:example:123
did7://w3.org/example:123
did7://dif/web:abc.def

The following URIs are invalid and MUST be rejected by conforming implementations:¶

did7:///          (empty authority-name and empty method)
did7://w3.org/    (empty method and method-id)
did7:             (missing method and method-id)

11. References

11.1. Normative References

[RFC2119]: Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC3986]: Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005, <https://www.rfc-editor.org/rfc/rfc3986>.
[RFC5234]: Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", STD 68, RFC 5234, DOI 10.17487/RFC5234, January 2008, <https://www.rfc-editor.org/rfc/rfc5234>.
[RFC7595]: Thaler, D., Ed., Hansen, T., and T. Hardie, "Guidelines and Registration Procedures for URI Schemes", BCP 35, RFC 7595, DOI 10.17487/RFC7595, June 2015, <https://www.rfc-editor.org/rfc/rfc7595>.
[RFC8174]: Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.

11.2. Informative References

[DID-CORE]: World Wide Web Consortium (W3C), "Decentralized Identifiers (DIDs) v1.0", W3C Recommendation, July 2022, <https://www.w3.org/TR/did-core/>.