W3C Member Submission: 30 April 2026
•Authors: SEREYVUTH KIM, M.Phil.(IT), AIGP, Mr. MENGFONG HEAN, Mr. CHANCHHAYA YUN
This specification defines the {method} Decentralized Identifier (DID) method. {method} introduces an asymmetric, role-based architecture designed specifically for Verifiable Credential ecosystems.
It unifies two distinct resolution paradigms under a single method: a zero-latency, cryptographically derived profile (based on {did_key}) for regular network users (Holders/Subjects), and a domain-anchored, highly discoverable profile (based on {did_web}) restricted to credential Issuers. This separation optimizes user privacy and offline verification while ensuring organizational trust and revocation capabilities for Issuers.
CAUTION: This section describes the status of this document at the time of its publication. By publishing this document, W3C acknowledges that the Submitting Members have made a formal Submission request to W3C for discussion. Publication of this document by W3C indicates no endorsement of its content by W3C, nor that W3C has, is, or will be allocating any resources to the issues addressed by it. This document is not a W3C Recommendation and is not a standard. It is a draft document and may be updated, replaced, or obsoleted by other documents at any time. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.
In standard decentralized trust networks, entities play different roles that require vastly different identity properties.
Require privacy, ephemeral interactions, zero-latency verification, and the ability to operate in offline environments. They do not need complex routing or discoverability.
Require high public trust, discoverability, key rotation, and strict revocation mechanisms. Their identities must be explicitly tied to their real-world organizational domains.
Forcing both roles to use the same DID method often results in compromises. The {method} method solves this by routing the DID resolution process based on the structural syntax of the identifier itself, granting Users the privacy of did:key and Issuers the authority of did:web.
The namestring that identifies this DID method is {neuralkey}.
The method-specific identifier structurally branches into two distinct formats: the User Profile and the Issuer Profile. A compliant did:neuralkey resolver MUST determine the profile type by inspecting the identifier string.
The format of the DID is defined by the following ABNF:
If the identifier begins with the characters ‘z6Mk’ and strictly conforms to a Base58BTC encoded multicodec payload, it MUST be treated as a User Profile.
If the identifier consists of a valid Fully Qualified Domain Name (FQDN), optionally followed by path segments separated by colons, it MUST be treated as an Issuer Profile.
Creation is purely cryptographic and localized.
Creation requires domain administration.
A compliant resolver MUST execute a branching logic check to resolve a did:neuralkey:
If the parser identifies a User Profile (multibase string):
{
"@context": [
"https://www.w3.org/ns/did/v1",
"https://w3id.org/security/suites/ed25519-2020/v1",
"https://w3id.org/security/suites/x25519-2020/v1"
],
"id": "did:neuralkey:z6MkwAkLNUmKBRha3s2NzRWFFsDSXJ2QF44w9AT4CmSBuU41",
"verificationMethod": [{
"id": "did:neuralkey:z6Mkw...4CmSBuU41#z6Mkw...4CmSBuU41",
"type": "Ed25519VerificationKey2020",
"controller": "did:neuralkey:z6MkwAkLNUmKBRha3s2NzRWFFsDSXJ2QF44w9AT4CmSBuU41",
"publicKeyMultibase": "z6MkwAkLNUmKBRha3s2NzRWFFsDSXJ2QF44w9AT4CmSBuU41"
}],
"authentication": [
"did:neuralkey:z6Mkw...4CmSBuU41#z6Mkw...4CmSBuU41"
],
"assertionMethod": [
"did:neuralkey:z6Mkw...4CmSBuU41#z6Mkw...4CmSBuU41"
]
}If the parser identifies an Issuer Profile (domain string):
{
"@context": [
"https://www.w3.org/ns/did/v1",
"https://www.w3.org/ns/cid/v1",
"https://w3id.org/security/jwk/v1"
],
"id": "did:neuralkey:neuralkey.neuralsh.com",
"verificationMethod": [{
"id": "did:neuralkey:neuralkey.neuralsh.com#key-0",
"type": "JsonWebKey2020",
"controller": "did:neuralkey:neuralkey.neuralsh.com",
"publicKeyJwk": {
"kty": "OKP",
"crv": "Ed25519",
"x": "ADTXUVoRZP9A0Lzt5lw8LGK0MLSmuhftNCZh5aQPXMc"
}
}],
"authentication": [ "did:neuralkey:neuralkey.neuralsh.com#key-0"],
"assertionMethod": ["did:neuralkey:neuralkey.neuralsh.com#key-0"],
"deactivated": true
}Updates are {not_supported}. The DID Document is deterministically bound to the private key. If a User loses their key or wishes to rotate it, they MUST generate a new did:neuralkey User Profile.
Updates are {supported}. The Issuer modifies the did.json file hosted on their domain. Relying parties will fetch the updated keys, service endpoints, or metadata upon their next HTTPS resolution request. To rotate keys, it simply update this file. To avoid service disruption, it implement follow this three-stage update process:
Generate new key (Key 2), but keep the old key (Key 1) active. This ensures that any credentials signed with Key 1 while the file was being cached are still valid.
// https://example.com/.well-known/did.json
{
"@context": [
"https://www.w3.org/ns/did/v1",
"https://www.w3.org/ns/cid/v1",
"https://w3id.org/security/jwk/v1"
],
"id": "did:neuralkey:neuralkey.neuralsh.com",
"verificationMethod": [
{
"id": "did:neuralkey:neuralkey.neuralsh.com#key-1", // OLD KEY
"type": "JsonWebKey2020",
"controller": "did:neuralkey:neuralkey.neuralsh.com",
"publicKeyJwk": { ... }
},
{
"id": "did:neuralkey:neuralkey.neuralsh.com#key-2", // NEW KEY
"type": "JsonWebKey2020",
"controller": "did:neuralkey:neuralkey.neuralsh.com",
"publicKeyJwk": { ... }
}
],
"authentication": [
"did:neuralkey:neuralkey.neuralsh.com#key-1",
"did:neuralkey:neuralkey.neuralsh.com#key-2"
],
"assertionMethod": [
"did:neuralkey:neuralkey.neuralsh.com#key-1",
"did:neuralkey:neuralkey.neuralsh.com#key-2"
]
}Inform to all identifies who were issued by key 1 immediately sign new proof with key 2. When it's certain no active sessions or unverified credentials rely on Key 1, remove Key 1 from the verificationMethod, assertionMethod and authentication arrays in the did.json file.
Deactivation is {not_supported} on a network level. Users effectively deactivate their DID by deleting their local private key material.
Deactivation is {supported}. The Issuer MUST update their hosted did.json file to include the exact property {deactivated_true} at the root level of the JSON object.
The trust in the Issuer Profile is entirely dependent on the integrity of the DNS and web server hosting the did.json. If an attacker compromises the web server of an Issuer, they can replace the public key in the DID Document and issue fraudulent credentials that relying parties will accept as cryptographically valid. Issuers MUST employ strict TLS requirements, DNSSEC, and secure server access controls.
Because User Profiles cannot be formally revoked, a compromised private key allows an attacker to indefinitely impersonate the User. Users MUST utilize secure hardware enclaves (TEEs, Secure Enclaves, or physical security keys) to store their private key material. Wallet software implementing did:neuralkey SHOULD encourage frequent rotation of User DIDs to minimize the lifespan of any potential key compromise.
This asymmetric architecture inherently protects regular users from the "phone home" tracking risks of did:web. Because a User Profile requires zero network requests to resolve, an Issuer or Verifier cannot track a User's IP address or frequency of verification by monitoring a centralized resolution server. Conversely, Issuers are public entities where discoverability is a feature, not a privacy flaw.
© 2026 NeuralKey / PRESTIGE ALLIANCE CO., LTD. Decentralized Identity (DID) Platform
Last Updated: June 3, 2026