New DID Method: did:pki — Bridging National PKI Hierarchies to the DID Ecosystem from Eduardo C. on 2026-04-15 (public-credentials@w3.org from April 2026)

From: Eduardo C. <e.chongkan@gmail.com>
Date: Wed, 15 Apr 2026 04:44:55 -0600
To: Credentials Community Group <public-credentials@w3.org>
Message-ID: <CAANnk0Li3yiBkjc706MoBiwgYik3Wn4Uf05B+=O44uv7vQniEg@mail.gmail.com>

Hi all,

We've submitted a new DID method for peer review: did:pki (w
*3c/did-extensions#697)*.

*It addresses a specific interoperability gap: over 100 countries operate
sovereign PKI hierarchies for digital signatures, but a certificate issued
by one country's CA is unverifiable in another without custom tooling — an
N-countries × M-verifiers integration problem that doesn't scale.*

did:pki provides a deterministic, read-only mapping from X.509 CA
certificates to W3C DID Documents. Any DID-aware system can resolve any
national CA's public key without bundling country-specific root
certificates.

*Key properties:*
- Read-only — DIDs derived from existing certificates, not registered
- Deterministic — same certificate → same DID, by any implementation
- Multi-registry — any party can operate a resolver; no central authority
- No PII — only CA organizational identity; never personal data

*Examples:*
  did:pki:cr:sinpe:persona-fisica   → *Costa Rica* BCCR (citizens)
  did:pki:es:fnmt:raiz              → *Spain* FNMT Root CA
  did:pki:br:icp:raiz               → *Brazil* ICP-Brasil Root CA
  did:pki:eu:de:d-trust             → *Germany* D-Trust (EU QTSP)
  did:pki:us:fpki:common-policy     → *US* Federal PKI

*Resources:*
- Spec (11 sections): https://github.com/Attestto-com/did-pki-spec
- Live resolver:
https://resolver.attestto.com/1.0/identifiers/did:pki:cr:raiz-nacional
- W3C Registry PR: https://github.com/w3c/did-extensions/pull/697
- Universal Resolver PR:
https://github.com/decentralized-identity/universal-resolver/pull/542
- Test vectors:
https://github.com/Attestto-com/did-pki-spec/tree/main/test-vectors

*Particularly relevant to the cross-border regulatory data exchange and
eIDAS discussions happening in the group. The method complements ETSI AdES
signature validation, EU Trusted Lists, and GLEIF vLEI — bridging existing
national trust infrastructure into the DID ecosystem without replacing it*.

Feedback welcome on the PR or directly.

Eduardo Chongkan
Attestto — https://attestto.org
open@attestto.com

Received on Wednesday, 15 April 2026 10:45:12 UTC