Editors did:cndomain Draft Editors
Status Working Draft
Latest Version https://cndomain-dev.github.io/did-method-cndomain/did-cndomain-method-specification-draft.html
This Version Repository snapshot dated 2026-05-07
Date 2026-05-07
Publication Note This working draft is published at the stable public URL listed above for DID Method Registry review.
This specification defines the did:cndomain DID method.
The did:cndomain method defines decentralized identifiers anchored to the .cn domain namespace. It is intended for scenarios in which domain control, domain-bound service discovery, and domain-governed trust relationships are expressed through DID Documents.
The method is designed for domain-related subjects and resources. It is not intended to serve as a general-purpose national identity method or as a universal DID method for subjects unrelated to the .cn domain namespace.
Under this method:
.cn domain namespace serves as the primary naming anchor.cn domain remains central to authority, lifecycle, and trust interpretation.The purpose of this specification is to define:
did:cndomain identifiersThis specification is designed to be self-contained for DID method registration and baseline interoperability.
Companion did:cndomain profiles MAY define stricter or deployment-specific operational behavior (for example resolution/discovery refinements, control proof policies, or governance overlays), but conforming baseline method behavior is defined in this specification.
The did:cndomain method is a DID method specification within the meaning of DID Core.
Accordingly, this specification defines method-specific rules for:
Where DID Core defines general DID architecture, terminology, or representation requirements, this specification applies those requirements to the did:cndomain method.
The did:cndomain method adopts a domain-anchored design.
A did:cndomain identifier is rooted in a .cn domain or valid subdomain and MAY identify a subordinate service or resource object beneath that domain.
The method intentionally separates:
This design allows a did:cndomain identifier to preserve familiar domain-based discoverability while expressing method-specific authority, verification material, delegation, service binding, and lifecycle state through DID mechanisms.
The did:cndomain method is best understood as a domain-governed namespace DID method.
Its defining feature is not merely that DNS may be used in discovery. Its defining feature is that the .cn domain namespace acts as the method’s primary naming and authority anchor, and that current legitimate domain control remains relevant to control-sensitive DID operations.
Accordingly, this method is narrower than a general-purpose DID method and more specific than a generic DNS-based identifier deployment pattern.
Sections 5–6 define syntax and identifier semantics.
Sections 7–11 define lifecycle operations, resolution, representation, domain control binding, and lifecycle status.
Sections 12–14 define governance, security, and privacy considerations.
Sections 15–17 define implementation considerations, examples, and conformance.
Detailed operational behavior MAY be further refined by companion did:cndomain profiles, but conformance to this method specification MUST NOT depend on the existence of a separate profile document.
This section defines the intended scope of the did:cndomain method and clarifies what the method does not attempt to provide.
The did:cndomain method applies to decentralized identifiers anchored to the .cn domain namespace.
A did:cndomain identifier MAY be used to represent:
.cn domain.cnThe method is intended for scenarios in which the following are relevant:
Subjects represented by did:cndomain identifiers MAY include, depending on the applicable deployment or governance profile:
.cn domain.This specification does not require all deployments to support all such subject categories.
The did:cndomain method is not intended to:
.cn domainThis specification defines method-level technical and governance-aware interpretation rules. It does not, by itself, determine legal rights, institutional authority, or regulatory jurisdiction.
A conforming implementation of did:cndomain MUST treat the .cn domain anchor as central to the method.
An implementation MUST NOT interpret this method as a general-purpose namespace for arbitrary non-domain subjects.
If a subject cannot be meaningfully anchored to a .cn domain or subordinate object under that domain, it is outside the intended scope of this method.
This section defines the principal design goals of the did:cndomain method.
The did:cndomain method is designed to provide a domain-anchored DID method with clear semantics for authority, lifecycle, and discovery in the context of the .cn domain namespace.
The method is designed to ensure that a did:cndomain identifier is rooted in a .cn domain or valid subordinate context beneath such a domain.
The domain anchor is intended to provide:
The method is designed so that authority over a DID is not determined solely by historical key possession or syntactic publication.
Instead, authority is intended to remain tied to current legitimate control of the corresponding .cn domain, especially for control-sensitive operations such as update, delegation, deactivation, and reactivation.
The method is designed to separate:
Under this design:
The method is designed to support both:
This allows a single domain anchor to support multiple subordinate subjects, such as services or resources, while preserving a coherent parent-child authority model.
The method is designed so that DID lifecycle interpretation may respond to domain-related events, including:
This allows DID status to remain consistent with materially changing domain authority conditions.
The method is designed to permit governance-aware deployment.
This means that deployments may define profiles addressing:
At the same time, the core method semantics remain defined by this specification.
The method is designed to remain compatible with DID ecosystem concepts, including:
This specification does not seek to replace DID architecture, but to define a method-specific application of it to the .cn domain namespace.
This section defines method-specific terminology used in this specification.
Unless otherwise specified, terms inherited from DID Core retain their DID Core meaning. The terms below define additional meanings specific to did:cndomain.
.cn Domain AnchorThe .cn domain anchor is the normalized .cn domain or valid subdomain extracted from the method-specific identifier.
The .cn domain anchor serves as:
The domain portion is the portion of the method-specific identifier that encodes the .cn domain or subdomain before any optional object-level segments.
The domain portion is primarily relevant in syntax, parsing, normalization, and resolution contexts.
A domain-level DID is a did:cndomain identifier whose subject is the .cn domain itself or a valid subdomain under .cn.
Examples:
did:cndomain:example.cn
did:cndomain:sub.example.cn
An object-level DID is a did:cndomain identifier derived from a parent .cn domain and extended with an object classification and object-local name.
Examples:
did:cndomain:example.cn:service:web
did:cndomain:example.cn:resource:gpu0
An object classification is the method-defined segment that indicates the semantic category of an object-level identifier.
Examples include:
serviceresourceAn object classification is interpreted according to this specification.
If a deployment adopts a companion profile, object classification handling MAY be further constrained within that profile’s declared scope.
An object-local name is the identifier segment that distinguishes a specific subordinate object within the relevant object classification beneath a parent domain.
Its interpretation remains subordinate to the authority and naming rules of the parent domain.
Current legitimate control refers to the currently valid control relationship recognized by the applicable technical and governance procedures of this method for the corresponding .cn domain.
This specification does not define legal ownership in the abstract. Rather, it defines how current legitimate control is interpreted for the purposes of DID authority, lifecycle operations, and trust-sensitive behavior.
A domain control proof is a technical proof that demonstrates current legitimate control over the corresponding .cn domain in a manner accepted by this specification.
Companion control-proof profiles, if adopted, MAY define stricter admissibility and verification procedures.
Examples MAY include:
A DID update key is verification material authorized to approve control-sensitive modifications to a did:cndomain DID Document or lifecycle state, subject to the method’s domain control requirements.
Possession of a DID update key alone does not automatically establish sufficient authority under this method.
A resolver is a component that accepts a did:cndomain identifier, applies this specification and any applicable profile, retrieves or constructs the corresponding DID resolution result, and returns:
A discovery record is a DNS record used to indicate or assist in locating the HTTPS publication endpoint for a did:cndomain DID Document.
A discovery record is part of the discovery plane. It is not, by itself, a complete DID Document representation.
A lifecycle state is the currently applicable method-level status of a did:cndomain identifier.
Primary lifecycle states under this specification include:
activesuspendedfrozendeactivatedLifecycle state affects how a DID may be interpreted, resolved, updated, or relied upon.
A status value is a metadata value used to indicate the lifecycle state of a DID in a DID document metadata or DID resolution metadata context.
A status value is one possible means of expressing lifecycle state, but it is not itself the entirety of lifecycle interpretation.
A governance profile is a deployment- or ecosystem-specific set of rules that refines how this method handles proof requirements, eligibility, restricted states, disputes, continuity, and auditability.
A governance profile MAY refine operational details, but MUST NOT contradict the method-level semantics defined by this specification.
A control-sensitive operation is an operation whose validity depends on authoritative control over the DID and corresponding domain anchor.
Examples include:
Parent domain authority refers to the default authority relationship by which an object-level DID remains subordinate to the authority of its parent domain-level DID, unless a valid delegation model explicitly defines otherwise.
This concept is central to the inheritance semantics of did:cndomain.
This section defines the syntax of did:cndomain identifiers.
A did:cndomain identifier MUST conform to the general DID syntax defined by DID Core, and its method-specific identifier MUST be interpreted according to this specification. Under this method, the method-specific identifier is rooted in the .cn domain namespace and MAY include a subordinate object structure.
A did:cndomain identifier is formally defined by the following ABNF, using the ABNF notation of RFC 5234:
did-cndomain = "did:cndomain:" domain [ ":" object-type ":" object-name ]
domain = domain-label *( "." domain-label ) ".cn"
domain-label = alnum / ( alnum *( alnum / "-" ) alnum )
object-type = segment
object-name = segment
segment = 1*( %x61-7A / DIGIT / "-" )
alnum = %x61-7A / DIGIT
This ABNF defines the minimum method-specific syntax. It is complemented by the normalization and validity rules in Sections 5.3 through 5.7, including lowercase normalization, A-label handling for internationalized domain names, and rejection of empty or non-normalized segments.
A did:cndomain identifier therefore takes one of the following forms:
did:cndomain:<domain>
did:cndomain:<domain>:<object-type>:<object-name>
Where:
<domain> identifies a normalized .cn domain or subdomain<object-type> identifies a method-defined object classification<object-name> identifies a domain-local object name under the authority of the corresponding domain.A conforming did:cndomain identifier MUST begin with:
did:cndomain:
The portion following did:cndomain: is the method-specific identifier.
The method-specific identifier MUST contain a valid normalized .cn domain or subdomain.
The method-specific identifier MAY additionally contain an object-type and object-name pair.
A domain-level identifier has the following form:
did:cndomain:<domain>
An object-level identifier has the following form:
did:cndomain:<domain>:<object-type>:<object-name>
No additional method-specific segments are defined by this version of the specification.
An implementation MUST reject an identifier that does not conform to one of the above forms.
The following are examples of valid did:cndomain identifiers:
did:cndomain:example.cn
did:cndomain:sub.example.cn
did:cndomain:example.cn:service:web
did:cndomain:example.cn:service:resolver
did:cndomain:example.cn:resource:gpu0
The following are examples of identifiers that are not valid under this specification:
did:cndomain:example.com
did:cndomain:Example.cn
did:cndomain:example.cn:service
did:cndomain:example.cn:service:web:extra
did:cndomain:
These examples are invalid because, respectively:
.cnThe domain portion of a did:cndomain identifier:
.cn namespaceFor avoidance of encoding ambiguity, a conforming did:cndomain string representation MUST use the normalized A-label form whenever internationalized labels are involved. An implementation MAY accept Unicode domain input as a local convenience, but it MUST convert that input to normalized A-label form before DID construction, comparison, publication, or resolution.
A domain portion MAY represent either:
.cn domain.cn domain.Examples:
example.cn
sub.example.cn
xn--example-9d0b.cn
An implementation MUST reject a method-specific identifier whose domain portion is not a .cn domain or subdomain.
The object portion is optional.
When present, it MUST consist of exactly two additional segments:
<object-type><object-name>.Accordingly, a conforming object-level identifier MUST have the following structure:
did:cndomain:<domain>:<object-type>:<object-name>
The object portion MUST NOT appear unless both <object-type> and <object-name> are present.
The object portion is interpreted under the authority of the corresponding domain anchor.
This specification initially recognizes the following object-type values:
serviceresourceAn implementation MAY define additional object-type values only if such values are permitted by an applicable profile or governance rule.
For interoperability, producers SHOULD prefer registered or profile-defined object-type values and SHOULD avoid private ad hoc values in public-facing identifiers.
The domain portion MUST follow applicable domain normalization rules.
For <object-type> and <object-name>, this specification defines the following minimum syntax constraints:
a-z), digits (0-9), and hyphen (-):) charactersAn implementation MAY impose stricter naming requirements for object-level identifiers, including:
For interoperability, producers SHOULD avoid unstable, ambiguous, or overly sensitive object-local names.
Before constructing, publishing, or resolving a did:cndomain identifier, an implementation MUST normalize the identifier according to the following rules:
cndomainTwo identifiers that differ only by disallowed case variation in the domain portion MUST NOT be treated as distinct identifiers under this specification.
An implementation SHOULD reject non-normalized identifiers rather than silently rewriting them, unless an applicable profile explicitly allows normalization prior to validation.
A did:cndomain identifier is syntactically valid only when all of the following conditions are satisfied:
cndomain.cn domain or subdomainAn implementation MUST reject an identifier that violates any of the above conditions.
A conforming parser for did:cndomain MUST interpret the method-specific identifier in the following order:
Colons appearing in the method-specific identifier are interpreted according to this specification only. They do not imply any generic semantics shared across other DID methods.
The syntax of did:cndomain is not merely representational. It reflects the method’s semantic model.
In particular:
Accordingly, syntactic parsing and semantic interpretation are closely related under this method. A syntactically valid identifier MUST still be interpreted in accordance with the method-specific authority, inheritance, and lifecycle rules defined elsewhere in this specification.
This section defines the semantics of did:cndomain method-specific identifiers.
A did:cndomain identifier is rooted in the .cn domain namespace. Its method-specific meaning is determined by:
.cnA did:cndomain identifier MAY therefore represent either:
.cn domain.Unless otherwise specified by an applicable governance profile, the parent domain serves as the primary authority anchor for all identifiers defined beneath it.
A domain-level DID is a did:cndomain identifier whose subject is the .cn domain itself, or a valid subdomain under .cn.
A domain-level DID MUST be directly derived from a normalized .cn domain name.
Examples:
did:cndomain:example.cn
did:cndomain:sub.example.cn
A domain-level DID is unique only when all of the following conditions are satisfied:
.cn namespaceThe authority of a domain-level DID is rooted in the current legitimate control of the corresponding .cn domain.
A domain-level DID MAY act as the parent authority anchor for one or more object-level DIDs defined beneath that domain.
An object-level DID is a did:cndomain identifier derived from:
.cn domainExamples:
did:cndomain:example.cn:service:web
did:cndomain:example.cn:resource:gpu0
An object-level DID is unique only when all of the following conditions are satisfied:
.cn namespaceThe meaning of an object-level DID is determined by the combination of:
Unless a valid delegation model is explicitly defined, the authority of an object-level DID is subordinate to and derived from the authority of the corresponding parent domain-level DID.
An implementation MAY define additional constraints for object-level identifiers, including naming conventions, reserved object classifications, or governance-specific validation rules.
The did:cndomain method adopts a domain-rooted authority model.
Under this model:
.cn domainA subject MUST NOT be treated as authorized to create, update, or control a did:cndomain identifier solely on the basis of identifier syntax or historical association.
For object-level DIDs, the parent domain authority MAY delegate limited control to another controller, provided that:
.cn domain.Loss of current legitimate control over the parent domain SHOULD invalidate control-sensitive authority over subordinate object-level DIDs unless an applicable governance profile explicitly defines a continuity mechanism.
The .cn domain namespace serves as the root naming anchor for all did:cndomain identifiers.
For a domain-level DID, the identifier semantics are anchored directly in the corresponding .cn domain.
For an object-level DID, the identifier semantics are inherited from the parent domain and refined by the object classification and object-local name.
This means that:
An object-level DID MUST NOT be interpreted independently of its parent domain context.
Because did:cndomain identifiers are anchored to the .cn domain namespace, their semantic continuity is sensitive to material domain lifecycle events.
Such events MAY include:
A material change affecting the legitimacy of domain control SHOULD trigger re-evaluation of the semantic authority and lifecycle status of the corresponding did:cndomain identifier.
For object-level DIDs, a material change affecting the parent domain SHOULD also trigger re-evaluation of subordinate identifiers.
Further operational consequences of such events are defined in Section 10 and Section 11.
Companion governance profiles MAY define stricter or deployment-specific procedures consistent with this specification.
A did:cndomain identifier MUST be interpreted according to this specification.
If a deployment adopts a companion profile, interpretation MUST additionally remain consistent with that profile for the claimed scope.
In particular:
did:cndomain rules and not according to any generic cross-method conventionservice, resource, or other allowed values are method-specific.An implementation MUST NOT assume that object-level identifiers from this method are semantically equivalent to identifiers from another DID method merely because they use superficially similar segment structures.
This section defines the lifecycle operations for did:cndomain, including creation, resolution, update, suspension, freezing, deactivation, and possible reactivation.
Unless otherwise specified by an applicable governance profile, control-sensitive operations under this method MUST require both:
.cn domain.For object-level DIDs, authority is derived from the corresponding parent domain unless a valid delegation mechanism is explicitly defined in the applicable DID Document.
Further requirements relating to domain control binding and continuity are defined in Section 10.
Companion control-proof profiles MAY further refine operational procedures.
A requester MAY initiate creation of a did:cndomain identifier only when all of the following conditions are satisfied:
.cn domain, or to a valid object defined under a .cn domain.cn domainFor a domain-level DID, the subject MUST correspond to the .cn domain itself.
For an object-level DID, the subject MUST correspond to an object that is defined under the authority of the parent .cn domain and named in accordance with the naming rules of that domain authority.
Because a newly created DID might not yet have an existing DID Document, initial creation proof is distinct from post-creation update proof. For initial creation, the requester MUST prove control of the verification material that will be authorized by the initial DID Document, and the proof MUST be bound to the requested DID, domain anchor, operation, challenge, and expiration time.
Creation of a did:cndomain identifier is considered complete only when all of the following conditions are satisfied:
id matches the requested DID exactly.A governance profile MAY impose additional requirements for creation, including registration approval, policy review, eligibility checks, or higher-assurance control proof.
A did:cndomain identifier is resolved by performing the following steps:
cndomaindidDocumentMetadata, and didResolutionMetadata.Resolution MUST use HTTPS as the publication retrieval mechanism.
DNS, when used, serves primarily as a discovery mechanism and not as the authoritative carrier of the complete DID Document.
A resolver MUST reject a retrieved DID Document if:
id value does not exactly match the requested DIDDetailed discovery and retrieval behavior for baseline conformance is defined in Section 8.
Companion resolution profiles MAY define stricter or deployment-specific refinements.
A did:cndomain DID Document MAY be updated only when all of the following conditions are satisfied:
.cn domainPermitted updates MAY include:
An implementation SHOULD ensure that update requests are bound to:
An implementation SHOULD record update-related metadata, including:
Further requirements relating to domain control binding are defined in Section 10.
Companion control-proof profiles MAY further refine operational procedures.
A did:cndomain identifier MAY enter a temporary restricted state prior to final deactivation.
This specification recognizes two temporary restricted states:
suspendedfrozenA did:cndomain identifier MAY enter suspended or frozen state when triggered by events such as:
When a DID is in a restricted state:
The method-level meaning of lifecycle states is defined in Section 11.
A did:cndomain identifier MAY be deactivated when one or more of the following conditions occur:
.cn domain expires and is no longer considered under valid controlOnce a DID is deactivated:
A deactivated DID Document MAY still be resolvable for historical, audit, or transparency purposes, provided that the returned metadata clearly indicates that the DID is deactivated and no longer valid for active trust decisions.
By default, deactivation SHOULD be treated as final.
A governance profile MAY define a reactivation procedure, but only under narrowly scoped and explicitly governed circumstances, such as:
If reactivation is supported, it MUST require:
.cn domainA reactivated DID MUST return metadata that makes the restoration event auditable.
Detailed technical procedures for such authorization MAY be further refined in the did:cndomain Control Proof Profile, if adopted.
Implementations of did:cndomain MUST ensure that lifecycle operations remain consistent with the status of the underlying .cn domain anchor.
At a minimum, implementations SHOULD account for the following domain events:
A material change in domain control or domain validity SHOULD trigger re-evaluation of DID lifecycle state.
If a domain event invalidates current legitimate control, the DID MUST NOT continue to accept control-sensitive operations on the basis of stale or previously valid authorization alone.
The method-level meaning of lifecycle states is defined in Section 11, and further requirements relating to domain control binding and continuity are defined in Section 10.
Companion control-proof profiles MAY further refine operational procedures.
This section defines the resolution model for the did:cndomain method.
A did:cndomain identifier is resolved by combining:
Under this method, DNS serves primarily as a discovery plane, while HTTPS serves as the publication and retrieval plane for the DID Document.
This specification defines baseline discovery procedures, endpoint selection rules, metadata structures, and error signaling conventions for method conformance.
Companion resolution profiles, if adopted, MAY define stricter or deployment-specific refinements.
A conforming did:cndomain resolver MUST process a DID in a manner consistent with the following model:
did:cndomain syntaxA resolver MUST NOT treat DNS records alone as a complete authoritative DID Document representation under this specification.
A resolver MUST accept a did:cndomain identifier as input.
A resolver MAY additionally accept method-appropriate resolution options, including:
If resolution options are provided, the resolver MUST apply them consistently with this specification and any applicable profile.
Before attempting discovery or retrieval, the resolver MUST:
cndomain.cn domain anchor.If the DID is syntactically invalid, the resolver MUST reject it and return an appropriate resolution error.
If the extracted domain is not under the .cn namespace, the resolver MUST reject the DID as invalid under this method.
A resolver MUST determine the authoritative HTTPS endpoint for the DID Document using one of the following mechanisms:
_did.<domain>When DNS discovery is supported, a resolver SHOULD attempt records in the following priority order:
_did.<domain> URI record_did.<domain> TXT record containing a did-url= or did-base= HTTPS value.For URI-based discovery:
/ is interpreted as a base publication endpoint/ is interpreted as an exact DID Document URL.For TXT-based discovery:
did-url= or did-base= are eligible for discoverydid-url or did-base value MUST be HTTPSdid-url= identifies an exact DID Document URLdid-base= identifies a base publication endpointdid-url= or did-base= item MUST be ignored.An exact DID Document URL is authoritative only for the requested DID whose DID Document is retrieved from that URL. If an exact URL returns a DID Document whose id does not exactly match the requested DID, the resolver MUST reject the result.
A base publication endpoint is a HTTPS URL prefix from which this specification’s path construction rules are applied. When a base publication endpoint is discovered, a resolver MUST construct the final retrieval URL as follows:
<base>/cndomain.json<base>/cndomain/<object-type>/<object-name>.jsonFor this construction, the resolver MUST normalize a base endpoint to exactly one trailing / before appending the method-specific path.
If both URI and TXT records are present and inconsistent, the resolver MUST treat discovery as a conflict and MUST return a resolution error. In this case, the resolver MUST NOT silently continue with default fallback path construction.
If no acceptable DNS discovery record is found, the resolver MAY fall back to default HTTPS path construction unless policy requires DNS discovery.
Default fallback paths under this method are:
https://<domain>/.well-known/did/cndomain.jsonhttps://<domain>/.well-known/did/cndomain/<object-type>/<object-name>.jsonFor deterministic fallback path construction, a resolver MUST:
<object-type> and <object-name> according to Sections 5.5 and 5.6 before path constructionOnce the publication endpoint has been determined, the resolver MUST retrieve the DID Document over HTTPS.
When performing HTTPS retrieval, the resolver:
A resolver MAY send representation preferences using a suitable request header or equivalent mechanism where supported.
After retrieving a candidate DID Document, the resolver MUST verify at least the following:
id property of the DID Document exactly matches the requested DIDA resolver MUST reject the retrieved DID Document if any of the above validations fail.
A resolver SHOULD additionally validate any lifecycle state or policy signals that affect whether the DID may be relied upon for the intended purpose.
A successful resolution result SHOULD include:
The DID document metadata MAY include information such as:
createdupdatedversionIddeactivated, when the DID is deactivatedcndomainLifecycleState, for method-specific lifecycle states such as active, suspended, frozen, or deactivatednextUpdate, where applicable.The DID resolution metadata MAY include information such as:
contentTypediscoverySourceretrievalUrlredirectwarning or warningserror.The precise metadata fields MAY be defined more strictly by deployment policy or companion profiles.
A resolver MUST take DID lifecycle state into account during resolution.
At a minimum, a resolver SHOULD distinguish among the following states where such information is available:
activesuspendedfrozendeactivatedIf a DID is deactivated, the resolver MUST NOT present it as an active identifier for trust decisions.
When a deactivated DID is successfully resolved as a deactivated DID, the resolver SHOULD indicate this through DID document metadata, including deactivated: true, rather than treating deactivation itself as an ambiguous retrieval failure.
If a DID is suspended or frozen, the resolver MAY still return a DID Document, but the returned metadata SHOULD clearly indicate the restricted state.
A governance profile MAY define stricter behavior for restricted states, including partial resolution, flagged resolution, or rejection.
This section defines the operational consequences of lifecycle state during resolution. The method-level meaning of lifecycle states is defined in Section 11.
A resolver MAY support version-aware or time-aware resolution.
If such support is provided, the resolver SHOULD define how the following inputs are processed:
versionIdversionTimeWhere historical or versioned resolution is supported, the resolver MUST ensure that the returned result is clearly distinguished from the currently active representation.
A historical or previous representation MUST NOT be confused with current active authority.
If resolution fails, the resolver SHOULD return structured failure information.
Resolution failure MAY result from one or more of the following:
.cn domain anchorA resolver SHOULD signal such failures through structured resolution metadata rather than through ambiguous or implementation-specific behavior.
A resolver SHOULD support a stable, documented error vocabulary.
Recommended error values include:
invalidDidinvalidMethodSpecificIddomainNotCndnsDiscoveryNotFoundhttpsRetrievalFailedinvalidDidDocumentidMismatchstatusSuspendedstatusFrozennotFoundA resolver MAY cache discovery results and retrieved DID Documents, subject to applicable policy.
When caching is used, the resolver SHOULD consider:
A resolver SHOULD avoid long-lived reuse of cached discovery or document data when current domain control may have materially changed.
This section defines the method-level resolution principles for did:cndomain.
This section also defines the baseline operational requirements required for standalone method conformance.
The did:cndomain Resolution and Discovery Profile, if used, MAY define stricter or deployment-specific procedures.
Where a conflict arises between this section and an applicable profile, this section governs the method-level semantics and baseline behavior, while the applicable profile governs additional operational behavior, unless otherwise explicitly stated.
This section defines the representation requirements for DID Documents associated with the did:cndomain method.
A DID Document for did:cndomain MUST conform to the applicable DID Core representation requirements. Under this method, the DID Document serves as the authoritative expression of identifier control, verification material, service binding, and, where applicable, delegated authority and lifecycle-related metadata.
A did:cndomain DID Document is retrieved over HTTPS in accordance with this specification. Companion profiles MAY define stricter publication and retrieval conventions.
Examples in this section that use only DID Core terms use only the DID Core context. Examples that use extension terms include additional JSON-LD contexts for those terms.
A DID Document associated with did:cndomain:
id propertyid value that exactly matches the DID being representedA relying party or resolver MUST reject a retrieved DID Document if its id property does not exactly match the requested DID.
Method-specific terms that appear only in DID document metadata or DID resolution metadata do not, by themselves, require extension terms in the DID Document representation.
At a minimum, a conforming active did:cndomain DID Document SHOULD include:
@contextidA conforming did:cndomain DID Document intended for active trust use SHOULD additionally include, where applicable:
controllerverificationMethodauthenticationassertionMethodserviceThe omission of one or more of these properties does not automatically make a DID Document invalid, but it MAY limit the purposes for which the DID can be used.
A domain-level DID Document represents a DID whose subject is the .cn domain itself or a valid subdomain under .cn.
For a domain-level DID Document:
id MUST be the exact domain-level DID.cn domain anchorExample:
{
"@context": [
"https://www.w3.org/ns/did/v1",
"https://w3id.org/security/suite/jws-2020/v1",
"https://identity.foundation/.well-known/did-configuration/v1"
],
"id": "did:cndomain:example.cn",
"controller": "did:cndomain:example.cn",
"verificationMethod": [
{
"id": "did:cndomain:example.cn#key-1",
"type": "JsonWebKey2020",
"controller": "did:cndomain:example.cn",
"publicKeyJwk": {
"kty": "OKP",
"crv": "Ed25519",
"x": "VCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ"
}
}
],
"authentication": [
"did:cndomain:example.cn#key-1"
],
"assertionMethod": [
"did:cndomain:example.cn#key-1"
],
"service": [
{
"id": "did:cndomain:example.cn#did-document",
"type": "LinkedDomains",
"serviceEndpoint": "https://example.cn"
}
]
}
An object-level DID Document represents a DID whose subject is defined beneath a parent .cn domain.
For an object-level DID Document:
id MUST be the exact object-level DIDExample:
{
"@context": "https://www.w3.org/ns/did/v1",
"id": "did:cndomain:example.cn:service:web",
"controller": "did:cndomain:example.cn"
}
An object-level DID Document MAY use the parent domain-level DID as its controller, or MAY identify another controller where such delegation is valid under this specification and any applicable governance profile.
A did:cndomain DID Document MAY contain a controller property.
Where present, the controller property identifies the DID or DIDs authorized to control the subject represented by the DID Document.
For did:cndomain:
.cn domain.A controller declaration in a DID Document MUST NOT, by itself, override the domain-anchored authority and lifecycle rules defined by this specification.
A did:cndomain DID Document MAY contain one or more verification methods.
Where verification material is used for control-sensitive operations, implementations SHOULD distinguish among keys intended for different purposes, including:
A DID Document SHOULD NOT rely on ambiguous key usage where more specific relationships can be expressed.
Where a key is intended to authorize updates or lifecycle operations, such use SHOULD be clearly identified through the applicable verification relationships or method-specific profile rules.
The presence of a verification method in the DID Document does not, by itself, prove current authority unless the lifecycle and control proof requirements of this specification are also satisfied.
A did:cndomain DID Document MAY include authentication and assertionMethod relationships.
Where these are present:
authentication indicates verification methods that may be used to authenticate as the DID subjectassertionMethod indicates verification methods that may be used to make claims or assertions on behalf of the DID subject.Applications using did:cndomain SHOULD evaluate these relationships consistently with the domain-anchored trust and lifecycle model of this method.
A did:cndomain DID Document MAY include one or more service entries.
Service entries are especially relevant for this method because did:cndomain is intended to support domain-bound service discovery and domain-governed trust relationships.
A service entry:
Service entries MAY identify, for example:
Example:
{
"@context": [
"https://www.w3.org/ns/did/v1",
"https://identity.foundation/.well-known/did-configuration/v1"
],
"id": "did:cndomain:example.cn",
"controller": "did:cndomain:example.cn",
"service": [
{
"id": "did:cndomain:example.cn#linked-domain",
"type": "LinkedDomains",
"serviceEndpoint": "https://example.cn"
}
]
}
A did:cndomain DID Document MAY express delegated control or subordinate authority relationships, particularly for object-level identifiers.
Where delegation is expressed:
.cn domainA delegated controller MAY be used to operate an object-level DID, but such delegation MUST remain subject to method-level lifecycle, suspension, freezing, and deactivation rules.
A did:cndomain DID Document MAY be accompanied by lifecycle-related metadata.
Such metadata is typically returned as DID document metadata or DID resolution metadata rather than being embedded directly as authoritative subject data in the DID Document itself.
Relevant lifecycle-related values MAY include:
Implementations SHOULD distinguish clearly between:
An implementation MUST NOT treat non-authoritative transport metadata as if it were part of the DID subject’s authoritative cryptographic control state unless such interpretation is explicitly defined.
A did:cndomain DID Document representation is valid only when all of the following conditions are satisfied:
id matches the DID being represented exactly.cn domain anchorA representation that is syntactically well-formed but inconsistent with the governing domain anchor or lifecycle state MUST NOT be treated as authoritative for active control-sensitive use.
A did:cndomain DID Document MAY be returned for historical, audit, transparency, or limited inspection purposes even where the DID is no longer fully active.
This may occur, for example, when the DID is:
suspendedfrozendeactivatedIn such cases:
This section defines the method-level representation requirements for did:cndomain.
An applicable profile MAY further define:
Profiles are optional for baseline method conformance unless explicitly adopted by a deployment.
Where a conflict arises between this section and an applicable profile, this section governs the method-level semantics and baseline representation behavior, while the applicable profile governs additional operational behavior, unless otherwise explicitly stated.
This section defines how did:cndomain identifiers are bound to current legitimate control of the corresponding .cn domain anchor.
The did:cndomain method is domain-anchored by design. Accordingly, control over a did:cndomain identifier is not determined solely by possession of cryptographic key material. It is also dependent on current legitimate control of the corresponding .cn domain.
This domain control binding is a core method property and applies to both:
.cn domain.A did:cndomain identifier MUST be interpreted as anchored to the corresponding .cn domain.
For a domain-level DID, the domain anchor is the domain identified directly by the DID.
For an object-level DID, the domain anchor is the parent .cn domain from which the object-level identifier is derived.
A control-sensitive lifecycle operation MUST NOT be authorized solely on the basis of historical association, prior publication, or continued possession of an update key, unless current legitimate control of the corresponding .cn domain can also be established in accordance with this specification.
For operations that create, update, delegate, suspend, freeze, deactivate, or reactivate a did:cndomain identifier, an implementation MUST require both:
.cn domain.An applicable governance profile MAY impose stronger requirements for sensitive operations, including:
The dual control requirement exists to ensure that cryptographic control and namespace control remain aligned.
This specification defines a baseline control proof procedure so that baseline method conformance does not depend on a separate control-proof profile.
A control proof procedure for did:cndomain MUST verify both DID-side authorization and domain-side control.
For DID-side authorization:
For domain-side control, a baseline implementation MUST support at least one of the following proof methods:
A DNS challenge proof MUST use a TXT record under _did-challenge.<domain> containing a verifier-issued challenge value. The challenge value MUST be bound to the requested DID, normalized domain, operation, issuance time, and expiration time.
An HTTPS challenge proof MUST publish a challenge representation at:
https://<domain>/.well-known/did/cndomain-challenge.json
The HTTPS challenge representation MUST identify the requested DID, normalized domain, operation, challenge value, issuance time, and expiration time.
A registrar-backed or governance-authorized proof MAY be accepted only when the accepting implementation can verify the proof source, scope, freshness, and applicability to the requested operation.
All baseline control proofs MUST satisfy the following requirements:
.cn domain anchor.To reduce cross-domain replay risk, challenge construction SHOULD include explicit domain-specific context, such as the normalized domain value or a verifier-derived digest bound to that value, rather than relying on an unscoped random nonce alone.
An applicable control-proof profile MAY define stricter record names, payload formats, proof suites, assurance levels, retention rules, or registrar-backed procedures, but it MUST NOT weaken the baseline dual-control semantics defined here.
For a domain-level DID, the corresponding .cn domain is the primary naming and authority anchor.
Examples:
did:cndomain:example.cn
did:cndomain:sub.example.cn
For such identifiers:
.cn namespaceA domain-level DID MUST NOT continue to be treated as fully authoritative if the corresponding domain has expired, been cancelled, been transferred, or is otherwise no longer under legitimate control of the party asserting authority over the DID.
For an object-level DID, the corresponding parent .cn domain remains the root authority anchor.
Examples:
did:cndomain:example.cn:service:web
did:cndomain:example.cn:resource:gpu0
For such identifiers:
An object-level DID MAY express delegated control, but such delegation MUST remain subordinate to the continued current legitimate control of the parent .cn domain unless an applicable governance profile explicitly defines a continuity exception.
Because did:cndomain identifiers are domain-anchored, domain lifecycle events MAY materially affect DID validity and authority.
Relevant domain lifecycle events MAY include:
An implementation SHOULD re-evaluate the corresponding DID lifecycle state when such an event occurs or is detected.
A material domain event MAY result in:
Domain transfer is a particularly important case for did:cndomain.
If current legitimate control of the domain changes, an implementation MUST NOT assume that previously authorized DID update keys remain sufficient for future control-sensitive operations.
Unless an applicable governance profile explicitly defines a continuity procedure:
At minimum, transfer handling SHOULD include an explicit continuity review phase.
During this phase:
suspended or frozen state until a governance decision is reachedThis rule exists to prevent stale authority from surviving a real change in namespace control.
If current legitimate control of the corresponding .cn domain can no longer be demonstrated, then:
Loss of control MAY arise from:
A did:cndomain DID Document MAY express delegated authority for certain operations, especially for object-level DIDs.
However, a delegation:
.cn domain unless an applicable governance profile explicitly permits such continuity.Accordingly, delegation under this method is conditional, not absolute.
This section defines the method-level semantics of domain control binding.
This specification defines the baseline control-proof requirements for method conformance, including:
The did:cndomain Control Proof Profile, if used, MAY define stricter procedures and policy levels.
Where a conflict arises between this section and an applicable profile, this section governs the method-level semantics and baseline control-binding behavior, while the applicable profile governs additional operational behavior, unless otherwise explicitly stated.
A did:cndomain identifier MUST NOT be treated as authoritative for control-sensitive trust decisions unless its DID authority remains consistent with current legitimate control of the corresponding .cn domain.
This requirement applies even where:
For did:cndomain, namespace control and DID control are intentionally bound together.
This section defines the lifecycle status model for did:cndomain.
Because did:cndomain identifiers are anchored to the .cn domain namespace, DID lifecycle state is sensitive not only to DID-specific actions, but also to domain state, control changes, governance events, and related restrictions.
A did:cndomain identifier MUST be interpreted in light of its lifecycle state where such state is available.
This specification defines the following primary lifecycle states:
activesuspendedfrozendeactivatedAn applicable governance profile MAY define additional operational sub-states, provided that such sub-states do not conflict with the method-level semantics defined here.
A DID in the active state is valid for normal use under this method.
When a did:cndomain identifier is active:
A DID SHOULD be treated as active only when there is no applicable restriction, freeze, or deactivation condition affecting the corresponding DID or its domain anchor.
A DID in the suspended state is temporarily restricted.
The suspended state is intended for situations where the DID remains identifiable and potentially recoverable, but normal control-sensitive operations should not proceed without further review or restoration.
A did:cndomain identifier MAY enter suspended state due to events such as:
When a DID is suspended:
A suspended DID MUST NOT be silently treated as fully equivalent to an active DID.
A DID in the frozen state is subject to a stronger restriction than suspended.
The frozen state is intended for situations involving dispute, judicial action, regulatory intervention, compliance enforcement, or another governance-imposed restriction requiring stricter control.
A did:cndomain identifier MAY enter frozen state due to events such as:
When a DID is frozen:
A frozen DID MAY later transition to:
active, if the restriction is resolvedsuspended, if a lower restriction remains appropriatedeactivated, if final termination is required.A DID in the deactivated state is no longer valid for active trust use under this method.
A did:cndomain identifier MAY enter deactivated state when, for example:
When a DID is deactivated:
A deactivated DID MAY still be returned for historical, audit, transparency, or inspection purposes, but MUST NOT be presented as a currently active authority.
A did:cndomain identifier MAY transition between lifecycle states in accordance with this specification and any applicable governance profile.
Typical transitions MAY include:
active → suspendedactive → frozenactive → deactivatedsuspended → activesuspended → frozensuspended → deactivatedfrozen → activefrozen → suspendedfrozen → deactivatedBy default, deactivated SHOULD be treated as final.
A governance profile MAY define narrowly scoped reactivation conditions, but such reactivation MUST be explicit, auditable, and policy-governed.
Lifecycle state determination SHOULD take into account, where applicable:
.cn domainNo lifecycle state decision SHOULD be based solely on stale historical publication if current domain authority has materially changed.
A resolver SHOULD take lifecycle state into account when returning a resolution result.
Recommended behavior:
active: return normal resolution outputsuspended: return the DID Document where allowed, with metadata indicating suspensionfrozen: return the DID Document only where permitted, with clear metadata or structured restriction signalingdeactivated: return deactivation metadata or structured error signaling, and do not present the DID as active.An applicable resolution profile MAY define more specific error codes, metadata field names, or policy-driven restrictions for each state.
This section defines the method-level meaning of lifecycle states during resolution. Detailed operational handling of restricted states MAY be further refined by applicable resolution and governance profiles.
Lifecycle state SHOULD be signaled through DID document metadata, DID resolution metadata, or another profile-defined mechanism.
Recommended status values include:
activesuspendedfrozendeactivatedWhere state metadata is returned, it SHOULD be sufficiently clear to allow relying parties to distinguish:
An implementation SHOULD avoid embedding temporary transport or operational state directly into the DID subject semantics unless such treatment is explicitly defined.
Lifecycle state changes SHOULD be auditable.
An implementation SHOULD record, where applicable:
High-impact transitions SHOULD receive stricter audit treatment, especially:
frozendeactivatedFurther governance-specific procedures MAY be defined in an applicable governance profile.
This section defines the method-level meaning of lifecycle states.
The operational consequences of lifecycle state, including whether updates are allowed, whether reactivation is possible, and how resolution behaves, MUST be applied consistently with:
An applicable governance profile MAY refine operational details, but MUST NOT contradict the method-level meaning of the lifecycle states defined here.
A did:cndomain identifier MUST NOT be treated as fully active if its known lifecycle state is inconsistent with current legitimate control of the corresponding .cn domain.
If lifecycle information is available and indicates restriction or final invalidation, relying parties, resolvers, and management systems MUST interpret the DID accordingly.
For this method, lifecycle state is not an optional cosmetic property. It is part of the authoritative interpretation of the DID within the domain-anchored trust model.
This section defines the governance considerations applicable to the did:cndomain method.
The did:cndomain method is domain-governed by design. Accordingly, its operation depends not only on syntactic validity and cryptographic proof, but also on governance rules that determine how domain control, lifecycle events, disputes, restrictions, and exceptional cases are to be interpreted.
This section does not attempt to define a single universal governance institution. Instead, it defines the categories of governance concern that a conforming deployment, profile, or ecosystem implementation of did:cndomain SHOULD address.
A governance framework for did:cndomain SHOULD address at least the following:
.cn domain is recognizedThe governance framework MAY be implemented by one or more technical, administrative, or policy mechanisms.
An implementation or deployment profile MAY define governance roles, including but not limited to:
The existence of a role in governance documentation MUST NOT, by itself, imply unrestricted authority over a DID. Any authority claimed by such a role MUST remain consistent with the method-level rules of domain anchoring, lifecycle control, and proof requirements defined by this specification.
A governance profile SHOULD define who may create or operate a did:cndomain identifier.
At a minimum, the governance framework SHOULD clarify:
.cn domain may create a DID for that domainA governance framework MAY define higher-assurance requirements for sensitive identifiers or operations.
A governance framework for did:cndomain SHOULD define how domain events affect DID interpretation and lifecycle.
Relevant events MAY include:
The governance framework SHOULD define whether each such event results in:
Under this method, governance mappings for domain-status signals (including EPP status codes or equivalent registrar/registry status indicators) SHOULD be explicit, deterministic, and auditable.
At minimum, the governance framework SHOULD define:
suspended or frozen treatment pending review).Domain-status signals MUST NOT, by themselves, be treated as sufficient authorization for control-sensitive operations. Applicable DID-side authorization and domain-control proof requirements remain in force.
Because did:cndomain is domain-anchored, continuity across domain transfer or control change is a governance-sensitive matter.
A governance framework SHOULD define:
Unless explicitly defined otherwise by governance policy, continuity SHOULD NOT be assumed automatically after a material change in domain control.
To avoid ambiguous takeover semantics, the governance framework SHOULD define transfer outcomes as explicit, auditable control-sensitive decisions rather than implicit side effects of publication timing.
A governance framework SHOULD define how disputes and conflicting authority claims are handled.
Such disputes MAY involve:
Where a dispute exists, the governance framework MAY require:
A DID under unresolved dispute SHOULD NOT be treated as fully active for control-sensitive decisions.
At minimum, unresolved-dispute handling SHOULD apply explicit restricted-state treatment:
suspended or frozen state until the dispute is resolved through a defined governance processA governance framework MAY define exceptional actions, including:
Such actions MUST be tightly constrained.
An exceptional action SHOULD:
A governance framework SHOULD define which events must be recorded for audit purposes.
At a minimum, auditable events SHOULD include, where applicable:
An implementation MAY use append-only logging, transparency services, signed event records, or other integrity-preserving audit mechanisms.
This specification permits governance profiles tailored to different deployment environments.
A governance profile MAY define:
A governance profile MUST NOT contradict the method-level semantics defined by this specification, especially with respect to:
A did:cndomain deployment MUST NOT treat governance as an entirely external or irrelevant concern.
Because this method is domain-governed by design, a conforming deployment SHOULD define at least a minimal governance position covering:
Detailed governance procedures MAY be defined in an applicable governance profile.
Where a conflict arises between this section and an applicable profile, this section governs the method-level semantics, while the applicable profile governs detailed operational behavior, unless otherwise explicitly stated.
This section defines the principal security considerations for the did:cndomain method.
As required by DID Core, a DID method specification must describe security considerations relevant to method syntax, control, update, resolution, and lifecycle behavior. The did:cndomain method is domain-anchored and therefore has security properties that arise both from decentralized identifier management and from .cn domain control dependencies.
The security of did:cndomain depends on the integrity of all of the following:
A failure in any of these areas MAY lead to incorrect trust decisions.
A major security risk for did:cndomain arises when a previously valid DID control or update key remains available after the underlying domain authority has materially changed.
This MAY occur after:
For this reason, implementations MUST NOT rely solely on historical DID key possession for control-sensitive operations. Update or lifecycle authority MUST remain conditioned on current legitimate domain control as defined by this specification.
An attacker who gains unauthorized control over a domain, or over the mechanisms used to prove domain control, MAY attempt to assume DID authority.
Risks include:
Implementations SHOULD consider mitigations including:
Because this method may use DNS for endpoint discovery, security risks include:
Implementations SHOULD consider:
DNS under this method is a discovery plane, not a complete trust plane. Discovery results SHOULD therefore always be validated against retrieved DID Document content and method rules.
Because this method uses HTTPS to retrieve DID Documents, security risks include:
Resolvers and relying parties SHOULD:
id matches the requested DID exactlyPublishers and deployers of DID Document endpoints SHOULD enable HSTS and avoid deployment patterns that allow HTTPS downgrade exposure.
A did:cndomain DID Document MAY be syntactically valid while still being inconsistent with the current domain authority state.
Examples include:
Implementations MUST account for the fact that syntactic validity and current authority are not always identical.
Object-level DIDs and delegated controllers introduce additional security complexity.
Risks include:
Implementations SHOULD ensure that:
Where control-sensitive operations rely on proof mechanisms, replay attacks are a significant concern.
Implementations SHOULD ensure that proof procedures are:
Expired, reused, or context-mismatched proofs MUST be rejected.
A DID in suspended, frozen, or deactivated state presents additional security considerations.
If a relying party ignores lifecycle state, it may incorrectly accept a DID that should no longer be trusted for active decisions.
Accordingly:
deactivated DIDs MUST NOT be treated as activefrozen DIDs MUST NOT be treated as fully active for control-sensitive purposessuspended DIDs SHOULD be treated cautiously according to governance and application policy.Historical DID Documents, cached discovery data, or stale lifecycle metadata MAY cause incorrect trust decisions if treated as current without validation.
Implementations SHOULD:
Governance-authorized override or administrative action may be necessary in some environments, but it introduces additional security risks, including:
Where such mechanisms exist, they SHOULD be:
A conforming deployment of did:cndomain SHOULD implement security controls that ensure, at a minimum:
For DID method review, implementations and deployments SHOULD evaluate at least the following security categories:
Residual risk remains where domain registration systems, registrar accounts, DNS hosting, HTTPS publication infrastructure, or governance processes are compromised. Deployments SHOULD document their operational assumptions and incident response procedures for those dependencies.
This section defines the principal privacy considerations for the did:cndomain method.
As required by DID Core, a DID method specification should explain how the method may affect privacy and what measures can reduce unnecessary exposure. Because did:cndomain is anchored to publicly meaningful domain names and may also support object-level identifiers, privacy risks may arise from both identifier design and publication behavior.
A did:cndomain identifier is domain-centric.
This means that privacy characteristics of the method are influenced by:
In many cases, the domain anchor itself may already reveal organizational, operational, or brand-related information.
A stable DID anchored to a publicly recognizable domain MAY enable correlation across contexts.
This risk is especially relevant when:
Implementations and deployers SHOULD consider whether the same domain-level or object-level DID should be reused universally, or whether more context-limited publication and usage patterns are appropriate.
Object-level identifiers may expose internal structure, operational roles, or resource topology.
Examples of potentially revealing names include:
resource:gpu0service:billingservice:adminThese examples are illustrative and syntactically valid under this method. They are not prohibited by default.
In lower-sensitivity deployments, descriptive names may be operationally appropriate. Where exposure risk is higher, descriptive names MAY reveal:
Implementations SHOULD avoid unnecessarily descriptive object-local names where such exposure creates material risk.
For sensitive deployments, producers SHOULD prefer non-descriptive high-entropy object-local names. Where deterministic derivation is required, salted or keyed derivation SHOULD be preferred over predictable cleartext naming or unsalted hash-only naming.
DNS discovery records and well-known HTTPS publication paths may reveal that a domain participates in a DID-based identity system.
This disclosure may be acceptable in many deployments, but it can still reveal:
Deployers SHOULD assess whether dedicated trust endpoints, reduced public metadata, or more selective publication strategies are appropriate for their context.
A DID Document may expose more information than is strictly necessary.
Potentially sensitive information may include:
Implementations SHOULD apply data minimization. Only information necessary for intended interoperability and trust functions SHOULD be published publicly.
Lifecycle metadata such as suspended, frozen, or deactivated may itself reveal operational or governance-sensitive facts.
For example, a public frozen state may imply:
Where lifecycle metadata is disclosed, implementations SHOULD ensure that the disclosure is proportionate, policy-consistent, and no more revealing than necessary for relying parties to make correct trust decisions.
Auditability is important for this method, but audit logs may themselves contain sensitive information.
Logged data MAY reveal:
Implementations SHOULD define retention, access control, and minimization policies for audit data.
Transparency mechanisms, where used, SHOULD avoid publishing unnecessary personal or operational detail.
Resolvers may observe DID queries and resolution patterns.
This MAY reveal:
Where resolver privacy is important, deployers and implementers SHOULD consider:
Historical DID Documents and retained metadata may expose prior controllers, services, or relationships that are no longer current.
While historical records may be valuable for audit or transparency, they MAY also reveal past internal structure or control history.
Implementations SHOULD define whether historical representations are retained, how they are accessed, and how long they are made available.
This section maps the privacy considerations of did:cndomain to privacy threat categories commonly used in RFC6973 and DID Core privacy review.
This mapping does not create additional protocol mechanisms. It identifies how the method’s domain-anchored design may affect privacy and where deployers should apply the mitigations described in this section.
.cn domain. Deployers SHOULD assess whether such identification is necessary for the intended trust function before publishing the information.A conforming deployment of did:cndomain SHOULD apply the principle of minimum necessary disclosure.
In particular:
A conforming deployment of did:cndomain SHOULD, at a minimum:
This section provides implementation considerations for did:cndomain.
The purpose of this section is not to redefine the method semantics, but to clarify how the method may be implemented in a conforming and operationally coherent manner.
A practical implementation of did:cndomain typically involves multiple functional roles, including:
An implementation MAY combine these functions into a single system or distribute them across multiple systems, provided that the overall behavior remains consistent with this specification and any applicable profile.
A minimally functional did:cndomain deployment SHOULD include all of the following:
did:cndomain identifiersA deployment that lacks one or more of the above elements MAY still be useful for experimentation, but SHOULD NOT claim full operational support for the method.
A publisher of did:cndomain DID Documents SHOULD ensure that:
id exactly matches the DID being publishedA publisher SHOULD NOT continue to publish a DID Document as if it were fully active once current legitimate control of the corresponding .cn domain can no longer be demonstrated.
A did:cndomain resolver SHOULD ensure that it can:
.cn domain anchor correctlyA resolver SHOULD treat lifecycle metadata, domain control changes, and governance-sensitive restrictions as meaningful inputs to trust interpretation, rather than as optional informational hints.
Companion resolution/discovery profiles MAY define stricter procedures, but implementations SHOULD remain conformant to the baseline rules of Section 8.
An implementation that supports create, update, delegation, suspension, freezing, deactivation, or reactivation MUST implement control proof verification consistent with this specification.
At a minimum, such an implementation MUST ensure that:
A system SHOULD NOT authorize a control-sensitive operation solely on the basis of historical publication or stale proof artifacts.
Companion control-proof profiles MAY define stricter proof policy levels and additional governance-triggered checks.
An implementation SHOULD include a mechanism for lifecycle management.
Such a mechanism SHOULD be capable of:
An implementation MAY realize lifecycle management through:
Whatever mechanism is used, it SHOULD preserve clear distinction between:
An implementation supporting object-level identifiers SHOULD define how object identifiers are created, named, and managed beneath a parent domain.
In particular, such an implementation SHOULD define:
An implementation SHOULD avoid ambiguous or unstable naming practices for object-level identifiers.
Implementations that cache discovery results or DID Documents SHOULD do so carefully.
A caching strategy SHOULD take into account:
An implementation SHOULD avoid treating cached resolution data as authoritative when there is reason to suspect a material change in domain control or lifecycle state.
An implementation SHOULD log high-impact events relevant to authority and lifecycle interpretation.
Such events MAY include:
Logs SHOULD be:
A deployment MAY introduce an external tamper-evident audit layer, including a blockchain-based integrity log, for DID Document hash anchoring, lifecycle event traceability, and status proof publication. Such a layer is additive and MUST NOT replace the baseline HTTPS publication and resolution requirements defined by this specification.
An implementation of did:cndomain SHOULD clearly state which profiles it supports.
This MAY include support for:
An implementation SHOULD NOT claim support for the method in a way that obscures major unsupported features or materially incompatible profile behavior.
Further governance-specific procedures MAY be defined in an applicable governance profile.
Where a conflict arises between this section and an applicable profile, this section governs the method-level semantics, while the applicable profile governs detailed operational behavior, unless otherwise explicitly stated.
A conforming operational implementation of did:cndomain SHOULD, at a minimum:
The examples in this section are non-normative and are provided solely to illustrate possible uses of this method.
Any lowercase keywords in this section are descriptive only and do not introduce additional normative requirements.
Example domain-level DID:
did:cndomain:example.cn
This identifier represents the domain-level subject anchored to example.cn.
Example subdomain DID:
did:cndomain:sub.example.cn
This identifier represents a subject anchored to the subdomain sub.example.cn.
Example object-level service DID:
did:cndomain:example.cn:service:web
This identifier represents a service object named web under the authority of example.cn.
Example object-level resource DID:
did:cndomain:example.cn:resource:gpu0
This identifier represents a resource object named gpu0 under the authority of example.cn.
Example DID Document for a domain-level DID:
{
"@context": [
"https://www.w3.org/ns/did/v1",
"https://w3id.org/security/suite/jws-2020/v1",
"https://identity.foundation/.well-known/did-configuration/v1"
],
"id": "did:cndomain:example.cn",
"controller": "did:cndomain:example.cn",
"verificationMethod": [
{
"id": "did:cndomain:example.cn#key-1",
"type": "JsonWebKey2020",
"controller": "did:cndomain:example.cn",
"publicKeyJwk": {
"kty": "OKP",
"crv": "Ed25519",
"x": "VCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ"
}
}
],
"authentication": [
"did:cndomain:example.cn#key-1"
],
"assertionMethod": [
"did:cndomain:example.cn#key-1"
],
"service": [
{
"id": "did:cndomain:example.cn#did-document",
"type": "LinkedDomains",
"serviceEndpoint": "https://example.cn"
}
]
}
Example DID Document for an object-level DID:
{
"@context": "https://www.w3.org/ns/did/v1",
"id": "did:cndomain:example.cn:resource:gpu0",
"controller": "did:cndomain:example.cn"
}
Example DNS base discovery record:
_did.example.cn. IN URI 10 1 "https://trust.example.cn/.well-known/did/"
This indicates that a resolver may construct the final DID Document retrieval URL from the discovered base endpoint according to Section 8.4.
If no DNS discovery record is present, a resolver may use a default fallback rule.
Example domain-level retrieval URL:
https://example.cn/.well-known/did/cndomain.json
Example object-level retrieval URL:
https://example.cn/.well-known/did/cndomain/resource/gpu0.json
Example successful resolution result:
{
"didDocument": {
"@context": "https://www.w3.org/ns/did/v1",
"id": "did:cndomain:example.cn"
},
"didDocumentMetadata": {
"cndomainLifecycleState": "active",
"updated": "2026-04-08T10:00:00Z"
},
"didResolutionMetadata": {
"contentType": "application/did+ld+json",
"discoverySource": "dns-uri",
"retrievalUrl": "https://trust.example.cn/.well-known/did/cndomain.json"
}
}
Example resolution metadata for a suspended DID:
{
"didDocumentMetadata": {
"cndomainLifecycleState": "suspended"
},
"didResolutionMetadata": {
"warning": "The DID is currently suspended."
}
}
This indicates that the DID remains identifiable, but normal trust use may be restricted.
Example resolution metadata for a frozen DID:
{
"didDocumentMetadata": {
"cndomainLifecycleState": "frozen"
},
"didResolutionMetadata": {
"warning": "The DID is currently frozen and subject to governance restriction."
}
}
This indicates that stronger governance restrictions apply.
Example deactivation result:
{
"didDocument": null,
"didDocumentMetadata": {
"deactivated": true,
"cndomainLifecycleState": "deactivated"
}
}
This indicates that the DID is no longer active for current trust decisions.
Example conceptual control proof context:
{
"did": "did:cndomain:example.cn",
"domain": "example.cn",
"operation": "update",
"nonce": "7f31ab92",
"issuedAt": "2026-04-08T10:30:00Z",
"expiresAt": "2026-04-08T10:35:00Z"
}
A conforming implementation would require both:
example.cn.This example illustrates a case in which an object-level DID remains anchored to a parent .cn domain, while a delegated controller is explicitly identified for limited operational purposes.
Example object-level DID:
did:cndomain:example.cn:service:web
Example DID Document with delegated controller:
{
"@context": [
"https://www.w3.org/ns/did/v1",
"https://w3id.org/security/suite/jws-2020/v1"
],
"id": "did:cndomain:example.cn:service:web",
"controller": [
"did:cndomain:example.cn",
"did:example:ops-team-01"
],
"verificationMethod": [
{
"id": "did:cndomain:example.cn:service:web#ops-key-1",
"type": "JsonWebKey2020",
"controller": "did:example:ops-team-01",
"publicKeyJwk": {
"kty": "OKP",
"crv": "Ed25519",
"x": "VCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ"
}
}
],
"authentication": [
"did:cndomain:example.cn:service:web#ops-key-1"
]
}
Interpretation:
did:cndomain:example.cndid:example:ops-team-01 is explicitly identified for limited control purposesexample.cnexample.cn would normally trigger re-evaluation of the delegated authorityThe following are examples of identifiers that are not valid under this specification:
did:cndomain:example.com
did:cndomain:Example.cn
did:cndomain:example.cn:service
did:cndomain:example.cn:service:web:extra
did:cndomain:
These examples are invalid because:
.cn namespaceThis section defines conformance requirements for implementations of the did:cndomain method.
The key words “MUST”, “MUST NOT”, “SHOULD”, “SHOULD NOT”, and “MAY” in this specification are to be interpreted as described in RFC 2119 and RFC 8174 when, and only when, they appear in all capitals.
An implementation claiming conformance with did:cndomain MUST conform to the normative requirements applicable to the functions it performs.
An implementation claiming conformance with the did:cndomain method MUST:
An implementation MUST NOT claim conformance if it knowingly ignores the domain-anchored authority model defined by this specification.
An implementation claiming conformance as a did:cndomain resolver MUST:
did:cndomain identifiers as input.cn domain anchor correctlyA resolver MUST NOT present a deactivated DID as if it were fully active.
Companion resolution/discovery profiles MAY define stricter procedures, but baseline resolver conformance is defined by this specification.
An implementation claiming conformance as a DID Document publisher MUST:
id exactly matches the DID being representedA publisher SHOULD ensure that publication changes are auditable.
An implementation claiming conformance for create, update, delegation, suspension, freezing, deactivation, or reactivation functions MUST:
.cn domain cannot be establishedAn implementation performing such control-sensitive operations SHOULD support a control proof procedure that is compatible with the baseline requirements of this specification.
If a companion control-proof profile is adopted, the implementation MUST apply that profile consistently for the claimed scope.
An implementation supporting object-level DIDs MUST:
.cn domain authority unless a valid delegation model explicitly defines otherwiseAn implementation claiming lifecycle-aware conformance MUST:
active and deactivatedsuspended and frozen consistently if those states are supportedAn implementation MAY support additional sub-states, provided that they do not contradict the method-level lifecycle semantics of this specification.
An implementation MAY claim support for one or more did:cndomain profiles, including:
If an implementation claims support for an applicable did:cndomain profile, it MUST implement the normative requirements of that profile consistently and MUST clearly identify any unsupported optional features.
Claiming no companion profile support does not prevent baseline conformance to this method specification.
An implementation SHOULD clearly disclose which profiles, options, and object classifications it supports.
Where a conflict arises between this section and an applicable profile, this section governs the method-level semantics, while the applicable profile governs detailed operational behavior, unless otherwise explicitly stated.
A partial implementation MAY conform to a subset of did:cndomain functions, provided that:
For example:
The following are examples of non-conforming behavior:
.cn domains as valid method anchorsid does not exactly match the requested DIDAn implementation engaging in such behavior MUST NOT claim conformance with this specification.
At a minimum, an implementation claiming meaningful conformance with did:cndomain SHOULD demonstrate that it can do all of the following for its claimed role: