| Internet-Draft | DID7 URN Method | March 2026 |
| Herman | Expires 25 September 2026 | [Page] |
This document specifies the did7:web7
Decentralized Identifier (DID) method, which defines
a deterministic mapping from Uniform Resource Names
(URNs) (RFC 8141) into a DID-compatible
identifier format called a Decentralized Universal Resource Name
(URN). The did7:web7 method preserves URN
semantics, enables DID resolution without mandatory
centralized infrastructure, and provides optional
cryptographic and service-layer extensibility. The
method is fully compatible with the W3C DID Core
specification (W3C DID Core, 2022) and the
broader DID ecosystem.¶
This note is to be removed before publishing as an RFC.¶
This Internet-Draft is derived from the Web 7.0 Foundation specification "SDO: W3C Decentralized Resource Name (URN) DID Method (Web 7.0)" authored by Michael Herman, published 24 March 2026 at https://hyperonomy.com/2026/03/24/ sdo-web-7-0-decentralized-resource-name-urn-did-method/ and licensed under the Creative Commons Attribution-ShareAlike 4.0 International Public License. Web 7.0(TM), Web 7.0 DIDLibOS(TM), TDW AgenticOS(TM), TDW(TM), Trusted Digital Web(TM), and Hyperonomy(TM) are trademarks of the Web 7.0 Foundation. All Rights Reserved.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 25 September 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
Uniform Resource Names (URNs) [RFC8141] provide a well-established mechanism for assigning persistent, location-independent identifiers to resources. However, URNs predate the Decentralized Identifier (DID) ecosystem [W3C.DID-CORE] and lack native support for DID resolution, DID Document retrieval, cryptographic verification methods, or service endpoint declaration.¶
At the same time, many existing information systems such as bibliographic catalogues, digital libraries, standards registries, and supply-chain systems rely heavily on URN-based identification. Retrofitting these systems with entirely new identifier schemes is often impractical.¶
The did7:web7 method bridges this gap. It
defines a deterministic, reversible transformation
from any well-formed URN into a DID-compatible
identifier called a Decentralized Universal Resource Name
(URN). The resulting DID is fully resolvable, is
backwards compatible with the source URN, requires
no mandatory centralized registry, and is composable
with other DID methods such as did:key,
did:web, and did:peer.¶
The primary design goals of did7:web7 are:¶
The did7:web7 method is positioned as a
universal adapter between the URN and DID ecosystems,
serving as a semantic identity bridge that preserves
existing meaning while enabling participation in the
modern decentralized identity landscape.¶
The key words MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, NOT RECOMMENDED, MAY, and OPTIONAL in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals as shown here.¶
urn:<NID>:<NSS>.¶
isbn, uuid, ietf).¶
did7:web7
method namespace; the method-specific identifier
portion of a did7:web7 DID.¶
did:key-compatible equivalent
identifier.¶
The method name that identifies this DID method is:
urn.¶
A DID conforming to this specification begins with
the prefix did7://web7/. This prefix is
case-insensitive for resolution purposes, but
implementations SHOULD produce
lowercase prefixes in all output.¶
The ABNF grammar for a did7:web7 DID is
as follows:¶
did-web7-urn = "did7://web7/" urn urn = "urn:" NID ":" NSS NID = <URN Namespace Identifier per RFC 8141> NSS = <Namespace-Specific String per RFC 8141>¶
The following are conformant examples of
did7:web7 identifiers:¶
did7://web7/urn:isbn:9780141036144 did7://web7/urn:uuid:6ba7b810-9dad-11d1-80b4-00c04fd430c8 did7://web7/urn:ietf:rfc:8141 did7://web7/urn:epc:id:sgtin:0614141.107346.2017¶
Implementations MUST normalize
the embedded URN according to the lexical
equivalence and case-folding rules specified in
Section 3.1 of [RFC8141]
before constructing or comparing a
did7:web7 identifier. Namespace-specific
comparison rules (q-component handling, etc.) as
registered with IANA for each NID
MUST also be preserved.¶
Percent-encoding normalization (Section 2.1 of [RFC3986]) applies to the NSS component where permitted by the applicable namespace registration.¶
A given URN MUST map
deterministically to exactly one
did7:web7 identifier. The transformation
is purely syntactic; no randomness or external
state is introduced. Two URNs that are lexically
equivalent per [RFC8141]
MUST produce the same
did7:web7.¶
The original URN MUST be exactly
recoverable from the did7:web7 identifier
without loss of information. No encoding,
hashing, or irreversible transformation is
applied to the URN content.¶
Baseline resolution of a did7:web7
identifier MUST NOT require
access to any centralized registry, distributed
ledger, or network service. A conformant resolver
MUST be capable of constructing a
minimal conformant DID Document entirely from the
information contained within the DID string
itself (see Mode 1,
Section 7.3).¶
The resolution input is a did7:web7
string conforming to the syntax defined in
Section 5.1, optionally accompanied
by resolution options as defined in
[W3C.DID-RESOLUTION].¶
Input: did7://web7/<urn>¶
A conforming resolver MUST return
a DID Document. The minimum conformant DID
Document for any did7:web7 identifier is:¶
{
"@context": "https://www.w3.org/ns/did/v1",
"id": "did7://web7/urn:isbn:9780141036144",
"alsoKnownAs": [
"urn:isbn:9780141036144"
]
}
¶
The alsoKnownAs property
MUST contain the embedded URN in
its normalized form (per
Section 5.2).¶
A conformant resolver MUST support stateless resolution. In this mode the resolver constructs the DID Document locally from the DID string alone, without any external network lookup.¶
Properties of this mode:¶
Resolvers SHOULD support derivation of a cryptographic fingerprint from the canonical URN. The fingerprint is derived as:¶
fingerprint = hash(canonical-urn)¶
where canonical-urn is the normalized
URN string (UTF-8 encoded) and hash
is a cryptographic hash function registered
for use with did:key (e.g., SHA-256
with multibase encoding
[I-D.multiformats-multibase]).
The derived fingerprint
SHOULD be expressed as a
did:key identifier and added to the
DID Document as follows:¶
"equivalentId": [ "did:key:<multibase-encoded-fingerprint>" ]¶
Resolvers MAY perform external discovery to supplement the locally constructed DID Document. Permitted discovery mechanisms include:¶
/.well-known/did.json).¶
Discovery rules SHOULD be
namespace-aware, such that a resolver for
urn:isbn: DIDs may apply different
discovery heuristics than one for
urn:uuid: DIDs.¶
When external discovery yields a DID
Document, that document
MUST be validated for
consistency with the locally constructed
baseline document before being returned to
the caller. Specifically, the id
and alsoKnownAs values
MUST match the baseline.¶
Every DID Document produced by a
did7:web7 resolver
MUST conform to the following
template:¶
{
"@context": "https://www.w3.org/ns/did/v1",
"id": "did7://web7/<urn>",
"alsoKnownAs": ["<urn>"]
}
¶
Where <urn> is the normalized
URN as defined in
Section 5.2.¶
A DID Document MAY include
one or more verification method entries to
support cryptographic operations associated
with the identified resource. The following
is an example using the
Ed25519VerificationKey2020 type:¶
"verificationMethod": [
{
"id": "did7://web7/<urn>#key-1",
"type": "Ed25519VerificationKey2020",
"controller": "did7://web7/<urn>",
"publicKeyMultibase": "z6Mk..."
}
]
¶
Verification methods MUST conform to Section 5.2 of [W3C.DID-CORE].¶
A DID Document MAY include service endpoint entries to enable discovery of resources or services associated with the URN. The following is an illustrative example:¶
"service": [
{
"id": "did7://web7/<urn>#resource",
"type": "URNResourceService",
"serviceEndpoint":
"https://example.com/urn/<encoded-urn>"
}
]
¶
Service endpoints MUST
conform to Section 5.4 of
[W3C.DID-CORE]. The
type value
SHOULD be registered in a
publicly accessible DID Specification
Registries entry
[W3C.DID-SPEC-REGISTRIES].¶
Where Mode 2 resolution
(Section 7.3.2) is
supported, the DID Document
MAY include an
equivalentId property expressing
the deterministic fingerprint-derived
did:key as described in
Section 7.3.2.¶
A did7:web7 identifier does not
inherently assert or imply a controller. In the
baseline stateless resolution mode (Mode 1),
the DID Document contains no
controller property. The absence of a
controller property indicates that
control has not been established through this
mechanism.¶
Control over a did7:web7 DID Document
MAY be asserted through any of
the following mechanisms:¶
When a controller is established, the
controller property
MUST be included in the DID
Document and MUST reference a
resolvable DID.¶
The did7:web7 method does not inherently
provide authenticity guarantees. A DID Document
produced by a stateless resolver (Mode 1) is
constructed locally and carries no cryptographic
proof of its origin or integrity.¶
Implementations that require trust assurances SHOULD layer one or more of the following mechanisms on top of the baseline:¶
Consumers of did7:web7 DID Documents
SHOULD NOT infer trustworthiness
solely from the presence of the DID; trust
evaluation MUST take into account
the verification mechanisms present in the DID
Document and the verifier's trust policy.¶
The did7:web7 method supports the following
subset of CRUD operations as defined in
[W3C.DID-CORE]:¶
| Operation | Status | Notes |
|---|---|---|
| Create | Implicit | A URN is created implicitly by forming the syntactic transformation of a well-formed URN per Section 5.1. No registration step is required. |
| Read | REQUIRED | Resolution MUST be supported in at least Mode 1 (stateless), per Section 7.3.1. |
| Update | NOT SUPPORTED | The baseline stateless method does not support document updates. Updates are only possible in Mode 3 via an external discovery service that supports document management. |
| Deactivate | NOT SUPPORTED | Deactivation is not supported in the baseline method. External service layers may implement deactivation semantics independently. |
The did7:web7 method is fully backward
compatible with existing URN infrastructure.
The embedded URN is preserved verbatim (after
normalization) within the DID string, and no
changes to existing URN registries, resolvers,
or applications are required.¶
The alsoKnownAs property in the DID
Document ensures that a did7:web7 DID
can always be mapped back to its source URN,
enabling interoperability with legacy systems
that do not support DID resolution.¶
The did7:web7 method is compatible with
the W3C DID Core specification
[W3C.DID-CORE] and the DID
Resolution specification
[W3C.DID-RESOLUTION]. It is
composable with the following DID methods:¶
did:key - via the deterministic
fingerprint mechanism
(Section 7.3.2).¶
did:web - a did7:web7 DID
Document MAY reference a
did:web service endpoint for
resource discovery.¶
did:peer - pairwise
did:peer identifiers
MAY be used in conjunction
with did7:web7 to reduce correlation
in privacy-sensitive contexts (see
Section 14.2).¶
Implementations MAY register additional DID method compositions in a publicly accessible DID Method Registry.¶
The following design decisions underpin the
did7:web7 specification.¶
Deterministic mapping: Aligning with the broader principle that DID methods SHOULD be deterministic where possible, the syntactic transformation from URN to URN requires no external state and produces stable, reproducible identifiers.¶
Use of alsoKnownAs:
The alsoKnownAs property from
[W3C.DID-CORE] is used rather
than a custom extension to ensure semantic
preservation while remaining fully conformant
with the core specification.¶
Stateless baseline: Requiring only syntactic processing for baseline resolution maximises portability and eliminates single points of failure that would arise from mandatory registry dependencies.¶
Acknowledged trade-offs: The method does not include a built-in trust layer or lifecycle operations (Update/Deactivate) at the baseline level. These capabilities are intentionally delegated to optional layers (Modes 2 and 3, and the controller model of Section 9) so that implementations may adopt only the complexity they require.¶
The deterministic mapping from URN to URN means
that any party who observes a did7:web7
identifier can immediately recover the
underlying URN. Where the URN encodes personally
identifiable information (e.g., a personal UUID
or a registry identifier linked to an
individual), this creates a direct correlation
vector.¶
Additionally, because the transformation is deterministic and publicly known, two parties who independently resolve the same URN will arrive at the same URN, enabling linkage across otherwise unrelated contexts.¶
Implementers handling sensitive or personal identifiers SHOULD consider the following mitigations:¶
did:peer identifiers in contexts
where individual interaction tracking is a
concern, rather than exposing the
did7:web7 identifier directly.¶
did7:web7
identifiers from URNs that encode sensitive
personal data in public or semi-public
contexts.¶
did7:web7 identifier.¶
This document does not address the privacy
properties of the underlying URN namespaces;
implementers MUST consult the
privacy considerations of the applicable
namespace registration before using that
namespace in a did7:web7 context.¶
The baseline did7:web7 method
(Mode 1) provides no inherent
proof-of-control. Any party can construct a
syntactically valid did7:web7 DID from
any well-formed URN without demonstrating
authority over the named resource. This is an
intentional consequence of the
zero-infrastructure design; however, it means
that a did7:web7 DID alone cannot be
used to assert ownership or authority.¶
In Mode 3 (Discovery-Enhanced), resolvers that accept DID Documents from external services are susceptible to spoofed or tampered service endpoints. A malicious service could return a crafted DID Document containing false verification methods or service endpoints.¶
To mitigate the limitations identified above, implementations SHOULD apply the following measures:¶
This document requests registration of the following DID method name in the W3C DID Specification Registries [W3C.DID-SPEC-REGISTRIES]:¶
| Field | Value |
|---|---|
| Method Name |
urn
|
| Status | provisional |
| Specification | This document |
| Contact | See Author's Address |
This document has no other IANA actions.¶
This appendix illustrates a complete
did7:web7 resolution using an ISBN URN as
input, with Mode 2 (fingerprint) and a
service endpoint included.¶
Source URN:¶
urn:isbn:9780141036144¶
Derived URN DID:¶
did7://web7/urn:isbn:9780141036144¶
Resolved DID Document (Modes 1 + 2 + service endpoint):¶
{
"@context": "https://www.w3.org/ns/did/v1",
"id": "did7://web7/urn:isbn:9780141036144",
"alsoKnownAs": [
"urn:isbn:9780141036144"
],
"equivalentId": [
"did:key:zQm..."
],
"service": [
{
"id": "did7://web7/urn:isbn:9780141036144#info",
"type": "BookMetadata",
"serviceEndpoint":
"https://example.org/isbn/9780141036144"
}
]
}
¶
The author thanks the members of the W3C Decentralized Identifier Working Group and the broader DID community for their foundational work on the DID Core specification, and the IETF URN community for their long-standing stewardship of URN namespaces.¶