DID and DID Document publication in Identity Hub #516
Hello everyone, I am struggling trying to understand the architecture behind the use of the Identity Hub component within my dataspace. On the other hand, each connector must have a DID (and a DID Document) that identifies it. This DID Document must be registered in the corresponding Identity Hub (and all subsequent steps with VCs and VPs) so that any other participant within the dataspace is able to verify the identity of the DID owner. However, the Identity API documentation (https://eclipse-edc.github.io/IdentityHub/openapi/identity-api/#/DID/publishDid) explicitly states that the DID Document to be published (registered) must already be available in the database ("_Publish an (existing) DID document. The DID is expected to exist in the database_"). In which database? How can I store the DID document in the Identity Hub database (wherever it is) without using the Identity API? Is there a configuration parameter that indicates where the DID Document is stored? For example, in a test environment, could I have the DID document stored on a simple HTTP server and still make the `POST /v1alpha/participants/{participantId}/dids/publish` request? I hope I have explained myself well enough. Otherwise, please feel free to ask. Thank you so much!
Replies: 1 comment 1 reply
I think you misunderstood something there. When you create a "user" (= participant context) in IdentityHub, a DID Document is created for you in the database, alongside a key pair and some other bits and pieces.

Depending on whether the participant context is active or not (e.g. through the `isActive` flag in the creation request), the DID document is hosted (= exposed to the internet) by the internal DID hosting service (`DidWebController`).

Let's say you then want to add another endpoint to your (already published) DID document, then you'd have to either manually publish the DID again, or you set the `autoPublish` parameter to `true`, so that change is reflected in the publicly accessible document.

Side note: you can use other DID hosting platforms as well such as CDNs but you will then have to implement your own

edit: technically, a participant in a dataspace is identified by its participant ID, and one IdentityHub can manage multiple participants. This is useful if e.g. a large corporation with several subsidiaries allocates one participant ID per subsidiary, but only wants to operate one IdentityHub.
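An added illustration, not part of the replies above and not IdentityHub code: whether the document is served by the built-in hosting service or by a plain HTTP server, other participants locate it from the DID itself. The sketch assumes the DID uses the `did:web` method (suggested by the `DidWebController` name) and applies that method's URL-mapping rules, then sanity-checks a fetched document. The DID, host and key values are constructed, and the verification-method check is a conservative local policy rather than a rule taken from the page.

```python
from urllib.parse import unquote

def did_web_to_url(did: str) -> str:
    """Map a did:web identifier to the HTTPS URL a resolver fetches."""
    prefix = "did:web:"
    if not did.startswith(prefix):
        raise ValueError("not a did:web identifier")
    parts = did[len(prefix):].split(":")
    if not all(parts):
        raise ValueError("empty segment in DID")
    host = unquote(parts[0])                 # %3A in the host segment encodes a port
    path = [unquote(p) for p in parts[1:]]   # remaining segments become the URL path
    # Reject segments that would escape the intended path once decoded.
    if "/" in host or any("/" in p or p in (".", "..") for p in path):
        raise ValueError("path traversal in DID")
    if path:
        return f"https://{host}/{'/'.join(path)}/did.json"
    return f"https://{host}/.well-known/did.json"

def check_document(did: str, doc: dict) -> list:
    """Return the problems found in a fetched DID document (empty list = OK)."""
    problems = []
    if doc.get("id") != did:
        problems.append("document id does not match the DID that was resolved")
    methods = doc.get("verificationMethod", [])
    if not methods:
        problems.append("no verification method, nothing to verify signatures with")
    for vm in methods:
        # Conservative policy (assumption): keys must be identified under this DID.
        if not str(vm.get("id", "")).startswith(did + "#"):
            problems.append(f"verification method outside this DID: {vm.get('id')}")
    return problems

# Constructed sample data for a hypothetical participant.
SAMPLE_DID = "did:web:connector.example.com%3A8443:alice"
SAMPLE_DOC = {
    "id": SAMPLE_DID,
    "verificationMethod": [{
        "id": SAMPLE_DID + "#key-1",
        "type": "JsonWebKey2020",
        "controller": SAMPLE_DID,
        "publicKeyJwk": {"kty": "OKP", "crv": "Ed25519", "x": "constructed-value"},
    }],
}

if __name__ == "__main__":
    print(did_web_to_url(SAMPLE_DID))
    print(check_document(SAMPLE_DID, SAMPLE_DOC) or "document looks consistent")
```
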