SSIMPL Specification

Status of This Document

This section describes the status of this document at the time of its publication. A list of current W3C publications and the latest revision of this technical report can be found in the W3C standards and drafts index.

This document was published by the Verifiable Credentials Working Group, the Decentralized Identifier Working Group, and the Web Authentication Working Group as an Editor's Draft.

Publication as an Editor's Draft does not imply endorsement by W3C and its Members.

This is a draft document and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to cite this document as other than a work in progress.

This document was produced by groups operating under the W3C Patent Policy. W3C maintains a public list of any patent disclosures (Verifiable Credentials Working Group), a public list of any patent disclosures (Decentralized Identifier Working Group), and a public list of any patent disclosures (Web Authentication Working Group) made in connection with the deliverables of each group; these pages also include instructions for disclosing a patent. An individual who has actual knowledge of a patent that the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.

This document is governed by the 18 August 2025 W3C Process Document.

The SSIMPL protocol defines a Self-Sovereign Identity & Mondial Pseudonymous Ledger framework that allows individuals to maintain control over their digital identity while enabling verifiable credential issuance and revocation. It bridges physical trust anchors (e.g., ePassports) with digital identity systems, ensuring cryptographic verification without reliance on centralized authorities.

SSIMPL addresses two key problems:

User control over digital identity – eliminating reliance on centralized identity providers.
Verification of identities – ensuring online credentials correspond to real individuals using cryptographic proofs.

The protocol balances decentralization, peer authority, and optional server-assisted synchronization for efficiency and availability.

SSIMPL identities are rooted in cryptographically verifiable credentials derived from Trust Anchors (TA), such as government-issued ePassports. A valid wallet:

Scans a Trust Anchor (TA) via NFC.
Performs an Active Authentication (AA) challenge.
Derives a Verifiable Credential Root (VCR) tied to the user’s DID.
Publishes this Verifiable Credential Root to Relay Peers.

This ensures only owners of verified physical credentials can create valid DIDs.

Level 0: DID confirms human ownership (bot detection).
Level 1: Level 0 + unverified attributes requested via scope.
Level 2: Level 1 + verified credentials requested via scope.

Wallet: The actual software responsible for encapsulating the owners credentials and cryptographic material.
Peers: Mobile devices with the Wallet installed.
Relay Peers: Servers that act both as Peers and distribution points, allowing other Peers to sync their ledger.

The wallet is a Self-Sovereign means of identification that can be installed and bootstrapped entirely independent of any authority. It solely relies on cryptographic proof.

Wallets MUST:

Perform NFC scans of Trust Anchors.
Support Active Authentication challenge verification.
Derive BIP32 keypairs from a BIP39 mnemonic.
Store the master BIP32 keypair in a secure storage section of their device (e.g. Apple Keychain, Android Keystore, due to lack of true HSMs in mobile devices).
Sign and manage the Verifiable Credential Root.
Generate DIDs compliant with did:key for interoperability.
Support JWT issuance and asymmetric key exchange.

Wallets SHOULD:

Encrypt credentials for local storage.
Store additional credentials such as DG11 for user convenience.
Send their signed VCR to Relay Peers.

User installs wallet.
Wallet prompts for MRZ line.
NFC scan and extraction of passport data.
Creation of Verifiable Credential Root (VCR).
BIP39 mnemonic generation.
BIP32 keypair derivation and storage.
Signing of the VCR.
Submission of the VCR to a Relay Peer.

All cryptographically signed objects in SSIMPL MUST follow a uniform, canonical structure, known as the * SignatureDocument*. This ensures consistency across all signed data, including ledger entries, Verifiable Credential Roots (VCR), revocations, and delta payloads.

Each signed object MUST include a signatureDocument with the following structure:

message — The cryptographic hash of the canonical serialization of the data object. See §Canonicalization Rules.
signature — Object containing the signature itself:
- publicKey — Base64url-encoded public key corresponding to the signing private key.
- algorithm — Signature algorithm used (e.g., EdDSA, ECDSA).
- value — Base64url-encoded signature value.
signer — DID of the entity producing the signature.

Example (in JSON for clarity):

{
  "message": "<hash-of-canonical-data>",
  "signature": {
    "publicKey": "<multibase-encoded public="" key="">",
    "algorithm": "<algorithm identifier="">",
    "value": "<multibase-encoded signature="">"
  },
  "signer": "<did of="" signer="">"
}

Every signed object in SSIMPL, including LedgerEntry, VerifiableCredentialRoot, revocation entries, and delta updates, MUST include a signatureDocument.
The message field MUST be derived from the canonical serialization of the associated data object, ensuring that identical logical objects produce identical hashes.
This pattern guarantees interoperability, verifiability, and deterministic ordering for all signed objects across the network.

Optional fields in the data object MUST NOT affect the canonical hash unless explicitly defined in the canonicalization rules.
Implementations MUST reject signatures if the hash does not match the canonicalized data object.
Adherence to this pattern is mandatory to ensure correct ledger validation, delta verification, and revocation processing.

This canonical signature object pattern provides a single, consistent approach for proving authorship and integrity across all SSIMPL objects.

---

The Relay Peer is a special kind of Peer in the sense that it is static and reachable over the internet on a fixed hostname. It acts like any other Peer, but it also adds a storage layer for the Ledger and serves as distribution point for the Ledger.

To enable robust peer-to-peer synchronization while maintaining decentralization, SSIMPL defines a Relay Peer Discovery and Verification Protocol. This allows new Peers to bootstrap securely and verify that Relay Peers are implementing the protocol correctly.

Relay Peers are discoverable via a canonical hostname scheme:

Hostnames are deterministic, e.g., 0.ssimpl.org … 9999.ssimpl.org.
Each Relay Peer implements a fixed set of endpoints defined by the SSIMPL specification.
Peers attempt to connect sequentially or via pseudo-randomized probing across the deterministic range.

Rationale: Deterministic hostnames avoid the need for a centralized list, while still enabling Peers to discover Relay Peers without prior trust assumptions.

Connection: Peer attempts a connection to a candidate Relay Peer.
Metadata Exchange: Relay Peer returns:
- last_epoch (latest ledger epoch)
- root_hash (canonical ledger root)
- Timestamp
- signature_document - Signature over the metadata using the Relay Peer’s DID key
Validation: Peer verifies:
- root_hash corresponds to canonical ledger rules
- Timestamp is within an acceptable window
- Signature is valid and matches the DID key
Challenge-Response (Optional):
- Peer sends a nonce to the Relay Peer
- Relay Peer signs the nonce and returns the signature
- Peer validates the signature to ensure possession of the claimed DID key
Trust Establishment: Peer marks Relay Peer as verified if all checks pass; otherwise, the peer discards the candidate.

Peers iterate through deterministic hostnames.
Temporarily unreachable hosts are retried after a backoff period.
Optionally, a seed CID on IPFS may provide an initial snapshot of active Relay Peers to bootstrap discovery.

Deterministic discovery combined with cryptographic verification ensures that peers cannot be misled by malicious Relay Peers.
Relay Peers are auditable: any failure to implement endpoints correctly or return invalid data can be detected.
Peers remain authoritative for ledger validation; Relay Peers are relays, not arbiters.

Summary:
This protocol allows new Peers to bootstrap without centralized coordination, ensures Relay Peers can be trusted, and maintains the integrity and decentralization of the SSIMPL ledger.

The SSIMPL ledger is a deterministically canonical, peer-replicated structure tracking valid DIDs, maintained across Peers and Relay Peers.

Track valid DIDs without a central authority.
Support bounded state and deterministic pruning.
Enable single-peer verification.
Eventual consistency via optional gossip or client/server synchronization.
Mobile-friendly operation for large ledgers (5–30 GB).

Filter expired entries based on did_expiry and GRACE_PERIOD.
Normalize entries into canonical byte format.
Sort lexicographically by did_expiry then by hash(did).
Compute root_hash using a Merkle tree over the current, complete, pruned ledger.

The SSIMPL ledger uses a Merkle tree to enable efficient verification of ledger state and individual entries.

Leaves: Hashes of canonical ledger entries.
Branches: Hashes of concatenated child nodes.
Root: root_hash representing the current canonical ledger state.

New ledger entries are appended as leaves.
The affected branches are rehashed up to the root.
Pruning does not delete nodes; the canonical ledger for the current epoch defines which entries are considered valid.

To prove inclusion of a DID xyz, a peer can provide the leaf hash and the branch hashes up to root_hash.
Other peers can recompute the root from the proof and verify it matches the canonical root_hash.

Checkpoints store a root_hash for a specific epoch.
Peers can verify their ledger or deltas by starting from the latest checkpoint and applying updates.

An entry is valid if:

current_time < did_expiry + GRACE_PERIOD.
hash(verifiable_credential_root.data) equals verifiable_credential_root.signature_document.message.
The public key in the DID matches signature_document.signature.public_key.
Signature verification succeeds: verify_signature( verifiable_credential_root.signature_document.message, verifiable_credential_root.signature_document.signature.value, verifiable_credential_root.signature_document.signature.public_key, verifiable_credential_root.signature_document.signature.algorithm )

Expired or invalid entries are ignored and removed during canonical construction.

Peers MAY remove their own entries and expired entries. To revoke a DID:

Remove the DID from the local ledger.
Store and submit a revocation payload to (Relay) Peers.

Peers MUST NOT remove valid entries or modify others' entries.
Deterministic pruning ensures consistent ledger state across peers.

Peers exchange { epoch, root_hash } metadata.
Matching hash: No action required.
Hash mismatch: Request missing entries or snapshots.
Iterative delta exchange ensures eventual convergence.
Relay Peers act as distribution points while also validating entries.
Stateless Relay Peers may bootstrap from peers but should persist data for efficiency.

To enable efficient verification of ledger history and prevent forks from propagating, the SSIMPL protocol introduces Merkle checkpoints. These checkpoints allow peers to validate that their current ledger state stems from a previously agreed-upon canonical state.

A Merkle checkpoint is a snapshot of the canonical ledger at a given epoch, containing:

epoch — The deterministic epoch number of the snapshot
root_hash — The canonical ledger Merkle root at that epoch
metadata (optional) — Any additional information, such as total entry count, checkpoint creator DID, or a reference timestamp

Merkle checkpoints serve three main purposes:

Anchoring history — They provide a trusted reference point for peers to verify that their current ledger is an extension of a previous canonical state.
Fork detection — Peers can detect divergence by comparing their checkpointed root hash with peers’ reported checkpoints.
Efficient synchronization — When a peer joins the network or recovers from offline mode, it can request deltas starting from the latest known checkpoint rather than from the genesis ledger.

Peers MAY create checkpoints at deterministic intervals (e.g., end of each epoch).
Relay Peers SHOULD store checkpoints for availability, enabling efficient delta requests for mobile peers.
Checkpoints themselves are immutable; once created, they cannot be modified or deleted.

To verify a ledger using a checkpoint:

Obtain the checkpoint for the target epoch (epoch, root_hash).
Compute the canonical ledger state from the checkpoint epoch to the current state.
Recompute the Merkle root for the resulting ledger.
Confirm that the recomputed root matches the current root_hash.

A mismatch indicates ledger tampering or divergence, and the peer MUST reject the inconsistent entries.

Checkpoints older than a configurable retention window MAY be pruned to reduce storage overhead.
Retention policies SHOULD be deterministic and consistent across peers to maintain canonical verification paths.

Checkpoint integrity — Checkpoints must be signed by the creating peer using their DID key.
Fork prevention — Peers must reject any checkpoint that does not extend a known valid previous checkpoint.
Replay attacks — Timestamps and epoch numbers help prevent replay of stale checkpoints.

Single-peer revocation verification.
Privacy-preserving registration.
Resistance to illegal pruning and tampering.
Bounded state growth.
Eventual convergence under client/server synchronization.

To ensure that signatures are verifiable and consistent across all peers, every signed object in SSIMPL (including LedgerEntry and VerifiableCredentialRoot) MUST be serialized in a canonical form before hashing and signing. These rules remove ambiguity in encoding and field ordering, preventing mismatches between peers.

Field Ordering

All objects MUST have their fields sorted lexicographically by key name.
Example: For {"b":2,"a":1}, canonical form is {"a":1,"b":2}.

Whitespace

No unnecessary whitespace is allowed.
Only minimal separators required by the serialization format are permitted.

Encoding

All strings MUST be UTF-8 encoded.
No BOM (Byte Order Mark) or non-standard characters are allowed.

Number Representation

Numbers MUST be represented without leading zeros (except zero itself) and without exponential notation.
Example: 1.0 → 1.0; 01 → invalid.

Boolean and Null

true, false, and null MUST use JSON literals exactly as shown (case-sensitive).

Recursion: Apply canonicalization rules recursively to all nested objects and arrays.
Arrays:
Arrays MUST preserve element order.
Elements MUST themselves be canonicalized if they are objects or arrays.

The message field in every SignatureDocument MUST be the hash of the canonical serialized data object.
Recommended hash function: SHA-256.
The hash input is strictly the canonical byte sequence of the data object (no additional metadata).
Signing the message binds the signer cryptographically to the exact canonical representation of the object.

Multibase or Base64url encoding MUST be used consistently for any binary data (e.g., cryptographic proofs).
This ensures that all peers can reproduce the exact same byte sequence for verification.

To verify a signature:

Peer canonicalizes the data object according to the rules above.
Peer hashes the canonicalized bytes to compute the message.
Peer verifies that the computed message matches the message in signatureDocument.
Peer validates the signature using the provided publicKey and algorithm.
Only if all checks pass is the object considered valid.

Canonicalization guarantees that:

Signatures are deterministic and portable across implementations.
Peers can independently verify credentials, ledger entries, and revocations.
Forks, replay attacks, and accidental divergence due to encoding differences are prevented.

This section defines the reference API for Relay Peers in the SSIMPL protocol. It provides endpoints for DID registration, revocation, and ledger synchronization.

All requests MUST be authenticated using a Bearer token, containing a signed DID in the canonical SignatureDocument format, multibase-encoded.

POST /ledger/delta

Purpose: Allows a Peer to request ledger entries that are newer than a given epoch, if the peer is out of sync.

Request payload (LedgerDeltaRequest):

Field	Type	Description
lastEpoch	integer	Last ledger epoch known to the peer
rootHash	string	Merkle root hash of the peer's current ledger state

Example:

{
  "lastEpoch": 42,
  "rootHash": "abcdef1234567890"
}

Response payload (LedgerDeltaResponse):

Field Type Description currentEpoch integer Current epoch of the relay peer ledger authoritativeRootHash string Merkle root hash after applying returned entries array Ordered ledger entries newer than lastEpoch

Example:

{
  "currentEpoch": 43,
  "authoritativeRootHash": "1234abcd5678ef90",
  "entries": [
    {
      "data": {
        "verifiableCredentialRoot": {
          ...
        },
        "proof": {
          ...
        }
      },
      "signatureDocument": {
        ...
      }
    }
  ]
}

⸻

POST /ledger

Purpose: Register a new DID on the ledger.

Request payload: LedgerEntry object

Example:

{
  "data": {
    "verifiableCredentialRoot": {
      ...
    },
    "proof": {
      ...
    }
  },
  "signatureDocument": {
    ...
  }
}

Response: 200 OK on success.

⸻

Revoke a DID

PUT /ledger

Purpose: Revoke a DID by submitting a revocation payload.

Request payload: LedgerEntryRevocation object

Example:

{
  "data": {
    "did": "did:key:z6Mkw...example"
  },
  "signatureDocument": {
    ...
  }
}

Response: 200 OK on success.

⸻

Shared Object Schemas

Field	Type	Description
data	object	Contains `verifiableCredentialRoot` and `proof`
signatureDocument	object	Signature verifying the integrity of `data`

Field	Type	Description
data	object	Contains the DID being revoked
signatureDocument	object	Signature verifying the revocation

Field	Type	Description
data	object	Contains `did` and `identityDocumentHash`
signatureDocument	object	Signature verifying the `data`

Field	Type	Description
DG15	string	Data group 15 proof
AASignature	string	Active Authentication signature
AAChallenge	string	Active Authentication challenge
SOD	string	Security Object Document

Field	Type	Description
message	string	Canonical serialized representation of the signed data
signature	object	`Signature` object containing `algorithm`, `publicKey`, and `value`
signer	string	DID or public key identifier of the signer

Field	Type	Description
publicKey	string	Public key of signer
algorithm	string	Signing algorithm
value	string	Multibase-encoded signature value

SSIMPL Specification

Abstract

1. Conformance

Status of This Document

2. Overview

2.1 Identity Trust Model

2.2 Levels of Authentication

2.3 Components

3. Wallet Specification

3.1 Wallet Requirements

3.2 Activation Process

3.3 Canonical Signature Object Pattern

3.3.1 Structure

3.3.2 Usage

3.3.3 Rules and Notes

4. Relay Peer Specification

4.1 Relay Peer Discovery and Verification

4.1.1 Deterministic Relay Hostnames

4.1.2 Relay Peer Verification Protocol

4.1.3 Handling Non-Existing or Offline Relay Peers

4.1.4 Security and Trust Implications

5. Ledger Specification

5.1 Goals

5.2 State and Canonical Construction

5.3 Merkle Tree

5.3.1 Structure

5.3.2 Updates

5.3.3 Merkle Proofs

5.3.4 Relation to Checkpoints

5.4 Validation Rules

5.5 Pruning and Mutability

5.6 Synchronization

5.7 Merkle Checkpoints

5.7.1 Definition

5.7.2 Purpose

5.7.3 Creation and Storage

5.7.4 Verification

5.7.5 Pruning and Expiry

5.7.6 Security Considerations

5.8 Security Properties

6. Conclusion

7. Canonicalization Rules

7.1 Object Serialization

7.2 Nested Objects

7.3 Signature Message

7.4 Deterministic Encoding

7.5 Verification Procedure

7.6 Rationale

8. SSIMPL API Specification

8.1 Endpoints

8.1.1 Request Ledger Delta

8.1.2 LedgerEntry

8.1.3 LedgerEntryRevocation

8.1.4 VerifiableCredentialRoot

8.1.5 DataGroupProof

8.1.6 SignatureDocument

8.1.7 Signature

A. References

A.1 Normative references