SSIMPL Specification

Status of This Document

This section describes the status of this document at the time of its publication. A list of current W3C publications and the latest revision of this technical report can be found in the W3C standards and drafts index.

This document was published by the Verifiable Credentials Working Group, the Decentralized Identifier Working Group, and the Web Authentication Working Group as an Editor's Draft.

Publication as an Editor's Draft does not imply endorsement by W3C and its Members.

This is a draft document and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to cite this document as other than a work in progress.

This document was produced by groups operating under the W3C Patent Policy. W3C maintains a public list of any patent disclosures (Verifiable Credentials Working Group), a public list of any patent disclosures (Decentralized Identifier Working Group), and a public list of any patent disclosures (Web Authentication Working Group) made in connection with the deliverables of each group; these pages also include instructions for disclosing a patent. An individual who has actual knowledge of a patent that the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.

This document is governed by the 18 August 2025 W3C Process Document.

The SSIMPL protocol defines a Self-Sovereign Identity & Mondial Pseudonymous Ledger framework that allows individuals to maintain control over their digital identity while enabling verifiable credential issuance and revocation. It bridges physical trust anchors (e.g., ePassports) with digital identity systems, ensuring cryptographic verification without reliance on centralized authorities.

SSIMPL addresses two key problems:

User control over digital identity – eliminating reliance on centralized identity providers.
Verification of identities – ensuring online credentials correspond to real individuals using cryptographic proofs.

The protocol balances decentralization, peer authority, and optional server-assisted synchronization for efficiency and availability. Everything is made to be deterministic by default, so no authorities whatsoever are required except the one that signed the Trust Anchor.

SSIMPL identities are rooted in cryptographically verifiable credentials derived from Trust Anchors (TA), such as government-issued ePassports. A valid wallet:

Scans a Trust Anchor (TA) via NFC.
Performs an Active Authentication (AA) challenge.
Derives a Verifiable Credential Root (VCR) tied to the user’s DID.
Publishes this Verifiable Credential Root to Relay Peers.

This ensures only owners of verified physical credentials can create valid DIDs.

Identity is hard to verify by nature. Using a state-issued TA is not a perfect solution, but it's the best deterministic proof of identity available at the moment.

Level 0: DID confirms human ownership (bot detection).
Level 1: Level 0 + unverified attributes requested via scope.
Level 2: Level 1 + verified credentials requested via scope.

Identity The owner of the TA.
Wallet: The actual software responsible for encapsulating the owners TA.
Peers: Mobile devices with the Wallet installed.
Relay Peers: Servers that act both as Peers and distribution points, allowing other Peers to sync their ledger.

The wallet is a Self-Sovereign means of identification that can be installed and bootstrapped entirely independent of any authority. It solely relies on cryptographic proof.

Wallets MUST:

Perform NFC scans of Trust Anchors.
Support Active Authentication challenge verification.
Derive BIP32 keypairs from a BIP39 mnemonic.
Store the master BIP32 keypair in a secure storage section of their device (e.g. Apple Keychain, Android Keystore, due to lack of true HSMs in mobile devices).
Sign and manage the Verifiable Credential Root.
Generate DIDs compliant with did:key for interoperability.
Support JWT issuance and asymmetric key exchange.

Wallets SHOULD:

Encrypt credentials for local storage.
Store additional credentials such as DG11 for user convenience.
Send their signed VCR to Relay Peers.

User installs wallet.
Wallet prompts for MRZ line.
NFC scan and extraction of passport data.
Creation of Verifiable Credential Root (VCR).
BIP39 mnemonic generation.
BIP32 keypair derivation and storage.
Signing of the VCR.
Submission of the VCR to a Relay Peer.

Optional fields in the data object MUST NOT affect the canonical hash unless explicitly defined in the canonicalization rules.
Implementations MUST reject signatures if the hash does not match the canonicalized data object.
Adherence to this pattern is mandatory to ensure correct ledger validation, delta verification, and revocation processing.

This canonical signature object pattern provides a single, consistent approach for proving authorship and integrity across all SSIMPL objects.

In order to function properly, it is essential certain behavior is implemented:

Before any transaction, the Wallet MUST call either the Root Relay Peer, or one of it's known Relay Peers for the latest delta.
If this Peer is new, it must first be bootstrapped. Which means acquiring the full current Ledger. This is done by requesting delta's in chunks between epochs, starting with 0 (Unix Time). Until the Ledger is fully in place, the Wallet MUST NOT allow any transactions.
Before any transaction, the Wallet MUST call either the Root Relay Peer, or one of it's known Relay Peers for the latest list of known Relay Peers.

The Relay Peer is a special kind of Peer in the sense that it is static and reachable over the internet on a fixed hostname. It acts like any other Peer, but it also adds a storage layer for the Ledger and serves as distribution point for the Ledger. All Relay Peers together form a subnetwork on which all other (mobile) Peers 'ride'. This is purely infrastructural to help communication between Peers. It doesn't give any special privileges or authorities to any of the Relay Peers and does therefor still fulfill all requirements to be called decentralized.

Receive, validate and store new LedgerEntries.
Receive, validate and store new LedgerEntryRevocations.
Providing and storing a list of known Relay Peers for discovery.
Responding to registration attempts from new Relay Peers.
Gossiping about newly registered Relay Peers.

To enable deterministic network formation and secure onboarding of Relay Peers, the SSIMPL protocol defines a bootstrap and verification procedure.

The first time a new Relay Peer is bootstrapped, it MUST make itself known to a known (or a well-known Relay Peer, e.g., root.ssimpl.org) to obtain the first list of known Relay Peers. This is a hard-coded node that allows the network to kickstart itself and to have zero knowledge upfront when adding a new Relay Peer.

Upon first contact with the network, a new Relay Peer:

Contacts the Root Relay Peer (or another known Relay Peer) to announce its presence.
Provides its signed DID using the canonical SignatureEnvelope format.
Receives information about other Relay Peers in the network for further connections.
Requests delta's from one (or more) of the Relay Peers in the network in chunks based on the time between two epochs. Starting with 0 (Unix Time) if it has never been online and otherwise starting with the epoch it was last online.

The SSIMPL ledger is a deterministically canonical, peer-replicated structure tracking valid DIDs, maintained across Peers and Relay Peers.

Track valid DIDs without a central authority.
Support bounded state and deterministic pruning.
Enable single-peer verification.
Eventual consistency via optional gossip or client/server synchronization.
Mobile-friendly operation for large ledgers (5–30 GB).

Filter expired entries based on did_expiry and GRACE_PERIOD.
Normalize entries into canonical byte format.
Sort lexicographically by did_expiry then by hash(did).
Compute root_hash using a Merkle tree over the current, complete, pruned ledger.

The SSIMPL ledger uses a Merkle tree to enable efficient verification of ledger state and individual entries.

Leaves: Hashes of canonical ledger entries.
Branches: Hashes of concatenated child nodes.
Root: root_hash representing the current canonical ledger state.

New ledger entries are appended as leaves.
The affected branches are rehashed up to the root.
Pruning does not delete nodes; the canonical ledger for the current epoch defines which entries are considered valid.

To prove inclusion of a DID xyz, a peer can provide the leaf hash and the branch hashes up to root_hash.
Other peers can recompute the root from the proof and verify it matches the canonical root_hash.

Checkpoints store a root_hash for a specific epoch.
Peers can verify their ledger or deltas by starting from the latest checkpoint and applying updates.

An entry is valid if:

current_time < did_expiry + GRACE_PERIOD.
hash(verifiable_credential_root.data) equals verifiable_credential_root.signature_document.message.
The public key in the DID matches signature_document.signature.public_key.
Signature verification succeeds: verify_signature( verifiable_credential_root.signature_document.message, verifiable_credential_root.signature_document.signature.value, verifiable_credential_root.signature_document.signature.public_key, verifiable_credential_root.signature_document.signature.algorithm )

Expired or invalid entries are ignored and removed during canonical construction.

Peers MAY remove their own entries and expired entries. To revoke a DID:
1. Store a revocation payload on the local Ledger.
2. Store and submit a revocation payload to (Relay) Peers.
Peers MUST NOT remove valid entries or modify others' entries.
Deterministic pruning ensures consistent ledger state across peers.

Peers exchange { epoch, root_hash } metadata.
Matching hash: No action required.
Hash mismatch: Request missing entries or snapshots.
Iterative delta exchange ensures eventual convergence.
Relay Peers act as distribution points while also validating entries.
Stateless Relay Peers may bootstrap from peers but should persist data for efficiency.

To enable efficient verification of ledger history and prevent forks from propagating, the SSIMPL protocol introduces Merkle checkpoints. These checkpoints allow peers to validate that their current ledger state stems from a previously agreed-upon canonical state.

A Merkle checkpoint is a snapshot of the canonical ledger at a given epoch, containing:

epoch — The deterministic epoch number of the snapshot
root_hash — The canonical ledger Merkle root at that epoch
metadata (optional) — Any additional information, such as total entry count, checkpoint creator DID, or a reference timestamp

Merkle checkpoints serve three main purposes:

Anchoring history — They provide a trusted reference point for peers to verify that their current ledger is an extension of a previous canonical state.
Fork detection — Peers can detect divergence by comparing their checkpointed root hash with peers’ reported checkpoints.
Efficient synchronization — When a peer joins the network or recovers from offline mode, it can request deltas starting from the latest known checkpoint rather than from the genesis ledger.

Peers MAY create checkpoints at deterministic intervals (e.g., end of each epoch).
Relay Peers SHOULD store checkpoints for availability, enabling efficient delta requests for mobile peers.
Checkpoints themselves are immutable; once created, they cannot be modified or deleted.

To verify a ledger using a checkpoint:

Obtain the checkpoint for the target epoch (epoch, root_hash).
Compute the canonical ledger state from the checkpoint epoch to the current state.
Recompute the Merkle root for the resulting ledger.
Confirm that the recomputed root matches the current root_hash.

A mismatch indicates ledger tampering or divergence, and the peer MUST reject the inconsistent entries.

Checkpoints older than a configurable retention window MAY be pruned to reduce storage overhead.
Retention policies SHOULD be deterministic and consistent across peers to maintain canonical verification paths.

Checkpoint integrity — Checkpoints must be signed by the creating peer using their DID key.
Fork prevention — Peers must reject any checkpoint that does not extend a known valid previous checkpoint.
Replay attacks — Timestamps and epoch numbers help prevent replay of stale checkpoints.

Single-peer revocation verification.
Privacy-preserving registration.
Resistance to illegal pruning and tampering.
Bounded state growth.
Eventual convergence under client/server synchronization.

To ensure that signatures are verifiable and consistent across all peers, every signed object in SSIMPL (including LedgerEntry and VerifiableCredentialRoot) MUST be serialized in a canonical form before hashing and signing. These rules remove ambiguity in encoding and field ordering, preventing mismatches between peers.

Field Ordering
- All objects MUST have their fields sorted lexicographically by key name.
- Example: For {"b":2,"a":1}, canonical form is {"a":1,"b":2}.
Whitespace
- No unnecessary whitespace is allowed.
- Only minimal separators required by the serialization format are permitted.
Encoding
- All strings MUST be UTF-8 encoded.
- No BOM (Byte Order Mark) or non-standard characters are allowed.
Number Representation
- Numbers MUST be represented without leading zeros (except zero itself) and without exponential notation.
- Example: 1.0 → 1.0; 01 → invalid.
Boolean and Null

true, false, and null MUST use JSON literals exactly as shown (case-sensitive).

Recursion: Apply canonicalization rules recursively to all nested objects and arrays.
Arrays MUST preserve element order.
Elements MUST themselves be canonicalized if they are objects or arrays.

The message field in every SignatureEnvelope MUST be the hash of the canonical serialized data object.
Recommended hash function: SHA-256.
The hash input is strictly the canonical byte sequence of the data object (no additional metadata).
Signing the message binds the signer cryptographically to the exact canonical representation of the object.

Multibase or Base64url encoding MUST be used consistently for any binary data (e.g., cryptographic proofs).
Multibase-encoding SHOULD be used consistently for any binary data (e.g., cryptographic proofs).
This ensures that all peers can reproduce the exact same byte sequence for verification.

To verify a signature:

Peer canonicalizes the data object according to the rules above.
Peer hashes the canonicalized bytes to compute the message.
Peer verifies that the computed message matches the message in signatureEnvelope.
Peer validates the signature using the provided publicKey and algorithm.
Only if all checks pass is the object considered valid.

Canonicalization guarantees that:

Signatures are deterministic and portable across implementations.
Peers can independently verify credentials, ledger entries, and revocations.
Forks, replay attacks, and accidental divergence due to encoding differences are prevented.

All cryptographically signed objects in SSIMPL MUST follow a uniform, canonical structure, known as the * SignatureEnvelope*. This ensures consistency across all signed data, including ledger entries, Verifiable Credential Roots (VCR), revocations, and delta payloads.

Each signed object MUST include a SignatureEnvelope with the following structure:

message — The cryptographic hash of the canonical serialization of the data object.
signature — Object containing the signature itself:
- publicKey — Base64url-encoded public key corresponding to the signing private key.
- algorithm — Signature algorithm used (e.g., EdDSA, ECDSA).
- value — Base64url-encoded signature value.
signer — DID of the entity producing the signature.

Example (in JSON for clarity):

{
  "message": "<hash-of-canonical-data>",
  "signature": {
    "publicKey": "<multibase-encoded public="" key="">",
    "algorithm": "<algorithm identifier="">",
    "value": "<multibase-encoded signature="">"
  },
  "signer": "<did of="" signer="">"
}

Every signed object in SSIMPL, including LedgerEntry, VerifiableCredentialRoot, revocation entries, and delta updates, MUST include a signatureEnvelope.
The message field MUST be derived from the canonical serialization of the associated data object, ensuring that identical logical objects produce identical hashes.
This pattern guarantees interoperability, verifiability, and deterministic ordering for all signed objects across the network.

This section defines the reference API for Relay Peers in the SSIMPL protocol. It provides endpoints for DID registration, revocation, and ledger synchronization.

All requests MUST be authenticated using a Bearer token, containing a signed DID in the canonical SignatureEnvelope format, multibase-encoded.

POST /identity

Purpose: Allows (Relay) Peers to check the health an initial validity of the Relay Peer

Request payload (LedgerDeltaRequest):

Field	Type	Description
data	integer	Last ledger epoch known to the peer
signatureEnvleope	string	Merkle root hash of the peer's current ledger state

POST /ledger/delta

Purpose: Allows a Peer to request ledger entries that are newer than a given epoch, if the peer is out of sync.

Request payload (LedgerDeltaRequest):

Field	Type	Description
lastEpoch	integer	Last ledger epoch known to the peer
rootHash	string	Merkle root hash of the peer's current ledger state

Example:

{
  "lastEpoch": 42,
  "rootHash": "abcdef1234567890"
}

Response payload (LedgerDeltaResponse):

Field Type Description currentEpoch integer Current epoch of the relay peer ledger authoritativeRootHash string Merkle root hash after applying returned entries array Ordered ledger entries newer than lastEpoch

Example:

{
  "currentEpoch": 43,
  "authoritativeRootHash": "1234abcd5678ef90",
  "entries": [
    {
      "data": {
        "verifiableCredentialRoot": {
          ...
        },
        "proof": {
          ...
        }
      },
      "signatureEnvelope": {
        ...
      }
    }
  ]
}

⸻

POST /ledger

Purpose: Register a new DID on the ledger.

Request payload: LedgerEntry object

Example:

{
  "data": {
    "verifiableCredentialRoot": {
      ...
    },
    "proof": {
      ...
    }
  },
  "signatureEnvelope": {
    ...
  }
}

Response: 200 OK on success.

⸻

Revoke a DID

PUT /ledger

Purpose: Revoke a DID by submitting a revocation payload.

Request payload: LedgerEntryRevocation object

Example:

{
  "data": {
    "did": "did:key:z6Mkw...example"
  },
  "signatureEnvelope": {
    ...
  }
}

Response: 200 OK on success.

⸻

Shared Object Schemas

Field	Type	Description
data	object	Contains the actual fields used for the signature
signatureEnvelope	object	Signature verifying the `data`

Field	Type	Description
data	object	Contains `verifiableCredentialRoot` and `proof`
signatureEnvelope	object	Signature verifying the integrity of `data`

Field	Type	Description
did	object	Contains `did` and `identityDocumentHash`
identityDocumentHash	object	Signature verifying the `data`

Field	Type	Description
data	object	Contains the DID being revoked
signatureEnvelope	object	Signature verifying the revocation

Field	Type	Description
DG15	string	Data group 15 proof
AASignature	string	Active Authentication signature
AAChallenge	string	Active Authentication challenge
SOD	string	Security Object Document

Field	Type	Description
message	string	Canonical serialized representation of the signed data
signature	object	`Signature` object containing `algorithm`, `publicKey`, and `value`
signer	string	DID or public key identifier of the signer

Field	Type	Description
publicKey	string	Public key of signer
algorithm	string	Signing algorithm
value	string	Multibase-encoded signature value

SSIMPL Specification

Abstract

1. Conformance

Status of This Document

2. Overview

2.1 Identity Trust Model

2.1.1 Considerations

2.2 Levels of Authentication

2.3 Roles

3. Wallet Specification

3.1 Wallet Requirements

3.2 Activation Process

3.2.1 Rules and Notes

3.3 Wallet Functionality

4. Relay Peer Specification

4.1 Relay Peer Responsibilities

4.2 Relay Peer Bootstrap and Verification

4.2.1 Relay Peer Registration

5. Ledger Specification

5.1 Goals

5.2 State and Canonical Construction

5.3 Merkle Tree

5.3.1 Structure

5.3.2 Updates

5.3.3 Merkle Proofs

5.3.4 Relation to Checkpoints

5.4 Validation Rules

5.5 Pruning and Mutability

5.6 Synchronization

5.7 Merkle Checkpoints

5.7.1 Definition

5.7.2 Purpose

5.7.3 Creation and Storage

5.7.4 Verification

5.7.5 Pruning and Expiry

5.7.6 Security Considerations

5.8 Security Properties

6. Conclusion

7. Canonicalization Rules

7.1 Object Serialization

7.2 Nested Objects

7.3 Signature Message

7.4 Deterministic Encoding

7.5 Verification Procedure

7.6 Rationale

7.7 Canonical Signature Object Pattern

7.7.1 Structure

7.7.2 Usage

8. SSIMPL API Specification

8.1 Endpoints

8.1.1 Perform a handshake

8.1.2 Request Ledger Delta

8.1.3 SignedObject (Signed)

8.1.4 SignedObject: LedgerEntry

8.1.5 VerifiableCredentialRoot

8.1.6 SignedObject: LedgerEntryRevocation

8.1.7 Proof

8.1.8 SignatureEnvelope

8.1.9 Signature

A. References

A.1 Normative references