SSIMPL Specification

SSIMPL identities are rooted in cryptographically verifiable credentials derived from Trust Anchors, such as government-issued ePassports. A valid wallet:

• MUST extract cryptographic material from a TA
• MUST perform necessary processes to verify chip authenticity. For example, an Active Authentication (AA) challenge.
• MUST extract and store all relevant claims and their proofs. See VCR

This ensures only owners of verifiable physical credentials can create valid DIDs.

• Level 0: ephemeral DID + TrustAnchorProof confirms human ownership (bot detection).
• Level 1: stable DID + TrustAnchorProof confirms human ownership (bot detection) and identifies owner spanning multiple sessions.
• Level 2: Level 0/1 + unverifiable attributes (e.g. the owners home address) requested via scope.
• Level 3: Level 2 + verifiable credentials requested via scope.

These different levels allow people to authenticate themselves on several levels, depending on the context. Say a person would like to order a product from a website. Using SSIMPL, the webshop could request a certain scope of credentials (like a shipping address). The owner of the identity could then approve or disapprove this request. This flow is very similar to Open ID Connect, except that there is no need for a 3rd party.

• Identity The owner of the TA and user of the network.
• Wallet: The actual software responsible for encapsulating the owners TA.
• Peers: Mobile devices with the Wallet installed.
• Relay Peers: Servers that act both as Peers and distribution points, allowing other Peers to sync their ledger.

A did:ssimpl identifier has the following structure, conforming to the generic DID syntax defined in [DIDCORE]:

ssimpl-did     = "did:ssimpl:" ssimpl-specific-id
ssimpl-specific-id = Multibase( network-bytes || pk-bytes )
network-bytes  = country-bytes subnetwork-byte node-byte
country-bytes  = 3ALPHA        ; ICAO 9303 alpha-3 country code
subnetwork-byte = 1OCTET       ; unsigned integer 0–255
node-byte      = 1OCTET        ; unsigned integer 0–255
pk-bytes       = 33OCTET       ; compressed secp256k1 public key

The method-specific identifier is a single Multibase-encoded opaque string. It encodes 38 bytes: 3 bytes of country code, 1 byte of subnetwork identifier, 1 byte of node identifier, and 33 bytes of compressed public key. No delimiters are used. Decoding is deterministic by fixed byte offset.

The 38-byte payload prior to Multibase-encoding is laid out as follows:

The country code MUST be an ICAO 9303 [ICAO9303] alpha-3 code encoded as ASCII uppercase bytes. The subnetwork and node fields are unsigned 8-bit integers (range 0–255). The public key is a 33-byte compressed secp256k1 public key.

Given a did:ssimpl identifier, the following algorithm recovers the network coordinates and public key:

1. Strip the did:ssimpl: prefix to obtain the method-specific identifier string.
2. Multibase-decode the string to obtain a byte array. The result MUST be exactly 38 bytes. If not, the DID is malformed.
3. Extract bytes[0..2] (inclusive) as the country code. Interpret as ASCII. The result MUST be a valid ICAO 9303 alpha-3 country code.
4. Extract bytes[3] as the subnetwork identifier (unsigned integer).
5. Extract bytes[4] as the node identifier (unsigned integer).
6. Extract bytes[5..37] (inclusive) as the 33-byte compressed secp256k1 public key.

The keypair corresponding to a did:ssimpl identifier is derived using [BIP32] hierarchical deterministic key derivation. The seed is computed as:

seed = HASH( mnemonic )
DID keypair = BIP32( seed )

Where mnemonic is the user's secret mnemonic phrase, and HASH is a cryptographically secure hash function (SHA-256 or equivalent).

For TA-backed identities, the mnemonic is additionally bound to the passport's AA public key:

seed = HASH( mnemonic || HASH( aa_public_key ) )

This binding ensures that possession of the DID keypair implicitly attests possession of the corresponding passport material, without exposing the AA public key or mnemonic to any external party.

SSIMPL networks are organised hierarchically by country and subnetwork. Each country identified by its ICAO 9303 alpha-3 code constitutes a top-level network. Large countries MAY be subdivided into subnetworks to bound ledger size on mobile devices.

Every peer holds a complete copy of the ledger for their own network. No peer holds a privileged or partial role. Relay peers and wallet peers are structurally identical.

A network SHOULD be sized such that its ledger remains manageable on a contemporary mobile device. A suggested ceiling is one million registered identities per subnetwork, corresponding to approximately 200 megabytes of ledger storage at maximum capacity. This is also where the subnetworks come into play. Each subnetwork can be used for one separate ledger. Depending on the identity you're interacting with, you either need your ledger AND theirs, or can keep using your own.

Individual nodes are addressed using DNS subdomain names under the networks domain e.g. ssimpl.org. The addressing scheme is:

<country>.<subnetwork>.<node>.<domain>

Where <country> is the lowercase ICAO 9303 alpha-3 country code, <subnetwork> is the decimal subnetwork number, and <node> is the decimal node number.

A client wishing to reach any node within a given subnetwork MAY omit the node segment and resolve at the subnetwork level:

<country>.<subnetwork>.ssimpl.org   ; any node in subnetwork
<country>.ssimpl.org                 ; any node in country

DNS wildcard records SHOULD be configured to support these resolution patterns. The DNS infrastructure does not carry authoritative identity data; it serves only as a bootstrap mechanism for peer discovery.

Given a did:ssimpl identifier, the corresponding network and node are resolved as follows:

1. Decode the DID per the algorithm in 5.3 Decoding Algorithm to obtain country, subnetwork, and node.
2. Construct the DNS address: lower(country).subnetwork.node.ssimpl.org.
3. Resolve via DNS to obtain the peer's IP address and port.
4. To query any peer in the same subnetwork (e.g. for ledger synchronisation), resolve lower(country).subnetwork.ssimpl.org.

Country-based network segregation provides a natural bound on ledger size. Peers overwhelmingly interact with others from the same country, meaning most peers need only one ledger. Additional ledgers are downloaded lazily on first encounter with a foreign DID and MAY be pruned after a configurable period of inactivity.

For countries with populations where passport adoption would exceed the recommended per-subnetwork ceiling, additional subnetworks MUST be provisioned. Subnetwork assignment for new registrations SHOULD be load-balanced across available subnetworks within the country.

When a peer encounters a DID from a foreign network, they MUST download the relevant subnetwork ledger before verifying the identity. Ledgers are cached locally and synchronised incrementally on subsequent interactions.

A peer MAY pre-emptively download ledgers for networks they anticipate interacting with — for example, before international travel. Implementations SHOULD provide a mechanism for users to manage which ledgers are retained on their device.

Ledger freshness is maintained by delta synchronisation: a peer requests only entries added since their last known ledger state. Full re-download is not required after initial acquisition.

Wallets MUST:

• Extract cryptographic material from a Trust Anchor (TA).
• Support Active Authentication challenge verification.
• Derive a BIP32 keypair (as defined in [BIP32]), from the BIP39 mnemonic (as defined in [BIP39]).
• Present the BIP39 mnemonic to the owner. Note: the BIP39 mnemonic should be stored redundantly, preferably offline.
• Generate a fresh BIP32 keypair (as defined in [BIP32]).
• Store the master BIP32 private key in a secure storage section of their device (e.g. Apple Keychain, Android Keystore).
• Sign and manage the TA data.
• Generate (BIP32 child) DIDs compliant with did:key for interoperability.
• Support JWT issuance and asymmetric key exchange.

Wallets SHOULD:

• Encrypt credentials for local storage.
• Extract and store additional VCs such as DG11 for user convenience.

• Before any transaction, the Wallet MUST call either the Well-known Relay Peer, or one of it's known Relay Peers for the latest delta.
• If the Wallet is new, it must first be bootstrapped. Which means acquiring the full current Ledger. This is done by requesting delta's in chunks between epochs, starting with 0 (Unix Time). Until the Ledger is fully in place, the Wallet MUST NOT allow any transactions.
• Before any transaction, the Wallet MUST call either the Well-known Relay Peer, or one of it's known Relay Peers for the latest list of known Relay Peers.

A SSIMPL Wallet has certain security scenario's that need to be addressed

• The owners TA is lost/stolen: The owner MUST revoke their current TA - No transactions can take place until a new TA has been used to bootstrap.
• The owners device is lost/stolen: The owner MUST use their BIP39 mnemonic to restore their Wallet on a new device, then the owner MUST revoke their current DID and reinitialize their wallet. AND The owner MUST revoke their current TA through Delegated Revocation.
• The owners BIP39 mnemonic is lost/stolen: The owner MUST revoke their current DID and reinitialize their wallet. This will result in a double entry in respect to the same TA. But the 'older' one will be automatically ignored.
• The owners BIP39 mnemonic AND TA is lost/stolen: The owner MUST use their BIP39 mnemonic to restore their Wallet on a new device, then the owner MUST revoke their current DID and reinitialize their wallet. AND The owner MUST revoke their current TA through Delegated Revocation.
• ⚠️The owners BIP39 mnemonic AND TA is lost/stolen AND Delegated Revocation hasn't been configured: There is currently no way to come back from this scenario. Until the natural expiration of the used TA, a malicious actor could potentially impersonate the owner of the original Identity. SSIMPL implementations MUST therefore have a mandatory Delegated Revocation exchange flow.

In order to mitigate the scenario where the user has no access to their wallet anymore, SSIMPL offers a relatively straight-forward solution: two Peers (you and someone you trust, like a close relative) exchange a complete Revocation. In case of emergency, either Peer can always revoke the other Peers DID.

1. User installs wallet.
2. Wallet prompts for MRZ line.
3. NFC scan and extraction of passport data.
4. Creation of Verifiable Credential Root (VCR).
5. BIP39 mnemonic generation (and presentation to the user).
6. BIP32 keypair derivation and storage.
7. Signing of the TrustAnchorProof.
8. (lazy) publication of the TrustAnchorProof to the network.

• Receive, validate and store new Registrations/Revocations.
• Propagate ledger changes to a minimum quorum of N = 3* other Relay Peers upon receiving a new valid ledger entry or revocation, using the traversal algorithm.
• Provide metadata about the ledger.

To enable deterministic network formation and secure onboarding of Relay Peers, the SSIMPL protocol defines a bootstrap and verification procedure.

1. Attempt contact with n.{i+1}.ssimpl.org.
2. If unresponsive, assume end of ring and wrap to 0.ssimpl.org.
3. Continue incrementally (1, 2, ...) until a responsive peer is found or all indices up to i have been exhausted.
4. An unresponsive node MUST be skipped; it is not an error condition.

1. Beginning at {country}.n.{i+1}.ssimpl.org, push the change to each responsive peer in sequence.
2. Count each successful push. If the minimum quorum of N = 3 successful pushes is reached, propagation is complete.
3. If the end of the ring is reached before quorum is met, wrap to n.0.ssimpl.org and continue.
4. If the full ring is exhausted without reaching quorum, propagation MUST still be considered complete — quorum is a best-effort guarantee.

A peer that receives a pushed change via gossip MUST validate the entry before storing it, and *MUST NOT* re-propagate it (the originating peer is responsible for reaching quorum).

• Track valid DIDs without a central authority.
• Support bounded state and deterministic pruning.
• Enable single-peer verification.
• Eventual consistency via optional gossip or client/server reconciliation.
• Mobile-friendly operation for large ledgers (5–30 GB).

1. Filter expired entries based on did_expiry and GRACE_PERIOD.
2. Normalize entries into canonical byte format.
3. Sort lexicographically by did_expiry then by hash(did).
4. Compute root_hash using a Merkle tree over the current, complete, pruned ledger.

The SSIMPL ledger uses a Merkle tree to enable efficient verification of ledger state and individual entries.

An entry is valid if:

1. current_time < did_expiry + GRACE_PERIOD.
2. hash(verifiable_credential_root.data) equals verifiable_credential_root.signature_document.message.
3. The public key in the DID matches signature_document.signature.public_key.
4. Signature verification succeeds: verify_signature( verifiable_credential_root.signature_document.message, verifiable_credential_root.signature_document.signature.value, verifiable_credential_root.signature_document.signature.public_key, verifiable_credential_root.signature_document.signature.algorithm )

Expired or invalid entries are ignored and removed during canonical construction.

• Peers MAY remove their own entries and expired entries. To revoke a DID:

  1. Store a revocation payload on the local Ledger.
  2. Store and submit a revocation payload to (Relay) Peers.

• Peers MUST NOT remove valid entries or modify others' entries.

• Deterministic pruning ensures consistent ledger state across peers.

• Iterative delta exchange ensures eventual convergence.
• Relay Peers act as distribution points while also validating entries.
• Stateless Relay Peers MAY bootstrap from peers but SHOULD persist data for efficiency.
• Upon requesting deltas from other Peers, any requesting RelayPeer MUST send their index* along with the request. A regular Peer doesn't have an index, so this requirement can be ignored in that case.

Repeat until reconciled:

1. (Relay)Peer sends LedgerDeltaRequests to 2-N other (Relay)Peers.
2. Matching hash: No action required.
3. Hash mismatch: Merge attached Entries.
4. Hash mismatch: (Relay)Peer sends LedgerDeltaRequests to 2-N other (Relay)Peers. Etc.

1. Field Ordering
   • All objects MUST have their fields sorted lexicographically by key name.
   • Example: For {"b":2,"a":1}, canonical form is {"a":1,"b":2}.
2. Whitespace
   • No unnecessary whitespace is allowed.
   • Only minimal separators required by the serialization format are permitted.
3. Encoding
   • All strings MUST be UTF-8 encoded.
   • No BOM (Byte Order Mark) or non-standard characters are allowed.
4. Number Representation
   • Numbers MUST be represented without leading zeros (except zero itself) and without exponential notation.
   • Example: 1.0 → 1.0; 01 → invalid.

5. Boolean and Null

6. true, false, and null MUST use JSON literals exactly as shown (case-sensitive).

• Recursion: Apply canonicalization rules recursively to all nested objects and arrays.
• Arrays MUST preserve element order.
• Elements MUST themselves be canonicalized if they are objects or arrays.

1. The message field in every SignatureEnvelope MUST be the hash of the canonical serialized data object.
2. Recommended hash function: SHA-256.
3. The hash input is strictly the canonical byte sequence of the data object (no additional metadata).
4. Signing the message binds the signer cryptographically to the exact canonical representation of the object.

There are many ways to encode raw bytes or strings, and more are being invented as we speak. It is highly inefficient to make these encodings contract-based. SSIMPL therefore highly recommends the use of the Multibase Data Format, as defined in [Multibase], which is deterministic.

• Multibase or Base64url encoding MUST be used consistently for any binary data (e.g., cryptographic proofs).
• Multibase-encoding SHOULD be used consistently for any binary data (e.g., cryptographic proofs).
• This ensures that all peers can reproduce the exact same byte sequence for verification.

To verify a signature:

1. Peer canonicalizes the data object according to the rules above.
2. Peer hashes the canonicalized bytes to compute the message.
3. Peer verifies that the computed message matches the message in signatureEnvelope.
4. Peer validates the signature using the provided publicKey and algorithm.
5. Only if all checks pass is the object considered valid.

Canonicalization guarantees that:

• Signatures are deterministic and portable across implementations.
• Peers can independently verify credentials, ledger entries, and revocations.
• Forks, replay attacks, and accidental divergence due to encoding differences are prevented.

All cryptographically signed objects in SSIMPL MUST follow a uniform, canonical structure, known as the SignatureEnvelope. This ensures consistency across all signed data, including ledger entries, revocations, and delta payloads.

{
  "message": "<hash-of-canonical-data>",
  "signature": {
    "publicKey": "<Multibase-encoded public key>",
    "algorithm": "<algorithm identifier>",
    "value": "<Multibase-encoded signature>"
    },
  "signer": "<DID of signer>"
}

The following, canonical, JSON structure needs to be fed into a hash function (SHA-256 recommended) which results in the 'taHash'. It is specific for standardised ePassports. Other TAs should have their own canonical JSON structure.

{
    "dateOfBirth": 580963131,
    "documentExpiryDate": 1960861131,
    "documentNumber": "ABC123...example",
    "documentType": "P"
}

PUT /ledger

Purpose: Revoke a TA by submitting a revocation payload. Providing the taHash means that the related TA can NEVER be used again to initialize a Wallet. The taHash is mandatory for Delegated Revocation.

Request payload: Revocation

Response: 201 ACCEPTED

PUT /ledger

Purpose: Revoke a TA by submitting a revocation payload. Providing the taHash means that the related TA can NEVER be used again to initialize a Wallet. The taHash is mandatory for Delegated Revocation.

Request payload: LedgerDeltaRequest

Response: 200 OK

Response payload: LedgerDeltaResponse

Response: 409 CONFLICT

Response payload: none