Abstract: Executing an application within a scope of user-granted permission in a decentralized network that implements a distributed edger. First, receiving a request from an entity for using data stored in a data storage that is associated with a DID owner as one or more inputs of an application associated with the entity to generate one or more results. Next, one or more characteristics of the application associated with the entity is identified. Based on identified one or more characteristics, a scope of permission to access the requested data that is to be granted to the entity is determined. Then, the scope of permission is granted to the entity to use the data as the one or more inputs of the application associated with the entity. Finally, the one or more results from the application is received.

Abstract: An attestation component to make attestations about itself to a relying party. The attestation component offers identity attestations of a particular decentralized identity, and manages use of a private key of that decentralized identity. However, the attestation component also has its own private key that is different than the private key of the decentralized identity for which it offers attestations. As an example, the attestation component might, using its own private key, provide an integrity attestation from which an integrity with which the attestation component has managed the private key of the decentralized identity may be determined. Based on this integrity attestation, a relying party can determine whether to trust other attestations provided by the attestation component on behalf of the decentralized identity.

Abstract: Failover between decentralized identity stores in the context of there being multiple decentralized identity stores that are each under the control of a single decentralized identity to store data belonging to or regarding the decentralized identity. Third parties can use the decentralized identity to at least conditionally access the data of the primary decentralized identity store. However, in response to detecting a failover event, one of the remaining decentralized identity stores is promoted as the new primary decentralized identity store. As part of this promotion, the new primary decentralized identity store replaces the old primary decentralized identity store as being the decentralized identity store that is accessed using the decentralized identity.

Abstract: Embodiments disclosed herein are related to computing systems, computer program products, and methods for selecting and providing an attestation in response to a request from an entity. A request is received from an entity for attestation that included in various attestations related to an owner of the attestations. The attestations define information about the owner of the attestations that the entity desires to obtain. The request includes request metadata that identifies a type of the attestation that is being requested. The request metadata is analyzed to determine the attestation that is being requested. Based on the analysis, the attestation is selected. Access to the attestation is provided to the entity making the request.

Abstract: Permitting a decentralized identity to authenticate on behalf of a centralized identity to a centralized identity system, and/or permitting a centralized identity to authenticate on behalf of a decentralized identity to a decentralized identity system. Thus, the principles described herein permit authentication across decentralized and centralized domains. The identity system receives and registers a delegation for the first identity to authentic as the second identity, where one of the identities is a decentralized identity and one is a centralized identity. Thereafter, when the identity system receives a communication from the first identity to access a resource owned by the second identity, the identity system accesses the registration to determine that the first identity is authorized to authenticate as the second identity, authenticates the first identity as the second identity, and grants the first identity access to the resource owned by the second identity.

Abstract: Embodiments disclosed herein are related to computing systems and methods for broadcasting an intent of a first user to a second user of a decentralized network. The computing system and methods are implemented in the decentralized network that implements a distributed ledger that backs one or more decentralized identities (DID) for one or more users of the computing system. Intent from first users of the computing system is received. The intent data defines potential interactions between the first users and second users of the computing system. Broadcast messages are generated. The broadcast messages include a DID for each of the first users and information specifying the potential interactions. The generated broadcast messages are provided to the second users.

Abstract: Embodiments disclosed herein are related to computing systems, computer program products, and methods for providing a callback pattern for DID attestations or claims. An attestation is provided from a first entity of a decentralized network to a second entity of the decentralized network. The attestation defines information about an owner of the attestation that has been generated by the first entity and that is to be used by the second entity. The attestation includes contact metadata that defines how to contact the first entity. In response to the attestation being provided to the second entity, the first entity is contacted using the contact metadata.

Abstract: Enforcing different policy rules that are applicable to different types of data. A plurality of DIDs and a plurality of storages are managed by a computing system. Each of the plurality of storages is associated with at least one of the plurality of DIDs. Receive a request from an entity for operating on data stored or to be stored in one of the plurality of storages. Determine a type of the data requested to be operated on. Access one or more policy rules that are applicable to the type of the data. Based on the accessed one or more policy rules, determine whether the operation to be performed on the data will result in the data complying with the one or more policy rules. Based on the determination, allow or deny the request.

Abstract: Enforcing different policy rules that are applicable to different types of data. The computing system and methods are implemented in a decentralized network that implements a distributed ledger, the distributed ledger backing one or more decentralized identities (DID) for one or more users of the computing system. Receive a request from an entity for operating on data stored or to be stored in a storage that is associated with an owner of a DID. A type of data that is requested to be operated on is then determined. One or more policy rules that are applicable to the determined type of data are accessed. Based on the one or more policy rules, determine if the operation to be performed on the data will result in the data complying with the one or more policy rules. Based on the determination, allow the request when the operation will result the data complying with the one or more policy rules.

Abstract: The generation and management of decentralized identifiers of an entity. A decentralized identifier of a particular entity is recorded. Then, upon determining that the particular entity is granting a permission to another entity, the permission is signed based on the recorded decentralized identifier. As one example, the permission may be signed by a private key of the decentralized identifier. The permission may be verified upon request by authenticating the signed permission being associated with the recorded decentralized identifier; and authorizing the other entity to act upon the data depending on the authentication. As an example only, the authentication may occur using a public key associated with the recorded decentralized identifier.

Abstract: Embodiments disclosed herein are related to computing systems, and methods for determining patterns in received data that are indicative of common characteristics of the one or more users of a computing system. Data from first users of the computing system is received. The received data defines information about the first users. The type of the data that is received is determined by the first users. The received data is analyzed to determine one or more patterns in the received data. The one or more patterns are indicative of one or more common characteristics shared by the first users. Information related to the determined one or more patterns is provided to second users. The information includes a DID for each of the f first users that may be used by the second users to communicate with the first users.

Abstract: Generating a private key recovery seed based on random words extracted from an input memory of a user and using the recovery seed to recover the private key. An input that is related to a specific memory of a user is received. The specific memory was previously entered and used to generate random words that are related to each other by being included in the specific memory. The random words are extracted from the received input. The random words are associated with a first private key recovery mechanism for recovering a private key. The random words are input into the first private key recovery mechanism to generate a recovery seed. The recovery seed is input into a second private key recovery mechanism. The second private key recovery mechanism generates a recovered private key upon performing a recovery operation on the private key recovery seed.

Abstract: Embodiments disclosed herein are related to computing systems, computer program products, and methods for selecting and providing an attestation in response to a request from an entity. A request is received from an entity for attestation that included in various attestations related to an owner of the attestations. The attestations define information about the owner of the attestations that the entity desires to obtain. The request includes request metadata that identifies a type of the attestation that is being requested. The request metadata is analyzed to determine the attestation that is being requested. Based on the analysis, the attestation is selected. Access to the attestation is provided to the entity making the request.

Abstract: Selecting a persona for a Decentralized Identifier (DID) and associated DID document based on a trust score. A request for data or services associated with an owner of various decentralized identifiers (DID) is received. Each of the plurality of DIDs may have an associated DID document. The associated DID document for each of the DIDs defines a persona based on an amount of identifying information included in the DID document. Based on the received request, a trust score is assigned to an entity that generated the received request. The trust score is at least partially based on the verifiability of an identity of the entity that generated the received request. Based on the trust score, the persona and the associated DID and DID document that should be used by the owner for interacting with the entity that generated the request is selected.

Abstract: Creating and managing linked decentralized identifiers for an entity. A parent decentralized identifier of an entity has an associated parent private key. A determination is made that a child decentralized identifier is to be created for the parent decentralized identifier. In response to the determination, the parent private key is used to generate a child private key, and a child decentralized identifier is created by at least assigning the generated child private key as the private key for the child decentralized identifier. Each of the decentralized identifiers may be associated with a permission to another entity. The permission associated with the child decentralized identifier may not be broader than the permission granted to the parent decentralized identifier.

Abstract: The generation and management of decentralized identifiers of an entity. A decentralized identifier of a particular entity is recorded. Then, upon determining that the particular entity is granting a permission to another entity, the permission is signed based on the recorded decentralized identifier. As one example, the permission may be signed by a private key of the decentralized identifier. The permission may be verified upon request by authenticating the signed permission being associated with the recorded decentralized identifier; and authorizing the other entity to act upon the data depending on the authentication. As an example only, the authentication may occur using a public key associated with the recorded decentralized identifier.