SVID vs DID: Secure Production Identity Framework for Everyone (SPIFFE) Verifiable Identity Document (SVID) vs Decentralized Identity (DID from DIF)

[nathanawmk]

Hello! I am looking to secure production workloads with SPIFFE SVID. I am also looking at how workloads can be tied to decentralized identity (DID from DIF - https://identity.foundation).

Like to know if there are any differences between SPIFFE vs DID and if there are overlaps between both and if there are ways for both to interoperate?

This might not be the best venue to post this question so my apologies in advance.

https://security.stackexchange.com/questions/256175/svid-vs-did-secure-production-identity-framework-for-everyone-spiffe-verifiab

[spikecurtis]

I'm no DID expert, but I did peruse the specs, so I'll try to give a little bit of commentary.

I do think there are some overlaps between the projects in terms of providing identity services via cryptographic proofs, and it seems possible for the two to coexist.

One big immediate challenge in terms of interop is that each use mutually exclusive URI formats to express identity, with each defining a new scheme (spiffe: and did:).

There are some big differences in goals and scope. DID specs state the goal of creating decentralized identity without the use of any central identity providers, whereas SPIFFE architecture describes federations of identity providers. The scope of things to be identified is also much wider in DID, including "people, organizations, apps, and devices," whereas SPIFFE is focused on computer processes & services (i.e. "workloads").

I'm certainly open to further discussion, to see whether there are enough use-case overlaps to motivate some direct collaboration. Can you talk a little bit more about your interest in SPIFFE and DID, and any use cases if you know of any?

[xiaods]

i think SVID is for enterprise centralized database vs DID is for everyone.