Toward scalable decentralized identifier systems
Published May 13 2019 06:00 AM

Howdy folks,


Today’s post is the next step in realizing our vision for the future of decentralized identities, which we laid out last year. We believe every person needs a decentralized, digital identity they own and control, backed by self-owned identifiers that enable secure, privacy preserving interactions. This self-owned identity must seamlessly integrate into their lives and put them at the center of everything they do in the digital world.


We’ve been hard at work contributing to numerous emerging standards and developing open source components in furtherance of that vision, Identity Hubs being our most recent contribution. Identity Hubs provide secure, encrypted storage of personal data and they rely on decentralized systems (blockchains and distributed ledgers) to anchor their identifiers. Unfortunately, those systems have not had the performance characteristics required to power a truly worldwide decentralized identity system.


That is until now. Today, we’re announcing an early preview of a Sidetree-based DID network, called ION (Identity Overlay Network) which runs atop the Bitcoin blockchain based on an emerging set of open standards that we’ve developed working with many of our partners in the Decentralized Identity Foundation. This approach greatly improves the throughput of DID systems to achieve tens-of-thousands of operations per second.


I’ve asked Daniel Buchner, a program manager on my team who works on standards and open source solutions, to present our latest contributions in this area. His post introduces another major component we’ve been developing—in collaboration with other members from the Decentralized Identity Foundation (DIF)—to create a scalable foundational layer for decentralized identity systems.


As always, we’d love to hear your thoughts and feedback.


Best regards,


Alex Simons (Twitter: @Alex_A_Simons)
Vice President of Program Management
Microsoft Identity Division




Hi, it’s Daniel, from the Microsoft Identity team focused on developing standards for Decentralized Identity. Today, the most common digital identifiers we use are email addresses and usernames, provided to us by apps, services, and organizations. This puts identity providers in a place of control, between us and every digital interaction in our lives. Our goal is to create a decentralized identity ecosystem where millions of organizations, billions of people, and countless devices can securely interact over an interoperable system built on standards and open source components.


Recent advancements in decentralized consensus systems (e.g. blockchains, distributed ledgers) provide capabilities that can be leveraged to create Decentralized Identifiers (DIDs) that are owned by the user. While blockchains unlock the ability to create highly secure, censorship resistant identity systems, their transactional volumes are severely limited when compared to traditional systems. The most robust, decentralized, public blockchains operate at just tens of transactions per second, nowhere near the volume a world full of DIDs would demand.


This post details our joint effort with various members of the identity and blockchain communities to address the performance and scale needs of DID systems, while maintaining the properties of decentralization and self-ownership that differentiate them from existing identity technologies. There is no simple solution to this problem—one can’t just change a variable to increase the transactional volume of these systems without degrading the very attributes of decentralization that make them valuable. To tackle this challenge, we’ve been collaborating with members of the DIF, notably ConsenSys and Transmute, to develop a blockchain-agnostic protocol for creating scalable DID networks, called Sidetree.


Today, we’re announcing an early preview of a Sidetree-based DID network, called ION (Identity Overlay Network), which runs atop the Bitcoin blockchain. ION is a public, permission-less, open network anyone can use to create DIDs and manage their Public Key Infrastructure (PKI) state. ION is designed to deliver the scale required for a world of DIDs, while inheriting and preserving the attributes of decentralization present in the Bitcoin blockchain. The code for the ION reference node is still under rapid development, and there are many aspects of the protocol left to implement before it is ready for testing on Bitcoin mainnet. On low-powered consumer reference hardware we’ve observed tens-of-thousands of DID operations per second. As with our previous announcements, we’re sharing our work as early as possible—rough edges and all—to start a conversation with the community and encourage collaboration.



The generic components specified by the Sidetree protocol comprise the majority of ION’s code. ION, like all Sidetree-based DID networks, is a combination of the core Sidetree logic module, a chain-specific read/write adapter, and a content addressable storage protocol (e.g. IPFS) that replicates data between nodes. Together, these components enable the creation of Layer 2 DID networks that run atop existing blockchains (Layer 1) at thousands, or even tens of thousands, of PKI operations per second. The only form of consensus the Sidetree protocol requires is a decentralized chronological ordering of operations, which is exactly what the underlying blockchain provides. Unlike monetary units and asset tokens, IDs are not intended to be exchanged and traded. This difference in constraints is reflected in how the protocol is designed and enables it to achieve far greater scale without reliance on additional Layer 2 consensus schemes, trusted validator lists, or special protocol tokens. All nodes of the network are able to arrive at the same Decentralized Public Key Infrastructure (DPKI) state for an identifier based solely on applying deterministic protocol rules to chronologically ordered batches of operations anchored on the blockchain, which ION nodes replicate and store via IPFS. 
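
A minimal model of the replay described above, as an added example that is not ION or Sidetree code: batches live in a hash-addressed store, the ledger is only an ordered list of batch hashes, and every node applies the same rules in that order. The operation fields, the `did:example:` identifier and the hash-reveal authorization rule are assumptions made for illustration, not the Sidetree protocol's actual rules.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def commit(secret: str) -> str:  # toy commitment to a secret revealed later
    return sha256_hex(secret.encode())

def cas_put(store: dict, batch: list) -> str:
    """Content addressing: a batch is stored under the hash of its bytes."""
    data = json.dumps(batch, sort_keys=True).encode()
    store[sha256_hex(data)] = data
    return sha256_hex(data)

def resolve(ledger: list, store: dict) -> dict:
    """Replay anchored batches in ledger order; return {did: current key}."""
    state = {}
    for addr in ledger:  # the chain contributes only this ordering
        data = store[addr]
        if sha256_hex(data) != addr:
            raise ValueError("batch does not match its anchored hash")
        for op in json.loads(data):
            entry = state.get(op["did"])
            if op["type"] == "create":
                accepted = entry is None  # earliest create wins
            elif op["type"] == "update" and entry is not None:
                # Assumed rule: an update must reveal the committed secret.
                accepted = commit(op["reveal"]) == entry["commit"]
            else:
                accepted = False
            if accepted:
                state[op["did"]] = {"key": op["key"], "commit": op["next"]}
    return {did: entry["key"] for did, entry in state.items()}

# Constructed sample batches (not real ION data).
DID = "did:example:alice"
BATCH_1 = [{"type": "create", "did": DID, "key": "alice-key-1", "next": commit("s1")}]
BATCH_2 = [
    # A later create for an existing DID is ignored.
    {"type": "create", "did": DID, "key": "other-key", "next": commit("x")},
    # An update with the wrong reveal is ignored.
    {"type": "update", "did": DID, "key": "other-key", "reveal": "guess", "next": commit("x")},
    # The owner's update reveals "s1" and rotates the key.
    {"type": "update", "did": DID, "key": "alice-key-2", "reveal": "s1", "next": commit("s2")},
]

def demo():
    node_a, node_b = {}, {}
    ledger = [cas_put(node_a, BATCH_1), cas_put(node_a, BATCH_2)]
    for batch in (BATCH_2, BATCH_1):  # node B fetched them in the other order
        cas_put(node_b, batch)
    return resolve(ledger, node_a), resolve(ledger, node_b)
```

Calling `demo()` returns the same state for both nodes. Swapping the two hashes in `ledger` makes the other create win instead, which is why a shared chronological ordering is the one piece of consensus the replay depends on.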


In the coming months, we’ll work with open source contributors and members of the identity community to prepare for a public launch of the ION network on Bitcoin mainnet. During this time, the project’s code will evolve rapidly and is best suited for use by experienced developers. If you’re a developer interested in contributing, you can use the ION node installation guide to get a node up and running on your machine. Please file any bugs you notice as Issues in the ION repo, and submit Pull Requests to help accelerate development. If you’re not an experienced developer but would still like to interact with an ION node, we deployed an early preview build of ION on Azure. For more info, see DID Registration.


We’re also engaging with ecosystem partners to operate ION nodes. Collaborating with partners to validate the protocol and build out the network is an essential step in preparation for mainnet release.


Here are some of the organizations who are leaning in early to run nodes:


  • Equinix—Global interconnection and data center company. Equinix connects the world's leading businesses to their customers, employees and partners inside the most interconnected data centers.
  • Casa—Developer of hardware, apps, and services for security conscious Bitcoin users.
  • Learning Machine—Tools and services for issuing official records in a blockchain-anchored digital format, for schools, companies, and governments.
  • Civic—Tools to control and protect identities, built using an open source secure identity verification ecosystem.
  • Cloudflare—Leading Internet performance and security company that runs one of the world's largest networks.

While a great deal of development, community building, and testing remains to be done, we’re excited to work with everyone to drive this important initiative forward!  



Daniel Buchner (Twitter: @csuwildcat) 
Senior Program Manager 
Microsoft Identity Division 


Occasional Contributor

So who is paying for the transactions on the Bitcoin blockchain, and how often?  What are the expected annual costs in transactions?


Also, I'd like to point out that you are using Bitcoin while Azure is using Ethereum.  A bit inconsistent. ;)


That said, are you planning on using other blockchains in the future?

Hi Michael -


Right now in our test we are covering those costs. We are still in an early incubation phase, so we don't have a business model finalized yet. We are using Bitcoin as it's a great opportunity to prove this new technology out - but our design is chain agnostic. You'll see support for other chains for sure in the future.





Regular Visitor

How does ION compare to Blockstack?


I've been anchoring data to Bitcoin using Blockstack's subdomains protocol for a while (layer 2 batching). Also Blockstack DIDs + Gaia Hub works very well .... it provides speedy, reliable, and client side encrypted storage. I currently use the default provider on Azure Blob storage and I am curious on how it compares when benchmarked vs IPFS. Is there a performance hit when using IPFS compared to a central cloud hosted provider? If IPFS is being used and my local computer is turned off who on the network is going to "pin" (for free?) my data to another node in IPFS? 


Also, I really like the concepts on structured data and saving data using git-like (CRDT) commits. I've replicated this architecture on Blockstack using automerge.js and JSON-LD and concepts.


The real problem I ran into is creating real life collaborative dapps. How does ION support group keys and indexing? For example, how would you create a social network feed for an invite only group? Blockstack Radiks is what I have been using to solve this problem in the Blockstack ecosystem


@Nicholas Theile ION is a Decentralized Identifier-centric protocol tuned for scale, and is quite a bit different under the hood because of a few key assumptions: 1) IDs are not friendly names, 2) IDs are non-transferable, 3) global state is strongly eventually consistent. These are reflected in the protocol's rules that unlock a few key attributes we desired in an open protocol. Blockstack's Gaia Hub was loosely based on a concept we developed in the OSS community many years ago that is in the longer standards track of development under DIF, called Identity Hubs - you'll notice their concept of Collections semantic storage is the same, which was something they adopted from the wider community in DIF. (aside: I have actually been working on many of these components in one way or another since ~2011 at Mozilla, prior to joining MSFT)


In terms of why people pin batches you are included in via IPFS: turns out Identity/PKI is quite valuable, and maintaining the full node global state is basically a rounding error for millions of businesses and entities. Entities already maintain this sort of data today for free, so we believe they will continue to do so. You can also persist your own PKI metadata without the need to rely on anyone, which is a great feature of the protocol that empowers users to exist in the decentralized identity ecosystem without any aid from companies.


:thumbs_up: Can we imagine any circumstances that might fork the chain, and how that might be mitigated?

Senior Member

I can see both business and private applications here... but moving my online identity away from two or three authentication brokers (Microsoft, Google and Facebook) and taking control of identity on a personal level would be great! On the corporate level would you say this is the beginning of the end of AD and AAD?

Occasional Contributor

After reading a bit more, this all looks very promising.  Thank you for taking the time to engage your community and offer them valuable dialogue.


My only remaining ask is to please consider a .NET implementation alongside any web-based (HTML5/JS) implementation you may provide.


It seems that Azure always considers .NET only after the JS-folks are catered to, and this seems very backwards -- to the point of embarrassment.  Azure Functions is a great example of this, where they are still trying to reconcile the two flavors of their offering and now only getting on their feet between the two after years of development. 


This is obviously a very expensive approach to take.


Further, the .NET representation in blockchain is non-existent.  This would be an excellent entry-level introduction to a bunch of great .NET developers out there.  Thanks in advance for any consideration.

Regular Visitor

In the sample app here, how do I create a JWK for login? Is there a good example online or a blog post?


What is the roadmap for streamlining private key management on the client side for the end users? Will login be streamlined for an end user like in Blockstack.... i.e., will it eventually be easy enough for my Mom to use?

Occasional Visitor

Sounds really interesting. May I know the business model? Will Microsoft run a network of ION nodes and offer this as service to public/enterprise, or will Microsoft sell this as solution for other organization who wishes to do similar thing?

Also would like to hear your comments on other initiatives in the market, such as Sovrin (Hyperledger Indy) compared to Microsoft's sidetree-based ION solution.


Occasional Visitor

I appreciate your team's effort and Microsoft's intent with ION, as this is clearly a gap in the digital identity service value chain. I have some queries related to preserving privacy and control of users' digital identity transactions over the blockchain network. Would appreciate it if you could take a look.

  1. Performance: ION is stated to overcome current throughput limitations over the blockchain network and allow for tens of thousands of operations per second. Is it sufficient to meet the transaction volume of DIDs (Decentralized Identities) from billions of people and devices across the world?
  2. Control: It's not clear to me how users would be in complete control of their information on the bitcoin blockchain. For instance, my understanding is that the open network Public Key Infrastructure (PKI) secures the transaction by ensuring only authorized application/service providers with a public key will have access to user's personal identity, however,
    • How does ION ensure that the shared personal identity information is being used by app/service providers for authorized purposes only?
    • What happens after the purpose of the transaction is fulfilled? It's unclear how access to the identity data will be revoked once the purpose of that interaction is fulfilled.
    • If for whatever reason, the authorized application/service provider still has access to user's personal information outside of the network then the user is no longer in control of that data anymore and it could become a privacy nightmare.
    • I am assuming that once the transaction is authorized, user's personal identity gets shared with the designated service provider, who would be in possession of that information until explicitly asked to revoke following privacy regulations such as GDPR, CCPA.
  3. Security and reliability: Is there an effort to overcome the vulnerability of the bitcoin blockchain network to well-coordinated attacks that tend to take control over majority CPU power? 

Thanks again for all the effort that is going into this initiative. 

Occasional Visitor

Hi all, I have a few questions:


- In order to implement a digital identity solution based on ION, would I need to create and register my own driver/DID method in order for the DID resolver to find it? Or can I use the ION DID method (did:ion:)? In this last case, how would I register the method-specific identifier?


- It is not clear to me the differences of responsibilities between DIF Identity Hubs and Sovrin/Indy Agents. Are they complementary and both required in order to deploy a complete identity solution? Or can the Identity Hub perform all agents' functionalities?


Thanks in advance,


New Contributor
What do you plan to do when one of your partners decides to deplatform someone they don't like? Are you sure it was a good idea to partner with Cloudflare?

@Jordan Mills the Layer 2 system, ION, that is the topic of this post is a decentralized, immutable system for generating IDs and maintaining their PKI state. This has nothing to do with the content a person chooses to generate in association with their IDs, and the IDs cannot be 'deplatformed' by us or anyone else that runs an ION node (this is a core requirement). If a person uses an ID of theirs with some app or service and that app or service no longer wishes to do business with the person/ID, that's their choice, and has nothing to do with ION.

Occasional Visitor

Hi Alex,
I am looking forward to learning more about this project and how it evolves. Is there anybody in your Munich team in Germany who is part of this group? I consider myself an advocate for Digital Identity and I am discussing this matter with politicians on local and federal level. Furthermore I am coordinating the working group digital identity within the Blockchain Bavaria association. Maybe it is of mutual benefit to touch base.


This looks really interesting. I've been working on the Blockstack project for the past 18 months and am immediately wondering whether we can bind Blockstack human readable names to the Sidetree generated unique identifiers?



@mijoco there are several equivalence properties supported in the near-ratified DID Core specification (Decentralized Identifiers (DIDs) v1.0), but to do so we need to add support in ION for adding those properties and Blockstack must allow you to bi-directionally point back to the ION ID you want to bind, in compliance with the DID Core spec <-- while we can add 'alsoKnownAs' support to ION rather easily, I don't know if Blockstack supports the latest DID Core spec, or if they do, whether they will enable you to add the reverse pointer you'd need to create.


@lucafranceschini1  in response to your questions:

1. You would just use ION, and we are just about to publish a Universal Resolver driver so you can do so via the DIF Universal Resolver implementation, if you desire.

2. DIF/W3C are now jointly working on a personal datastore implementation via the DIF/W3C Secure Data Storage Working Group. Hubs (which will be a byproduct of that group) are different than Indy Agents, as they do not have privileged access to data. Here's a post that Daniel Hardman from Sovrin/Evernym wrote that details the differences between them and how they work together: Rhythm and Melody: How Hubs and Agents Rock Together | by Daniel Buchner | Decentralized Identity Fo...

Last update: Aug 19 2021 04:21 PM