How does key rotation work with DIDs (Decentralized Identifier)?

us flag

I've spent some time learning about DIDs but have some questions about key rotation:

The way I understand it is that a DID and DID doc are generated from a public key derived from a private key. Subsequently, if the owner wants to rotate the keys (the private key really), they can make a new DID doc which will include the new public key, and the doc will be signed with the old private key.

  1. At this point, I'm assuming the DID would resolve to the new DID document and not the old (so the resolver needs to be updated to have the new doc?)?
  2. Is there a way to get all the DID documents back?
  3. If so, does that mean that if we were to rotate keys every 24 hours there would be hundreds of DID documents potentially for a DID?


fgrieu avatar
ng flag
DID stands for [Decentralized Identifier](
kr flag

How key rotation is handled, or even supported, highly depends on the DID method in question. Examples of DID methods are did:web (served from a webserver), did:jwk (JWK encoded as DID) and did:btc (DIDs anchored on the Bitcoin blockchain). A method specifies how to create, read and update a DID document. Meaning there isn't a single way in how to create and update DID documents, it's highly dependent on the DID method.

Given that, key rotation is "just" a matter of adding a new key to the DID document (given it can contain multiple keys) and removing the old.

That is, given the DID methods actually supports multiple keys. Most do, but simple methods like did:jwk encode a single JWK into a key and don't support updates or multiple keys. And if the DID method support updates (I think most do), they don't necessarily allow reading previous versions. This could mean that after key rotation, old versions containing the old key aren't available anymore, immediately invalidating signatures created before rotation.

For example, Web DIDs (did:web) can be updated (change the file) and support an arbitrary number of keys in it, but the DID method doesn't support DID document history.

A DID document doesn't need to be created from a key pair, this again depends on the DID method. For example, a Web DID (e.g. is "created" as soon the DID document is served from It doesn't even need to contain a key!

I sit in a Tesla and translated this thread with Ai:


Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.