Identity plumbing
Every enterprise already has an identity problem. DIDs turn it into infrastructure.
Why you should care
Your company spends real money, every year, on identity that doesn’t quite work.
You onboard vendors and re-verify them from scratch. You chase employees through forty SaaS tools when they leave. You sign releases with a key stored somewhere nobody’s sure about, because the person who set it up is gone. You get phishing emails from “the CFO” that are technically from a lookalike domain, and someone in AP always clicks.
Every one of these is an identity problem dressed up as something else. A Decentralized Identifier — a DID — is the primitive that turns these ad-hoc frictions into plumbing. Boring, cryptographic, cross-org. The kind of thing you stop thinking about because it works.
Before
Today, enterprise identity is a patchwork. Each tool holds its own truth. Each relationship re-verifies from zero.
- Vendor onboarding is a PDF of tax IDs, a form, a phone call to confirm the phone call, and a prayer.
- Email is the weakest link in every workflow — a lookalike domain is all it takes to redirect a wire.
- SSO federates a handful of apps but misses the long tail. Offboarding is a checklist across forty services, and someone always misses one.
- Release signing exists in pockets — container images here, binaries there — but your customers have no portable way to verify any of it against your org.
- Employee credentials — certifications, access levels, clearances — live in HR systems that don’t talk to anything.
The cost isn’t dramatic. It’s a steady hum of rework, risk, and lost context.
After
With DIDs, each of these becomes a small, verifiable fact.
- Your org publishes a DID at did:web:yourcompany.com. Anyone can resolve it. It lists your signing keys, your service endpoints, your subordinate DIDs.
- Vendors you trust publish theirs, and their DIDs are endorsed by industry bodies or prior customers via Verifiable Credentials. Onboarding becomes: resolve, check credentials, sign the contract.
- Your CI signs releases with a key in your org’s DID document. Customers verify with any DID resolver. A binary substituted or altered after signing fails verification by construction.
- Employees carry a DID issued by your org. It travels with them between systems. When they leave, you revoke the endorsement — the DID persists as theirs, but the claim of affiliation ends, instantly, everywhere.
- Email signed with a DID key is provable. “Is this really from the CFO?” stops being a judgment call.
None of this is speculative technology. The pieces exist today. The work is plumbing — connecting the pieces to the workflows that already run the business.
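The verifier's side of the publishing and release-signing bullets above, as an added example (not code from this page or from WeDID): it maps a did:web identifier to its document URL as the did:web method defines, then accepts a signing key only if the DID document lists it under assertionMethod. The DID document, key ids, key material and the `release_key` helper are constructed for illustration; fetching the document over HTTPS and the signature check itself belong to whatever resolver and crypto library you use.

```python
from urllib.parse import unquote

def did_web_to_url(did):
    """Map a did:web identifier to the HTTPS URL of its DID document."""
    if not did.startswith("did:web:"):
        raise ValueError("not a did:web identifier")
    host, *path = did[len("did:web:"):].split(":")
    host = unquote(host)  # only the port colon (%3A) is percent-encoded
    bad = lambda seg: "/" in seg or seg in ("", ".", "..")
    if bad(host) or any(bad(unquote(p)) for p in path):
        raise ValueError("malformed did:web identifier")
    tail = "/".join(path) if path else ".well-known"
    return f"https://{host}/{tail}/did.json"

def release_key(did, doc, kid):
    """Return the verification method for kid if the DID document authorizes
    it for assertionMethod (signing claims and releases), else None."""
    if doc.get("id") != did:
        raise ValueError("document id does not match the DID that was resolved")
    absolute = lambda ref: did + ref if ref.startswith("#") else ref
    listed = {absolute(m["id"]): m for m in doc.get("verificationMethod", [])}
    for entry in doc.get("assertionMethod", []):
        # Entries are either embedded methods or references to listed ones.
        method = listed.get(absolute(entry)) if isinstance(entry, str) else entry
        if method is None or absolute(method["id"]) != absolute(kid):
            continue
        # Policy assumed for this example: the org itself must control the key.
        if method.get("controller") == did:
            return method
    return None

# Constructed sample document; key material is a placeholder, not a real key.
DID = "did:web:yourcompany.com"
DOC = {
    "id": DID,
    "verificationMethod": [
        {"id": DID + "#release-1", "type": "Ed25519VerificationKey2020",
         "controller": DID, "publicKeyMultibase": "zPLACEHOLDER-RELEASE"},
        {"id": DID + "#sso-1", "type": "Ed25519VerificationKey2020",
         "controller": DID, "publicKeyMultibase": "zPLACEHOLDER-SSO"},
    ],
    "authentication": [DID + "#sso-1"],
    "assertionMethod": ["#release-1"],
}

if __name__ == "__main__":
    print(did_web_to_url(DID))
    for kid in ("#release-1", "#sso-1", "did:web:yourcompany.co#release-1"):
        print(kid, "accepted" if release_key(DID, DOC, kid) else "rejected")
```

A key that appears in the document only under authentication, or whose id belongs to a lookalike DID, is rejected before any signature is checked.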
What fades
Some things you’ve built elaborate systems to cope with become smaller.
- Per-tool SSO spaghetti gets thinner. Identity lives in the DID; tools consume it.
- “Is this really someone from Acme Corp?” becomes a resolver check, not a reply-all.
- Offboarding-as-archaeology becomes a single revocation that propagates.
- Proprietary identity silos lose their grip — your employees’ credentials are portable, your vendors’ credentials are portable, your own signing keys aren’t locked to a vendor’s platform.
- The annual vendor re-audit doesn’t disappear, but it starts with resolvable facts instead of a questionnaire.
The new normal
By the end of the decade, enterprise identity will look the way TLS looks today. A standard. A thing IT provisions. A thing auditors check the absence of, not the presence of.
A new vendor shows up. You resolve their DID. You see the credentials they carry — ISO certifications from bodies whose DIDs you already trust, past engagements signed by companies you recognize. Due diligence that took two weeks takes an afternoon.
A customer downloads your software. Their system verifies the signature against your org’s DID. If the signature doesn’t check out, the install doesn’t happen. Supply-chain attacks that depend on substituting a binary stop being possible in the routine case.
An employee joins from a peer company. They bring a portable credential that says “held a SOC 2 compliance role at Acme from 2028–2031” — signed by Acme’s DID. You don’t call Acme. You verify the credential and move on.
Layered on top, a liveness signal: is this vendor’s signing key still being used? Is the issuer of that credential still active? Tools are beginning to surface it. It’s a soft signal, but it catches orphaned relationships before they become incidents.
The shape of it is: identity becomes infrastructure. You stop running the identity problem and start having the identity layer.
Ready to resolve? Install WeDID. Ready to publish? Here’s how.