Own your identity —
quantum-safe & self-sovereign.
A self-sovereign digital identity built on the W3C DID data model (tracking v1.1), PQC-by-default with ML-KEM / ML-DSA / SLH-DSA, and optional X.509 linkage to an MCMC-licensed CA for recognition under Malaysia's Digital Signature Act 1997. You control your identity and disclose only what you approve.
W3C DID data model (v1.1, Candidate Recommendation) · W3C Verifiable Credentials v2.0 · Digital Signature Act 1997
Your DID document
did:ssid: · self-controlled
Self-sovereign · post-quantum · legally recognizable in Malaysia
Why identity is broken today
Centralized identity is a single point of failure — and it isn't quantum-safe
Most digital identity depends on someone else's directory, uses classical keys that a future quantum computer can break, and a plain decentralized identifier still lacks Malaysian legal standing.
Centralized dependency
When your identity lives in a government agency, social platform, or corporate directory, a breach, revocation, or shutdown can lock you out. There is no portability and no real user control.
Classical keys are quantum-vulnerable
Identity systems built on RSA and ECDSA risk cryptographic obsolescence. Systems deployed today without post-quantum readiness inherit that exposure from day one.
A DID alone lacks legal validity
A stock W3C DID does not natively integrate X.509. Without a certificate from an MCMC-licensed CA, its signatures may not satisfy the Digital Signature Act 1997 for banking, government, or legal use.
Fragmented verification
Every business app runs its own verification flow, so you re-create accounts and re-submit documents everywhere — with no standardized, privacy-preserving selective disclosure.
No user-controlled credential lifecycle
Credentials are usually issued and managed by centralized issuers. You cannot issue your own, and revocation or suspension depends on the original issuer.
Key loss can be permanent
In many identity systems, losing or compromising your primary keystore can destroy the identity forever. Without a pre-established recovery path, there is no way back.
How SSID works
A self-sovereign DID — adapted for the quantum era and Malaysian law
SSID is adapted from the W3C DID data model (v1.1, a Candidate Recommendation). Two deliberate adaptations set it apart: PQC cryptography by default, and optional X.509 linkage for legal recognition.
You create and control your DID
A DID document conforming to the W3C DID v1.1 data model is generated and held in your own encrypted vault (AES-256-GCM) — no dependency on a centralized identity provider. A standalone (non-blockchain) DID Registry and Resolver publishes and resolves your identifier.
PQC keys by default, classical as fallback
Every asymmetric operation defaults to post-quantum: ML-DSA (FIPS 204) for signing, ML-KEM (FIPS 203) for key encapsulation, and SLH-DSA (FIPS 205) for long-term signatures. Classical algorithms (ECDSA, EdDSA, RSA) remain available for backward compatibility, with hybrid/composite PQC-plus-classical for a smooth transition.
Optional X.509 linkage for DSA 1997
At least one keypair can be linked to an X.509 certificate. When that certificate is issued by an MCMC-licensed CA, the signature can be recognized under Malaysia's Digital Signature Act 1997. Linkage is optional and owner-controlled — SSID links to, but does not issue, X.509 certificates.
Issue, verify, revoke your own credentials
Full Verifiable Credential lifecycle (W3C VC Data Model v2.0) runs directly in the client: issue, hold, present, verify, revoke, and suspend — no centralized issuer in the loop. A status service distinguishes permanent revocation from reversible suspension.
Privacy-preserving QR authentication
Business apps authenticate you with a signed QR challenge-response. Your client verifies the request signature, then you accept, partially accept, or reject disclosure. Only the information you approve is signed and returned — the business app decides access independently.
Control-key recovery, no third parties
A dedicated control keypair, generated at setup and stored offline, can rotate compromised keys and recover your DID — with time-delay and multi-step confirmation — so a lost keystore never means a lost identity.
One protocol, three clients
The same SSID workflow — desktop, mobile, and backend
All three clients run the identical DID and credential protocol with full functional equivalence. They differ only in how the encrypted key vault is activated.
Desktop client
Windows, macOS, and Linux. Vault activation via OS FIDO2 / passwordless (Windows Hello, platform authenticators), with TOTP and Argon2id password as ordered fallbacks.
Learn moreMobile client
iOS, Android, and HarmonyOS. Biometric-gated vault (Face ID, Touch ID, strong BiometricPrompt) required for every signing operation, with downgrade detection built in.
Learn moreBackend process
An Elixir/OTP library for service and organizational DIDs. Password-plus-TOTP activation by default, sealed-vault startup, and API-based challenge-response for machine-to-machine flows.
Learn moreSelective disclosure
Share only what you approve — nothing more
A business app sends a signed QR challenge that names exactly which attributes or credentials it needs. Your client verifies the signature, shows you the request, and returns a signed response containing only the fields you consented to.
- Single-use challenge nonce and short expiry (5 minutes max by default) defeat replay and tampering.
- You can accept, partially accept, or reject — the app receives only consented data.
- The QR engine makes no access-control decision; the relying party decides independently.
- Works via on-screen display, mobile scan, deep link, or API-based machine-to-machine mode.
{
"@context": [
"https://www.w3.org/ns/credentials/v2"
],
"type": "VerifiablePresentation",
"holder": "did:ssid:8f3a...c19d",
"proof": {
"type": "DataIntegrityProof",
"cryptosuite": "ml-dsa-2024",
"challenge": "b7c1-single-use-nonce",
"created": "2026-07-02T09:41:00Z"
},
"disclosed": {
"over_18": true
},
"withheld": [
"full_name",
"date_of_birth",
"home_address"
]
}
Capabilities
Everything a sovereign identity needs — built in
From post-quantum cryptography to resilient recovery and privacy-first authentication, SSID ships the full stack.
PQC-by-default cryptography
ML-DSA, ML-KEM, and SLH-DSA as defaults, with ECDSA, EdDSA, and RSA compatibility and hybrid/composite modes for transitional security.
User-sovereign credentials
Issue, present, verify, revoke, and suspend Verifiable Credentials (VC Data Model v2.0) directly in the client — no centralized issuer required.
Privacy-preserving QR auth
Signed challenge-response with selective disclosure so you reveal only approved attributes; the relying party decides access on its own.
Control-key recovery
A pre-generated, offline control keypair rotates compromised keys and recovers your DID without any third-party intervention.
X.509 legal linkage
Optionally link a keypair to an X.509 certificate from an MCMC-licensed CA for signatures recognizable under the Digital Signature Act 1997.
Hardened vault & hashing
Encrypted local vault (AES-256-GCM) with Argon2id-derived activation, TLS 1.3 minimum transport, and a SHA-3 hashing posture throughout.
Data portability
Export and import your DID data and credentials to migrate between devices and environments — your identity travels with you.
Crypto-agility ready
Structured for the Crypto & Cipher Agility Framework so algorithms can be switched by policy, without changing client code.
Offline-capable clients
Store, browse, and prepare presentations offline; connectivity is required only for DID resolution and credential status verification.
Use cases
Built for regulated, high-assurance identity
Wherever identity must be portable, private, and quantum-safe — and, in Malaysia, legally recognizable.
Government services
Citizens present verified attributes to public services with selective disclosure, and sign legally recognizable transactions using an X.509-linked keypair from an MCMC-licensed CA.
Banking & KYC
A signed QR request asks for a KYC profile; the customer discloses only the required fields; the bank verifies the credential and decides access — no repeated document re-submission.
Enterprise SSO
Employees and service identities authenticate to internal apps with a privacy-preserving, phishing-resistant challenge-response, backed by post-quantum keys and control-key recovery.
Standards & cryptography
Grounded in real standards — with honest framing
SSID is aligned with finalized NIST PQC algorithms and W3C data models. Legal recognition is a deployment property, not an automatic guarantee.
| Category | Default (post-quantum) | Compatibility / notes |
|---|---|---|
| Digital signature | ML-DSA (FIPS 204) | ECDSA (P-256/P-384), EdDSA, RSA-3072+ |
| Key encapsulation | ML-KEM (FIPS 203) | ECDH (P-256/P-384), RSA-OAEP |
| Long-term signature | SLH-DSA (FIPS 205) | Hash-based; conservative assumptions for archival signing |
| Symmetric / vault | AES-256-GCM | Encrypted keystore; Argon2id activation |
| Hashing | SHA-3 (SHA3-256/384/512, SHAKE) | Uniform modern hashing posture |
| Identity model | W3C DID data model v1.1 | Candidate Recommendation; adapted with X.509 linkage |
| Credentials | W3C Verifiable Credentials v2.0 | Issue / verify / revoke / suspend in-client |
On the W3C DID data model
SSID is adapted from the W3C DID data model (v1.1), which is a W3C Candidate Recommendation — technically complete and inviting implementations, not yet a ratified Recommendation. The word "adapted" is deliberate: SSID adds optional X.509 linkage on top of the stock model.
On Digital Signature Act 1997 recognition
Legal standing under the DSA 1997 flows from a certificate issued by an MCMC-licensed CA in the chain — not from the mere presence of an X.509 keypair. SSID provides the linkage capability; recognition is a deployment and integration outcome, not something the software guarantees on its own.
Performance figures cited in the specification (for example, DID resolution and QR verification latency) are design targets, not measured benchmarks.
Take back control of your identity
Self-sovereign, post-quantum, and built to be legally recognizable in Malaysia. See SSID in action.