Enterprise architects evaluating Self-Sovereign Identity (SSI) for production deployments face a landscape of competing standards, evolving protocols, and conflicting vendor promises. The core challenge is no longer whether SSI works—it does, in pilots—but how to scale it across thousands of issuers, millions of holders, and billions of verifications without recreating the centralization problems it aims to solve. This guide provides a decision framework for architects who need to choose an SSI architecture, implement it within existing identity infrastructure, and avoid common failure modes that derail enterprise rollouts.
1. The Decision Frame: Who Must Choose and by When
Every organization adopting SSI eventually faces a fork: which DID method, which credential format, which revocation mechanism, and which governance model. The decision is not purely technical—it is a bet on where the ecosystem is heading. An enterprise architect must weigh the trade-offs between interoperability today and flexibility tomorrow, between operational simplicity and cryptographic rigor.
The urgency varies by industry. Financial services firms under PSD2 or open banking mandates often have regulatory deadlines that force a choice within 12–18 months. Healthcare organizations exploring patient-controlled data sharing may have more runway but face stricter privacy requirements. Government agencies deploying digital identity schemes typically operate on multi-year timelines but cannot afford a false start that erodes public trust.
Regardless of timeline, the decision should be driven by three factors: the trust model of the ecosystem (who are the issuers and verifiers, and what relationships exist), the scalability requirements (number of credentials, verification frequency, geographic distribution), and the operational capacity of the organization to run infrastructure like ledgers or registries. Architects who defer this choice risk building pilots that cannot connect to production networks or that lock them into a single vendor's proprietary extensions.
The goal of this guide is to help you make an informed architectural choice—not to recommend one approach as universally superior, but to map each option to the contexts where it thrives. We will compare three primary SSI architectural patterns using concrete criteria, then walk through the implementation path and common pitfalls.
Who This Guide Is For
This guide is for identity architects, security engineers, and technical decision-makers who already understand the basics of SSI—DIDs, verifiable credentials, zero-knowledge proofs—and need to evaluate real-world deployment options. If you are new to SSI, we recommend first reviewing foundational resources from the Decentralized Identity Foundation or W3C Verifiable Credentials specifications before diving into this comparison.
2. The Option Landscape: Three Architectural Approaches
Enterprise SSI deployments today cluster around three architectural patterns, each with different trade-offs in decentralization, performance, and operational overhead. We describe them without naming specific vendor implementations, focusing on the underlying DID method and infrastructure choices.
Approach A: Ledger-Based SSI (e.g., did:indy)
This approach uses a permissioned or public blockchain to store DID documents and credential schemas. The most mature example is Hyperledger Indy, which underpins several government and enterprise networks. In this model, DIDs are anchored on a ledger, enabling decentralized resolution without relying on any single party. Credential revocation is handled via accumulator-based mechanisms (e.g., Indy's Revocation Registry), which allow privacy-preserving revocation checks without revealing the holder's full credential.
Pros: High decentralization; no single point of failure; strong privacy guarantees for holders; mature open-source codebase with proven interoperability in networks like Sovrin and IDunion.
Cons: Requires operating or joining a ledger network, which introduces operational complexity (node management, consensus, governance); transaction costs and latency for writes; ledger size grows unbounded, requiring pruning strategies; less flexible for private or permissionless scenarios where a public ledger is undesirable.
Approach B: Web-Based SSI (e.g., did:web)
did:web uses standard HTTPS servers to host DID documents, leveraging existing DNS and TLS infrastructure. No blockchain is required. The DID document is a JSON file served at a well-known URL derived from the domain. This approach is simple to deploy for organizations that already manage web servers and want to issue credentials without blockchain overhead.
Pros: Extremely low operational overhead; no ledger sync or consensus; leverages existing security practices (TLS, DNS); easy to integrate with existing identity systems like OAuth or SAML via federation.
Cons: Centralized by design—the domain owner controls the DID document, which may conflict with SSI's decentralization goals; revocation is typically handled via list-based mechanisms (e.g., status list 2021) that can leak correlation data; no built-in privacy preservation for holders; less resilient if the domain goes down; not suitable for ecosystems requiring trust without a central authority.
Approach C: Key-Based SSI (e.g., did:key)
did:key derives the DID directly from a public key, with no external lookup required. The DID document is generated deterministically from the key material. This method is often used for ephemeral or pairwise DIDs in peer-to-peer scenarios, such as in the Aries framework for agent-to-agent communication.
Pros: Maximum simplicity—no infrastructure needed; fully decentralized; ideal for high-frequency, low-trust interactions (e.g., IoT, messaging); supports offline verification if the verifier has the DID and public key.
Cons: No key rotation without changing the DID (which breaks existing references); no revocation mechanism built-in—revocation must be handled out-of-band; not suitable for long-lived, high-assurance credentials; limited ecosystem support for verifiable credential issuance at scale.
Hybrid and Emerging Approaches
Some deployments combine methods—for example, using did:web for issuer DIDs and did:key for holder pairwise DIDs, or layering a did:indy ledger with did:web fallback for resolution. The W3C DID Core specification also includes did:peer for private pairwise relationships, which is gaining traction in decentralized messaging. Architects should consider whether a hybrid approach better matches their trust model than a single method.
3. Comparison Criteria: How to Evaluate SSI Architectures
Choosing among these approaches requires a structured evaluation. We propose five criteria that address the most common enterprise concerns.
Scalability
How does the system perform as the number of issuers, holders, and verifications grows? Ledger-based systems face throughput limits from consensus latency—public ledgers typically handle 10–50 writes per second, which may be insufficient for high-volume issuance (e.g., university diplomas for millions of students). Web-based systems scale with existing web infrastructure, but centralized resolution creates a bottleneck and single point of failure. Key-based systems have no central bottleneck but require out-of-band key distribution, which can become unwieldy at scale.
Privacy and Correlation Resistance
SSI promises holder privacy, but not all architectures deliver equally. Ledger-based systems with zero-knowledge proofs (e.g., Indy's revocation) allow verifiers to check revocation without learning the holder's identity or credential details. Web-based status lists, by contrast, can leak correlation data if the same list is queried repeatedly. Key-based systems offer no built-in privacy—any interaction using the same DID can be correlated. Architects handling sensitive personal data (e.g., healthcare, finance) should prioritize architectures that support selective disclosure and unlinkable proofs.
Operational Complexity
Running a ledger network requires dedicated DevOps for node maintenance, consensus monitoring, and governance participation. Web-based systems fit into existing IT operations—essentially, managing HTTPS endpoints. Key-based systems require no infrastructure beyond key management, but key lifecycle management (generation, storage, rotation) becomes critical at scale. Organizations with limited blockchain expertise may find web-based or hybrid approaches more feasible for initial deployment.
Interoperability
Interoperability across different SSI implementations is still evolving. The Aries framework provides a common agent-to-agent protocol, but DID method support varies. did:indy has the broadest ecosystem support due to its maturity, but did:web is gaining traction in the W3C CCG and OpenID Foundation. Key-based DIDs are widely supported in Aries but less so in enterprise credential issuance platforms. Architects should verify that their chosen approach supports standard credential formats (W3C VC, JWT-VC) and protocols (DIDComm, OpenID4VC).
Regulatory Compliance
GDPR, eIDAS, and other regulations impose requirements on data minimization, right to erasure, and auditability. Ledger-based systems with immutable records raise questions about the right to erasure—while credentials are not stored on-ledger, revocation registries may retain history. Web-based systems allow full control over data but may not meet decentralization requirements for certain trust frameworks. Key-based systems minimize data retention but complicate audit trails. Legal review is essential before choosing an architecture for regulated use cases.
4. Trade-Offs Table: Comparing the Three Approaches
The following table summarizes the trade-offs across the five criteria. Use it as a starting point for your own weighted decision matrix.
| Criterion | Ledger-Based (did:indy) | Web-Based (did:web) | Key-Based (did:key) |
|---|---|---|---|
| Scalability (writes) | Low (10–50 tps) | High (web infrastructure) | N/A (no writes) |
| Scalability (reads) | Medium (ledger nodes) | High (CDN, caching) | High (no lookup) |
| Privacy (correlation resistance) | High (ZKPs, unlinkable) | Low (status lists) | Low (same DID reused) |
| Operational complexity | High (ledger ops) | Low (web ops) | Very low (key mgmt) |
| Interoperability | High (mature ecosystem) | Medium (growing) | Medium (Aries-focused) |
| Regulatory fit | Mixed (immutability vs. erasure) | Good (full control) | Good (minimal data) |
When to Choose Each Approach
Choose ledger-based SSI when you need strong decentralization, privacy-preserving revocation, and are willing to invest in ledger infrastructure—common in government digital identity schemes and multi-stakeholder consortia. Choose web-based SSI when you prioritize operational simplicity, already have mature web infrastructure, and operate in a trust model where a central issuer is acceptable—typical for enterprise employee credentials or university diplomas. Choose key-based SSI for ephemeral or pairwise interactions where long-term credential management is not required—ideal for IoT device authentication or peer-to-peer messaging.
5. Implementation Path: From Decision to Production
Once you have selected an architectural approach, the implementation path follows a similar sequence regardless of the underlying DID method. We outline the key phases with attention to enterprise-specific concerns.
Phase 1: Governance Framework Design
Before writing a line of code, define the rules of your SSI ecosystem: who can issue credentials, what schemas are allowed, how revocation is handled, and what dispute resolution mechanisms exist. For ledger-based systems, this often means joining an existing governance framework (e.g., Sovrin) or creating a new one. For web-based systems, governance is typically unilateral—the issuer defines the rules—but if multiple issuers are involved, a trust framework must be agreed upon. Document the governance framework as a machine-readable trust registry or as a legal agreement.
Phase 2: Credential Schema and Issuance Pipeline
Define credential schemas using standard formats (W3C VC or JWT-VC). For ledger-based systems, schemas are often published on the ledger for discoverability. For web-based systems, schemas can be hosted on the issuer's domain. Build an issuance pipeline that integrates with your existing identity source (e.g., HR system, student database) to generate credentials. Ensure the pipeline supports batch issuance for high-volume scenarios—for example, issuing 10,000 employee badges in a single operation. Test the pipeline with a small cohort before scaling.
Phase 3: Wallet and Holder Experience
Choose a wallet strategy: will you provide a branded wallet app, integrate with existing wallets (e.g., mobile OS-native wallets), or use a web wallet? Enterprise deployments often require a combination—a branded wallet for employees, but support for standard wallets for external partners. Ensure the wallet supports the chosen DID method and credential format. For high-assurance credentials, consider hardware-backed key storage (e.g., secure enclave, YubiKey). Test the holder experience for common flows: credential receipt, storage, presentation, and revocation.
Phase 4: Verification and Revocation
Build or integrate a verifier component that can accept credential presentations and check their validity. For ledger-based systems, the verifier must be able to query the ledger for revocation status. For web-based systems, the verifier fetches status lists. For key-based systems, revocation must be handled out-of-band (e.g., via a blacklist). Ensure the verifier supports the same credential formats and proof types as the issuer. Plan for high verification throughput—caching revocation status and using asynchronous verification where possible.
Phase 5: Monitoring and Lifecycle Management
SSI systems require ongoing monitoring: DID document changes, key rotations, schema updates, and revocation list updates. Implement logging and alerting for these events. For ledger-based systems, monitor ledger health and consensus. For web-based systems, monitor DNS and TLS certificate expiry. Establish a lifecycle management process for credentials—e.g., automatic revocation when an employee leaves, or credential renewal before expiry.
6. Risks: What Happens When You Choose Wrong or Skip Steps
Even a well-chosen architecture can fail if implementation skips critical steps. We examine common failure modes with composite scenarios based on patterns seen in enterprise deployments.
Risk 1: Underestimating DID Rotation Costs
In a ledger-based system, rotating an issuer's DID requires updating the DID document on the ledger and notifying all holders who have credentials issued under the old DID. If the issuer has issued millions of credentials, the cryptographic binding between the old DID and the new DID must be maintained to avoid breaking verifiability. In practice, this means either keeping the old DID resolvable indefinitely or issuing new credentials to all holders—a massive operational burden. One financial services consortium we heard about had to postpone a key rotation for six months because they had not budgeted for the re-issuance effort. Mitigation: use short-lived DIDs with automatic rotation built into the governance framework, and plan for rotation costs from the start.
Risk 2: Neglecting Governance Framework
A healthcare network deployed a web-based SSI system for patient credentials without a formal governance framework. When a dispute arose over whether a certain clinic was authorized to issue credentials, there was no mechanism to resolve it. The network had to shut down issuance for three months while lawyers drafted a governance agreement. Mitigation: even for web-based systems, document governance rules—who can issue, what schemas are valid, how revocation is authorized—before going live.
Risk 3: Overlooking Revocation at Scale
An education consortium chose did:key for simplicity, only to realize that revoking a credential required contacting every verifier individually with an updated blacklist. With over 100,000 credentials issued, this was impractical. They had to migrate to a ledger-based system mid-project, causing delays and rework. Mitigation: choose an architecture with built-in revocation that scales to your expected credential volume. If using did:key, plan for revocation from the start—perhaps by issuing short-lived credentials that expire automatically.
Risk 4: Ignoring Wallet Fragmentation
A government agency issued credentials using a proprietary wallet app, but citizens expected to use their existing mobile wallets. The agency had to build bridges to support multiple wallet formats, adding months of development. Mitigation: adopt standard wallet interfaces (e.g., W3C VC API, OpenID4VP) and test with multiple wallet implementations early in the project.
7. Mini-FAQ: Common Questions from Enterprise Architects
We address recurring questions that arise during SSI evaluation and deployment.
Is SSI ready for high-throughput environments like payment systems?
Current SSI implementations are not designed for sub-millisecond verification at thousands of transactions per second. Ledger-based systems introduce latency from ledger queries, and zero-knowledge proof verification is computationally expensive. For high-throughput scenarios, consider hybrid approaches: use SSI for credential issuance and initial verification, then fall back to traditional session-based authentication for subsequent interactions. Alternatively, use did:web with status lists cached on CDNs for faster verification, accepting the privacy trade-off.
How does SSI integrate with existing IAM systems like Active Directory or Okta?
SSI is not a replacement for existing IAM but a complement. Typical integration patterns include: (1) using the existing IAM as the identity source for credential issuance—e.g., an HR system triggers credential issuance when a new employee is onboarded; (2) using SSI credentials as an additional factor in multi-factor authentication; (3) using SSI to enable cross-domain federation without a central identity provider. The integration point is usually at the issuance pipeline and the verifier component, which can be exposed as a standard API (e.g., OpenID Connect) that existing systems can call.
What is the role of DIDs in zero-trust architectures?
DIDs can serve as persistent, cryptographically verifiable identifiers for devices, services, or users in a zero-trust network. Unlike traditional IP addresses or usernames, DIDs are not tied to a network location, making them resilient to network changes. However, zero-trust also requires continuous authentication and authorization, which SSI alone does not provide. DIDs are best used as a foundation for identity in zero-trust, combined with real-time policy evaluation and risk scoring.
Can we use SSI without a blockchain?
Yes. did:web and did:key are blockchain-free. Many enterprise deployments choose web-based SSI precisely to avoid blockchain complexity. The trade-off is that you lose some decentralization and privacy guarantees. Evaluate whether your use case truly requires the properties that a ledger provides (e.g., decentralized resolution, unlinkable revocation) or whether a simpler web-based approach suffices.
How do we handle key management for millions of holders?
Key management at scale is the hardest operational challenge in SSI. For holders, the private key must be stored securely and be recoverable if lost. Options include: (1) custodial wallets where the enterprise manages keys on behalf of users (suitable for employee credentials but contradicts SSI principles); (2) non-custodial wallets with backup seeds (user-managed, but recovery is a UX challenge); (3) hardware-backed keys for high-assurance use cases. For issuers, key management involves regular rotation, secure storage in HSMs, and auditing. Plan for key recovery and rotation processes before deployment.
8. Recommendation Recap: Pragmatic Next Steps
SSI is not a single product but a family of architectural choices. The right approach depends on your ecosystem's trust model, scalability needs, and operational capacity. Here are specific next moves for architects evaluating SSI for production.
1. Run a structured decision workshop. Gather stakeholders from security, legal, and business teams. Use the criteria in Section 3 to score each architectural approach against your specific requirements. Weight the criteria based on your priorities—for example, if privacy is paramount, ledger-based systems score higher; if operational simplicity is key, web-based wins.
2. Build a proof of concept with your top two candidates. Do not commit to one architecture without hands-on testing. Implement a small end-to-end flow—issue a credential, store it in a wallet, present it to a verifier, and revoke it. Measure latency, throughput, and operational effort. Involve your DevOps team to assess the operational burden of each approach.
3. Engage with existing governance frameworks. Before building your own, check if an existing governance framework (e.g., Sovrin, IDunion, or a sector-specific trust framework) meets your needs. Joining an existing network reduces the governance design effort and provides interoperability with other participants.
4. Plan for a phased rollout. Start with a low-risk use case, such as internal employee credentials, before expanding to external partners or customers. Use the initial phase to refine your issuance pipeline, wallet experience, and revocation processes. Monitor closely and be prepared to adjust your architecture if the chosen approach does not scale as expected.
5. Invest in key lifecycle management. Regardless of architecture, key management is the linchpin of SSI security. Implement robust key generation, storage, rotation, and recovery processes. Consider using HSMs for issuer keys and secure enclaves for holder keys. Document key management procedures as part of your security policies.
Decentralized identity at scale is achievable, but it requires careful architectural choices and disciplined implementation. Avoid the temptation to chase the most decentralized option if your organization lacks the operational capacity to run it. Conversely, do not settle for a centralized shortcut if your use case demands the privacy and resilience that only a ledger-based approach can provide. The decision is yours—use the framework in this guide to make it confidently.
Comments (0)
Please sign in to post a comment.
Don't have an account? Create one
No comments yet. Be the first to comment!