Cryptographically secure entropy is collected from the operating system. Sources: /dev/urandom, SecRandomCopyBytes, BCryptGenRandom. On hardware with a TPM, additional entropy is mixed in.
The Ed25519 key pair is generated from the seed. The private key never leaves the sealed storage boundary. All operations are constant-time. Uses ed25519-dalek with ZeroizeOnDrop.
The DID identifier is derived from the public key by multibase-encoding it. The DID URI includes the namespace and the hmr entity kind.
The DID document is assembled with verification method, authentication relationship, and optional service endpoints. Self-signed with JCS canonical serialization.
The private key is encrypted and stored in platform-specific sealed storage. Secure Enclave on macOS/iOS. Kernel keyring on Linux. Never written to disk in plaintext. Memory zeroized on drop.
The signed DID document is published to the Weave DHT for global resolution. Replicated across multiple nodes. Publication is optional for fully offline-verifiable identities.
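The first four steps above (seed, key pair, DID derivation, self-signed DID document) worked through as an added example, together with the offline check a verifier runs on the result. This is not the project's code: the project uses ed25519-dalek in Rust, and Go's standard-library crypto/ed25519 and crypto/rand stand in here so the example runs with no dependencies. Assumptions: the `did:<namespace>:<kind>:<multibase key>` layout (the text only says namespace and entity kind are included), the multicodec prefix 0xed01 borrowed from did:key, the `#key-1` and `#svc` fragment ids, the placeholder `HmrService` service type, and a canonicalizer that covers the string-valued document built here rather than every RFC 8785 rule. Sealed storage (step 5) and DHT publication (step 6) need the platform or the network and are left out.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Base58btc alphabet; multibase marks this encoding with a leading 'z'.
const b58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

// Multicodec prefix for ed25519-pub (0xed as a varint); assumed here, same as did:key.
var ed25519Codec = []byte{0xed, 0x01}

// Multibase encodes raw bytes as "z" + base58btc.
func Multibase(raw []byte) string {
	n := new(big.Int).SetBytes(raw)
	base, rem := big.NewInt(58), new(big.Int)
	var out []byte
	for n.Sign() > 0 {
		n.DivMod(n, base, rem)
		out = append([]byte{b58[rem.Int64()]}, out...)
	}
	for _, b := range raw { // each leading zero byte becomes a leading '1'
		if b != 0 {
			break
		}
		out = append([]byte{'1'}, out...)
	}
	return "z" + string(out)
}

// MultibaseDecode reverses Multibase, restoring leading zero bytes.
func MultibaseDecode(s string) ([]byte, error) {
	if !strings.HasPrefix(s, "z") {
		return nil, errors.New("not base58btc multibase")
	}
	n := new(big.Int)
	for _, c := range s[1:] {
		idx := strings.IndexRune(b58, c)
		if idx < 0 {
			return nil, errors.New("bad base58 digit")
		}
		n.Mul(n, big.NewInt(58)).Add(n, big.NewInt(int64(idx)))
	}
	raw := n.Bytes()
	for _, c := range s[1:] {
		if c != '1' {
			break
		}
		raw = append([]byte{0}, raw...)
	}
	return raw, nil
}

// NewSeed draws 32 bytes from the OS CSPRNG (step 1); crypto/rand wraps the platform source.
func NewSeed() ([]byte, error) {
	seed := make([]byte, ed25519.SeedSize)
	_, err := rand.Read(seed)
	return seed, err
}

// KeyFromSeed derives the Ed25519 key pair deterministically from the seed (step 2).
func KeyFromSeed(seed []byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// PublicKeyMultibase prefixes the key with its multicodec and multibase-encodes it (step 3).
func PublicKeyMultibase(pub ed25519.PublicKey) string {
	return Multibase(append(append([]byte{}, ed25519Codec...), pub...))
}

// DIDFromPublicKey builds the identifier; the "did:<namespace>:<kind>:<key>" layout is assumed.
func DIDFromPublicKey(namespace, kind string, pub ed25519.PublicKey) string {
	return fmt.Sprintf("did:%s:%s:%s", namespace, kind, PublicKeyMultibase(pub))
}

// Canonicalize emits JCS-style JSON (RFC 8785): sorted keys, no whitespace, no HTML escaping.
// encoding/json sorts map keys and every value here is an ASCII string, so this is canonical;
// a general implementation must also apply the RFC 8785 number and U+2028/U+2029 rules.
func Canonicalize(doc map[string]any) ([]byte, error) {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false)
	if err := enc.Encode(doc); err != nil {
		return nil, err
	}
	return bytes.TrimSuffix(buf.Bytes(), []byte("\n")), nil
}

// BuildDIDDocument assembles the document (step 4) and self-signs it with the key it describes.
// The proof is computed over the canonical form of everything except the proof itself.
func BuildDIDDocument(did string, pub ed25519.PublicKey, priv ed25519.PrivateKey, serviceEndpoint string) (map[string]any, error) {
	vm := did + "#key-1"
	doc := map[string]any{
		"@context":           []any{"https://www.w3.org/ns/did/v1"},
		"id":                 did,
		"verificationMethod": []any{map[string]any{"id": vm, "type": "Ed25519VerificationKey2020", "controller": did, "publicKeyMultibase": PublicKeyMultibase(pub)}},
		"authentication":     []any{vm},
	}
	if serviceEndpoint != "" { // service endpoints are optional; "HmrService" is a placeholder type name
		doc["service"] = []any{map[string]any{"id": did + "#svc", "type": "HmrService", "serviceEndpoint": serviceEndpoint}}
	}
	canon, err := Canonicalize(doc)
	if err != nil {
		return nil, err
	}
	doc["proof"] = map[string]any{"type": "Ed25519Signature2020", "verificationMethod": vm, "proofValue": Multibase(ed25519.Sign(priv, canon))}
	return doc, nil
}

// VerifyDIDDocument is the offline check: the key in verificationMethod must be the key the
// DID was derived from, and the proof must verify over the canonical document minus the proof.
func VerifyDIDDocument(doc map[string]any) error {
	id, _ := doc["id"].(string)
	vms, _ := doc["verificationMethod"].([]any)
	if len(vms) == 0 {
		return errors.New("no verification method")
	}
	vm, _ := vms[0].(map[string]any)
	pkm, _ := vm["publicKeyMultibase"].(string)
	raw, err := MultibaseDecode(pkm)
	if err != nil {
		return err
	}
	if len(raw) != len(ed25519Codec)+ed25519.PublicKeySize || !bytes.HasPrefix(raw, ed25519Codec) {
		return errors.New("verification method is not an ed25519 key")
	}
	if !strings.HasSuffix(id, ":"+pkm) {
		return errors.New("DID does not match the key it carries")
	}
	proof, _ := doc["proof"].(map[string]any)
	pv, _ := proof["proofValue"].(string)
	sig, err := MultibaseDecode(pv)
	if err != nil {
		return err
	}
	unsigned := make(map[string]any, len(doc))
	for k, v := range doc {
		if k != "proof" {
			unsigned[k] = v
		}
	}
	canon, err := Canonicalize(unsigned)
	if err != nil {
		return err
	}
	if !ed25519.Verify(ed25519.PublicKey(raw[len(ed25519Codec):]), canon, sig) {
		return errors.New("proof does not verify")
	}
	return nil
}

func main() {
	seed, err := NewSeed()
	if err != nil {
		panic(err)
	}
	pub, priv := KeyFromSeed(seed)
	doc, err := BuildDIDDocument(DIDFromPublicKey("hmr", "agent", pub), pub, priv, "")
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(doc, "", "  ")
	fmt.Println(string(out), "verify:", VerifyDIDDocument(doc))
}
```

The binding that makes the identity "fully offline-verifiable" is the two checks in VerifyDIDDocument: the DID's key component must equal the multibase key in the document, and the proof must verify with that key over the canonical bytes. A resolver that fetches the document from the DHT gets no extra trust from the network; it only learns where to find bytes it can check by itself.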