🤖 AI Summary
This paper addresses the reliance of Decentralized Identifiers (DIDs) on trusted registries and the security assumptions inherent in existing DID propagation mechanisms. To eliminate this dependency, we propose Zero-Registry DID—a novel architecture that completely dispenses with centralized or distributed registries, instead enabling on-demand generation of DID documents via cryptographic binding and implicit reconstruction. Our method embeds public keys, service endpoints, and delegation policies directly into standardized credentials (e.g., JWT or X.509), secured by digital signatures and verifiable across arbitrary distribution channels—including email, DNS, blockchains, and P2P networks—without imposing security assumptions on those channels. Key contributions include: (1) the first registry-free DID architecture; (2) lightweight, delegatable, and privacy-enhancing identifiers for humans, digital content, and IoT devices; (3) seamless interoperability with Web PKI and existing token ecosystems; and (4) empirical validation in cross-domain identity authentication and resource identification scenarios.
📝 Abstract
We introduce did:self, a Decentralized Identifier (DID) method that does not depend on any trusted registry for storing the corresponding DID documents. Information for authenticating a did:self subject can be disseminated by any means, without making any security assumption about the delivery method. did:self is lightweight, allows controlled delegation, offers increased security and privacy, and can be used for identifying people, content, and IoT devices. Furthermore, DID documents in did:self can be implicit, allowing reconstruction of DID documents from other authentication material, such as JSON Web Tokens and X.509 certificates.