J0YY

Distributed Identity and PKI: Two Sides of the Same Trust Infrastructure

2025-08-03

I believe distributed identity (DID) and the traditional PKI system are not in conflict—they’re two complementary approaches to solving the same core problem: trust. In a way, PKI forms the "arterial system" of trust—the high-level, centralized backbone from governments to institutions. DID, in contrast, addresses the "capillary system"—fine-grained, dynamic trust relationships at the user and application level.

1. Privacy Challenges in Traditional PKI

PKI, especially in its current form based on the X.500 model and X.509 certificates, struggles with user-level privacy. All identity information in X.509 is explicitly encoded and exposed during authentication. This is problematic for personal use cases—users can’t selectively disclose only the necessary attributes. For instance:

  • If we include full employment or education details in a certificate, then checking into a hotel would expose too much.

  • If we minimize disclosure to just a user ID or serial number, then we lose the ability to verify claims like "I’m a teacher" or "I’m eligible for student benefits."

This trade-off significantly limits PKI's usability at the edge. In contrast, distributed identity offers selective disclosure through advanced cryptographic primitives like ZKPs (zero-knowledge proofs), supporting privacy while preserving trust. The data formats and verification protocols in DID are also evolving toward this goal.

2. Flexibility Beyond Hierarchical Trust

Another issue is the rigidity of hierarchical trust in PKI. Every trust relationship must ultimately trace back to a root—often a government or global CA. But in practice, that’s not always feasible:

  • In everyday interactions like a haircut, there's no need to escalate trust all the way to a root CA.

  • In cross-border contexts, like a user traveling abroad, it's unlikely that both regions share the same root of trust.

PKI addresses this with cumbersome mechanisms—certificate pinning, cross-certification, or centralized trust anchors—which are hard to scale or coordinate globally.

Distributed identity solves this with decentralized trust anchors. A business in Hong Kong, for example, might choose to trust credentials from Ant Group or a national-level issuer from China, without requiring global consensus or a common root. This model builds a mesh-like trust network—flexible, local, and scalable.
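The two points above, selective disclosure from section 1 and verifier-local trust anchors from section 2, as an added illustration that is not part of the original post: the issuer signs only salted hashes of each claim, the holder forwards the values it chooses to reveal, and the verifier accepts only issuers in its own trust registry. The issuer DIDs, keys and claims are constructed, and an HMAC stands in for the asymmetric signature a real credential would carry.

```python
import hashlib
import hmac
import json
import secrets


def _digest(salt: str, name: str, value) -> str:
    # Commitment to one claim: H(salt, name, value). Without the salt, a
    # verifier cannot brute-force the value of an undisclosed claim.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()


def issue_credential(issuer_did: str, issuer_key: bytes, claims: dict) -> dict:
    """Issuer commits to every claim and signs only the sorted list of digests."""
    disclosures = {n: (secrets.token_hex(16), v) for n, v in claims.items()}
    digests = sorted(_digest(s, n, v) for n, (s, v) in disclosures.items())
    payload = {"iss": issuer_did, "sd": digests}
    body = json.dumps(payload, sort_keys=True).encode()
    # Stand-in for an Ed25519/ECDSA signature so the example runs offline.
    sig = hmac.new(issuer_key, body, "sha256").hexdigest()
    return {"payload": payload, "sig": sig, "disclosures": disclosures}


def present(credential: dict, reveal: list) -> dict:
    """Holder forwards the signed commitments plus only the chosen (salt, value) pairs."""
    return {
        "payload": credential["payload"],
        "sig": credential["sig"],
        "disclosed": {n: credential["disclosures"][n] for n in reveal},
    }


def verify_presentation(pres: dict, trust_registry: dict) -> dict:
    """Verifier: issuer must be a locally trusted anchor (no global root needed),
    and each disclosed claim must hash to a digest the issuer signed."""
    iss = pres["payload"]["iss"]
    if iss not in trust_registry:
        raise ValueError(f"issuer {iss} is not a trust anchor for this verifier")
    body = json.dumps(pres["payload"], sort_keys=True).encode()
    expected = hmac.new(trust_registry[iss], body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, pres["sig"]):
        raise ValueError("issuer signature does not verify")
    signed = set(pres["payload"]["sd"])
    accepted = {}
    for name, (salt, value) in pres["disclosed"].items():
        if _digest(salt, name, value) not in signed:
            raise ValueError(f"claim {name!r} was not signed by the issuer")
        accepted[name] = value
    return accepted
```

A hotel in this model learns only the claim the holder chose to reveal, and a verifier that has not listed the issuer rejects the presentation outright rather than searching for a common root.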

Summary

In short, DID doesn’t replace PKI—it complements it. PKI can continue to serve as the backbone, while DID enables more fine-grained, privacy-preserving, and decentralized identity expression at the edges. Together, they form a complete, layered trust infrastructure—from arteries to capillaries—powering real-world, usable identity systems.