DO-IRP v3.0 Protocol Overview
1. Protocol Overview
The Digital Object Identifier Resolution Protocol (DO-IRP) is a core component of the Digital Object Architecture (DOA). It is an application-layer network protocol designed to manage and resolve unique, persistent identifiers in distributed network environments.
DO-IRP establishes a secure and reliable binding between an identifier and its state information, represented by an identifier record. Given an abstract identifier such as 86.1000/123, a client can locate and retrieve associated metadata, access locations, fingerprint information, or authorization policies.
The DO-IRP v3.0 specification discussed here was released by the DONA Foundation on June 30, 2022. It is intended to supersede the earlier Handle System Protocol (RFC 3650-3652) and provide a more neutral, general-purpose identifier resolution service.
2. Core Design Principles
DO-IRP differs from conventional DNS and URL-redirection protocols by emphasizing three core properties.
2.1 Decoupling Identifiers from Locations
DO-IRP does not directly transfer files or data streams. Instead, it resolves an Identifier Record. The identifier remains persistent while the underlying data location, such as a URL, IP address, or cloud-storage path, may change. Resolving the identifier record decouples the logical identifier from its physical location and preserves long-term identity.
2.2 Fine-Grained Administrative Authority
Unlike DNS, where administration is generally scoped to a zone, DO-IRP supports highly granular administrative control.
- Independence: each identifier can have its own administrator.
- Access control: the protocol includes PKI-based access control. Read and write permissions can be defined independently for each record element. For example, an element may be publicly readable while modifications require an administrator holding a specific private key.
2.3 Distributed and Federated Architecture
DO-IRP is designed for distributed deployment.
- Two-level resolution architecture: a client first contacts a Prefix Registration Service (PRS), which is analogous to a root service, to discover the Local Identifier Service (LIS) responsible for the identifier. The client then contacts the LIS directly to retrieve the data.
- Service autonomy: organizations can operate their own Local Identifier Services and independently manage identifiers in their namespaces while remaining interconnected through the global root service.
3. Key Capabilities
DO-IRP defines two primary classes of service operations:
- Resolution services:
- Retrieval: a client submits an identifier and receives a structured identifier record containing elements such as URLs, public keys, fingerprints, and metadata.
- Type filtering: a client can request only selected data, such as the URL or public key associated with an identifier.
- Administration services:
- Lifecycle management: create and delete identifiers.
- State maintenance: add, modify, and remove individual information elements in an identifier record.
- Authority management: update administrative permissions and authentication keys online.
4. Application Scenarios
DO-IRP is applicable where data interoperability and resource management must span systems and organizations.
4.1 Persistent Identifier Systems
This is the canonical DO-IRP use case, as seen in systems such as DOI.
- Scenario: scholarly papers, datasets, standards, and similar resources require permanent references that remain valid even when the hosting server or domain changes.
- Role of DO-IRP: resolving the identifier dynamically returns the resource’s current URL or metadata, preserving the durability of the reference.
4.2 Cross-Domain Data Sharing and Data Networking
- Scenario: in data-networking or industrial-internet environments, data is distributed across private organizational domains. A unified identifier system connects these isolated data assets.
- Role of DO-IRP: each organization runs its own DO-IRP service, or LIS, and registers identifiers for its data assets. External systems resolve those identifiers to obtain access endpoints, such as API addresses, schema descriptions, and authorization policies. The data remains in place while identifiers provide interoperability.
4.3 Digital Object Lifecycle Management
- Scenario: the properties of digital assets, such as copyrighted files or medical records, change as the assets are created, transferred, and archived.
- Role of DO-IRP: applications use administration operations to update state fields such as Timestamp and Status in real time, allowing the identifier record to serve as a dynamic identity record for the digital object.
4.4 Identity and Public-Key Infrastructure Management
- Scenario: entities in IoT and distributed systems require unique identities and authentication.
- Role of DO-IRP: an identifier serves as the unique device ID, while the identifier record stores the device public key in an HS_PUBKEY element. A system resolves the ID to retrieve the key, verify device signatures, or establish an encrypted channel. This can support decentralized authentication without relying on a conventional CA certificate chain.
4.5 Service Discovery and Routing
- Scenario: microservices and distributed-computing systems need to locate concrete service instances from logical names.
- Role of DO-IRP: the logical name is registered as an identifier, and service instance details such as IP address, port, and protocol version are stored in the record’s HS_SITE element. Resolving the identifier dynamically discovers available service nodes.
5. Protocol Advantages
DO-IRP addresses identifier-management limitations in existing Internet architecture. Compared with conventional network protocols, it offers the following advantages.
5.1 Built-In, Fine-Grained Security
- Self-contained security mechanisms: DO-IRP does not rely on external security facilities such as SSL/TLS certificate chains. Public keys can be stored directly as elements in identifier records, and the protocol defines a public/private-key challenge-response authentication flow, providing native security at the protocol layer.
- Fine-grained permissions: each Element in an identifier record can have independent read and write permissions, including Public Read, Admin Write, and Admin Read. Administrators can also receive different operation privileges, such as permission to add identifiers without permission to delete them.
5.2 High Availability and Performance
- Flexible deployment architecture: a service site can contain multiple primary or mirror nodes. Multiple servers within a site distribute load through a hashing algorithm and reduce single points of failure.
- Multi-level caching: TTL-based caching is defined for clients and servers, reducing network round trips and improving resolution efficiency.
5.3 Transport Independence
- DO-IRP is an application-layer protocol and is not bound to a single transport. Although the specification recommends TCP or UDP, the protocol can also be tunneled over HTTP or HTTPS. This allows it to traverse firewalls and integrate with existing Web architectures.
5.4 Internationalization
- The protocol requires UTF-8 encoding, so identifiers and associated metadata can contain characters from any language without additional transcoding or extension packages.
6. Technical Characteristics
This section summarizes the protocol’s technical architecture and operating model.
6.1 Flat and Structured Data Model
- Identifier structure: identifiers use a
prefix/suffixstructure. A global registration authority assigns prefixes to ensure uniqueness across organizations, while each organization independently manages its suffixes. Suffixes may contain arbitrary levels without imposing a tree structure. - Identifier Record structure: unlike DNS responses that commonly return addresses, a DO-IRP resolution result is a structured record containing multiple Elements. Each Element has a
Type,Value,Index, andTTL, allowing one identifier to reference heterogeneous data such as URLs, email addresses, public keys, and fingerprints.
6.2 Client-Server Interaction Model
- The protocol uses a conventional request-response model. A client sends a request containing an
OpCode, and the server returns a result containing aResponseCode. - Session management allows peers to establish a shared key after one handshake. Subsequent requests can use encryption (
ENC) or message authentication (MAC), improving the efficiency and security of repeated operations.
6.3 Two-Stage Resolution
- Resolution is logically divided into two stages. The client first queries the root service by Prefix to obtain the responsible local Service Info, then connects directly to that local service to retrieve the identifier record. This design supports horizontal scalability.
7. Comparison with Related Technologies
The following table compares DO-IRP with DNS and LDAP to clarify their respective roles.
| Feature | DO-IRP (Digital Object Resolution) | DNS (Domain Name System) | LDAP (Directory Service) |
|---|---|---|---|
| Primary purpose | Resolve persistent identifiers and manage metadata and state | Resolve domain names to IP addresses and support service discovery | Store and retrieve internal user and resource directory information |
| Data model | Identifier Record containing multiple typed, indexed data elements | Resource Records (RRs) with fixed types such as A, AAAA, and MX and relatively simple structures | Directory Information Tree (DIT) with strongly hierarchical, attribute-based entries |
| Persistence | High: identifiers are decoupled from physical locations, so location changes do not alter identifiers | Medium: domains are generally bound to addresses or services and records must be updated when they change | Medium: directory trees often reflect organizational structures and may require restructuring after organizational changes |
| Security | Built in: native PKI support, per-element permissions, and digital signatures | Added separately: relies on DNSSEC, while basic DNS has no authentication mechanism | Transport-dependent: commonly relies on SSL/TLS and includes comparatively complex ACLs |
| Administrative granularity | Very fine: each identifier may have an independent administrator and each element may have distinct permissions | Coarse: zone-based management cannot assign a separate administrator key to an individual domain name | Fine: supports attribute-based access control |
| Architectural flexibility | High: a prefix/suffix structure and flat administration facilitate cross-organizational federation | Low: a strict hierarchy concentrates control at the root | Medium: a strict hierarchy can make cross-organizational searches slower |
| Typical scenarios | Cross-system data exchange, PID systems such as DOI, and IoT device identities | Website access, mail routing, and infrastructure addressing | Enterprise employee management and SSO identity sources |
Summary
- DNS acts like the Internet’s phone book. It quickly translates human-readable names into machine-readable addresses, but provides limited complex data description and no native security in its basic form.
- DO-IRP acts as an identity system for digital objects. It can locate an object, authenticate its identity, and carry important object attributes, making it suitable as a data-exchange layer between heterogeneous systems.
8. Data Model: Element Definition
In DO-IRP, resolving an Identifier returns an Identifier Record composed of multiple Elements.
8.1 Common Element Structure
Every Element follows the same encoding structure regardless of its type.
| Field | Type / Length | Description |
|---|---|---|
| Index | U32 (4 bytes) | Element index, unique within the identifier record. 0 is reserved and must not be used. Values in the signed range (>= 2^31) should be avoided. |
| Type | UTF8-String | Element type, encoded as a 4-byte length prefix followed by a UTF-8 string. It defines the format and semantics of <Value>. |
| Value | Byte Array | Element data, encoded as a 4-byte length prefix followed by the data bytes. Its concrete structure is defined by <Type>. |
| TTL | 1 byte + U32 | Time to live for cache control. - Type=0: relative time in seconds - Type=1: absolute time as a Unix timestamp - Value=0: valid only for the current transaction and must not be cached |
| Permission | U8 (1 byte) | Access-control bitmask defining who may read or modify the Element. |
| Timestamp | U32 (4 bytes) | Last-modified time as a Unix timestamp in seconds. |
| References | 4 bytes + list | Deprecated. The specification requires four 0x00 bytes. |
Permission Bit Definitions
Permission is an 8-bit bitmask with the following definitions:
| Bit | Symbol | Description |
|---|---|---|
| 0x01 | PUBLIC_WRITE | Anyone may modify or delete the Element. |
| 0x02 | PUBLIC_READ | Anyone may read the Element. |
| 0x04 | ADMIN_WRITE | An authenticated administrator may modify or delete the Element. |
| 0x08 | ADMIN_READ | An authenticated administrator may read the Element. Without PUBLIC_READ, authentication is required. |
| High bits | Reserved | Reserved and set to 0. |
8.2 Predefined System Types
DO-IRP defines system types with the implicit 0.TYPE/ prefix. Their <Value> fields have specific binary structures.
8.2.1 HS_ADMIN (Administrators and Permissions)
Purpose: identifies who may administer an identifier record and defines the corresponding administrative permissions.
| Field Order | Type | Description |
|---|---|---|
| AdminPermission | U16 (2 bytes) | Administrative-permission bitmask, defined below. |
| AdminRef | UTF8-String + U32 | Administrator reference. - Identifier: identifier containing the administrator record. - Index: specific Element under that identifier, normally HS_PUBKEY, HS_SECKEY, or HS_VLIST.- Index=0: match any valid authentication Element in the referenced record. |
AdminPermission bit definitions:
| Value (Hex) | Symbol | Meaning |
|---|---|---|
| 0x0001 | Add_Identifier | [Prefix only] Create a new identifier under this prefix. |
| 0x0002 | Delete_Identifier | Delete this identifier record. |
| 0x0004 | Add_Derived_Prefix | [Prefix only] Create a derived prefix. |
| 0x0010 | Modify_Element | Modify an Element other than HS_ADMIN. |
| 0x0020 | Delete_Element | Delete an Element other than HS_ADMIN. |
| 0x0040 | Add_Element | Add an Element other than HS_ADMIN. |
| 0x0080 | Modify_Admin | Modify an HS_ADMIN Element. |
| 0x0100 | Remove_Admin | Delete an HS_ADMIN Element. |
| 0x0200 | Add_Admin | Add an HS_ADMIN Element. |
| 0x0400 | Authorized_Read | Read Elements restricted to ADMIN_READ. |
| 0x0800 | List_Identifiers | [Prefix only] List identifiers under this prefix. |
| 0x1000 | List_Derived_Prefixes | [Prefix only] List derived prefixes. |
8.2.2 HS_SITE (Service Site Information)
Purpose: describes a DO-IRP service site’s configuration, server list, and access interfaces.
Top-level HS_SITE structure:
| Field Order | Type | Description |
|---|---|---|
| Version | U16 | Data-format version, currently 1. |
| ProtocolVersion | U16 | Highest protocol version supported by the site, with Major in the high byte and Minor in the low byte. |
| SerialNumber | U16 | Serial number incremented on each modification and used by clients to synchronize caches. |
| PrimaryMask | U8 | Bit 0 (PrimarySite): whether this is a writable primary site. Bit 1 (MultiPrimary): whether multiple primary sites exist. |
| HashOption | U8 | Identifier hashing algorithm used to locate the responsible server.0x00: HASH_BY_PREFIX0x01: HASH_BY_SUFFIX0x02: HASH_BY_IDENTIFIER |
| HashFilter | UTF8-String | Reserved field. |
| AttributeList | List | Attribute list encoded as Count (U32) followed by {Key (UTF8), Value (UTF8)} entries. Common keys include desc for description and alt_addr for an alternate address. |
| NumOfServer | U32 | Number of servers in the site. |
| ServerRecordList | List | List of server records, defined below. |
ServerRecord structure:
| Field Order | Type | Description |
|---|---|---|
| ServerID | U32 | Server ID unique within the site. |
| Address | 16 Bytes | IPv6 address. An IPv4 address must be represented in IPv6-mapped format. |
| PublicKeyRecord | Byte Array | Server public key encoded as Length (U32) followed by KeyData. It verifies signatures on server responses. |
| InterfaceList | List | Service-interface list encoded as Count (U32) followed by Interface entries, defined below. |
Interface structure:
| Field Order | Type | Description |
|---|---|---|
| ServiceType | U8 | Service-type bitmask.0x01: administration only0x02: resolution only0x03: administration and resolution |
| Protocol | U8 | Transport protocol.0x00: UDP0x01: TCP0x02: HTTP0x03: HTTPS |
| Port | U32 | Port number. |
8.2.3 HS_PUBKEY (Public Key) / HS_SECKEY (Private Key)
Purpose: stores authentication keys.
| Field Order | Type | Description |
|---|---|---|
| KeyType | UTF8-String | Key-type identifier such as DSA_PUB_KEY or RSA_PUB_KEY. |
| Option | U16 | Reserved field. |
| KeyData | Byte Arrays | Concrete length-prefixed key parameters. - DSA: q, p, g, y in that order. - RSA: exponent, modulus in that order. |
| Note | - | The HS_SECKEY Value is the raw key byte stream and should not be granted PUBLIC_READ permission. |
8.2.4 HS_VLIST (Value List / Administrator Group)
Purpose: defines a set of references, commonly used to create an administrator group.
| Field Order | Type | Description |
|---|---|---|
| Count | U32 | Number of references in the list. |
| References | List | Reference list. Each reference contains: 1. Identifier (UTF8-String) 2. Index (U32) |
8.2.5 HS_CERT (Certificate) / HS_SIGNATURE (Signature)
Purpose: supports offline data-integrity verification and trust-chain construction. The content is serialized as a JWT (JSON Web Token).
HS_CERT Claims (JSON fields):
| Claim Key | Description |
|---|---|
| iss | Issuer, represented as an Identifier or Ref. |
| sub | Subject, the authorized party. |
| publickey | Subject public key in JWK format. |
| perms | Permission list, for example {"handle": "prefix/...", "perm": "derivedPrefixes"}. |
| chain | List of trust-chain references. |
HS_SIGNATURE Claims (JSON fields):
| Claim Key | Description |
|---|---|
| sub | Signed identifier. |
| digests | Digest object containing alg, the algorithm, and digests, the list of Element digests.Note: digest computation excludes the Element Index and Timestamp fields. |
| chain | List of trust-chain references. |
Other System Types
| Type Name | Description | Structure |
|---|---|---|
| HS_SERV | Service identifier | <Value> is a UTF8 string referencing another identifier whose record contains HS_SITE information. |
| HS_ALIAS | Alias | <Value> is a UTF8 string referencing the target identifier. Resolution should redirect to that target. |
| HS_SITE.PREFIX | Prefix service referral | Same structure as HS_SITE. It identifies the service location for a derived prefix through a Prefix Referral. |
| HS_SERV.PREFIX | Prefix service referral | Same structure as HS_SERV. It indirectly identifies the service location for a derived prefix. |
9 Protocol Message Structure
A DO-IRP message consists of four consecutive parts: Envelope, Header, Body, and Credential.
9.1 Message Envelope
The Envelope has a fixed length of 20 bytes. Figure 6.2.1 divides its first 4 bytes among the version, flag, and suggested-version fields; the remaining 16 bytes carry the session, request, sequence, and message-length fields.
| Field | Length | Description |
|---|---|---|
| MajorVersion | U8 | Protocol major version, currently 3. |
| MinorVersion | U8 | Protocol minor version, currently 0. |
| Flag | 3 bits | Bit 0 (CP): compression, reserved. Bit 1 (EC): encryption, indicating whether the Body is encrypted. Bit 2 (TC): truncation, used as a packet-fragmentation flag. |
| SuggMajor | 5 bits | Major version suggested by the client. |
| SuggMinorVers | U8 | Minor version suggested by the client. |
| SessionId | U32 | Session ID. 0 means no session. |
| RequestId | U32 | Request ID generated by the client and echoed in the response. |
| SequenceNumber | U32 | Fragment sequence number used to reassemble truncated messages. |
| MessageLength | U32 | Total message length: Header + Body + Credential. |
9.2 Message Header
The Header has a fixed length of 24 bytes. Figure 6.2.2 states that it contains eight fields; the final byte after RecursionCount is unnamed in the diagram and has no separate semantics defined by the specification.
| Field | Length | Description |
|---|---|---|
| OpCode | U32 | Operation code, listed in section 2.2.1. |
| ResponseCode | U32 | Response code, listed in section 2.2.2. 0 denotes a request. |
| OpFlag | U32 | Operation-flag bitmask, listed in section 2.2.3. |
| SiteInfoSerialNumber | U16 | HS_SITE serial number held by the client. |
| RecursionCount | U8 | Recursive-query depth counter. |
| Unnamed field | U8 | Unnamed one-byte field in Figure 6.2.2; the specification does not define separate semantics for it. |
| ExpirationTime | U32 | Message expiration time in Unix seconds. |
| BodyLength | U32 | Message Body length in bytes. |
9.2.1 Common OpCode Values
| OpCode | Symbol | Meaning |
|---|---|---|
| 1 | OC_RESOLUTION | Resolve an identifier. |
| 2 | OC_GET_SITEINFO | Retrieve site information. |
| 100 | OC_CREATE_ID | Create an identifier. |
| 102 | OC_ADD_ELEMENT | Add an Element. |
| 104 | OC_MODIFY_ELEMENT | Modify an Element. |
| 105 | OC_LIST_IDS | List identifiers under a prefix. |
| 200 | OC_CHALLENGE_RESPONSE | Send a challenge response for authentication. |
| 400 | OC_SESSION_SETUP | Establish a session. |
9.2.2 Common ResponseCode Values
| Code | Symbol | Meaning |
|---|---|---|
| 1 | RC_SUCCESS | Success. |
| 2 | RC_ERROR | General error. |
| 100 | RC_ID_NOT_FOUND | Identifier not found. |
| 302 | RC_SERVICE_REFERRAL | Service referral; the client must redirect. |
| 402 | RC_AUTHEN_NEEDED | Authentication required. |
9.2.3 OpFlag Values
| Bit | Symbol | Meaning |
|---|---|---|
| AT | Authoritative | The request or response is associated with the primary, authoritative site. |
| CT | Certified | Request a server signature on the response, including a Message Credential. |
| ENC | Encryption | Request encryption for session messages. |
| REC | Recursive | Request recursive resolution by the server. |
| CN | Continuous | Continuous message used for chunked transfer of large data, such as List operations. |
| KC | Keep Connection | Keep the TCP connection open. |
| PO | Public Only | Query only Elements with PUBLIC_READ permission. |
| RD | Request Digest | Include the request digest in the response to detect tampering. |
| OWE | Overwrite | Overwrite an existing Element during create or add operations. |
| MNS | Mint New Suffix | Ask the server to generate a suffix when creating an identifier. |
| DNR | Do Not Refer | Prevent the server from returning a Referral and require local processing. |
9.3 Message Body
The Body structure depends on OpCode. If the Header’s RD (Request Digest) flag is set, the Body begins with a digest.
Common Body structure:
| Order | Field | Type | Presence Condition |
|---|---|---|---|
| 1 | RequestDigest | Structure | Present only when RD=1 in the Header. |
| 2 | Payload | Variable length | Depends on OpCode, such as <Identifier>, <IndexList>, or <ElementList>. |
RequestDigest structure:
| Field | Type | Description |
|---|---|---|
| Algorithm | U8 | 1: MD5, 2: SHA-1, 3: SHA-256. |
| Digest | Byte Array | Hash of the original request Header + Body. Its length depends on the algorithm. |
9.4 Message Credential
The Credential carries a digital signature or session MAC.
| Field | Length | Description |
|---|---|---|
| Length | U32 | Total Credential length. 0 means no Credential. |
| Reserved | 8 Bytes | Reserved and filled with zeros. |
| SessionCounter | U32 | Session counter used to prevent replay attacks. |
| Type | UTF8-String | Credential type."HS_SIGNED": asymmetric-key signature."HS_MAC": symmetric-key MAC. |
| SignedInfo | Structure | Signature-information block, defined below. |
SignedInfo structure:
| Field | Type | Description |
|---|---|---|
| Length | U32 | Length of the SignedInfo block. |
| Algorithm | UTF8-String | Algorithm identifier such as "SHA-256" or "HMAC-SHA256". |
| SignedData | Byte Array | Signature value or MAC value, prefixed by a 4-byte length. |
Signature coverage:
- Envelope fields (12 bytes): Major/Minor/SuggVersion + SessionId + RequestId.
- Credential field (4 bytes): SessionCounter.
- The complete Message Header.
- The complete Message Body.