Luca, I wanted to add to Andy’s answer on this thread because the question you asked is actually central to the Sovrin Trust Framework (and I chair the Sovrin Trust Framework Working Group).
Andy’s answer is spot on—that the association between a real-world identity and any one of its Sovrin identities (i.e., DID and DDO) is not proven by the Sovrin ledger itself, but by verifiable claims that are issued and digitally signed by other DIDs stored on the ledger. This means it’s not the Sovrin ledger that serves as the root of trust, but each individual DID on the Sovrin ledger serves as its own root of trust.
This is a fundamentally different trust model than hierarchical CAs (certificate authorities). It’s a web of trust model. The web of trust is not a new idea—as the Wikipedia page explains, it’s over 25 years old. What’s new is using a decentralized ledger for all of the trust roots.
For example, there can be billions of DIDs on Sovrin and you may not trust 99.9999% of them. But of the 10 DIDs you do trust (perhaps because you personally know the people or companies that own them), you know their Sovrin identity records are very strong because those DIDs and DDOs are written to an immutable distributed ledger that is nearly impossible to tamper with.
And starting from those 10, you can use verifiable claims to determine who else you might trust. So you can organically grow your own web of trust built on the trust roots YOU select. And I can organically grow my own web of trust based on the trust roots I select. And so on.
As we build these digital webs-of-trust, more and more of them will intersect, and we will be able to form new trust relationships more easily, which can have all kinds of beneficial effects for commerce, society, governments, etc.
I call this the web of trust network model because even though no two Sovrin identity owners may share the same DID trust roots, we all share the same global identity network—Sovrin. Which means we all have the potential to develop intersecting webs of trust as soon as we have at least one common DID trust root.