Identity
controller
The DID document field declaring who has authority to update the DID — the legal and operational owner of the identifier.
A DID document's controller field identifies the DID (or DIDs) authorized to make changes — add verificationMethods, rotate keys, update service endpoints. The controller is the DID's "admin."
For self-sovereign identities, the subject and controller are the same. For delegated identities (a parent controls a child's DID; a company controls an employee's work-credential DID), they differ. The separation is what makes DID documents capable of representing organizational identity hierarchies.
LearnCoin's did:web:learncoin.me declares itself as its own controller — the DID is self-controlled. Each per-tenant verificationMethod lists did:web:learncoin.me as the controller field, meaning LearnCoin (not the tenant) has authority to rotate the signing key. That's deliberate: the key lives in LearnCoin's GCP KMS, so LearnCoin is the entity that can operationally rotate it.