Identifiers
Identifiers form the base of your identity and are similar to Cardano addresses. They are controlled by asymmetric key pairs which may or may not be updatable.
A user might have a number of public identifiers which represent different personas of that person’s digital identity. Public identifiers will build up reputation over time and may hold a number of credentials. They may even be involved in issuing credentials! As such, it’s quite important to be able to rotate keys and recover from any key compromise or exposure.
In addition, you may use a number of ephemeral identifiers to help protect your privacy from bystanders.
We use the Key Event Receipt Infrastructure (KERI) standard for managing identifiers and keys. Developers should refer to our protocol guides for more information.
Identifier types
The first tab of the wallet holds and tracks your public identifiers. Here you can create, rotate and delete identifiers.
When creating an identifier you may select Individual or Group. Individual identifiers represent you as a person, whereas group identifiers are designed to represent an entity.
For now, individual identifiers are single-signature identifiers which means there is one key pair to sign attestations, and one key pair to rotate keys. We hope to expand this in the future to support multi-device recovery and social recovery.
Group identifiers are of course already multi-signature. Each member of the group controls one of the signing keys and one of the rotation keys. A threshold can be set to decide how many members of a group are required to sign or rotate.
Multi-signature identifiers in theory can be customized much further. Each member’s signature can be weighted, and the threshold and weights can be different for signing and rotation. In fact, you could even have different sets of members who can sign and who can rotate.
For now, we’re starting out simple to not overcomplicate the user experience!
Rotating keys
In general it’s a good practice to rotate keys over time. The more data you sign with a key, the more exposed it gets, either through its environment or cryptanalysis.
In the case of a group identifier, rotating also allows you to change which members are in the group — however, this is a work in progress and not supported yet! In the future, rotation will also enable individual identifiers to be recovered with multi-device and social recovery.
The ultimate goal is to keep your identifiers for life. That way you can always prove who you are, and your reputation can be built up and end up carrying a lot of weight. This is why we are so keen on being ready for any potential key compromise or device loss.
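The two ideas above, a signing key pair paired with a separately held rotation key pair, and a weighted threshold for group identifiers, are easiest to see in code. The script below is an added illustration written for this page; it is not the wallet’s code and not an implementation of the KERI protocol. Lamport one-time signatures stand in for real signing keys so it runs with only the Python standard library (real KERI identifiers use Ed25519 or similar keys and a richer event format), and every class and function name in it (`Identifier`, `current_key`, `forged_rotation`, `group_verify`) is invented for the example. It shows why rotation keys are held back as a digest: someone who copies the current signing key can forge attestations until the next rotation, but cannot produce a rotation event that verifiers accept, so the legitimate owner can rotate past the compromise.

```python
"""Toy key-event log with pre-rotation and a weighted signing threshold.
Added example, not the wallet's or KERI's own code; names are invented."""
import hashlib
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- Lamport one-time signatures: a stdlib stand-in for real signing keys ---
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def pk_bytes(pk) -> bytes:
    return b"".join(a + b for a, b in pk)


def parse_pk(raw: bytes):
    return [(raw[i:i + 32], raw[i + 32:i + 64]) for i in range(0, 256 * 64, 64)]


def bit(digest: bytes, i: int) -> int:
    return (digest[i // 8] >> (7 - i % 8)) & 1


def sign(sk, msg: bytes):
    d = H(msg)
    return [sk[i][bit(d, i)] for i in range(256)]


def verify(pk, msg: bytes, sig) -> bool:
    d = H(msg)
    return len(sig) == 256 and all(H(sig[i]) == pk[i][bit(d, i)] for i in range(256))


# --- single-signature identifier: one signing pair, one pre-committed next pair ---
class Identifier:
    def __init__(self):
        self.sign_sk, self.sign_pk = keygen()   # signs attestations
        self.next_sk, self.next_pk = keygen()   # held back; only its digest is published
        self.log = [{"type": "icp", "pk": pk_bytes(self.sign_pk),
                     "next": H(pk_bytes(self.next_pk))}]
        self.prefix = H(self.log[0]["pk"])      # the identifier itself

    def attest(self, msg: bytes):
        return sign(self.sign_sk, msg)

    def rotate(self):
        """Reveal the committed key, commit to a fresh one, sign with the revealed key.
        (The toy reuses the Lamport key for later attestations; a real scheme would not.)"""
        fresh_sk, fresh_pk = keygen()
        ev = {"type": "rot", "pk": pk_bytes(self.next_pk), "next": H(pk_bytes(fresh_pk))}
        ev["sig"] = sign(self.next_sk, ev["pk"] + ev["next"])
        self.log.append(ev)
        self.sign_sk, self.sign_pk = self.next_sk, self.next_pk
        self.next_sk, self.next_pk = fresh_sk, fresh_pk


def current_key(log):
    """Replay a log as a verifier would: each rotation must reveal exactly the key
    committed by the previous event and be signed by it. Returns the current
    signing public key bytes, or None if the log is invalid."""
    current, committed = log[0]["pk"], log[0]["next"]
    for ev in log[1:]:
        if ev["type"] != "rot" or H(ev["pk"]) != committed:
            return None
        if not verify(parse_pk(ev["pk"]), ev["pk"] + ev["next"], ev["sig"]):
            return None
        current, committed = ev["pk"], ev["next"]
    return current


def forged_rotation(log):
    """Constructed bad input: a rotation event pointing at keys the owner does not
    hold. Whatever key signs it, the revealed key cannot match the published digest."""
    thief_sk, thief_pk = keygen()
    ev = {"type": "rot", "pk": pk_bytes(thief_pk), "next": H(b"thief-next")}
    ev["sig"] = sign(thief_sk, ev["pk"] + ev["next"])
    return log + [ev]


# --- group identifier: weighted threshold over member signatures ---
def group_verify(member_pks, weights, threshold, msg: bytes, sigs) -> bool:
    """Sum the weights of members whose signature verifies (None = did not sign).
    Separate signing and rotation thresholds are just two different threshold values."""
    total = sum(w for pk, w, s in zip(member_pks, weights, sigs)
                if s is not None and verify(pk, msg, s))
    return total >= threshold


def demo():
    alice = Identifier()
    alice.rotate()
    legit = current_key(alice.log) == pk_bytes(alice.sign_pk)
    forged = current_key(forged_rotation(alice.log)) is None
    members = [keygen() for _ in range(3)]            # constructed 3-member group
    pks = [pk for _, pk in members]
    msg = b"group attestation"
    sigs = [sign(members[0][0], msg), None, sign(members[2][0], msg)]
    signing_ok = group_verify(pks, [1, 1, 1], 2, msg, sigs)     # 2-of-3 signing threshold
    rotation_ok = group_verify(pks, [1, 1, 1], 3, msg, sigs)    # 3-of-3 rotation threshold
    return legit, forged, signing_ok, rotation_ok


if __name__ == "__main__":
    print(demo())  # (True, True, True, False)
```

Running the script replays a legitimate inception-plus-rotation log, rejects a forged rotation, and evaluates the same two-of-three set of member signatures against a lower signing threshold and a higher rotation threshold. The digest commitment in each event is the whole point: a verifier never needs to trust the wallet, only to check that what is revealed matches what was promised.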
Delegated identifiers
Single or multi-signature identifiers may also be delegated. Delegation in KERI is known as co-operative delegation and can be used in enterprise for top-down hierarchical identifier recovery. It also has other scalability benefits; for those who are interested in the various types of benefits, please check out this section of our developer docs.
There are some advanced features of recovery that are enabled by delegated identifiers, but we think it would be a little too much for this documentation. Delegated identifiers aren’t supported in the wallet yet but are indeed planned!