Skip to main content
info
IOTA Identity for Rebased is currently in alpha and may still be subject to significant changes

Identity Object

An Identity Object is a shared Move object that stores a single DID Document on the network, allowing both on-chain and off-chain actors to interact with it.

The Identity Object's unique ID is used to derive the actual DID of the DID Document it contains.

Identity's Access Control

An Identity is a shared object and is thus accessible by anyone. For this reason, it is of paramount importance to limit the use of an Identity's APIs - especially its mutable ones - to only the intended actors.

Controllers and ControllerCap

The DID specification defines DID controller as the entity allowed to make changes to a DID document. Since an Identity may be viewed as a simple wrapper over a DID Document, we extend the definition of DID controller to be: the entity allowed to make changes to an Identity.

In order to allow a broader range of actors to act as an Identity's controller - e.g. an Identity controlling another Identity - a controller is identified through its controller capability ControllerCap. A ControllerCap is a Move object that acts as a blind token, allowing anyone who presents it to the corresponding Identity to access the Identity's APIs that are only invocable by its controllers.

Voting power and threshold

When an Identity has more than a single controller, an access control (AC) policy for the Identity must be established. Such a policy is represented by an unsigned integer threshold that is established upon the Identity's creation. Together with the Identity's threshold, each controller is assigned with a voting power, i.e. an unsigned integer that acts as a sort of weight in the evaluation of an AC control policy.

Proposals

Whenever a controller wants to make a change to its Identity, a proposal encapsulating that change is created instead of carrying out the update right away. In order to execute the changes contained in a Proposal enough controllers need to approve it. The exact number of approvals depends on the controllers' voting powers as well as the Identity's threshold. Proposals keep track of the approvals they receive by internally storing the sum of all approving controllers' voting powers in a field called votes. A Proposal can only be executed after votes exceeds Identity's threshold.