Child Identities
Overview
Child identities facilitate the creation of multiple DIDs on Polymesh by enabling existing users to generate new DIDs derived from a parent identity's CDD claim. An unlimited number of child identities can be created and associated with a parent identity.
Common Use Cases
Child identities are useful for various organizational and security needs:
- Smart Contract Isolation: Create a separate identity for a smart contract to protect user funds managed by the contract, ensuring it operates independently of the deployer's identity.
- Enhanced Security Structure: Use child identities as "hot wallets" while retaining the parent identity as a "cold wallet" to secure assets. This structure permits separate identities for hot/cold wallet functions.
- Organizational Hierarchy: Structure an organization through child identities, such as assigning individual identities to different departments or subsidiaries.
Keys linked to a child identity are fully independent of those of the parent identity; the parent cannot directly access assets held by a child identity.
Technical Implementation
Prerequisites
To create child identities, you need:
- A parent identity with a valid CDD claim
- Access to the parent identity's primary key
- New key pair(s) for the child identity/identities
Creation Methods
There are two methods for creating child identities, each with different requirements and processes:
Child Identity Creation from Secondary Key
Using identity::create_child_identity:
- Requires the new child key to already be associated as a secondary key of the parent identity
- Immediately converts the secondary key into the primary key of the new child identity
- No additional authorization step is needed
- Direct and immediate creation process
Child Identity Creation from Unlinked Keys
Using identity::create_child_identities:
- Can create multiple child identities in one transaction
- Each child identity creation requires:
  - The unassigned key to be used as the primary key
  - An off-chain authorization signature from that key
- The authorization signature must be generated by the future child key signing data containing:
  - The target Identity's DID (future parent)
  - The parent identity's off-chain authorization nonce (retrieved via identity::offchain_authorization_nonce)
  - An expiry date for the authorization
This method enables bulk creation of child identities without first linking the keys to the parent identity.
Only the primary key of the parent identity can initiate either creation process.
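The sketch below is an added example, not Polymesh runtime or SDK code. It models how a signature over the parent DID, the nonce and the expiry is rejected when presented to a different parent, after the expiry, or a second time. Ed25519 from Node's crypto module stands in for the chain's signature scheme. The payload byte layout, the single expiry per batch, the nonce increment on success and all names (encodeAuth, signAuth, ParentModel, demo) are assumptions made for illustration.

```javascript
// Simplified model for illustration; not Polymesh runtime or SDK code.
const crypto = require("node:crypto");

// Assumed layout: parent DID (32 bytes) || nonce (u64 LE) || expiry in ms (u64 LE).
function encodeAuth(parentDid, nonce, expiresAt) {
  const tail = Buffer.alloc(16);
  tail.writeBigUInt64LE(BigInt(nonce), 0);
  tail.writeBigUInt64LE(BigInt(expiresAt), 8);
  return Buffer.concat([Buffer.from(parentDid, "hex"), tail]);
}

// Run off-chain by the holder of the future child key.
function signAuth(childPrivateKey, parentDid, nonce, expiresAt) {
  return crypto.sign(null, encodeAuth(parentDid, nonce, expiresAt), childPrivateKey);
}

// Hypothetical verifier state for one parent identity.
class ParentModel {
  constructor(did) { this.did = did; this.nonce = 0; this.children = []; }

  // All-or-nothing: every entry must carry a valid signature over the current values.
  createChildIdentities(entries, expiresAt, now) {
    if (now > expiresAt) return "expired";
    const msg = encodeAuth(this.did, this.nonce, expiresAt);
    for (const { publicKey, signature } of entries) {
      if (!crypto.verify(null, msg, publicKey, signature)) return "bad-signature";
    }
    this.children.push(...entries.map((e) => e.publicKey));
    this.nonce += 1; // the signed nonce is now stale, so the same signatures cannot be reused
    return "ok";
  }
}

// Constructed sample run: wrong parent, expired, first valid use, then a replay.
function demo() {
  const parent = new ParentModel("11".repeat(32)); // constructed DIDs
  const other = new ParentModel("22".repeat(32));
  const keys = [0, 1].map(() => crypto.generateKeyPairSync("ed25519"));
  const expiresAt = 2000, now = 1000;
  const entries = keys.map((k) => ({
    publicKey: k.publicKey,
    signature: signAuth(k.privateKey, parent.did, parent.nonce, expiresAt),
  }));
  return {
    wrongParent: other.createChildIdentities(entries, expiresAt, now),
    expired: parent.createChildIdentities(entries, expiresAt, expiresAt + 1),
    first: parent.createChildIdentities(entries, expiresAt, now),
    replay: parent.createChildIdentities(entries, expiresAt, now),
    nonceAfter: parent.nonce,
  };
}
```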
Capabilities and Limitations
Once established, a child identity:
- Receives a unique DID
- Can hold claims and assets independently
- Inherits the parent's CDD status
- Can receive additional compliance claims directly
- Cannot create its own child identities (no recursive child identities)
Unlinking Child Identities
Child identities can be detached from their parent when needed. This process requires:
- Initiation by either:
  - The parent identity's primary key, or
  - The child identity's primary key
- Calling the identity::unlink_child_identity extrinsic with the child's DID as an argument
After unlinking, the child identity loses its inherited CDD status and must obtain its own CDD claim to continue transacting on the chain.
Learn more about child identities in our SDK documentation.