ioID Specification
This specification provides a comprehensive overview of the ioID system, detailing its methods, workflows, and security considerations for effective deployment in DePIN applications.
On-Device DID Generation
DePIN devices and network nodes can generate a DID and the corresponding DID document by means of SDKs, CLIs or other tools.
ioID Registration and Binding
DePIN device owners and node operators can onboard their devices via the following steps:
Generate/obtain the device's DID and DID document (e.g. use a CLI for nodes, or obtain it via the serial port for embedded devices).
Store the DID document on a selected storage layer (e.g. AWS S3, IPFS, etc.).
Invoke the device registry contract with the device's DID, DID document hash, and URI.
Upon successful onboarding, an ioID NFT representing on-chain ownership of the device is minted in the owner's blockchain wallet.
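Because the DID document lives on an off-chain storage layer while only its hash and URI are registered, anything that resolves a device's DID should check the fetched document against the registered hash before trusting the keys in it. The sketch below is an added example, not code from the ioID project; it assumes the hash is SHA-256 over the exact uploaded bytes, and uses in-memory dictionaries as stand-ins for the storage layer and the on-chain registry, with constructed DIDs and a placeholder URI.

```python
import hashlib
import hmac
import json

def doc_hash(doc_bytes: bytes) -> str:
    # Assumption: the registry stores SHA-256 over the exact bytes uploaded.
    return hashlib.sha256(doc_bytes).hexdigest()

def verify_did_document(did: str, record: dict, fetch) -> list:
    """Return a list of problems; an empty list means the document checks out."""
    if not did.startswith("did:io:"):
        return ["not a did:io identifier"]
    doc_bytes = fetch(record["uri"])
    if doc_bytes is None:
        return ["document not retrievable from registered URI"]
    # The storage layer can change under us; the registered hash is the anchor.
    # Stop here on mismatch so unverified bytes are never parsed or used.
    if not hmac.compare_digest(doc_hash(doc_bytes), record["doc_hash"]):
        return ["document hash does not match registry"]
    try:
        doc = json.loads(doc_bytes)
    except ValueError:
        return ["document is not valid JSON"]
    # A correctly hashed document must also describe the DID it is registered for.
    if doc.get("id") != did:
        return ["document id does not match registered DID"]
    return []

# --- Constructed sample data (placeholders, not real ioID values) ---
DID = "did:io:EXAMPLE-DEVICE-1"
URI = "https://storage.example/did-docs/device-1.json"
GOOD = json.dumps({"id": DID, "verificationMethod": [{"id": DID + "#key-1"}]}).encode()
TAMPERED = GOOD.replace(b"#key-1", b"#key-2")   # document swapped after registration
OTHER = json.dumps({"id": "did:io:EXAMPLE-DEVICE-2"}).encode()

STORAGE = {URI: GOOD}                                      # stand-in for S3/IPFS
REGISTRY = {DID: {"uri": URI, "doc_hash": doc_hash(GOOD)}}  # stand-in for the registry

def check(did, storage=STORAGE, registry=REGISTRY):
    record = registry.get(did)
    if record is None:
        return ["DID not registered"]
    return verify_did_document(did, record, storage.get)

if __name__ == "__main__":
    print("registered document:", check(DID) or "ok")
    print("tampered document:  ", check(DID, storage={URI: TAMPERED}))
```
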
Security Considerations
To mitigate risks such as the registration of fake devices, the system can require device owners to make a small deposit for each DID registration. Additional information, such as manufacturer ID and serial number, can be included in the device registry to help identify and manage fake devices.
Secure Machine-to-Machine Interactions
Once registered on-chain, DePIN entities can authenticate each other and establish secure off-chain communications with other entities in the network using DID-based protocols.
ioID Specification
did:io Method
DIDs in ioID conform to the Generic DID Scheme described in the DID specification. They follow the format did:io:io-specific-idstring, where io-specific-idstring is generated by:
Creating a private/public key pair over the elliptic curve secp256k1.
Converting the public key to an Ethereum address.
Example of an ioID DID:
DID Document for a DePIN Device
A sample DID document:
DePIN Node Onboarding
To onboard a server within a specific layer of a DePIN modular stack (e.g., a sequencer node), a node operator needs to:
Log into the DePIN node using their server credentials.
Generate a DID and DID document (e.g. using a CLI).
Upload the DID document to a storage provider and take note of the URI.
Using the operator's blockchain account, invoke the ioID on-chain registry to perform a Device Registration for the node, with the node DID, DID document hash, and URI.
The ioID device registry is updated with the new information and a "device NFT" is minted to the node operator's blockchain address.
DePIN Device Onboarding
To onboard a device (e.g., a 5G Cellular Antenna) that belongs to a certain DePIN project, a device owner needs to:
Retrieve the device's DID and DID document (e.g. via a USB tool paired with an embedded SDK installed on the device).
Upload the DID document to a storage provider and get the URI.
Register the device with its DID, DID document hash, and URI.
Using the owner's blockchain account, invoke the ioID on-chain registry to perform a Device Registration with the device DID, DID document hash, and URI.
The ioID device registry is updated with the new information and a "device NFT" is minted to the owner's blockchain address.
DePIN Node Discovery
Once DePIN nodes and devices are registered in the ioID device registry, a DePIN device will rely on a bootstrapping node to discover the service endpoint(s) of a DePIN application.
A DePIN device sends a project descriptor (e.g., a project ID) to a bootstrapping node.
The bootstrapping node uses the project descriptor to retrieve the project configuration URL from the project registry on the blockchain.
The bootstrapping node uses the URI to read the project configuration file from the storage.
The bootstrapping node parses the project configuration file to obtain the service endpoint(s) of the DePIN project.
The bootstrapping node returns the service endpoint(s) to the device.
The device stores the service endpoint(s) in its flash.
Such a DePIN node discovery protocol might need to run periodically to handle potential changes in DePIN nodes within the network.
DePIN Machine-to-Machine Communication
With the service endpoint available, a DePIN device can interact with a DePIN node in a secure manner. To this end, a number of DID-based sub-protocols need to be performed.
4.1 Mutual Authentication
A DID-based mutual authentication protocol enables secure communication between devices and nodes.
4.2 VC Issuance
Optionally, DePIN devices receive a VC from an issuer to exchange for a W3bstream access token.
4.3 VC Presentation
Optionally, devices present the VC to obtain an access token.
4.4 Data Upload
Devices upload data to a node via a DID-based encrypted channel.