Internet Identity - how principal is same across different devices/how extract private key?

Hey, I have two questions about internet identity:

  1. How can single principal be shared across multiple devices?
    I’ve read that you can use multiple devices to login and use the same principal. According to*XiLv6n_fzyMeWRekneC1lA.png user send his public key and sign it with its private key. Every devices generates its own private/public key and as far as I know the public keys get signed with one of the previous certified devices and this signed public keys are stored in internet identity. But still according*XiLv6n_fzyMeWRekneC1lA.png the request only contains single public key, not multiple. The principal is hash of the public key and if the request can contain just one public key then the principal must be different on each device? Or can the request contain multiple public keys (delegations)?

  2. Is it possible to extract the private key?
    The NNS -App utilze internet identity, is it possible to extract the privat key to a .pem file (maybe from the recovery seed-phrase) and use this extracted private key in tools like dfx to make valid calls to the nns-canister? In general can one register with internet identity and later extract the private key to some cold-storage device and make calls to a canister with this extracted private key?


1 Like

Great question! For part 1, here’s a summary from @roman-kashitsyn

II works by adding a level of indirection. It implements a new signature scheme based on certified variables: the signature means “I, II canister, had this piece of data on behalf of this principal in my memory and certified it”. We tweaked the replica to verify and accept such signatures.
Now the indirection bit: II allows you to add a dynamic list of keys to your identity and if you give it a piece of data signed with one of your dynamic keys, it can temporarily issue its own signature for the same data (prepare delegation) which you then need to query (get delegation). The stable principal is obtained from the data known to the canister and the name of the frontend, not from your dynamic keys. Hope that makes sense.

For part 2, no. There’s no way to extract a private key from the Internet Identity for cold storage with the existing functionality


Ok, thanks.

To second question:
quill can be used to manage neurons and quill need a private key in .pem format. As far as I know neuron management happens on the governance-canister where you need to use internet identity to register (NNS-App). If I can’t extract the private key, then how can I use quill? And is it possible in a single canister to utilize internet idenity as registration or just make calls using own generated private/public key simultaneously (here my question is: if a canister integrates internet idenity, can then own generated keys in .pem (without internet identity) format be used to make calls or is internet identity the only way to make calls to this canister)?

Internet Identity is a requirement of the current implementation of the NNS dapp, not of the governance canister. Quill can use its own identity generated from your local .pem file or a number of other ed25519-encoded strategies to call the canister