And this is the corresponding sentence in the documentation:
The first time you run the dfx canister create command to register an identifier, your public/private key pair credentials are used to create a default user identity. The credentials for the default user are migrated from $HOME/.dfinity/identity/creds.pem to $HOME/.config/dfx/identity/default/identity.pem .
I can`t find this file on my machine:
And all further identities are created based on the first default identity?
I don’t think that’s how it works, you can create private keys offline, they don’t need to be verified by a subnet and you can use and idenity dervied from a private key to communicate with different subnets, it’s not tied to a specific one.
The reason you can’t this file is probably that you used the default identity to create a canister, which migrates it to $HOME/.config/dfx/identity/default/identity.pem as stated in the sentence you quoted.
And to my understanding further identites are created independent of the default identity.
I think i misunderstood your question, in this context the signature of a message is being verified before it reaches a canister. Usually you don’t say that a private key is verified, you say that a signature is verified.
Your private key and the subnets public key aren’t in any relationship.
If you want to find out more about the topic there are a couple of nice resources out there.