Why Principal ID of nns is different from other places such as dscvr.one?

While we are using the same Internet Identity account to login https://nns.ic0.app/ and other sites like dscvr.one, we find that they have different Principal ID. Can anybody help me clarify the detailed reasons especially from technical point of view? Thanks.

That is by design. It is meant as both a privacy and security feature. For example, if one dApp is somehow compromised, and the user list is leaked, there is no way to link any account with the same user’s accounts on other platforms.

On a technical level, the Internet Identity canister is using canister signatures in order to provide delegations for sessions initiated from multiple devices. Each PrincipalID is derived with a hash function that takes three inputs (key, hostname, salt). That is to say, each PrincipalID is unique to the hostname that requested the authentication.

So if I login to nns.ic0.app, the function would take in (key, nns.ic0.app, salt) and it would output a PrincipalID, and if I then go to dscvr.ic0.app the hash would take in a different hostname, so it would output a different PrincipalID.

edit: to be pedantic with myself, in actuality the hash function would output a public key, and the PrincipalID is described from that public key. (IIUC)

8 Likes