Home » Security by Design, Enforced by Smart Contracts

Security by Design, Enforced by Smart Contracts

April 18, 2025 By admin Off

Knowledge Base

Security by Design, Enforced by Smart Contracts

Every ObjectID is generated by a smart contract, not issued by a central authority.
While the user provides certain inputs, the smart contract autonomously derives key elements and enforces strict rules that guarantee the integrity, authenticity, and immutability of each ObjectID.
This ensures that the informational structure of every ObjectID complies with a secure format defined directly in the code.

Identity Derived from a Seed

The process begins with the generation of a cryptographic seed, created and stored securely by the user.
From this seed, the system deterministically derives:

  • A blockchain address, used for transaction signing
  • A W3C-compliant Decentralized Identifier (DID)

The DID is a URL that points to a DID Document, a dataset containing identity-related information signed by the private key derived from the seed.

This DID Document is generated and stored on the IOTA blockchain through the IOTA Identity smart contract, making it immutable and verifiable.
To establish a verifiable link between the DID and the blockchain address, a special on-chain object called a ControllerCap is issued to the user’s address. This proves that the holder of the address also controls the associated DID.
This step is crucial, as smart contracts cannot natively resolve DIDs but can rely on this on-chain object to verify ownership.

Associating the DID with a Domain

Once the DID is active, the user can add additional metadata to the DID Document.
In the context of ObjectID, a Service Endpoint that links the DID to a specific internet domain (e.g., example.com) is addedd to the DID Document.

The updated DID Document, containing the domain linkage, is then signed and republished. Only the DID controller, who possesses the corresponding private key, can perform this operation.

Creating the Domain-Linked Verifiable Credential

After establishing the connection between the DID and the domain, the ObjectID dApp generates a Verifiable Credential (VC).
This credential is self-signed by the user and declares that the DID is associated with ownership of the specified domain.The resulting file, named did-configuration.json, must be uploaded to the /.well-known/ directory of the domain’s web server.
This placement allows external systems to verify that the domain publicly acknowledges the DID as its controller and vice versa.

Verifying Domain Control

Once the Verifiable Credential is published, the ObjectID dApp contacts the Non-Critical ObjectID Oracle via REST API to initiate a verification process.
The oracle checks the consistency between the DID and the VC available at the domain’s /.well-known/ path.

If successful, the oracle issues a new on-chain object, similar to the ControllerCap, and sends it to the user’s blockchain address. This object confirms that the address owner controls both the DID and the corresponding web domain.

This verified association is what enables the ObjectID smart contract to perform robust security checks at the moment an ObjectID is created. The smart contract ensures that no ObjectID can be generated by a user unless they have provable control over both the identity and the brand domain, preventing impersonation and unauthorized issuance.

Note: we define “npn-critical” the ObjectID Oracle because even in the case a user would objtain a ControlerCap for un uncontrolled internet domain, the validation of the Object that everyone can do autonomously, will fails. In practice, the ObjectID Oracale simply prevent the creation of spam.

Terms & Conditions Privacy - ObjectID is a service provided by SDV Consulting SRLS, VAT: IT 13168650961
We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners. View more
Cookies settings
Accept
Privacy & Cookie policy
Privacy & Cookies policy
Cookies list
Cookie name Active

Comments

When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.

Media

If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

Cookies

If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select "Remember Me", your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

Who we share your data with

If you request a password reset, your IP address will be included in the reset email.

How long we retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

Where your data is sent

Visitor comments may be checked through an automated spam detection service.

Save settings
Cookies settings