Kusama Identity Registrar #1 - Why and How?

In a previous article, I submitted a motion to the Kusama Council proposing the registration of a new registrar on Kusama: Registrar #1.

Unlike the name suggests, this is not the first registrar on Kusama. It brings a second registrar on the chain as we can see by querying the chain state of the identity module:



If you only want to jump to practical todos ignore the explanations, you may directly go to Certification process.

2. What do Registrars do?

First of of, let’s be clear that we are talking about an Identity Registrar. Its goal is to verify and certify identities.

If you got acquainted with other Blockchains, you may start asking questions:

  • Can I remain anonymous ?

  • Is setting an identity mandatory as on all permissioned Blockchains ?

Currently, accounts created on Kusama are pseudo-anonymous. You do NOT need to provide any personal data in order to create an account. This is similar to creating accounts on chains such as Bitcoin or Ethereum.

Does Polkadot guaranties anonymity then?

Absolutely not.

After creating an account and storing its private key carefully, you obtain its address. It looks like Da3zQ7rLbxBazirv5NzK1WAv1VCbL68VGBq1Dv1k7fXC29f for Kusama.

it is also represented by a uniquely generated identity-icon (identicon):

Figure 1. Identity Icon for Da3zQ7rLbxBazirv5NzK1WAv1VCbL68VGBq1Dv1k7fXC29f

At this point, this account is totally anonymous but as soon as a transaction (you will often hear the term extrinsic on Polkadot) is sent to or from this account, you may start being able to trace up to other accounts. It is not uncommon for users to transfer funds back and worth between their own accounts.

Kusama and Polkadot do not offer anonymous transactions such as a chain like ZCash does. It does not support Zero Knowledge for its core chain but we will likely see bridges to chains like ZCash coming in the future.

Why would you give up this pseudo-anonymity?

Polkadot and Kusama offers a novelty feature: on-chain governance. In a nutshell it means that anyone can, on-chain, influence how the chain will behave. You heard it right, any user can propose to change how the chain works. This could be done for instance by proposing to swap the current runtime with a new version adding/removing/changing features.

Considering this, would you trust our previously created pseudo-anonymous account for such critical modification? Likely not. It may help however, if you could link this account to a real person with a known proven history.

This is what the identity module offers: Users who decide it may attach personal information to their account. Doing so, the account will show up slightly differently in the Polkadot UI:

Figure 2. The W3F-26 account
Figure 3. W3F-26 information

The owner of the account DAT4gSgyMskggCmTQKfEM6hQgRy1NWdhtfMTAuPLsUAGUPy decided to attach some information to the account.

How much can we trust this information?

Seeing the information above does not have much value since any user, related or not to the Web3 foundation, could set a similar identity.

We need a way for this information to be checked, verified and store the result on-chain. This is precisely the mission of the identity registrars.

3. What are the registrar rules?

"It depends!" is likely the most appropriate answer. Each registrar can decide when and what to validate.

In the next chapter, I will describe that the rules of Registrar #1 are and how they are enforced.

4. Registrar levels

The following list may change in the future but here is the current states an account can take:

  • Unknown

  • FeePaid

  • Reasonable

  • KnownGood

  • OutOfDate

  • LowQuality

  • Erroneous

5. Registrar #1 rules

Kusama is an experimental network allowing to build. This is why the rules below may change in the future.

Here are the rules of Registrar #1: - It delivers online only the "Reasonable" level - The "KnownGood" level could be granted for any person I would meet and who could prove his/her legal name with at least 2 legal documents - While display and legal names will loosely checked for sanity and match, no further check will be performed. An account with a display name obviously not matching the legal name may be rejected - Only accounts with at least one communication channel (email, riot, twitter, etc..) will be considered - All the communication channels are verified independently using challenges. The Reasonable level is only granted to account passing all challenges. More on that below.

6. Challenges

The main purpose of the challenges is to ensure that the owner of a given account also is in control of the communication channel. This help validating that the identity contains no typo, but also that those channels are active and valid.

Each communication channel is verified independently and receives its own challenge.

Here is a challenge sample:

  "account": "DbF59HrqrrPh9L2Fi4EBd7gn4xFUSXmrE6zyMzf3pETXLvg",
  "challengeRiot": "OJQNLRPFEUQBTCEL",
  "display": "Chevdor",
  "web": "https://www.chevdor.com",
  "riot": "@chevdor:matrix.org",
  "email": "chevdor@gmail.com"

7. Certification process

Here is the current certification process for Registrar #1.

7.1. User sets on-chain Identity

While you could call an extrinsic directly, the Polkadot UI makes it much easier.

Users can only set on-chain identity for their own accounts, it comes with no surprise that the UI offers a button under the "Accounts" section:

Figure 4. Calling setIdentity

Click on the "Set onc-chain Identity" button bring the following dialog:

Figure 5. setIdentity
It is important to have in mind that any registrar certification will be voided is the on-chain identity is modified after being certified by a Registrar. So it is advisable to double-check that everything is correct.

Setting the identity on-chain currently requires a deposit set to 10 KSM. Those funds do no go anywhere, they remain yours but are locked in your account as long as the identity is set.

7.2. User request judgement

The next step is to request one of the registrar to perform the verification and provide a judgement.

As of now, the Registrar #1 never provided online any other judgement than 'Reasonable' and works with the users to ensure this level can be reached.

Requesting a judgement can be done from the Extrinsics section of the UI:

Figure 6. setIdentity

Here you need to pay attention to a few points:

  • make sure to request FROM the account you want to verify

  • make sure to select the registrar (reg_index) that should be verifying your information

  • finally make sure to provide the correct fee (max_fee) matching the required fee of the selected registrar

The verification status will change to "Judgement: requested".

Currently, the registrar verification process is being automatized but remains manual until this is operational. Stay tuned!

This is time to contact the registrar operator. For Registrar #1, you may send a private message to on Riot.

7.3. Interactive verification

When contacting @chevdor:matrix.org, you do not need to provide much: your account’s address is enough. After all, all the data is on-chain already.

After checking whether the currently set identity satisfies the verification criteria for Registrar #1, @chevdor:matrix.org will generate different challenges to each channel defined in the identity.

The challenges looks very similar but they are NOT the same.

Once you receive the challenge, you will need to compute the signature of this message using the Polkadot UI.

You can easily do that from the UI at: https://polkadot.js.org/apps/#/toolbox/sign

Figure 7. Unlock account to sign
Make sure to unlock the right account!

For each channel, copy the challenge into the "sign the following data" field and click on the "Sign Message" button as shown below:

Figure 8. Sign one of the challenges

This process will be done for each channel and you need to send back the signature that you got using each channel. You MUST provide the signature of the email challenge using your email, you MUST provide the signature of the twitter challenge using twitter, etc…​

To allow Registrar #1 to contact you, you will have to follow @chevdor during the certification process.

On the registrar side, your signatures will be checked. Usually, the registrar informs you over Riot about the result of each test.

You can perform such a check yourself.

The signature of:

  "account": "DbF59HrqrrPh9L2Fi4EBd7gn4xFUSXmrE6zyMzf3pETXLvg",
  "challengeRiot": "OJQNLRPFEUQBTCEL",
  "display": "Chevdor",
  "web": "https://www.chevdor.com",
  "riot": "@chevdor:matrix.org",
  "email": "chevdor@gmail.com"

Using account DbF59HrqrrPh9L2Fi4EBd7gn4xFUSXmrE6zyMzf3pETXLvg gives:


Checking using the Polkadot UI will look like as shown below:

Figure 9. Sign one of the challenges

7.4. Registrar fee

It is important to notice that no KSM are send to the registrar at anytime. You should NOT send or transfer funds. When calling the requestJudgement, the registrar fee will be locked and put aside. it will be transferred to the registrar only once it finished its job. After all, we are using a trustless system.

7.5. Certification

You have nothing to do for the actual certification process. It is usually a matter of seconds until the extrinsic is submitted to the network by the registrar.

As soon as this extrinsic reaches the network, your account will be decorated with the green check-mark allowing to recognize account that have been verified.

Figure 10. Verified account
Remember that, from now on, calling setIdentity and changing any information there will void your current certifications and you will need to start over from the User request judgement section.

Wilfried Kopp aka. Chevdor
Building Blockchains & Decentralized Solutions

I build decentralized solutions and tooling to support them. I am developing Smart Contracts and dApps on Ethereum and developing tooling for Substrate (Polkadot & Kusama). I love Rust! I am using Docker extensively and above all I like efficiency. GPG Fingerprint 15AF C574 D3F9 F1C3 CCDD E31E 2DCE C4DC 506E 6475.