How to handle re-used identities


Now that there’s Blockstack Auth, there’s the possibility for services (i.e. this forum) to use Blockstack IDs as identifier. When taking non-serverless (legacy) services and linking Blockstack IDs to that, you have user data (i.e. private messages) that’s still under control of that service but linked to a Blockstack ID. But Blockstack IDs can expire and another user can pick it up (which could get even a bigger problem with crawlers etc).
Therefore the question raises what should happen with the linked data and I’d like to kick off a discussion about this.

  • What happens with user data when someone picks up my ID after I forgot to renew it (or when I intentionally don’t renew it)?
  • Should services delete my data when I revoke my ID?
  • Do I lose my all my account data when I forget to renew my ID?
  • Is it the duty of the service that uses Blockstack Auth to handle this accordingly?


The way Blockstack Auth currently works, is that it provides the calling application with a unique decentralized identifier. (DID) This identifier is a bitcoin address.

It can optionally provide a verified Blockstack ID.

One way to solve this problems is to have a unique identifier tied to the lifecycle of a name. The identifier is created when the name is registered and follows the name through transfers to different addresses until it is revoked or perhaps transferred with a special command that indicates it is changing ownership.

@ryan and I came up with one possible way to handle this.

I’d love to hear your thoughts @vsund