# Identities

With a domain or a subdomain in place, an identity for a device or a user can be created.

## Lifecycle

### Registration

In order to register a new identity, a certificate must be created beforehand.

An OpenKeyChain certificate for a device or a user is composed of a private key and a public key, just like a certificate for a domain or a subdomain.

The certificate created must be associated with an identity under a domain or a subdomain. A blockchain registration record represents the association.

The registratino record is stored on blockchain as a colored coin transaction, and it must be signed by the identity's parent domain or subdomain.

### Revocation

In order to revoke an identity created, the domain certificate used to create the identity must be used to create a revocation record on blockchain.

The identity's parent domain or subdomain can revoke the domain on behalf as well.