The OMI spec is under heavy development, and every piece of it is subject to change. We are documenting the core primitives for sovereign application lifecycles. Join us in defining the v1.0 draft.

Identity Recovery & Guardian Keys

Objective

Reclaim control of an AppID and rotate its Master Public Key when the original Master Private Key has been lost, stolen, or otherwise compromised. Because the Master Key itself can no longer be trusted in this situation, the recovery is authorized by a separate Guardian Key rather than by the Master Key.

Prerequisites

The Protocol Workflow

  1. New Key Generation: The developer generates a fresh Master Key-Pair. The old pair is considered “dead” and is never used again.
  2. The Recovery Request: The developer sends a signed Recovery Request to the App Registry. Unlike every other request in the protocol, it is NOT signed by the Master Key but by a Guardian Private Key. The signature is computed over the whole data object, so the timestamp, nonce and context are bound to the new key and a captured request cannot be replayed or altered.
    provisional payload
    {
      "version": "1.0",
      "data": {
        "new_master_public_key": "PUB_KEY_NEW_MASTER_XYZ123...",
        "timestamp": 1705412600,
        "nonce": "k3m9j2p1",
        "context": "identity_recovery" 
      },
      "signature": "c7d8e9f0a1b2..." 
    }
  3. Guardian Verification: The App Registry retrieves the Guardian Public Key(s) associated with the AppID namespace from its immutable genesis record. The verification key always comes from that record, never from a field of the request.
  4. Master Key Overwrite: If the signature verifies against a registered Guardian Key, the timestamp is fresh, and the nonce has not been seen before, the Registry overwrites the old Master Public Key with the new_master_public_key. A request signed with the old Master Key fails this check, so whoever stole that key cannot use the recovery path to install a key of their own.
  5. Session Invalidation: The Registry immediately invalidates all active administrative sessions and issues a “Security Alert” to the Auth Provider and all bound Domain Services.
    provisional payload
    {
      "version": "1.0",
      "header": {
        "origin": "omiappreg.org",
        "type": "BROADCAST",
        "target_app_id": "org.omiappreg.alice.business_app.7f8a9d"
      },
      "data": {
        "event_type": "MASTER_IDENTITY_RECOVERY",
        "severity": "CRITICAL",
        "timestamp": 1705412610,
        "nonce": "ALERT-RED-9921",
        "security_context": {
          "reason": "Guardian Key Override",
          "action_required": "IMMEDIATE_REVOCATION",
          "scope": "ADMINISTRATIVE_SESSIONS"
        },
        "trust_update": {
          "revoked_master_key": "PUB_KEY_OLD_MASTER_ABC...",
          "new_master_public_key": "PUB_KEY_NEW_MASTER_XYZ123..."
        }
      },
      "registry_signature": "REGISTRY_ROOT_SIG_7d8e9..."
    }

Security Policy: Multi-Sig Recovery (M-of-N)

For high-value namespaces, the App Registry may enforce a Multi-Signature policy. In this scenario, the signature field contains an array of signatures, and the request is accepted only when at least M of the N registered Guardian Keys (e.g., 2 out of 3) have signed the same data object. Each registered key counts once, however many signatures it contributes, and a request with fewer than M valid guardian signatures is rejected outright.

Storage Best Practice: Guardian Keys should never be stored on the same device as the Master Private Key. They are intended to be kept in “Cold Storage” (e.g., hardware wallets, encrypted paper backups, or a physical safe).