Currently, one's peer ID is a permanent identity on the network. This is really unfortunate for privacy. We'd like to be able to expose a single ephemeral device ID to the network and then have multiple permanent IDs behind this ephemeral ID.

Assuming we have private, encrypted PeerInfo records (see ipfs/notes#291 (comment)), we can implement this as follows:

1. Every node will have a single ephemeral ID (regenerated daily or, possibly, at boot). All connections go through this peer.
2. Nodes may have zero or more permanent IDs.

To connect to a permanent ID, one:

1. Looks up the permanent ID in the DHT (assuming encrypted peer info records). The peer info record will point to an ephemeral ID.
2. Looks up the ephemeral ID in the DHT to get the location-based multiaddr of the peer. Note, we may short-circuit and include the ephemeral addresses in the permanent peer info record.
3. Connects to the ephemeral peer.
4. Opens a stream to the identity service.
5. Runs a protocol with the identity service first proving the identity it wishes to use and then asking the identity service to prove the identity to which it wants to connect. For efficiency, these identities may be assigned short, stable numbers (could be tricky, may not be worth it).
6. The first node can now open new streams to the permanent identity on the second node by:
7. Connecting to the identity service.
8. Specifying the identity from which it wants to connect (already proven) and the identity to which it wants to connect).
9. Finally, it can negotiate the appropriate service over this connection.