When a client instance is started for the very first time, a number of things have to be set up first to allow creating an EDV at a provider:
A master key has to be set up. For human-facing clients, this key is derived from a master passphrase. This symmetric master key will be used to encrypt all data-at-rest of the client instance.
A session is created. This session is initialized with a new Ed25519-based EdDSA public-private key pair for requests to services and EDVs, and for authorization with ZCaps.
This key is used to create the session DID - also known as "controller DID".
The controller DID is used to request a new EDV at a chosen provider. The request contains data about the client, most importantly the did:key.
The key receives the initial capability delegation from the root of trust. Several attributes are generated for the EDV (e.g. IDs), and a did:key is set up for the EDV.