updates delayed in 30 days to prevent takeover

contracts/deploy/DelayedUpdatableInstance.sol

@@ -0,0 +1,63 @@
+pragma solidity ^0.4.17;
+
+import "./DelayedUpdatableInstanceStorage.sol";
+import "./DelegatedCall.sol";
+
+/**
+ * @title DelayedUpdatableInstance
+ * @author Ricardo Guilherme Schmidt (Status Research & Development GmbH) 
+ * @dev Contract that can be updated by a call from itself.
+ */
+contract DelayedUpdatableInstance is DelayedUpdatableInstanceStorage, DelegatedCall {
+
+    event UpdateRequested(address newKernel, uint256 activation);
+    event UpdateCancelled();
+    event UpdateConfirmed(address oldKernel, address newKernel);
+
+    function DelayedUpdatableInstance(address _kernel) public {
+        kernel = _kernel;
+    }
+
+    /**
+     * @dev delegatecall everything (but declared functions) to `_target()`
+     * @notice Verify `kernel()` code to predict behavior
+     */
+    function () external delegated {
+        //all goes to kernel
+    }
+
+    /**
+     * @dev returns kernel if kernel that is configured
+     * @return kernel address
+     */
+    function targetDelegatedCall()
+        internal
+        constant
+        returns(address)
+    {
+        return kernel;
+    }
+    
+    function updateRequestUpdatableInstance(address _kernel) external {
+        require(msg.sender == address(this));
+        uint activation = block.timestamp + 30 days;
+        update = Update(_kernel, activation);
+        UpdateRequested(_kernel, activation);
+    }
+
+    function updateConfirmUpdatableInstance(address _kernel) external {
+        require(msg.sender == address(this));
+        Update memory pending = update;
+        require(pending.kernel == _kernel);
+        require(pending.activation < block.timestamp);
+        kernel = pending.kernel;
+        delete update;
+        UpdateConfirmed(kernel, pending.kernel);
+    }
+
+    function updateCancelUpdatableInstance() external {
+        require(msg.sender == address(this));
+        delete update;
+    }
+
+}

contracts/deploy/DelayedUpdatableInstanceStorage.sol

@@ -0,0 +1,21 @@
+pragma solidity ^0.4.17;
+
+import "./InstanceStorage.sol";
+
+/**
+ * @title InstanceStorage
+ * @author Ricardo Guilherme Schmidt (Status Research & Development GmbH) 
+ * @dev Defines kernel vars that Kernel contract share with Instance.
+ *      Important to avoid overwriting wrong storage pointers is that 
+ *      InstanceStorage should be always the first contract at heritance.
+ */
+contract DelayedUpdatableInstanceStorage is InstanceStorage {    
+    // protected zone start (InstanceStorage vars)
+    Update update;
+    
+    struct Update {
+        address kernel;
+        uint256 activation;
+    }
+    // protected zone end
+}

contracts/identity/IdentityFactory.sol

@@ -1,7 +1,7 @@
 pragma solidity ^0.4.17;
 
 import "../deploy/Factory.sol";
-import "../deploy/UpdatableInstance.sol";
+import "../deploy/DelayedUpdatableInstance.sol";
 import "./IdentityKernel.sol";
 
 
@@ -24,7 +24,7 @@ contract IdentityFactory is Factory {
     function createIdentity(address _idOwner) 
         public 
     {
-        IdentityKernel instance = IdentityKernel(new UpdatableInstance(address(latestKernel)));
+        IdentityKernel instance = IdentityKernel(new DelayedUpdatableInstance(address(latestKernel)));
         instance.initIdentity(_idOwner);
         IdentityCreated(address(instance));
     }

contracts/identity/IdentityKernel.sol

@@ -1,9 +1,9 @@
 pragma solidity ^0.4.17;
 
-import "../deploy/InstanceStorage.sol";
+import "../deploy/DelayedUpdatableInstanceStorage.sol";
 import "./Identity.sol";
 
-contract IdentityKernel is InstanceStorage, Identity {
+contract IdentityKernel is DelayedUpdatableInstanceStorage, Identity {
 
     function initIdentity(address _caller) external {
         _constructIdentity(_caller);