KERI-based Authentication and Authorization Browser Extension by BLOCKTRUST

[GENERAL] Name and surname of main applicant

Ed Eykholt

[GENERAL] Are you delivering this project as an individual or as an entity (whether formally incorporated or not)

Entity (Not Incorporated)

[GENERAL] Please specify how many months you expect your project to last (from 2-12 months)

10

[GENERAL] Please indicate if your proposal has been auto-translated into English from another language.

No

[GENERAL] Summarize your solution to the problem (200-character limit including spaces)

A browser extension will leverage the KERI stack to allow users to create and manage DIDs, private keys, then authenticate (sign in) and authroize (via credentials) with compatible web sites.

[GENERAL] Does your project have any dependencies on other organizations, technical or otherwise?

Yes

[GENERAL] If YES, please describe what the dependency is and why you believe it is essential for your project’s delivery. If NO, please write “No dependencies.”

The KERI protocol stack and some implementation libraries are under development under the Trust Over IP (ToIP) Foundation. These libraries implement critical functions such as key rotation, key log creation, and credential verification. We believe these are currently ready enough to build an initial concept implementation of the Authentication and Authorization Extension.

[GENERAL] Will your project’s output/s be fully open source?

Yes

[GENERAL] Please provide here more information on the open source status of your project outputs

Apache 2.0 license and GitHub

[METADATA] SDG rating

n/a

[SOLUTION] Please describe your proposed solution.

Problems:

Since the Internet Protocol doesn't provide an authentic identity layer, various authentication mechanisms have been built, including password-based, authenticators (using shared secrets), federated identity via 3rd parties (OAuth), and passkeys (FIDO, U2F, and WebAuthN). However, none of these place the user in exclusive control of their own private keys for cryptographic signing, with a persistent identifier, recovery from a lost key, key pre-rotation, and multi/threshold signatures. Further, for authentication, the certificates required today often security flaws based on DNS or Certificate Authority system and process design.

Solution:

The BLOCKTRUST Authentication and Authorization Browser Extension will be a Chromium browser extension that leverages libraries and an agent from KERI projects (Signify-ts and KERIA). The extension itself will be built in C# Blazor WASM.

Identity and Credential Technology:

The KERI (Key Event Receipt Infrastructure) stack, which includes standards for credentials (ACDC) and encoding (CSER), is a set of emerging standards that address the above problems and is being incubated in the Trust Over IP Foundation, with the intention to standardize these via the IETF. We believe KERI will emerge as a very strong contender to existing identification, authentication, and authorization/credential solutions.

KERI has the promise of delivering identifiers (DIDs) and credentials that can be used in many settings, including traditional corporate settings and multiple blockchains, including Cardano.

Already, several of the KERI stack protocols have been implemented and available open-source.

The Global Legal Entity Identity Foundation (GLEIF) and their partners can provide a cryptographically and legally strong "root of trust".

Features:

The BLOCKTRUST Authentication and Authorization Browser Extension will include the following features:

• Configure to use a KERI agent
• Designate witnesses for key events
• Create identifiers and key-pairs
• Encrypted storage
• Receive Key Event Receipts from witnesses
• Import and view credentials using ACDCs (Authentic Chained Data Containers)
• Authenticate with website using cryptographic signing
• Authorize with website using credential (ACDC)
• Sample website
• Install in Developer Mode in Chromium-based browser

Stretch Goals:

• One or both of:
• Header-based integration
• authenticate with website via header-based (IEEE standard) including identifier
• authorize with website via header-based leveraging ACDC credential
• JavaScript API integration
• authenticate with website including identifier
• authorize with website leveraging ACDC credential
• Rotate keys for single signer

Engagement:

We'll engage with use cases, including existing Cardano projects who want to be regulatory compliant leveraging on-chain DIDs and Credentials, especially for legal entities and their authorized representatives. We'll engage in projects that want self-certifying identifiers leveraging a root-of-trust provided by GLEIF's Verifiable Legal Entity Identifier (vLEI) processes and technology. We'll engage with projects who want to establish their own root-of-trust, potentially related to roles in Cardano Governance.

Demonstrable Impact:

In addition to sharing engagement with other projects, we'll provide regular recorded demonstrations, and continue to build our Discord community. Ideally, we'll release an installable product via the Chrome Web Store.

[IMPACT] Please define the positive impact your project will have on the wider Cardano community.

By bringing in KERI-based solutions into the Cardano ecosystem, this helps bridge trust gaps between global legal entity organizational identifiers, identifiers that can be used on other corporate systems and blockchains including Cardano and Midnight. The logs generated from key events and nested credentials (ACDC) can be written to the Cardano blockchain (as proposed in F11 project by Roots ID, for example) and then consumed and validated by Plutus contracts! Together, these open up cross-chain innovations that will spur greater adoption of Cardano, and even migration to Cardano from other registries and ledgers.

These solutions will help establish trust between parties transacting on Cardano and beyond.

These features can enable new use cases mentioned in the challenge, including:

• Authenticated ownership and provenance. With a legal basis for a root of trust, transaction signers can be more trusted. With a graph of credentials as supported by ACDC, provenance can be proven.
• Digital Identity. KERI is all about authentic digital identity, with keys created and controlled "at the edge" versus in hosted platforms.
• Internet of Things. An identity owner/controller can be an IoT device and interact with other legal entities.
• Supply Chain and Logistics. Once parties are well-known and authenticated, commercial transactions and audit trails can be created as credentials and other data signed by authenticated controllers.
• Bridge to other ecosystems, especially those of legal entities.

Additionally, in the future once authentic identities and credentials can be evaluated and used by Plutus contracts, a more decentralized governance system can be imagined and built for Cardano.

[CAPABILITY & FEASIBILITY] What is your capability to deliver your project with high levels of trust and accountability? How do you intend to validate if your approach is feasible?

We have the capability, history, determination, and bandwidth to deliver.

Blocktrust delivered its Catalyst Fund 9 Identity Wallet, a project that successfully completed in November 2023, and the product of which is now available on the Chrome Web Store. Some of the extension technology is the same. This experience provides voters reassurance of our trustworthiness and accountability.

Given this experience and the demonstrable progress around the open-source KERI stack's specifications and implementations, we already have high confidence in our capability to deliver.

[Project Milestones] What are the key milestones you need to achieve in order to complete your project successfully?

Goals:

• Identify all key risks and mitigate the most impactful ones.

Outputs:

• Risk list
• Inventory all technical dependencies
• Architecture diagrams
• Complete UX outline

Acceptance Criteria:

• Open source repository with above artifacts
• Discord server
• Milestone video
• Announcements for above

Goals:

• Source code build and installs
• UI menus and navigation
• Identifier and key creation
• Use of Signify-ts or similar KERI library
• Configure to use a KERI agent
• Use of KERI Agent service or similar
• Encrypted storage
• Automated tests
• Continuous Integration via GitHub Actions (or Azure build pipeline)

Outputs:

• Supporting source code and artifacts in repo

Acceptance Criteria:

• Milestone video

Goals:

• Designate witnesses for key events
• Receive Key Event Receipts from witnesses

Outputs:

• Supporting source code and artifacts in repo

Acceptance Criteria:

• Milestone video

Goals:

• Receive and view ACDC credentials
• Authenticate with website using cryptographic signing
• Authorize with website using credential (ACDC)
• Sample website

Outputs:

• Supporting source code and artifacts in repo

Acceptance Criteria:

• Milestone video

Goals:

• Publish publicly available release (may be Alpha or Beta) via GitHub or Chrome Web Store

Outputs:

• Supporting source code and artifacts in repo
• Install procedure

Acceptance Criteria:

• Milestone video

[RESOURCES] Who is in the project team and what are their roles?

Ed Eykholt

20+ years of software product and engineering team leadership. C# developer. Focused on blockchain and identity projects and products since 2015. Atala ASTRO. Working on PRISM related projects with blocktrust over a year. Trust over IP Member. On different working groups related to digital identity.

LinkedIn: https://www.linkedin.com/in/edeykholt/

GitHub: https://github.com/edeykholt

Role: Project Lead, Lead Developer, UX-Design and Documentation

Björn Sandmann

10+ years of full-stack development with the .net Stack. Focused on identity and privacy solutions. PRISM Pioneer, Atala ASTRO, Plutus Pioneer, already funded & successfully finished proposals. Implemented all technical core functionality of products like the blocktrust analytics platform, the blocktrust mediator and the blocktrust identity wallet. Founder of blocktrust. On the Governance Committee of the Hyperledger Lab for the Open Enterprise Agent (PRISM agent), Trust over IP Member, DIF member

LinkedIn: https://www.linkedin.com/in/codedata/

GitHub: https://github.com/bsandmann

Role: Developer, UI Services

New Team Member

Blocktrust might hire or contract with an experienced full-stack C# developer to augment Ed and Björn's contributions. The project can still be successful without this additional person.

[BUDGET & COSTS] Please provide a cost breakdown of the proposed work and resources.

Summary: Cost 100,000 Ada

Milestone 1:

• 15 person-days (Ed @80% Bjorn @20%)
• Planned Finish: 2024-04-01
• Cost: 20,000 Ada

M2:

• 15 person-days (Ed @80% Bjorn @20%)
• Planned Finish: 2024-05-01
• Cost: 20,000 Ada

M3:

• 15 person-days (Ed @70% Bjorn @30%)
• Planned Finish: 2024-06-01
• Cost: 20,000 Ada

M4:

• 15 person-days (Ed @70% Bjorn @30%)
• Planned Finish: 2024-07-01
• Cost: 20,000 Ada

Final Milestone:

• 10 person-days Ed @60-80% Bjorn @20%
• Potential external attorney review of Terms of Use and Privacy Policy @0-20%
• Planned Finish: 2024-09-01
• Cost: 20,000 Ada

[VALUE FOR MONEY] How does the cost of the project represent value for money for the Cardano ecosystem?

This project brings direct value in accelerating the implementation of many use cases involving trust for many participants in the Cardano ecosystem, especially for establishing strong identity for holders and verifiers of KERI ACDC credentials in the future. Without good identity, authentication and authorization with websites (including those used by dApps), they are prone to impersonation attacks and privacy leakage. Without this type of solution, the potential greater adoption of many dApps and enterprise solutions will be slowed, especialy for established corporations wanting to enter a trustworthy blockchain ecosystem. The benefits of establishing trustworthy and authentic identity and credentials that can be inputs to Plutus contracts far exceeds this project's cost.

[IMPORTANT NOTE] The Applicant agrees to Fund Rules and also that data in the submission form and other data provided by the project team during the course of the project will be publicly available.

I Accept