PRISM Verifiable Credential badges

[GENERAL] Name and surname of main applicant

Björn Sandmann

[GENERAL] Are you delivering this project as an individual or as an entity (whether formally incorporated or not)

Entity (Not Incorporated)

[GENERAL] Please specify how many months you expect your project to last (from 2-12 months)

5

[GENERAL] Please indicate if your proposal has been auto-translated into English from another language.

No

[GENERAL] Summarize your solution to the problem (200-character limit including spaces)

A toolkit to embed Verifiable Credentials into your website or profiles for everyone to see and verify even without the need of an identity wallet. Think of it, like GitHub build-status-badges.

[GENERAL] Does your project have any dependencies on other organizations, technical or otherwise?

No

[GENERAL] If YES, please describe what the dependency is and why you believe it is essential for your project’s delivery. If NO, please write “No dependencies.”

No dependencies.

[GENERAL] Will your project’s output/s be fully open source?

Yes

[GENERAL] Please provide here more information on the open source status of your project outputs

We intend to put the project under the Apache 2.0 license.

[SOLUTION] Please describe your proposed solution.

The Problem

To determine if websites, service providers, or projects of any kind can be trusted, in the Web 2.0 world we use review systems, trust badges or simply the search rank on the results page of a search engine. Often, however, these signs of trust are manipulated, paid for and fabricated by fake reviewers. Projects put fake endorsements of well-known companies or people on the website, or use company logos of trusted companies as advertisements without their consent or knowledge.

 

A solution

Web 3.0 offers the possibility of making statements by companies or people about one another cryptographically verifiable. Trusted entities (e.g., domain experts) can delegate their hard-earned trust to others by endorsing their work. A few examples:

 

• You completed a course on Plutus or PRISM, you could now show a verifiable badge of completion by embedding it into your Github profile, website or any other page.
• IOG has confidence in a Catalyst project and makes a positive statement about them: instead of a mere HTML text on a project web page, a visitor can cryptographically prove the statement and trace it back to a DID of IOG.
• A startup is sponsored (e.g., by Microsoft) and would like to embed the Microsoft logo on the website to establish trust with new customers. Instead of simply embedding a JPG, the permission issued to use their badge, which may be time-limited, can be checked. As soon as the permission expires, the logo/badge of certification also disappears from the website.
• The use cases are numerous and come to light most notably when previously unknown persons/market participants emerge on the scene, whose trustworthiness cannot be assessed by traditional means (research, sufficiently large number of reviews). The crypto space itself is the best example of this dilemma: nowhere is one more reliant on third-party testimonies about trustworthy and quality projects, and nowhere is the misuse of false credentials greater than in the crypto space. The proposal is by no means limited to web3, and instead should allow everyone to verify third-party statements on websites.

 

Technically, the project is based on Atala PRISM and uses DIDs to identify both the identity of the person making the statement (Issuer) and the recipient of the statement (Holder). The statement itself is called Verified Credential and could be just a short note, a lengthy review, or a picture (logo or badge representing some kind of achievement). The core of the project consists of a web service that periodically checks statements that have already been published for their validity and provides a customizable JavaScript snippet to display the given statement on a website or online-shop.

 

For a visitor of the website, the statement is initially a piece of JavaScript code which gets evaluated and rendered. By clicking on the statement, the visitor can cryptographically trace the statement and verify its authenticity. The revocation of statements by their respective issuers is by design possible and an essential feature. In contrast to Web 2.0, statements that are no longer valid cannot be displayed any longer, instead of sitting unchanged on a website forever.

 

A technical overview of the implementation can be found on the website: https://blocktrust.dev/webcredentials

 

The service consists of a web portal, with three sections geared towards the different use-cases:

 

Management Area (Holder)

In the management area, website owners can use a DID to register (e.g., using the blocktrust identity wallet) and provide proof of domain ownership (document upload/nameserver entries) or control over a page (e.g. GitHub). With that proof, an API token and a JavaScript snippet is generated, which can be placed on the page by the domain owner. Basic customizations (color scheme, number of statements to be displayed) can be made. In the next step, invite links can be created to be sent to the issuers who should provide the content of the credential or who should just sign the already prepared credential. Alternativly the Holder can directly send an existing Credential (Presentation Proof to be precise) to the platform itself. This happens via DIDComm and the WACI Present Proof flow. In this case, no one else is needed to issue a Credential as it already exists.

 

Certifier Area (Issuer)

Logging into the certifier area is done by receiving an invite-link and authenticating with a browser wallet. After logging in, it is possible to proceed with the authoring of one's own statement or the signing of a statement crafted beforehand by the future holder. Different templates for endorsements, reviews, or the embedding of logos are available.

With the completion of this process, the statement is cryptographically signed by the issuer and is now available as a Verified Credential on the Cardano blockchain.

We believe that the signing process must be as simple as possible. If somebody wants to get an endorsement from someone everything has to be prepared, and paid for so that the endorser just has to follow the link, quickly review it and click on a “Sign”-button in this identity wallet.

Verifier API and Portal

As the credential appears in the one's browser, it is automatically cryptographically verified in the background. This is necessary because statements, once made, can be revoked or become invalid. The power to withdraw statements is always completely in the hands of the issuer. Through different caching techniques and periodic verification, the statement always remains up-to-date and matches the data found on the blockchain. For performance reasons, an array of optimization techniques can be used to make the rendering of the statement on the website as fast as possible.

Clicking on a verifiable statement/logo/badge on a website takes the user to the service's verifier portal to obtain detailed cryptographic evidence of the statement's origin to ensure that the statement was actually issued by the expected entity

[IMPACT] Please define the positive impact your project will have on the wider Cardano community.

As a usable product, this proposal adds immediate value for the Cardano identity ecosystem around PRISM:

• The use of DIDs are a prerequisite of these cryptographically signed statements. Thus, the proposal promotes not only the direct adoption of DIDs and the use of Atala PRISM but also the entire SSI ecosystem.
• Through the publicly visible use of the Verified Credentials on websites, the project also creates a multiplier that generates a much stronger growth effect than verified credentials that are private in nature and have no external visibility (e.g., credentials in a user's wallet that rarely need to be presented).
• Existing and newly founded projects can get trust delegated to their project based on statements made by trustworthy and known entities. The willingness to try out new scripts or projects increases significantly if it is evident that a project is verifiably supported.
• Cryptographically verifiable endorsements can also be used in online-stores to promote sales. The cryptographically verifiable way of proving the origin of a statement is superior to the often expensive and very questionable trust badges of existing providers in the Web 2.0 world.
• Other parties, like politicians, well-known personalities, magazines and journalists or product testers can use the system to support trustworthy projects o. products. This includes not only companies, but also social institutions and NGOs, which typically depend on trusted recommendations.

In short, this proposal is not only aligned with the challenge, but also helps the ecosystem as a whole to grow by focusing on what is the hallmark of Cardano: reliability and trust.

[CAPABILITY & FEASIBILITY] What is your capability to deliver your project with high levels of trust and accountability? How do you intend to validate if your approach is feasible?

Blocktrust has been an active participant in the Cardano ecosystem since early 2022, developing SSI solutions using Atala PRISM from the start. Over the last year and a half, we have been building projects and libraries based on PRISM. Many of these are open-source and all of them provide value. Some notable ones include:

 

• Identity Wallet for the Browser (https://blocktrust.dev/identitywallet)
• Analytics Platform (https://analytics.blocktrust.dev)
• Credential Builder (https://credentialbuilder.blocktrust.dev)
• DIDComm Mediator (https://mediator.blocktrust.dev)
• Plus a collection of open-source libraries for use with PRISM, which can be found here (https://github.com/bsandmann)

 

The Identity Wallet and the Credential Builder have been funded with Project Catalyst and have been already successfully completed. We also have a nearly perfect record of submitting the monthly reports over 1,5 years.

Looking at our reports or our blog, you'll see we're constantly sharing videos, posts, new projects, and code. 

[Project Milestones] What are the key milestones you need to achieve in order to complete your project successfully?

Project start, architecture and setup (1 month)

The first milestone is about project setup, the basic application architecture and writing the first code

• Setup of the cloud services
• Basic architectural building-blocks in code
• Bootstrapping of the management, certifier, and verifier API

Acceptance Criteria: Progress report, providing the repository, intial concept presentation, first code

Cost: 24,700 ADA

Development towards an MVP (1 month)

For the second milestopne, it is all about getting the core of the application and the backend-services ready:

• Implementing a basic version of the frontend (most likely written with Vue or Blazor)
• Setup of a Testing-suite (Unit- & Integration-Tests)
• Integration of a continuous integration pipeline
• Proof of concept showcase of the full pipeline, including simple JS-snippets for websites.

Acceptance Criteria: Progress report, showcasing the MVP in a video

Cost: 24,700 ADA

Refinement and new features (2 month)

After milestone 2 we already should have an MVP and will continue refining the product for milestone 3. This includes:

• Working on fleshing out all three portals and APIs with basic functionality.
• Setup of CDNs and a caching strategy for fast delivery of the embedded credentials
• Integration of different wallets and support of authentication using DIDs.
• Developing of basic customization features for the JavaScript-snippets in the Portal
• Designing and preparing templates to use. 

Acceptance Criteria: Progress report, showcasing the features in a video

Cost: 24,700 ADA

Finalization and rollout (1 month)

For the last milestone it is all about bringing the software to the users and gathering feedback.

• Creating documentation and learning material so that everyone understands how to integrate the web-credentials into their profiles and websites.
• Helping some users and website to integrate it with their website
• Gathering feedback

Acceptance Criteria: Progress report, showcasing the complete application in a video. Links to samples for different kind of working embeddings.

Cost: 24,700 ADA

[RESOURCES] Who is in the project team and what are their roles?

Björn Sandmann (Lead developer)

10+ years of full-stack development with the .net Stack. Focused on identity and privacy solutions. PRISM Pioneer, Atala ASTRO, Plutus Pioneer, already funded & successfully finished proposals. Implemented all technical core functionality of products like the blocktrust analytics platform, the blocktrust mediator and the blocktrust identity wallet. Founder of blocktrust. On the Governace Commitee of the Hyperledger Lab for the Open Enterprise Agent (PRISM agent), Trust over IP Member, DIF member

LinkedIn: https://www.linkedin.com/in/codedata/

GitHub: https://github.com/bsandmann

Ed Eykholt (Development support, UX)

20+ years of software product and engineering team leadership. C# developer. Focused on blockchain and identity projects and products since 2015. Atala ASTRO. Working on PRISM related projects with blocktrust over a year. Trust over IP Member. On different working groups related to digital identity.

LinkedIn: https://www.linkedin.com/in/edeykholt/

Github: https://github.com/edeykholt

[BUDGET & COSTS] Please provide a cost breakdown of the proposed work and resources.

Team:

Backend-Engineer working for 100 h/month over 5 months: 500 hours total. With a rate of 70 USD, this would amount to 35,000 USD = 92,000 ADA

 

Infrastructure Costs:

Servers and Infrastructure for the initial 5 months of development plus additional 7 months after launch with a budget of 160 USD/month. 1,920 USD = 6,800 ADA

 

Overall 98800 ADA

A contingency for budget overruns is not necessary in our opinion, since we are already below our normal hourly rates and are willing to take financial cuts to be able to implement this project. Delays or increased costs will be covered by us personally.

[VALUE FOR MONEY] How does the cost of the project represent value for money for the Cardano ecosystem?

The team is experienced and has worked with PRISM for a long time, shipping a wide range of products, projects and services. With this experience the work is very much focused and efficient.

The solution itself provides an excellent method of showcasing verifiable credentials, which are typically stored in one's wallet. This exposure to a wide audience serves as a beneficial strategy to make more people notice, and hopefully, use digital identities on Cardano.

We computed effort, in hours, and multiplied that by a below-market rate of US$70 per hour (in both Germany and USA) for the expertise of our team. Then we devided this by a recent price of Ada, US$/ada = 0.38. By doing the, the team is taking a downside risk if the price of Ada drops from that point.

[IMPORTANT NOTE] The Applicant agrees to Fund Rules and also that data in the submission form and other data provided by the project team during the course of the project will be publicly available.

I Accept