cAuth (SSI & oAuth) by AIM

[IMPACT]

The Cardano ecosystem is growing rapidly and many solutions in the ecosystem (https://www.cardanocube.io/cardano-ecosystem-interactive-map) require users to authenticate using a login/e-mail and a password. This adds to what is commonly known as password chaos and password fatigue and is a potential security risk. Alternatively developers might choose to allow login via 3rd party, this leads in most cases to feeding the centralization of the Internet, if the provider turns out to be Google, Facebook, Twitter or some other corporation. It creates a vendor lock in (i.e. you need to have the account to be able to login). It also prevents the system from being truly decentralized. We either depend on a project's own database or we depend on centralized systems of corporations. In both cases the identity of the person is owned by the system so it’s not self-sovereign.

Web 2.0 used username and password, which later added email address as a means of proving identity. This was good for security as it offered the two levels, something you know and something you have. The trouble is that these days that almost all aspects of interaction with web services requires a ‘login’, the layman term for authentication. This has given rise to the problem that people often reusing passwords across their various platforms and services they use, a major security risk these days given the heightened probability of these platforms/services having a data breach and personal data being leaked and a shared password being compromised. The solution that is available to the user is the use of a password manager. This reduces the risks of cross use passwords but requires a level of technical know how and dedication to maintain properly. In some cases the password manager is not held by the individual and therefore held by a service provider which reduces self-sovereignty and adds the risk of the holder being compromised. 

Web 3 gives an opportunity to assist with the various issues associated with Web 2.0 Identity and authentication. Using blockchain technology and connecting with the needs and well established structure already in use. cAuth will implement the two components of the authentication system. Firstly an identification system and second is an authentication system.

The community uses a number of tools and platforms that require authentication, but we don’t have a common authentication system, so we depend on word of mouth and personal relations of trust. As the community grows it gets harder and harder to know if the person can be trusted, Cardano blockchain and existing standards like DID, Oauth 2.0 and SAML 2.0 give a way to provide authentication, while respecting users privacy and self-sovereignty. We want to promote openness and security to avoid situations where accounts can get hacked (as we have seen in the Catalyst Discord server) which can happen with legacy authentication systems. 

cAuth is an implementation using the open authentication protocol which is in wide and common use across the Internet. That being, OAuth (https://oauth.net/). Implementing an extension to an already open standard will reduce development time and increase trust and credibility of the cAuth implementation. 

We aim to separate the SSI creation and decentralize it, at this moment we are investigating possible solutions and will explore future partnerships over the course of development.

In order for this solution to be truly decentralized future versions of cAuth can run in part as smart contracts, we have identified 2 possible SCs, as they could become part of a sustainable business model under consideration. They would aim at making the system financially sustainable and self-governing.

We want to provide users a way to become their own authentication provider.  This will mean an integration with existing wallet or dedicated web/mobile app depending on research and development.

We will need server side code to provide a proxy for Web 2.0 applications to connect to the wallet app on the users phone. Initially this will be a single server application, but we are already investigating and designing a decentralized solution.

This SSI implementation will pave the way for significant use SSI and of Cardano blockchain and therefore participation and adoption growth of SSI ecosystem of Cardano.

First of all sign-in is one of the most commonly used features on the world wide web.

Secondly it will increase adoption, because in order to sign-in with Cardano a person will need to own a wallet and hold ADA.

It provides an easy to understand, low complexity example of the power of SSI usability it has a chance to make SSI more accessible.

It will decrease identity chaos Catalyst currently has (ideascale login, discord login and more), improve security and provide interoperability with existing apps

We aim to develop a sustainable and participatory business model which will provide opportunities for members of the community for services rendered.

The proof-of-concept solution will be through the use of issuing NFTs. We will explore the use of integrating a Smart Contracts solution, however this is beyond the scope of this proposal.

The outcomes will be clearly measurable and visible as part of MVP we aim to provide a web app that will serve as the main gateway to cAuth, allow the user to create his own SSI, explain the process, provide documentation, introduce the user to SSI, DIDs on Cardano (Atala PRISM), and point user to required tools. The website will also provide community members with information on how to participate and earn rewards.

There are various implementations of SSI (self sovereign identity) being worked on by various people. The key to the long term success of cAuth will be to create an open standard that can be implemented by as many of these SSI implementations. A major risk therefore is that our standards are not easy to implement or are not widely adopted. A further risk is complexity. This a high complexity project incorporating: DIDs, Smart Contracts, mobile apps and a complex security model in a domain that is currently being developed.

The mitigation of this problem is two fold. Firstly we will use cAuth for the AIM Community Tools series and have already had discussions with a number of community tool builders who have expressed an interest in implementing cAuth into their platforms. Secondly we will look to form partnerships and build consensus on agreed open standards. With the help of this proposal (if it be funded) Authentication Protocol Work Group https://cardano.ideascale.com/c/idea/399380 we can ensure that broad participation in quality SSI based authentication is achieved for the Cardano Community. Further, if Atala PRISM becomes more widely adopted it can become a part of the trusted DID sources to prove SSI on the cAuth authentication implementation. Complexity can be reduced by dividing the implementation into interoperable modules with open and well written documentation and ensuring scope creep is minimized.

[FEASIBILITY]

Roadmap:

• May 2022
• Preliminary research - Literature review of current research about some key problems - SSI, DIDs, developing standards, etc. (i.e. SIOPv2)
• cAuth Brand development - branding forms an important part of a project's broad awareness and appeal.
• UI/UX design and prototyping
• Research implementation options
• June 2022
• Website development
• Design protocol and architecture.
• Begin early stage development
• API design
• July 2022
• Development of first prototype
• Prototype testing 
• August 2022
• Implementation of wallet integration
• Marketing plan development
• September 2022
• Finalize development
• Finalize documentation
• Soft launch/limited public testing
• Marketing plan execution
• October 2022
• Q&A & bug fixing
• Performance tests
• Marketing continuing

Deliverables:

• Project Website
• API Specification
• Protocol Documentation
• Architecture Documentation
• 3rd-party Integration Documentation
• Backend Implementation
• Wallet Integration SDK and Documentation or dedicated cAuth mobile app
• PoC implementation (cAuth Cardano authenticator + wallet(s) integration)

Project Management - $6000 (over 6 months) ~ 120 hours

Proposal writing, Project oversight and define future directions, Manage partnerships, represent the project externally (e.g. TH and Community Initiatives), Manage project's finance.

Marketing & Community Engagement - $4000 ~ 100 hours

Marketing budget will provide for promotion and project engagement acquisition. This can include project presentations, influencer interviews, community engagement, promotional material development. 

Design - $6000 ~ External Hire

This item will include:

cAuth Brand development for recognition and adoption. App design including data structures and usability. Production of promotion material.

Research - $2000 ~40 hours

Research existing SSI and authentication systems, explore opportunities and implementations. Investigate and develop the business model.

Administration - $3000

Submission of reports, recording of meeting minutes, purchase of tools, project support staff and sundry expenses.

Development - $36000 ~ 740 hours

Creating the webpage, documentation, backend for creating, revoking, managing and verifying SSIs, mobile app that can contain the SSI and serve as authentication provider or integrating with existing wallets (depends on research), API design, Oauth to SSI gateway. 

Technical Lead - Michał Wojtera $12000 (300 hours)

Technical Consultant - Lucio Baglione $6000 (120 hours)

Developers - AIM Developer Team - $16000 (320 hours)

Testing / QA / Feedback iteration: $2000 ~ 40 hours

Total: 57000

Phil Khoo: Project Lead - Veteran Community Advisor (vCA), co-creator of and project lead on the Community Tools (Proposer/CA/vCA/Voter Tools and Community Landing page), front end UI/UX designer and finance and business background.

Michał Wojtera: full stack developer, sysadmin and researcher with 15+ years of experience, Java, SQL, NoSQL, Javascript, Typescript, Vue.js, Node.js, Linux Administration, Docker, Virtualisation, CA, vCA, co-creator of Community Landing Page PRISM Pioneer 2nd cohort. 9 peer-reviewed publications https://github.com/mwojtera https://github.com/Project-Catalyst/

Lucio Baglione: Technical Consultant and misunderstood genius - Developer with 9+ years of experience (mainly focused on web/mobile. Languages and frameworks: PHP, Javascript, Typescript, Python, Ruby - Laravel, Ruby on Rails, Wordpress, Angular.js, Vue.js, Node.js). CA and vCA, co-creator of the Community Tools (Proposer/CA/vCA/Voter Tools). PRISM Pioneer program participant first cohort. https://github.com/Project-Catalyst/ https://github.com/coire1 .

The AIM Developer team. The team is a growing part of Cardano AIM and we will look to hire/contract additional talent as needed. The team will be responsible for webpage development and wallet integration.

[AUDITABILITY]

• Number of Github commits
• Milestones reached
• Deliverables as specified above
• Number of Github issues opened/resolved
• Number of Github PR reviewed / merged / accepted
• Number of feedback received and implemented

Success will be the delivery of the two parts of this project. Firstly a simple proof of concept SSI solution offering a form of DID. Secondly the implementation of the DID into a community authentication system that allows community members and users to login to various community tools and ecosystem platforms. Further, it will provide a way forward to the community and platform builders to implement the system and expand to include other SSI implementations..

This is not a continuation funding of an existing project, however it is a logical step in the expansion of various community projects including AIM vCA-tool https://cardanocataly.st/vca-tool, Community participation in the Community landing page https://cardanocataly.st