PRISM credentials for the web

[IMPACT] Please describe your proposed solution.

The Problem

To determine if websites, service providers, or projects of any kind can be trusted, in the Web 2.0 world we use review systems, trust badges or simply the search rank on the results page of a search engine. Often, however, these signs of trust are manipulated, paid for and fabricated by fake reviewers. Projects put fake endorsements of well-known companies or people on the website, or use company logos of trusted companies as advertisements without their consent or knowledge.

A solution

Web 3.0 offers the possibility of making statements by companies or people about one another cryptographically verifiable. Trusted entities (e.g., domain experts) can delegate their hard-earned trust to others by endorsing their work. A few examples:

• IOHK/IOG has confidence in a Catalyst project and makes a positive statement about them: instead of a mere HTML text on a project web page, a visitor can cryptographically prove the statement and trace it back to a DID of IOHK/IOG.
• A startup is sponsored (e.g., by Microsoft) and would like to embed the Microsoft logo on the website to establish trust with new customers. Instead of simply embedding a JPG, the permission issued to use their badge, which may be time-limited, can be checked. As soon as the permission expires, the logo/badge of certification also disappears from the website.
• Charles Hoskinson makes a positive comment about an open-source project in an AMA. The project founders would like to include the quote on their website or GitHub page. They use this toolkit to prepare their own endorsement and send it to Charles. He quickly signs it with his identity wallet, and the project owners can embed it later on their page.

The use cases are numerous and come to light most notably when previously unknown persons/market participants emerge on the scene, whose trustworthiness cannot be assessed by traditional means (research, sufficiently large number of reviews). The crypto space itself is the best example of this dilemma: nowhere is one more reliant on third-party testimonies about trustworthy and quality projects, and nowhere is the misuse of false credentials greater than in the crypto space. The proposal is by no means limited to web3, and instead should allow everyone to verify third-party statements on websites.

Technically, the project is based on Atala PRISM and uses DIDs to identify both the identity of the person making the statement (Issuer) and the recipient of the statement (Holder). The statement itself is called Verified Credential and could be just a short note, a lengthy review, or a picture (logo or badge representing some kind of achievement). The core of the project consists of a web service that periodically checks statements that have already been published for their validity and provides a customizable JavaScript snippet to display the given statement on a website or online-shop.

For a visitor of the website, the statement is initially a piece of JavaScript code which gets evaluated and rendered. By clicking on the statement, the visitor can cryptographically trace the statement and verify its authenticity. The revocation of statements by their respective issuers is by design possible and an essential feature. In contrast to Web 2.0, statements that are no longer valid cannot be displayed any longer, instead of sitting unchanged on a website forever.

A technical overview of the implementation can be found on the website: https://blocktrust.dev/webcredentials

The service consists of a web portal, with three sections geared towards the different use-cases:

Management Area (Holder)

In the management area, website owners can use a DID to register (e.g., using the blocktrust identity wallet) and provide proof of domain ownership (document upload/nameserver entries). With proof of the domain, an API token and a JavaScript snippet is generated, which can be placed on the page by the domain owner. Basic customizations (color scheme, number of statements to be displayed) can be made. In the next step, invite links can be created to be sent to the issuers who should provide the content of the credential or who should just sign the already prepared credential.

Certifier Area (Issuer)

Logging into the certifier area is done by receiving an invite-link and authenticating with a browser wallet. After logging in, it is possible to proceed with the authoring of one's own statement or the signing of a statement crafted beforehand by the future holder. Different templates for endorsements, reviews, or the embedding of logos are available.

With the completion of this process, the statement is cryptographically signed by the issuer and is now available as a Verified Credential on the Cardano blockchain.

We believe that the signing process must be as simple as possible. If somebody wants to get an endorsement from someone everything has to be prepared, and paid for so that the endorser just has to follow the link, quickly review it and click on a “Sign”-button in this identity wallet.

Verifier API and Portal

As the credential appears in the one's browser, it is automatically cryptographically verified in the background. This is necessary because statements, once made, can be revoked or become invalid. The power to withdraw statements is always completely in the hands of the issuer. Through different caching techniques and periodic verification, the statement always remains up-to-date and matches the data found on the blockchain. For performance reasons, an array of optimization techniques can be used to make the rendering of the statement on the website as fast as possible.

Clicking on a verifiable statement/logo/badge on a website takes the user to the service's verifier portal to obtain detailed cryptographic evidence of the statement's origin to ensure that the statement was actually issued by the expected entity

[IMPACT] Please describe how your proposed solution will address the Challenge that you have submitted it in.

As a usable product, this proposal adds immediate value for the Cardano ecosystem:

• Existing and newly founded projects can get trust delegated to their project based on statements made by trustworthy and known entities. The willingness to try out new scripts or projects increases significantly if it is evident that a project is verifiably supported.
• The use of DIDs are a prerequisite of these cryptographically signed statements. Thus, the proposal promotes not only the direct adoption of DIDs and the use of Atala PRISM but also the entire SSI ecosystem.
• Through the publicly visible use of the verified credentials on websites, the project also creates a multiplier that generates a much stronger growth effect than verified credentials that are private in nature and have no external visibility (e.g., credentials in a user's wallet that rarely need to be presented).
• Cryptographically verifiable endorsements can also be used in online-stores to promote sales. The cryptographically verifiable way of proving the origin of a statement is superior to the often expensive and very questionable trust badges of existing providers in the Web 2.0 world.
• Other parties, like politicians, well-known personalities, magazines and journalists or product testers can use the system to support trustworthy projects o. products. This includes not only companies, but also social institutions and NGOs, which typically depend on trusted recommendations.

In short, this proposal is not only aligned with the challenge, but also helps the ecosystem as a whole to grow by focusing on what is the hallmark of Cardano: reliability and trust.

[IMPACT] What are the main risks that could prevent you from delivering the project successfully and please explain how you will mitigate each risk?

Technical risks

From a technical point of view, the risks are negligible, since technically comparable projects have already been implemented by us.

Additionally, we already collected a lot of experience with Atala PRISM over the last few months. We created our own version of the PRISM SDK, and we have a working prototype of a browser-based extension wallet (see proposal and demo -> blocktrust identity wallet).

Adoption and marketing challenges

As stated before, there are compelling reasons for a strong adoption inside and outside the Cardano ecosystem. However, with a technical background, it is always easy to run the risk of focusing solely on the technical implementation and treating the marketing as a side issue that will take care of itself. We recognize that this is a risk, and we are aware of the necessity to also make the project known and help others use the toolkit. To not fall in to this trap, we allocated some budget for a basic marketing campaign.

[FEASIBILITY] Please provide a detailed plan, including timeline and key milestones for delivering your proposal.

We are estimating a launch of the project within 5 months after the kickoff

Phase 1 (8 weeks)

In the first phase, it is all about getting the core of the application and the backend-services ready:

• Setup of the cloud services
• Bootstrapping of the management, certifier, and verifier API
• Implementing a basic version of the frontend (most likely written with Vue or Blazor)
• Setup of a Testing-suite (Unit- & Integration-Tests)
• Integration of a continuous integration pipeline
• Proof of concept showcase of the full pipeline, including simple JS-snippets for websites.

Phase 2 (8 weeks)

After phase 1 we already should have an MVP and will continue refining the product in phase 2. This includes:

• Working on fleshing out all three portals and APIs to a production-level quality with basic functionality.
• Setup of CDNs and a caching strategy for fast delivery of the embedded credentials
• Integration of different wallets and support of authentication using DIDs.
• Developing of basic customization features for the JavaScript-snippets in the Portal
• Designing and preparing templates to use.
• Testing and launching the product for first selected users to gather feedback.

Phase 3 (4 weeks) 

In the last phase it is all about bringing the software to the users, but also to prepare everything to run on mainnet:

• Integration of payment-mechanism for the ability to run on mainnet (including smart-contracts to refund payments for credentials which were paid for, but not signed by an invited issuer)
• Creating documentation and learning material so that everyone understands how to integrate the web-credentials into their profiles and websites.
• Getting promotion material ready and run a small educational marketing campaign to make it more known in the space.

Deliverables

A mostly polished and production-ready solution, hosted at https://blocktrust.dev

Core features:

• Management-area for websites-owners to register their site, prove their ownership, connect their identity wallet, manage existing endorsements and send invites. Generate a JS-Snippet with configuration options to use on their website.
• Certifier-area for organizations or people to connect their DID and issue endorsement to registered websites or DIDs. Manage existing endorsements and revoke them if necessary. Use custom images, badges, or logos to represent an endorsement instead of written text, e.g., a 'Catalyst Funded Project'-badge.
• A customized JS-Snippet gets rendered on the holders-websites with a cryptographic guarantee, that the statement is indeed from the specified holder. Clicking on the text/badge links to the verifier portal in which the details of the Verified Credential are shown, as well as existing metadata provided by the issuer to reinforce the credibility of the statement made.
• Documentation and tutorial material to get everyone started using web-credentials

Other projects and timelines

If there will be funding of any additional proposals from blocktrust, there will inevitably be an overlap. At this point, priority will be given first to the proposal with the most votes (considering the technical feasibility of the order in which the projects could be completed most efficiently).

To be as transparent as possible: here are the other proposals from blocktrust in this fund:

• Blocktrust identity wallet
• PRISM analytics platform 

Björn Sandmann is also working on a previous proposal from Fund 7. It allowed the proposer to work full-time on PRISM and laid therefor the basis for much of what was accomplished since then (e.g., .net SDK for Atala PRISM, PoC of a browser-extension wallet). The proposal from F7 is still ongoing and will likely finish as planned (September) and therefore will not collide with the new proposal.

[FEASIBILITY] Please provide a detailed budget breakdown.

Core Team:

Backend-Engineer (Björn Sandmann) working for 100 h/month over 5 months: 500 hours total. With a rate of 80 USD, this would amount to 40,000 USD, which is not feasible for a community funded project. Consequently, I (the main proposer) would invest my own time/money into the project and therefore would reduce the rate to 60 USD for myself. In Total, 30,000 USD.

Frontend-Developer (John Grabenmeier) will develop the JS-Snippets, which are loaded into the websites, as well as additional work on the different views of the web portal. Costs: 120h of work also at a reduced rate with 60 USD/h for a total of 7,200 USD.

Supporters:

Designer: Concept and design of the project website, marketing material and endorsement icons/badges. Estimated 100 h of work at a rate of 60 USD/h. Totaling 6,000 USD.

Marketing: As outlined before, a small marketing position starting with the MVP should be created. Estimated 50 h of work over a time span of 2-3 months at 60 USD/h. Totaling 3,000 USD.

Infrastructure Costs: Servers and Infrastructure for the initial 5 months of development plus additional 12 months after launch with a budget of 200 USD/month. 3,400 USD.

Overall 49,600 USD

A contingency for budget overruns is not necessary in our opinion, since we are already below our normal hourly rates and are willing to take financial cuts to be able to implement this project. Delays or increased costs will be covered by us personally.

[FEASIBILITY] Please provide details of the people who will work on the project.

blocktrust is a startup focusing on developing technologies around Atala PRISM. For more information about our other proposals and current technology demos (like the browser-extension wallet) visit: https://blocktrust.dev

Björn Sandmann

9+ years of full stack development with the .net. Focused on identity and privacy solutions. PRISM Pioneer, Atala ASTRO, Plutus Pioneer, already funded proposals.

Björn Sandmann will primarily work on the technical infrastructure, the integration with PRISM and the web app.

LinkedIn: https://www.linkedin.com/in/codedata/

Project history and technical skills: https://www.gulp.de/gulp2/g/spezialisten/profil/bsandmann

John Grabenmeier

20+ years of frontend development. Proven track record of from small online shops to high-profile enterprise systems.

John Grabenmeier will primarily be working on the embeddable JS-Snippets and will also overlook some of the design aspects of the frontend.

LinkedIn: https://www.linkedin.com/in/johngrabenmeier/

Project history and technical skills: https://www.johngrabenmeier.com/

Supporters:

As defined above we would require a designer and marketing support primarily in the later stages of the project. Due to our work in software development and taking part in an uncounted number of product and company launches we have a wide network of both. We are committed to onboard these persons after funding to participate as early as possible in the development phase with their respective experience and input. 

Should the workload increase due to the realization of more than one submitted proposal, there is currently the opportunity to onboard another developer at relatively short notice, who has been considering working full-time in the blockchain space for some time, but needs secure financing. With over 15 years of professional experience with backend code and working for large companies in complex system landscapes, this person would be the ideal addition to the team. However, this decision can only be finalized once the funding has been secured. A naming is not yet possible due to a current employment contract.

[FEASIBILITY] If you are funded, will you return to Catalyst in a later round for further funding? Please explain why / why not.

A further funding round of the proposal will depend on its adoption. Should the platform be used actively, a second funding round is conceivable after the conclusion of the first to ensure the further development and permanent operation of the platform (if no other monetization model can be found).

In any case, the planned budget is sufficient to build the platform to the extent outlined here and then operate it for a period of at least 12 months.

[FEASIBILITY] Are you or any member of your team working on any other proposals in this Fund9?

[FEASIBILITY] Are you or your team working on any other proposals from previous Funds?

[AUDITABILITY] Please describe what you will measure to track your project's progress, and how will you measure these?

During development, we will write a blog entry every two weeks at www.blocktrust.dev/blog, which will provide information about the advancement of the work. This allows the community to follow the progress during this busy time. In the blog entry we will report on the technical details of the work and at the same time state whether we are within the predicted time window of release.

After the development and launch of the project, we’ll despite the proposal being completed by then report usage numbers and the number of embedded credentials regularly for at least 12 months.

We are well aware of the trust put into a funded project like this by the community and are happy to be as transparent as possible. In the end, this proposal is all about trust.

[AUDITABILITY] What does success for this project look like?

For us, success is not measured by mere user numbers, but by the progress and success of the entire ecosystem. With this proposal, we are delivering a tool to make our ecosystem even better at what it is already good at: delivering great and trustworthy solutions.

But it is not all about projects which like to get a verifiable badge or endorsement on their webpage. It’s also about individuals, who complete courses and want to show off what they have achieved. Maybe just to build their reputation as an expert, but perhaps to finally get a new job.

And in the long term a project like this could also change some of the dodgy parts of e-commerce with their useless trust-badges they draw up by themselves, or pay for. Being able to verify those endorsements or reviews would really improve our all lives.

Specifically, we hope:

• That we are able to develop a good and easy solution everybody can use.
• That we get some traction inside and outside Cardano community, with more and more people embedding verifiable credentials on their websites and profile-pages.
• That we help to grow the ecosystem. With the technology of Atala PRISM we have a uniqueness and growth-factor that sets us apart from numerous other blockchains.

[AUDITABILITY] Please provide information on whether this proposal is a continuation of a previously funded project in Catalyst or an entirely new one.

This proposal is entirely new, in that sense, that it has no relation to an already funded proposal.

But this proposal is an improvement of a recent proposal from Fund 8, which got a good rating of 4.6. It was very close, but unfortunately, it didn't make the cut last time.