Technical Document – Part 1
“A wallet to rule them all”
To understand the ecosystem built around the “ONE” wallet, we will first recall how this project fits into the work on decentralized identities. This work aims to use the blockchain to prove the authenticity of personal information and better manage access to it.
A multi-identity wallet for valued and controlled personal data
Our digital lives today are made up of a multitude of personal data that are not easily verifiable and are abusively requested each time a user account is created. The services that request them usually have no particular interest in getting this data. Until now, Internet users have had neither the tools to manage the diffusion of their identity data nor the means to help change the abusive way in which services collect this data.
We all struggle to manage a digital identity composed of a multitude of sub-identities and attributes associated with different contexts. Proving our identity and attributes is a real challenge, especially in a world where dematerialized services are multiplying and where physical movement is limited.
Digital identity management includes the management of:
1 – user registration and attribute validation phase
2 – user identification and authentication on the basis of his verified data
3 – “verifiable credentials” reception, storage and presentation
4 – access to services and transactions on the basis of these “verifiable credentials”.
Usually, this management is delegated to the user. To access their services, he has to manually select all the companies to which he must systematically present part of his information.
Online service providers often also take on the role of identity provider and register their own users. Sometimes, for lack of a better solution, they delegate this burden to unscrupulous third parties such as the social network giants through buttons such as “connect with your Facebook account”.
Through various regulations, governments are trying to:
– regulate the use of personal data to limit their misuse (GDPR), often for customer profiling purposes,
– strengthen authentication security levels on the most sensitive online services (PSD2, eIDAS, TSP).
In terms of security, the best practices pushed by these regulators rest on the same cryptographic foundations that are well known to crypto-asset enthusiasts: hash functions, data encryption, strong authentication, data and transaction signatures.
Generic cybersecurity and crypto-asset security are already converging, for example through the use of FIDO (a strong authentication protocol developed by the Web giants and endorsed by regulators) on certain hardware wallets (Ledger, Trezor, Bitbox). In addition, message encryption functionality can be added to the latest version of MetaMask.
Conversely, some crypto wallets can now perform message signatures outside the usual framework of crypto-asset transactions and transfers.
We will also see later how traditional centralized cybersecurity players, such as the certification authorities that provide certificates, can benefit from this convergence.
The attributes of our online profiles / avatars / accounts are currently mainly hosted by the service that requested them during the creation phase. This is the usual set-up where the online service provider also acts as an identity provider:
Figure 1-1: The Service Provider (SP) creates the user’s account and its attributes (directly used)
The roles of Identity Provider and Service Provider can be dissociated. This is the principle of account opening and information sharing through social network logins.
Figure 1-2: The Service Provider (SP) uses the attributes of an account created with an external Identity Provider (IDP)
Transition towards decentralized architectures
In a decentralized architecture, crypto-assets are assigned to a public address, which depends on a private key kept by the user in his wallet. The user only produces transaction signatures, which are then verified / validated.
Figure 1-3: No personal information is kept outside the local wallet of the “crypto” owner.
Before being able to associate personal data verified by third parties with our identity, we must create a DID. A DID is an identifier that refers to a single user and respects the following principles:
– the DID cannot be assigned (or reassigned) to anyone other than the creator of the DID,
– the DID can operate without a central authority,
– the DID is linked to one or more cryptographic keys to verify that its owner has exclusive control over it,
– the DID allows you to retrieve a public document, the “DID Document”, which allows you to reference other elements such as one or more public keys, services, etc.
Figure 1-4: a user’s DID, unique identifier
In the next article, we will discuss in detail the DID documents and their links with the “Verifiable Credentials”. A “Verifiable Credential” is a set of personal data that has been verified by a trusted party, which usually also has its own DID.
This personal data is then signed by the initial verifier and returned to the user, who can then choose to share it as he wishes.
Figure 1-5: The Wallet “ONE” allows credentials to be received and checked
The wallet that manages the private key linked to the user’s DID must be able to manage the received Verifiable Credentials and must also:
– Demonstrate cryptographically to the Identity Provider that it has effective control over its DID
– Test the validity and verifiability of the “Verifiable Credentials” provided by the IDP
– Get files referenced in Verifiable Credentials on centralized and decentralized storage spaces
– Store Verifiable Credentials
– Distribute Verifiable Credentials over the right communication channels
– Use other specified cryptographic keys for other purposes (encryption, generic signature, authentication signature)
– Manage some DIDs from other chains to ensure interoperability / scalability
This wallet can take advantage of the significant progress made on Hierarchical Deterministic (HD) wallets and offer a simplified backup and restore procedure.
Figure 1-6: The HD Wallet “ONE” manages all the private keys necessary for all cryptographic uses.
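The backup and restore property described above, together with the requirement of separate keys per cryptographic purpose, as an added example that is not code from the ONE project. It assumes SLIP-0010 hardened derivation for Ed25519 keys; the purpose names, indexes and path layout are hypothetical, since the page does not specify the wallet's derivation scheme.

```python
import hashlib
import hmac

HARDENED = 0x80000000

# Hypothetical purpose indexes: the page names the purposes, not a path layout.
PURPOSES = {"did-control": 0, "encryption": 1, "generic-signature": 2, "authentication": 3}


def master_node(seed: bytes) -> tuple[bytes, bytes]:
    """SLIP-0010 master node for Ed25519: returns (private key, chain code)."""
    digest = hmac.new(b"ed25519 seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def derive_hardened(key: bytes, chain_code: bytes, index: int) -> tuple[bytes, bytes]:
    """Derive one hardened child (SLIP-0010 allows only hardened children for Ed25519)."""
    if not 0 <= index < HARDENED:
        raise ValueError("index must be in [0, 2**31)")
    data = b"\x00" + key + (index | HARDENED).to_bytes(4, "big")
    digest = hmac.new(chain_code, data, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def wallet_keys(seed: bytes, account: int = 0) -> dict[str, bytes]:
    """Rebuild every purpose key from the seed alone (path m/account'/purpose')."""
    if len(seed) < 16:
        raise ValueError("seed must be at least 128 bits")
    key, chain = derive_hardened(*master_node(seed), account)
    return {name: derive_hardened(key, chain, idx)[0] for name, idx in PURPOSES.items()}


if __name__ == "__main__":
    # Constructed sample seed for the demonstration; never use it for real keys.
    seed = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    original = wallet_keys(seed)
    restored = wallet_keys(seed)  # "restore" = re-derive from the backed-up seed
    assert original == restored
    assert len(set(original.values())) == len(PURPOSES)
    for name, key in original.items():
        # Print a fingerprint only, not the private key itself.
        print(f"{name:18s} {hashlib.sha256(key).hexdigest()[:16]}")
```

Because every child is hardened, a leaked purpose key does not reveal its sibling keys or the parent node, so the seed is the only secret that needs to be backed up.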
In an upcoming article, we will see how Verifiable Credentials are generated, transmitted and presented for verification.