Gene Vayngrib edited this page Mar 25, 2015 · 15 revisions

Introduction

Decentralized apps need a way for Identities to affirm their actions. Digital signatures are used to state agreement with content, to witness an action, to verify correctness, etc. Technically, a signature is produced from an on-chain object and the Identity's signing key, and the signature becomes another property of that object. Note that the Identity is usually a person, but could also be a device or a program.

Attestations/Endorsements

When we are signing something we are making a statement. Statements are context-specific. For now, let's enumerate some of the scenarios. Later on we will split them between the needs of the application, the laws of the land, objective and subjective statements, etc.

  1. Verification of identity (web of trust)
    • I confirm the identity of another person or organization. This verification can have several levels:
      • cryptographic, by using Diffie-Hellman shared secrets and communication through side channels to confirm ownership of domains, email confirmation, phone number confirmation (a code is delivered via SMS or a programmed voice call) and ownership of social accounts
      • automatic, verifying the identity based on ECC signature, number of followers, and background checks.
      • manual, verifying the identity with phone calls, emails, photos, etc.
      • manual, verifying the identity with an on-site visit, etc.
      • manual, verifying the legal status of the company
  2. Verification of operations/actions
    • e.g. machinery (as done on Alibaba)
    • assets under management, reserves
    • sources of funds, legality of fund movements
    • the officers of the company
    • tax documents
  3. I acknowledge that I was informed of ...
  4. Witnessing
  5. I agree with ...

Hierarchy of trust

In an organizational setting, a member is often required to act on behalf of the organization. On the other hand, it is important to have personal accountability. Therefore the organization entitles its members to act independently by signing their keys. An employee can then sign with their own keys, and these keys can be revoked when the employee leaves the company or upgraded upon promotion.
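
The delegation described above, as an added example (not code from this wiki or its project): an organization endorses a member's key, the member signs a statement under their own key, and a verifier accepts it only if the endorsement checks out and the key has not been revoked. Ed25519, the canonical JSON encoding and the field names (body, action, signer, sig, memberKey, 'endorse-key') are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Deterministic JSON (sorted keys) so signer and verifier hash identical bytes.
function canonical(v) {
  if (Array.isArray(v)) return '[' + v.map(canonical).join(',') + ']';
  if (v && typeof v === 'object') {
    return '{' + Object.keys(v).sort()
      .map(k => JSON.stringify(k) + ':' + canonical(v[k])).join(',') + '}';
  }
  return JSON.stringify(v);
}

// Assumption: Ed25519 keys; the public key is carried as base64 SPKI DER.
function newIdentity() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const pub = publicKey.export({ type: 'spki', format: 'der' }).toString('base64');
  return { pub, privateKey };
}

// The signature covers the object body, the action being affirmed and the
// signer's key, and is returned as another property of the object.
function sign(body, action, id) {
  const payload = Buffer.from(canonical({ body, action, signer: id.pub }));
  const sig = crypto.sign(null, payload, id.privateKey).toString('base64');
  return { body, action, signer: id.pub, sig };
}

function verify({ body, action, signer, sig }) {
  try {
    const key = crypto.createPublicKey(
      { key: Buffer.from(signer, 'base64'), format: 'der', type: 'spki' });
    const payload = Buffer.from(canonical({ body, action, signer }));
    return crypto.verify(null, payload, key, Buffer.from(sig, 'base64'));
  } catch {
    return false; // malformed key or signature is treated as invalid
  }
}

// Accept a member's statement only if the organization itself endorsed that
// member's key and the key is not in the revocation set.
function verifyOnBehalf(statement, endorsement, orgPub, revoked) {
  return verify(statement) && verify(endorsement) &&
    endorsement.signer === orgPub &&
    endorsement.action === 'endorse-key' &&
    endorsement.body.memberKey === statement.signer &&
    !revoked.has(statement.signer);
}
```

Because the action is part of the signed payload, a signature given for witnessing cannot be relabelled as agreement without invalidating it.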

Security considerations

Signing should be a separate application, ideally in a container that cuts off all access to the internet. This application should have a very specific and recognizable user interface, so as to give the user pause and to communicate an air of importance. It can use design elements used by printed certificates.

It should have 3 key elements: the text that is being signed, the action that signing indicates (witnessing, verification, agreement) and an action button/link/manual signature area. The text that is being signed will have two viewing options: formatted and raw (the full JSON object with the signature text and a link to the transaction on the blockchain that recorded the action).

Signing app

It is important to separate out the storage of signing keys into a separate app, assuming many other apps will need signing functionality. This way the app's source code is easier to review and trust, and each app does not need to implement the signing functionality itself, much like the argument for having wallets as separate apps. Also, the UI for the signing process needs to be consistent across apps, so that it is harder to spoof.

Web 2.0 of signing

Apparently, Keybase has a notion of tracking (thx to Simon de la Rouviere for bringing this up). In his words:

"Tracking" in keybase is essentially signing a snapshot you believe to be the truth. So, compared to say onename, the first time I pay someone, I verify that the details are correct and I sign it ("track it"). It works from 1 - n. If only I signed a friend's snapshot, then it doesn't matter how many people also tracked it. He wouldn't lie to me. However, for a stranger, where I don't have means of personal verification, I can verify the information personally (the tweets, the github gists, etc) to determine if there isn't any forgery. If I believe it is right, I track it for future use. However, if I see that 1000 other people have already tracked it, it adds more clout.

So, you can extend this protocol to other information, and you can make it as granular as you want. Public key crypto for everyone, publicly auditable proofs of identity.

This is like the Web 2.0 of signing, as many people contribute to trust.

References

PGP is old, learn from it and move on
