With websites operating under the constant threat of attacks, users have long been accustomed to looking for a little green lock in web browsers, signaling an SSL certificate, to ensure that the site is secure.
By Jacob Donnelly
Today, SSL is used for transmitting sensitive information over theInternet, and it has long been a significant driver of e-commerce. Involved in this process are protocols including the Secure Sockets Layer (SSL) and Transport Layer Security (TLS), as well as certificate authorities (CAs), entities that issue digital certificates to organizations or individuals.
Now, digital identity startup Netki has announced that it is releasing what it considers to be the first digital identity certificate akin to the SSL for the blockchain in a bid to replicate both this technology and its top-lever services on the blockchain.
In interview, CEO and co-founder Justin Newton expanded on the vision for the product, which follows a wallet naming service it introduced last year.
He explained:
“What we did is we took a look at the ecosystem and saw that everyone was doing a good job of doing KYC (know your customer) on their own customers, but blockchains in general don’t have a really great way of knowing who your counterparty is. That has some usability issues because you like to know who you’re transacting with.”
Newton pointed to the regulatory reasons why such a functionality could prove useful for those executing blockchain-based transactions. In particular, Newton cited FinCEN’s travel rule, which “requires all financial institutions to pass on certain information to the next financial institution, in certain funds transmittals involving more than one financial institution”.
Under the travel rule, the identities of all participants involved in digital currency transfers greater than $3,000, including the money service businesses (MSBs) such as wallet providers and exchanges and the actual sender and receiver of the funds, must be known.
Part of the problem is that MSBs have to worry about sending money to nations that are sanctioned under the auspices of the Office of Foreign Asset Control (OFAC). “They keep us from transacting with ISIS,” Newton explained.
Newton cautioned that many companies in the digital currency industry are potentially at risk of violating OFAC rules, which harms the ecosystem in two ways. The first is that current companies could deal with significant regulatory risk.
“It’s also preventing traditional financial institutions from being able to connect or interact with the open blockchain,” he argued.
Building on BIP70
On the bitcoin network today, a piece of code called BIP70 handles a similar function, allowing spenders to obtain signed payment details from those who receive transactions.
But, part of the problem is that BIP70 wasn’t built to support the rules required by FinCEN for these large transactions, Netki argues.
In a presentation at Consensus 2016, Newton explained that the existing payment flow, BIP70, only allows for a certificate from the wallet provider of the recipient to be sent. In the slide above, this means that when Alice sends Bob an invoice, that is the only time identity is exchanged.
To get around this problem, a team of developers, including Netki’s Newton and Matt David as well as Breadwallet’s Aaron Voisine and James MacWhyte, submitted an updated proposal called BIP75.
According to the Git, this solves two important problems. The first is that it allows the sender of a payment request to voluntarily sign the original request and provide a certificate to allow the payee to know who they are transacting with.
“This allows the exchange of identity information to be optionally two-way,” Newton explained, adding:
“Before a transaction occurs, the receiver can know who the sender is and the sender can know who the receiver is and their service provider can provide any required AML checks that they need to form before the transaction occurs.”
Essentially, both the sender and receiver of the payment request – and their corresponding MSBs – can voluntarily hand over the necessary identification to ensure that all parties involved are legally allowed to send and receive payment.
Newton explained that BIP75 is already implemented in Netki’s open-source software, Addressimo, and that he expects that implementation in wallet software to commence over the next few months.
A blockchain-agnostic certificate authority
The second problem that BIP75 solves allows for Netki and other service providers is ensuring user privacy.
According to the authors, BIP75 “encrypts the payment request that is returned, before handing it off to the SSL/TLS layer to prevent man in the middle viewing of the Payment Request details”.
This point is critical for the whole process, because Netki doesn’t believe that the identification should actually be on the public ledger.
Newton explained:
“We wanted to be sure that this all happened at the application layer rather than the blockchain protocol layer because we didn’t think it was right to build any identity into an open permissionless network.”
Instead, Netki will seek to act as a certificate authority similar to how Symantec sells SSL certificates to domain name holders. When a MSB acquires a digital identity certificate for itself and its users, the name, address and verification level (aligned to the risk or value of the transactions) is built into the certificate.
When a transaction is made, the MSBs on both sides send identity certificates and compare the information through their own AML checks. If both sides have a small green lock, the transaction is secure and compliant. Newton explained that one certificate would contain both the MSB and client information, but in the future, there would be a separate certificate for the MSB and client.
But not storing information on a public ledger is also necessary for the world that Newton believes is coming.
Netki is taking a blockchain-agnostic approach to the roll out of this digital identity certificate the same way it did with its wallet name product. Specifically, users can use one of the wallet names to receive payment in bitcoin, tether and ethereum so they don’t have to create multiple payment addresses.
With that in mind, Newton explained that they created “one digital identity certificate that works across all blockchains so you don’t have to revalidate across every chain”.
He continued:
“One of the things about the way we built the solution with identity not stored on the blockchain, is that one identity certificate can work across every blockchain you work on. As we start to go into a world where we see that most people will be operating on more than one public or private blockchain, we see that this provides more flexibility than a siloed identity system that requires you to re-verify yourself.”
In the future, users will be able to utilize a single certificate across all the chains they work on, verifying their identity when and where it is needed.
Acceptable certificates
During the identity workshop at Consensus 2016, Newton, who first presented this new product, explained that trying to create an entirely new certificate program is incredibly difficult.
“You can’t walk into a government office and just tell them to get rid of their ID system and trust you,” he explained.
Recognizing this, Netki opted to go with the Federal Bridge Certification Authority that is already widely understood and accepted worldwide.
“One of the other things is we leveraged an existing digital identity standard that actually has legal basis and case law behind it. That has been enshrined in some international treaties. This is already an internationally recognized form of digital identity,” Newton said.
According to a white paper published by Entrust, “the bridge CA provides trust paths between principal Certification Authorities for trust domain PKIs [public key infrastructures]”.
In the case of the Federal Bridge, “it does not provide a root of trust, but instead links together existing trust infrastructures”.
By building on top of the Federal Bridge CA, MSBs don’t have to worry about whether the certificate provided by Netki is acceptable from a regulatory perspective because they already have years of experience using it for their businesses.
While Newton couldn’t yet offer a precise cost for the certificate, he did suggest that the two-year certificate for validated identity wouldn’t be cost prohibitive for individuals or their MSBs.
“In most cases, where a MSB is involved, we anticipate that the cost won’t show up as a direct cost for the consumer. Since it’s only needed for transactions over $3,000, if you look at the cost, it could be comparable to one wire transfer fee, and the certificate can be used for all transactions for the following two years,” he said.
Netki is pushing toward launching a pilot in the next couple of months and Newton expects that the full product will be available to all consumers by the end of 2016.