Presented on Friday, 13 July 2018 at the ITP Conference in Wellington, New Zealand
Kiwis can't express their identity digitally and securely across cultural backgrounds, across competitive boundaries. This is an ongoing, permanent problem so far. Yes, there are ways for it, e.g. using RealMe, Google federated identity, etc. But they all have their "warts". Some are expensive or cumbersome to use from an organisation's perspective. Others are leaking meta-data to corporates, whose goal is to use your information to be able to sell to you in a better way, thus making the end user The Product (TM). Yet others are lacking critical mass among the population to be successful.
A Bloomberg Intelligence's Report ("The year Ahead 2018") is quoting the cost for the US banking sector for KYC (Know Your Customer) or AML (Anty Money Laundering) breaches to total US$ 16.1 billion from 2008 to 2015. The same report cites the Royal Bank of Scotland to employ 2,000 staff (early 2017) exclusively to comply with KYC rules, with the expectation to lower this headcount by 95% given a viable digital solution.
Due to the magnitude of this problem, a local major bank has kicked off an initiative with the local community to venture into solution opportunities.
This paper presents the background to the problem statement, the goal definition and particularly the approach taken for the system. Design decisions and evaluations will be discussed for this system under the project title of "Kauri ID", a self-sovereign, blockchain-based identity infrastructure. It puts the user at the centre, and no company or organisation owns identity information or acts as a (formal) guardian.
Kauri ID employs privacy by design, enabling fine-granular, selective and confidential data sharing. Authenticity is implemented via a web of trust, attesting identity attribute claims.
Even though Kauri ID is inherently self-sovereign, sovereign aspects can be catered for via governmental attribute endorsements, thus building a bridge between New Zealand's RealMe system and Kauri ID.
Kauri ID - A Self-Sovereign, Blockchain-based Identity System
1. Kauri ID
A Self-Sovereign, Blockchain-based Identity System
Guy Kloss (SingleSource)
Paul Salisbury (BlockchainLabs.NZ)
Vishnu Devarajan (ASB)
ITP Conference
Wellington, 13 July 2018
2. Who am I?
• (Cryptography and Computer Science) Geek
• Working (now) for SingleSource:
• KYC and AML focused services
• Part of the “Centrality family” of companies
• Building an underlying digital identity system
• Lots of blockchain and underlying cross-company synergies
2/29 | Guy Kloss, Paul Salisbury, Vishnu Devarajan | Project Kauri ID c 2018
3. Mission Statement
Solve this common problem:
Kiwis can’t express their identity digitally and securely
across cultural backgrounds and across competitive boundaries.
3/29 | Guy Kloss, Paul Salisbury, Vishnu Devarajan | Project Kauri ID c 2018
4. A Driving Economical Problem
The cost of KYC and AML
(e. g. to banks)
Example: Royal Bank of Scotland
• Employs approx. 2,000 staff (early 2017) for KYC rules
• Expectats to reduce head-count by 95 %
(given a viable digital solution)
Source: Bloomberg Intelligence’s Report “The Year Ahead 2018”
4/29 | Guy Kloss, Paul Salisbury, Vishnu Devarajan | Project Kauri ID c 2018
5. Who Dunnit?
Wynyard Innovation Neighbourhood
5/29 | Guy Kloss, Paul Salisbury, Vishnu Devarajan | Project Kauri ID c 2018
6. Who Dunnit?
Wynyard Innovation Neighbourhood
5/29 | Guy Kloss, Paul Salisbury, Vishnu Devarajan | Project Kauri ID c 2018
7. Value Proposal
• Secure & Trustworthy
(enable fine-granular, selective, confidential data sharing)
• Self-sovereign (privacy preserving, no third party custodian)
• Tamper Resisatant
. . . using blockchain (for us)
6/29 | Guy Kloss, Paul Salisbury, Vishnu Devarajan | Project Kauri ID c 2018
8. Why Blockchain?
by Brendan (Jim) Boughen http://cartoonsbyjim.com
7/29 | Guy Kloss, Paul Salisbury, Vishnu Devarajan | Project Kauri ID c 2018
9. Why Blockchain?
• No custodianship
• No tampering/immutability
• Built-in security/reliability
8/29 | Guy Kloss, Paul Salisbury, Vishnu Devarajan | Project Kauri ID c 2018
12. Based on Distributed Consensus
Whakaaro wh¯anui:
The beauty of thinking together, not thinking the same.
(People in agreement.)
Chris Cormack at OSOS 2015
10/29 | Guy Kloss, Paul Salisbury, Vishnu Devarajan | Project Kauri ID c 2018
13. What is Kauri ID?
• Used to be: The project/vision I’m talking about
• Now: Protocols, data structures, concepts
• Allow for this to work in a decentralised environment
• May be implemented using centralised systems
• Based on a “Web of Trust” approach
11/29 | Guy Kloss, Paul Salisbury, Vishnu Devarajan | Project Kauri ID c 2018
14. What is Kauri ID?
• Very different from traditional/centralised design
• Easy to go one way, quite difficult for the reverse
• A “standard” with a reference implementation,
that allows for integration and federation of ID attributes
12/29 | Guy Kloss, Paul Salisbury, Vishnu Devarajan | Project Kauri ID c 2018
15. The Vision
• For individuals
Give power back to the individual
to be in control of their Digital Identity.
• For Organisations
Take the pain out of compliance and enable risk free business.
We leave traces of our digital self everywhere. Our data is harvested, mined,
exposed, stolen and traded, which is used in cybercrime and financial fraud.
This undermines the trust between individuals and organisations as we are more
reluctant to share information and organisations are having to rely on a
spaghetti of processes to screen customers and meet tougher regulations.
13/29 | Guy Kloss, Paul Salisbury, Vishnu Devarajan | Project Kauri ID c 2018
16. The Vision
• For individuals
Give power back to the individual
to be in control of their Digital Identity.
• For Organisations
Take the pain out of compliance and enable risk free business.
We leave traces of our digital self everywhere. Our data is harvested, mined,
exposed, stolen and traded, which is used in cybercrime and financial fraud.
This undermines the trust between individuals and organisations as we are more
reluctant to share information and organisations are having to rely on a
spaghetti of processes to screen customers and meet tougher regulations.
13/29 | Guy Kloss, Paul Salisbury, Vishnu Devarajan | Project Kauri ID c 2018
17. Privacy and Data Protection
by Brendan (Jim) Boughen http://cartoonsbyjim.com
14/29 | Guy Kloss, Paul Salisbury, Vishnu Devarajan | Project Kauri ID c 2018
18. The Vision
• Still along the lines of the original project
• Standards-based, open, collaborative
• But allows for (easier) federation/integration
(e. g. with proprietary systems)
• Using strong cryptographic assurances,
and guarantees of tamper resistance
15/29 | Guy Kloss, Paul Salisbury, Vishnu Devarajan | Project Kauri ID c 2018
20. The Vision
• De-couple tech from policy/governance
• A robust/capable “core”
→ Can be used in various legislations
(spill beyond the boundaries of NZ)
• Keeps complementary aspects decoupled/separate
(regulatory compliance, GDPR compliance, etc.)
• But supports meeting these requirements
• De-couple Kauri ID from ID/authentication
→ Can “bolt onto” various systems (such as uPort),
to allow for better integration
17/29 | Guy Kloss, Paul Salisbury, Vishnu Devarajan | Project Kauri ID c 2018
21. Modular Design
LEGO
LEGO
LEGO
LEGO
LEGO
LEGO
P = 8.0 mm
= 5/6 × H
= 2.5 × h
3.0 mm
5.0 mm
1.7 mm
H = 9.6 mm
= 1.2 × P
= 3 × h
P - 0.2 mm
= 7.8 mm2 × P - 0.2 mm
= 15.8 mm
h = 3.2 mm
= 0.4 × P
= 1/3 × H
18/29 | Guy Kloss, Paul Salisbury, Vishnu Devarajan | Project Kauri ID c 2018
22. A User Journey
1. Onboarding for AA Membership, making a virgin KauriID
(with DL and POA, extracting attributes & including photo)
2. Local Library Membership
(with attested POA “basket” from step 1)
3. Purchase alcohol
(with attested DOB and picture attribute only from step 1)
4. Onboarding for a Loan at ASB
(with Passport and S&P Agreement)
• ASB attests a stronger identity and updates POA “basket”
• Updated POA “basket” → user’s choice to share updates
5. Connecting power from Mercury
(online only, using latest from step 4)
6. Registering to vote in local election with KauriID records
(with latest from step 4)
19/29 | Guy Kloss, Paul Salisbury, Vishnu Devarajan | Project Kauri ID c 2018
23. Data Structures
It’s a bit too deep to go into data structures . . . ,
but the following shows what they’re supposed to achieve.
20/29 | Guy Kloss, Paul Salisbury, Vishnu Devarajan | Project Kauri ID c 2018
24. Data Structures
The 10 Commandments :-)
1. The ability to make “self claims” by the subject
(to be attested by another party).
2. The ability to make “foreign claims”
(usually by the attester, usually attested immediately).
3. The ability to keep content of claims/attributes confidential.
4. The ability to decrypt every claim element/attribute independently
(separate encryption key).
5. The ability to reference each claim element/attribute independently
(tuple: claim set reference, attribute index).
6. The ability to verify the authenticity of every claim element/attribute independently.
7. Uphold opaqueness of the type of attribute (or named key) to an outside observer.
8. Uphold opaqueness of the attester (signer) of a claim to an outside observer.
9. A requester by default is only enabled to retrieve the attestation meta-data of a single attestation.
10. A requester can be enabled to recursively retrieve the attestation meta-data of the entire (backward facing)
attestation provenance trail.
21/29 | Guy Kloss, Paul Salisbury, Vishnu Devarajan | Project Kauri ID c 2018
25. Data Structures
A glimpse of the current work in progress (incomplete, not up-to-date)
22/29 | Guy Kloss, Paul Salisbury, Vishnu Devarajan | Project Kauri ID c 2018
26. Initial Technical Platform
• uPort on Ethereum: Blockchain Authentication Framework
• IPFS: Decentralised, Immutable Data Storage Framework
• PROV: W3C standard system and grammar to express relationships and
processes
• JSON (RFC 4627): Storage structure for common data payloads
• JOSE: IETF Javascript Object Signing and Encryption
• ERC-780: (Emerging) Standard to reference on-chain claims in Ethereum
23/29 | Guy Kloss, Paul Salisbury, Vishnu Devarajan | Project Kauri ID c 2018
27. Current Status
• NZ DIF
• Industry-driven, government involved
• Technical collaboration
• On Kauri ID core matters
• Adoption/implementation
• Use case evaluation
• Collaborators: SingleSource, Spark, BlockchainLabs.NZ and ASB
24/29 | Guy Kloss, Paul Salisbury, Vishnu Devarajan | Project Kauri ID c 2018
28. Are you interested?
• Follow the KauriID project documentation
https://kauriid.gitlab.io/kauriid_doc/
• Get in touch!
25/29 | Guy Kloss, Paul Salisbury, Vishnu Devarajan | Project Kauri ID c 2018
29. Now, what’s Provenance?
AA validates the address
kauriid:provingAnAddress
wasAssociatedWith
nzta:dl/john_doe_0815
used
watercare:bills/customer/4711/month/201709.pdf
used
kauriid:persons/4242/attestation/0001
wasGeneratedBy wasDerivedFromwasDerivedFrom
prov:content name, dob, photo, dl_no, dl_version, dl_issued_ts, dl_expires_ts, street, suburb, city, post_code
aa:Organisation
aa:Bob
actedOnBehalfOf
water bill driver licence
26/29 | Guy Kloss, Paul Salisbury, Vishnu Devarajan | Project Kauri ID c 2018
30. Now, what’s Provenance?
AA validates the address
kauriid:provingAnAddress
wasAssociatedWith
nzta:dl/john_doe_0815
used
watercare:bills/customer/4711/month/201709.pdf
used
kauriid:persons/4242/attestation/0001
wasGeneratedBy wasDerivedFromwasDerivedFrom
prov:content name, dob, photo, dl_no, dl_version, dl_issued_ts, dl_expires_ts, street, suburb, city, post_code
aa:Organisation
aa:Bob
actedOnBehalfOf
Bob works
for AA
26/29 | Guy Kloss, Paul Salisbury, Vishnu Devarajan | Project Kauri ID c 2018
31. Now, what’s Provenance?
AA validates the address
kauriid:provingAnAddress
wasAssociatedWith
nzta:dl/john_doe_0815
used
watercare:bills/customer/4711/month/201709.pdf
used
kauriid:persons/4242/attestation/0001
wasGeneratedBy wasDerivedFromwasDerivedFrom
prov:content name, dob, photo, dl_no, dl_version, dl_issued_ts, dl_expires_ts, street, suburb, city, post_code
aa:Organisation
aa:Bob
actedOnBehalfOf
new identity attestation
26/29 | Guy Kloss, Paul Salisbury, Vishnu Devarajan | Project Kauri ID c 2018
32. Now, what’s Provenance?
ASB checks validity of the identity
kauriid:provingAnIdentity
wasAssociatedWith
dia:passport/john_doe_0815
used
kauriid:persons/4242/attestation/0001
used
kauriid:persons/4242/attestation/0002
wasGeneratedBy wasDerivedFromwasDerivedFrom
prov:content name, dob, photo, dl_no, dl_version, dl_issued_ts, dl_expires_ts, street, suburb, city, post_code, place_of_birth, country, passport_type, passport_no, passport_issued_ts, passport_expires_ts kauriid:provingAnAddress
used wasAssociatedWith
harcourts:snp/house_47110666.pdf
used
kauriid:persons/4242/attestation/0003
wasGeneratedBywasDerivedFrom wasDerivedFrom
asb:Organisation
asb:Ray
actedOnBehalfOf
New attestations
joined with old graph
*
27/29 | Guy Kloss, Paul Salisbury, Vishnu Devarajan | Project Kauri ID c 2018
33. Now, what’s Provenance?
ASB checks validity of the identity
kauriid:provingAnIdentity
wasAssociatedWith
dia:passport/john_doe_0815
used
kauriid:persons/4242/attestation/0001
used
kauriid:persons/4242/attestation/0002
wasGeneratedBy wasDerivedFromwasDerivedFrom
prov:content name, dob, photo, dl_no, dl_version, dl_issued_ts, dl_expires_ts, street, suburb, city, post_code, place_of_birth, country, passport_type, passport_no, passport_issued_ts, passport_expires_ts kauriid:provingAnAddress
used wasAssociatedWith
harcourts:snp/house_47110666.pdf
used
kauriid:persons/4242/attestation/0003
wasGeneratedBywasDerivedFrom wasDerivedFrom
asb:Organisation
asb:Ray
actedOnBehalfOf
Can be stored in
bank’s private system
27/29 | Guy Kloss, Paul Salisbury, Vishnu Devarajan | Project Kauri ID c 2018