User identification in Byteball: attestations
In the world of cryptocurrency, privacy is key, and it is possible to maintain anonymity while participating in the crypto economy. There are use cases, however, where identifying users is necessary, for example participating in an ICO that complies with regulations and where exclusion of certain user groups is necessary.
While asset creation is open to anyone, to comply with the rules of the Byteball asset registration, especially to maintain uniqueness and fairness, Byteball Market publishes asset names into the Byteball DAG only for verified issuers. Issuer verification guarantees that the issuer is a legitimate owner of the name. As a result, when an asset is transferred to someone, they can be sure that the asset was originally issued by the issuing entity. Verifying every issuer would be a tedious manual task, but fortunately Byteball offers an excellent method of identity verification that is easy to automate and is free. It is called attestation.
Introducing Byteball Attestations
To understand what attestation is, let's see what the whitepaper says about it:
Attestations confirm that the user who issued the attestation (the attestor) verified some data about the attested user (the subject). ... The job of attestors is similar to that of modern certification authorities who verify the real-world identities of subjects and certify that a particular public key (or Byteball address) does belong to a person or organization.
There are two keywords here we have to remember: the attestor and the attested Byteball address. An example of an attestor can be a company that performs KYC verification, but it can be something completely different, such as an IQ test that would attest the intelligence of the user. The attested Byteball address is the wallet address of the attested user, which can be used later on to prove their identity. Some attestors are already operational on the Byteball platform:
- Real name attestor is a KYC identity verification service in partnership with Jumio
- US/non-US attestor which is based on the real name attestor and useful for ICOs should they want to exclude or include US residents from acquiring Byteball assets
- Accredited investor attestor verifies if the user qualifies as an accredited investor under the securities law, useful for issuing security tokens
- Email attestor attests that the Byteball user is a legitimate owner of the email address
- Steem username attestor verifies that the Byteball wallet holder owns the login credentials to a given Steem user
Private and Public attestations
The attestation is most commonly performed by a Byteball chatbot that communicates with the user via the user's wallet. The attestation bots usually offer public and private attestations:
- public attestation: the attested information about the user is publicly posted on the Byteball DAG, visible to anyone. For obvious reasons, it is not recommended to publish sensitive information publicly, such as KYC-verified real name, birthday, national identity card numbers etc. You may choose public attestation for information that is already public, for example a Steem username.
- private attestation: the proof of the attested information, e.g. a hash, is posted in the DAG publicly, but the attested information itself is only stored in the user's own wallet database.
Another way of storing attested information would be the attestor's own database: the attested information posted on the DAG could simply be an identifier or a URL that would allow third parties to retrieve the attested data.
An example of a public attestation:
And a private attestation may look like this:
Identifying users using attestation
Now one more question remains: how can we make use of all this information? Let's say you are implementing a Byteball bot that needs to identify users by the Steem username attestor. First of all, you have to be familiar with the attested data structure posted by the chosen attestor. For Steem, it is as follows:
Next, you will need to know whether the user has a public or a private attestation. To figure that out, the bot asks the user to enter the Steem-attested wallet address. Once the bot knows the address, it can look the attestation record up in the DAG by querying the attestations table if the bot runs a full wallet, or by sending a light/get_attestations message to the hub if it runs a light wallet. The private Steem attestation record will not have a steem_username, only a profile_hash indicating the proof of the attestation. At this point the bot has to choose one of the following methods:
- ask the user to prove they own the entered address by signing a message. This method is used for public profiles since the attested information is available in the Byteball DAG, so the bot only needs a proof that the user is really the owner of the address and they didn't just enter someone else's address.
- ask the user to share data from the private attestation profile. This method is used for private profiles. The bot sends a private profile request to the user which pops up the profile screen to the user with the requested data selected. The user simply has to send it back to the bot and the bot can validate and process it.
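The bot-side choice between the two methods, and the check that a shared private profile matches the public profile_hash, can be sketched as follows. This is an added example, not code from Byteball or Byteball Market: salted SHA-256 over JSON stands in for the wallet's own hashing, and the record shape, the attestor address and the reputation field are assumptions.

```javascript
// Added example, not Byteball wallet code. SHA-256 over JSON stands in for the
// platform's object hashing; the record shape and "reputation" are assumptions.
const { createHash, randomBytes } = require('crypto');
const b64hash = (v) => createHash('sha256').update(JSON.stringify(v)).digest('base64');

// Attestor: pair each value with a random salt so the public hash cannot be
// brute-forced from guessable values such as usernames.
function makePrivateProfile(fields) {
  const profile = {};
  for (const key of Object.keys(fields)) {
    profile[key] = [fields[key], randomBytes(12).toString('base64')];
  }
  return profile;
}

// Hash of the profile with every field reduced to its salted hash. Disclosed
// fields are [value, salt] arrays; hidden fields are already hash strings.
function profileHash(profile) {
  const hidden = {};
  for (const key of Object.keys(profile).sort()) {
    hidden[key] = Array.isArray(profile[key]) ? b64hash(profile[key]) : profile[key];
  }
  return b64hash(hidden);
}

// User: reveal only the requested fields, replace the rest by their hashes.
function disclose(profile, wanted) {
  const out = {};
  for (const key of Object.keys(profile)) {
    out[key] = wanted.includes(key) ? profile[key] : b64hash(profile[key]);
  }
  return out;
}

// Bot: choose the proof to request from the record found for the address.
function requiredProof(record) {
  if (!record) return 'no_attestation';
  if (record.profile.steem_username) return 'signed_message'; // public profile
  if (record.profile.profile_hash) return 'private_profile';
  return 'unknown';
}

// Bot: accept a shared profile only if the record comes from the expected
// attestor and the profile hashes to the public profile_hash.
function verifySharedProfile(record, shared, trustedAttestor) {
  if (record.attestor_address !== trustedAttestor) return null;
  if (profileHash(shared) !== record.profile.profile_hash) return null;
  const field = shared.steem_username;
  return Array.isArray(field) ? field[0] : null; // null if the user hid it
}
```

A changed value, a hidden username or a record from another attestor all make verifySharedProfile return null, so the bot only proceeds with a username that is bound to the hash on the DAG.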
Below is the communication flow of Byteball Market to verify the user identity when creating verified issuers:
To try it yourself, visit Byteball Market and create your own verified asset issuer. Note that you have to log in by connecting your wallet with the website, then navigate to the My Issuers screen.