World Citizenship - Creating Affordable Decentralised Passport Services Using Available Cryptographic Tools
Disclaimer:
Due to recent press coverage I’d like to remind everyone that this project is an experiment and learning exercise for experts in the field of cryptography. Remember blockchains are distributed, immutable databases. Don’t put anything in to them that you wouldn’t want to last forever. Please use these tools your own risk and read Issues section before trying anything yourself.
Proof of Initial Publication 17th October 2014
Donations
If you want to donate to the expenses address:
1B9c5V8Fc89qCKKznWUGh1vAxDh3RstqgC
It only needs topping up now and then, just 20mBTC or so would be lovely
If you want to donate to me personally I’d be very grateful and it will go towards my coffee addiction:
13U4gmroMmFwHAwd2Sukn4fE2WvHG6hP8e
The goal of this project is to learn and layout a simple process for anyone in the world to create their own Private Passport Service that can be used to validate and prove the existence of other persons using nothing but available tools.
We will prefer open source where available and we will draw on the cryptographic tools like "Pretty Good Privacy" (PGP) which utilizes public key cryptography, and blockchain technology in the form of Bitcoin.
By doing this we aim to give people across the world the ability to grant one another World Citizenship by virtue of their being witnessed in space and in time. This witnessing can be documented with photography and video, that content can be signed with PGP signatures, hashed and timestamped. It can then be joined with Social Network Validation services like Onename.io & Keybase.io before being plugged in to more dynamic reputation systems.
First and foremost this is a learning exercise to discover whether the currently available open source cryptographic tools are up to the task of a global social network.
What this is not
This is not a Web of Trust or an attempt to build a dynamic reputation system. The aim with this project is to do one thing really well; to create an affordable ID Card that makes an unfalsifiable claim as to the existence of person. We will take a modular approach when scaling out in to areas such as identity management and smart contracts. This cannot prove that a person does not have multiple identities, but simply that they existed at a certain point in time.
- Laptop x2 (one belongs to organisers and the other to our new citizen)
- Webcam
- PGP Software Mac | Windows
- Bitcoin wallet
- Printer
- Laminator
- Cool looking World Citizen Passport design
- Commercial Venue
A determined group of forward thinking cypherpunks arrange a meet-up in their local area using a service like meetup.com or Eventbrite.
The key responsibility of the organisers is to create an ID Document according to the protocol laid out here. A successful Blockchain ID Card is one that adheres to the protocol by leaving an unfalsifiable claim as to the existence of another.
We achieve this by embedding a trail of evidence that are immutable and unfalsifiable. They are:
- The Merkle Root presented on the ID Card
- The PGP Signature and corresponding SHA-256 digests
- The publishing of the on the blockchain
No fraud or even a committee of liars is able to make untrue claims about any of the three variables above.
The event page should layout the following:
- The purpose of the meet-up and why you should care (give people a reason to turn up)
- Lots of learning material clearly laid out like this video series from Khan Academy
- An industrious group may wish to join a wiki in which they can share resources and feedback with a global network of events.
- Clearly communicate what is expected of any potential participants and put them at ease; if it’s their first time they can choose to just watch and be a witness.
We recommend the use of commercial venues so that we can prove our existence in place and space without infringing on an individual’s privacy. Because the venue is commercial it will have a vested interest in advertising its location.
Look for established businesses with good reputations and that are well known in the surrounding area.
Good examples of venues:
- Hotels
- Bars, especially ones that are popular among locals
- Town Halls & Community Centres
- Co-Working spaces owned by reputable franchise e.g. Google Campus
- Law Firms
- Passport Offices (why not ask an official to sign your PGP Key along with a scan of your government ID card?)
- Airports with public WIFI
Businesses and venues to avoid:
- Industrial estates (businesses in these areas are often not well known and smaller units have high turnover)
- Companies using serviced offices
- Retailers in shopping malls
Avoid any business that doesn’t have firm roots within the local community. This is important because once the ID is issued its origin must be subject to scrutiny.
The business also needs to be willing for you to publish their IP Address on the blockchain. There shouldn’t be any reason why they are not okay with this but you must ask.
For added security they can also have the proprietor of the venue sign up for a Blockchain ID and have them sign a message on social media enclosing their IP Address, like so:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 My name is Bob and I am the manager of the Crypto Kings Hotel Ltd Checkout our business on Google Maps: https://plus.google.com/100282243006931582046/posts/8UisBzgLTMi (Post contains a copy of signed message with same key) This is our IP Address: 127.0.0.1 http://www.ipligence.com/geolocation -----BEGIN PGP SIGNATURE----- Version: Keybase OpenPGP v1.1.3 Comment: https://keybase.io/crypto wsBcBAABCgAGBQJUXCQeAAoJEOw2pfEsR+bQUrUH/Rz4n/TCeMB82l8FciY143t5 8aa1FpwUtCn1BWgjhdM+EDnaoxY1KF0kA2mwBkjmhWFAfwgvsjevJfEWeXWC2exO T9xBo8kp2Y4tgRjNCEF9bpZFHQcu8Feihi41COUp7gY5FbAsUp0HgOm/M5t8dlE0 olkvAT53EldI6kz6El5POF1SbqIYgsN+IJ3NySHFIgiK+ht15F6aofRUuMInmjmO rROJ/uje3fjXNoUacfyDgWFfEh+kr64Od7IUDEp87+I4FASNLRasmgls+5vKB2lw 3xbJtDTH2yBkG58Y8J3XKWnm01Tz4ez03NKsajYVPq8vJkhQI0hEREs8GkUPN9Q= =H9SY -----END PGP SIGNATURE-----
The IP address can then be verified using services like ipligence.com and corroborated with the address as advertised on Google Maps and other classifieds even at a distance. Note that the more public reviews and brand presence the business has the more robust the Identity Cards will be.
See point-of-presence and a post by @Patcon in the Issues Section for more information on this topic.
A group of soon-to-be World Citizens and onlookers arrive the venue bringing with them their laptop and an eagerness to learn.
The atmosphere should be relaxed but formal with an emphasis on the exchange of knowledge about the tools and how to use them.
This can also be hosted as a separate event
Before the IDs are made there should be a brief tutorial in operational security, best practice like how to manage keys and demonstrations of Password Managers etc.
The content should be engaging and inspire the audience to learn more for themselves rather than making them dependent on experts in the future. Make use of available resources like this:
Image courtesy of XKCD
The more interesting and relevant the material the better
Facilitate discussion breakouts among the group, encourage them to help one another understand especially if one person is struggling to keep up. Often another student only one rung higher is better able to lift someone up than someone at the top of the ladder.
Show them interactive tools like How Big Is Your Haystack and How Secure is My Password? so they can get a sense of what makes a good password and understand the concepts like randomness versus unpredictability.
Other suggestions:
- Invite students to take part in a ‘password competition’ where students have to submit hard passwords.
- Show techniques hackers use to crack passwords using rainbow lists
- Teach principles like: the more you change the harder it will be to manipulate your data
The last point being important to understand. The majority of security breaches are a result of human failure and the tendency to fall in to a routine. The more predictable we are the easier it is for an adversary to break in to our private data stores.
Their laptop can be also given a security audit also if they wish.
Videos will have been made available to them before the meet up see Step 1 but it’s important for the organisers to get a sense of how the students understand the concepts so that they go in to the ID generation process with their eyes open. If a student does not appear to understand what they are about to do they should be refused an ID card be advised to a witness at the event only.
Attendees then go to a private location with their laptop and generate a new PGP Key that is preferably air gapped. Products like the Crypto-Stick or YubiKey Neo can be offered for sale.
If someone attends with an existing PGP Key that has long been in use they should be advised to set up a new one and simply sign the old key with the one generated at the event [1]
For further discussion on use of Biometrics see Issue #22
Remember Blockchain IDs are voluntary. People should not be forced to have their photo taken. Additional options like reading the PGP Fingerprint in to a good quality sound recorder should also be offered.
Attendees participate in a group photo that can be cropped down to make each individual passport photo.
For added traceability and verification the merkle root[2] of the latest Bitcoin block can be written down on a sheet of paper and be held up by one of the members of the group.
The exact location and direction in which the group photo is taken may display the most uniquely identifiable element(s) of the environment in which the meet-up takes place (landmarks, buildings, etc.) to provide a additional reference to the geographical location.
Photograph Guidelines
Make sure the light is even and the subjects in the photo are facing directly towards the camera. You can observe existing guidelines on passport photo poses to make sure people are recognisable.
If using an SLR Camera it is advised to use JPG format with medium compression at the highest resolution. Do not use Camera RAW or Tiff file types [3].
Please follow these steps carefully to ensure making a secure ID Card
The contents of the ID Card are laid out in an XML or JSON4 document. If the content is placed inside of a JSON file the binary data of the JPG image can also be added making the signing process in the next step easier.
The contents is listed here in the order of importance:
- PGP Fingerprint - A 64-bit fingerprint looks like this: 8181 3268 159E 51D1
- Merkle Root of the latest Bitcoin block which can be obtained from Blockchain.info or Bitpay
- Block number that corresponds to the merkle root above for convenience in cases of manual lookup
- Timestamp using ISO 8601 yyyy-mm-dd—hhmm
- Name or pseudonym5 of the owner of the key
- Photograph optional
- PGP Key technical details
- Link to Social Media Authentification Service e.g. Keybase
- The name of the venue and the IP Address
- QR Code placeholder a QR code will be added later with a link to the blockchain reference for the hashes to the document
Note only items 1 and 2 are necessary to achieve verification of the document. The event itself can have its own identifier, organisers can use the url of the meet up page if they wish but this should be permalink so consider the likely longevity of the site.
The document could look something like this one laid out using CSS or a graphic design software like GIMP:
The PGP key of the organiser and the new key holding world citizen is then used to publicly sign the completed XML or JSON document and its corresponding image/media files.
We then produce SHA-256 hashes of the following files:
- JSON/XML file
- JPG file cropped of individual
- JPG of Group Photo
- PGP Detached Signature file
We can do this in Terminal using the following command using OpenSSL:
openssl dgst -sha256 filename.jpg
This will produce text to enter the blockchain it should look something like this:
3b2a836fa09d22f549016febb8dbf163ee7cf5b0f945e8f940a9d9d3d0e6f37c b115a8912e005bac4e19705efbe33ed5d83dbfbb4c27dea3899d037263188f67 2431f992fb40ff124a8e1070b33627088ed51ff33ca7e03e1fe0f39d93c856f0 IP 127.0.0.0 Crypto King Hotel
We then use a blockchain notary service called CryptoGraffiti also consider Viacoin and Namecoin.
We do NOT recommend putting personal identifiable information of the attendants in to the blockchain. Remember that you are dealing with a distributed database that is permanent and unchangeable.
The document is printed out and presented in a cool Passport Design. Because the document is headless the data in the interchange format such as the JSON file can be branded as BitNation, World Crypto Network or anyway the new citizen wishes it to be.
The person is recognised as a World Citizen by the adherence to the protocol not by the branding of the passport which will be a stylistic choice like where you get your coffee.
You have now made a claim to the wider network of non attendants that you have proved the existence of a new world citizen at this point in space and time. For the documents to be honoured their PGP keys have to mature. Your responsibility as the organiser is to leave clear traceability and evidence so that actors at a distance can independently verify the existence for themselves. We start with Key Signing…
Participants are encouraged to sign other people’s PGP Keys like at a regular key signing party. This is to confirm that they Keys and their Fingerprints were shared face to face. Signing someone’s key is not a claim on their personal character or reputation. Only that they are a person in control of the key being signed.
Key holders can also create accounts with a Social Network Authentication services. We suggest:
- Onename.io - which uses tight integration with the Namecoin Blockchain out of the box.
- Keybase - which has better PGP integration
There’s no reason why both cannot be used. Services like these validate social media identities of the participants and plug their new key in to more dynamic reputation systems.
Let’s take a look at what we’ve just done
- By including the Merkle Root of the latest block in to the ID Card we prove that the document cannot have been created in this state any time prior to the latest block.
- By signing the Passport with a PGP key we bind the state of the document to its cryptographic signature preventing us from changing its contents without detection.
- By stamping the SHA-256 digest of the resulting ID Card in to the blockchain we prove that it existed in this state at no time later than the latest block.
- The ID card is now locked in creation timeframe of approximately 20 to 40 minutes between the two blocks being discovered in steps 1 and 3.
- By publishing the venue’s Bitcoin IP addresses we prove that it was created in this place6.
Note: we do not use GPS data, it is read only and can easily be spoofed.
Because Bitcoin nodes collect IP data in the debug.log file it should be possible for local nodes to confirm the transaction’s IP Address although this data is not commonly shared and opens up potential security risks. More work is being done on this see Issue #11.
It has been brought to my attention that this project is similar to other attempts in the past. What is important is that this idea be allowed to emerge without the need for ownership from one group.
Proposed by Vinay Gupta
A functioning web of trust used in Over the Counter (OTP) bitcoin trading using PGP.
This project proposes combining PGP with Blockchain technologies in a similar way.
IDCoin by David Duccini fleshes out a Web of Trust model alluded to in the Finishing Up section.
As a proof of concept we need to look at both the appropriateness of the current tools and also the ethics of this project. First thoughts are as follows:
- The brave new world citizens must fully understand what they are involving themselves in and must be educated such that they can make a voluntary decision about such an open and public gesture. This may not be right for many people who risk personal safety by being so exposed. The benefit of Public Private Key Cryptography of course is that we do have granularity when it comes to the revealing of the cryptographic digests and their corresponding contents but more needs to be done.
- When putting this together the radical shift in public behaviour in recent years on social network would indicate that people are happy to publish pictures of themselves and for that personal identifiable content to be domiciled on third party servers owned by private corporations. Consideration should be given to whether the public are
- The “World Passport” only contains the name which can be a pseudonym and a photo of the individual for future offline verification and not their Date of Birth or Gender as I am trying to keep this as simple and elegant as possible. Any ‘rich data’ which is more social in its nature should be placed in to the social networking sphere and the reputation systems which should be tailored to voluntary agreements between community members. In fact the person’s legal identity may not even be necessary and they could be given a name based on the randomness of the Merkle Root for example or the Fingerprint.
- An Expiry Date is included as a feature and should be thought carefully about. It is possible that someone could have their PGP key stolen and it’s important that the right intervals of time are chosen so that they can “check-in” to such meet ups on a regular enough basis that they can publicly revoke old keys. The hope is that by bringing down the cost of providing such a service all over the world registering yourself will become effortless.
- We should think carefully before thinking about how biometrics can be used. It would not be wise to leave biometric data out in the open in plain text as it could be used by another. However if it could be salted or hashed with another string and if it can only be implemented at certain times and places according to protocol then it could be used as a kind of Seed which could generate other identities.
- The citizens could also use the meet up as an opportunity to prove other identities like BitMessage addresses in case they are a journalist for example and want to prove that this secure drop for whistle blowers is going to send content to where they say it will.
- One person multiple identities may also be an issue but not if we accept this as a feature of the system and do not misattribute what we are using these passports for. It is already possible to have multiple passports even from the same country if you know what to do.
- Also published here: https://docs.google.com/a/chrisellis.me/document/d/1hq52GT0sQ8mJBZ3_qr-LIpZTBFqIDA2WV8vb_1m8i4U/edit#bookmark=id.tukd0op21duu - This project was forked and first used by BitNation.
This is because we want to deter the theft of keys (someone could steal someone’s Blockchain ID PGP Key and try to reuse the same key with their identity.
The Merkle Root is a highly uncertain number produced in every bitcoin block, it is generated by sum that combines the strict sequence of transactions. It not only contains psuedorandomness from the block hashes but also the human economic activity throughout the network.
By displaying the merkle root in any media you are proving you have knowledge of a highly entropic event which confirms the media cannot have existed in that form any time prior.
Learn more about the Merkle Root here: Bitcoin 101 and on the Bitcoin Wiki.
This is because even though RAW files are read only they are subject to manipulation at the byte level that is hard to detect. As a research topic we should consider the unique signature created by Camera’s CCD chips which can be used as an extra proof. In addition if the image is taken in JPG format we can employ Error Level Analysis to detect any post production as lossy compression will add additional artefacts to the image content.
The preferred use of JSON has been talked about in Issue #15
The Blockchain ID is a voluntary system. The trust of a PGP Key is backed not by the legal identity, birth name of the individual or their ethnic origin but rather by the ability to build a reputation over time that will be verifiable by the key.
In this proposal we recommend proving a place in order to get to the space. This means we distinguish the two. Put simply space is the same in every direction, it’s undifferentiated and allows room for the movement of life. Space is often represented using a grid with co-ordination tools like GPS.
Place in contrast is differentiated and contextual, two places are not equivalent in the same way space is. A place is a site that people can attach memories to see Proust and find meaning in. Learn more.
This work is licensed under a Creative Commons CC0 1.0 Universal.