Security Tokens + Identity: how do you design an identity protocol for security tokens?

This is the second article exploring the concept of identity in security tokens. In the first article, we went through some basic identity guidelines and extended them to the world of crypto-securities. In this article, I want to focus on a technical model that combines some of those criteria with the existing security token platforms.


It should be noted that the main premise of this article is that identity should be developed as an independent protocol within the security token architecture. Identity should be one of the basic building blocks of cross-platform interoperability rather than being tied to a specific security token or distribution model. The first article outlined five key attributes of identity representation in security tokens:

· Owned by the user, enforced by the application: In the security token model, identity should be owned by the user and enforced by the different security token applications (such as an issuance platform or an exchange).

· Claims-based: Identity in a security token application should be a set of claims or assertions about a particular user or entity.

· Reversible: To enforce securities law, the identity representation should be reversible, meaning that a regulator can retrieve the documents that were used to generate the user's claims.

· Based on identity standards: Over the past few years, the identity industry has produced many high-quality standards, such as SAML or OpenID Connect, which are used by many of the applications we rely on every day. I believe a security token protocol should build on some of these established standards rather than inventing new ones.

· Programmable: Identity should be reusable in other security token protocols.

These five guidelines frame how identity is represented in security tokens. Investors submit proof of identity for processes such as know-your-customer (KYC), anti-money-laundering (AML) or accreditation checks. That proof can be a document or an ID obtained from an existing identity provider. Once the process completes, a set of claims is used to establish the user's identity, carrying the attributes relevant to securities law (e.g. jurisdiction, accreditation status, etc.). These attributes are then used as part of the compliance rules when the crypto-securities are traded. Finally, a regulator can use the user's identity to retrieve the relevant documents for the compliance process.

The identity dilemma: to centralize or not?

The fundamental question in enabling identity protocols in the security token model is whether to follow the traditional centralized approach or the emerging decentralized identity model. The centralized scheme relies on an identity provider that acts as both issuer and verifier of identity tokens.

The centralized model seems to work well with the current generation of security token platforms, but it clearly introduces another level of centralization into the security token architecture. Centralized identity models are not a problem in themselves; the entire Internet depends on them. However, when you are building on a decentralized blockchain protocol, a centralized identity model causes significant friction. After all, how can a protocol be decentralized when it relies on a central authority for one of its key functions?

To address blockchain identity, the industry has been leaning towards decentralized identity models that treat identity as a first-class object of the blockchain protocol (a first-class citizen: an entity that can be created at run time, passed as a parameter to other functions, or stored in a variable). Some of the most forward-looking work in this area comes from the Decentralized Identity Foundation (DIF), which brings together some of the most important players in the identity management and blockchain markets.

A decentralized identity model for security tokens

The decentralized identity field attempts to take advantage of decades of technological advances in identity schemes and standards. To achieve this, it has to reframe identity and move many of the traditional identity dynamics onto a decentralized network of participants.

For the past 20 years Microsoft has been one of the leaders in identity management, but they too have realized that blockchains need a new identity model. Inspired by DIF, Microsoft recently proposed a forward-looking architecture to support decentralized identity on blockchains. Microsoft's architecture includes the following components:


Components of Microsoft's decentralized identity architecture

· W3C Decentralized Identifiers (DIDs): Users create, own and control identifiers that are independent of any organization or government. A DID is a globally unique identifier linked to Decentralized Public Key Infrastructure (DPKI) metadata: a JSON document containing public key material, authentication descriptors and service endpoints.

· Decentralized system: DIDs are rooted in decentralized systems that provide the mechanisms and functions required by DPKI.

· DID User Agents: Applications that enable a real person to use a decentralized identity. User agent applications help create DIDs, manage data and permissions, and sign and verify DID-related claims.

· DIF Universal Resolver: A server that uses a set of DID drivers to provide a standard lookup and resolution method for DIDs across different clients and decentralized systems, returning a DID Document object that encapsulates the DID's DPKI metadata.

· DIF Identity Hubs: A replicated mesh of encrypted personal datastores, made up of cloud and edge instances (such as mobile phones, PCs or smart speakers) that facilitate identity data storage and identity interactions.

· DID Attestations (proofs): DID-signed attestations based on standard formats and protocols. They enable identity owners to generate, present and verify claims, and form the basis of trust between users of the system.

The architecture outlined above can be adapted to the security token model with only minor adjustments. For security tokens, we can envision a security token issuance platform issuing a DID that carries attestations of the outcome of the user's KYC/AML process. These DIDs would be retrieved on-chain through the decentralized hubs and integrated into the compliance protocol.
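To make the five guidelines from the opening section and the DIF/Microsoft components concrete, here is an added example (my own constructed code, not the article's and not code from Microsoft, DIF or uPort). It anchors a KYC provider's DID document in an in-memory registry, resolves it universal-resolver style, lets the provider sign a claim set that references the KYC documents only by hash, stores that attestation in the investor's hub, enforces a compliance rule at transfer time, and shows the regulator's reverse lookup from evidence hashes to documents. Assumptions: the DID method `example`, the type name `LamportSha256Key`, the hub URL and all documents are hypothetical, and Lamport one-time signatures stand in for the Ed25519 or secp256k1 keys a real DID document would hold so the block runs with the standard library alone.

```python
"""Constructed example of a DID-based identity flow for security tokens.
Hypothetical throughout: the DID method "example", the registry, the hub
and the KYC documents are made up. Signatures are Lamport one-time
signatures over SHA-256 so the block needs only the standard library; a
real DID document would carry an Ed25519 or secp256k1 key instead."""
import hashlib
import json
import secrets
from typing import Dict, List

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canonical(obj) -> bytes:
    """Deterministic JSON so a signature covers a stable byte string."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

# --- Lamport one-time signatures: each key pair signs exactly one message ---
def lamport_keygen():
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    pk = [[sha256_hex(s) for s in pair] for pair in sk]  # hashes of the secrets
    return sk, pk

def _bits(message: bytes) -> List[int]:
    d = hashlib.sha256(message).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_sign(sk, message: bytes) -> List[str]:
    return [sk[i][b].hex() for i, b in enumerate(_bits(message))]

def lamport_verify(pk, message: bytes, sig: List[str]) -> bool:
    if len(sig) != 256:
        return False
    return all(sha256_hex(bytes.fromhex(s)) == pk[i][b]
               for i, (s, b) in enumerate(zip(sig, _bits(message))))

# --- Decentralized system: DID documents anchored in a registry -------------
REGISTRY: Dict[str, dict] = {}        # stands in for the ledger
KYC_DOCUMENTS: Dict[str, bytes] = {}  # held off-chain by the KYC provider

def register_did(did: str, pk, hub_endpoint: str) -> dict:
    """DID document: DPKI key material plus the owner's hub service endpoint."""
    doc = {
        "@context": "https://www.w3.org/ns/did/v1",
        "id": did,
        "verificationMethod": [{"id": f"{did}#key-1", "controller": did,
                                "type": "LamportSha256Key (hypothetical)",
                                "publicKeyLamport": pk}],
        "service": [{"id": f"{did}#hub", "type": "IdentityHub",
                     "serviceEndpoint": hub_endpoint}],
    }
    REGISTRY[did] = doc
    return doc

def resolve(did: str) -> dict:
    """Universal-resolver style lookup with a single driver for did:example."""
    if did.split(":")[1] != "example":
        raise ValueError(f"no driver for {did}")
    return REGISTRY[did]

# --- KYC provider signs a claim set; only document hashes are included ------
def issue_attestation(issuer_did, issuer_sk, subject_did, claims, documents):
    for data in documents.values():
        KYC_DOCUMENTS[sha256_hex(data)] = data  # retained for regulator requests
    body = {"iss": issuer_did, "sub": subject_did, "claims": claims,
            "evidence": [sha256_hex(d) for d in documents.values()]}
    return {"body": body,
            "proof": {"verificationMethod": f"{issuer_did}#key-1",
                      "sig": lamport_sign(issuer_sk, canonical(body))}}

def verify_attestation(att: dict) -> bool:
    """Resolve the issuer DID, take the key the proof names, check the signature."""
    vm_id = att["proof"]["verificationMethod"]
    issuer_did = vm_id.split("#")[0]
    if att["body"]["iss"] != issuer_did:
        return False
    keys = {vm["id"]: vm["publicKeyLamport"]
            for vm in resolve(issuer_did)["verificationMethod"]}
    return vm_id in keys and lamport_verify(
        keys[vm_id], canonical(att["body"]), att["proof"]["sig"])

def transfer_allowed(hub: Dict[str, list], subject_did: str, required: dict) -> bool:
    """Compliance rule at transfer time: some valid attestation in the subject's
    hub must carry every required attribute with the required value."""
    return any(att["body"]["sub"] == subject_did and verify_attestation(att)
               and all(att["body"]["claims"].get(k) == v for k, v in required.items())
               for att in hub.get(subject_did, []))

def regulator_documents(att: dict) -> List[bytes]:
    """Reversibility: evidence hashes lead back to the stored documents."""
    return [KYC_DOCUMENTS[h] for h in att["body"]["evidence"] if h in KYC_DOCUMENTS]

def demo() -> bool:
    sk, pk = lamport_keygen()
    register_did("did:example:kyc", pk, "https://hub.example/kyc")
    att = issue_attestation("did:example:kyc", sk, "did:example:alice",
                            {"jurisdiction": "DE", "accredited": True},
                            {"passport": b"constructed passport scan"})
    hub = {"did:example:alice": [att]}  # the investor's identity hub
    return transfer_allowed(hub, "did:example:alice",
                            {"jurisdiction": "DE", "accredited": True})
```

Two design points matter for the guidelines. The attestation body never contains the passport bytes, only their hash, which is what makes the representation reversible for a regulator without leaking documents to every exchange that checks a transfer. And because a Lamport key may sign only one message, a real deployment would use an ordinary signature key in the DID document; the one-time scheme is here purely to keep the block dependency-free.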

Zero-knowledge stores

The concepts of attestations, claims and decentralized hubs are among the most important principles of the decentralized identity model. An interesting idea is to combine decentralized hubs with a zero-knowledge proof protocol (such as zk-SNARKs) to add another layer of privacy to DIDs while still allowing other protocols to verify the identity. I like to call this concept a zero-knowledge store, and it has already been supported by protocols such as uPort. For example, we can envision a security token protocol that needs to verify that an investor is accredited and located in Germany. Those claims/proofs can be expressed as a SNARK and verified at transfer time without revealing any other information about the user's identity.


Decentralized hubs combined with a zero-knowledge proof protocol (e.g. zk-SNARKs)
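The zero-knowledge store described above relies on a zk-SNARK, which cannot be reproduced in a short self-contained snippet. The added example below (my own code, not the article's and not uPort's) shows the weaker but related property of selective disclosure: the holder commits to all of their claims with a single Merkle root and later reveals only the claims a transfer rule asks for, so the verifier learns those values and nothing else about the store. A real SNARK would go further and prove the predicate (accredited and located in Germany) without revealing even the disclosed values. The class and function names (`ClaimStore`, `disclose`, `rule_satisfied`) and all claim names, values and salts are constructed for this example.

```python
"""Constructed example: selective disclosure of identity claims with a
salted Merkle commitment. Stands in for the zero-knowledge store idea;
it hides undisclosed claims but does reveal the disclosed values."""
import hashlib
import secrets
from typing import Dict, List

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(name: str, value: str, salt: bytes) -> bytes:
    # The per-claim salt stops a verifier from guessing a hidden claim by
    # hashing likely values (there are only so many jurisdictions).
    return h(b"leaf|" + salt + b"|" + name.encode() + b"=" + value.encode())

def build_tree(leaves: List[bytes]) -> List[List[bytes]]:
    """All levels from leaves to root; an unpaired node is paired with itself."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]
        levels.append([h(b"node|" + cur[i] + cur[i + 1])
                       for i in range(0, len(cur), 2)])
    return levels

class ClaimStore:
    """Holder side: keeps every claim and salt, publishes only the root."""
    def __init__(self, claims: Dict[str, str]):
        self.names = sorted(claims)              # fixed leaf order
        self.claims = dict(claims)
        self.salts = {n: secrets.token_bytes(16) for n in self.names}
        self.levels = build_tree(
            [leaf_hash(n, self.claims[n], self.salts[n]) for n in self.names])

    @property
    def root(self) -> bytes:
        return self.levels[-1][0]

    def disclose(self, name: str) -> dict:
        """Reveal one claim together with its authentication path."""
        idx = self.names.index(name)
        path = []
        for level in self.levels[:-1]:
            if len(level) % 2:
                level = level + [level[-1]]
            path.append((level[idx ^ 1], idx % 2))  # (sibling, 1 if we are right)
            idx //= 2
        return {"name": name, "value": self.claims[name],
                "salt": self.salts[name], "path": path}

def verify_disclosure(root: bytes, d: dict) -> bool:
    """Verifier side: recompute the root from the revealed leaf and path."""
    node = leaf_hash(d["name"], d["value"], d["salt"])
    for sibling, is_right in d["path"]:
        node = h(b"node|" + sibling + node) if is_right else h(b"node|" + node + sibling)
    return node == root

def rule_satisfied(root: bytes, disclosures: List[dict], required: Dict[str, str]) -> bool:
    """Transfer rule: every required claim must be disclosed and bound to the root.
    Undisclosed claims stay hidden; an unverifiable disclosure is ignored."""
    shown = {d["name"]: d["value"] for d in disclosures if verify_disclosure(root, d)}
    return all(shown.get(k) == v for k, v in required.items())

def demo() -> bool:
    store = ClaimStore({"jurisdiction": "DE", "accredited": "true",
                        "legal_name": "constructed person", "birth_year": "1980"})
    disclosed = [store.disclose("jurisdiction"), store.disclose("accredited")]
    return rule_satisfied(store.root, disclosed, {"jurisdiction": "DE", "accredited": "true"})
```

In a deployment the root would itself need to be authenticated, for instance by placing it in a signed attestation from the KYC provider; this block assumes the verifier already trusts the root and concentrates on the disclosure step.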

Some protocols that may help

The decentralized identity industry is still at a very early stage, but there are already some protocols that can serve as inspiration for security token protocols.

· uPort: uPort has been steadily building a set of protocols and solutions for managing identity in decentralized applications. The current stack is compatible with Ethereum smart contracts and can be used in permissioned chain applications.

· Azure BaaS: The Azure team is extending the core protocols of different blockchains to take advantage of Azure Active Directory. Recently they implemented a Proof of Authority (PoA) consensus protocol in their Ethereum offering.

· Sidetree: A combination of code-level components, including deterministic processing logic, a content-addressable storage abstraction and stateful validation procedures, that can be deployed on top of Layer 1 decentralized ledger systems (such as public blockchains) to produce a permissionless Layer 2 DID network.

Just like compliance, identity is likely to be an independent building block of the security token architecture and should act as an enabler for other functions. While a centralized model may be the easiest way to build a first-generation identity model, decentralized identity architectures are likely to dominate in the long run. Organizations like DIF and the work of companies such as Microsoft and uPort can provide a solid starting point for decentralized identity models in security tokens.