Cacti: Decentralized Identity Management for Trusted Interoperation
Description
Interoperation among permissioned networks for data sharing and asset transfers requires the networks to collectively make verifiable commitments and provide authenticity proofs of ledger state to each other, and the Cacti platform offers tools and protocols to enable these. But because these networks are permissioned, and hence opaque to external entities, an identity management framework needs to be in place to establish a trust basis before two networks can interoperate using Cacti mechanisms. Because the networks themselves and the protocols that link them are decentralized, avoiding the use of trusted third parties, the identity management framework must also be decentralized. The emerging W3C standards around Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs) provide the necessary base for decentralized cross-network identity.
Cacti inherits specifications around building "identity plane" protocols using novel "Group DIDs", which are dynamically evolving records representing networks built on blockchain or distributed ledger technology, from the older Weaver Labs project. The specifications describe how decentralized identity registries (which maintain DID records with associated service endpoints and credential schemas) can be augmented to support groups, and mediate the discovery of one group by another followed by a syncing of identities and authority certificates, which will enable networks to authenticate each other and validate their claims and state proofs. Each network member can independently run an identity agent to discover and sync identities, and in consensus with other agents belonging to its network, record a foreign network's group identity to its local ledger. In this model, an ideal registry is referred to as an Interoperation Identity Network (IIN) and the agents are called IIN Agents. Other external entities called Trust Anchors issue VCs to network members, certifying their identities and affiliations.
The goal of this project will be to build a template or sample IIN by minimally augmenting existing decentralized identity registries built on Hyperledger Indy and Aries, adding support for group DIDs, and optionally proposing changes or additions to W3C standards for DIDs and VCs. To demonstrate the working of identity plane protocols, existing Cacti IIN agents for Hyperledger Fabric must be augmented, and IIN Agents for Corda must be built, enabling data sharing and asset transfer across networks built on either Fabric or Corda. Also, a sample trust anchor must be designed and implemented as a service to issue VCs to network members.
Additional Information
Code development repository: https://github.com/hyperledger/cacti. Presently the relevant basic code (to be augmented) lies in https://github.com/hyperledger/cacti/tree/main/weaver/core/identity-management, but the repository structure may be refactored in the future.
For documentation on setting up the Weaver-related portions of Cacti see https://labs.hyperledger.org/weaver-dlt-interoperability/docs/external/getting-started/guide (content will be migrated to Cacti docs in the future).
For background information on the project, the design philosophy, and interoperability in general, see references at the end of https://github.com/hyperledger/cacti/blob/main/weaver/OVERVIEW.md.
Specifically, the following paper will provide background on identity management for interoperation: https://arxiv.org/abs/2104.03277
For the latest specifications that will be used as basis for (and which may be augmented during the course of) this project, see the Cacti Weaver RFCs, starting from https://github.com/hyperledger/cacti/blob/main/weaver/rfcs/models/identity/network-identity-management.md.
Learning Objectives
- Write software according to standardized public specifications
- Using version control to check-in clean commits with logically complete blocks of code along with proper commit messages
- Art of writing good documentation, both targeted at developers and at users
- How to develop on permissioned blockchains/DLTs of different flavors and being able to compare and contrast DLTs: Fabric, Corda, Indy
- Distributed and decentralized identity management, along with concepts of self-sovereign identity (SSI) and verifiable credentials (VCs)
Expected Outcome
- Implementation of Group DID representing a DLT network
- Sample or template IIN registry built on Hyperledger Indy and Aries
- Sample or reference trust anchor service to issue Verifiable Credentials to entities participating in a DLT network
- IIN agents for Hyperledger Fabric (augmentation) and Corda (creation)
- Documentation: setup instructions, tutorial, RFC updates
Relation to Hyperledger
Core contribution: Hyperledger Cacti
Usage and potential contribution: Hyperledger Indy, Aries
Usage: Hyperledger Fabric, (Optional) Besu
Mentee Skills
- Knowledge of JavaScript and Python programming languages.
- Hands-on with basic cryptographic concepts including Digital Signatures.
- Understanding of HTTP client server programming.
- Good to have: prior experience of using Hyperledger Indy or Aries.
- Experience with Hyperledger Fabric a plus.
Future plans
Development: could make future contributions not just to Cacti but also to Indy and Aries after consulting with the maintainers of those projects.
We could conduct performance evaluations and analyses and write research papers.
Mentor(s) Names and Contact Info
Venkatraman Ramakrishna, vramakr2@in.ibm.com, Ramakrishna#6645 (Discord), IBM Research
Bishakh Chandra Ghosh, ghoshbishakh@gmail.com, ghoshbishakh#8899 (Discord), IIT Kharagpur
Sandeep Nishad, sandeep.nishad1@ibm.com, sandeepn#1092 (Discord), IBM Research
Sikhar Patranabis, sikhar.patranabis@ibm.com, Sikhar#9160, IBM Research