Authentication and Traceability
Authentication
UFAC (User-First Access Credentials)
UFAC emerges as a revolutionary protocol for data access and authorization. At its core, this protocol empowers users by providing full control over who can access data, ensuring a secure and decentralized method for managing permissions.
Unlike traditional models that rely on centralized authorities for authentication and access control, UFAC enables users to issue, delegate, or revoke access independently. This is done using cryptographic tokens that authenticate identity without disclosing sensitive information. These tokens are signed, ensuring only authorized parties can validate access without needing a central server or third-party service.
The decentralized structure of UFAC aligns with privacy-centric ecosystems, enabling users to prove their identity while retaining full control over their data. As the digital world prioritizes security and autonomy, UFAC provides a critical building block for decentralized applications, offering encrypted communication pathways and supporting controlled, secure access across distributed networks. With UFAC, data security and user autonomy are closely intertwined, making it an essential tool for the future of privacy-focused technologies.
A Closer Look at UFAC
Capabilities
UFAC credentials are cryptographically signed certificates that define and transfer permissions between Decentralized Identifiers (DIDs) and adhere to two core principles. The first is Time Restriction, which ensures that access is only granted for a defined period, reducing the risk of prolonged exposure to sensitive resources. The second principle is Least Authority, which limits the permissions granted to the absolute minimum necessary for the task, mitigating potential misuse or unintended consequences.
Authentication Scheme
UFAC employs a robust, flexible, capability-based authentication mechanism that is adaptable to diverse network structures. It supports local, centralized, and delegated configurations, making it suitable for various environments, ranging from peer-to-peer networks, where nodes communicate directly, to more structured systems such as cluster environments.
Moreover, UFAC credentials are specifically designed for decentralized ecosystems, integrating with DID-based frameworks to ensure compatibility and interoperability across platforms.
In Simple Terms, The UFAC Structure
Let's break down the structure of UFAC credentials in a simple way. Three key elements define UFAC functionality:
Issuer: This entity (a user) creates and signs the UFAC credential. The issuer decides what permissions are granted and ensures that these permissions are securely tied to the user's identity using cryptographic methods.
Audience: The recipient of the UFAC credential. The audience is the entity that is authorized to perform specific actions or access certain resources.
Capabilities: These are the permissions that the UFAC credential grants. For example, a capability could be the ability to "read," "write," or "delegate" certain actions. These capabilities define exactly what the audience is allowed to do.
For example, if a user wants to grant another person the ability to read a specific file stored in a decentralized network, they would issue a UFAC credential with the appropriate "read" capability. This UFAC credential, signed by the issuer, is delivered to the audience, who can then use it to authenticate and access the file. At the same time, the issuer can revoke or update the UFAC credential as needed, ensuring continued control, flexibility, and security in managing permissions.
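The checks a verifier would run on a chain of delegated credentials, as an added example that is not Etherland's code: each link must come from the previous audience, stay within the parent's capabilities and lifetime, and be unexpired and unrevoked. The field names, the rule that re-delegation needs the "delegate" capability, and the sample DIDs and file name are assumptions; signature verification is taken as already done.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Credential:
    # Hypothetical fields; the page does not publish UFAC's wire format.
    issuer: str              # DID that signs the credential
    audience: str            # DID allowed to use it
    resource: str
    capabilities: frozenset  # e.g. {"read", "write", "delegate"}
    not_before: int          # Unix seconds
    expires: int             # Unix seconds

def check_chain(chain, owner, invoker, resource, action, now, revoked=frozenset()):
    """Validate a root-to-leaf delegation chain; returns (allowed, reason).

    Signature verification of each credential is assumed to have passed already.
    """
    if not chain or chain[0].issuer != owner:
        return False, "root credential not issued by the resource owner"
    parent = None
    for i, cred in enumerate(chain):
        if cred in revoked:
            return False, f"link {i} revoked"
        if not cred.not_before <= now < cred.expires:
            return False, f"link {i} outside validity window"
        if cred.resource != resource:
            return False, f"link {i} is for a different resource"
        if parent is not None:
            if cred.issuer != parent.audience:
                return False, f"link {i} not issued by the previous audience"
            if "delegate" not in parent.capabilities:
                return False, f"link {i} parent may not delegate"
            if not cred.capabilities <= parent.capabilities:
                return False, f"link {i} widens capabilities"
            if cred.expires > parent.expires:
                return False, f"link {i} outlives its parent"
        parent = cred
    if parent.audience != invoker:
        return False, "invoker is not the final audience"
    if action not in parent.capabilities:
        return False, "action not granted"
    return True, "ok"

# Constructed sample: Alice owns the file, delegates read to Bob, Bob to Carol.
ALICE, BOB, CAROL = "did:example:alice", "did:example:bob", "did:example:carol"
FILE, NOW = "lease.pdf", 1200
ROOT = Credential(ALICE, BOB, FILE, frozenset({"read", "delegate"}), 1000, 2000)
LEAF = Credential(BOB, CAROL, FILE, frozenset({"read"}), 1000, 1500)

if __name__ == "__main__":
    print(check_chain([ROOT, LEAF], ALICE, CAROL, FILE, "read", NOW))
```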
DIDs (Decentralized Identifiers)
The Etherland platform utilizes advanced authentication mechanisms, including Decentralized Identifiers (DIDs) for user and entity authentication. DIDs offer a robust and decentralized approach to authenticating users, eliminating reliance on central authorities and ensuring secure and private access to the platform. This is further enhanced by device-specific authentication and multi-device synchronization, which enables efficient management of user access across devices.
DID Specification Summary
Decentralized Identifiers (DIDs) are a new type of digital identity that allows individuals or organizations to create their unique identifiers without relying on any central authority, such as a government or large tech company. Instead of having IDs controlled by a central registry, DIDs are managed by the individual or organization that creates them, known as the DID controller. This independence means that only the controller can prove ownership of the DID through cryptographic methods, such as digital signatures, without requiring permission from anyone else.
A DID is essentially a web-like link (URI) that points to a specific document, known as a DID document, which contains important information about the DID. This document includes cryptographic keys and verification methods, allowing the controller to verify their identity or interact with others securely. It also provides service endpoints, which are essentially the addresses of the digital services the DID controller offers, enabling trusted communication.
The DID system is designed to support a wide variety of uses. For instance, a DID could represent a person, a device, or even an abstract data model. By creating their own DIDs, people gain more privacy and security. They can control who can see their data and when, without relying on any central body to maintain the validity of the identifier. This also means people can create multiple DIDs for different contexts, keeping interactions separate and more secure.
Key Goals Driving the Development of DIDs
Decentralization: No single point of control; users have full ownership of their identifiers.
Autonomy: Users independently manage and control their DIDs.
Privacy & Security: Cryptographic proof enables the selective sharing of information without requiring permission from central authorities. It provides a secure foundation for trusted interactions. Zero-knowledge proofs (ZKPs) can further enhance privacy, allowing users to prove their identity or attributes without revealing sensitive data, thanks to implementations like PolygonID.
Interoperability: DIDs are compatible across different networks and systems.
Portability & Simplicity: The DID framework is portable across various applications and systems and is designed for easy use.
W3C Approval
This framework was developed under the auspices of the World Wide Web Consortium (W3C), which oversees web standards. After rigorous testing and approval from W3C members, DIDs are now recommended as a web standard. This means they are widely encouraged for use on the Internet, paving the way for a more decentralized, secure digital identity framework.
Permission
Etherland's permission framework is designed to accommodate various security and access requirements. For instance, a company's employees may have varying clearance levels to access organizational data. Clients or collaborators can grant partial access to specific datasets during or after their onboarding process.
Advanced Permission Framework Authority (APFA) further refines this by allowing users to set accreditation levels via Verifiable Claims. These claims automate access control by presenting the appropriate files to users based on their assigned clearance within the authorized data structures.
This system ensures a seamless balance between security and accessibility, bolstered by blockchain's inherent immutability and transparency. It simplifies workflows for managing sensitive files while adhering to rigorous security protocols.
APFA (Advanced Permission Framework Authority)
Ecosystem-bound
APFA introduces a distinct layer of permission management designed specifically for the Etherland technological ecosystem. Unlike User-First Access Credentials (UFAC) permissions, APFA imposes the highest level of authority. This ensures robust governance over critical access control mechanisms. In detail:
APFA settings can only be configured within the Etherland products. This exclusivity guarantees tighter control and minimizes the risk of unauthorized alterations.
Only users holding the highest authority, such as senior members of a client organization or specialized personnel like Identity and Access Management (IAM) Administrators, can establish or modify APFA access levels. This protocol safeguards against accidental or malicious modifications by less privileged users.
Default Stamping of Access Levels
When enabled, APFA automates the assignment of access permissions. Specific files within designated folders or those uploaded from particular sources (e.g., IoT devices) are automatically stamped with predefined APFA access levels upon being integrated into the DEFS. This streamlines compliance and enhances security by ensuring critical data is appropriately classified and protected immediately upon creation or upload.
Auth Access
All our products employ robust primary Web3 authentication to protect sensitive data and module access. This ensures secure account management and eliminates reliance on traditional username-password systems, reducing vulnerabilities like phishing and centralized data breaches.
Root user authentication in our applications is achieved via WalletAuth, which leverages decentralized identifiers (DIDs). Users sign in using private keys associated with their Web3 identities, ensuring cryptographic security and eliminating the need for centralized credential storage.
Root access is managed exclusively on the ProApp through UFACs (User-First Access Credentials). These cryptographically secured bearer tokens allow delegation and revocation of permissions, ensuring that resource control remains decentralized and user-driven.
Our infrastructure supports access distribution to less secure devices without requiring WalletAuth. This is achieved using the did:key method, enabling flexible and secure interactions while maintaining strict control over primary accounts. This method allows the generation and use of DIDs without relying on external services or registries; it creates DIDs directly from cryptographic key pairs, making it ideal for use cases requiring simplicity and minimal infrastructure.
Accounts can be backed up by saving the DID's private key or linking another device to the same account. This ensures redundancy while maintaining user control over account recovery.
Delegating access strictly adheres to the principle of Least Authority, minimizing permissions granted to secondary agents and ensuring security through detailed proof chains and delegation models inherent to UFACs.
Etherland and its partners plan to introduce additional hardware and software security measures, further enhancing user trust and access management capabilities.
Traceability
DIDs and Advanced Access Tracking
In Etherland's ecosystem, DIDs are the cornerstone of our comprehensive traceability framework. By creating persistent, cryptographically verifiable identities, DIDs enable the systematic tracking of all interactions within the system while preserving user privacy. Each DID acts as a pseudonymous identifier that can be linked to actions, modifications, and access events without exposing sensitive personal information.
This tracking capability is significantly enhanced when DIDs are combined with our UFAC and APFA technologies. While UFAC provides the authorization mechanism for access control, it simultaneously creates an immutable record of permission grants, delegations, and revocations. Each UFAC credential issuance or modification is logged with cryptographic proof, creating a verifiable chain of authorization events tied to specific DIDs.
The APFA framework further extends this traceability by implementing hierarchical access controls that restrict access based on clearance levels and log every attempt to access protected resources. This creates a multi-layered tracking system where successful and unsuccessful access attempts are recorded and associated with the requesting DIDs. For example, when a user attempts to access a document beyond their clearance level, the system records this event while maintaining the security boundary.
Together, these technologies create a comprehensive audit trail that allows property managers to answer critical questions such as:
Who accessed specific property documents and when?
Which users attempted to access resources beyond their authorization?
How have access permissions evolved for sensitive documents?
What modifications were made to key files, and by which authenticated entities?
This level of traceability is particularly valuable in regulatory environments where proof of appropriate access controls and comprehensive audit capability is required for compliance.
KYC and Serendptech's Accountability Framework
KYC processes in Etherland's platform serve a dual purpose: they provide essential security verification and establish a crucial link between digital identities and real-world entities. This connection forms the foundation of a robust accountability framework that enhances traceability throughout the system.
By verifying real-world identities through Serendptech's advanced tools, we create a secure bridge between cryptographic DIDs and the legal entities they represent. This connection remains privacy-preserving during normal operations but provides an accountability anchor when required for compliance or security purposes. For institutional clients managing valuable property portfolios, this accountability layer offers critical protection against both internal and external threats.
Serendptech's integration enables several advanced traceability features:
Identity Verification Chain: All actions within the system can be traced through a verification chain that links cryptographic identifiers to verified entities. This chain creates non-repudiation for critical operations such as document modifications or permission changes without exposing sensitive identification details during regular operations.
Risk Mitigation Through Accountability: The knowledge that actions are traceable to verified identities is a powerful deterrent against malicious behavior or negligent handling of sensitive property data. This preventive aspect of traceability reduces the likelihood of security incidents before they occur.
Remediation Capabilities: In case of suspicious activity or security concerns, the KYC-DID linkage enables targeted investigation and appropriate remediation actions. This capability is especially valuable for institutional clients subject to regulatory oversight who must demonstrate both preventive controls and responsive capabilities.
Regulatory Compliance Evidence: The combined KYC and traceability infrastructure generates verifiable evidence of compliance with regulations such as GDPR, AML directives, and industry-specific requirements. This evidence can be selectively disclosed to auditors or regulators without compromising the overall privacy of the system.
Serendptech's tooling specifically enhances these capabilities by providing sophisticated analysis of historical activities. When combined with robust KYC information, these tools allow for early detection of potential issues, pattern recognition across user behaviors, and forensic investigation capabilities when needed.
Versioning and Modification Tracking
Integrating IPFS into our DEFS system creates a powerful framework for comprehensive version control and modification tracking. Unlike traditional storage systems, where files can be overwritten without a record, IPFS's content-addressed architecture naturally preserves every document version as a distinct entity with its unique identifier.
DEFS extends this inherent capability by implementing structured versioning that explicitly links related document versions and enriches them with metadata about modifications. This creates a complete historical record of how documents have evolved, with each change immutably recorded and cryptographically verifiable.
Document Lifecycle Traceability
For real estate asset managers, this versioning system provides unprecedented traceability throughout a document's lifecycle:
Origin Verification: The initial creation of a document is recorded with its original content hash, timestamp, and the creating entity's DID. This establishes a verifiable point of origin for all property documents.
Modification Tracking: Each subsequent change generates a new content hash while maintaining links to previous versions. These links create an unbroken chain of modifications that can be traversed to understand how a document evolved.
Contributor Identification: Through integration with our authentication system, every modification is associated with the contributing entity's DID. This creates accountability while maintaining the privacy-preserving properties of decentralized identifiers.
Temporal Context: All versions include precise timestamps that place modifications in their temporal context, allowing for chronological reconstruction of document histories and correlation with other system events.
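A minimal model of the version chain described in this list, as an added example that is not DEFS code: each record carries the content hash, a link to the previous record, the contributor's DID and a timestamp, and verification walks the chain against a head id obtained from a trusted source. The record layout, the use of a SHA-256 hex digest in place of an IPFS CID, and the sample documents and DIDs are assumptions.

```python
import hashlib
import json

def content_id(data: bytes) -> str:
    # SHA-256 hex digest stands in for an IPFS CID (assumption; real CIDs are multihash-encoded).
    return hashlib.sha256(data).hexdigest()

def record_id(record: dict) -> str:
    # Canonical JSON so the same record always hashes to the same id.
    return content_id(json.dumps(record, sort_keys=True, separators=(",", ":")).encode())

def add_version(history: list, content: bytes, did: str, ts: int) -> str:
    """Append a version record linked to the previous one; return the new head id."""
    prev = record_id(history[-1]) if history else None
    history.append({"content": content_id(content), "prev": prev, "did": did, "ts": ts})
    return record_id(history[-1])

def verify_history(history: list, blobs: list, trusted_head: str):
    """Check every link, content hash and timestamp order against a trusted head id."""
    if len(history) != len(blobs):
        return False, "record/blob count mismatch"
    prev, last_ts = None, None
    for i, rec in enumerate(history):
        if rec["prev"] != prev:
            return False, f"version {i}: broken link to previous version"
        if content_id(blobs[i]) != rec["content"]:
            return False, f"version {i}: content does not match recorded hash"
        if last_ts is not None and rec["ts"] < last_ts:
            return False, f"version {i}: timestamp goes backwards"
        prev, last_ts = record_id(rec), rec["ts"]
    if prev != trusted_head:
        return False, "head does not match the trusted head id"
    return True, "ok"

# Constructed sample: three versions of one document by two pseudonymous DIDs.
BLOBS = [b"lease v1", b"lease v2 (rent updated)", b"lease v3 (signed)"]
HISTORY = []
for blob, did, ts in zip(BLOBS,
                         ["did:example:alice", "did:example:bob", "did:example:alice"],
                         [1700000000, 1700003600, 1700007200]):
    HEAD = add_version(HISTORY, blob, did, ts)

if __name__ == "__main__":
    print(verify_history(HISTORY, BLOBS, HEAD))
```

Editing any earlier record changes its id and breaks the next record's link, while editing the newest record is caught only by the comparison with the trusted head id, so that id has to be stored where the history itself cannot rewrite it.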
Enhanced Recovery and Audit
Beyond basic versioning, this approach offers significant advantages for property data management:
State Recovery: In case of erroneous changes or data corruption, previous document states can be instantly recovered, protecting against accidental and malicious modifications.
Differential Analysis: The system can compare any two versions of a document to identify precisely what changed, who made the changes, and when they occurred, facilitating detailed audits of critical property information.
Compliance Evidence: The immutable history of document modifications provides strong evidence for regulatory compliance, demonstrating appropriate data handling and the integrity of property records over time.
Linked Accountability: By connecting document changes to authenticated DIDs and ultimately to verified KYC information, the system creates comprehensive accountability while maintaining appropriate privacy boundaries during normal operations.
This traceability framework is particularly valuable for property documents with legal or regulatory significance, such as ownership records, compliance certifications, and ESG documentation. By maintaining a verifiable history of all such documents, Etherland provides asset managers with operational confidence and regulatory protection.