---
robots: noindex, nofollow
---

# Hardy Essay [2025 Submission]

https://airtable.com/appFOGLY2oJtkTFpa/pagNydLomRTr2YPWR/form

> Full Name

Christopher Allen

> Email address

ChristopherA@lifewithalacrity.com

> Are you submitting your own work or nominating someone else for this Prize?

[X] Submitting My Own Work

> Are there collaborators for the work you are submitting?

[No or Wolf McNally]

> Link(s) to your or your nominee's biography

https://www.linkedin.com/in/christophera/

> Describe the work and how it contributes to the stated goals of the prize

Gordian Envelope is a storage and data-transmission format that I architected for Blockchain Commons. It allows users to make their own decisions about the security of their data through "holder-based elision": whoever holds an Envelope can remove individual data elements without undercutting the underlying validation (e.g., signatures) or verification of the data. Its focus is on simple, clear, user-centric security. The ultimate goal is user freedom, which is one of the fundamental principles of all my architectural design.

Taking a step back, Gordian Envelope is what I call a "smart data" storage system. It makes the architectural design patterns of data minimization and least authority obvious and simple, and it puts control over them into the hands of any holder of the data (which is to say, "the user").

Making data minimization and least authority simple and accessible has strong security implications, because overidentification is one of the biggest threats of the modern internet. It makes individuals vulnerable to identity theft and also to physical threats such as "swatting". To address that, any datum kept in a Gordian Envelope can be elided (or encrypted); what remains is the datum's hash, which can be incorporated into an "inclusion proof" for verification without revealing the datum itself.
Gordian Envelope's data is laid out in CBOR as semantic triples: a subject together with predicate-object assertions. The key to Gordian Envelope's design, however, is a Merkle-like tree, which organizes the triples into branches and leaves and provides a hash (digest) for every node. Those hashes survive elision or encryption of the underlying data, which is what supports continued validation (signatures are made over the hashes) and verification (a hash can prove the existence of elided content).

Envelope's Merkle-like tree is effectively a recursive tree of envelopes, where any part of the semantic triple can itself be a sub-envelope. This provides for much more complex operations than in typical Merkle trees. It also means that the structure of the data, which is likely to be imposed by a developer when the data is created, makes it easy for users to elide entire categories of data. (This assumes that the structure has been sensibly designed, but in a world of increasing data regulations such as GDPR, HIPAA, and CCPA, this sort of sensible structure is almost required for regulatory compliance. Gordian Envelope works to make that compliance simple.)

A number of use cases demonstrate the security advantages of Gordian Envelope across a variety of industries:

* For the credential industry, holder-based data elision can allow a user to withhold information that might be discriminated against.
* For the healthcare industry, a user can take part in clinical studies and otherwise distribute their health data as needed, while still choosing what to protect.
* For the software industry, a user can choose to anonymously distribute software while still supporting its validation.
* For the data industry, a user can protect their data in different ways for different classes of viewers.
* For the digital-assets industry, a user can protect secrets such as seeds and keys while still meeting regulatory requirements by proving they hold them.
* For the journalism industry, a user can protect sources and other information such as the precise locations of photographs, while maintaining elided proofs of these important references.

The largest deployment of Gordian Envelope to date was to the Zcash community, where we used Envelope to architect ZeWIF, the Zcash extensible Wallet Interchange Format, for moving data among wallets. This demonstrated interoperability as a major advantage of Envelope, creating openness and resilience for data. Fundamentally, if you are exporting out of one wallet and into another, you will not be eliding data, but that might change if, for example, you are offering a copy of wallet data to an accountant. In that case, a user could use Envelope's simple elision functionality to remove seeds and keys and so share only the transactions needed for tax purposes.

The other notable deployment of Envelope was to Foundation for their state-of-the-art airgapped hardware wallet, Passport Prime. It uses Envelope's post-quantum cryptography (PQC) algorithms and secure communication (GSTP) to support software updates and large data drops, ensuring users are automatically and easily using strong, post-quantum encryption across an otherwise insecure Bluetooth connection.

Beyond these deployments, I am also advancing Envelope through continued work with standards organizations and industry leaders. I've previously coauthored the specs for TLS and DID, both of which have become important internet standards. I also authored the original paper on self-sovereign identity, which laid the foundation for the SSI industry. I expect to similarly introduce Gordian Envelope to the wider industry.

Though Gordian Envelope's fundamental design allows a user to maintain the security of their own data, developers will need to create good UX designs that minimize any pain points in content display, to make Envelope's data-minimization security features truly obvious and accessible to users.
But the Gordian Envelope specification is built to support that. The use of a Merkle-like tree offers an obvious visualization in which data is laid out as a tree, so that either whole branches or individual leaves can be left out of any data transmission. A good UX might even omit all data by default except for what a user specifically identifies as required for transmission. (Imagine that you could pick up your driver's license, say "Only show my picture and age," and hand it to a club bouncer or bartender; that's what Gordian Envelope allows.) Programmatic data-management and elision-rule methodologies could also be built into a UI to help users protect themselves ("Never give out my address without a secondary confirmation", "Never give out information to law enforcement, except what's required by law", "Never send out PII on the internet, except to a pre-approved list of sites"). Gordian Envelope gives users the power to elide and makes doing so simple; powerful UX could automate that.

Gordian Envelope goes beyond this fundamental capability. The recursive design of Envelope's Merkle-like tree has allowed me to create a graph-representation system that supports the incorporation of a variety of graph systems into Gordian Envelopes, even including complex systems such as RDF. This allows a UX to display data intended for minimization in a variety of styles, ensuring that there will always be a format that matches the expected experience for its app or industry and is therefore easy to use and accessible to users.

Numerous "extensions" are available atop Envelope's core functionality. One of them, the aforementioned Gordian Sealed Transaction Protocol (GSTP), is another easy-to-use security feature. It is a transport-agnostic system for exchanging Envelopes that uses public-key cryptography to sign and encrypt each exchange, securing data even over insecure and unreliable transports. This permits automated (yet controlled) data exchanges. This modular approach is very future-proof.
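To make the mechanism described above concrete, here is an added Python illustration of the driver's-license scenario; it is not code from this submission or from Blockchain Commons' bc-envelope libraries. The digest rules follow the shape of the Envelope spec (a leaf's digest is the SHA-256 of its encoding, an assertion's is the SHA-256 of the predicate digest followed by the object digest, an envelope's is the SHA-256 of the subject digest followed by its assertion digests in sorted order), but it is not a byte-exact reimplementation: leaves are hashed as UTF-8 strings rather than dCBOR, the issuer's signature is an HMAC stand-in for a real public-key signature, and the license contents, the `license:0001` subject and the issuer key are all constructed for the example. It shows that eliding the name and address leaves the root digest, and therefore the issuer's signature, unchanged, and that the bouncer can verify a minimal inclusion proof for the age assertion against the signed root alone.

```python
# Toy model of holder-based elision over a Merkle-like envelope tree. Added
# illustration, NOT bc-envelope code: leaves are UTF-8 strings, not dCBOR,
# and the issuer "signature" is an HMAC stand-in for a public-key signature.
import hashlib
import hmac
from dataclasses import dataclass

def sha256(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

@dataclass(frozen=True)
class Leaf:
    value: str
    def digest(self):
        return sha256(self.value.encode())  # real Envelope hashes dCBOR bytes

@dataclass(frozen=True)
class Elided:
    d: bytes  # only the digest of the removed subtree survives
    def digest(self):
        return self.d

@dataclass(frozen=True)
class Assertion:
    predicate: object  # Leaf, Elided or Envelope
    obj: object
    def digest(self):
        return sha256(self.predicate.digest(), self.obj.digest())

@dataclass(frozen=True)
class Envelope:
    subject: object
    assertions: tuple  # Assertion or Elided entries
    def digest(self):
        # sorted-digest order: which assertions the holder elides cannot move the root
        return sha256(self.subject.digest(), *sorted(a.digest() for a in self.assertions))

def all_digests(node):
    """Digest of `node` plus every subtree beneath it."""
    out = {node.digest()}
    if isinstance(node, Envelope):
        out |= all_digests(node.subject)
        for a in node.assertions:
            out |= all_digests(a)
    elif isinstance(node, Assertion):
        out |= all_digests(node.predicate) | all_digests(node.obj)
    return out

def reveal(node, keep):
    """Copy of `node`; subtrees whose digest is not in `keep` become Elided."""
    if node.digest() not in keep:
        return Elided(node.digest())
    if isinstance(node, Envelope):
        return Envelope(reveal(node.subject, keep), tuple(reveal(a, keep) for a in node.assertions))
    if isinstance(node, Assertion):
        return Assertion(reveal(node.predicate, keep), reveal(node.obj, keep))
    return node

def has_predicate(a, name):
    return isinstance(a, Assertion) and isinstance(a.predicate, Leaf) and a.predicate.value == name

def reveal_only(env, predicates):
    """Holder-side elision: keep root, subject and the listed assertions in full."""
    keep = {env.digest(), env.subject.digest()}
    for a in env.assertions:
        if any(has_predicate(a, p) for p in predicates):
            keep |= all_digests(a)
    return reveal(env, keep)

def inclusion_proof(env, predicate):
    """Root with every child elided, plus the target assertion in the clear."""
    target = next(a for a in env.assertions if has_predicate(a, predicate))
    return reveal(env, {env.digest()}), target

def verify_inclusion(proof, assertion, signed_root):
    if proof.digest() != signed_root:  # the proof must hash to the signed root
        return False
    return assertion.digest() in {a.digest() for a in proof.assertions}

ISSUER_KEY = b"constructed-issuer-key"  # stand-in for the issuer's signing key
def issuer_sign(root):
    return hmac.new(ISSUER_KEY, root, "sha256").digest()

def build_license():
    """Constructed sample license: one subject, four predicate-object assertions."""
    pairs = [("name", "Jane Doe"), ("address", "1 Example St"), ("photo", "<jpeg bytes>"), ("age", "21")]
    return Envelope(Leaf("license:0001"), tuple(Assertion(Leaf(p), Leaf(o)) for p, o in pairs))

def bouncer_check(lic, sig):
    """Holder shows only photo and age; the bouncer still verifies the issuer's
    signature over the unchanged root and checks an inclusion proof for 'age'."""
    shown = reveal_only(lic, {"photo", "age"})
    sig_ok = hmac.compare_digest(issuer_sign(shown.digest()), sig)
    visible = sorted(a.predicate.value for a in shown.assertions if isinstance(a, Assertion))
    proof, age = inclusion_proof(shown, "age")
    return sig_ok, visible, verify_inclusion(proof, age, lic.digest())
```

Calling `bouncer_check(lic, issuer_sign(lic.digest()))` on `lic = build_license()` returns `(True, ['age', 'photo'], True)`: the name and address survive only as digests, yet the signature made over the full license still verifies. One caveat the toy makes visible: a low-entropy leaf such as an age can be recovered from its digest by hashing candidate values; the Envelope spec addresses that with salt, which this model omits.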
That's how we integrated the PQC features needed by Foundation: by supporting ML-DSA (signatures) and ML-KEM (key encapsulation) as post-quantum alternatives for signing and encryption.

Envelope is also being used by the web3 community for experimental work, particularly for its envelope-based identifier (XID). XID has already been used as a device identifier by Foundation, but in the wider identity world it could be an alternative to EUDI, which is not minimal-disclosure-first. Another future deployment is our collaborative-seed-recovery system (CSR), which allows users to personally control the backup of their seeds.

The linked concepts of data minimization and least authority have been known for decades, but they've been very poorly deployed. So, while there are sexier new concepts such as zero-knowledge proofs and differential privacy, the fundamental issue is getting data minimization into use. Gordian Envelope is unique because it was built privacy-first, from the bottom up. This is a system that integrates user data protections from the start, and that's what makes it easy and accessible to users.

Gordian Envelope is fully implemented. The complete specification has been filed with the IETF as an Internet-Draft, and Envelope has been registered as CBOR tag #200, while its leaves ("enclosed dCBOR") are registered as CBOR tag #201. Libraries are available for using Envelope in both Rust and Swift. Blockchain Commons has also released three major reference apps that demonstrate its usage: Gordian Seedtool for iOS and seedtool-CLI in Rust, which both demonstrate Envelope's capabilities for managing digital assets; and envelope-CLI in Rust, which shows off Envelope's full functionality, including elision and encryption.

Gordian Envelope is part of Blockchain Commons' fundamental mission, to advocate "for the creation of open, interoperable, secure & compassionate digital infrastructure to enable people to control their own digital destiny and to maintain their human dignity online." Blockchain Commons is focused on providing users with privacy, independence, and openness, allowing them free choice about their digital assets and digital identity in a way that respects their individual choice. I think that Gordian Envelope is an embodiment of those principles and that they tie closely to the Norm Hardy Prize's focus on encouraging users to make their own wise decisions.

> Links to working prototypes or additional work to be evaluated

* IETF Specification: https://datatracker.ietf.org/doc/draft-mcnally-envelope/
* Graphs with Envelope: https://github.com/BlockchainCommons/Research/blob/master/papers/bcr-2024-006-envelope-graph.md
* Rust-Based Envelope-CLI: https://github.com/BlockchainCommons/bc-envelope-cli-rust
* Envelope Use Cases: https://developer.blockchaincommons.com/envelope/use-cases/summary/
* Envelope Overview for Developers: https://developer.blockchaincommons.com/envelope/
* Musings on Data Minimization: https://www.blockchaincommons.com/musings/musings-data-minimization/
* Musings on Least Authority: https://www.blockchaincommons.com/musings/Least-Necessary/

> Would you like to add any comments?

Why Data Minimization is Important. Data minimization just means limiting data to the bare minimum that's needed for a process or procedure to function. It's a stated principle of many systems, and it would improve security if it were properly implemented. It's even a requirement of some regulations, such as the GDPR, which requires a legal basis for collecting and processing information. Unfortunately, data minimization has rarely been well implemented, and so a lot of these ideals have fallen by the wayside. Gordian Envelope makes data minimization not just possible, but simple. In doing so, it empowers users to take into their own hands the decision of what data to share.

---

NOTES

# What the Hardy Prize Is

Security is only possible if users can understand the implications of their actions.
The Norm Hardy Prize is being offered to encourage work that helps users make wise decisions. The Prize will recognize work that helps users understand, preferably tacitly, the security aspects of what they do; introduces workflows that make the secure way to do something the easy way; develops design principles for systems that are as easy or easier to use because of their security; or explores 'theory of mind' with respect to how users interact with secure systems. The long-term goal of the Norm Hardy Prize is a set of design principles and tools that encourage developers to create interaction designs that make it easy for people to use secure systems securely.

Submissions

To be eligible for the annual $10k prize, please submit a short essay, no more than 1,500 words, discussing at least one of these four criteria:

1. Actual implementation of a system
2. User studies of a novel system
3. Theory of mind of the user
4. Sets of principles for user interaction design

Submissions must include a description of the work and how it contributes to the stated goals of the Prize. They may include links to working prototypes that the judges can evaluate. Wire frames for new affordances will be accepted, but working prototypes are preferred. User studies that only evaluate existing systems are not eligible for the Prize. Work that proposes metrics for usable security must demonstrate that it can differentiate systems based on the ability of users to make good choices. Work on how users build mental models of the systems they use must demonstrate that these models can be translated into guidance for developers.

--

The Hardy community may be particularly connected to my data minimization and least* musings.