# Hosted Identity (& Crypto) wallets

- **Problem statement**
  - General Web3/SSI interface/wallet challenges
    - Web3 & SSI rely at their core on cryptographic keys
      - that prove ownership of crypto assets and decentralized identifiers
      - humans cannot memorize or process keys, so they need to rely on software/hardware to use them
    - Key management is a major challenge
      - keys are needed for every interaction
      - keys must be stored securely, but also be accessible for use; risk of losing them vs. others getting access (and stealing assets, or hijacking your identity)
      - today
        - end-user managed (e.g. mobile app, browser extension with 12-word backup), some people use hw keys
        - often keys are copied to multiple devices to access assets from multiple devices
        - often tied to a different service / asset (abstraction via smart contract account or DID often not used)
    - Trusted signing interface
      - UI to display the action/intention that is being signed by the keys
      - Trust the development teams (mistakes and intentional attack)
      - Trust in distribution infrastructure (e.g. app stores); and that e.g. open source code really is used for an application on your phone
  - Add-on (wallet/identity) data & services
    - to enhance user experience, or allow certain use-cases, additional **data** is required to be available
      - history of transactions (with metadata that is not stored on-chain)
      - relevant tokens
      - verifiable credentials
      - additional blockchain networks
      - messages (inbox)
    - services
      - automations - based on certain events
      - messaging
      - ...
  - User data (beyond wallet specifics)
    - photos, playlists, etc.
- **Options today** (with specific challenges)
  - 1) Fully hosted solutions e.g. Coinbase (custodial wallets/key management)
    - Trust in provider with data + assets
    - Usable from multiple devices
    - Access to providers often with traditional web2 security (password, 2FA token)
  - 2) User controlled (mobile apps, browser extensions, hw wallets)
    - user experience bad - new browser/device requires setup, etc.
    - hard to manage / or less secure
      - with 12-word backup,
      - same keys on multiple devices
    - UX vs. security - not scalable to a large audience with more critical assets/identity use-cases
  - Most offerings only target SSI or digital assets
  - SSI agents (e.g. Evernym, IDNow, ...) are centralized providers operated by a few companies with specific business models and under certain legal/regulatory oversight.
    - who decides on the legality/illegality of controversial use-cases e.g. drugs, prescriptions, weapon ownership, religions, etc.?
    - who classifies someone globally as a 'terrorist' (which could lead to freezing of all assets and access)?
- **My (our?) opinion / objectives:**
  - Infrastructure of SSI & digital assets shouldn't make judgements on legal, regulatory, etc. questions
    - that should happen on a higher level (application)
    - e.g. we don't regulate on TCP packet level, but application level?!
  - Establish an SSI infrastructure that operates rather on a cryptographic, math, economic / game-theory level
    - harder to censor
    - incentives aligned between users & providers
    - choice for users (no lock-in)
  - Censorship resistance
    - requires multiple instances from different providers (at least a data & key backup), maybe passive is sufficient until activated
    - paid in same token, to reduce friction to pay independent providers
    - e.g. protocol could ensure at least 2 independent operators + 1-2 passive backups (in case both operators collude)
- **Target Solution in 2022**
  - Establish a semi-decentralized infrastructure with known actors (at least some form of reputation)
    - paid in (same) tokens to reduce end-user friction to add / remove / increase operators
    - Chainkey, MPC, etc. - to avoid control of keys by any party
    - Runs/compiles open source code in a transparent way
  - Allows access via traditional (username/password) and modern (keys, hw) methods
    - to control defined use-case options
      - e.g. read access sufficient with username/password; all write transactions need to be secured by an end-user controlled key?
    - long-term just based on HW-based keys (e.g. in devices like phones or laptops)
  - Data encryption at rest
    - operation on data without decryption (likely not efficient enough today)
    - decryption only by a limited set of (somewhat trusted) wallet operators to display
- **First sketch:**

  ![](https://i.imgur.com/4eZPUfY.png)

- **Roadmap / MVPs**
  - MVP 1 - Q1 22
    - Using WebAuthn (e.g. using macOS or iOS keys) to access an IC hosted wallet
    - Wallet allows creating a DID (and interacting with other DIDs, sending/receiving DIDComm messages)
  - MVP 2 - Q2 22
    - Wallet to manage VCs (create, present, etc.)
    - Use IC as data store for VCs and other metadata
  - MVP 3 - Q3 22
    - add Eth keys to manage Ethereum transactions - like MM / Tally running on a hosted server
- **Approach** (for discussion)
  - Explore collaboration with Stoicwallet, Plugwallet or AstroX
    - **AstroX** likely closest to crypto wallet offering, without DIDs & VCs
  - Research options for data encryption keys (rather than ECDSA signing keys from Chainkey)
- Research sources:
  - Dfinity / Identity
    - Inside the Internet Computer | Identity and Authentication on the Internet Computer - https://www.youtube.com/watch?v=9eUTcCP_ELM
    - Community Conversations | Internet Identity - https://www.youtube.com/watch?v=vCyQb9IHNQY
  - Dfinity tools/services
    - https://identity.ic0.app
    - StoicWallet - https://www.stoicwallet.com/
    - PlugWallet - https://plugwallet.ooo/
    - MM for ICP?
    - AstroX ME
      - https://63k2f-nyaaa-aaaah-aakla-cai.raw.ic0.app/anthen/login
      - https://twitter.com/Astrox_Network/status/1460585595483435010?s=20
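
The "Chainkey, MPC, etc." goal and the "2 independent operators + 1-2 passive backups" idea pull in different directions once a threshold is chosen; the following added example (not part of the original notes) makes that visible. It uses Shamir secret sharing as a stand-in for chain-key/MPC, which would sign without ever reassembling the key; the holder names and threshold values are assumptions.

```python
import secrets

# Prime field for the shares; 2**521 - 1 is a Mersenne prime, ample for a 256-bit key.
P = 2**521 - 1

# Constructed roles (assumption): two active operators plus two passive backups.
HOLDERS = ["operator_a", "operator_b", "backup_1", "backup_2"]

def split(secret, threshold, holders):
    """Split `secret` so that any `threshold` holders can rebuild it."""
    if not 0 <= secret < P:
        raise ValueError("secret out of range")
    if not 1 < threshold <= len(holders):
        raise ValueError("threshold must be between 2 and the number of holders")
    # Random polynomial of degree threshold-1 with the secret as constant term.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    shares = {}
    for x, name in enumerate(holders, start=1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod P
            y = (y * x + c) % P
        shares[name] = (x, y)
    return shares

def combine(shares):
    """Lagrange interpolation at x = 0 over the given (x, y) shares."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def can_recover(key, threshold, group):
    """True if `group` alone rebuilds `key` from a fresh split across HOLDERS."""
    shares = split(key, threshold, HOLDERS)
    return combine([shares[name] for name in group]) == key
```

With threshold 2, the two backups alone can restore the key if both operators withhold service, but the two operators together can also rebuild it. Threshold 3 blocks operator-only collusion at the cost of backup-only recovery.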