Digital Trust Protocol

Carsten Keutmann
10 min readJul 10, 2019

--

The Digital Trust Protocol (DTP) is a protocol for the handling of trust in the digital space. The protocol is broadly designed to work with all aspects of trust; this includes identity, reputation, and security.

The protocol is designed to be very minimalistic and system/platform agnostic. The intention is to extend the protocol with layers above rather than direct implementations. The protocol claim message data is designed to be self-provable of authenticity, by use of private/public key algorithms and the blockchain timestamping feature. This enables the protocol to be decentralized without a need for a central authority, as servers can use a peer-to-peer communication system and verify all the data it receives individually, without having to rely on the sender.

The Protocol allows anyone, including automated software, to issue their own cryptographic identities, for the use of trust and reputation and be able to verify those of others, without the need for a trusted third party. Users issue claims to other identities, and this way, build a personal web of trust network.

Users can search for claims on subjects by use of the user’s trust network. The search only includes results from trusted sources, claims from untrusted sources are not returned. The system is resistant to attacks like Sybil and bot networks as they are usually not a part of the uses networks and, therefore, not considered when evaluating searches.

The system works on the incentive of the user’s reputation and established trust, to be a good actor within their networks, since no one will listen to them if no one trusts them.

It is possible to trust anything digitally, and therefore, the protocol suitable to be used for anything that requires some degree of trust shared between systems related or unrelated. The DTP protocol is ideal for identity, reputation, and security management that needs to be used in a broader sense without a central authority, and furthermore, it can augment existing systems already in place.

The problem

Trust in the digital world of today are mostly centralized. Many reputation systems only work on specific platforms. There is usually no sharing of trust and reputation between the platforms, and this makes it hard to keeping track of identities reputation across systems. Many platforms do even not have any form of reputation system in the first place, like many forums, news sites, and so on. Therefore keeping a personal record of each identity on many different contents providing platforms becomes a time consuming and near-impossible task, as the identity of the same person may differ from platform to platform.

  • Trusting everyone is hard and very time-consuming
  • Incompatible systems and siloed reputation systems
  • Objective opinion on subjects, vulnerable to manipulation
  • In real life, trust is slow and limited in availability

The solution

There is a need for a solution that can span across systems and platforms openly and freely. The Digital Trust Protocol (DTP) is designed to provide an open protocol for the handling of trust of any kind in the digital space. DTP is a decentralized web of trust protocol.

  • A generic protocol for Trust
  • Leverage on our trust to family, friends, coworkers, and the government or some kind of authority
  • Decentralized the trust to make it resistant to manipulation and control
  • When trust is digital, it is always available
  • Open source generic protocol
  • DTP is subjective, decentralized, globally scalable, pseudo-anonymous, and shareable across all systems.

The Incentive

The DTP system works on the assumption that it is harder to gain trust than to losing trust. This is the basis for the system to function properly, as it creates an incentive for a user to act appropriately to maintain the reputation. Steadily losing trust will most likely result in a loss of attention and influence.

  • The DTP protocol works on the incentive of reputation.
  • The motivation of not losing reputation will help to keep the system honest.
  • The use of the reputation incentive allows the system to scale globally and still be decentralized.

Definition of trust

The belief that a person or system will behave predictably, even under stress. Based on experience and/or evidence. Trust is the basis of identity, reputation, and security.

DTP perspective of identity

Credentials of your identity are issued by others than yourself. Credentials can be trusted with facts instead of hard values. The issuer is responsible for the credentials. Everyone can create their own key for identity, even software.

Chain of trust for identity

When credentials are issued by an authority, the credentials work fine with verifiers that trust the authority. Like a bank will trust credentials from the local government, however, it will not trust credentials from just a common forum website. When crossing boundaries of a trust context, like traveling to another country, the bank in a foreign country may not trust any other credentials than a passport. Passports are the only credential that is trusted across multiple trust contexts (countries). Other times additional credentials about a person are needed to be verified, and this takes time to clear if the credentials are not issued in the same trust context.

With a large number of different forms of credentials issued today by different authorities, makes it difficult for a verifier to recognize and trust any form of credentials other than from a local context.

A solution to this problem could be to create a web of trust between authorities and verifiers. All existing credentials and systems do not need to be changed but can simply be augmented with claims of trust.

Imagine a state that has a public key. By this key, the state trust it’s division keys, divisions trust department keys, and departments trust the employee’s keys.

In the following scenario, a state will trust one of your credentials that you are indeed over 21 of age.

  1. A state employee trusts your credential with a claim (proof) that you are above age 21.
  2. You can get the full chain of trust from the state public key to your credentials and store it locally if necessary. Claims are simply just small pieces of signed data, with no personally identifiable data in them.
  3. Provide the full chain of trust to anyone who needs to verify your age,
    so they can verify that your credential…
    has a full chain of trust…
    to the state public key

The result is a chain of trust from the State public key all the way down to the credential.

The subject of the credentials can hold a local copy of the chain of trusts from the State and present it to a verifier together with the credentials.

The verifier trusts the state public key with claims and, together with the chain of trust from the subject, can close the circle and verify that the credentials are indeed valid.

This system also works in a state to state scenario, where trust is established between states and therefore makes it possible for foreign verifiers to verify your local issued credentials as they have the full circle of trust claims as proof.

The benefit of using a chain of trust for credentials is that it provides the possibility for an instant verification with a high degree of certainty, as it will be very hard to fake. In many situations, the verifiers only make identification according to law. Therefore from a verifiers perspective, having a digital chain of trust on the credentials from the subject greatly reducing risk as they have digital proof of compliance.

Some of the benefits of using trust claims as augmentation is that:

  • It can work offline
  • It may not reveal any more information than necessary
  • No need to store full digital credentials locally
  • Chain of trust can be stored locally and is considered low-risk data

DTP is a low-level protocol, and the intention is for it be a metadata system describing trust in data and not holding the data directly.

DTP perspective of Reputation

Reputation is based on trust. Reputation is an aggregation of all trust given. Reputation is subjective for the issuer and observer. The protocol does not make any opinion on a subject’s reputation, but simply just deliver the data to the client. It is up to the client to choose how to interpret the reputation data.

DTP perspective of Security

Security is trust given by someone that gives or refuses access to something. The DTP protocol could work as an excellent ticket or access control system, especially suited across platforms and systems because of the immutability of the claim data.

The DTP protocol implementation

DTP defines claims, packages, and a rule set for searching.

  • Claims are atomic, signed, and timestamp, making them immutable and tamper-proof.
  • Packages are a collection of claims for easy transport between servers.
  • Searching for a claim happens within a graph structure build from the claims.

Trust is a metaphoric definition where the claims are the implementation of trust.

Clients and DTP servers

Clients submit claims to servers. Server timestamp and share claims with other servers. Clients can search in the graph of claims.

A federated network of trust servers and clients

Everyone can run their own local server. It is expected, as with time, this will be a common thing. With time people will pay for DTP services that optimizes the graph from their perspective. Free DTP servers may still be found; however, their services would be limited due to the huge scale of the network.

There is no definition of the transport layer, as this is considered out of scope of the protocol. When sharing claims and packages between servers, any form of transportation can be used, and highly depends on the needs of the clients.

A simple publish / subscriber transportation system, would in many cases be sufficient as it scales very easily, the internet is built in this way. There is no need for a consensus system like a blockchain because there is no need to protect against double spends. You cannot spend other people’s trust in you, and you issue as many trust claims as you like.

Claims and Packages

Designed to be decentralized and still perform on a global scale

  • A claim is a piece of data from an issuer towards a subject
  • Claims are atomic. Single value per claim. Makes them stateless and easy to replace
  • Claims are signed by the issuer and timestamp on a blockchain
  • Claims are self-authentic proveable, able to detect tampering
  • Claims are ordered by their timestamps. Event source pattern
  • Grouping claims of into packages are kind of similar to transactions in a block on a blockchain
  • Packages are shared publicly online with other DTP servers
  • Claims are searchable by loading them into a graph structure on DTP servers

Read more on claims here

Web of Trust graph

Source: http://wot-vis.firebaseapp.com

A graph is built from all the claims issued to subjects. A server will host this graph and serve requests from clients on their network of trust.

The intention is to mimic the web of trust established in real life and make it available for searching. This way, a person can search her or his network for trust in specific subjects without having to contact her or his peers directly.

The power of the graph is the possibility to leverage on your first-degree peer’s trust, but also your peers trusted peers. Usually, the server limits the search to 3 degrees out as the relevance drops with each degree further from you.

Case study

The anonymous reporter

Imagine a dictatorship where the news outlet is highly controlled, and the real information is limited. Imagine a reporter from within the country that want to publish reports about the conditions of things that is not in favor of the ruling government. The problem is how to trust the reports coming out of the country reliably. The dictatorship may also be engaging in fake news fabrication disguised as coming from freedom thinkers. The DTP allows for pseudonymous identity and therefore makes it possible to trust someone how real identity is unknown but are just identified by a public key. The reporter can establish a trusted reputation on the graph network though proof multiple reports that check out correct. This enables the reporter to publish information that immediately can be trusted by other news outlets without the need to verify the information first. Information from unknown sources can be viewed with a high degree of suspicion as there is no reputation behind it.

Sharing of trust

Just like the information can be open on the Internet or closed in an Intranet, the trust data can be shared openly across systems or kept on a closed server. The protocol does not define any rules in this regard, but the incentive is to share the trust claims openly as it will increase the value of the web of trust network for everyone to leverage on.

Conclusion

The Digital Trust Protocol (DTP) is an open and license-free (MIT) protocol for the handling of trust in the digital space. It handles this by use of public/private keys pairs and cryptographic proofs and blockchain timestamping, to ensure that data is immutable. This enables the data to be used and shared across systems and platforms in a decentralized way. The protocol enables people to leverage on their peers trusted networks and establish provable credentials. Trusting information from sources that are trusted in your network makes it highly useful.

Trust is the basis for identity, reputation, and security. Therefore the potential for applications to be built on the protocol is endless.

True decentralized social platforms can leverage on the protocol as the incentive to build up and keep a good reputation far outweigh the cost of trolling. In a sense, the protocol creates an environment of self-regulation within the context of the subject.

Want to join the project?
Contact me on postmaster@digitaltrustprotocol.org

Resources

DTP whitepaper
https://github.com/DigitalTrustProtocol/Whitepaper

DTP server (working alpha)
https://github.com/DigitalTrustProtocol/DtpSolution

DTP browser extension (not working)
https://github.com/DigitalTrustProtocol/TrustBrowserExtension
NB! Chrome only supported for now.

--

--