What’s the Difference and Why Are They Both Essential?
At some point in a real world commercial interaction, we are used to being asked for some combination of financial and identity information. Sometimes it’s just the former (a credit card), sometimes just the latter (a driver’s license), sometimes both. When we get these requests, we reach into a pocket or purse for our wallet and pull out the appropriate cards.
Like the leather version, a software wallet holds or stores information that we can use to prove certain things about ourselves as we move around the Web (whether 2 or 3). Also like the leather version, wallets can hold financial information or identity information. Generally, the information in a wallet is unique to the owner of the wallet. It is by presenting that information to other parties — and, critically, proving I have the right to do so — that I prove to those other parties certain facts about myself.
A browser extension that remembers your credit card information and pre-fills online forms is a simple sort of financial wallet. The same extension that stores your shipping address and populates forms so you don’t need to is likewise a simple form of identity wallet. The same extension likely generates and remembers unique passwords for the various sites you authenticate to and so mitigates the risk of weak passwords that would otherwise be the default.
As useful as these sorts of browser extensions are, they don’t fundamentally alter the existing trust model for the Web. While a browser extension can remember and fill my credit card number to the ecommerce site, the subsequent validation of the card happens via existing (centralized) rails. Similarly, while the passwords a browser extension generates will almost certainly be stronger than those I myself would pick (for their ease of recall), they are still passwords and so do not appreciably change the risk of compromise if the server is hacked.
The next generation of wallets use cryptography to more tightly bind the information they store to the legitimate owner, and so offer greater protection against theft & compromise.
Calaxy’s wallet will house both crypto assets and identity assets, in the same way your leather wallet holds, say, cash and your driver’s license.
1. Crypto Assets
Cryptocurrencies rely on public key cryptography to give users direct control over the assets they own — this ownership is tracked on public blockchains or decentralized ledger technologies (DLTs). Generally, every user has a cryptographic key pair — one of the key’s is public and serves as an identifier for the user’s particular corner of the network — this is similar to the address at your house, or a website url, the other key is a secret or private key and held by (and only known by), the user (you can think of this as the deed to your house, or the admin password to your website URL manager). It is by proving they control the private key (through a digital signature over some data) that a user demonstrates they are authorized to transfer their assets (in the same way holding the deed to your house authorizes only you to sell it if and when you choose). When validating such a transfer request, the nodes of the network lookup up the public key that corresponds to the sender and verifies that the digital signature on the request was created by the corresponding private key (they don’t see the private key itself). If this validation succeeds, then the nodes perform the requested transfer and update the balances accordingly.
The security of the assets thus depends on how well the private key is protected. If a user loses or forgets their private key, then they lose the ability to create a digital signature necessary to transfer assets (imagine there being only one paper copy of the deed to your house, and you accidentally run it through the shredder or it gets burned — there is no way to now prove you own the house, or have the right to sell it.. serious business!). If the private key is stolen, then the thief has full ability to steal the corresponding assets because with the key they can create the required signatures.
A crypto wallet is software that helps users store and manage private keys and create the digitally signed transactions that, when submitted to the blockchain for validation, serve to transfer assets.
Wallets are differentiated by where they store the private key and where the digital signatures are created — either in a centralized exchange like Binance, your mobile phone’s secure storage, in a browser extension, or in a hardware device. Storing your private key in a centralized exchange is like keeping cash stored in your bank account. Here, the risk of losing your cash or it getting stolen isn’t solely in your control. The bank might go bankrupt, or get hacked or robbed. A similar risk exists with use of a centralized exchange for storage…your private key could be compromised in the event of a hack or other successful endeavor by a bad actor.
This is why it is the preference of some users to store their private keys in a hardware device (“cold storage”) — which is like you storing all your cash under the mattress at home. Your cash exists nowhere else in the world but under your mattress. Here, you hold all the risk of not losing your cash, or preventing someone from stealing it — which might be preferential to you if you don’t trust the banks, or your own computer. But… If you lose your cash or it gets stolen.. you’re screwed. There is no fallback.
Calaxy users will use the crypto wallet functions in the mobile app to control the buying and selling of their tokens — both $CLXY and NFT Collectibles. The private key for the user’s associated Hedera account will be stored in the wallet. The Calaxy web app will likely integrate with a browser extension-based Hedera wallet like HashPack — the private key for that Hedera account either stored in the extension or in a hardware wallet like Ledger.
2. Identity Assets
Web users are accustomed to seeing ‘Sign In with X’ options when attempting to log into a website. These models generally rely on directing the user’s web browser to some other website (e.g. Facebook) where they sign in. Based on that authentication, the user’s browser is redirected back to the original site with an assertion as to the user’s identity. Trusting that assertion (and that it came from Facebook) the website logs the user in.
The above model can simplify authentication for users, and helps to reduce the number of weak passwords that the user might be otherwise tempted to use to login. However, they do presume that Facebook or similar is actively involved in mediating a users’ logins at various other web sites.
From a privacy perspective, it might be preferable to remove Facebook and similar identity providers from the role of active mediation, and give to users more freedom and autonomy over where (and how) they authenticate.
In a decentralized identity architecture, a user stores identity information locally (e.g. on their mobile phone) and presents that identity information as required and appropriate as they navigate the web. There can still be a role for providers like Facebook to assert identity attributes about users, but they do so a priori and not in real time (as in the flow described above). This temporal disintermediation mitigates the power of the identity providers to either prevent users from accessing certain sites or inappropriately sniffing around which corners of the web a user is visiting.
An identity wallet is software that stores identity data for a user and gives to that user control over where (and how) that identity data is presented. A key function is that an identity wallet removes from the user the burden of remembering passwords for authentication at web sites by automating the generation of cryptographic key pairs. So ease of signing in just like “sign in with google” is still there, but you, the user, hold the actual credentials now.. Not Google on their servers. You get to decide who, or what, sees this personal data.
Another common (but not necessary) aspect of decentralized identity architecture is leveraging a public blockchain as a repository of metadata about the identity information (not the identity attributes themselves) that facilitates its validation. One example is storing the public key of an issuer of credentials on a public blockchain such that it can be easily discovered and retrieved by parties verifying those credentials.
Calaxy users will use the identity wallet functions in the mobile app to own and control the presentation of their identity credentials. As an example, a Creator will be issued a Verifiable Credential (VC) that attests to (confirms) their influence — these VCs are stored in the identity wallet of the Creator. The private keys that correspond to the different decentralized identifiers (DIDs) for that Creator will be stored in their wallet. Whenever the Creator is interacting with another app in the Creator’s Galaxy protocol, they would use the identity wallet to select the appropriate credential to present to establish their Creator bona fides, without the need for that app to actually see the underlying data that was used to establish that Creator as “verified”. This is like being able to show your American Passport to a customs officer. All you need to show is the passport.. All of the underlying information, like where you are originally from (if you immigrated), specific details around why you were accepted for American Citizenship, how you scored on the English proficiency test etc. do not need to be looked at all over again by the Customs officer. All of that information is wrapped up in the fact that you now hold, and present, an authentic American Passport. Importantly, the customs Officer is not determining whether or not you qualify as an American Citizen based on all of the underlying criteria like your English proficiency score.. They are simply looking at the passport document that already has that data verified and accepted (“built in”). In crypto, the technical term for this is “Zero Knowledge Proof”. I don’t need to know all the details about your identity.. I just need the badge that verifies those details are true and accurate.. and we can carry on.
Nb There is a recent trend towards using crypto wallets as an identity wallet, eg ‘Sign in with ETH’. If the only requirement for identity is establishing yourself as the owner of a given account, then this might be sufficient. If however, other identity attributes, such as Know Your Customer (KYC) status, are needed, then the value of a true identity wallet supporting the VC & DID standards arguably becomes necessary.
Summary
Crypto & identity assets will be a key piece of Web3. It is through these types of assets that users will view & manage their crypto and identities. For an app like Calaxy, both types of assets are fundamental.
