About the Author
Graeme Moore is the Head of Tokenization at the Polymesh Association, a not-for-profit dedicated to the growth of the Polymesh blockchain ecosystem. He is also the author of "B is for Bitcoin," the first ever ABC book about Bitcoin. The views expressed here are his own and do not necessarily represent those of Decrypt.
While normalized in the Web2 world, identity verification isn’t a reality on Web3—yet. With world regulators from the European Union to South Korea passing virtual asset legislation this year, on-chain know your customer has become a regulatory inevitability.
Known in the financial industry as KYC, know your customer verifies that an individual is a valid human, and that they are who they say they are. For blockchain—often blighted by bots—this trust in a real-life human offers important protection. Rogue bots can funnel millions of dollars from ecosystems in a matter of weeks.
Decentralized finance (DeFi) needs more than just proof of being human, however. Without proper controls, the DeFi environment offers unbridled freedom—and a lack of enforceable regulation leaves the temptation to exploit high.
More than proof of known identity, DeFi needs proof of trust. Web3 needs a way to both verify a user’s identity and build their reputation, with which (perceived) trust is intertwined.
KYC won’t cut it. Unless an identity is explicitly on a sanction list, KYC can’t attest—or prove—the identity’s trustworthiness.
Until this issue is tackled, blockchain’s most valuable use cases—like decentralized voting—can’t lift off. “This is one of the reasons why nine years later, we just have NFTs and asset tokens,” says Ethereum founding member Steve Dakh.
Attestations, attestations, attestations
Dakh is now building the Ethereum Attestation Service (EAS), a primitive for any entity to make attestations on the ledger about anything at all. From those attestations, other entities can derive a relative idea of trust. Dakh believes this base layer protocol opens the door for everything Ethereum’s founding members were hoping for when Ethereum was founded.
“When we started building EAS, it was important to find the heart of what identity actually is. And this is a construct aggregate of attestations about an entity,” says Dakh. Dakh and his team realized they could represent identity and reputation on-chain as an aggregate of attestations, much like how identity works in the real world.
Attestations are claims about one identity, usually made by another identity, that can be independently verified. Attestations can thus provide a common method to communicate intentions or claims about identities that can be used as evidence of trust.
Attestations work by making reference to identifiers, such as a legal name, address, or social security number. For example, your U.S. passport uses identifiers like your legal name when attesting you’re a citizen of the United States. Border agents can later check this claim’s validity by scanning your passport to compare it with a database.
The passport example shows how attestations work in ordinary life. On the blockchain, attestations are tied to on-chain identifiers. This could be a decentralized identifier (known as a DID), a wallet, a small multi-signature address, or something else. Identity and reputation become representable as an aggregate of attestations tied to this identifier.
The value of attestations—one’s aggregate reputation—is relative to the receiver’s trust in the entities making them. Smart contracts can be set to only interact with entities that either provably possess or provably do not possess certain attestations, or that meet a complex set of criteria built from them. You might choose to trust one entity or multiple, companies or individuals, or claims of X or Y.
In certain use-cases—such as voting—you might choose to only trust proven attestations signed by one powerful authority, such as a government. For other use-cases—such as intellectual property—you might choose to trust thousands of disparate authorities.
You might choose to interact with identities with proven attestations signed by certain entities but not others. For example, one government may choose to trust attestations by a select group of other governments, but not those on its sanction list.
What one company wants to exclude, another may wholly include. For example, legacy institutions may choose only to trust attestations by themselves or by one or a few traditional KYC providers, but certainly not individuals. Other use-cases—like proving social trust—may only care about attestations signed by individual people.
Combined with zero-knowledge proofs, which provide a mechanism for proving data validity without revealing the data itself, attestations also enable entities to prove facets of identity information without revealing the entire contents. This is useful for KYC as it means individuals can independently verify different aspects of their identity as required for compliance. For example, they can share their social security number without sharing their legal name.
A more universally valuable use case is providing ID to purchase alcohol or lottery tickets, or gain entry to a venue. Instead of showing a cashier or bouncer your entire ID, you can just show them a zero-knowledge proof that an attestation was made of your birthday by the government, which they can verify.
Flexible identity models
What’s cool about on-chain attestations is that they can be made for practically anything, enabling much more meaningful interaction at large scale than is currently possible. They can be modeled on traditional attestations—such as birthday or accredited investor status—but also anything else one deems important: music taste, Twitter profile, proof of authorship, real-life meeting, one’s employment history.
This flexibility enables participants to not only choose which entities they trust, but also how quantitative or qualitative they want this trust to be. It’s possible to move beyond one entity verifiably making true or false claims about other identities—e.g. the government attesting that your passport number is true, or a platform attesting that you really published a post—and create actual relative identity data.
Attestations also empower modularity. It’s possible to decide that possessing attestation 1 and 2—say, friend of Graeme and 10k+ Twitter followers—makes an identity trustworthy even when you don’t like attestation 3, music taste.
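The receiver-side logic described above (trust relative to who made the attestation, gating on claims an identity does or does not hold, and combining claims modularly) can be sketched as a small policy evaluator. This is an added example, not code from EAS or from the author; the record layout, claim names and identifiers are assumptions made for illustration, and the ledger is assumed to record the attester authentically.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Attestation:          # simplified record, not EAS's schema
    attester: str           # identifier of the entity making the claim
    subject: str            # identifier the claim is about
    claim: str
    revoked: bool = False

@dataclass(frozen=True)
class Policy:
    trusted: dict                     # claim -> attesters this verifier trusts for it
    require: dict = field(default_factory=dict)  # claim -> min distinct trusted attesters
    forbid: tuple = ()                # claims the subject must not hold

def backers(ledger, policy, subject, claim):
    """Trusted attesters with a live (unrevoked) attestation of claim about subject."""
    allowed = policy.trusted.get(claim, set())
    return {a.attester for a in ledger
            if (a.subject, a.claim) == (subject, claim)
            and not a.revoked and a.attester in allowed}

def evaluate(ledger, policy, subject):
    """Return (accepted, reasons). Untrusted attesters count for nothing, so a
    stranger can neither vouch for a subject nor block one with a negative claim."""
    reasons = []
    for claim, need in policy.require.items():
        have = len(backers(ledger, policy, subject, claim))
        if have < need:
            reasons.append(f"{claim}: {have}/{need} trusted attesters")
    for claim in policy.forbid:
        if backers(ledger, policy, subject, claim):
            reasons.append(f"{claim}: forbidden claim present")
    return (not reasons, reasons)

# Constructed sample ledger; every identifier below is made up.
LEDGER = [
    Attestation("gov:a", "wallet:alice", "kyc_passed"),
    Attestation("user:graeme", "wallet:alice", "friend"),
    Attestation("user:bob", "wallet:alice", "friend"),
    Attestation("user:mallory", "wallet:alice", "sanctioned"),  # untrusted attester
    Attestation("user:mallory", "wallet:carol", "kyc_passed"),  # untrusted attester
    Attestation("gov:a", "wallet:carol", "sanctioned"),
    Attestation("gov:a", "wallet:dave", "kyc_passed", revoked=True),
]
BANK = Policy(trusted={"kyc_passed": {"gov:a"}, "sanctioned": {"gov:a"}},
              require={"kyc_passed": 1}, forbid=("sanctioned",))
SOCIAL = Policy(trusted={"friend": {"user:graeme", "user:bob"}},
                require={"friend": 2})
```

The same ledger yields different answers per verifier: `evaluate(LEDGER, BANK, "wallet:carol")` rejects on both counts, while the untrusted "sanctioned" claim against `wallet:alice` has no effect on either policy.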
Protocols like EAS enable these interactions between identities and reputation to be represented on-chain—and interoperable between platforms—with one atomic unit. Other solutions, like Intuition, are experimenting with peer-to-peer identity models leveraging these protocols to gamify the production of useful identity-related metadata beyond one-to-one deterministic claims.
Imagine being able to parse interactions based on identity with this much flexibility and modularity, just by toggling certain signing entities or types of claims on or off. While it’s not clear yet exactly what this will look like on a technical level—the infrastructure is only in its infancy—this is where blockchain is headed. Prepare your rockets: decentralized finance will take off after all.