This repository has been archived by the owner on Mar 8, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 17
/
verifiable-payid-protocol.txt
1232 lines (836 loc) · 47.4 KB
/
verifiable-payid-protocol.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Network Working Group A. Malhotra
Internet-Draft D. Schwartz
Intended status: Standards Track Ripple
Expires: January 18, 2021 July 17, 2020
Verifiable PayID Protocol
draft-aanchal-verifiable-payid-protocol-01
Abstract
This specification defines the Verifiable PayID protocol - an
extension to [PAYID-PROTOCOL] that aims to provide payment account(s)
information associated with a PayID [PAYID-URI] while allowing
involved parties to exchange "identity" information and provides
third-party verifiable cryptographic proof trail of the entire
communication. More specifically, the Verifiable PayID protocol
provides the following enhancements to the Basic PayID
protocol[PAYID-PROTOCOL].
o Verifiable Custodial PayID service: It allows custodial wallets
and exchanges to send payment account(s) address information and
other resources digitally signed with their off-ledger private
key.
o Verifiable Non-Custodial PayID service: It allows non-custodial
wallets and exchanges to send payment account(s) address
information digitally signed with the off-ledger private key of
the PayID owner along with PayID owner's "identity" information.
o Privacy-enhanced PayID service: It allows PayID service providers
(both custodial and non-custodial) to deploy appropriate access
control mechanisms by allowing the PayID clients or senders to
transmit their "identity" information for authentication.
Feedback
This specification is a draft proposal, and is part of the PayID
Protocol [1] initiative. Feedback related to this document should be
sent in the form of a Github issue at: https://github.com/payid-
org/rfcs/issues.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Malhotra & Schwartz Expires January 18, 2021 [Page 1]
Internet-Draft Verifiable PayID Protocol July 2020
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 18, 2021.
Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Verifiable PayID Protocol Specification . . . . . . . . . . . 5
3.1. Basic Operations . . . . . . . . . . . . . . . . . . . . 5
3.1.1. PayID Client Requesting the PaymentInformation
Resource . . . . . . . . . . . . . . . . . . . . . . 5
3.1.2. PayID Server Responding to the PaymentInformation
Resource Request . . . . . . . . . . . . . . . . . . 6
3.2. JSON Payloads . . . . . . . . . . . . . . . . . . . . . . 6
3.2.1. PayID Client Request Query Body for
PaymentInformation Resource . . . . . . . . . . . . . 6
3.2.2. PayID Server Response Body for PaymentInformation
Resource Request . . . . . . . . . . . . . . . . . . 6
3.2.3. SignatureWrapper . . . . . . . . . . . . . . . . . . 7
4. Custodial and Non-Custodial PayID Service Providers . . . . . 8
5. Verifiable PayID Protocol for Custodial Wallets and Exchanges 9
5.1. Step 1: Preparing the HTTP Request to PayID URL using
HTTP POST Method . . . . . . . . . . . . . . . . . . . . 9
5.2. Step 2: Preparing the PaymentInformation Response . . . . 9
Malhotra & Schwartz Expires January 18, 2021 [Page 2]
Internet-Draft Verifiable PayID Protocol July 2020
5.2.1. Preparing the payment account(s) information message 9
5.2.2. Preparing SignatureWrapper message . . . . . . . . . 10
5.3. Step 3: Parse PaymentInformation Response . . . . . . . . 10
6. Verifiable PayID Protocol for Non-Custodial Wallets and
Exchanges . . . . . . . . . . . . . . . . . . . . . . . . . . 11
6.1. Discussion Section on distributing PayID owner's keys . . 11
6.1.1. identity field in payment account(s) information
message . . . . . . . . . . . . . . . . . . . . . . . 11
6.1.2. Embed the public key of PayID owner in the PayID . . 12
6.2. Step 1: Preparing HTTP Request to PayID URL using HTTP
POST Method . . . . . . . . . . . . . . . . . . . . . . . 13
6.3. Step 2: Preparing PaymentInformation Response . . . . . . 13
6.4. Step 3: Parsing the PaymentInformation Response . . . . . 13
7. Example Use of the Verifiable PayID Protocol . . . . . . . . 13
7.1. Verifiable PayID Protocol by a Custodial Wallet as PayID
server . . . . . . . . . . . . . . . . . . . . . . . . . 13
7.2. Verifiable PayID Protocol by a Non-Custodial Wallet as
PayID Server . . . . . . . . . . . . . . . . . . . . . . 16
8. Security Considerations . . . . . . . . . . . . . . . . . . . 16
8.1. Fully-Malicious Adversary Model for PayID Client Wallet
and Custodial Wallets and Exchanges as PayID Servers . . 17
8.1.1. Cryptographic Proofs . . . . . . . . . . . . . . . . 18
8.2. Fully Compromisable Custodial PayID Server Wallet
(hot/always online systems): Adding another Layer of
Security. . . . . . . . . . . . . . . . . . . . . . . . . 18
8.3. Security Model for Non-Custodial PayID Server Wallets . . 19
9. Privacy Considerations . . . . . . . . . . . . . . . . . . . 20
9.1. Access Control . . . . . . . . . . . . . . . . . . . . . 20
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 20
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 21
12.1. Normative References . . . . . . . . . . . . . . . . . . 21
12.2. Informative References . . . . . . . . . . . . . . . . . 22
12.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22
1. Terminology
This protocol can be referred to as the "Verifiable PayID Protocol".
It uses the following terminology.
o endpoint: either the client or the server of the connection.
o sender: individual or entity originating the transaction.
o PayID client: the endpoint that initiates PayID protocol/sending
side of the transaction.
Malhotra & Schwartz Expires January 18, 2021 [Page 3]
Internet-Draft Verifiable PayID Protocol July 2020
o PayID server: the endpoint that returns payment account(s)
information/receiving side of the transaction (custodial or non-
custodial wallets, exchanges, etc).
o receiver/PayID owner: individual or entity receiving the
transaction/owner of the PayID[PAYID-URI].
The terms "receiver" and "PayID owner" are used interchangeably.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
[RFC2119] and [RFC9174][].
2. Motivation
Basic PayID protocol [PAYID-PROTOCOL] specifies a protocol to
interact with a PayID server and retrieve a payment account(s)
information resource along with other meta-data corresponding to the
queried PayID. The protocol relies on the underlying secure
transport (TLS 1.3 [RFC8446]) to ensure message integrity and privacy
from network attackers. There are at least two assumptions in the
security and privacy model of the basic PayID protocol that are less
desirable.
1. Trust requirement between the PayID client and PayID server: As
pointed out in the security considerations section of the
[PAYID-PROTOCOL], PayID server has full control over the contents
of the response message, and may go rogue or be compromised. The
PayID client has no way of knowing if the PayID server behaves
maliciously. This implicit trust assumption between the PayID
client and server is not ideal in the world where the information
provided by the PayID server may be used by the PayID client to
transmit money.
2. Privacy: Per [PAYID-PROTOCOL], anyone can query the PayID server
and retrieve the payment account(s) information corresponding to
the queried PayID. The PayID server or PayID owner has no way of
deploying access control mechanisms since the "identity" of the
PayID client and the sender is unknown to the PayID server.
The motivation for the Verifiable PayID protocol is threefold:
1. Eliminate implicit trust assumption between the PayID client and
server: While it is not possible for the protocol to prevent
PayID server from acting maliciously, the best we can do is to
allow for mechanisms in the protocol that enables PayID client to
Malhotra & Schwartz Expires January 18, 2021 [Page 4]
Internet-Draft Verifiable PayID Protocol July 2020
prove this misbehaviour to third-parties and potentially hold the
PayID server legally accountable for misbehaving.
2. Enhance privacy of the PayID protocol by allowing the PayID
client to share their and sender's "identity" information with
the PayID server. This information could then be used to:
* Give the PayID owner and/or PayID server the ability to decide
if they want to share their payment account(s) information and
other resources with the PayID client or the sender.
* Allow for an open standards based way for endpoints to keep
verifiable records of their financial transactions, to better
meet the needs of accounting practices or other reporting and
regulatory requirements.
3. Ensure that if the PayID server is compromised, an attacker
cannot swap a payment address in the payment account information
response and redirect funds to the attacker-controlled payment
network and address. Allow the PayID server or PayID owner to
pre-sign "PaymentInformation" in a cold/airgapped system offline
instead of online on a hot wallet.
4. Allows for non-custodial service providers to run non-custodial
PayID service by allowing the PayID owners to digitally sign the
"PaymentInformation" resource locally on their device with their
off-ledger private keys and send PayID owner's "identity"
information in the response. This information can then be used
by the PayID client and sender to authenticate the PayID owner
and decide if they want to proceed with the transaction.
3. Verifiable PayID Protocol Specification
The Verifiable PayID protocol is designed along the same design
principles as [PAYID-PROTOCOL].
3.1. Basic Operations
Following are the basic operations performed by the verifiable PayID
client and PayID server to retrieve "PaymentInformation" resource
corresponding to PayID.
3.1.1. PayID Client Requesting the PaymentInformation Resource
When requesting the payment accounts(s) information resource per
[PAYID-PROTOCOL] that is digitally signed and requires input
parameters, the PayID client uses the HTTP "POST" method with path
Malhotra & Schwartz Expires January 18, 2021 [Page 5]
Internet-Draft Verifiable PayID Protocol July 2020
parameter "payment-setup-details" with an optional payload in JSON
format. We define this resource as a "PaymentInformation" resource.
3.1.2. PayID Server Responding to the PaymentInformation Resource
Request
Upon receiving a request for a "PaymentInformation" resource that the
PayID server can provide, the PayID server normally returns the
requested response. However, if PayID server does not support the
Verifiable PayID protocol, the PayID server MAY send back an
appropriate error code (TBD) to indicate to the PayID client that the
resource is available via an HTTP "GET" request to an alternate URL.
3.2. JSON Payloads
3.2.1. PayID Client Request Query Body for PaymentInformation Resource
{
optional string identity,
optional string memo
}
3.2.1.1. identity
The type/value of the "identity" field is TBD. We anticipate this
being a mechanism for the PayID client to transmit their or the
sender's "identity" information to the PayID server. This
information can then be used by the PayID server/PayID owner to *
Enhance privacy by exercising access control mechanisms such as
authorized access via accept/deny lists, etc. for the
"PaymentInformation" or other resources for a PayID. * Record-
Keeping
3.2.1.2. memo
The type/value of the "memo" field is TBD. "memo" field is a
placeholder to ensure protocol extensibility. e.g. for the primary
use-case of making payments, the PayID client MAY send information
such as amount, scale, etc. necessary to make the payment. //TBD:
The request body parameters will depend on the use-case.
3.2.2. PayID Server Response Body for PaymentInformation Resource
Request
Refer to the payment account(s) information resource in
[PAYID-PROTOCOL].
Malhotra & Schwartz Expires January 18, 2021 [Page 6]
Internet-Draft Verifiable PayID Protocol July 2020
3.2.3. SignatureWrapper
"SignatureWrapper" is an encapsulating wrapper for any verifiable
PayID protocol messages. It allows for the generation of
cryptographically signed third-party verifiable proofs of the
contents of the messages exchanged between the participating
endpoints. We define "SignatureWrapper" as JSON object with the
following name/value pairs:
{
required string messageType,
required Message message,
required string publicKeyType,
required array publicKeyData,
required string publicKey,
required string signature
}
3.2.3.1. messageType
The value of "messageType" is the message type of the signed
"message". "messageType" is essential for future extensibility of the
protocol to include more message types. We define the following enum
for message types: enum messageType { PaymentInformation }
3.2.3.2. message
The value of "message" includes the contents of the Verifiable PayID
protocol message of the type "messageType" to be signed.
3.2.3.3. publicKeyType
The value of "publicKeyType" is the Public Key Infrastructure
(PKI)/identity system being used to identify the signing endpoint.
e.g. "X509+SHA512" means an X.509 certificate as described in
[RFC5280] and SHA512 hash algorithm used to hash the contents of
"message" for signing. This field defaults to empty string. We
define the following "publicKeyType" values. One can register more
in future.
Malhotra & Schwartz Expires January 18, 2021 [Page 7]
Internet-Draft Verifiable PayID Protocol July 2020
+---------------+--------------------------------------------------+
| publicKeyType | Description |
+---------------+--------------------------------------------------+
| X509+SHA512 | A X.509 certificate [RFC5280] |
| | |
| pgp+SHA512 | An OpenPGP certificate |
| | |
| ecdsa+SHA256 | A secp256k1 ECDSA public key [RFC6979] [RFC8422] |
+---------------+--------------------------------------------------+
3.2.3.4. publicKeyData
The value of "publicKeyData" is the PKI-system/identity data used to
identify the signing endpoint who creates digital signatures over the
hash of the contents of the "message". e.g. in the case of X.509
certificates, it may contain one or more X.509 certificates as a list
upto the root trust certificate. Defaults to empty.
3.2.3.5. publicKey
The value of "publicKey" is the contents of the public key. Defaults
to empty.
3.2.3.6. signature
The value of "signature" is the digital signature over the hash of
the contents of the "message" using the private key corresponding to
the public key in "publicKey". This is a proof that the "message"
was signed by the corresponding private key holder.
4. Custodial and Non-Custodial PayID Service Providers
We anticipate that the most common use-case for retrieving the
"PaymentInformation" resource is to make transactions. We can
categorize the providers of such services as follows: * Custodial
wallets and exchanges: Custodial wallets and exchanges hold the
private keys of their customers on their servers and essentially hold
their funds. There is an implicit trust between the custodial
service provider and their customers.
o Non-Custodial wallets and exchanges: Non-custodial wallets and
exchanges do not store their customers' keys on their servers.
The customers hold their private keys locally on their device.
[Arguably] there is a no trust requirement between the non-
custodial wallets and exchanges and their customers. Since the
customers hold the private keys so the wallets are not liable for
any consequences coming from the lost, compromised or hacked
private keys of the customers. Nor do they need their customers
Malhotra & Schwartz Expires January 18, 2021 [Page 8]
Internet-Draft Verifiable PayID Protocol July 2020
to trust their servers in case wallet's servers go malicious or
are compromised.
Notice that the custodial and non-custodial service providers operate
under different trust models. To continue operating under the same
trust model, verifiable PayID requires slightly different treatment
for custodial and non-custodial service providers.
5. Verifiable PayID Protocol for Custodial Wallets and Exchanges
The Verifiable PayID protocol flow is similar to that of the Basic
PayID protocol [PAYID-PROTOCOL] with the following modifications.
Sender PayID client PayID server Receiver
| | | |
|PayID, etc.| | |
|---------->| | |
| | 1.) POST /payment-setup-details request to PayID URL | |
| |--------------------------------------------------------->| |
| | 2.) 200 Ok | |
| | Signed PaymentInformation response | |
| |<---------------------------------------------------------| Optional |
| | |notification|
| | |----------->|
| | | |
5.1. Step 1: Preparing the HTTP Request to PayID URL using HTTP POST
Method
A verifiable PayID client issues a query using the HTTP "POST" method
to the PayID URL with path parameter "payment-setup-details" and
optional body parameters as described above.
5.2. Step 2: Preparing the PaymentInformation Response
In response, the PayID server returns a JSON representation of the
"PaymentInformation" resource. "PaymentInformation" resource is the
"signed" payment account(s) information message [PAYID-PROTOCOL] for
the payment-network and environment requested by PayID client in the
request "Accept" header field along with other required and optional
metadata as "message" field in the "SignatureWrapper".
5.2.1. Preparing the payment account(s) information message
o Set "payId" to the value of the PayID in the client query. This
is a required field in the Verifiable PayID protocol.
o Set "addresses" to the value as described in [PAYID-PROTOCOL]
Malhotra & Schwartz Expires January 18, 2021 [Page 9]
Internet-Draft Verifiable PayID Protocol July 2020
o Optionally set "memo" to any additional information.
o "identity" field is optional.
o Optionally set "proofOfControlSignature" to the value as described
in [PAYID-PROTOCOL].
5.2.2. Preparing SignatureWrapper message
o Set "messageType" to "PaymentInformation".
o Set "message" to the value of the payment account(s) information
message as generated above.
o Set "publicKeyType" to one of the values described in the
Section above.
o Set "publicKeyData" to the data corresponding to the value in
"publicKeyType".
o Set "publicKey" to the value of the public key of the signing
endpoint (PayID server.)
o Sign the "message" using the hash algorithm and the signature
scheme corresponding to the value in "publicKeyType"
o Set "signature" to the result of the signature operation in the
previous step.
Send the signed payment account(s) information message as
"PaymentInformation" response to the client.
5.3. Step 3: Parse PaymentInformation Response
If the PayID server returns a valid response, the response will
contain one or more of the fields defined above. The PayID client
will then:
o Verify the "publicKey" using the information in the
"publicKeyType" and "publicKeyData" in the response.
o Verify the signature retrieved from the "signature" field using
the public key verified in the previous step.
o Retrieve payment account(s) information message from the "message"
field of the "PaymentInformation" Response.
Malhotra & Schwartz Expires January 18, 2021 [Page 10]
Internet-Draft Verifiable PayID Protocol July 2020
All the verification steps MUST pass. The PayID client proceeds to
the next step only if the previous step passes, otherwise it
generates the relevant Error message (//TBD).
6. Verifiable PayID Protocol for Non-Custodial Wallets and Exchanges
Pre-step at PayID owner's (non-custodial wallet's customer) device
locally. For each "payment-network" and "environment" as described
in [PAYID-PROTOCOL] that the PayID owner has a payment address for,
generate the following payment account(s) information message * Set
"payId" to the value of the PayID. This is a required field in the
Verifiable PayID protocol. * Set "addresses" to the value as
described in [PAYID-PROTOCOL] * Optionally set "memo" to any
additional information. * "identity" field is TBD. *
"proofOfControlSignature" is optional described in [PAYID-PROTOCOL]
and is not required in this case.
For each payment account(s) information message, prepare
"SignatureWrapper" message * Set "messageType" to
"PaymentInformation". * Set "message" to the value of payment
account(s) information message as generated above. * Set
"publicKeyType" to one of the values described in Section X. * Set
"publicKeyData" to the data corresponding to the value in
"publicKeyType". * Set "publicKey" to the value of the public key of
the signing endpoint (PayID server.) * Sign the "message" using the
hash algorithm and the signature scheme corresponding to the value in
"publicKeyType" * Set "signature" to the result of the signature
operation in the previous step.
This signed payment account(s) information message is then securely
transferred to the non-custodial PayID server and stored by the PayID
server as a "PaymentInformation" resource.
6.1. Discussion Section on distributing PayID owner's keys
In this subsection, we discuss potential ways to distribute the keys
of the PayID owner used to sign the message. Once we reach a
consensus, it will be added to the relevant sections of this document
and this subsection will be removed. Following are the two possible
approaches:
6.1.1. identity field in payment account(s) information message
The following table enumerates the possible ways to share the public
key of PayID owner using "identity" field.
Malhotra & Schwartz Expires January 18, 2021 [Page 11]
Internet-Draft Verifiable PayID Protocol July 2020
+----------------------------+--------------------------------------+
| identity | Description |
+----------------------------+--------------------------------------+
| Global Identifier (GiD) | digital identifier |
| [GiD] | |
| | |
| Human Universally Unique | digital identifier |
| Identifier (Human UUID) | |
| [HUUID] | |
| | |
| Digital Identifier (DID) | digital identifier |
| [DID] | |
| | |
| Certificate | attested certificate that associates |
| | digital identifier to PayID and |
| | public key |
| | |
| URL | URL for secure retrieval of public |
| | key of the PayID owner |
| | |
| Public key | out-of-band pre-shared public key |
| | between PayID client and PayID owner |
+----------------------------+--------------------------------------+
o Digital identifier: A global digital identifier that uniquely
associates the "PayID owner's identity" as defined by the
identifier (GiD, HUID, DID, etc.) to the "PayID" and "public key".
The PayID client can then verify the "public key" using the
digital identifier. This could be a direct retrieval of the
corresponding "public key" from a digital identity service
provider if PayID is a part of that digital identifier.
o Certificate: An attested certificate that associates digital
identifier such as GiD, Human UUID, DID, etc. to the "PayID" and
"public key".
o URL: A URL for secure retrieval of "public key" of the PayID
owner.
o Pre-shared public Key: The public key that has been pre-shared
out-of-band between the PayID client and PayID owner.
6.1.2. Embed the public key of PayID owner in the PayID
PayID [PAYID-URI] could support non-custodial systems with a fairly
simple extension to the protocol to run non-custodial PayID servers
that could not be hacked or tricked into sending money to the wrong
place. The idea is to reserve the hostname "pkh" for "public key
Malhotra & Schwartz Expires January 18, 2021 [Page 12]
Internet-Draft Verifiable PayID Protocol July 2020
hashes" and support a PayID format like
"public_key_hash"$pkh.provider.domain. PayID client implementations
would require that any "PaymentInformation" resource that resulted
from the PayID of that form be signed with the "private key"
corresponding to that "public key hash". So only a
"PaymentInformation" signed by the owner of the PayID would work.
The caveat is that the PayID format is not human-readable anymore.
The solution is simple: the non-custodial wallets and exchanges would
provide a non-human-readable PayID of the form
"public_key_hash"$pkh.provider.domain, but the customers may get a
human-readable PayID from another trusted service providers (say from
their email provider) that maps to the non-human-readable PayID they
got from their non-custodial service-provider. Non-custodial
service-providers could even automate this process by allowing the
user to choose a mapping provider.
// Details TBD
6.2. Step 1: Preparing HTTP Request to PayID URL using HTTP POST Method
Same as in the previous section.
6.3. Step 2: Preparing PaymentInformation Response
The PayID server MUST parse the request body. The protocol does not
provide specification on how the PayID server MAY use this
information.
If the PayID server were to proceed, the PayID server retrieves the
pre-signed "PaymentInformation" response to the PayID client.
6.4. Step 3: Parsing the PaymentInformation Response
The PayID client follows the same verification steps as in the
previous section. Details to be decided based on "identity"
solution.
7. Example Use of the Verifiable PayID Protocol
This section shows sample use of the Verifiable PayID protocol in
several hypothetical scenarios.
7.1. Verifiable PayID Protocol by a Custodial Wallet as PayID server
Suppose Alice (sender) wishes to send a friend Bob (PayID owner) some
XRP from a web-based wallet provider (PayID client) that Alice has an
account on. Alice would log-in to the wallet provider and enter
Malhotra & Schwartz Expires January 18, 2021 [Page 13]
Internet-Draft Verifiable PayID Protocol July 2020
Bob's PayID (say, "bob$receiver.example.com") into the wallet UI to
start the payment.
The Wallet application would first discover the PayID URL for the
PayID service-provider using one of the mechanisms described in PayID
discovery protocol [PAYID-DISCOVERY].
The Wallet application would then issue an HTTPS POST request:
POST /users/bob/payment-setup-details HTTP/1.1
Host: www.receiver.example.com
Accept: application/xrpl-testnet+json
PayID-version: 1.0
{
"identity": "TBD",
"memo": "Any additional required information"
}
Bob's wallet who is a custodial PayID server wallet might respond
like this:
Malhotra & Schwartz Expires January 18, 2021 [Page 14]
Internet-Draft Verifiable PayID Protocol July 2020
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 403
PayID-version: 1.0
Cache-Control: max-age=0
Server: Apache/1.3.11
{
"messageType" : "PaymentInformation",
"message" :
{
"payId" : "bob$receiver.example.com",
"addresses" :
[
{
"paymentNetwork" : "xrpl",
"environment" : "testnet",
"addressDetailsType" : "CryptoAddressDetails",
"addressDetails" : {
"address" : "XTVQWr6BhgBLW2jbFyqqufgq8T9eN7KresB684ZSHKQ3oDth"
}
}
],
"memo" : "Additional optional Information",
"proofOfControlSignature" :
{
"publicKey" : "sdkfhjasdvkakjnasdv",
"payId" : "bob$receiver.example.com",
"hashAlgorithm" : "SHA512",
"signature" : "9743b52063cd84097a65d1633f5c74f5"
}
}
"publicKeyType" : "X509+SHA512",
"publicKeyData": [],
"publicKey" : "00:c9:22:69:31:8a:d6:6c:ea:da:c3:7f:2c:ac:a5:af:c0:02:ea:81:cb:65:b9:fd:0c:6d:46:5b:c9:1e:9d:3b:ef...",
"signature" : "8b:c3:ed:d1:9d:39:6f:af:40:72:bd:1e:18:5e:30:54:23:35..."
}
In the above example we see that Bob's custodial PayID server wallet
returned a signed X-Address on XRPL testnet identified by PayID
"bob$receiver.example.com". This is because Alice's wallet asked for
XRPL and testnet payment accounts corresponding to the PayID in the
"Accept" header.
Alice's Wallet MAY then use the payment account information to make
payments.
Malhotra & Schwartz Expires January 18, 2021 [Page 15]
Internet-Draft Verifiable PayID Protocol July 2020
7.2. Verifiable PayID Protocol by a Non-Custodial Wallet as PayID
Server
Consider the same scenario as above.
Bob's wallet who is a non-custodial PayID server might respond like
this:
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 403
PayID-version: 1.0
Cache-Control: max-age=0
Server: Apache/1.3.11
{
"messageType" : "PaymentInformation",
"message" :
{
"payId" : "bob$receiver.example.com",
"addresses" :
[
{
"paymentNetwork" : "xrpl",
"environment" : "testnet",
"addressDetailsType" : "CryptoAddressDetails",
"addressDetails" : {
"address" : "XTVQWr6BhgBLW2jbFyqqufgq8T9eN7KresB684ZSHKQ3oDth"
}
}
],
"memo" : "Additional optional Information",
"identity" : "TBD",
}
"signature" : "TBD"
}
In the above example, the "PaymentInformation" resource is a pre-
signed message with the off-ledger private keys of the PayID owner
Bob. Bob's non-custodial wallet retrieves this response and sends it
to the PayID client.
//TODO Add example for PayID owner's public key embedded in PayID.
8. Security Considerations
This security considerations section only considers verifiable PayID
clients and servers bound to implementations as defined in this
document.
Malhotra & Schwartz Expires January 18, 2021 [Page 16]
Internet-Draft Verifiable PayID Protocol July 2020
The security guarantees mentioned in [PAYID-PROTOCOL] applies to the
Verifiable PayID protocol. In this section, we discuss a security
model for the Verifiable PayID protocol.
8.1. Fully-Malicious Adversary Model for PayID Client Wallet and
Custodial Wallets and Exchanges as PayID Servers
While the Verifiable PayID protocol operates between a PayID client
and a PayID server, there are actually four parties to any payment.
The other two parties are the sender of the payment whose funds are
being transferred and the PayID owner or the receiver of the payment
who the sender wishes to pay.
In the current security model, there is necessarily some existing
trust between the sender and the sender's wallet. The sender's
wallet is holding the sender's private keys and consequently their
funds before the payment is made. Similarly, there is necessarily
some existing trust between the receiver and their custodial wallet
since the receiver has directed that the custodial wallet receive
their funds.
The Verifiable PayID protocol provides a stronger security guarantee:
The ideal scenario that we strive for is that the sender should be
able to hold the PayID client wallet legally accountable if the
institution provably mishandles their funds. Similarly, the PayID
owner/receiver should be able to hold the PayID server wallet legally
accountable if their funds are mishandled. However, this mechanism
requires that it be possible for either wallet to establish that it
acted properly and that the other wallet acted improperly.
Of course, the preferred outcome of any payment is that nothing goes
wrong and both the sender and PayID owner/receiver of the payment are
satisfied that the payment took place as agreed. A less desirable
outcome is that the payment cannot take place for some reason and the
sender still has their money and understands why the payment cannot
take place.
While the protocol cannot possibly prevent the PayID client wallet
from sending the funds to the wrong address or the PayID server
wallet from receiving the funds but refusing to release them to the
PayID owner/receiver, it is vital that the institutions not be able
to plausibly blame each other for a failure where the sender has been
debited but the PayID client/wallet has not been credited.
Accordingly, the security model of the Verifiable PayID protocol
permits four acceptable outcomes:
Malhotra & Schwartz Expires January 18, 2021 [Page 17]
Internet-Draft Verifiable PayID Protocol July 2020
1. The payment succeeds, the sender is debited, and the PayID owner/
receiver is credited.
2. The payment fails, the sender is not debited, and the PayID
owner/receiver is not credited.
3. The payment fails, the sender is debited, the PayID owner/
receiver is not credited, and the sender can show that the PayID
client wallet did not follow the protocol.
4. The payment fails, the sender is debited, the PayID owner/
receiver is not credited, and the sender can show the receiver
that their PayID server wallet did not follow the protocol.
Again, the protocol cannot possibly prevent outcomes 3 or 4 because
the PayID client wallet can always send the money to the wrong
address and the PayID server wallet can always refuse to credit the
PayID owner/receiver. It is, however, critical that the PayID client
and PayID server wallets not need to trust each other to ensure that
one of these four outcomes occurs and that they cannot point blame at
each other.
8.1.1. Cryptographic Proofs
//TODO
8.2. Fully Compromisable Custodial PayID Server Wallet (hot/always
online systems): Adding another Layer of Security.
The Verifiable PayID protocol's security model assumes that the
online servers can be physically or remotely compromised by an
adversary. These are the most attractive attack vectors. There is
sufficient evidence that hot/always online systems are more
vulnerable.
There are multiple cryptographic operations that the PayID server
wallet MUST perform to establish secure communication channels, to
generate signed messages as verifiable cryptographic proofs, etc.
These operations have very different security requirements and
compromising the cryptographic keys required for these operations
have different security implications.
o High-risk impersonation attack to steal funds: If the PayID server