Proof of Authenticity of Crypto-assets with Coinprism

If we want crypto-assets to become mainstream, one important problem to solve is the problem of authenticity. So far, no platform has implemented a solution for authenticity, so this is with excitement that we’re announcing the release of Proof of Authenticity on Coinprism, a much needed innovation in crypto-asset space.

Why is it important?

Let’s first understand the problem. Let’s say a friend owes you $10, and wants to repay you in Starbucks coupons. He sends you 10 STBK in lieu of $10, and tells you that you can spend those at Starbucks. How do you know this is actually true, and those coins are actually issued by the coffee shop Starbucks, and can be redeemed for $10 at those? On Counterparty, Mastercoin or NXT, all you get is an asset identifier, anybody can come and create a coin called STBK or STRK or SRBK, and claim it’s redeemable at Starbucks. However, now you have to do your research and find out yourself if that’s true or not. The perfect breeding ground for scams.

Coinprism goes further. On Coinprism, each coin can be associated with a contract in a decentralized way: the machine-readable contract is hosted by the issuer, and the Blockchain points to that contract. Coinprism knows how to read the contract, and displays it to you. So you can already check that the contract correctly claims that “each coin is worth $1 at Starbucks”.

But still, anybody can write anything on the contract page, and claim to be Starbucks. That doesn’t mean they are. You need to be able to verify the authenticity of the contract, as coming from Starbucks the company.

Verifying that the contract was written – and signed – by the actual “Starbucks Corporation” registered in the US, is key here. If you have a coin, cryptographically bound to a contract saying “you can redeem every one of those coins for $1 at a Starbucks coffee shop”, and this contract is digitally signed by the legal “Starbucks Corporation” entity (which we are all familiar with), then you have an end-to-end Proof of Authenticity of your coin.

The solution is before our eyes

If we take a step back, and look at the Internet today, this problem already exists. When you go to www.overstock.com to buy some bed sheets online, you need to be able to verify the authenticity of the website as coming from “Overstock.com, Inc.”, the company. Someone (your ISP) could intercept the traffic, and replace the contents of the page, or they could intercept the payment page, and sniff your credit card number when you make a purchase. In other words, no communication on the Internet can be safe unless you are able to guarantee authenticity of the entity operating the server you are connecting to.

Well, if you try to log in to overstock.com, you will see this in your browser:

OverstockSSL

The green label means the server you are communicating with has been authenticated as “Overstock.com, Inc.”, the company incorporated in the US. Any communication you are doing while this green label is displayed is guaranteed to be only decryptable by “Overstock.com, Inc”. If you trust Overstock.com, Inc with your bed sheets, then you can safely trust this webpage.

Proof of Authenticity for a crypto-asset

The whole chain of authenticity can be guaranteed by cryptography, but only up to the last mile. The last mile is verifying the identity of an organization. Unfortunately, no amount of cryptography, Blockchain or smart contract will solve that problem. You need a real person (often with gray hair and glasses) to look at real paper documents, proving that person X asking for a certificate is the rightful representative of company Y.

Fortunately though, there are well established companies doing that for a living in many countries: VeriSign, GlobalSign, Go Daddy, Comodo… and they have a dedicated service of real persons with gray hair and glasses, who look at documents all day long to verify that person X is indeed representative of company Y, and can be issued a certificate to prove it cryptographically to their customers.

Sure, this is not perfect. As always, organizations with power can abuse it, but generally it works, and you already rely on it for everything you do online. You’re relying on one of those companies whenever you open your webmail, turn on your Xbox, make a phone call, or even download a piece of software from a website.

Announcing Proof of Authenticity within Coinprism

Coinprism is the first crypto-asset platform to offer end-to-end Proof of Authenticity. Let’s see how it looks.

Every asset for which end-to-end authenticity could not be verified will display with an orange warning sign:

Issuer not verified

If Coinprism is able to verify the end-to-end authenticity of an asset, it will have a green check mark, and the name of the verified issuer is shown in place of the Asset ID:

Verified

This is the equivalent of the padlock icon in your browser.

How do I make my asset verified?

First, let’s be clear that being verified is optional. If you want your asset to be private, and only be used within your circle of friends, you can just share the asset ID (which is cryptographically secure), and your friends can easily check the asset ID matches when they receive a coin. You don’t need a verified asset in that case.

A verified asset is useful if you want strangers to believe in the value of your asset. But again, it’s not a hard requirement either, the same way people can (sometimes) trust websites with anonymous people behind it.

But let’s say you really want to go all the way and prove your asset is trustworthy and has a real company behind it. All you need to do is host the metadata file for the asset on your own servers, and on an HTTPS URL.

Let’s see how that’s done step by step.

Make sure you have a website and an SSL certificate

Hopefully, if you are a trustworthy business, you should have a website of some kind (remember, this is 2014). The next step is to make sure you have an SSL certificate for your website. There are two types of SSL certificates:

  • Domain validated: They are easy to get, but only validate your domain name. You can get those for free with StartSSL. This will mark you as a verified issuer, but the issuer will only show as your website domain name (like “www.appletartcoins.com”) on Coinprism.
  • Organization validated: They are usually more expensive to get. The certificate authority will verify you are the owner of your company. Coinprism will then display the official name of your company as the issuer (like “Apple Tart Ltd.”).

Host the metadata file on your server

The next step is to host a metadata file on your server. The metadata file contains all the information and contract about your coin. It is a simple JSON file that looks like this:

Simply host this file on you website under HTTPS (note: remember to set link_to_website to true). Let’s say it’s hosted at https://lemon.ad/LEMO.

Specify the metadata URL when issue your coins

The last step is to specify this when issuing your coin. It should look like this:

IssueVerified

And this is it.

The URL you specify (https://lemon.ad/LEMO) will be embedded in the Blockchain, and associated to your colored coin. Wallets like Coinprism can then fetch that URL, examine the SSL certificate, and validate end-to-end authenticity.

Bonus question: Why it’s not centralized

There is a common misconception that the fact that metadata is hosted on a server causes centralization.

The value of any crypto-asset comes from the fact that the issuer is willing to redeem it according to the terms they stated. Every crypto-token on Coinprism, Counterparty, Mastercoin, NXT, etc… is therefore already centralized towards the issuer, and you implicitly trust the issuer when buy their coin. If that issuer is responsible for hosting the metadata, there is no additional degree of centralization.

 

You may also like...

  • Olivier Milla

    Is only the URL encoded in the blockchain? or also a hash of the file it points to?
    How does one make sure that the file available disappears or gets modified?
    Where does one turn to if the file IS deleted or modified?

    • flaviencharlon

      There is no hash of the file. That file is provided by the issuer for informational purposes only.
      Even with a hash, you wouldn’t be able to bring anyone to court if the file was modified, because it takes much more than that to have a legally binding contract.

  • http://financialcryptography.com/ iang

    Is this method the same as employed in implementing the Ricardian Contract form, but with the metadata stored on an SSL server, and thus receiving the benefits of that certificate? E.g, http://blog.coinprism.com/2014/12/10/colored-coins-and-ricardian-contracts/

    • flaviencharlon

      Yes it is very similar. Actually in the ricardian contract, the metadata is still stored on a web server, but the hash of the contract is also stored in the blockchain.

  • Mario Alberto Medina Nussbaum

    I extracted my site’s subject, and placed it on my JSON file, but i can’t see it complete validated on coinprism. Maybe I need to place only a part of this:

    openssl x509 -text -noout -in tuminium.com | grep -i subject

    Subject: 1.3.6.1.4.1.311.60.2.1.3=MX/businessCategory=Private Organization, O=Montebit S de RL de CV/serialNumber=MON140124IL0, C=MX, ST=Distrito Federal, L=Mexico, CN=tuminium.com

  • avfontoura

    Asset verification doesn’t work when cloudflare is on. Turning cloudflare off, it verifies well.

  • Tobi Brook1

    My colleagues were needing OIR-B1-1802 a few weeks ago and discovered a document management site that hosts a lot of fillable forms . If you are requiring OIR-B1-1802 too , here’s http://goo.gl/RGGjCR

  • Robert Navarro

    If I put the .json file in https://lemon.ad/LEMO folder what would be the .json file name? Basically, what would the URN be, for example: https://lemon.ad/LEMO/unknown-file-name.json or am I understanding this wrong and the complete URN is https://lemon.ad/LEMO.json… sorry but this is just so new that I haven’t been able to find a YouTube tutorial.