Securely attribute content to domain names

VeraId is a decentralised, user-friendly, offline-first authentication protocol.

Developers! Developers! Developers!

sb@microsoft.com

xkcd.com

You shall not pass!

gandalf@ring.company

spotify.com

Rrrruuuurrr

chewbacca@kashyyyk.space

bbc.com

Winter is coming

jon@nightswatch.mil

Use cases

Workload authentication simplified

Kliento uses VeraId to simplify workload authentication, without long-lived secrets like API keys or public key distribution as needed by JWTs.

Artefact signing

Sign documents, apps, libraries, and other files on behalf of a domain name, without gatekeepers like Adobe or Microsoft.

Offline user authentication

Enable users of offline systems to authenticate with user-friendly, customisable identifiers. That's how Letro uses VeraId!

Next-gen decentralised systems

VeraId enables systems that are hard to imagine today, like peer-to-peer web hosting with contents reliably attributed to their respective domain names.

Key features

  • Extends battle-tested standards like DNSSEC, X.509 and CMS.
  • Open protocol with open source reference implementations.
  • As decentralised as DNS itself.
  • Signatures can be produced and verified offline.
  • Independently audited.

How it works

VeraId combines DNSSEC with a new Public Key Infrastructure (PKI) to produce signatures that can be linked to a domain name. Every signature contains enough data to be independently verified without external queries, like DNS lookups.

For example, this is how we'd verify a VeraId Signature Bundle attributing "Bazinga!" to sheldon@caltech.edu:

DNSSEC Chain

.
edu.
caltech.edu.
_veraid.caltech.edu.
caltech.edu.

X.509 Certificate Chain

caltech.edu
sheldon
sheldon@caltech.edu

CMS SignedData

"Bazinga!"

Any DNSSEC-enabled domain can be a trust anchor in the PKI, but it only has control over itself. This offers far better security than PKIs such as the one behind Transport Layer Security (TLS), where many trust anchors (Certificate Authorities) can issue certificates for any domain.

Forged from necessity

I designed VeraId to provide Letro users with offline-compatible identifiers that are robust enough to withstand attacks by the nation-state actors that would target some of them.

Designing and implementing another auth protocol is not something I took lightly: I know it's hard to get them right and the consequences can be catastrophic. Unfortunately, no existing technology satisfied our needs.

Gus Narea.

Creator of VeraId, and former member of Auth0's core engineering team.