VeraId: Domain names without the Internet

VeraId will be a protocol to authenticate users and organisations, as well as any content they produce. It’ll leverage the existing DNS infrastructure without actually using the Internet.

Apps will use VeraId to verify the authenticity and integrity of any type of data, and thus reliably attribute it to an organisation (like acme.com) or a member of an organisation (like alice.smith of acme.com).

Use cases

VeraId can improve existing systems in many ways, such as:

  • Avoiding phishing in offline communication apps (the raison d’être of this project).
  • Signing documents or software without gatekeepers like Adobe.
  • Authenticating API clients without bearer tokens or pre-shared public keys.

But perhaps more interestingly, it could power a new generation of decentralised systems that wouldn’t be possible today – like peer-to-peer web hosting with contents reliably attributed to their respective domain names.

Technical overview

VeraId combines DNSSEC with a new Public Key Infrastructure (PKI) to produce digital signatures whose provenance can be traced back to a domain name. Any DNSSEC-enabled domain can be a trust anchor in the PKI, but it’d only have control over itself (not other domains).

Consequently, every digital signature contains enough data to be independently verified. External queries, such as DNS lookups, are not needed.
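The two properties just described (a domain acting only as its own trust anchor, and a signature bundle that a verifier can check without any DNS lookup) can be modelled in a few dozen lines. The following is an added example, not VeraId's own code, wire format or certificate scheme: the single "root" signature standing in for the DNSSEC chain, the message encodings, and every type and function name are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed, simplified model of the idea on this page. It is NOT VeraId's
// actual format or certificate scheme. The verifier holds exactly one root
// public key and performs no network lookups: everything else it needs
// travels inside the Bundle.

// DNSRecord stands in for the DNSSEC-validated record that binds a domain name
// to an organisation's public key. One root signature replaces the real
// multi-step DNSSEC chain (an assumption made to keep the model small).
type DNSRecord struct {
	Domain  string
	OrgKey  ed25519.PublicKey
	RootSig []byte
}

// MemberCert is issued by an organisation to one of its members.
type MemberCert struct {
	Member string // e.g. "alice.smith"
	Domain string // the issuing organisation, e.g. "acme.com"
	Key    ed25519.PublicKey
	OrgSig []byte
}

// Bundle is everything a verifier needs: the DNS record, an optional member
// certificate, the content, and the signature over the content.
type Bundle struct {
	Record  DNSRecord
	Member  *MemberCert // nil when the organisation itself signed
	Content []byte
	Sig     []byte
}

func recordMsg(domain string, key ed25519.PublicKey) []byte {
	return append([]byte("dns:"+domain+":"), key...)
}

func memberMsg(member, domain string, key ed25519.PublicKey) []byte {
	return append([]byte("member:"+member+"@"+domain+":"), key...)
}

// contentMsg binds the claimed signer to the content so a valid signature
// cannot be re-attributed to a different identity.
func contentMsg(signer string, content []byte) []byte {
	return append([]byte("content:"+signer+":"), content...)
}

func GenerateKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// IssueDomain models the DNSSEC side: the root key vouches for domain -> orgKey.
func IssueDomain(rootPriv ed25519.PrivateKey, domain string, orgKey ed25519.PublicKey) DNSRecord {
	return DNSRecord{domain, orgKey, ed25519.Sign(rootPriv, recordMsg(domain, orgKey))}
}

// IssueMember lets an organisation delegate signing to one of its members.
func IssueMember(orgPriv ed25519.PrivateKey, domain, member string, memberKey ed25519.PublicKey) *MemberCert {
	return &MemberCert{member, domain, memberKey, ed25519.Sign(orgPriv, memberMsg(member, domain, memberKey))}
}

// SignContent produces a self-contained bundle, signed either by the
// organisation (member == nil) or by a member holding a MemberCert.
func SignContent(priv ed25519.PrivateKey, rec DNSRecord, member *MemberCert, content []byte) Bundle {
	signer := rec.Domain
	if member != nil {
		signer = member.Member + "@" + member.Domain
	}
	return Bundle{rec, member, content, ed25519.Sign(priv, contentMsg(signer, content))}
}

// Verify checks the whole chain offline and returns the identity the content
// is attributed to ("acme.com" or "alice.smith@acme.com").
func Verify(rootPub ed25519.PublicKey, b Bundle) (string, error) {
	if !ed25519.Verify(rootPub, recordMsg(b.Record.Domain, b.Record.OrgKey), b.Record.RootSig) {
		return "", errors.New("domain record not vouched for by root")
	}
	signer, key := b.Record.Domain, b.Record.OrgKey
	if m := b.Member; m != nil {
		// A domain only controls itself: a member certificate naming a
		// different domain cannot be validated against this record.
		if m.Domain != b.Record.Domain {
			return "", fmt.Errorf("member cert for %s presented under %s", m.Domain, b.Record.Domain)
		}
		if !ed25519.Verify(b.Record.OrgKey, memberMsg(m.Member, m.Domain, m.Key), m.OrgSig) {
			return "", errors.New("member certificate not signed by organisation")
		}
		signer, key = m.Member+"@"+m.Domain, m.Key
	}
	if !ed25519.Verify(key, contentMsg(signer, b.Content), b.Sig) {
		return "", errors.New("content signature invalid")
	}
	return signer, nil
}

func main() {
	rootPub, rootPriv := GenerateKey()
	acmePub, acmePriv := GenerateKey()
	acme := IssueDomain(rootPriv, "acme.com", acmePub)
	alicePub, alicePriv := GenerateKey()
	alice := IssueMember(acmePriv, "acme.com", "alice.smith", alicePub)

	b := SignContent(alicePriv, acme, alice, []byte("hello"))
	who, err := Verify(rootPub, b)
	fmt.Println(who, err) // alice.smith@acme.com <nil>

	b.Content = []byte("tampered")
	_, err = Verify(rootPub, b)
	fmt.Println(err) // content signature invalid
}
```

The design point to notice is in `Verify`: the only long-lived trust the verifier holds is `rootPub`; the domain record, the member certificate and the content signature all arrive in the bundle, and the check that `m.Domain` equals the record's domain is what stops one organisation from issuing credentials in another domain's name.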

Designing and implementing yet another auth protocol is not something we take lightly: We know it’s hard to get them right and the consequences can be catastrophic. Unfortunately, no existing technology satisfied our needs.

Watch the video below for a walk-through of the protocol and a demo of the prototype.

Learn more about the architecture · Read the spec

About

This project is being incubated by Relaycorp for use in Letro, but VeraId itself is completely agnostic of Letro and Relaycorp.

We could bundle it with Letro, but we think that the core functionality is generic enough and so widely applicable that it makes more sense to develop it independently. We also expect it to play a crucial role in Awala in the future, such as when we support message broadcasting.

The word vera is Ido for authentic, and it’s pronounced VEH-rah (with a trilled R).