VeraId is a new authentication protocol that apps can use to verify the integrity of any content, and reliably attribute it to a domain name (like acme.com) or a member of it (like email@example.com), without querying any server on the Internet.
VeraId can improve existing systems in many ways, such as:
- Avoiding phishing in offline communication apps (the raison d’être of this project).
- Signing documents or software without gatekeepers like Adobe.
- Authenticating API clients without bearer tokens or pre-shared public keys.
But perhaps more interestingly, it could power a new generation of decentralised systems that wouldn’t be possible today – like peer-to-peer web hosting with contents reliably attributed to their respective domain names.
VeraId combines DNSSEC with a new Public Key Infrastructure (PKI) to produce digital signatures that can be linked to a domain name. Every signature carries the data needed to verify it offline, so the verifier performs no external queries such as DNS lookups; the only thing it must already hold is the DNSSEC root trust anchor that any DNSSEC validation starts from.
Any DNSSEC-enabled domain can act as a trust anchor in this PKI, but its authority is limited to its own name and the members of it. That is a far stronger property than the Web PKI used by TLS offers, where any of the many trust anchors (Certificate Authorities) can issue certificates for any domain.
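The two properties above (a self-contained signature that verifies with nothing but a pinned root key, and a trust anchor whose authority stops at its own domain) can be shown with a simplified model. The following Go program is an added example, not VeraId's own code or data format: the `ZoneRecord` stands in for DNSSEC (real DNSSEC uses DNSKEY/DS records and RRSIGs), and the names acme.com, evil.net and alice@acme.com, the keys and the message are all constructed for the demo. It verifies an honest bundle, rejects one in which evil.net's key tries to vouch for alice@acme.com, and rejects tampered content.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// ZoneRecord binds a name to a key and is signed by the parent zone's key.
// Hypothetical stand-in for a DNSSEC DNSKEY/DS chain, not VeraId's format.
type ZoneRecord struct {
	Name string
	Key  ed25519.PublicKey
	Sig  []byte
}

// MemberCert binds a member (or the org itself) to a key, signed by the org key.
type MemberCert struct {
	Member string
	Key    ed25519.PublicKey
	Sig    []byte
}

// Bundle carries everything a verifier needs besides the pinned root key,
// which is what lets verification run without any network lookup.
type Bundle struct {
	Chain   []ZoneRecord // root's child first, org domain last
	Cert    MemberCert
	Content []byte
	Sig     []byte // Cert.Key over Content
}

func recordBytes(name string, key ed25519.PublicKey) []byte {
	return append([]byte(name+"|"), key...)
}

// isChild reports whether name is exactly one label below parent ("" is the root).
func isChild(name, parent string) bool {
	label := name
	if parent != "" {
		if !strings.HasSuffix(name, "."+parent) {
			return false
		}
		label = strings.TrimSuffix(name, "."+parent)
	}
	return label != "" && !strings.Contains(label, ".")
}

// memberOf accepts the org itself ("acme.com") or one user in it ("alice@acme.com").
func memberOf(member, org string) bool {
	if member == org {
		return true
	}
	if !strings.HasSuffix(member, "@"+org) {
		return false
	}
	user := strings.TrimSuffix(member, "@"+org)
	return user != "" && !strings.Contains(user, "@")
}

// Verify walks the chain from the pinned root down to the org domain, checks the
// member certificate against the org key, then the content signature. The
// isChild/memberOf checks are what stop a zone from vouching outside itself.
func Verify(root ed25519.PublicKey, b Bundle) (string, error) {
	parentKey, parentName := root, ""
	for _, rec := range b.Chain {
		if !isChild(rec.Name, parentName) {
			return "", fmt.Errorf("%q is not a child of %q", rec.Name, parentName)
		}
		if !ed25519.Verify(parentKey, recordBytes(rec.Name, rec.Key), rec.Sig) {
			return "", fmt.Errorf("bad zone signature on %q", rec.Name)
		}
		parentKey, parentName = rec.Key, rec.Name
	}
	if parentName == "" {
		return "", fmt.Errorf("empty chain")
	}
	if !memberOf(b.Cert.Member, parentName) {
		return "", fmt.Errorf("%q is not a member of %q", b.Cert.Member, parentName)
	}
	if !ed25519.Verify(parentKey, recordBytes(b.Cert.Member, b.Cert.Key), b.Cert.Sig) {
		return "", fmt.Errorf("member certificate not signed by %q", parentName)
	}
	if !ed25519.Verify(b.Cert.Key, b.Content, b.Sig) {
		return "", fmt.Errorf("content signature invalid")
	}
	return b.Cert.Member, nil
}

func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func signRecord(parent ed25519.PrivateKey, name string, key ed25519.PublicKey) ZoneRecord {
	return ZoneRecord{Name: name, Key: key, Sig: ed25519.Sign(parent, recordBytes(name, key))}
}

func signCert(org ed25519.PrivateKey, member string, key ed25519.PublicKey) MemberCert {
	return MemberCert{Member: member, Key: key, Sig: ed25519.Sign(org, recordBytes(member, key))}
}

// Example builds constructed keys and records, then returns the outcome of
// verifying an honest bundle, a bundle where evil.net vouches for alice@acme.com,
// and a bundle whose content was altered after signing.
func Example() (honest string, honestErr, forgedErr, tamperedErr error) {
	rootPub, rootPriv := newKey()
	comPub, comPriv := newKey()
	acmePub, acmePriv := newKey()
	netPub, netPriv := newKey()
	evilPub, evilPriv := newKey()
	alicePub, alicePriv := newKey()

	content := []byte("constructed sample message") // constructed input
	sig := ed25519.Sign(alicePriv, content)

	acmeChain := []ZoneRecord{signRecord(rootPriv, "com", comPub), signRecord(comPriv, "acme.com", acmePub)}
	evilChain := []ZoneRecord{signRecord(rootPriv, "net", netPub), signRecord(netPriv, "evil.net", evilPub)}
	honestCert := signCert(acmePriv, "alice@acme.com", alicePub)
	forgedCert := signCert(evilPriv, "alice@acme.com", alicePub) // wrong domain's key

	honest, honestErr = Verify(rootPub, Bundle{Chain: acmeChain, Cert: honestCert, Content: content, Sig: sig})
	_, forgedErr = Verify(rootPub, Bundle{Chain: evilChain, Cert: forgedCert, Content: content, Sig: sig})
	_, tamperedErr = Verify(rootPub, Bundle{Chain: acmeChain, Cert: honestCert, Content: []byte("altered"), Sig: sig})
	return
}

func main() {
	who, honestErr, forgedErr, tamperedErr := Example()
	fmt.Println("honest:", who, honestErr)
	fmt.Println("forged:", forgedErr)
	fmt.Println("tampered:", tamperedErr)
}
```

The forged bundle is rejected before any signature is checked: evil.net's chain is perfectly valid, but alice@acme.com is not a member of evil.net, so the key at the end of that chain has no say over her. That name-scoping check is the difference from a CA-style PKI, where a valid chain to any trusted root would be enough.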
Designing and implementing yet another auth protocol is not something we took lightly: We know it’s hard to get them right and the consequences can be catastrophic. Unfortunately, no existing technology satisfied our needs.
Watch the video below for a walk-through of the protocol and a demo of the prototype.
We could’ve bundled it with Letro, but the core functionality is generic enough and so widely applicable that it makes more sense to develop it independently. We also expect it to play a crucial role in Awala in the future, such as when we support message broadcasting.
The word vera is Ido for authentic, and it’s pronounced VEH-rah (with a trilled R).