Last modified: Fri Aug 16 2019 11:27:04 GMT+0000 (Coordinated Universal Time)
Every participant in the Winding Tree platform has their own ORG.ID or her public key is associated with an ORG.ID. Both of these entities can be identified by an Ethereum address.
The concept of trust clues is tying these digital Ethereum identities to their real world coutnerparts. There are two key principles to deal with:
- Who is talking to me?
- Can I trust them?
The first issue is solved by using
can perform operations on behalf of the ORG.IDs, in particular sign messages.
By doing that and verifying signatures, every participant
can identify who they are talking with. Either by verifying an incoming signed request, or by verifying
a disclosed signed relationship guarantee.
On the receiving end, all I have to do is decode the signature, compare that the Ethereum address is an associated key of particular ORG.ID and I am good to go.
The second thing in question is how can I establish that I can trust the communication partner. There are many ways to do that, some more complicated than others. We are calling them in general trust clues.
Not all of these are currently implemented in our tooling.
It is probably fairly easy if you have an already established trusted communication channel with your partner. There you can safely exchange your ORG.ID's addresses and whitelist communication incoming from them.
The most obvious trust clue is depositing a certain amount of Líf to a dedicated smart contract. This also works really well against spamming the system with hundreds of fake entities. This deposit can be reclaimed if, for some reason, the organization no longer wants to be a part of the network.
You can learn more about Líf Deposit in the onboarding guide.
If the ORG.JSON record contains a website address, that domain name can be linked to the ORG.ID
via DNS TXT record or a text file accessible on a well known address such as
ORG.ID Ethereum address.
Another possibility is to reuse your company's EV SSL Certificate. Just verify your domain name and you're done! If you don't have one, they are pretty cheap, about $200/year.
If API requests and responses between all these players are signed with their private keys, all these companies have proof that they are doing business together.
Let's say a small OTA has a collection of messages (API responses) that contain both ORG.IDs, a simple message ("order confirmed"), and a timestamp, signed by a private key associated with a big ORG. Now the small OTA has unfalsifiable proof they do business with the big ORG.
This can be used as a proof of legitimacy for other platform members.