Inspiration
This project is inspired by an effort I'm involved in to build a trust framework for the home buying and selling industry in the UK, called the Property Data Trust Framework. It aims to make it safe & easy for individuals and organizations to share data during the home buying and selling process. It was also inspired by the UK Digital Identity and Attributes Trust Framework policy in the UK.
I wanted to understand how an average web user could utilize a trust framework and how trust relationships could be demonstrated between entities.
Try It!
- Install TrustSight here (Chrome only for now, sorry)
- Open up the TrustUK Demo Site here
- Watch the demo video above and follow along for yourself!
What it does
TrustBox is a suite of tools to build and utilize trust infrastructure for application ecosystems, such as industry-specific trust frameworks. It targets open standards that bridge the web with digital identity. It consists of 3 main components.
TrustSight is a trust overlay for your browser. It helps web users figure out if they can trust a website.
TrustBench is a developer tool for building and deploying trust infrastructure such as trust frameworks. It was used to construct the "trust backbone" for the demo.
TrustGraph visualizes trust relationships. It can be used by both trust frameworks administrators and web users to understand how trust is established.
Plus a demo to tie them all together. Watch the demo video and try it out yourself here! Also, look at this graph.
How we built it
The core of the solution is the combination of trust establishment documents and well-known DID configurations. Together they provide an open and standards-compliant way to make trust assertions about an entity and have that entity be provably associated with a domain. It means it is practical to publish and consume trust infrastructure (well-known DID configs, topic schemas, trust docs) using a web server.
Additionally, we use decentralised web nodes (DWNs) to offer enhanced publishing functionality, so that organizations do not have to rely solely on publishing to a website. (Currently only trust establishment documents themselves can be published to a DWN. In the future, topic schemas would be too.) This provides an easier way for applications to query for an entity's trust documents, which we take advantage of in TrustGraph. TrustSight also uses it to refresh trust docs (keep them up to date), or falls back to refreshing from the author's web server/website.
We use various libraries (veramo, @sphereon/wellknown-dids-client, web5.js) to implement the standards properly and to perform real DID operations, credential signing, and verification (although we don't support verification of JSON-LD linked domain credentials yet, just VC-JWT). We have a burgeoning library called trustlib which may one day combine that stuff in a way that it's easy to reuse; at the moment it's all rather spread about the place.
- TrustSight wraps it into a Chrome extension with a React UI (tailwind + shadcn <3). TrustSight uses DID configs to go from domain -> DID.
- TrustBench wraps it into a Node.js library / proto CLI.
- TrustGraph wraps it into a Next.js application using Reagraph for the graph visualisation. TrustGraph uses DID configs to go from DID -> domain (but will probably do both directions eventually).
- Each demo website is a simple Next.js application with tailwind, hosted on vercel.
trust-backbone is the TrustBench model that describes all the trust infrastructure for the demo websites.
TrustSight has its own repository, while everything else is in a monorepo.
Challenges we ran into
To effectively demonstrate our use case for TrustSight it was necessary to construct 3 separate websites with interlocking trust relationships. Turns out this is quite hard - managing different DIDs and origins and signed credentials across local and live environments. This challenge was the birth of TrustBench. Also, because the websites themselves aren't really the focus, the trust backbone is, we used free templates and AI generated logos to make them look presentable quickly.
You will likely want to check TrustSight against the sites listed here, as I did, and you'll find none of them resolve to a DID (as in display an icon). It's not TrustSight I promise, the JWT linked domain credential for each deviates slightly from the spec (when interpreted strictly, as @sphereon/wellknown-dids-client does).
- dif - the origin doesn't include the scheme (i.e. https://)
- transmute - the origin includes a trailing "/"
- trinsic - the origin includes a trailing "/"
I decided to stick with the @sphereon/wellknown-dids-client interpretation.
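The origin deviations listed above can be reproduced with a small strict check. This is an added example for Node.js, not code from TrustSight or @sphereon/wellknown-dids-client; the function names, the sample DIDs and domain, and the https-only rule are assumptions of the example, and it decodes VC-JWT entries without verifying their signatures.

```javascript
// Added example (Node.js). Checks only the origin claim of VC-JWT entries;
// the JWT signature must still be verified against the DID before trusting it.

// Decode a compact JWT payload WITHOUT verifying the signature.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Strict reading: the claim must be the exact serialized https origin of the page.
function checkOrigin(claimed, pageOrigin) {
  let url;
  try {
    url = new URL(claimed);
  } catch {
    return "rejected: not an absolute URL (scheme missing)";
  }
  if (url.protocol !== "https:") return "rejected: not https";
  if (url.origin !== claimed) return "rejected: not a bare origin (trailing slash or path)";
  return claimed === pageOrigin ? "ok" : "rejected: different origin";
}

// Walk linked_dids and report each candidate DID for the visited page.
function resolveDomainToDids(config, pageOrigin) {
  return (config.linked_dids || []).map((entry) => {
    if (typeof entry !== "string") return { did: null, result: "skipped: JSON-LD entry" };
    const payload = decodeJwtPayload(entry);
    const subject = (payload.vc && payload.vc.credentialSubject) || {};
    return { did: subject.id || payload.sub, result: checkOrigin(subject.origin, pageOrigin) };
  });
}

// Constructed sample data: placeholder DIDs, dummy signature segment.
function makeSampleJwt(did, origin) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  const payload = { iss: did, sub: did, vc: { credentialSubject: { id: did, origin } } };
  return [b64({ alg: "EdDSA" }), b64(payload), "c2ln"].join(".");
}

const sampleConfig = {
  linked_dids: [
    makeSampleJwt("did:example:good", "https://shop.example"),
    makeSampleJwt("did:example:noscheme", "shop.example"),
    makeSampleJwt("did:example:slash", "https://shop.example/"),
    { type: ["VerifiableCredential", "DomainLinkageCredential"] },
  ],
};

console.log(resolveDomainToDids(sampleConfig, "https://shop.example"));
```

Only the first entry is accepted; the second and third fail for the missing scheme and the trailing slash, and the JSON-LD object is skipped rather than trusted.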
We wanted to use DWNs to allow a user to share their imported trust documents between different applications. i.e. import a trust document in TrustGraph and have it apply in TrustSight (and eventually in your smartphone wallet). web5.js doesn't yet have easy support for this (soon!), so it didn't make it in. Instead we ended up with a cool graph visualization, and hopefully you can see how it would slot in nicely.
Couldn't get verification of JSON-LD linked domain credentials working with veramo in the Chrome extension. I know the problem and solution, but it wasn't an easy fix.
Fitting it all into a 3 minute demo was also rather challenging :o
Accomplishments that we're proud of
Nothing is fake and there's no smoke and mirrors. All the verifications you expect to happen (minus JSON-LD support) are happening. There is a cut in the middle of the demo video, but it's just because I kept messing up my lines.
TrustBench surprised me with how well it worked; it made it a lot easier to construct and change the demo.
What we learned
You can get pretty far by taking advantage of the web servers / websites that organizations already run. Although it probably opens you up to concerns about how DNS and traditional PKI work.
There might be some missing developer tooling that fits in the gap between existing libraries and full managed SSI solutions.
DWNs are pretty cool.
What's next
- Firefox!
- Share trust docs imported via TrustSight with your wallet!
- Maybe TrustSight is a wallet :)))))))
- TrustGraph should be expanded to surface more information such as TrustSight does (i.e. assertions). The UX will need some adjustment to suit the explicit graph depiction. I think it should be more edge focused than node focused.
- TrustBench should have a proper CLI (and UI?)
- TrustBench should support credential schemas, and shortcuts for building trust frameworks made up of issuers and verifiers. It should support publishing topic schemas and credential schemas to a DWN.
Built With
- nextjs
- react
- typescript
- veramo
- web5.js
