The Interplanetary Lockbox (IPLB) is an ongoing exploration to leverage the Interplanetary File System (IPFS) for distributed authentication and authorization.
It proposes a schema and a protocol for defining and enforcing access policies for resources published on the IPFS.
The following diagram walks through a hypothetical scenario in which Alice publishes a 🖼️ on IPFS while only granting access to Bob through a Lockbox in the custody of a Gateway supporting the IPLB protocol.

Sequence diagram (participants: Alice, IPFS, Gateway, Bob):

1. Alice -> IPFS: Publishes Picture
2. Alice -> Gateway: Requests Lockbox for Picture's CID
3. Gateway: Encrypts CID
4. Gateway -> Alice: Responds with Lockbox
5. Alice -> IPFS: Publishes Lockbox
6. Alice -> Bob: Shares Picture's Lockbox Address
7. Bob -> Gateway: Requests access
8. Gateway -> IPFS: Retrieves Lockbox
9. Gateway: Validates Lockbox
10. Gateway -> Bob: Requests Credentials
11. Bob -> Gateway: Provides Credentials
12. Gateway: Validates Credentials
13. Gateway: Decrypts CID
14. Gateway -> IPFS: Retrieves Picture
15. Gateway -> Bob: Forwards Picture
A few key things to note:
In the initial phase of the exploration, the enforcement of access policies is delegated to trusted IPFS Gateways. A subsequent phase will focus on developing strategies to shift trust to credential verification proofs, where any IPFS node could help support enforcement for the whole network.
A Lockbox is a JSON-formatted access policy, secured by cryptography, that specifies the associated content's address, the credential requirements, and other metadata fields.
    {
      "schemaVersion": "1.2.3",
      "content": {
        "custodians": [
          {
            "custodian": "...",
            "cid": "...",
            ...
          }
        ]
      },
      "validations": [
        {
          "id": "ens-controller",
          "version": "1.0.2",
          "parameters": {
            "network": "mainnet",
            "ens": "bob.eth"
          }
        }
      ],
      "metadata": {
        "name": "Cat Picture",
        "description": "My most recent Cat picture, enjoy!",
        ...
      }
    }
A Lockbox may require one or more Validations, which are standardized definitions of the parameters consumed by child Verifications.
Verifications are interchangeable building blocks that allow composability and reusability across different types of Validations.
For example, an "ERC-721 Token Validation" might require two Verifications:
A different "ETH Transaction Validation" may leverage the existing Ethereum Address Signature Verification as well as an on-chain transaction Verification with the specified arguments.
Verifications implement a standard interface and serve as an abstraction for the logic and dependencies.
Only after all of the child Verifications are successful is a parent Validation considered successful.
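The sketch below is an added example, not IPLB code (none has been released): it shows a Gateway-side evaluator in which a Validation passes only when every child Verification passes, and anything unknown or malformed denies access. The function signature, the registry, the split of "ens-controller" into two Verifications, the rule that every listed Validation must pass, and the credential fields and addresses are all assumptions made for illustration.

```python
from collections.abc import Mapping
from typing import Callable

# Hypothetical standard interface: Verification(parameters, credentials) -> bool
Verification = Callable[[Mapping, Mapping], bool]

# Constructed stand-in for an on-chain ENS lookup: (network, name) -> controller
ENS_CONTROLLERS = {("mainnet", "bob.eth"): "0xB0B"}

def address_signature(params: Mapping, creds: Mapping) -> bool:
    # Placeholder for signature recovery over a Gateway challenge: the sample
    # credential simply carries the address the signature was recovered to.
    return bool(creds.get("address")) and creds.get("recovered_signer") == creds["address"]

def ens_controller(params: Mapping, creds: Mapping) -> bool:
    # A missing parameter raises KeyError, which validate() turns into a denial.
    controller = ENS_CONTROLLERS.get((params["network"], params["ens"]))
    return controller is not None and controller == creds.get("address")

# Assumed registry: Validation (id, version) -> its child Verifications
REGISTRY = {
    ("ens-controller", "1.0.2"): [address_signature, ens_controller],
}

def validate(validation: Mapping, creds: Mapping) -> bool:
    children = REGISTRY.get((validation.get("id"), validation.get("version")))
    if not children:  # unknown id or version: deny
        return False
    try:
        return all(v(validation.get("parameters", {}), creds) for v in children)
    except (KeyError, TypeError):  # malformed parameters: deny
        return False

def grants_access(lockbox: Mapping, creds: Mapping) -> bool:
    validations = lockbox.get("validations")
    if not isinstance(validations, list) or not validations:
        return False  # all([]) is True, so an empty policy is denied explicitly
    return all(isinstance(v, Mapping) and validate(v, creds) for v in validations)

# Constructed sample, trimmed from the Lockbox shown above
LOCKBOX = {"schemaVersion": "1.2.3", "validations": [{
    "id": "ens-controller", "version": "1.0.2",
    "parameters": {"network": "mainnet", "ens": "bob.eth"}}]}

if __name__ == "__main__":
    bob = {"address": "0xB0B", "recovered_signer": "0xB0B"}
    print(grants_access(LOCKBOX, bob))
```

The explicit empty-list check matters because a Lockbox whose `validations` array was stripped or left empty would otherwise be treated as satisfied.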
The Interplanetary Lockbox exploration is in its early stages. Both code and specifications will be released once they become stable.
In the meantime, you can say 👋 or follow the updates on Twitter.