AIS technical solution aims at addressing two main industry needs:
securely identify artworks as well as various art market actors on the internet
share the associated data in a manner that allows for privacy preservation and a maximal friction reduction for all parties involved
The core of the technology required for creating such a solution has been extensively developed over the last years. Decentralised Identifiers (DIDs) and Verifiable Credentials (VCs) aim to solve the problem of online identity for any one and (almost) any object (via a model called Self-Sovereign Identity).
Standardised by the World Wide Web Consortium (W3C), these solutions are applied to issue Covid-19 vaccination attestation (CCI), for legal entity identification (GLEIF) and many more purposes.
This extract from AIS white paper gives a brief layman's introduction to DIDs, VCs, associated concepts and how they would work together for the benefit of the art world.
Building blocks
The Identifiers
A DID is a type of globally unique identifier - no two entities are identified by the same one (with extremely high probability). It is a string, much like a URL, but starting with “did:” instead of “http:” that leads to (is “resolved” to) a standardised set of information associated with the entity it identifies. In the case of DIDs, this information is encapsulated in a so-called “DID document”. A DID is persistent, which means that it never needs to change. What is special about a DID, is that one can register it without the need of any central authority and one can always prove (cryptographically) they have control over it.
We distinguish two categories of DIDs:
Public DIDs are visible to everyone - anyone can resolve a public DID or contact its owner. They are stored on a Verifiable Data Registry, usually a distributed ledger, so that no single entity has control over the associated data.
Private DIDs are on the other hand created and shared only by two or more parties that intend to communicate between each other (and perhaps refer to some entity identified by a DID) in a private and secure way.
The credentials
Imagine having your artwork examined by an expert appraiser. After her job is done, she issues a signed and sealed certificate with the established artwork value. The physical document is rather hard to forge, and in most cases will be enough to convince a potential buyer. But what if you want to share the valuation over the internet? It is easy to change the numbers in the file containing the scan of the document, meaning that the scan itself is not reliable enough. Verifiable Credentials bring about a solution to this digital conundrum and many other associated problems.
In essence, VCs are cryptographically-protected claims that are issued by a trusted entity (the Issuer) to the Holder, that pertain to a DID that the Holder controls and that can be proven to be true when presented to a Verifier - see the schema below. They have the form of a JSON file (just like the DID document) and are stored in the Holder’s digital wallet (see tools, below). In particular, the Holder does not have to be a subject of the VC. Moreover, VCs can have expiration dates, and can be revoked.
Notably, presenting and proving the validity of a claim doesn’t need the participation or knowledge of the Issuer. With the help of Zero Knowledge Proofs, VCs allow selective disclosure, when only part of the claims attested by the Issuer is presented to the Verifier. Moreover, the claim can be proven without disclosing the identity of the entity it pertains to (the DID controlled by the Holder). This is one of the ways that the VC technology helps maintain the Holder’s privacy. In fact, the essence of VCs is that they place the Holder in the centre of the identity ecosystem.
It is important to understand that this doesn’t eliminate the need for trust entirely. Most notably, the Verifier must trust the Issuer that the issued credentials are accurate. Nonetheless, when executed correctly, this system almost entirely eliminates the risk of the Holder presenting a forged claim.
The tools
We finally need to talk about how the identifiers and credentials are stored and communicated. Although the naming differs between platforms, typically digital wallets are responsible for the former (DIDs) and digital agents for the latter (VCs). Together, they allow the user to function in the identity ecosystem to hold DIDs, VCs and other important data. They are responsible for generating cryptographic keys, securing communication between DID owners and finally for requesting credentials and presenting claims associated to them in so-called presentations.
For an individual, the wallet/agent will be a mobile app. She/He will be using it to identify her/himself, to exercise control over DIDs representing artworks as well as obtain, hold and use associated credentials. For an organisation, this most likely will be a server application, able to handle DIDs and VCs in bulk and in many ways autonomously. It will be able to delegate authority to individual wallets of the organisations’ members.
When it comes to storage, it is worth mentioning that no private data is ever hosted in a public database, encrypted or not. All such information is stored inside the secured wallet of the owner.
Governance
Technology is never a solution by itself. This fact was also recognised by the community behind SSI, which led to establishing the Trust over IP governance stack (see picture below and the associate governing body, the ToIP Foundation). The stack recognises that the solution to the problem of online identity, with its aim of facilitating trust over the internet, comprises four technological layers, with each one requiring a different governance framework. Establishing a functioning and widely adopted identification standard for the art world using the above-mentioned technologies will require different kinds of efforts within each of those layers at different stages of development. Let us go over them one by one so we can understand their function. Where AIS comes into play (governance) is not treated here.
Layer 1
On the technical side, the base of the stack is formed by Verifiable Data Registries - this is where the public DIDs, as well as other public data that the ecosystem relies on are stored. These are treated as public utilities or public infrastructure and are expected to host data for many ecosystems and be interoperable. The registries can be based on distributed ledger technologies but don’t have to. Governing them will (among others) include maintaining, defining policies for consensus on the ledger and for introducing changes or defining requirements for nodes that can participate in the network.
Layer 2
Layer 2 deals with storing and sharing of private data - this is where the agents/wallets and protocols describing their interactions live. A governance authority at this level is responsible for establishing and enforcing security, privacy, interoperability, certification and data protection requirements. These apply to hardware and software developers as well as so called agencies - cloud wallets and agents performing tasks for the actors of the ecosystem.
Layer 3
The next layer is where requesting, issuing and presenting Verifiable Credentials happens. As you can see, we are moving from interactions between software components to interactions between people and organisations. This is associated with a shift of where the trust is placed: from math and algorithms to humans and their relations. The governance framework reflects that and deals with policies like issuer qualification or credential revocations.
Layer 4
The top layer of the stack encapsulates all the applications that are based on the layers below and that function in the ecosystem. In our case, this ecosystem is the art market in the broadest sense. Here are some key examples of where governance needs to be involved at this level:
Interoperability in terms of legal and business rules
Legal, economic and business rules of delegation of responsibilities concerning artworks and people
Rules around transitive trust, how a trusted relationship with one application can be used to establish trust with another
Guidelines around usability
Establishing trust marks (a way to make it easier for art market actors to know who to trust) with related member directories, certification authorities, auditors and auditor accreditors
Establishing and enforcing anti-coercion rules
DIDs and VCs for the Art Market
DID nomenclature
We distinguish four groups of DIDs, each used in a different way. We envision:
Actor Private DIDs (APvD) - these will be Private DIDs (not stored in a public repository) identifying Art Market Actors - individuals and organisations - any entities with some kind of agency - that decide to use the identifiers to open channels of trusted communications with each other, as well as issue, receive and verify VCs via those relationships.
Actor Public DIDs (APbD) - stored in the Verifiable Data Registry, these DIDs will identify those individuals and organisations who want and need their identifiers to be public. This will most notably include VC issuers, whose identifiers will be also featured on special lists curated by governance bodies.
Object Private DIDs (OPvD) - private DIDs created to identify objects like artworks for the purpose of uniquely identifying them within the context of private communication channels between two or more parties. These will pertain for example to artworks in a private collection. Control over those DIDs might be transferred, for example when the artwork changes its owner - this way, the associated VCs are transferred too.
Object Public DIDs (OPbD) - public DIDs, saved in the Verifiable Data Registry - visible to and resolvable by everyone. Pertaining to objects, and created (at least at first) only by authorised organisations, they will be used to publicly reference the artworks and find information about them online. The scope of the data required in the DID documents will be in this case strictly defined and mechanisms will be employed to prevent duplication of artworks and abuse of the system.
DID combinations
The same Actor will be able to have both one Private and one Public DID. A single artwork will likewise possibly be represented by both types.
Private DIDs will be able to claim association with Public DIDs. In the case of Actors, it could be employees representing an organisation. In the case of objects, the same object can be represented differently within different relationships, however all the associated DIDs may claim reference to a Public DID uniquely representing a given artwork. This last feature can be used to enable the discovery of sources of information about a given object.
Standardised VCs
Verifiable Credentials will be used with all those types of DIDs. Any person can issue a VC, but it will be important that the most significant, broadly used types of credentials are purposefully designed and standardised. In particular, those credentials that will be important for the functioning of the art market ecosystem, claiming artwork authenticity, ownership, as well as KYC and AML statements, will have tailor made, broadly agreed upon forms, which will result in seamless interoperability across the industry.
This will allow also for efficient use of Zero Knowledge Proofs, for example by a collector, proving AML eligibility without revealing their name to the gallery they are buying a piece from.
Extract from the White Paper 2021, Version 0.3