[bisq-network/proposals] Self certification of bank account details using ID verified digital certificates (#79)

mpolavieja notifications at github.com
Thu Apr 25 07:58:25 UTC 2019

> _This is a Bisq Network proposal. Please familiarize yourself with the [submission and review process](https://docs.bisq.network/proposals.html)._

### Introduction

This is a proposal related with the issue "Certification for ownership of a bank account" #23, but instead of basing the certification of ownershipon performing a series of procedures through trusted intermediaries (arbitrators or validators) the system would rely on each user providing proof of ownership of his bank account through signing with a digital certificate where the ID of the owner has been verified.   

Ideally, we should use digital certificates attested by a decentralized ID infrastructure, but as there is none still deployed we can only rely on centralized issued digital certificates (private or government issuers). Therefore, if we rely on government infrastructure is just for convenience, as the core idea is not based on any centralized / government infrastructure but on open source digital signature standards. Moreover, there is a reasonable chance that the development could be ported without much effort from centralized to decentralized, as today's centralized infrastructures are already using open source cryptographic standards such as ECDSA or SHA256. 

### Goal

Given that fiat bank accounts require providing personal information, the main goal of this proposal is to prevent the fraudulent impersonation of fiat bank account details within Bisq network.

This feature would be **optional** and its specific goal is to be used to override account age trading limitations or to directly jump to a specific higher trusted level if a rating system is implemented. This procedure **does not need** trusted intermediaries within Bisq nor any centralized storage of ID personal data.  

There is no KYC service provider involved.  In this case the equivalent to the KYC provider would be the digital certificate issuers, who will not know nor need to know absolutely anything about Bisq system or Bisq users.


- It is unlikely that a scammer has managed to steal both access to a bank account and to the private keys of a digital certificate.

- There is a significant Bisq user base that has easy access or already has an ID validated digital certificate

- Standard Digital Certificates won´t provide significant additional information than the information the user is already providing on his bank account details.  Maybe national ID number which anyway is already rather easy to find publicly once you know the name and last name of the user.  It is important to note, that if the digital certificate is to be used also for encrypting and signing emails and the user provides his real email in the certification generation process, then his email address will be part of the Digital Certificate. In this respect I ask for feedback from the community to review their certificates to see what kind of information is included.

### Implementation overview

**Initial caveat:** If the implementation of this optional feature is considered incompatible with Bisq core principles by the Bisq community, it could be derived onto a second layer that interacts with Bisq liquidity network, where a Bisq node could allow other traders to interact only with him (using a Bisq fork or other Bisq protocol compatible app in that second layer) under the condition of having his bank details signed as outlined in this proposal.

There is already a rather widespread standard in Europe called **Advanced Electronic Signature (AdES)** that is legally and technically regulated by the European Union.  The definition of AdES is: _“It is the electronic signature that allows to identify the signatory and to detect any subsequent changes of the signed data, which is linked to the signatory in a unique way and to the data to which it refers and which has been created by means that the signatory can maintain under its exclusive control”_.  

AdES signatures are not legally equivalent to handwritten signature but shall not be rejected by the mere fact that they are electronic (i.e. if legally challenged, the signer bears the burden of the proof). **Qualified Electronic Signatures (QES)** are legally fully equivalent to handwritten signatures (i.e. if challenged, it is the challenger who bears the burden of the proof), and the additional requirement in comparison with AdES is that they also require a specialized hardware for each signature, such as the chips embedded on some National ID cards, which requires a hardware chip reader that almost no one has.  So QES are not yet a practical path, AdES should be good enough.  In the event we decide AdES is not good enough (i.e. weak personal identificatiojn procedure or 2FA not mandatory for signing), maybe this proposal won´t be feasible until better standards are available.

Because AdES based certificates must be accepted as legally valid on all EU member states, this would cover most SEPA countries, therefore it would cover a very significant proportion of SEPA Bisq EUR-BTC trading volume.  It could even cover all SEPA countries if Bisq accepts AdES signatures of Bank account details from non EU countries such as Switzerland if Swiss users have an AdES compliant certificate.  It could be also considered if this AdES digital certificates would be also valid outside Europe (US, Venezuela, Brazil, etc) 

There are several formats of AdES, for internal use probably XAdES (based on XML) could be best, if we want it human readable another option is PAdES (final result is a pdf file). For more general details see https://en.wikipedia.org/wiki/Advanced_electronic_signature  For detailed technical information, there are available libraries and technical support for the AdES standards:

- https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/eSignature+Service+desk
- https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/DSS 

The AdES standard requires that the Certification Authority verifies the Identity of the user, but it does not necessarily require a physical verification nor a 2FA procedure for signing, so if for Bisq we require one or both of those requisites, then we should filter and therefore maintain a whitelist to exclude certification authorities that do not require what we want.   For example, Spanish government digital certificates required physical ID verification until June 2017 and do not require 2FA for signing.  The european union based on its AML regulations allows each country to establish remote identification procedures for AdES and QES digital certificates.  See Spain´s example here: https://www.sepblac.es/wp-content/uploads/2018/02/Autorizacion_video_identificacion.pdf)

In Spain, the government digital certificate issuer recently launched an Android application that allows to obtain a certificate by remote ID verification (through streaming video I believe, the details on how they verify ID within the android app are not available at this moment on issuer website).     

Other AdES private certification authorities make remote verification ID procedures, and also require 2FA for signing, such as those adhered to https://cloudsignatureconsortium.org/.  

### Description and UI overview

When setting up a bank account in Bisq, the user would have the option to sign his account details with the digital certificate installed on his computer.  **The name inputted in the Bank account details must match exactly with the name of the digital certificate**.  The process would follow these steps:

1. Bisq would make a call to the operating system to prompt the user to select a digital certificate 
2. User signs the payload data (his name and IBAN number) 
3. Bisq would have to check that the certificate is still valid and not revoked (TOR might require doing this through a relay), and that it belongs to Bisq minimum standards.  IMO Bisq should just require AdES, because maintaining an ad-hoc whitelist would add complexity and possibly centralization.
4. Bisq would verify that the name in the payload and the Bank details match (this could be done separately for name and surname).
5. If names don't match, a pop up message should be shown to warn the user that names do not match and the signing process fails
6. If names match, then Bisq stores the payload data and the digital signature together with the public key of the certificate.

When a trading peer opens a trade with that self-certified user, the process would be as follows:

1. If the certificate is valid (not revoked and  complies with the required standard), a “verify signature” option would be enabled within the user profile contextual menu
2. The trading peer then could click that option and Bisq would verify the signature and payload data against the name specified in the bank account details and if successful would show a pop up with the message “Name specified in the bank details fully matches the name on user´s digital certificate” 
3. The pop-up contains a button that would make a call to the operating system to show the user certificate so it could be manually reviewed and verified by the trading peer. 

Those 3 steps above could be abstracted away by showing a green / red signature icon if Bisq is able to do all the verification above in the background. The same way a closed / green lock works on the navigation bar of a browser when https is working.

### Attack Vectors

If a scammer manages to fully compromise a computer, it is likely that he could obtain access to both user bank accounts and user digital certificate.  Digital certificates that require 2FA from a different device for signing could be rather resilient to this attack.

### Possible digital certificate providers

Apart from governments and specialised private certification authorities, in some countries such as Norway, Sweden or Finland Banks provide AdES compliant digital certificates to their clients.  See the following links:

- Sweden:https://www.bankid.com/en/
- Norway: https://www.bankid.no/en/about-us/,
- Finland: https://www.nets.eu/developer/e-ident/eids/Pages/TupasFI.aspx  

Private certification authorities that issue AdES compliant digital certificates at a reasonable cost that I have found are the following:

- https://infocert.digital/cloud-id/   for 29.90€ / year
- https://store.intesigroup.com/qualifiedCS.php  For 45€ / year.
- http://cloudsignature.transsped.ro/  For 22.50€ / year.

**Note:** National ID cards with embedded cryptographic chips require a hardware reader and might require to additionally get a Digital Certificate from a certification authority (maybe at a cost) depending on the country.  RFID chips on passports are a memory that carries the passport’s data (name, high resolution picture, etc) but is not capable to perform cryptographic functions such as signing.

### Feedback request to Bisq community

For me it is a bit difficult to find out in which countries digital certificates to interact with the government are free for private individuals.   If you guys are so kind to provide me the following data from your country:

- Cost: free / if not, yearly cost
- Name of the Issuer and website
- Type of Issuer:  Government / Bank / other private certification authority
- 2FA for signing: Yes / No

I will collect it and update it in the following list:

- Austria: Free (government issued)
- Spain: Free (government issued - www.fnmt.es) / No 2FA
- France
- Germany
- Portugal
- ...

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bisq.network/pipermail/bisq-github/attachments/20190425/9579039d/attachment-0001.html>

More information about the bisq-github mailing list