VeraId: DNS-based authentication, with or without the Internet

VeraId is a new authentication protocol that apps can use to verify the integrity of any content, and reliably attribute it to a domain name (like acme.com) or a member of it (like alice@acme.com), without querying any server on the Internet.

The protocol is essentially a thin layer on top of existing DNS infrastructure. It’s also open, decentralised and has open source implementations.

Use cases

VeraId can improve existing systems in many ways, such as:

  • Avoiding phishing in offline communication apps (the raison d’être of this project).
  • Signing documents or software without gatekeepers like Adobe.
  • Authenticating API clients without bearer tokens or pre-shared public keys.

But perhaps more interestingly, it could power a new generation of decentralised systems that wouldn’t be possible today – like peer-to-peer web hosting with contents reliably attributed to their respective domain names.

Technical overview

VeraId combines DNSSEC with a new Public Key Infrastructure (PKI) to produce digital signatures that can be linked to a domain name. Consequently, every signature contains enough data to be independently verified without external queries, such as DNS lookups.

Any DNSSEC-enabled domain can be a trust anchor in the PKI, but it only has control over itself. This offers far better security than PKIs such as the one used by Transport Layer Security (TLS), where many trust anchors (Certificate Authorities) can issue certificates for any domain.
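The two properties above (a signature bundle verifiable without any network lookup, and a domain trust anchor that can vouch only for its own members) can be illustrated with a small verifier. The code below is an added example written for this page; it is not VeraId's format, library or specification. It assumes a simplified bundle layout of its own design, uses Ed25519 in place of the DNSSEC and X.509 material a real VeraId verifier would process, and stands in a map of pinned per-domain keys for the DNSSEC-validated data that the real protocol carries inside the signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Bundle is a constructed, self-contained signed message: the content, the
// member it is attributed to, the member's public key, the domain's
// endorsement of that key, and the member's signature over the content.
// This layout is an illustration for this page, not VeraId's real format.
type Bundle struct {
	Content     []byte
	Member      string            // e.g. "alice@acme.com"
	MemberKey   ed25519.PublicKey // the key the content was signed with
	Endorsement []byte            // domain key's signature binding Member to MemberKey
	Signature   []byte            // member key's signature over Content
}

// endorsementMessage is what the domain key signs: the member identity bound to its key.
func endorsementMessage(member string, key ed25519.PublicKey) []byte {
	return append([]byte("member:"+member+"\nkey:"), key...)
}

// domainOf returns the domain part of a user@domain identifier.
func domainOf(member string) (string, error) {
	at := strings.LastIndex(member, "@")
	if at < 0 || at == len(member)-1 {
		return "", errors.New("member identifier must be user@domain")
	}
	return member[at+1:], nil
}

// Verify checks a bundle against pinned domain keys (standing in for the
// DNSSEC-validated data a VeraId verifier would have). It performs no network
// I/O: everything it needs is in the bundle or the pinned set. Because the
// anchor is selected by the member's own domain, acme.com's key can never
// make a bundle for someone@example.com verify, which is the "only controls
// itself" property described above.
func Verify(b Bundle, pinned map[string]ed25519.PublicKey) error {
	domain, err := domainOf(b.Member)
	if err != nil {
		return err
	}
	domainKey, ok := pinned[domain]
	if !ok {
		return fmt.Errorf("no trust anchor for %s", domain)
	}
	if !ed25519.Verify(domainKey, endorsementMessage(b.Member, b.MemberKey), b.Endorsement) {
		return fmt.Errorf("endorsement of %s was not signed by the %s anchor", b.Member, domain)
	}
	if !ed25519.Verify(b.MemberKey, b.Content, b.Signature) {
		return errors.New("content signature invalid")
	}
	return nil
}

// MakeBundle builds a bundle: the domain key endorses the member key and the
// member key signs the content. Constructed helper for this example.
func MakeBundle(domainPriv, memberPriv ed25519.PrivateKey, member string, content []byte) Bundle {
	memberPub := memberPriv.Public().(ed25519.PublicKey)
	return Bundle{
		Content:     content,
		Member:      member,
		MemberKey:   memberPub,
		Endorsement: ed25519.Sign(domainPriv, endorsementMessage(member, memberPub)),
		Signature:   ed25519.Sign(memberPriv, content),
	}
}

// GenKey returns a fresh Ed25519 key pair.
func GenKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	acmePub, acmePriv := GenKey()
	examplePub, _ := GenKey()
	_, alicePriv := GenKey()
	pinned := map[string]ed25519.PublicKey{"acme.com": acmePub, "example.com": examplePub}

	good := MakeBundle(acmePriv, alicePriv, "alice@acme.com", []byte("hello"))
	fmt.Println("same-domain bundle:", Verify(good, pinned))

	// acme.com's key vouching for a member of example.com is rejected.
	cross := MakeBundle(acmePriv, alicePriv, "mallory@example.com", []byte("hello"))
	fmt.Println("cross-domain endorsement:", Verify(cross, pinned))
}
```

The verifier never contacts a server: the content, the member key and the domain's endorsement travel together, and the only state the verifier holds is the pinned anchor set. In the real protocol that set is replaced by the DNSSEC chain embedded in the signature, but the shape of the check is the same.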

Designing and implementing yet another auth protocol is not something we took lightly: we know it’s hard to get them right and the consequences can be catastrophic. Unfortunately, no existing technology satisfied our needs.

Watch the video below for a walk-through of the protocol and a demo of the prototype.

About

This project is led by Relaycorp and funded by the Open Technology Fund for use in Letro, but VeraId itself is completely agnostic of Letro and Relaycorp.

We could’ve bundled it with Letro, but the core functionality is generic enough and so widely applicable that it makes more sense to develop it independently. We also expect it to play a crucial role in Awala in the future, such as when we support message broadcasting.

The word vera is Ido for authentic, and it’s pronounced VEH-rah (with a trilled R).