Attestations

What are Attestations?

Attestations are the core functionality for how Shyft network provides assurances around KYC data and the methodologies for sharing that data between VASPs. In the KYC use case, attestations allow for the verification from other members of the network if a user provided honest identity information during the KYC onboarding process. This allows for additional checks and balances can be used to verify if users provided other entities false ID information, falsified bank information, etc. Attestations are created as transactions that interact with smart contracts created for the Shyft network for the specific purpose of KYC validation and information sharing.

When a trust anchor (that is, an entity the network inherently trusts without the need to derive it) has data about a user that’s available for sharing, that data is kept confidential, and only an attestation is published declaring that the information in question exists. The attestation is pseudonymous (attached to their network address rather than any more recognizable form of their identity), and generally restricted to metadata about the information it contains. Additionally, the metadata is encrypted with a user-controlled key, so that users can restrict access to the metadata, to entities that they consent to share it with. This degree of user control also makes it harder for an attacker to use social engineering or data mining attacks to obtain private information.

The attestation structure is also flexible. A certification body can easily use it to publish an attestation that a trust anchor is in compliance with a particular standard for the protection of confidential data, or an industry group could certify that they meet other standards for the accuracy of the records they provide. This will be supplemented by the Reputational Merit Token (RMT), a system for ranking trustworthiness, being built on top of the Shyft network, which enables users to distinguish between legitimate standards bodies and industry groups, and fraudulent certifiers intended to trick people into sharing their data with careless trust anchors or with attackers.