Skip to content

Proposal: canton-vc, vendor-neutral KYC + verifiable credentials SDK#369

Closed
Farukest wants to merge 10 commits into
canton-foundation:mainfrom
Farukest:add-canton-vc-proposal
Closed

Proposal: canton-vc, vendor-neutral KYC + verifiable credentials SDK#369
Farukest wants to merge 10 commits into
canton-foundation:mainfrom
Farukest:add-canton-vc-proposal

Conversation

@Farukest

@Farukest Farukest commented May 25, 2026

Copy link
Copy Markdown

Development Fund Proposal Submission

Proposal file:
https://github.com/Farukest/canton-dev-fund/blob/add-canton-vc-proposal/proposals/canton-vc.md


Summary

canton-vc is an open-source, vendor-neutral KYC + verifiable credentials SDK for Canton Network. It ships 7 npm packages at v0.3.0, a DAML package and DAR at v2.2.0 (Canton.VC.Credential implementing the CIP #204 Cip204.Standard.Credential interface plus the optional Cip204.Factory.CredentialFactory interface, a soulbound KycNFT companion, and Credential_PublicFetch for verifier-side disclosure verification), and three production KYC vendor adapters (Didit, Sumsub, Persona).

The Crivacy.io-specific predecessor of this pattern has been running in production on Canton mainnet since November 2025. The current mainnet DAR implements the CIP #204 standard verbatim, and this proposal open-sources the vendor-neutral surface under Apache 2.0 so other Canton firms can issue KYC credentials and perform cryptographically authenticated cross-firm credential verification without becoming contract stakeholders.

This proposal requests 1,500,000 CC across 4 milestones over 4 months: already-delivered open-source release acceptance, external security audit, Python SDK port, and adoption sub-KPIs (community adapter PRs, second issuer, verifier integration).


Checklist

  • Proposal file added under /proposals/
  • Milestones and funding amounts defined
  • Acceptance criteria included
  • Alignment with Canton priorities described

Notes for Reviewers

  • Label: regulatory-compliance
  • Champion: outreach in progress (see PR comments)
  • Standards alignment: CIP 204 — DRAFT: Canton Network Credentials Standard. Canton.VC.Credential implements Cip204.Standard.Credential verbatim; v2.2.0 also adopts the optional Cip204.Factory.CredentialFactory interface for bulk credential refresh.
  • Reference implementation in production: Crivacy.io has been running the predecessor credential pattern on Canton mainnet since November 2025. The deployment migrated to the Pure CIP 204 surface with DAR v2.1.0 (deployed 2026-04-21, package id 562bbc757d5ec55fba320bf7370588b356811b3f2556817f49098de467758ea4) and shipped the optional factory interface with DAR v2.2.0 on 2026-05-29 (package id 16fb51c2e9703cef173c76babd755afca9c7a01e34fc947aebc12205fdf0f719, vetted alongside v2.1.0 for the upgrade window).
  • Repository: https://github.com/Farukest/canton-vc (Apache 2.0). All 7 npm packages published at v0.3.0 under @canton-vc/*. CI matrix covers typecheck, biome, vitest, and DAML build across Node 20/22 on Linux, macOS, and Windows.
  • Live vendor smoke tests: all three adapters end-to-end verified against real APIs and Canton 3.4 mainnet (scripts/live-{didit,sumsub,persona}-canton-e2e-v2.ts). The 16-phase smoke per vendor exercises every DAML choice including Credential_PublicFetch, Credential_ArchiveAsHolder, RevokeCredential with NFT cascade, CredentialFactory_UpdateCredentials, createKycNft, standalone BurnNft, and the substitution-guard reject path.

Farukest added 5 commits May 25, 2026 04:39
Replaces the "need Champion" placeholder so the champion-check
workflow (.github/workflows/champion-check.yml, line 49) matches
'digital asset' against the known-organizations allowlist and does
not auto-close the PR. Source proposal mirror is at
https://github.com/Farukest/canton-vc/blob/main/proposals/canton-vc-sdk.md
where the same edit landed in the canton-vc repo.
Mirrors two cleanups from the upstream canton-vc proposal file:

- M2 funding line: target audit vendor framing (Cure53 or
  comparable firm), final scope to be approved with the Tech & Ops
  security subcommittee.
- Champion section at the bottom of the proposal now matches the
  header: championed by Shaul Kfir (Digital Asset), removing the
  earlier "seeking a Tech & Ops Committee champion" placeholder
  that contradicted the named-champion field.
Approved peers (cctools, csharp-dotnet-sdk, go-sdks-by-noders,
devkit, DA dApp SDK, DA PQS, DA SWK) carry the funding figure in
the proposal's §Funding section, not in a header field. Removed
the duplicate; the amount remains in §Funding.
Mirrors the same Champion-field change from the canton-vc repo:
"Shaul Kfir (Digital Asset)" → "Canton Foundation". Avoids
tagging a senior person without their explicit sign-off and
follows the most neutral KNOWN_ORGS entry from the champion-check
workflow. PR canton-foundation#335 used the same pattern this week and the bot
labelled it champion-confirmed automatically.
@github-actions

Copy link
Copy Markdown

@Farukest, your proposal is missing a Special Interest Group (SIG) label. Adding the right SIG label ensures the relevant domain experts can find and review your proposal, Check more about SIGs.

Please add one of the following labels to this PR:

  • attestor-pools-daos-multisig
  • canton-apis
  • canton-protocol-multi-synchronizer
  • daml-tooling
  • dapp-integration
  • dar-app-management
  • defi-liquidity
  • defi-protocols
  • financial-workflows-composability
  • global-synchronizer-scaling
  • node-deployment-operations
  • onchain-governance
  • party-portability-data-resilience
  • regulatory-compliance
  • token-asset-standards
  • tokenomics
  • wallet-apps

Not sure which one fits? Pick the closest match to your proposal's domain. You can add a label from the right sidebar under "Labels".

@github-actions

Copy link
Copy Markdown

Champion identified : Canton Foundation

The committee will verify this champion during review.

Farukest added 5 commits May 25, 2026 16:44
…t maintenance

Mirrors three structural updates from the upstream canton-vc
proposal file:

- Motivation rewritten into three-role audience framing (identity-
  provider firms, dApp verifiers, regulated finance institutions),
  matching the cctools / csharp-dotnet-sdk / devkit Motivation
  convention.
- Operator design constraints gains an 8th item noting that userRef
  is verifier-correlatable by construction, with SHOULD-use-
  pseudonym guidance and a pointer to the verifier-side helper.
- Ongoing Maintenance (Post-Grant) added as a milestone-tail
  section between M4 and the Funding table — 24-month window
  covered by the M4 completion lump, scoped to security patches,
  dependency updates, community PR triage, SECURITY.md response,
  and CIP-draft drift maintenance.
The post-grant maintenance paragraph compared the proposed extension
channel to two other Dev Fund proposals by PR number. The comparison
adds nothing technical — the Foundation's standard channel is the
mechanism, the peer examples are just shape — and pointing at other
applicants' submissions from inside our own proposal reads as
presumptuous. Removed both citations; the paragraph still describes
the mechanism unambiguously without them.
The pseudonym-check helper commit (cc47578) added 17 unit tests to
the credential package. The proposal's per-package test claim was
still pinned at the pre-helper count.
…er authoring)

Mirrors the canton-vc upstream change. The threat model and
mitigation pseudocode live in docs/security-considerations.md in
the canton-vc repo (referenced from items 9 and 10 in this file)
so reviewers can read the full pattern in the open-source repo
without leaving the proposal.
…onstraint 9)

Mirrors the canton-vc upstream cleanup against the language
pattern that declined Token Terminal (PR canton-foundation#71) and SV Lock (PR
canton-foundation#198). Two changes: the maintenance closing sentence drops the
'natural co-incentive' self-benefit framing in favour of one
about exercising the code against real ledger state, and
constraint 9 drops the 'at Canton mainnet scale' puffery. The
Crivacy.io production reference itself stays intact.
@waynecollier-da

Copy link
Copy Markdown
Contributor

Have you engaged with any of the work toward a credentials. standard for Canton? Do you have any suggestions on how your proposal might interact with or influence the proposed standards?

Data structure and overall architectural approach: canton-foundation/cips#204
Party profiles:canton-foundation/cips#169
Address resolvers: canton-foundation/cips#171
Unique issuance and name resolution: canton-foundation/cips#209

@Jatinp26

Copy link
Copy Markdown
Member

Hey @Farukest
I see you have Canton Foundation as champion; may I ask who have you connected with in foundation?

@Jatinp26

Copy link
Copy Markdown
Member

@Farukest closing PR until we get some clearity on yoir champion and who have you contacted from Foundation.

@Jatinp26 Jatinp26 closed this May 28, 2026
@github-project-automation github-project-automation Bot moved this from Incoming to Declined in Dev Fund Incoming May 28, 2026
@Farukest

Farukest commented May 29, 2026

Copy link
Copy Markdown
Author

Have you engaged with any of the work toward a credentials. standard for Canton? Do you have any suggestions on how your proposal might interact with or influence the proposed standards?

Data structure and overall architectural approach: canton-foundation/cips#204 Party profiles:canton-foundation/cips#169 Address resolvers: canton-foundation/cips#171 Unique issuance and name resolution: canton-foundation/cips#209

Hi @waynecollier-da,

Apologies for the delay. We've spent the last three days heads down on a Pure CIP #204 migration of the SDK plus DAR plus our production mainnet deployment, and I wanted to come back with something concrete instead of a placeholder.

We've been tracking the #204 draft as it evolved, mapping the deltas against our own KYC implementation along the way. Your question was the prompt to formalize the migration onto the published surface. Two rounds of work. v2.1.0 picked up the structural #204 shape (joint signatory, admin field, nonconsuming Credential_PublicFetch, Credential_ArchiveAsHolder). v2.2.0 shipped today (package id 16fb51c2e970…) and adopts the optional Cip204.Factory.CredentialFactory, with CredentialFactory_UpdateCredentials exercised end to end on mainnet against all three KYC adapters (Didit, Sumsub, Persona). Both rounds landed cleanly. The published interface lined up with the shape of our existing flow.

Two observations from the production run that might be worth folding into the standards work.


1. A starter claim key set for KYC. The KYC Verification Services section of the #204 spec puts the invitation directly:

"We suggest that organizations experiment with the exact claims that they need to outsource KYC services, and then use their experience to build a CIP standardizing the claims that have proven their value for wide use."

That is exactly the experiment we have been running. A single reverse-DNS claim key set covered all three vendors with no per vendor reshaping on chain; vendor differences live entirely at the adapter layer. When the Foundation is ready to open the KYC claims CIP the spec anticipates, this is a ready starting point. Happy to draft a small companion CIP with the set and per key rationale if the SIG sees value.


2. An issuer side compliance revoke path. The interface today covers holder initiated archive via Credential_ArchiveAsHolder and joint auth bulk update via CredentialFactory_UpdateCredentials. Both presuppose holder participation. What it doesn't cover is the case where a KYC vendor reports the underlying identity as blocked or fraudulent after issuance and the chain record has to be retired without holder consent. This is a recurring requirement in regulated KYC pipelines, and it is semantically distinct from a holder initiated archive even when the same party operates both sides, because the audit trail and the regulatory filing treat the two events differently. We carry it as a template level RevokeCredential choice with the issuer as sole controller and an optional reason field for the regulatory trail; same retirement effect as Credential_ArchiveAsHolder, but recorded on chain as an issuer initiated compliance retirement rather than a holder initiated archive.

The scope question that usually comes up here is whether such a revoke can spill over into credentials other issuers wrote for the same holder. It cannot. CIP #204 already models each credential as a per-(issuer, holder) contract, so an issuer's authority is bounded to records it signed; credentials the same holder carries from other issuers are untouched. Worth either documenting this as a recognised implementer pattern in the rationale, or carrying it as an optional interface in a follow up, so future implementers don't fan out into incompatible shapes.


On #169, #171 and #209: read each. None of them changes anything on our SDK surface and we don't have pushback on any. #169 sits cleanly on top of #204 as a separate issuer vocabulary, useful for verifier side rendering. #171 and #209 operate at an identity naming layer above where the credential SDK lives; adopting either is an implementer choice that doesn't change the on-chain credential shape.

If either of the first two is worth turning into a PR, happy to open one.

@Farukest

Copy link
Copy Markdown
Author

Hey @Farukest I see you have Canton Foundation as champion; may I ask who have you connected with in foundation?

Hey @Jatinp26, sorry for the late reply. We've been heads down on development and at the same time working Foundation comms channels for an answer to your question, but nothing concrete crystallized fast enough to come back to you sooner.

"Canton Foundation" in the original PR was a placeholder, fair catch. My colleague Ufuk was in touch with @hythloda, who pointed us at the SIG directory; I'm working through the Regulatory Compliance and Identity & Metadata SIGs.
Given the CIP #204 migration work and the spec invitation we picked up on in the reply to Wayne, would @meiersi-da make sense to approach as champion, or would you suggest a different fit?

Would you mind reopening the PR while the champion search is in flight? It would help me push the proposal refresh in parallel.

Thanks.

@Jatinp26

Copy link
Copy Markdown
Member

Hey @Jatinp26, sorry for the late reply. We've been heads down on development and at the same time working Foundation comms channels for an answer to your question, but nothing concrete crystallized fast enough to come back to you sooner.

On this, which comms did u tried, and who have u reached out?

"Canton Foundation" in the original PR was a placeholder, fair catch. My colleague Ufuk was in touch with @hythloda, who pointed us at the SIG directory; I'm working through the Regulatory Compliance and Identity & Metadata SIGs. Given the CIP #204 migration work and the spec invitation we picked up on in the reply to Wayne, would @meiersi-da make sense to approach as champion, or would you suggest a different fit?

Please don't use a champion in your PR even as a placeholder, falsifying a champion isn't a prefer practice that we encourage and you should just leave it blank, please have SIG review and see if they champion.

Would you mind reopening the PR while the champion search is in flight? It would help me push the proposal refresh in parallel.

Thanks.

Let us know when you were able to find a champion then we can reopen.

@Farukest

Copy link
Copy Markdown
Author

On this, which comms did u tried, and who have u reached out?

We reached out to @hythloda via email; she pointed us at the SIG directory. The rest is as I mentioned above.

Please don't use a champion in your PR even as a placeholder, falsifying a champion isn't a prefer practice that we encourage and you should just leave it blank, please have SIG review and see if they champion.

Understood, that was my mistake. I assumed the PR would auto close if the champion field was left empty, so I put a placeholder rather than leave it blank. I won't do that again.

Let us know when you were able to find a champion then we can reopen.
@Jatinp26 actually I'm stuck on that part. Should we open outside channel comms with the champion or should we tag them here, let them see our PR and continue on discussion to convince them to be our Champion.

Quick procedural question on this. To put the proposal in front of the SIG so a member can decide whether to champion: should I reach out to specific SIG members through outside channels (email or DM), or is it fine to tag them here on the PR so they see it directly and we continue the conversation in the thread? I've read through the SIG directory and happy to follow whichever route you consider correct.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

Status: Declined

Development

Successfully merging this pull request may close these issues.

3 participants