System overview
This system implements constitutional committee credentials that are backed by an X.509 certificate tree, composed of multiple sub-credentials. Its goals are:
Distribute responsibility between different groups of users.
Allow user groups to be updated (rotated) without changing the committee credentials.
Tie each individual's credential to a publicly verifiable identity via X.509 certificate chains, for transparency and audit compliance.
At a high level, it works by coordinating four script credentials and two minting scripts:
The two committee credential scripts are registered as the actual hot and cold committee credentials on-chain. However, they do not contain the majority of the system's logic, for two reasons:
Committee credentials cannot be associated with a datum, so any information they depend on like lists of users must be hard-coded in the script.
If the system needs to be updated — for example, to apply security patches — the committee credentials would need to be replaced, which is the situation the system is intended to avoid.
Instead, they both employ a layer of indirection to delegate the logic to payment credentials, which do not suffer from these two problems. To do this, each requires only that an NFT minted by the corresponding minting script be spent by the transaction. The payment credential that holds this NFT implements the real logic of the system.
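The indirection described above, as an added illustration rather than the project's own Plutus scripts: a simplified Python model in which the committee credential script hard-codes only the NFT's minting policy id and checks that the NFT is spent, while the payment credential that holds the NFT checks the transaction's signatories against a user group. The datum layout, the signature threshold and all policy ids and key hashes are constructed assumptions, not values from the page.

```python
from dataclasses import dataclass

# Constructed model (not the project's own code) of the two-layer check
# described above. The authorised group is assumed to live in the datum of
# the UTxO that holds the NFT, so rotating the group changes that datum
# while the committee credential script itself stays unchanged.

@dataclass(frozen=True)
class TxInput:
    script_hash: str          # payment credential (script) guarding this UTxO
    assets: frozenset         # frozenset of (policy_id, asset_name) pairs held
    datum: tuple = ()         # authorised key hashes (assumed datum layout)

@dataclass(frozen=True)
class Tx:
    inputs: tuple
    signatories: frozenset    # key hashes whose signatures the tx carries

def committee_credential_check(tx: Tx, nft_policy: str) -> bool:
    """Committee credential script: it has no datum, so the only thing it
    hard-codes is the NFT's minting policy id, and it requires that some
    input carrying that NFT is spent by the transaction."""
    return any(pid == nft_policy for inp in tx.inputs for pid, _ in inp.assets)

def payment_credential_check(tx: Tx, inp: TxInput, threshold: int) -> bool:
    """Payment credential script holding the NFT: requires that at least
    `threshold` members of the group recorded in the datum signed the tx."""
    return len(set(inp.datum) & tx.signatories) >= threshold

def authorize(tx: Tx, nft_policy: str, threshold: int) -> bool:
    """Combined outcome of both scripts for a committee action."""
    if not committee_credential_check(tx, nft_policy):
        return False
    holder = next(i for i in tx.inputs if any(p == nft_policy for p, _ in i.assets))
    return payment_credential_check(tx, holder, threshold)

NFT_POLICY = "policy-cold-nft"                    # constructed placeholder id
GROUP_V1 = ("kh-alice", "kh-bob", "kh-carol")     # constructed key hashes
GROUP_V2 = ("kh-dave", "kh-erin", "kh-frank")     # rotated group, same NFT

def make_tx(group, signers, with_nft=True) -> Tx:
    """Build a constructed transaction that spends the NFT-holding UTxO."""
    assets = frozenset({(NFT_POLICY, "cold")}) if with_nft else frozenset()
    return Tx(inputs=(TxInput("script-payment", assets, group),),
              signatories=frozenset(signers))
```

Rotating from GROUP_V1 to GROUP_V2 only changes the datum carried with the NFT; `committee_credential_check` still accepts the same NFT_POLICY, which is exactly the property the indirection is meant to provide.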
Warning
This system replaces control of a private key with control of an NFT. The loss of control of either NFT is equivalent to the loss of control of either committee credential. To mitigate the risks involved, it is imperative to follow these guidelines, none of which are enforced by the system:
The signing keys used by the user groups to spend these NFTs must be managed according to established security best practices.
The above is especially true for users in the membership group, who have the power to arbitrarily spend the Cold NFT. It is recommended that the members of this group are technically skilled, trustworthy individuals who have the knowledge, skills, and equipment required to manage keys securely.
In addition to secure key management, it is equally important to use cryptographically secure sources of entropy to generate these keys, such as /dev/urandom on Unix-based systems, and to properly instruct users on how to do this.