---
id: task-10
title: Design EncryptID unified identity system for r-ecosystem
status: Done
assignee: []
created_date: '2026-02-05 15:02'
updated_date: '2026-02-05 15:05'
labels:
- architecture
- security
- rSpace-ecosystem
dependencies: []
priority: high
---

## Description

<!-- SECTION:DESCRIPTION:BEGIN -->
Design and document the EncryptID unified identity/authentication system for rspace.online, rwallet, rvote, rmaps, and rfiles.

Key requirements:
- WebAuthn/Passkey as primary authentication
- WebCrypto API for key derivation and client-side encryption
- Account Abstraction smart wallet integration
- Social recovery (NO seed phrases)
- Cross-app SSO across all r-ecosystem apps
- DID:key for decentralized identity
<!-- SECTION:DESCRIPTION:END -->

## Acceptance Criteria
<!-- AC:BEGIN -->
- [x] #1 Architecture document complete with all 5 layers defined
- [x] #2 Social recovery mechanism designed (no seed phrases)
- [x] #3 Cross-app SSO strategy documented
- [x] #4 Integration path with existing CryptID documented
- [x] #5 Provider comparison (ZeroDev vs Safe vs Privy) complete
<!-- AC:END -->

## Implementation Notes

<!-- SECTION:NOTES:BEGIN -->
## Completed Research

Created comprehensive ENCRYPTID-SPECIFICATION.md covering:

### 5-Layer Architecture
1. **Layer 1: WebAuthn/Passkeys** - Hardware-backed primary auth
2. **Layer 2: Derived Keys (WebCrypto)** - Encryption, signing, DID keys via HKDF
3. **Layer 3: Smart Wallet (AA)** - ZeroDev + Safe hybrid for on-chain ops
4. **Layer 4: Social Recovery** - Guardian-based, no seed phrases, 48h time-lock
5. **Layer 5: Session/SSO** - Related Origin Requests for cross-app auth

### Social Recovery Design
- 3-of-5 guardian threshold recommended
- Guardian types: secondary passkey, trusted contacts, hardware key, institutional
- 48-hour time-lock with user notification and cancellation
- Privacy-preserving (guardians don't know each other)
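
The recovery rules listed above (3-of-5 threshold, 48-hour time-lock, cancellation) modelled as a small state machine. This is an added example, not code from ENCRYPTID-SPECIFICATION.md; the class, field and guardian names are hypothetical, and starting the time-lock when the third distinct approval arrives is an assumption.

```javascript
// Added example: RecoveryRequest and its fields are hypothetical names.
const TIMELOCK_MS = 48 * 60 * 60 * 1000; // 48-hour time-lock from the design
const THRESHOLD = 3;                     // 3-of-5 guardian threshold

class RecoveryRequest {
  constructor(guardianIds, newCredentialId) {
    this.guardians = new Set(guardianIds);
    if (this.guardians.size < THRESHOLD) throw new Error("not enough distinct guardians");
    this.newCredentialId = newCredentialId;
    this.approvals = new Set(); // a Set, so a repeated approval counts once
    this.unlockAt = null;       // set when the threshold is first reached
    this.state = "pending";     // pending -> timelocked -> executed | cancelled
  }

  approve(guardianId, now) {
    if (this.state === "cancelled" || this.state === "executed") throw new Error("request is closed");
    if (!this.guardians.has(guardianId)) throw new Error("unknown guardian");
    this.approvals.add(guardianId);
    if (this.state === "pending" && this.approvals.size >= THRESHOLD) {
      this.state = "timelocked";
      this.unlockAt = now + TIMELOCK_MS; // assumption: clock starts at threshold
    }
    return this.state;
  }

  // The current account holder can veto at any point before execution.
  cancel() {
    if (this.state === "executed") throw new Error("already executed");
    this.state = "cancelled";
    return this.state;
  }

  // Rotates to the new credential only after the full time-lock has elapsed.
  execute(now) {
    if (this.state !== "timelocked") throw new Error(`cannot execute while ${this.state}`);
    if (now < this.unlockAt) throw new Error("time-lock has not expired");
    this.state = "executed";
    return this.newCredentialId;
  }
}
```

User notification is not modelled here; in this sketch it would fire on the transition to `timelocked`.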

### Provider Comparison
- **ZeroDev**: Best for custom flows, native passkey support via Turnkey
- **Safe**: Best for DAOs/shared treasuries, multi-sig native
- **Privy**: Quickest integration, managed recovery
- **Turnkey**: Infrastructure layer, TEE-backed

### Key Research Sources
- Yubico PRF Extension Guide
- Vitalik's social recovery recommendations
- ZeroDev/Safe documentation
- Corbado passkey guides
<!-- SECTION:NOTES:END -->