In the evolving landscape of blockchain applications, the ability to securely and efficiently manage digital assets is paramount. The Lock-keeper system, designed to streamline asset custody and provide robust security, introduces the concept of authorizing entities as a fundamental element of its architecture.
In this blog post, we’ll explore what authorizing entities are, why they are important, and how they function within the Lock-keeper system.
What Are Authorizing Entities?
At a high level, an authorizing entity is any participant or entity that has been granted permission to approve certain actions within the Lock-keeper system. These permissions typically revolve around the management of assets within a given digital wallet or vault, management of policies protecting a wallet, or the management of the wallet itself. The Lock-keeper system relies on authorizing entities to ensure that only authorized and trusted participants can control assets or wallets.
In simpler terms, authorizing entities are the “gatekeepers” who are entrusted with the authority to approve critical operations, such as signing transactions, exporting wallets, or creating policies.
Real-world examples of authorizing entities could be:
- A compliance entity that ensures KYC has been performed on a customer prior to the execution of a transaction. Alternatively, a compliance entity could verify that source and destination addresses are not on a block list.
- An administrative entity that manages policies. Policies ensure that the proper approvals have been performed prior to the use of a key.
- A co-signer entity that must approve transactions on a shared account.
- A business manager (e.g., CFO or controller) that approves expenses or on/off-boarding of customer accounts.
What do Authorizing Entities Approve?
- Transaction Signing: They can authorize and approve transaction signing, depending on the policies set up by the Lock-keeper system.
- Key Usage: They can approve the use of keys, excluding signing, within the Lock-Keeper system. Examples of key usage include import, export, and deletion of wallets.
- Policy Management: They can approve the creation, modification, and deletion of policies within the Lock-Keeper system. Policies are an integral part of Lock-Keeper security, and they define who must approve the usage of wallets.
Why Are Authorizing Entities Important?
1. Enhanced Security
In any decentralized system, security is critical. Authorizing entities provide an additional layer of defense by ensuring that only trusted participants can initiate or approve transactions. By requiring authorization for wallet operations, Lock-keeper ensures that no single point of failure exists, and assets are protected from unauthorized access or malicious actors.
2. Decentralization and Flexibility
The ability to define multiple authorizing entities within a vault or wallet allows Lock-keeper to support decentralized control over assets. This decentralized model is critical for users who wish to maintain full control over their digital assets while delegating specific responsibilities to others.
3. Compliance and Governance
For institutional users or those with more complex needs, authorizing entities can play an essential role in governance and compliance. By allowing for multiple levels of approval or enforcing specific rules about who can approve transactions, the Lock-keeper system can be used to comply with regulations or organizational policies.
4. Automation and Efficiency
Automation is key to achieving operational efficiency, especially for DeFi protocols, gaming, AI applications, or any organization that handles large volumes of transactions. Authorizing entities enable automation by allowing trusted services to perform actions on behalf of the account holder without requiring manual intervention.
How are Authorizing Entities Managed?
Authorizing entities can be created, updated, and deleted by administrators in the Lock-Keeper system.
An authorizing entity consists of:
- A name: This is how the authorizing entity is referenced in policies.
- A type: Lock-Keeper provides a built-in PolicyApprover type, which is assigned to the authorizing entity that will manage policies. Administrators may define one or more custom types for authorizing entities that will approve operations within their system. Examples include compliance, CFO, external, etc.
- A signing public key: Authorizing entities approve an action by signing a JSON structure (including their approval or rejection) with a private signing key. The provided public key is used by Lock-Keeper to verify the signature over the structure.
Authorizing entities upload their public key to the Lock-Keeper system independently of the administrator. Specialized administrators generate a one-time URL and provide it to the authorizing entity for the purpose of performing this task.
How Are Approvals Generated?
Authorizing entities receive data from a service provider (who can sign a transaction, or import/export/delete a key) or from a policy admin (who can manage policies). This data provides sufficient detail to approve or decline an operation. It can be provided programmatically to authorizing entities via interfaces external to Lock-Keeper, or through the Lock-Keeper AE Dashboard, which allows authorizing entities to manage approvals through a web interface.
The approval of an operation is performed through the following basic steps:
- The authorizing entity is provided data related to the operation to review.
  - For signing, this is the transaction being signed.
  - For key usage, this would be a structure with the key ID and operation (export, delete, import).
  - For policies, this would be a structure containing the policy.
- The authorizing entity examines the provided data and determines whether the operation is to be approved or declined.
- The authorizing entity populates a metadata structure which includes an approval status and a hash of the transaction, message, or operation.
- The metadata structure is serialized and signed by the authorizing entity using their private signing key.
- The serialized metadata and corresponding signature are returned to the service provider or policy administrator.
The service provider/policy administrator then executes the operation using the Lock-Keeper API, passing in the serialized metadata and signature, along with any other required information.
Prior to completing the operation, Lock-Keeper performs the following verifications:
- Decodes the metadata and serializes it back into the JSON approval data.
- Computes the hash of the operation passed into the Lock-Keeper call and verifies that it matches the hash in the approval data.
- Verifies that the signature over the hash of the approval data is that of the authorizing entity. This is performed using the public key that the authorizing entity registered, as described above.
- Verifies that the approval status in the approval data equals approved.
If any of the checks fail, the operation is declined.
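The approval steps and the four verifications above, sketched in Go as an added example (this is not Lock-Keeper's code or API). The JSON field names, the function names, and the choice of SHA-256 and Ed25519 are assumptions, since the post does not name the algorithms or the metadata layout.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Approval is a hypothetical metadata layout; the field names are assumptions.
type Approval struct {
	Status string `json:"status"`  // "approved" or "declined"
	OpHash string `json:"op_hash"` // hex SHA-256 of the reviewed operation
}

func opHash(op []byte) string {
	d := sha256.Sum256(op)
	return hex.EncodeToString(d[:])
}

// Approve is the authorizing entity's side: populate, serialize, sign.
func Approve(priv ed25519.PrivateKey, status string, op []byte) (meta, sig []byte) {
	meta, _ = json.Marshal(Approval{Status: status, OpHash: opHash(op)})
	d := sha256.Sum256(meta) // the signature covers the hash of the approval data
	return meta, ed25519.Sign(priv, d[:])
}

// Verify runs the four checks in order; the first failure declines the operation.
func Verify(pub ed25519.PublicKey, op, meta, sig []byte) error {
	var a Approval
	switch d := sha256.Sum256(meta); {
	case json.Unmarshal(meta, &a) != nil:
		return fmt.Errorf("metadata does not decode to approval data")
	case a.OpHash != opHash(op):
		return fmt.Errorf("approval is bound to a different operation")
	case !ed25519.Verify(pub, d[:], sig):
		return fmt.Errorf("signature does not match the registered public key")
	case a.Status != "approved":
		return fmt.Errorf("authorizing entity did not approve")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)               // demo key pair
	tx := []byte(`{"to":"addr-constructed","amount":"5"}`) // constructed sample
	meta, sig := Approve(priv, "approved", tx)
	fmt.Println(Verify(pub, tx, meta, sig), Verify(pub, []byte(`{"amount":"500"}`), meta, sig))
}
```

Because the signature covers the exact serialized bytes, the verifier checks the metadata as received rather than a re-serialized copy; editing a signed "declined" into "approved" changes those bytes and fails the signature check.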
Below is a diagram that illustrates the flow of approval for a sign transaction:
Conclusion
Authorizing entities in conjunction with policies are necessary to mitigate misuse of keys or signing of unauthorized transactions. By enabling precise control over who may approve operations across a wallet, the system provides a robust framework for managing digital assets in a secure, decentralized manner. Whether for individual users, decentralized applications, or large organizations, understanding and configuring authorizing entities is crucial for taking full advantage of Lock-keeper’s capabilities.
As the blockchain universe continues to grow, systems like Lock-keeper, which incorporate fine-grained access control, will play an increasingly important role in securing assets and ensuring that users can maintain full control over their holdings. With the power to customize permissions and ensure multi-party security, authorizing entities are an essential tool in the modern blockchain toolbox.