improvements
Mateusz Czeladka committed Dec 1, 2022
1 parent 1a42e67 commit e38b523
Showing 1 changed file with 26 additions and 7 deletions.
33 changes: 26 additions & 7 deletions CPS-???/README.md
Expand Up @@ -2,24 +2,43 @@
CPS: ?
Title: On chain dApp / scripts audits
Status: Open
Category: ?
Category: dApps
Authors:
- Mateusz Czeladka <mateusz.czeladka@cardanofoundation.org>
Proposed Solutions: []
Proposed Solutions: ?
Created: 2022-12-01
---

# DRAFT - certification

## Abstract

Currently there is no way to check if a particular dApp version (release) or a given script has been audited from on-chain metadata.
Currently there is no way to check if a particular dApp version (release) or a given script has been audited by a certain auditing company / party from on-chain metadata. As a developer using on-chain metadata I would like to verify that a given script hash has been audited by a certain auditing company.

## Problem

Our understand is that dApp on Cardano is nothing else that a collection of scripts, sometimes it could be even just one script. dApps are naturally evolving therefore they receive new versions and also new script hashes. We often find ourselves in the situation that we have to trust the people issuing scripts. In typical examples one can lookup a certification as PDF from e.g. certiK but there are cases where a team is claiming that a certification of a script is also valid for new version (e.g. when moving from Plutus V1 to Plutus V2). We don't want to trust anybody, we would like to build an indexer from on chain metadata and be able to verify that CertiK has signed off an audit. We don't want to have to trust teams / people building dApps that Plutus V1 certification / audit is also valid for Plutus V2.
A typical understanding of dApps on Cardano is that a dApp is nothing else that a collection of scripts (identifiable by a script hash), sometimes it could be even just one script. dApps are naturally evolving therefore they receive new versions and also new script hashes. We often find ourselves in the situation that we have to trust the people issuing scripts. A typical process is that by manually, without any automated process, one can open audit / certification as PDF from an auditing company (e.g. certiK) and check if audit applies to given script hashesh. This process is manual but it works, however, in some cases a company / people issing a script may claim that a former certification of a script is also valid for new version (e.g. when moving from Plutus V1 to Plutus V2). One should not trust issuers, one should be able to verify in an automated manner that a given script (hash) is audited by certain certification / audit which lives on chain and is signed by a certain auditing company.

If you look at crfa-offchain-metadata registry (https://github.com/Cardano-Fans/crfa-offchain-data-registry) and more specifically dApps currently we maintain manually the fact that there is an audit of a given dApp or not. We would prefer to automate this via on chain indexer and this data should be automatically injested without human level oracle involvement.
If you look at crfa-offchain-metadata registry (https://github.com/Cardano-Fans/crfa-offchain-data-registry) and more specifically dApps currently we maintain manually the fact that there is an audit of a given dApp or not. We would prefer to automate this via on chain indexer and this data should be automatically injested without any human involvement.

## Possible solution
Propose a CIP where various certification companies will be able to certify a "dapp release" or certain scripts so that we know that they have been properly audited.
## Use cases
- DappsOnCardano.com would like to show a certification icon and link to audit report and be certain that this audit is pertinent for a given dApp - in our case all scripts that belong to a certain dApp have been audited.
- lace wallet would like to know if a given dApp is fully audited and certified.
- A certification / auditing company would like to issue an audit report assuring that certain scripts have been audited with a link to an off chain (e.g. IPFS) audit report.

## Goals
- issuing an audit report for a given dApp
- identify issuing company and that their signing keys indeed belong to them in an automated fashion
- protection against fake signing audit report, somebody signed audit report but it wasn't a certification company
- verify that a given script hash belongs to a certain audit report
- certification / audit could be AUTOMATED or MANUAL, MANUAL would be done by humans and certification company / auditing firm but AUTOMATED one could be done by e.g. Marlowe software suite or any other tool which could do an automated formal verification
- It should be possible to issue multiple MANUAL / AUTOMATED certifications for a given "dApp release" or set of scripts since it is not uncommon that a given dApp has multiple certifications.

## Open Questions

- how would I know that a given audit is not signed by a fake certification company (we don't have on Cardano key distribution system like keybase)?
- Since a dApp is a collection of scripts how do I know that audit report signs all scripts which compose of a dApp?
- Since dApps have releases, v1, v2, how do I know that a previous audit is still valid for a new script, it seems like audit reports should be released for each new script hash?

## Possible solution
Propose a CIP where various certification companies / auditing firms will be able to certify a "dapp release" or certain scripts so that anybody interested in this infrmation will be able to subscribe to those on chain event and verify that have been properly audited.
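
Review bot: The trust anchor for auditor keys is left undefined between Goals and Open Questions: Goals asks to "identify issuing company and that their signing keys indeed belong to them in an automated fashion", while Open Questions states that Cardano has no key distribution system like keybase. Since the Problem section's whole argument is "One should not trust issuers", the problem statement should say explicitly that binding a signing key to an auditing company is in scope, and that an indexer must treat a signature from a key it cannot bind to a known auditor as unverified rather than as an audit. The same applies to the versioning question: the goal "verify that a given script hash belongs to a certain audit report" should state that an audit covers only the script hashes it lists, so a Plutus V1 audit never carries over to a V2 hash by default. Smaller points: `Proposed Solutions: ?` turns what was a list (`[]`) into a scalar in the front matter, which may break tooling that parses the header; and the new text has typos worth fixing before merge ("hashesh", "issing", "infrmation", "nothing else that").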
