baseid-proofs
Build verifiable identity chains linking your DID to social accounts, domains, and signing keys. Each proof is hash-linked and auditable via Merkle trees.
Key Features
Section titled “Key Features”- Sigchains — append-only, hash-linked identity logs where every entry is immutable and cryptographically chained to the previous
- Identity Statements — five types: SocialProof, DomainProof, KeyAddition, KeyRevocation, Endorsement
- Merkle Trees — efficient inclusion proofs let anyone verify a specific identity claim without downloading the entire chain
- Social Verification — pluggable adapters for platform-specific proof verification (GitHub gist, DNS TXT, Mastodon)
- Key Rotation Tracking — full history of key additions and revocations with active key computation
Quick Start
Section titled “Quick Start”use baseid_proofs::*;
// Create a sigchain for a DIDlet mut chain = Sigchain::new("did:key:alice");
// Append a social proof (e.g., GitHub ownership)chain.append(IdentityStatement::SocialProof { platform: "github".to_string(), username: "alice-dev".to_string(), proof_url: "https://gist.github.com/alice-dev/proof".to_string(),});
// Append a domain proof (DNS TXT record)chain.append(IdentityStatement::DomainProof { domain: "alice.dev".to_string(), method: DomainVerificationMethod::DnsTxt, value: "did:key:alice".to_string(),});
// Verify the integrity of the entire chainassert!(chain.verify_integrity().is_ok());assert_eq!(chain.len(), 2);assert_eq!(chain.social_proofs().len(), 1);assert_eq!(chain.domain_proofs().len(), 1);Identity Statement Types
Section titled “Identity Statement Types”| Variant | Fields | Description |
|---|---|---|
SocialProof | platform, username, proof_url | Proves ownership of a social media account |
DomainProof | domain, method, value | Proves ownership of a domain via DNS TXT or .well-known |
KeyAddition | key_id, key_type, purpose | Records addition of a new signing key |
KeyRevocation | key_id, reason | Records revocation of an existing key |
Endorsement | endorser, claim, signature | Peer endorsement from another DID |
Key Rotation
Section titled “Key Rotation”Track the full lifecycle of signing keys through the sigchain:
let mut chain = Sigchain::new("did:key:alice");
chain.append(IdentityStatement::KeyAddition { key_id: "key-1".to_string(), key_type: "Ed25519".to_string(), purpose: "authentication".to_string(),});chain.append(IdentityStatement::KeyAddition { key_id: "key-2".to_string(), key_type: "P256".to_string(), purpose: "assertion".to_string(),});
assert_eq!(chain.active_keys(), vec!["key-1", "key-2"]);
// Revoke key-1chain.append(IdentityStatement::KeyRevocation { key_id: "key-1".to_string(), reason: "rotated".to_string(),});
assert_eq!(chain.active_keys(), vec!["key-2"]);Merkle Tree Auditing
Section titled “Merkle Tree Auditing”Build a Merkle tree from a sigchain and generate inclusion proofs:
use baseid_proofs::*;
let mut chain = Sigchain::new("did:key:alice");for i in 0..4 { chain.append(IdentityStatement::SocialProof { platform: format!("platform-{i}"), username: "alice".to_string(), proof_url: format!("https://example.com/proof-{i}"), });}
// Build the treelet tree = IdentityTree::build(&chain);assert_eq!(tree.leaf_count(), 4);
// Generate and verify an inclusion proof for entry 2let proof = tree.prove_inclusion(2).unwrap();assert!(IdentityTree::verify_proof(&proof));Social Verification
Section titled “Social Verification”Pluggable verification adapters validate proof ownership:
use baseid_proofs::*;
// Mock verifier for testing — accepts proofs where proof_url contains the DIDlet verifier = MockSocialVerifier;let stmt = IdentityStatement::SocialProof { platform: "github".to_string(), username: "alice".to_string(), proof_url: "https://gist.github.com/alice/did:key:alice-proof".to_string(),};
let result = verifier.verify(&stmt, "did:key:alice").unwrap();assert!(result.verified);
// GenericVerifier validates URL format without fetchinglet generic = GenericVerifier;let result = generic.verify(&stmt, "did:key:alice").unwrap();assert!(result.verified);Key Types
Section titled “Key Types”| Type | Description |
|---|---|
Sigchain | Append-only, hash-linked identity log |
SigchainEntry | Single entry with sequence, statement, prev_hash, hash, timestamp |
IdentityStatement | Tagged enum: SocialProof, DomainProof, KeyAddition, KeyRevocation, Endorsement |
DomainVerificationMethod | DnsTxt or WellKnown |
IdentityTree | Merkle tree built from sigchain entry hashes |
MerkleProof | Inclusion proof with leaf_hash, path, and root |
MerkleProofStep | Single step in the proof path with hash and position |
SocialVerifier | Trait for platform-specific proof verification adapters |
MockSocialVerifier | Test verifier that checks proof_url contains the owner DID |
GenericVerifier | Validates URL format without network fetching |
ProofError | Bilingual error type (EN/FR) |
Server API
Section titled “Server API”When using baseid-server, identity proof operations are available via REST:
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/proofs/sigchain | Create a new sigchain for a DID |
| GET | /api/proofs/sigchain/:did | Get the full sigchain |
| POST | /api/proofs/sigchain/:did/append | Append an identity statement |
| GET | /api/proofs/sigchain/:did/verify | Verify chain integrity |
| POST | /api/proofs/merkle/:did | Build Merkle tree and return root |
| POST | /api/proofs/merkle/:did/prove | Generate an inclusion proof for an entry |
Related Crates
Section titled “Related Crates”baseid-core— ClaimSet, lifecycle traits, bilingual errorsbaseid-did— DID resolution for sigchain ownersbaseid-vc— Verifiable Credentials (sigchain entries can be issued as VCs)baseid-trust— Reputation attestations complement identity proofs