Security Model

Youseddit’s security model is designed to ensure content authenticity, privacy, and secure transactions throughout the platform.

Content Authentication

PGP/GPG Email Encryption and Verification

All email content processed through Youseddit uses PGP/GPG encryption and signatures with multi-party attestation:

  • Journalists must send encrypted emails to interviewees
  • Interviewees must respond with both signed and encrypted emails
  • The system validates proper encryption and signature before processing
  • Token-based validation confirms:
    • Source authenticity (who sent the email)
    • Content integrity (the content hasn’t been altered)
    • Timestamp verification (when the content was created)
    • Email address control (via encrypted token verification)
  • The email validation process creates attestations from all parties
  • Journalists can optionally make content searchable while maintaining access controls

Our detailed workflow diagram shows the complete validation process.

C2PA Content Provenance

The Coalition for Content Provenance and Authenticity (C2PA) framework is used to:

  • Create verifiable attestations about content origin
  • Track content editing and transformation
  • Provide a tamper-evident chain of custody

Blockchain Security

Off-Chain Encrypted Storage with On-Chain Hashing

Youseddit uses a hybrid storage approach for GDPR compliance and security:

  • Off-Chain Storage: Full email content is encrypted using GPG/PGP and stored on IPFS
  • On-Chain Hashing: Only cryptographic hashes and metadata are stored on the blockchain
  • IPFS Content Addressing: Encrypted files are accessed via their unique Content Identifier (CID)
  • Content Privacy: Sensitive content remains encrypted off-chain
  • Verification Path: Hash verification allows proving integrity without revealing content
  • Access Control: Only authorized key holders can decrypt the off-chain content
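The verification path above, sketched as an added example (not Youseddit's own code): a public record holds only a hash, a CID and metadata, and anyone holding the encrypted blob can check it against that record without a decryption key. Assumptions: the hash is SHA-256 taken over the ciphertext, the record field names and the functions `make_record` and `verify_blob` are hypothetical, and the CID is computed as CIDv1 with the raw codec, which matches what IPFS reports only for a blob stored as a single raw block.

```python
import base64
import hashlib
import hmac

def cid_v1_raw(blob: bytes) -> str:
    """CIDv1 (raw codec, sha2-256) of a blob stored as a single IPFS block."""
    digest = hashlib.sha256(blob).digest()
    # 0x01 = CID version 1, 0x55 = raw codec, 0x12 0x20 = sha2-256, 32-byte digest
    cid_bytes = bytes([0x01, 0x55, 0x12, 0x20]) + digest
    # Multibase prefix "b" = lowercase base32 without padding
    return "b" + base64.b32encode(cid_bytes).decode("ascii").lower().rstrip("=")

def make_record(ciphertext: bytes, metadata: dict) -> dict:
    """Public record (assumed layout): hash, CID and metadata, never the content."""
    return {
        "content_sha256": hashlib.sha256(ciphertext).hexdigest(),
        "cid": cid_v1_raw(ciphertext),
        "metadata": dict(metadata),
    }

def verify_blob(record: dict, fetched: bytes) -> bool:
    """Integrity check on a fetched blob; needs no decryption key."""
    hash_ok = hmac.compare_digest(
        hashlib.sha256(fetched).hexdigest(), record["content_sha256"])
    cid_ok = hmac.compare_digest(cid_v1_raw(fetched), record["cid"])
    return hash_ok and cid_ok

# Constructed sample input: stands in for a GPG-encrypted email body.
SAMPLE_CIPHERTEXT = (b"-----BEGIN PGP MESSAGE-----\n\n"
                     b"(constructed placeholder, not real ciphertext)\n"
                     b"-----END PGP MESSAGE-----\n")
RECORD = make_record(SAMPLE_CIPHERTEXT, {"created": "2025-01-01T00:00:00Z"})
# One flipped bit models tampering or corruption in off-chain storage.
TAMPERED = bytes([SAMPLE_CIPHERTEXT[0] ^ 0x01]) + SAMPLE_CIPHERTEXT[1:]

if __name__ == "__main__":
    print("record:", RECORD)
    print("original verifies:", verify_blob(RECORD, SAMPLE_CIPHERTEXT))
    print("tampered verifies:", verify_blob(RECORD, TAMPERED))
```

Hashing the ciphertext rather than the plaintext means the public record cannot be used to confirm a guess at short or predictable content by hashing candidate texts.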

Smart Contract Security

Smart contracts controlling access to content undergo:

  • Formal verification to ensure contract logic is correct
  • Security audits by independent third parties
  • Standard compliance with established NFT and licensing patterns

Access Control

Wallet-Based Authentication

  • Access to content requires cryptographic proof of ownership
  • Smart contracts enforce licensing terms automatically
  • No centralized authority can override access controls

Privacy-First Design

  • Quote content and identity remain private until explicitly shared
  • Consent is managed through attestation transactions
  • Anonymous verification is possible through the public verification API

Audit Trail

All actions on the platform create an immutable audit trail:

  • Content creation and verification
  • License issuance and transfers
  • Access events and usage

This audit trail provides accountability while maintaining privacy through selective disclosure mechanisms.

Last modified July 6, 2025: Update deploy.yml (d65b9c1)