In the bustling tech landscape of Finland, Ammar Bukhari is working at the intersection of digital identity, product management, and customer solutions. With over six years of experience in the industry, Ammar has developed a comprehensive understanding of mobile PKI, eIDAS regulations, and digital wallet technologies.
A technology enthusiast, Ammar serves as the Product Manager for Identity technologies at Methics, a Finnish software company specializing in identity and signature solutions. Here, he oversees Methics products and projects, including MUSAP, an NGI-funded project aimed at developing a new software interface called the Unified Signature Application Programming Interface (USAPI) Library. With MUSAP, Ammar plays an important role in developing innovative solutions for digital identity management. His work focuses on creating user-friendly, secure methods for managing digital signatures and credentials.
Despite the technical nature of his work, Ammar’s approach is human-centric. He sees beyond the code and algorithms, envisioning how each product and feature can make digital interactions more secure and user-friendly. His goal is to create digital identity solutions that are as intuitive to use as they are secure.
In an interview with NGI, Ammar shared insights into the development process of MUSAP and highlighted the role that NGI played in bringing this project to life.
TELL US ABOUT YOURSELF
Our project MUSAP – Multiple SSCDs using Unified Signature API Library Project – seeks to integrate various credential storage and presentation mechanisms provided by Secure Signature Creation Devices (SSCDs) to facilitate flexible credential management for end-users. We believe that the end user wants to manage their trust relationships (private keys) and ultimately does not want to store all keys in the same basket, just like we keep our car keys, home keys and bicycle keys in separate keyrings.
MUSAP is designed to streamline the integration of signature creation devices. MUSAP abstracts the complexities of various SSCDs, offering app developers a consistent interface to request low, substantial, or high level of assurance (LoA) signatures, regardless of the underlying SSCD technology or location of the private key.
The MUSAP Project’s goal was to develop a new software interface. In the NGI Trustchain first Open Call, we built MUSAP as an API library and provided reference apps. During the nine months of the open call, we developed the following:
- MUSAP Library for Android
- MUSAP Library for iOS
- MUSAP Link (Java) Docker
- Reference Demo app for Android using MUSAP Android library
- Reference Demo app for iOS using MUSAP iOS library
- Divvy app for Danubetech demo using MUSAP Android library and Link docker
- VSign App for vsign.mn demo using MUSAP Android library and Link docker
Methics published the first five software packages on GitHub at the closure of the first open call. You can find the NGI Trustchain’s GitHub repo for MUSAP here.
The image below shows a complete deployment scheme of MUSAP to enable four different signing technologies for the user to choose from.
Figure 1: MUSAP overview
MUSAP is available for community use. The next enhancement we have planned for the MUSAP project is a new initiative called eMUSAP, which aims to further streamline interoperability, introduce the Cloud Signature Consortium (CSC) API, and implement zero-knowledge proof between MUSAP components.
Moreover, we wrote a conference paper on MUSAP titled “Defining Unified Signature API for Mobile Apps to Integrate With Secure Signature Creation Devices (SSCDs)”. The paper is scheduled to be presented at the inaugural Trustchain workshop at the IEEE Blockchain 2024 conference.
How did you come up with this project idea?
The idea for MUSAP stemmed from Methics’ experience in developing mobile PKI products/solutions and observing the challenges of integrating multiple credential storage mechanisms.
We offer local and remote signature solutions, as well as a unified signature solution that provides both. During one implementation of our unified signature solution, we noted that a user can enable two SSCDs but cannot use both of them alternatively. We saw there were multiple clients (SSCDs), but it did not provide a unified option for the end-user to choose their choice of wireless PKI client. We wanted to give end-users more control over their trust relationships by allowing them to choose their preferred SSCD technology.
Additionally, the European Union’s eIDAS 2 regulation highlighted the need for a standardized API for mobile apps to connect with secure signature creation elements. We saw a need, where implementing a use-case driven identity management API was needed for:
- Offering an easy way to integrate SSCDs with mobile apps, or in EUDIW terms, a simpler way to integrate WSCA+WSCD with mobile apps
- Providing multiple Levels of Assurance (LoA) for mobile apps integrating SSCDs
- EUDIW to interface with different architectures proposed in ARF
This aligned with our goal of creating a unified signature profile that could support various use cases and LoAs. Thus, it involved merging current industry trends, building on ENISA’s recommendations, identifying areas for improvement in deployed services, and developing auxiliary products to support our product portfolio.
How was the journey of building MUSAP and what role did NGI play in product development?
We saw an open call announcement on LinkedIn one day back in April 2023. We discussed internally and realized our unified signature API product might be a perfect fit for Next Generation Internet needs. My colleague, Jarmo Miettinen, and I spent hours finalizing the project proposal. While finalizing the proposal, we were clear that we had 9 months from start to end. We planned the tasks needed for us to release the API and reference apps.
After we won the grant, we reformulated our Product Requirement Document (PRD) and revisited the plan to update it accordingly. We started defining MUSAP specifications and doing thorough state-of-the-art analysis. Through collaboration with coaches and other stakeholders, we refined the specifications, features, and use cases of MUSAP.
Our developers, Eemeli Miettinen, Atte Walden and Teemu Mänttäri, worked tirelessly to implement MUSAP specifications, implement four keystores during OC1 and create reference demo apps.
There were several unknown factors as far as the implementation was concerned. Our joint sessions with Danubetech, VSign and other stakeholders made us realize the features needed for implementing the use cases, and allowed us to develop something that could work well enough.
We conducted user surveys to validate the concept and ensure its relevance in the target market. Eventually we had a three-fold approach:
- where we developed and demonstrated all features we set out in the deliverables and proposal
- we provided MUSAP along with a test app to a partner company to implement a use case of signing DIDs through Client-Secret mode
- ran a pilot for 1 month where a mobile app using MUSAP provided the user a choice to select their signing technology
Lastly, the NGI deliverables approach enabled us to clearly divide our project goals into four parts and report on each one. NGI Trustchain Open Call 1 provided the platform to realize this vision.
What benefits will MUSAP bring to the end users?
MUSAP-built apps can offer their end users the following features:
- simple “key rings” for your keys
- option to not store all their keys in one basket, i.e., provide the user an option to interface with the signing device technology of their liking
- Sign any data format like X.509 certificates, verifiable credentials, DIDs, etc.
- Support client-secret mode for DIDs and manage cryptographic operations
- Provide a URI scheme compatible with IANA guidelines
Who was the team behind MUSAP?
MUSAP was developed by Methics, a Finnish software company specializing in identity and signature solutions. Our team consists of experienced professionals who have delivered various solutions for national identity schemes and critical business environments. We support digital identity over a wide variety of authentication mechanisms and security assertions. We are committed to bridging the gap between traditional PKI and decentralized identity projects. Our team working on the MUSAP project can be viewed here.
What can you tell us about you?
Ammar Bukhari is an engineer and technology enthusiast working as a Product Manager – ID. Tech. at Methics. He has over six years of experience in building and shipping products. At Methics he is responsible for the product and project portfolio, while also managing the company’s product roadmap and development backlog. During OC1 of NGI Trustchain, Ammar was the Product Owner for MUSAP and has completed many identity-related projects.
LinkedIn: https://www.linkedin.com/in/syedammarbukhari/
Useful links:
MUSAP related blogs and information:
- MUSAP Blog 1: https://www.methics.fi/digital-identity-with-musap-a-library-for-eidas-eudi-wallets-and-identity-apps/
- MUSAP Blog 2: https://www.methics.fi/digital-identity-with-musap-a-library-for-eidas-eudi-wallets-and-identity-apps/
- NGI Trustchain featuring MUSAP: https://trustchain.ngi.eu/interview-meet-musap-team/
GitHub repo and Demos:
- GitHub of MUSAP: https://github.com/NGI-TRUSTCHAIN/MUSAP_project
- MUSAP pilot demo video with document signing service: https://www.youtube.com/watch?v=rbmdo-GwndE
- MUSAP demo video to integrate Finnish Mobile ID with app: https://www.youtube.com/watch?v=IHl4WDTJY34
MUSAP related websites:
- MUSAP Website: https://www.methics.fi/musap/
- Trustchain project details: https://trustchain.ngi.eu/musap/