This memo proposes a secure asset transfer protocol (SATP) that is intended to be deployed between two gateway endpoints to transfer a digital asset from an origin network to a destination network.¶
Both the origin and destination networks are assumed to be opaque
in the sense that the interior constructs of a given network
are not read/write accessible to unauthorized entities.¶
The protocol utilizes the asset burn-and-mint paradigm whereby the asset
to be transferred is permanently disabled or destroyed (burned)
at the origin network and is re-generated (minted) at the destination network.
This is achieved through the coordinated actions of the peer gateways
handling the unidirectional transfer at the respective networks.¶
A gateway is assumed to be trusted to perform the tasks involved in the asset transfer.¶
The overall aim of the protocol is to ensure that the state of assets
in the origin and destination networks remains consistent,
and that asset movements into (or out of) networks via gateways can be accounted for.¶
There are several desirable technical properties of the protocol.
The protocol must ensure that the properties of atomicity, consistency,
isolation, and durability (ACID) are satisfied.¶
The requirement of consistency implies that the
asset transfer protocol always leaves both networks
in a consistent state (that the asset is located in
one system/network only at any time).¶
Atomicity means that the protocol must guarantee
that either the transfer commits (completes) or entirely fails,
where failure is taken to mean there is no change to the
state of the asset in the origin (sender) network.¶
The property of isolation means that while a transfer
is occurring to a digital asset from an origin network,
no other state changes can occur to the asset.¶
The property of durability means that once
the transfer has been committed by both gateways,
this commitment must hold regardless of subsequent
unavailability (e.g. crash) of the gateways implementing the SAT protocol.¶
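The four ACID properties above, in an added Python sketch that is not part of this memo or of any SATP implementation: the lock stands for isolation, the abort path for atomicity, the commit record written before either ledger changes for durability (a restarted gateway finishes from it), and the final check for the one-location consistency invariant. The class and function names, and the in-memory log standing in for durable storage, are assumptions.

```python
# Illustrative model of a two-gateway burn-and-mint transfer (assumed names).
class Network:
    """Opaque network: only its own gateway reads or writes the ledger."""

    def __init__(self, assets):
        self.assets = dict(assets)  # asset_id -> owner
        self.locked = set()         # assets under transfer (isolation)

    def lock(self, asset_id):
        if asset_id not in self.assets or asset_id in self.locked:
            raise RuntimeError("asset missing or already under transfer")
        self.locked.add(asset_id)

    def change_owner(self, asset_id, new_owner):
        """Any local state change is refused while the asset is locked."""
        if asset_id in self.locked:
            raise RuntimeError("asset is isolated during transfer")
        self.assets[asset_id] = new_owner

    def burn(self, asset_id):
        self.assets.pop(asset_id, None)  # idempotent, so recovery may replay it
        self.locked.discard(asset_id)

    def mint(self, asset_id, owner):
        self.assets.setdefault(asset_id, owner)  # idempotent as well

def transfer(origin, dest, asset_id, owner, log, dest_reachable=True):
    """Run one transfer; return True if it committed, False if it aborted."""
    origin.lock(asset_id)                                # isolation
    if not dest_reachable:                               # failure before commit
        origin.locked.discard(asset_id)                  # atomicity: origin unchanged
        return False
    log[asset_id] = {"state": "COMMIT", "owner": owner}  # durable commit point
    origin.burn(asset_id)                                # ledgers change only after it
    dest.mint(asset_id, owner)
    log[asset_id]["state"] = "DONE"
    return True

def recover(origin, dest, log):
    """After a crash, finish every committed transfer from the durable log."""
    for asset_id, rec in log.items():
        if rec["state"] == "COMMIT":
            origin.burn(asset_id)
            dest.mint(asset_id, rec["owner"])
            rec["state"] = "DONE"

def consistent(origin, dest):
    """Consistency: an asset is never present in both networks at once."""
    return not set(origin.assets) & set(dest.assets)
```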
All messages exchanged between gateways are assumed to run over TLS1.2,
and the endpoints at the respective gateways are associated with
a certificate indicating the legal owner (or operator) of the gateway.¶