Files
the_order/docs/governance/eresidency-ecitizenship-task-map.md

296 lines
10 KiB
Markdown
Raw Normal View History

# eResidency & eCitizenship Task Map
Complete execution-ready task map to stand up both **eResidency** and **eCitizenship** for a decentralized sovereign body (DSB) modeled on SMOM-style sovereignty (recognition without permanent territory).
## Phase 0 — Program Charter & Guardrails (23 weeks)
### 0.1 Foundational Charter
* Draft: Purpose, powers, immunities sought, governance model, membership classes (Resident, Citizen, Honorary, Service).
* Define scope: digital-only status vs. claims with diplomatic effects.
* Deliverable: DSB Charter v1 + Glossary.
* Accept: Approved by Founding Council with recorded vote.
### 0.2 Legal & Risk Frame
* Commission legal opinions on: personality under international law (IO/NGO/Order), recognition pathways, host-state agreements/MOUs, data protection regimes, sanctions compliance, export controls.
* Map constraints for KYC/AML, conflict-of-laws, tax neutrality, consumer protections.
* Deliverable: Legal Risk Matrix + Opinion Letters Index.
* Accept: Red/Amber/Green ratings with mitigations.
### 0.3 Trust & Assurance Model
* Choose trust posture: "Assured Identity Provider" with defined Levels of Assurance (LOA 13) and assurance events (onboard, renew, recover).
* Deliverable: Trust Framework Policy (TFP), including incident handling & audit.
* Accept: External reviewer sign-off.
---
## Phase 1 — Governance & Policy Stack (46 weeks)
### 1.1 Constitutional Instruments
* Citizenship Code (rights/duties, oath), Residency Code (privileges/limits), Due Process & Appeals, Code of Conduct, Anti-corruption & Ethics.
* Deliverable: Statute Book v1.
* Accept: Published and version-controlled.
### 1.2 Data & Privacy
* Privacy Policy, Lawful Bases Register, Data Processing Agreements, DPIA, Records of Processing Activities, Retention & Deletion Schedules.
* Deliverable: Privacy & Data Governance Pack.
* Accept: DPIA low/medium residual risk.
### 1.3 Sanctions/KYC/AML Policy
* Define screening lists, risk scoring, Enhanced Due Diligence triggers, PEP handling, source-of-funds rules (if fees/donations), audit trail requirements.
* Deliverable: KYC/AML Standard Operating Procedures (SOPs).
* Accept: Mock audit passed.
### 1.4 Benefits & Obligations Catalog
* Enumerate tangible benefits (digital ID, signatures, notarial layer, dispute forum, community services, ordinaries, honors) and duties (updating info, code compliance).
* Deliverable: Benefits Matrix + Service SLAs.
* Accept: SLA thresholds defined and met in testing.
---
## Phase 2 — Identity & Credential Architecture (68 weeks)
### 2.1 Identifier Strategy
* Pick scheme: Decentralized Identifiers (DIDs) + UUIDs; namespace rules; revocation & recovery flows.
* Deliverable: Identifier & Namespace RFC.
* Accept: Collision tests + recovery drill.
### 2.2 Credentials & Schemas
* Define verifiable credential (VC) schemas for: eResident Card, eCitizen Passport (digital), Address Attestation, Good Standing, Professional Orders.
* Deliverable: JSON-LD schemas + Registry.
* Accept: Interop tests with 3rd-party verifiers.
### 2.3 PKI / Trust Anchors
* Stand up Sovereign Root CA (offline), Issuing CAs (online), Certificate Policy/Practice Statements (CP/CPS), CRL/OCSP endpoints.
* Deliverable: Root ceremony artifacts + HSM key custody procedures.
* Accept: External PKI audit checklist passed.
### 2.4 Wallet & Verification
* User wallet options: web wallet + mobile wallet (iOS/Android) with secure enclave; verifier portal; QR/NFC presentation.
* Deliverable: Wallet apps + Verifier SDK (JS/TS) + sample verifier site.
* Accept: LOA-aligned presentation proofs; offline-capable QR working.
---
## Phase 3 — Application, Vetting & Issuance (610 weeks)
### 3.1 eResidency Workflow (MVP)
* Application: email + device binding, basic identity, selfie liveness.
* KYC: doc scan (passport/ID), sanctions/PEP screening, proof-of-funds if needed.
* Issuance: eResident VC + X.509 client cert; optional pseudonymous handle tied to real identity at LOA 2.
* Deliverable: eResidency Portal v1 + Reviewer Console.
* Accept: Median approval time <48h; false-reject rate <3%.
### 3.2 eCitizenship Workflow (elevated assurance)
* Eligibility: tenure as eResident, sponsorship, service merit, oath ceremony (digital).
* Additional checks: video interview, multi-source corroboration, background attestations.
* Issuance: eCitizen VC (higher LOA), qualified e-signature capability, digital heraldry/insignia.
* Deliverable: eCitizenship Portal v1 + Ceremony Module.
* Accept: Chain-of-custody logs complete; ceremony audit trail immutable.
### 3.3 Appeals & Ombuds
* Build case management, independent panel roster, timelines, remedy types.
* Deliverable: Appeals System + Public Register of Decisions (redacted).
* Accept: Two mock cases resolved end-to-end.
---
## Phase 4 — Services Layer & Interoperability (68 weeks)
### 4.1 Qualified e-Signatures & Notarial
* Implement signature flows (advanced/qualified), timestamping authority (TSA), document registry hashes.
* Deliverable: Signature Service + Notarial Policy.
* Accept: External relying party verifies signatures without DSB assistance.
### 4.2 Interop & Recognition
* Map to global standards (ISO/IEC 24760 identity; W3C VC/DID; ICAO Digital Travel Credentials roadmap; ETSI eIDAS profiles for cross-recognition where feasible).
* Deliverable: Interop Gateway + Conformance Reports.
* Accept: Successful cross-verification with at least 3 external ecosystems.
### 4.3 Membership & Services
* Roll out directories (opt-in), guilds/orders, dispute resolution forum, grant program, education/badging.
* Deliverable: Service Catalog live.
* Accept: ≥3 live services consumed by ≥20% of cohort.
---
## Phase 5 — Security, Audit, & Resilience (continuous; gate before GA)
### 5.1 Security
* Threat model (insider, phishing, bot farms, deepfakes), red team, bug bounty, key compromise drills, geo-redundant infra.
* Deliverable: Security Plan + PenTest Report + DR/BCP playbooks.
* Accept: RTO/RPO targets met in exercise.
### 5.2 Compliance & Audit
* Annual external audits for PKI and issuance, privacy audits, sanctions/KYC reviews, SOC2-style controls where applicable.
* Deliverable: Audit Pack.
* Accept: No critical findings outstanding.
### 5.3 Ethics & Human Rights
* Anti-discrimination tests, appeal transparency, proportionality guidelines.
* Deliverable: Human Rights Impact Assessment (HRIA).
* Accept: Board attestation.
---
## Phase 6 — Diplomacy & External Relations (parallel tracks)
### 6.1 Recognition Strategy
* Prioritize MOUs with NGOs, universities, chambers, standards bodies, and willing states for limited-purpose recognition (e.g., accepting DSB e-signatures or credentials).
* Deliverable: Recognition Dossier + Template MOU.
* Accept: ≥3 executed MOUs in Year 1.
### 6.2 Host-State Arrangements
* Negotiate data hosting safe harbors, registered offices (non-territorial), or cultural mission status to facilitate operations.
* Deliverable: Host Agreement Playbook.
* Accept: At least one host agreement finalized.
---
## Product & Engineering Backlog (cross-phase)
### Core Systems
* Member Registry (event-sourced), Credential Registry (revocation lists), Case/Appeals, Payments (if fees), Messaging & Ceremony.
### APIs/SDKs
* Issuance API, Verification API, Webhooks for status changes, Admin API with immutable audit logs.
### Integrations
* KYC providers (document, selfie liveness), sanctions screening, HSM/KMS, email/SMS gateways.
### UX
* Application flows ≤10 minutes, save/resume, accessibility AA+, multilingual, oath UX.
### Observability
* Metrics: time-to-issue, approval rates, fraud rate, credential use rate, verifier NPS.
---
## Distinguishing eResidency vs eCitizenship (policy knobs)
### Assurance
* **eResidency**: LOA 12
* **eCitizenship**: LOA 23
### Rights
* **eResident**: Use DSB digital ID, signatures, services
* **eCitizen**: Governance vote, public offices, honors, diplomatic corps (as policy allows)
### Duties
* **eCitizen**: Oath; possible service contribution/hour benchmarks
### Fees
* **eResidency**: Lower, subscription-like
* **eCitizenship**: One-time plus renewal/continuing good standing
### Revocation
* Graduated sanctions; transparent registry
---
## Acceptance Metrics (90-day MVP)
* 95% issuance uptime; <48h median eResidency decision
* <0.5% confirmed fraud after adjudication
* ≥2 independent external verifiers using the SDK
* First recognition MOU executed
* Public policy corpus published and versioned
---
## Minimal Document Set (ready-to-draft list)
* Charter & Statute Book
* TFP (Trust Framework Policy)
* CP/CPS (Certificate Policy/Practice Statements)
* KYC/AML SOP
* Privacy Pack (DPIA, DPA templates)
* Security Plan
* HRIA (Human Rights Impact Assessment)
* Benefits & SLA Catalog
* Ceremony & Oath Script
* Appeals Rules
* Recognition MOU Template
* Host-State Playbook
---
## RACI Snapshot (who does what)
* **Founding Council**: Approves Charter, Statutes, Recognition targets
* **Chancellor (Policy Lead)**: Owns legal/policy stack, diplomacy
* **CIO/CISO**: Owns PKI, security, audits
* **CTO/Eng**: Platforms, wallets, APIs, issuance & verification
* **Registrar**: Operations, case management, ceremonies
* **Ombuds Panel**: Appeals & remedies
* **External Counsel/Auditors**: Opinions, audits, certifications
---
## Implementation Priority
### Immediate (Phase 0-1)
1. Draft DSB Charter
2. Legal & Risk Framework
3. Trust Framework Policy
4. Constitutional Instruments
5. Privacy & Data Governance
### Short-term (Phase 2-3)
1. Identifier Strategy
2. Credential Schemas
3. PKI Infrastructure
4. eResidency Workflow
5. eCitizenship Workflow
### Medium-term (Phase 4-5)
1. Qualified e-Signatures
2. Interoperability
3. Security & Compliance
4. Services Layer
### Long-term (Phase 6)
1. Recognition Strategy
2. Host-State Arrangements
3. External Relations
---
## Integration with The Order
This task map integrates with The Order's existing systems:
* **Identity Service**: Extends credential issuance for eResidency and eCitizenship
* **Database Package**: Member registry, credential registry, case management
* **Auth Package**: Enhanced authentication and authorization for membership classes
* **Workflows Package**: Application workflows, appeals, ceremonies
* **Notifications Package**: Application status, ceremony invitations, renewal reminders
* **Compliance Package**: KYC/AML, sanctions screening, risk scoring