The 'donau' URI scheme for validation of Donau donation statements.

This document defines the 'donau' Uniform Resource Identifier (URI) scheme for triggering interactions with Donau validators.

A 'donau' URI always instructs a Donau validator to perform the validation of a Donau donation statement. A 'donau' URI consists of the reference to the authority that signed the statement, an identifier for the specific taxpayer, the year of the donation, a salt and optional parameters. Optional parameters include the amount donated by the taxpayer and the signature of the Donau donation statement.

The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

This document uses the Augmented Backus-Naur Form (ABNF) of .

The base of a Donau URI refers to the base URL of the Donau REST API. It consists of the network location (host name or IP address) and MAY include additional path segments (for example, https://admin.ch/taxes/donau/) mapping to the Donau deployment behind reverse proxies. Validators MUST NOT assume a specific domain naming scheme (such as donau.example) and MUST accept bases with or without additional path components. The year of a Donau URI referes to the year when the donations have been done. The taxid of a Donau URI referes to the taxid of the person that did the donations and asks for their Donau donation statement to be verified. The format of the taxid is specific for each tax authority. The taxid is conveyed in the URI as a single path segment using percent-encoding per . Implementations MUST decode taxid-enc by applying percent-decoding to obtain the exact UTF-8 bytes of the tax identifier before any processing. In particular, the character '/' MUST be percent-encoded as %2F if present in a tax identifier. The salt of a Donau URI referes to the information used by the Donau-wallet application to generate the Donau donation statement. This salt is specific for each wallet, allowing a taxpayer to have many Donau donation statements for the same year that should be treated as cummulative by the validator application. The salt can also be used to obfuscate the taxpayer ID in the donation protocol. The total follows the syntax from and represents the total amount donated in this year by the given taxpayer with the given salt. Thus, given multiple 'donau' URIs with the same salt, the maximum amount should be used, while the amounts from 'donau' URIs with different salts should be added. Parsing note: A Donau validator MUST parse a Donau URI by taking the last three path segments as {year}/{taxid-enc}/{salt}, and treat all preceding path segments (plus the authority) as the base. This ensures that bases with additional path components are unambiguous even when tax identifiers contain reserved characters that are percent-encoded. Finally, algo specifies the specific signature algorithm used; for now, only ED25519 (see ) is supported. The signature using the specified algorithm must be made over the information above (see ) and MUST be encoded using the Base 32 U Crockford encoding scheme . The default operation of applications that invoke a URI with the Donau scheme MUST be to launch a Donau validator (if available). If no Donau validator is available, an application SHOULD show a QR code with the content of the URI. If multiple Donau validators are registered, the user SHOULD be able to choose which application to launch. This allows users with multiple validators to choose which validator to perform the operation with. An application SHOULD allow dereferencing a "donau://" URI even if the action of that URI is not registered in the "Donau URI Actions" sub-registry. Donau-validators seeing a "donau://" URI MUST use HTTP over TLS when talking to the respective network service. Donau-validators seeing a "donau+http://" URI MUST use HTTP without TLS when talking to the respective network service. Donau-validators SHOULD support "donau+http://"-URIs only when run in developer or debug mode. Validators would contact the base to obtain the public key used for the signature. The base origin SHOULD also be shown to the user to indicate which authority issued the proof of donation. Alternatively, specific validation apps MAY only accept 'donau' URLs from a specific set of hard-coded authorities and simply display an error message when given 'donau' URLs from other authorities.

The verification requires the Donau verification application to test if a given taxpayer has got the right to be granted a tax reduction. For doing this, the Donau verification application must verify that the Donau-URI corresponds to a valid Donau donation statement. The Donau verification application MUST verify the validity of the donation statement. There are two possibilities: signature and total are available, or at least one is not available. If signature and total are available, then the verification application will verify that the signature is valid for the server key (see to get the key). If both are missing, the application MUST download them from the get donation statement endpoint .

The verification app MUST have a signing public key corresponding to the base for the given year. The key MAY be retrieved from a cache. If no key for this base and this year is available in the cache, the verification app MUST download the key from the base. The Donau server MUST provide the key at the /keys entrypoint. If the key is not available, no verification can take place. The verification app SHOULD cache downloaded signing public keys for the current year. Endpoint: /keys Method: GET Syntax: base/keys Syntax response: defined hereunder Contact: N/A References: [this.I-D] Each of the "signkeys" is valid between "stamp_start" and "stamp_expire" and the public "key" returned is encoded using Base 32 U Crockford encoding . Example, a response to a GET request to the /key/ endpoint.

If the Donau-URI does not contain the total or the signature, the verification app MUST download them from the /donation-statement/ endpoint of the base.
The verification app will compute the donor hash H using SHA-512 over the exact UTF-8 bytes of the taxpayer ID string, followed by a single NUL byte (0x00), followed by the salt string, followed by a final NUL byte (0x00): H = SHA-512(taxid || 0x00 || salt || 0x00). Here, taxid is the UTF-8 string obtained by percent-decoding the taxid-enc path segment. This produces the hash-donor-id. The verification app will contact the base in the endpoint /donation-statement with the year and the hash-donor-id. The hash-donor-id must be encoded using Base 32 U Crockford encoding . Endpoint: /donation-statement Method: GET Syntax: base/donation-statement/{year}/{hash-donor-id} Contact: N/A References: [this.I-D] Servers implementing the donation-statement endpoint MUST respect the following syntax; all three fields (total-field, sig-field, pub-field) MUST be included. The amount is a string formed first of the currency (in capital letters) then ":" and then the value (can be an integer or a decimal number). Example of an element of USD 100.00 :

The verification app MUST verify that the signature corresponds to the claimed values. If the information is not in the URI, the verification app MUST download the total and the signature from the base using the GET /donation-statement/ endpoint . Otherwise, it SHOULD use the value given in the URI. The verification of the signature is done using EdDSA as specified in . The verification MAY be done with the following instructions. The signed data is the concatenation of the following fields in network byte order (big-endian):

size (4 bytes): 32-bit unsigned integer with the total length of the signed data in bytes.
purpose (4 bytes): 32-bit unsigned integer with the constant value 1500.
total value (8 bytes): integer part as an unsigned 64-bit integer.
total fraction (4 bytes): fractional part as an unsigned 32-bit integer in units of 1/100000000.
currency (12 bytes): ASCII, left-aligned and zero-padded to 12 bytes.
donor hash H (64 bytes): H = SHA-512( UTF-8(taxid) || 0x00 || UTF-8(salt) || 0x00 ).
year (4 bytes): 32-bit unsigned integer (the donation year).

The server signing the donation statement MUST use the Sign(d,message) procedure implemented as defined in .

The signature over the public key covers a 32-bit pseudo header conceptually prefixed to the EXPIRATION and BDATA fields. The wire format is illustrated in .

The Wire Format Used for Creating the Signature of the RRBLOCK 0 8 16 24 32 40 48 56 +-----+-----+-----+-----+-----+-----+-----+-----+ | SIZE | PURPOSE (1500) | +-----+-----+-----+-----+-----+-----+-----+-----+ | TOTAL value | +-----+-----+-----+-----+-----+-----+-----+-----+ | TOTAL fraction | CURRENCY | +-----+-----+-----+-----+ + | | +-----+-----+-----+-----+-----+-----+-----+-----+ | SHA512 of the donor ID | / / / / +-----+-----+-----+-----+-----+-----+-----+-----+ | YEAR | +-----+-----+-----+-----+

SIZE:: A 32-bit value containing the length of the signed data in bytes in network byte order.
PURPOSE:: A 32-bit signature purpose flag in network byte order. The value of this field MUST be 1500. It defines the context in which the signature is created so that it cannot be reused in other parts of the protocol that might include possible future extensions. The value of this field corresponds to an entry in the GANA "GNUnet Signature Purposes" registry .
TOTAL value:: The integer part of the total value. Unsigned integer containing the integer part of the value for the total. It is represented on 64 bits value (in big endian),
TOTAL fraction:: The fractional part of the total value is represented by an unsigned integer on 32 bits (also in big endian notation). It represents the fractional part of the value in 1/100000000th of the base unit.
TOTAL currency: A string representing the currency. ASCII, left-aligned and zero-padded to exactly 12 bytes.
HASH:: The SHA512 hash code for the donor ID.
YEAR:: The year on a 32 bit unsigned integer in big endian.

The signature verification step is taking the data presented in the figure as input. Signature MUST be verified using the EdDSA scheme described in the procedure is Verify(zk,message,signature). Public key and signature are given encoded in Base 32 U Crockford MUST first be decoded to get a binary out of it. The Sign(d,message) and Verify(zk,message,signature) procedures MUST be implemented as defined in .

All binary data MUST be encoded to be transmitted. For encoding, one MUST use the Base32 U Crockford encoding. This is a variation of the base32 encoding . This encoding is presented in details in the appendix of the RFC for GNU Name System The encoding works similarly to the standard, but uses another Base 32 Alphabet. The new alphabet is given in the Table , below.

To prevent optical character reading (OCR) problems, a system decoding binary data encoded with base 32 U Crockford MUST accept the codes presented in the Table , below. System reading a U MUST evaluate it as a V.

This appendix shows how to verify a donation statement starting from a received URI. Public key is fetched from the Donau base.

Verification steps: Input (URI):
donau://donau.test.taler.net/2025/123%2F456%2F789/AWNFDRFT0WX45W4Y32A9DJA03S1EF66GFQZ9EV5EF9JTHWZ37WR0?total=TESTKUDOS:1&sig=ED25519:B14WGS43FFPEB8JMSR6W1H8M6KH9AV33JFH376R6PM2MNH4GR24FP1C93C4ZPDG21W5WY4SASZQ4CRS427F4WJZJFZMQ5Y4HZNXGY30 Parse fields:
- base: donau.test.taler.net
- year: 2025 (4 digits)
- taxid-enc: 123%2F456%2F789
- taxid (UTF-8, percent-decoded, no trimming): 123/456/789
- salt (ASCII): AWNFDRFT0WX45W4Y32A9DJA03S1EF66GFQZ9EV5EF9JTHWZ37WR0
- total (amount string): TESTKUDOS:1
- sig (Crockford Base32, algorithm ED25519): B14WGS...XGY30 Public signing key (Crockford Base32) (from /keys):
2FRN2CAK9DMDWE157W6HY97RAVSP0ZCCC08X9N6JD2MK7413XXZG Donor hash H = SHA-512( UTF-8(taxid) || 0x00 || UTF-8(salt) || 0x00 ):
- length: 64 bytes
- hex:
4aaa1e16fc5be44842b863b1f17da39296ca7b3529a720e11aba9c8bd729f7a1e2bb0b9a39c02d271da5dd15aea66ce95be78bcaf380de19a0bdbcd8a7938f1b
- Crockford Base32 (for HTTP endpoints):
9AN1W5QWBFJ4GGNRCERZ2ZD3JABCMYSN56KJ1R8TQAE8QNS9YYGY5ERBK8WW0B973PJXT5DEMSPEJPZ7HF5F706Y36GBVF6RMY9RY6R Amount encoding (TALER_AmountNBO):
- currency (12 bytes): "TESTKUDOS" then 0x00 x 3
- value (uint64 BE): 1 -> 0x0000000000000001
- fraction (uint32 BE): 0 -> 0x00000000 Signed message M layout (network byte order, total 100 bytes):
- [0000..0003] 4 bytes size: 0x00000064
- [0004..0007] 4 bytes purpose: 0x000005DC (1500)
- [0008..0015] 8 bytes amount.value: 0x0000000000000001
- [0016..0019] 4 bytes amount.fraction: 0x00000000
- [0020..0031] 12 bytes amount.currency: 54 45 53 54 4b 55 44 4f 53 00 00 00 ("TESTKUDOS\x00\x00\x00")
- [0032..0095] 64 bytes i.hash: donor hash H
- [0096..0099] 4 bytes year: 0x000007E9 (2025) Message M (hex, 100 bytes):
00000064 000005dc 0000000000000001 00000000 544553544b55444f53000000 4aaa1e16fc5be44842b863b1f17da39296ca7b3529a720e11aba9c8bd729f7a1e2bb0b9a39c02d271da5dd15aea66ce95be78bcaf380de19a0bdbcd8a7938f1b 000007e9 Signature (ED25519, Crockford Base32 -> bytes):
- length: 64 bytes
- R (first 32 bytes, hex):
5849c864837bece5a254ce0dc0c51434e2956c6393e2339b06b5054ac490c088
- S (last 32 bytes, hex):
fb05891b09fb36020f0bcf132acfee46632411de4e4bf27fe972f891fd7b0f0c Public key (Ed25519, Crockford Base32 -> bytes):
- length: 32 bytes
- hex:
13f15131534b68de38253f0d1f24f856f3607d8c6011d4d4d268a9339023ef7f Verification (expected): call crypto_sign_verify_detached(sig, M, 100, pubkey). The result MUST indicate a valid signature for this vector. Negative check (optional): flip one bit of M or sig and repeat; verification MUST fail.