Re: Sirraya One: A Web based platform to create DID and Issue VCs

Hi! It’s great that you’re building this. I assume it’s aimed at users who
prefer a passphrase-based system. Or I’d like to understand what specific
problem it solves, since WebAuthn passkeys already provide passwordless
strong authentication and zero-knowledge credential-bound key derivation
through the PRF extension.


In my own projects, I’m implementing a usernameless WebAuthn flow where
multiple credential pseudonyms can be bound to a single in-service
pseudonym ID. I use the PRF to encrypt and then back up a random Master
Seed to the cloud. All user data is encrypted with this master key, which
is itself encrypted with the PRF extension result. You can attach as many
credentials as you want to an account, but data can only be read using a
key derived from the master seed decrypted by the credential-bound key.


I consider this a complete zero-knowledge identity system, durable and
requiring no user action. The remaining challenge is Sybil resistance and
fraud prevention. That’s the last major problem to solve. I’d like to see
focus on how to make zero-knowledge systems respect service providers, by
preventing users from creating new passkey or passphrase-bound credentials
after each free trial.


This issue mainly affects services where users only consume content and
don’t care about losing account data, but it’s still significant. I’ve
previously suggested that national eID providers could help here. Another
option is to use verified, hard-to-acquire documents, such as passports or
personal IDs, integrated into the passkey registration flow via an
extension that requires proof of personhood through document or eID
signatures. This proof should be a verifiable credential, allowing
anonymous per-person business logic. After all, each new disposable account
costs the service provider resources, and by extension, the environment,
while also limiting a provider’s right to decide how much they give away
for free.

On Sat, 8 Nov 2025 at 6:24 PM, Amir Hameed <amsaalegal@gmail.com> wrote:

> Hello Everyone
>
> I'm excited to share a prototype from Sirraya Labs that addresses key
> adoption challenges we've been discussing in this group. We've been working
> on practical bridges between decentralized identity infrastructure and
> legacy web systems.
>
> Prototype Overview:
> Our platform focuses on usability and interoperability while maintaining
> security:
>
> - Key Management & Recovery: Implements a passphrase-based encrypted key
>   derivation system, providing familiar recovery mechanisms while preserving
>   user control
> - Standards-Based VC issuance: Full support for Verifiable Credentials
>   with JWT-VC format
> - Practical Authentication: Generates standards-compliant JWT tokens for
>   immediate integration with existing session management and authentication
>   systems
> - Web Technology Bridge: Designed specifically to help legacy systems
>   gradually adopt decentralized identity patterns
>
> Technical Approach:
>
> - Client-side key generation with passphrase-based encryption
> - Support for did:key and did:web methods initially
> - JWT-VC issuance and verification pipeline
> - RESTful APIs for easy integration
>
> We're particularly interested in feedback on our approach to key recovery
> and the JWT bridging pattern, as we believe these are critical for
> mainstream adoption.
>
> The prototype is live at: https://one.sirraya.org
>
> We'd appreciate any technical feedback, security considerations, or
> interoperability thoughts from this group. We're also keen to collaborate
> on use cases and standardization efforts.
>
> Looking forward to the discussion.
>
> Best regards,
>
> Amir Hameed Mir
>
> Founder, Sirraya Labs
>

Received on Saturday, 8 November 2025 18:38:24 UTC
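
The key hierarchy described in the reply above (each credential's PRF result wraps one random master seed, and data keys derive from that seed), as an added Node.js sketch that is not code from either poster. The HKDF labels, the AES-GCM choice, the credential-id binding and all function names are assumptions, and random bytes stand in for the WebAuthn PRF extension result.

```javascript
// Added illustration, not code from this thread. HKDF labels, the AAD binding
// and all names are assumptions; random bytes stand in for WebAuthn PRF results.
const nodeCrypto = require('node:crypto');

// HKDF-SHA-256 to a 32-byte key; `info` separates wrapping keys from data keys.
function hkdf(ikm, info) {
  return Buffer.from(nodeCrypto.hkdfSync('sha256', ikm, Buffer.alloc(0), info, 32));
}

// Encrypt the master seed under a key derived from one credential's PRF output.
function wrapSeed(prfOutput, masterSeed, credentialId) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', hkdf(prfOutput, 'example/seed-wrap/v1'), iv);
  c.setAAD(Buffer.from(credentialId)); // ties the blob to its credential id
  const ct = Buffer.concat([c.update(masterSeed), c.final()]);
  return { credentialId, iv, ct, tag: c.getAuthTag() };
}

// Returns the seed, or null when the PRF output or credential id does not match.
function unwrapSeed(prfOutput, blob) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', hkdf(prfOutput, 'example/seed-wrap/v1'), blob.iv);
  d.setAAD(Buffer.from(blob.credentialId));
  d.setAuthTag(blob.tag);
  try {
    return Buffer.concat([d.update(blob.ct), d.final()]);
  } catch {
    return null; // GCM tag check failed
  }
}

// User data is encrypted with a key derived from the seed, never with a PRF key.
function dataKey(masterSeed) {
  return hkdf(masterSeed, 'example/user-data/v1');
}

// Constructed run: two credentials on one account, one shared master seed.
function demo() {
  const masterSeed = nodeCrypto.randomBytes(32);
  const prfA = nodeCrypto.randomBytes(32); // stand-in for credential A's PRF result
  const prfB = nodeCrypto.randomBytes(32); // stand-in for credential B's PRF result
  const backup = [wrapSeed(prfA, masterSeed, 'cred-A'), wrapSeed(prfB, masterSeed, 'cred-B')];
  const viaA = unwrapSeed(prfA, backup[0]);
  const viaB = unwrapSeed(prfB, backup[1]);
  return {
    sameDataKey: dataKey(viaA).equals(dataKey(viaB)) && dataKey(viaA).equals(dataKey(masterSeed)),
    wrongCredential: unwrapSeed(prfA, backup[1]), // A's PRF cannot open B's blob
    relabelled: unwrapSeed(prfB, { ...backup[1], credentialId: 'cred-A' }),
  };
}
```

Only the wrapped blobs would be stored server-side in this sketch; adding a credential means wrapping the same seed once more, and removing one means deleting its blob.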