- From: Alan Karp <alanhkarp@gmail.com>
- Date: Sat, 8 Nov 2025 11:22:05 -0800
- To: Jori Lehtinen <lehtinenjori03@gmail.com>
- Cc: Amir Hameed <amsaalegal@gmail.com>, public-credentials@w3.org
- Message-ID: <CANpA1Z00wbwg8QLM_+teAid+NB7-da7pcTXMRMbU6ESXW3KGbw@mail.gmail.com>
Have you looked at https://self.xyz/ for Sybil resistance?

--------------
Alan Karp

On Sat, Nov 8, 2025 at 10:41 AM Jori Lehtinen <lehtinenjori03@gmail.com> wrote:

> Hi! It’s great that you’re building this, I assume it’s aimed at users who
> prefer a passphrase-based system. Or I’d like to understand what specific
> problem it solves, since WebAuthn passkeys already provide passwordless
> strong authentication and zero-knowledge credential-bound key derivation
> through the PRF extension.
>
> In my own projects, I’m implementing a usernameless WebAuthn flow where
> multiple credential pseudonyms can be bound to a single in-service
> pseudonym ID. I use the PRF to encrypt and then back up a random Master
> Seed to the cloud. All user data is encrypted with this master key, which
> is itself encrypted with the prf extension result. You can attach as many
> credentials as you want to an account, but data can only be read using a
> key derived from the master seed decrypted by the credential-bound key.
>
> I consider this a complete zero-knowledge identity system, durable and
> requiring no user action. The remaining challenge is Sybil resistance and
> fraud prevention. That’s the last major problem to solve. I’d like to see
> focus on how to make zero-knowledge systems respect service providers, by
> preventing users from creating new passkey or passphrase-bound credentials
> after each free-trial.
>
> This issue mainly affects services where users only consume content and
> don’t care about losing account data, but it’s still significant. I’ve
> previously suggested that national eID providers could help here. Another
> option is to use verified, hard-to-acquire documents, such as passports or
> personal IDs, integrated into the passkey registration flow via an
> extension that requires proof of personhood through document or eID
> signatures. This proof should be a verifiable credential, allowing
> anonymous per-person business logic. After all, each new disposable account
> costs the service provider resources, and by extension, the environment,
> while also limiting a provider’s right to decide how much they give away
> for free.
>
> On Sat, 8.11.2025 at 6.24 PM, Amir Hameed <amsaalegal@gmail.com> wrote:
>
>> Hello Everyone
>>
>> I'm excited to share a prototype from Sirraya Labs that addresses key
>> adoption challenges we've been discussing in this group. We've been working
>> on practical bridges between decentralized identity infrastructure and
>> legacy web systems.
>>
>> Prototype Overview:
>> Our platform focuses on usability and interoperability while maintaining
>> security:
>>
>> - Key Management & Recovery: Implements a passphrase-based encrypted
>>   key derivation system, providing familiar recovery mechanisms while
>>   preserving user control
>> - Standards-Based VC issuance: Full support for Verifiable Credentials
>>   with JWT-VC format
>> - Practical Authentication: Generates standards-compliant JWT tokens
>>   for immediate integration with existing session management and
>>   authentication systems
>> - Web Technology Bridge: Designed specifically to help legacy systems
>>   gradually adopt decentralized identity patterns
>>
>> Technical Approach:
>>
>> - Client-side key generation with passphrase-based encryption
>> - Support for did:key and did:web methods initially
>> - JWT-VC issuance and verification pipeline
>> - RESTful APIs for easy integration
>>
>> We're particularly interested in feedback on our approach to key recovery
>> and the JWT bridging pattern, as we believe these are critical for
>> mainstream adoption.
>>
>> The prototype is live at: https://one.sirraya.org
>>
>> We'd appreciate any technical feedback, security considerations, or
>> interoperability thoughts from this group. We're also keen to collaborate
>> on use cases and standardization efforts.
>>
>> Looking forward to the discussion.
>>
>> Best regards,
>>
>> Amir Hameed Mir
>>
>> Founder, Sirraya Labs
Received on Saturday, 8 November 2025 19:22:21 UTC
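
The key layering described in the quoted message from Jori Lehtinen (one random master seed, wrapped separately under a key bound to each credential's PRF result, with user data encrypted under a key derived from the seed), as an added example that is not code from anyone in this thread. HKDF-SHA256, AES-256-GCM, the labels and every function name are assumptions made here, and the PRF results are simulated with random bytes because the real values come from a WebAuthn call in a browser.

```javascript
// Added example (Node.js): envelope encryption of one master seed under
// several credential-bound keys. Algorithms and names are assumptions.
const { hkdfSync, createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

// Derive a 256-bit key from keying material with a purpose label (HKDF-SHA256).
function deriveKey(ikm, label) {
  return Buffer.from(hkdfSync('sha256', ikm, Buffer.alloc(0), label, 32));
}

// AES-256-GCM with a fresh nonce; aad binds the ciphertext to its context.
function seal(key, plaintext, aad) {
  const iv = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// Throws if the key, the aad or the ciphertext does not match.
function open(key, box, aad) {
  const d = createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]);
}

// Wrap the seed for one credential; only this record goes to the cloud backup.
function wrapSeed(masterSeed, prfOutput, credentialId) {
  return { credentialId, ...seal(deriveKey(prfOutput, 'seed-wrap'), masterSeed, credentialId) };
}

function unwrapSeed(record, prfOutput) {
  return open(deriveKey(prfOutput, 'seed-wrap'), record, record.credentialId);
}

// Round trip: two credentials attached to one account, data read via the second.
function demo() {
  const masterSeed = randomBytes(32);
  const prfA = randomBytes(32), prfB = randomBytes(32); // constructed stand-ins for PRF results
  const backup = [wrapSeed(masterSeed, prfA, 'cred-A'), wrapSeed(masterSeed, prfB, 'cred-B')];
  const note = seal(deriveKey(masterSeed, 'user-data'), Buffer.from('private note'), 'note-1');
  const seedViaB = unwrapSeed(backup[1], prfB);
  const text = open(deriveKey(seedViaB, 'user-data'), note, 'note-1').toString();
  let crossOpen = true; // does credential B's PRF result open credential A's record?
  try { unwrapSeed(backup[0], prfB); } catch { crossOpen = false; }
  return { text, sameSeed: seedViaB.equals(masterSeed), crossOpen };
}
```

Attaching another credential means adding one more wrapped record to the backup; the user data is not re-encrypted, and removing a record withdraws that credential's ability to recover the seed from the backup.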