- From: Jori Lehtinen <lehtinenjori03@gmail.com>
- Date: Sat, 8 Nov 2025 21:42:48 +0200
- To: Alan Karp <alanhkarp@gmail.com>
- Cc: Amir Hameed <amsaalegal@gmail.com>, public-credentials@w3.org
- Message-ID: <CAA6zkAs965Fa41=mGpYe6u-6-j+2iTuw91qfofJWM-hCcr39yw@mail.gmail.com>
Sure have and it no doubt solves that, but it’s not a web standard and isn’t accessible through any Web API, only as a third-party solution, and, as I understand it, Web Standards is what this mailing list is about.

On Sat, 8 Nov 2025 at 9:22 PM, Alan Karp <alanhkarp@gmail.com> wrote:

> Have you looked at https://self.xyz/ for Sybil resistance?
>
> --------------
> Alan Karp
>
> On Sat, Nov 8, 2025 at 10:41 AM Jori Lehtinen <lehtinenjori03@gmail.com> wrote:
>
>> Hi! It’s great that you’re building this, I assume it’s aimed at users
>> who prefer a passphrase-based system. Or I’d like to understand what
>> specific problem it solves, since WebAuthn passkeys already provide
>> passwordless strong authentication and zero-knowledge credential-bound key
>> derivation through the PRF extension.
>>
>> In my own projects, I’m implementing a usernameless WebAuthn flow where
>> multiple credential pseudonyms can be bound to a single in-service
>> pseudonym ID. I use the PRF to encrypt and then back up a random Master
>> Seed to the cloud. All user data is encrypted with this master key, which
>> is itself encrypted with the PRF extension result. You can attach as many
>> credentials as you want to an account, but data can only be read using a
>> key derived from the master seed decrypted by the credential-bound key.
>>
>> I consider this a complete zero-knowledge identity system, durable and
>> requiring no user action. The remaining challenge is Sybil resistance and
>> fraud prevention. That’s the last major problem to solve. I’d like to see
>> focus on how to make zero-knowledge systems respect service providers, by
>> preventing users from creating new passkey or passphrase-bound credentials
>> after each free-trial.
>>
>> This issue mainly affects services where users only consume content and
>> don’t care about losing account data, but it’s still significant. I’ve
>> previously suggested that national eID providers could help here. Another
>> option is to use verified, hard-to-acquire documents, such as passports or
>> personal IDs, integrated into the passkey registration flow via an
>> extension that requires proof of personhood through document or eID
>> signatures. This proof should be a verifiable credential, allowing
>> anonymous per-person business logic. After all, each new disposable account
>> costs the service provider resources, and by extension, the environment,
>> while also limiting a provider’s right to decide how much they give away
>> for free.
>>
>> On Sat, 8 Nov 2025 at 6:24 PM, Amir Hameed <amsaalegal@gmail.com> wrote:
>>
>>> Hello Everyone
>>>
>>> I'm excited to share a prototype from Sirraya Labs that addresses key
>>> adoption challenges we've been discussing in this group. We've been working
>>> on practical bridges between decentralized identity infrastructure and
>>> legacy web systems.
>>>
>>> Prototype Overview:
>>> Our platform focuses on usability and interoperability while maintaining
>>> security:
>>>
>>> - Key Management & Recovery: Implements a passphrase-based encrypted
>>>   key derivation system, providing familiar recovery mechanisms while
>>>   preserving user control
>>> - Standards-Based VC issuance: Full support for Verifiable Credentials
>>>   with JWT-VC format
>>> - Practical Authentication: Generates standards-compliant JWT tokens
>>>   for immediate integration with existing session management and
>>>   authentication systems
>>> - Web Technology Bridge: Designed specifically to help legacy systems
>>>   gradually adopt decentralized identity patterns
>>>
>>> Technical Approach:
>>>
>>> - Client-side key generation with passphrase-based encryption
>>> - Support for did:key and did:web methods initially
>>> - JWT-VC issuance and verification pipeline
>>> - RESTful APIs for easy integration
>>>
>>> We're particularly interested in feedback on our approach to key
>>> recovery and the JWT bridging pattern, as we believe these are critical for
>>> mainstream adoption.
>>>
>>> The prototype is live at: https://one.sirraya.org
>>>
>>> We'd appreciate any technical feedback, security considerations, or
>>> interoperability thoughts from this group. We're also keen to collaborate
>>> on use cases and standardization efforts.
>>>
>>> Looking forward to the discussion.
>>>
>>> Best regards,
>>>
>>> Amir Hameed Mir
>>>
>>> Founder, Sirraya Labs

Received on Saturday, 8 November 2025 19:43:04 UTC
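
The key hierarchy described in the quoted message above (one random master seed, wrapped separately under each credential's PRF-derived key, with the data key derived from the seed), as an added example that is not part of the thread or any participant's code. It uses Node's `crypto` module rather than a browser; the HKDF labels, record layout, function names and the random bytes standing in for WebAuthn PRF results are assumptions.

```javascript
// Added illustration: names, HKDF labels and record layout are assumptions.
const nodeCrypto = require('node:crypto');

// HKDF-SHA-256 to a 256-bit key; returns a Buffer.
function hkdf(ikm, salt, info) {
  return Buffer.from(nodeCrypto.hkdfSync('sha256', ikm, salt, info, 32));
}

// AES-256-GCM; aad binds a ciphertext to its context (e.g. the credential ID).
function seal(key, plaintext, aad) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function open(key, box, aad) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAAD(aad);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]); // final() throws on a bad tag
}

// Wrap the seed under one credential's PRF output; the record is what gets backed up.
function enroll(masterSeed, credentialId, prfOutput) {
  const salt = nodeCrypto.randomBytes(16);
  const box = seal(hkdf(prfOutput, salt, 'seed-wrap'), masterSeed, Buffer.from(credentialId));
  return { credentialId, salt, box };
}

function recoverSeed(record, prfOutput) {
  const key = hkdf(prfOutput, record.salt, 'seed-wrap');
  return open(key, record.box, Buffer.from(record.credentialId));
}

function demo() {
  const seed = nodeCrypto.randomBytes(32);
  const prfA = nodeCrypto.randomBytes(32), prfB = nodeCrypto.randomBytes(32); // constructed PRF stand-ins
  const recA = enroll(seed, 'cred-A', prfA);
  const dataKey = hkdf(seed, Buffer.alloc(0), 'user-data');
  const note = seal(dataKey, Buffer.from('user note'), Buffer.from('note'));
  // Attaching a second credential: unlock with A, re-wrap the same seed for B.
  const recB = enroll(recoverSeed(recA, prfA), 'cred-B', prfB);
  const keyViaB = hkdf(recoverSeed(recB, prfB), Buffer.alloc(0), 'user-data');
  let wrongPrfRejected = false;
  try { recoverSeed(recA, prfB); } catch { wrongPrfRejected = true; }
  return { viaB: open(keyViaB, note, Buffer.from('note')).toString(), wrongPrfRejected };
}
```

Because every credential wraps the same seed, removing one credential's record does not require re-encrypting user data, and a stored record moved under a different credential ID fails the GCM tag check.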