- From: Jori Lehtinen <lehtinenjori03@gmail.com>
- Date: Mon, 6 Oct 2025 22:14:12 +0300
- To: Manu Sporny <msporny@digitalbazaar.com>
- Cc: public-credentials@w3.org
- Message-ID: <CAA6zkAuXt8o7KjdJAknxj+Zu7_2C80VnGUbGWMMxTA4X8+XWPg@mail.gmail.com>
Hi Manu,

Awesome to hear I’ve reached the right people!

1. Regarding your first question: how can the verifier tell if a state-issued eID value was actually used, in zero knowledge?

You’re absolutely right, that’s currently the missing link. Conceptually, AWA behaves almost exactly like the BBS credential-bound pseudonym model you’re working on. In AWA terms, the parameters would be:

    nym_domain = verifierTopDomain
    nym_secret = masterSub

and the derived pseudonyms are essentially computed as SHA-256(nym_domain, nym_secret).

What’s missing, as you pointed out, is the verifier’s ability to confirm that the pseudonym was actually derived from a valid, state-issued seed (masterSub). My current thinking is that the eID provider should issue not only the seed but also a separate signature or blinded proof that can be independently verified via the eID provider’s standard verification endpoint.

The main issue is that such a signature proves the issuer’s participation, but not that the presented pseudonym is mathematically derived from the same seed. So the only realistic way forward is to introduce blinding directly at the eID level, meaning the eID provider would issue both a seed and a blinded seed. The blinded version could later be used by a verifier to check that a legitimate “proof-of-person” seed exists by performing a simple deterministic verification such as:

    unblindSeed(blindedSeed)
    → checkSeedDb(unblindedSeed)
    → compute SHA256(unblindedSeed, allegedVerifierDomain)
    → checkMatch(allegedPairwiseSub, computedPairwiseSub)
    → if match, return ok.

This would allow the verifier to confirm, in zero knowledge, that the pseudonym is derived from a real, eID-issued seed without revealing or linking the underlying identity.

It’s not fully clear yet... I need to review the full BBS specification and CFRG pseudonym signature methods to determine the cleanest, standard-compliant way to express this construction.

------------------------------

2. Regarding the national boundary question: the system can, in fact, operate globally. Each verifier or relying party would simply rely on the user’s national eID provider for personhood verification.

What I meant in the README is that the personhood seed itself is never shared in plaintext across borders, to avoid cross-jurisdictional surveillance. The user’s national authority manages it securely, and if nationality changes, the seed can be migrated. Global interoperability is therefore possible, but without cross-border exposure of raw identity-tied material.

------------------------------

And yes, I’d really love to hear ideas from you and the group. Eventually, I’d like to see this evolve into a pseudonymous, pairwise, cross-device, cross-time consistent proof-of-personhood standard, something that can be tied to a database encrypted with data only this personhood proven authenticated pseudonym can use or an encrypted token whose issuance was authorized by the user can work as a way for other pseudonyms to read and write the database or shard or row or well you get it...

The goal is full data sovereignty and a web where even zero-knowledge services that don’t know who their users are can still exchange data safely and privately with good UX.

Honestly, I want this to exist before building any other software products, because what’s the point of creating new web services if they don’t respect privacy, and what’s the point of anti-abuse systems that keep fighting symptoms instead of fixing identity itself?

Best regards,
Jori Lehtinen

Mon 6.10.2025 at 16.19 Manu Sporny (msporny@digitalbazaar.com) wrote:

> On Mon, Oct 6, 2025 at 2:53 AM Jori Lehtinen <lehtinenjori03@gmail.com>
> wrote:
> > AWA is an open, web-native pseudonymous authentication model
>
> Hi Jori, thanks for the work you're doing on AWA and wanting to move
> the Web toward the future that you mentioned above. There are many of
> us on this list that are attempting to do the same, so you're in good
> company. :)
>
> > A full description of a possible protocol can be found in the READ ME.
> (IT'S PRETTY DARN GOOD)
>
> I read it quickly, so might have missed a few things. It reminds me of
> the BBS work we're doing with pseudonyms:
>
> https://www.w3.org/TR/vc-di-bbs/#credential-bound-pseudonyms
>
> What I can't tell from your write up is how the RP (we call it a
> Verifier) can tell if a state's eID value was used or not. How do you
> do that in zero knowledge?
>
> You also say that the solution can only be used inside a national
> boundary, which would work against sybil attacks inside the national
> boundary, but proof of personhood often goes beyond national
> boundaries -- how do you solve for that?
>
> -- manu
>
> --
> Manu Sporny - https://www.linkedin.com/in/manusporny/
> Founder/CEO - Digital Bazaar, Inc.
> https://www.digitalbazaar.com/
>
Received on Monday, 6 October 2025 19:17:23 UTC
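
The pairwise derivation and the deterministic check described in the message above, as a runnable sketch added to this archive page; it is not AWA's code and not part of the original email. The message leaves the blinding scheme open, so the keyed pad and tag used here are a constructed stand-in, and the names `pairwise_sub` and `EidProvider`, the length-prefixed hash input, and running the check at the eID provider are assumptions.

```python
import hashlib
import hmac
import secrets

def pairwise_sub(master_sub: bytes, verifier_domain: str) -> str:
    """SHA-256 over (nym_domain, nym_secret); length prefixes keep the fields unambiguous."""
    h = hashlib.sha256()
    for field in (verifier_domain.encode(), master_sub):
        h.update(len(field).to_bytes(4, "big") + field)
    return h.hexdigest()

class EidProvider:
    """Hypothetical eID provider: issues seeds and runs the deterministic check."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # provider-only blinding key
        self._seed_db = set()                # seeds issued to verified persons

    def _mac(self, label: bytes, data: bytes) -> bytes:
        return hmac.new(self._key, label + data, hashlib.sha256).digest()

    def issue(self):
        """Return (seed, blinded_seed). Blinding here is a constructed stand-in."""
        seed, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        self._seed_db.add(seed)
        body = bytes(a ^ b for a, b in zip(seed, self._mac(b"pad", nonce)))
        return seed, nonce + body + self._mac(b"tag", nonce + body)

    def _unblind(self, blob: bytes):
        if len(blob) != 80:
            return None
        nonce, body, tag = blob[:16], blob[16:48], blob[48:]
        if not hmac.compare_digest(tag, self._mac(b"tag", nonce + body)):
            return None  # tampered with, or not issued under this provider's key
        return bytes(a ^ b for a, b in zip(body, self._mac(b"pad", nonce)))

    def check(self, blinded_seed: bytes, alleged_domain: str, alleged_sub: str) -> bool:
        seed = self._unblind(blinded_seed)                 # unblindSeed
        if seed is None or seed not in self._seed_db:      # checkSeedDb
            return False
        computed = pairwise_sub(seed, alleged_domain)      # SHA-256 over seed and domain
        return hmac.compare_digest(computed.encode(), alleged_sub.encode())  # checkMatch

if __name__ == "__main__":
    provider = EidProvider()
    seed, blinded = provider.issue()
    sub = pairwise_sub(seed, "shop.example")   # constructed sample domain
    print(provider.check(blinded, "shop.example", sub))   # same domain
    print(provider.check(blinded, "forum.example", sub))  # other domain
```

In this sketch the party that unblinds handles the raw seed, which is why the check is placed at the provider's endpoint rather than at the verifier.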