- From: Jori Lehtinen <lehtinenjori03@gmail.com>
- Date: Mon, 6 Oct 2025 22:59:27 +0300
- To: Manu Sporny <msporny@digitalbazaar.com>
- Cc: public-credentials@w3.org
- Message-ID: <CAA6zkAud77DMN_ObbGO92BnQsAFbJcS2jddP7KA-J1gLUahaPA@mail.gmail.com>
I’ve only been into web development for about ten months, and I came here mostly to seek help and guidance. I understand the direction conceptually, but I’d really appreciate advice on where to go from here, who to talk to, which working groups or initiatives might be most relevant, and how I could contribute in a meaningful way even as a newcomer. I’m genuinely passionate about this idea and willing to put in the time to learn whatever’s necessary to move it forward.

On Mon, 6 Oct 2025 at 22:14, Jori Lehtinen (lehtinenjori03@gmail.com) wrote:

> Hi Manu,
>
> Awesome to hear I’ve reached the right people!
>
> 1.
>
> Regarding your first question: how can the verifier tell if a state-issued eID value was actually used, in zero knowledge?
>
> You’re absolutely right, that’s currently the missing link. Conceptually, AWA behaves almost exactly like the BBS credential-bound pseudonym model you’re working on. In AWA terms, the parameters would be:
>
> nym_domain = verifierTopDomain
> nym_secret = masterSub
>
> and the derived pseudonyms are essentially computed as SHA-256(nym_domain, nym_secret).
>
> What’s missing, as you pointed out, is the verifier’s ability to confirm that the pseudonym was actually derived from a valid, state-issued seed (masterSub).
>
> My current thinking is that the eID provider should issue not only the seed but also a separate signature or blinded proof that can be independently verified via the eID provider’s standard verification endpoint.
>
> The main issue is that such a signature proves the issuer’s participation, but not that the presented pseudonym is mathematically derived from the same seed. So the only realistic way forward is to introduce blinding directly at the eID level, meaning the eID provider would issue both a seed and a blinded seed.
>
> The blinded version could later be used by a verifier to check that a legitimate “proof-of-person” seed exists by performing a simple deterministic verification such as:
>
> unblindSeed(blindedSeed) → checkSeedDb(unblindedSeed) → compute SHA256(unblindedSeed, allegedVerifierDomain) → checkMatch(allegedPairwiseSub, computedPairwiseSub) → if match, return ok.
>
> This would allow the verifier to confirm, in zero knowledge, that the pseudonym is derived from a real, eID-issued seed without revealing or linking the underlying identity.
>
> It’s not fully clear yet... I need to review the full BBS specification and CFRG pseudonym signature methods to determine the cleanest, standard-compliant way to express this construction.
>
> ------------------------------
>
> 2.
>
> Regarding the national boundary question: the system can, in fact, operate globally. Each verifier or relying party would simply rely on the user’s national eID provider for personhood verification.
>
> What I meant in the README is that the personhood seed itself is never shared in plaintext across borders, to avoid cross-jurisdictional surveillance. The user’s national authority manages it securely, and if nationality changes, the seed can be migrated. Global interoperability is therefore possible, but without cross-border exposure of raw identity-tied material.
>
> ------------------------------
>
> And yes, I’d really love to hear ideas from you and the group. Eventually, I’d like to see this evolve into a pseudonymous, pairwise, cross-device, cross-time consistent proof-of-personhood standard, something that can be tied to a database encrypted with data only this personhood-proven authenticated pseudonym can use, or an encrypted token whose issuance was authorized by the user can work as a way for other pseudonyms to read and write the database or shard or row or, well, you get it...
>
> The goal is full data sovereignty and a web where even zero-knowledge services that don’t know who their users are can still exchange data safely and privately with good UX.
>
> Honestly, I want this to exist before building any other software products, because what’s the point of creating new web services if they don’t respect privacy, and what’s the point of anti-abuse systems that keep fighting symptoms instead of fixing identity itself?
>
> Best regards,
> Jori Lehtinen
>
> On Mon, 6 Oct 2025 at 16:19, Manu Sporny (msporny@digitalbazaar.com) wrote:
>
>> On Mon, Oct 6, 2025 at 2:53 AM Jori Lehtinen <lehtinenjori03@gmail.com> wrote:
>> > AWA is an open, web-native pseudonymous authentication model
>>
>> Hi Jori, thanks for the work you're doing on AWA and wanting to move the Web toward the future that you mentioned above. There are many of us on this list that are attempting to do the same, so you're in good company. :)
>>
>> > A full description of a possible protocol can be found in the READ ME. (IT'S PRETTY DARN GOOD)
>>
>> I read it quickly, so might have missed a few things. It reminds me of the BBS work we're doing with pseudonyms:
>>
>> https://www.w3.org/TR/vc-di-bbs/#credential-bound-pseudonyms
>>
>> What I can't tell from your write-up is how the RP (we call it a Verifier) can tell if a state's eID value was used or not. How do you do that in zero knowledge?
>>
>> You also say that the solution can only be used inside a national boundary, which would work against Sybil attacks inside the national boundary, but proof of personhood often goes beyond national boundaries -- how do you solve for that?
>>
>> -- manu
>>
>> --
>> Manu Sporny - https://www.linkedin.com/in/manusporny/
>> Founder/CEO - Digital Bazaar, Inc.
>> https://www.digitalbazaar.com/
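The pairwise-pseudonym derivation (nym_domain = verifier top domain, nym_secret = masterSub, pseudonym = SHA-256 over both) and the checkSeedDb → compute → checkMatch verification flow that Jori's quoted message describes, as an added Python example that is not code from the AWA project or from anyone in the thread. It assumes a length-prefixed input encoding (the message fixes none) and a constructed seed, and it leaves out the unblindSeed step because the message says that blinding construction is still open.

```python
import hashlib
import hmac
import secrets

def encode_inputs(*parts: bytes) -> bytes:
    """Assumed encoding: length-prefix every field so bytes cannot be
    shifted between nym_domain and nym_secret to produce the same preimage."""
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)

def derive_pseudonym(nym_secret: bytes, nym_domain: str) -> str:
    """Pairwise pseudonym: same seed + same verifier domain gives the same
    value on every device; a different verifier domain gives an unrelated value."""
    return hashlib.sha256(encode_inputs(nym_domain.encode("utf-8"), nym_secret)).hexdigest()

def check_match(alleged_pairwise_sub: str, computed_pairwise_sub: str) -> bool:
    """The checkMatch step; constant-time so the comparison does not leak
    how many leading characters of a guessed pseudonym were right."""
    return hmac.compare_digest(alleged_pairwise_sub.encode(), computed_pairwise_sub.encode())

def verify_pairwise_sub(seed_db: set, seed: bytes, alleged_domain: str, alleged_sub: str) -> bool:
    """checkSeedDb(seed) -> compute SHA256(seed, allegedVerifierDomain) -> checkMatch.
    The seed is passed in directly: unblindSeed is not modelled here."""
    if seed not in seed_db:
        return False
    return check_match(alleged_sub, derive_pseudonym(seed, alleged_domain))

# Constructed data: one eID-issued seed registered in the provider's seed DB.
ISSUED_SEED = b"constructed-eid-seed-not-a-real-value-0001"
SEED_DB = {ISSUED_SEED}

def demo() -> dict:
    nym_a = derive_pseudonym(ISSUED_SEED, "example.org")
    nym_a_again = derive_pseudonym(ISSUED_SEED, "example.org")  # second device, same verifier
    nym_b = derive_pseudonym(ISSUED_SEED, "example.net")        # a different verifier
    unknown_seed = secrets.token_bytes(32)                      # never issued by the eID provider
    return {
        "consistent_per_verifier": nym_a == nym_a_again,
        "unlinkable_across_verifiers": nym_a != nym_b,
        "accepted": verify_pairwise_sub(SEED_DB, ISSUED_SEED, "example.org", nym_a),
        "rejected_wrong_domain": verify_pairwise_sub(SEED_DB, ISSUED_SEED, "example.net", nym_a),
        "rejected_unknown_seed": verify_pairwise_sub(SEED_DB, unknown_seed, "example.org", nym_a),
    }

if __name__ == "__main__":
    print(demo())
```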
Received on Monday, 6 October 2025 19:59:45 UTC