by bawolff 784 days ago
Key management & binding keys to identities is one of the hard problems in cryptography.

Cryptocurrency and friends really have no bearing on the problem. The known solutions are the same as they always were - web of trust, pki, tofu, pre-shared keys, or just give up and ignore the outside world. All have tradeoffs and are very far from satisfactory.

If you take a subpar solution and wrap it in 10 layers of cryptocurrency and magical thinking, you are just left with a complex version of the same subpar solution.


Yep. There is no silver bullet. All these systems are doing is increasing the areas where a vulnerability in logic can happen.
It must be tied to a person's biological features; I don't see any other way. Some kind of crypto-bio hash.
Even then you still have problems with revocation.

If someone steals my passport, I tell the gov and they cancel the old one. If someone steals your fingerprint, you are just screwed.

There are some systems that verify things like blood flow to ensure that the finger belongs to a live person instead of a cut-off hand. However then you end up having the problem of needing to trust hardware, which is fine for an iPhone unlock feature but not so fine for this magical decentralized web3 stuff.

Do biometrics use actual fingerprints or a biometric template? I.e., you can revoke a template and issue a new one?
It's fine to trust hardware if you, as a party who performs the check, installed and paid for said hardware. The problem comes when somebody else has to judge whether you performed the check correctly and trust you.
Agreed, I need to look more into this.
It's definitely a really hard problem.

I think fundamentally the issue is you can't create trust out of nothing. Once you have something you trust, you can use cryptography to extend that trust in all sorts of complex ways. However you always need a starting point to bootstrap the system.

I feel like there is a big connection between this problem and trying to prove things in pure logic.

PKI is basically starting from axioms (I trust the following CAs as a starting point).

Tofu is the reflexive property - we know that x=x

Web of trust is some sort of coherence model (in the sense of https://en.m.wikipedia.org/wiki/Coherentism )

I think to make real progress on this problem, we need to make progress in epistemology.
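As an added illustration of two of the bootstrap models named in this comment (PKI as starting from axioms, TOFU as the reflexive step), here is a small Go program that implements both over ed25519 keys. It is not code from any commenter or from any project discussed in the thread; the `Cert` layout, the names `root`, `ca` and `alice`, and the `VerifyChain`/`TOFUStore` functions are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Cert is a deliberately minimal certificate: Issuer vouches that Subject holds SubjectKey.
// The structure is constructed for this illustration and is not X.509 or any real format.
type Cert struct {
	Subject    string
	SubjectKey ed25519.PublicKey
	Issuer     string
	IssuerKey  ed25519.PublicKey
	Sig        []byte
}

// certBody is the byte string the issuer signs.
func certBody(c Cert) []byte {
	return []byte(c.Subject + "|" + hex.EncodeToString(c.SubjectKey) + "|" + c.Issuer)
}

// Issue creates a cert binding subjectKey to subject, signed by issuerPriv.
func Issue(subject string, subjectKey ed25519.PublicKey, issuer string, issuerPriv ed25519.PrivateKey) Cert {
	c := Cert{Subject: subject, SubjectKey: subjectKey, Issuer: issuer,
		IssuerKey: issuerPriv.Public().(ed25519.PublicKey)}
	c.Sig = ed25519.Sign(issuerPriv, certBody(c))
	return c
}

// VerifyChain is the PKI model: chain[0] is the leaf, each following cert is its issuer,
// and the last cert must be issued by one of the pre-trusted roots (the "axioms").
func VerifyChain(chain []Cert, roots map[string]ed25519.PublicKey) error {
	if len(chain) == 0 {
		return errors.New("empty chain")
	}
	for i, c := range chain {
		if !ed25519.Verify(c.IssuerKey, certBody(c), c.Sig) {
			return fmt.Errorf("cert for %q: bad signature", c.Subject)
		}
		if i+1 < len(chain) {
			parent := chain[i+1]
			if parent.Subject != c.Issuer || !parent.SubjectKey.Equal(c.IssuerKey) {
				return fmt.Errorf("cert for %q: issuer does not match next cert in chain", c.Subject)
			}
		}
	}
	top := chain[len(chain)-1]
	if rootKey, ok := roots[top.Issuer]; !ok || !rootKey.Equal(top.IssuerKey) {
		return fmt.Errorf("chain ends at %q, which is not a trusted root", top.Issuer)
	}
	return nil
}

// TOFUStore is the trust-on-first-use model: the first key seen for a name is pinned,
// and any later mismatch is surfaced rather than silently accepted.
type TOFUStore struct {
	pins map[string]ed25519.PublicKey
}

func NewTOFUStore() *TOFUStore {
	return &TOFUStore{pins: map[string]ed25519.PublicKey{}}
}

// Check reports whether this is the first sighting of name, and errors on a changed key.
func (s *TOFUStore) Check(name string, key ed25519.PublicKey) (firstUse bool, err error) {
	pinned, ok := s.pins[name]
	if !ok {
		s.pins[name] = key
		return true, nil
	}
	if !pinned.Equal(key) {
		return false, fmt.Errorf("key for %q differs from the pinned key: rotation or impersonation", name)
	}
	return false, nil
}

func main() {
	_, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	alicePub, _, _ := ed25519.GenerateKey(rand.Reader)
	roots := map[string]ed25519.PublicKey{"root": rootPriv.Public().(ed25519.PublicKey)}

	chain := []Cert{Issue("alice", alicePub, "ca", caPriv), Issue("ca", caPub, "root", rootPriv)}
	fmt.Println("PKI chain valid:", VerifyChain(chain, roots) == nil)

	store := NewTOFUStore()
	first, _ := store.Check("alice", alicePub)
	_, err := store.Check("alice", caPub)
	fmt.Println("TOFU first use:", first, "later mismatch flagged:", err != nil)
}
```

Both paths make the comment's point visible in code: `VerifyChain` can only ever answer "trusted" relative to the `roots` map it was handed, and `TOFUStore` has nothing to say about the very first key it sees. Neither function creates trust; each extends a starting point supplied from outside.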

Biological credentials could work even without revocation if you use a lot of them simultaneously.

It would be like asking for many usernames that are semi public instead of a username and password.

e.g. multiple fingerprints plus iris scan plus voice print plus facial scan.

So even if a few get stolen and successfully replicated somehow to fool the system into thinking it's a living person, it still won't be enough to steal the identity.

You can't revoke biological credentials though, at least not if you want the holder of those credentials to participate in your system.
Polykey is an open-source, decentralized secrets management solution that uses GitHub as an identity provider (IDP). During the initial setup—akin to creating a new digital wallet—users authenticate and claim their GitHub identity via the Polykey CLI. This step binds their Polykey node to their GitHub profile, verifiable through a publicly visible cryptolink called a "gestalt identity" displayed on their GitHub user profile or gists.

Within the Polykey network, each node can host vaults that safeguard sensitive information. By integrating identity verification directly into this decentralized framework, Polykey enables users to discover, trust, and securely share cryptographic keys with other verified nodes. This system departs from traditional methods that depend on anonymized wallet addresses for user discovery, offering instead a mechanism for direct interaction within users’ operational environments, provided their identities have been linked to their nodes.

This approach aims to tackle foundational challenges in key management and identity binding. Do you think integrating identity verification in this way could improve the management and security of cryptographic identities? Are there any potential advantages or drawbacks you foresee with this model?

Congrats, you reinvented PKI.

If it works for your use case, great. But let's not pretend it's any different from the things we were doing in the 90s.

Not only that, but reinvented it way worse… now it depends on GitHub (aka Microsoft).
We didn't reinvent shit! Everything we did is built off existing tech.

We reused PKI and extended it to achieve peer to peer web of trust. So there's both vertical trust chains via certificate signing and horizontal trust chains via a sigchain.

While being slightly more generous than my sibling comment:

If you’ve got a peer-to-peer network of information nodes, where each person is able to assert information about themselves in their node, but the whole trust is based on the polykey binding at setup, I see 3 key challenges:

1) Where’s the real world verification of any identity attributes stored in the node?

2) How do we detect when/if the root key has been compromised, allowing arbitrary new vaults and identity attributes to be automatically trusted within the network?

3) How does this meaningfully improve the experience over having a CA sign a certificate that contains attributes about you? (sibling poster’s argument).

1) Real world verification is voluntary. Nothing is forcing anybody to provide real world information. Users can decide to do so by claiming a real world identity, in which case the verification is outsourced to that IdP. Users can also decide who to trust based on what information is available on the network.

2) Root key compromise can be resolved through revocations on the trust network. It's the same as how PKI works right now but in a decentralized manner. This isn't possible yet on PolyKey (PK) but it's something we are working on.

3) Actually we enable CAs to sign the PK certificate. This is in our roadmap.
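To make concrete what a "horizontal" sigchain with key rotation and revocation (mentioned in this reply and the earlier one) could look like, here is an added Go example. It is not Polykey's code and does not reproduce its format; the `Entry` layout, the `claim`/`revoke`/`rotate` kinds, and the sample identities `github:alice` and `gitlab:alice` are all constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is one link of a hash-linked, signed log. The layout is constructed for this
// illustration and is not the format used by Polykey or any other project.
type Entry struct {
	Seq     int
	Prev    string // hex SHA-256 of the previous entry; "" for the first entry
	Kind    string // "claim", "revoke" (a claim), or "rotate" (to a new signing key)
	Payload string // the identity for claim/revoke; hex public key for rotate
	Sig     []byte // ed25519 signature over body() by the key active when appended
}

func (e Entry) body() []byte {
	return []byte(fmt.Sprintf("%d|%s|%s|%s", e.Seq, e.Prev, e.Kind, e.Payload))
}

func (e Entry) hash() string {
	sum := sha256.Sum256(e.body())
	return hex.EncodeToString(sum[:])
}

// Append links a new entry to the tail of chain and signs it with priv.
func Append(chain []Entry, kind, payload string, priv ed25519.PrivateKey) []Entry {
	e := Entry{Seq: len(chain), Kind: kind, Payload: payload}
	if len(chain) > 0 {
		e.Prev = chain[len(chain)-1].hash()
	}
	e.Sig = ed25519.Sign(priv, e.body())
	return append(chain, e)
}

// State is what a verifier concludes after replaying a valid chain.
type State struct {
	ActiveKey ed25519.PublicKey
	Claims    map[string]bool // identity -> still claimed
}

// Verify replays chain from root, a public key obtained out of band (the starting point
// that cannot be derived from the chain itself). Every entry must continue the sequence,
// link to the previous hash, and be signed by the key that was active at that point.
func Verify(chain []Entry, root ed25519.PublicKey) (State, error) {
	st := State{ActiveKey: root, Claims: map[string]bool{}}
	prev := ""
	for i, e := range chain {
		switch {
		case e.Seq != i:
			return st, fmt.Errorf("entry %d: sequence gap", i)
		case e.Prev != prev:
			return st, fmt.Errorf("entry %d: broken hash link", i)
		case !ed25519.Verify(st.ActiveKey, e.body(), e.Sig):
			return st, fmt.Errorf("entry %d: not signed by the active key", i)
		}
		switch e.Kind {
		case "claim":
			st.Claims[e.Payload] = true
		case "revoke":
			st.Claims[e.Payload] = false
		case "rotate":
			k, err := hex.DecodeString(e.Payload)
			if err != nil || len(k) != ed25519.PublicKeySize {
				return st, fmt.Errorf("entry %d: malformed rotate payload", i)
			}
			st.ActiveKey = ed25519.PublicKey(k)
		default:
			return st, fmt.Errorf("entry %d: unknown kind %q", i, e.Kind)
		}
		prev = e.hash()
	}
	return st, nil
}

func main() {
	pub1, priv1, _ := ed25519.GenerateKey(rand.Reader)
	pub2, priv2, _ := ed25519.GenerateKey(rand.Reader)
	var chain []Entry
	chain = Append(chain, "claim", "github:alice", priv1)            // constructed sample identity
	chain = Append(chain, "rotate", hex.EncodeToString(pub2), priv1) // retire key 1 in favour of key 2
	chain = Append(chain, "claim", "gitlab:alice", priv2)
	chain = Append(chain, "revoke", "gitlab:alice", priv2)
	st, err := Verify(chain, pub1)
	fmt.Println("valid:", err == nil, "claims:", st.Claims, "rotated to key 2:", st.ActiveKey.Equal(pub2))

	// An entry signed with the retired key is rejected on replay.
	_, err = Verify(Append(chain, "claim", "x", priv1), pub1)
	fmt.Println("stale-key append rejected:", err != nil)
}
```

What the replay catches is tampering, missing entries, and appends signed by a retired key. What it cannot catch is the case raised in the earlier question 2: someone holding the current key can append a perfectly valid `rotate` of their own, and two valid chains sharing a prefix look equally honest to `Verify`. Telling them apart needs something outside the chain, such as the claim published at the IdP or peers comparing the chain heads they have seen.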

I’ve previously worked heavily in digital identity and continue to talk from time to time on it - I honestly can’t see any value to this. It’s worse in some dimensions than existing systems (certificates can at least be validated offline) and offers no upsides (assertion of identity validity is the hard and valuable part).

I’d do a deep dive on verifiable credentials and ask yourself truthfully what PolyKey offers to both users and relying parties.