[CryptoTotalWar]

Polykey is an open-source, decentralized secrets management solution that uses GitHub as an identity provider (IDP). During the initial setup—akin to creating a new digital wallet—users authenticate and claim their GitHub identity via the Polykey CLI. This step binds their Polykey node to their GitHub profile, verifiable through a publicly visible cryptolink called a "gestalt identity" displayed on their GitHub user profile or gists.

Within the Polykey network, each node can host vaults that safeguard sensitive information. By integrating identity verification directly into this decentralized framework, Polykey enables users to discover, trust, and securely share cryptographic keys with other verified nodes. This system departs from traditional methods that depend on anonymized wallet addresses for user discovery, offering instead a mechanism for direct interaction within users’ operational environments, provided their identities have been linked to their nodes.

This approach aims to tackle foundational challenges in key management and identity binding. Do you think integrating identity verification in this way could improve the management and security of cryptographic identities? Are there any potential advantages or drawbacks you foresee with this model?

[bawolff]

Congrats, you reinvented PKI.

If it works for your usecase, great. But lets not pretend its any different from the things we were doing in the 90s.

[a_random_canuck]

Not only that, but reinvented it way worse… now it depends on GitHub (aka Microsoft).

[CryptoTotalWar]

We didn't reinvent shit! Everything we did is built off existing tech.

We reused PKI and extended it to achieve peer to peer web of trust. So there's both vertical trust chains via certificate signing and horizontal trust chains via a sigchain.

[SgtBastard]

While being slightly more generous than my sibling comment:

If you’ve got a peer-to-peer network of information nodes, where each person is able to assert information about themselves in their node, but the whole trust is based on the polykey binding at setup, I see 3 key challenges:

1) Where’s the real world verification of any identity attributes stored in the node? 2) How do we detect when/if the root key has been compromised, allowing arbitrary new vaults and identity attributes to be automatically trusted within the network?

3) How does this meaningfully improve the experience over having a CA sign a certificate that contains attributes about you? (sibling poster’s argument).

[CryptoTotalWar]

1) Real world verification is voluntary. Nothing is forcing anybody to provide real world information. Users can decide to do so by claiming a real world identity - in which the verification is outsourced to that IdP. Users can also decide who to trust based on what information is available on the network.

2) Root key compromise can be resolved through revocations on the trust network. It's the same as how PKI works right now but in a decentralized manner. This isn't possible yet on PolyKey (PK) but it's something we are working on.

3) Actually we enable CAs to sign the PK certificate. This is in our roadmap.

[SgtBastard]

I’ve previously worked heavily in digital identity and continue to talk from time to time on it - I honestly can’t see any value to this. It’s worse in some dimensions than existing systems (certificates can at least be validated offline) and offers no upsides (assertion of identity validity is the hard and valuable part).

I’d do a deep dive on verifiable credentials and ask yourself truthfully what PolyKey offers to both users and relying parties.