“Who is Who” in the Web3 World? zCloak Network’s New Product Valid ID Launches Public Beta

zCloak Network
12 min read · Apr 11, 2023

The Problem of Trust in Web3

Does Web3 need “trust”? From a blockchain technology point of view it may seem unnecessary, since one of the features of blockchain is being “trust-less”: even without a trusted third party as an intermediary, two strangers can still complete a transaction through the combination of cryptography and consensus mechanisms. However, the demand for trust seems to be ubiquitous across the blockchain industry. Before cautious users open their wallet and click to confirm an interaction, they will ask: Can I trust this project? Can I trust their contract and frontend code? Can I trust this link? Can I trust this NFT address? All of these questions are about trust.

To solve the problem of trust in the Web3 world, we must first solve the problem of “who is who.” We often ask questions like: who deployed this NFT contract? Who signed this digital file? Who forwarded this Discord link? Even when dealing with privacy credentials based on Zero-Knowledge Proof, we still have to ask who notarized the original data. It is obvious that once the “who is who” question is answered, most trust issues will be easily solved. Here, the first “who” generally refers to common on-chain identity identifiers, such as wallet addresses, DIDs, decentralized domain names, etc., and the latter “who” refers to real-world identities. But how can these two, one in cyberspace and the other in the real world, be connected?

Problems with Existing Solutions

In the traditional Internet industry, there are two main ways to prove “who is who.” The first one is the Public Key Infrastructure (PKI) system based on Certificate Authorities (CAs). It verifies entities’ real-world identities using centralized digital CAs, then issues digital certificates to the organizations to prove their real identities. Websites served over HTTPS use this type of certificate for website identity authentication.

Although the CA and PKI solution has been widely used in website encrypted communications, it still has several apparent drawbacks:

Firstly, the solution is a thoroughly centralized approach and it does not align with the decentralized idea proposed in Web3.

Secondly, although the CA certificate application is open to all organizations, groups, and individuals, the current identity authentication mechanism isn’t flawless. In fact, the DV certificates widely used by small and medium sized websites have no identity authentication mechanism at all.

Thirdly, the application scope is relatively limited. Generally, it is only used in websites’ SSL/TLS encrypted communication.

Figure 1: Organization name certification only for medium and large organizations
Figure 2: The organization name on the certificate of many websites is empty

The second identity verification method in the Internet industry is the system based on PGP (Pretty Good Privacy) and the Web of Trust for personal keys, developed by Phil Zimmermann. PGP provides users with a set of keys for common operations such as encrypting and decrypting messages and signing and verifying them. Technically, PGP is an excellent cryptographic tool, but in practice it still struggles to solve the “who is who” problem, because the PGP system can only function when you explicitly know the PGP public key of your interaction partner. Some free software developers publish their PGP public keys on social media or their websites, but the security and scalability of this approach are clearly not ideal. To address this issue, the PGP 2.0 user manual introduces the Web of Trust concept, in which users sign and attest to each other’s PGP identities and public keys based on acquaintance relationships, transferring trust from acquaintances to the attestation of PGP public keys. At this point, the Web of Trust already hints at decentralized social attestation. However, this solution also has several problems:

Firstly, it is difficult to establish social circles in the technical field, and trust between people often depends on offline gatherings and activities. So it will be hard for newcomers to integrate into the existing trust circles.

Secondly, the establishment of trust largely relies on word of mouth, which doesn’t have clear methods to check authenticity and validity, and there is no penalty mechanism for false attestations. It is still basically at the stage of a “gentlemen’s agreement.”

Thirdly, the infrastructure of PGP technology is strong but at the same time very complex. It involves fundamental cryptographic principles and command-line operations, making it almost impossible for general users to use, so it’ll be difficult to create a network effect.

Design Philosophy of Valid ID

To solve the various problems of the above two solutions, zCloak Network proposes a PKI suitable for the Web3 era: Valid ID (valid3.id), which can perfectly answer the previous question of “who is who in Web3.”

The basic design philosophy of Valid ID includes:

  1. Easy to use. Valid ID tries its best to minimize the threshold of use. As long as users know how to use a regular crypto wallet, they can access all services on the Valid ID platform easily.
  2. Secure and reliable. Valid ID uses simple, mature, and time-tested cryptographic primitives such as Keccak hash, ECDSA signature algorithm on the secp256k1 curve, etc. to support accessing mainstream crypto wallet apps and hardware wallets directly.
  3. Standardized. Valid ID uses existing W3C DID and VC industry standards, applies verifiable credentials (VC) to the identity attestation process for organizations and individuals based on the zCloak DID method “did:zk:”, and strives for maximum compatibility with the existing crypto ecosystem.
  4. Decentralized. Based on the “Web of Trust” concept, Valid ID proposes a Multi-party Attestation-Based Web of Trust architecture to effectively eliminate the issue of single-point trust. Thus, zCloak Network is just one of the attesters for onboarding entities. Any organization capable of attesting to other entities can perform the identity attestation process according to their own standards and issue credentials to other entities on the Valid ID platform.
  5. Self-sovereign. Each onboarding entity’s information can only be modified by the root key set at registration, and no one else can change the displayed information. Information updates use self-verifying data structures based on digital signatures, and all platform events and logs will be stored on Arweave and EVM public chains. Anyone can independently check and verify relevant information on the platform.
  6. Extensible. Valid ID’s architecture refers to the Nostr protocol for the corresponding cryptographic transformation (https://github.com/zCloak-Network/vips). It’s simple, flexible, and extensible. What’s more, it is naturally compatible with omni-chain use: related data can even be propagated to all public chains and directly called by smart contracts (mainly EVM public chains in the early stages of the project).

Based on the above design philosophy, the Valid ID platform has its own distinct advantages and is clearly differentiated from existing identity-related projects in the Web3 industry. Typical examples are as follows.

Firstly, Valid ID differs from domain name-related projects such as ENS. The essence of Web3 domain projects is the aggregated expression of on-chain addresses, so the domain name itself cannot convey real identity information. For example, timcook.eth probably isn’t able to represent the CEO of Apple, and openai.eth may not be able to represent OpenAI. In addition, there is no checking mechanism for the profile information entered by users on ENS, including website, email, etc., so its authenticity cannot be confirmed. In contrast, all information shown on an entity’s profile page within Valid ID is independently checked by multiple third parties, which could include law firms, security audit companies, accounting firms, and many others. The results of multi-party independent attestation will be stored on Arweave and EVM public chains in the form of tamper-proof verifiable credentials to ensure the authenticity and verifiability of the information.

Secondly, unlike profile-type projects that focus on Web3 identity aggregation display of on-chain transaction information, Valid ID focuses on the attestation and anchoring of an institution’s true off-chain identity. With the double protection of cryptography and legal declaration, it is not only possible to prove the identity of an organization when it acknowledges its on-chain identity, but also to disprove its claims when it denies its on-chain identity. The organizational identity information on Valid ID includes not only common information such as official websites, Twitter accounts, and email, but also registration country and address, on-chain and off-chain credit scores, security reports from auditing firms, and rating reports from research institutions, among others. Thanks to the multi-party attestation architecture of VCs, all the attested information can be seamlessly transferred and expressed in an organization’s profile. This means related organizations do not need to communicate with the zCloak Network team to be able to independently publish organizational attestation information which meets their own standards. Users can also make their own judgment on the value and authenticity of the content published by certified information agencies based on their reputation and credibility.

Valid ID’s Positioning in the zCloak Ecosystem

zCloak Network is a privacy-first DID protocol and verifiable computation infrastructure based on zero-knowledge proof (ZKP). zCloak proposes a new computation paradigm by moving both the storage and computation of data from centralized servers to users’ local devices, which fundamentally ensures users’ identity and data sovereignty. Within the zCloak ecosystem, Valid ID plays a crucial role as the trusted origin of user data, and the relevant technical principles are as follows.

As is well known, the primary purpose of ZKP technology is to prove the correctness of a computation process. Users can prove that their data has certain attributes or meets certain conditions by running a specific ZKP algorithm on their data locally. In this way, users can prove their identity, assets, and other data only by showing the computation results and zero-knowledge proofs to third-party verifiers, without revealing their original data.

However, a complete computation consists of two parts: the input data, and the computation process. While ZKP technology can ensure the correctness of the computation process, it cannot guarantee the correctness of the input data involved in the computation. In other words, if a user applies a zero-knowledge proof computation with the wrong data, the result of the computation is still wrong even if the final proof is verified to be correct. Without authentic input data, such computations are meaningless. We know that the core advantage of user-end ZKP calculations is that they can prove the correctness of user-end computations without the verifier seeing their input data. However, this also brings forth a problem, which is that verifiers can verify the correctness of zero-knowledge proofs, but cannot verify the correctness of the input data they cannot see. Furthermore, what is correct input data, and what is incorrect input data? What are the criteria and basis for defining them? Providing satisfactory answers to these questions is a prerequisite for user-end privacy-preserving zero-knowledge proof computations.

zCloak Network successfully answers the question of “how to verify the correctness of user-end data” by flexibly using verifiable credential technology. Basically, we can select some reputable third-party institutions in advance, have them authenticate user-end data, use verifiable credential technology to commit to the authentication results, and check those commitments during the zero-knowledge proof computation process. The complete computation process can be summarized like this: trusted party A authenticates and attests to the personal data of user B; running ZKP algorithm C on that data yields result D, along with a ZK proof E. The final verifier V only needs to verify the correctness of E and trust the authority of A to accept the correctness of D. To convince V to accept the authority of A’s authentication result, one first needs to know who exactly is behind A’s identifier (e.g. blockchain address, DID). This closes the logical loop: the real identity of A is the problem that Valid ID solves.

Application Scenarios of Valid ID

The initial intention of the zCloak team when designing the Valid ID project was to make it interact with the zkID verifiable credential platform, providing authoritative guarantees for user credentials within the zCloak ecosystem. As time, exposure, and discussion have increased, we have found that its use cases and practical applications far exceed the scope of digital credentials. Here are two examples:

Example 1: Valid Sign. After using Valid ID to authenticate and anchor an institution’s identity, the institution can use its DID to sign any text, image, document, or even executable file. Any third party can verify the result of the signature. This way, all situations in the real world that require paper signatures or official seals can be replaced by digital methods instantly. And the entire process requires neither tokens nor interaction with blockchain, but it is a genuine Web3 application because it guarantees user data’s sovereignty.

Figure 3: Valid Sign’s verification results show the identity information of the signing authority

We named the signature tool Valid Sign and it’s available now on the Valid ID website. In addition, we also provide the Valid ID bot, which has been integrated with Telegram and Discord. Users can directly verify any Valid Sign message within these social apps. Thus, even if some project’s social accounts are stolen, and hackers post fraudulent or phishing links in the channel, members can still verify the signature of any statements and links posted by the project with just one click, effectively avoiding the endless fraudulent incidents in the Web3 industry.

Figure 4.1 & 4.2: Valid Sign verification bot integrated within Telegram and Discord
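The trust chain (verifier V relying on attester A) and the Valid Sign verification described above both come down to the same verifier-side check: the signature must be valid, and the signing key must be vouched for by parties the verifier already trusts. The following is an added example, not zCloak's code or the Valid ID protocol. The `did:example:` identifiers, the function names, the two-attester threshold, and SHA-256 in place of Keccak are assumptions for illustration, and all parties and messages are constructed.

```javascript
const nodeCrypto = require('node:crypto');
// Identifier derived from the public key, so nobody can claim an id without the key.
// Assumption: SHA-256 stands in for Keccak, which Node's built-in crypto lacks.
const idOf = (publicKey) => 'did:example:' + nodeCrypto.createHash('sha256')
  .update(publicKey.export({ type: 'spki', format: 'der' })).digest('hex').slice(0, 16);

function newParty() {
  const keys = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
  return { ...keys, id: idOf(keys.publicKey) };
}
const bytes = (payload) => Buffer.from(JSON.stringify(payload));
const signBy = (party, payload) => nodeCrypto.sign('sha256', bytes(payload), party.privateKey);
const validSig = (key, payload, sig) => nodeCrypto.verify('sha256', bytes(payload), key, sig);

// An attester binds a subject identifier to a real-world name and signs that claim.
function attest(attester, subjectId, legalName) {
  const claim = { subject: subjectId, legalName, attester: attester.id };
  return { claim, sig: signBy(attester, claim) };
}

// Verifier: valid signature AND at least `threshold` trusted attesters agreeing on one name.
function whoSigned(message, sig, signerKey, credentials, trusted, threshold) {
  if (!validSig(signerKey, message, sig)) return { ok: false, reason: 'bad signature' };
  const signerId = idOf(signerKey);
  const vouchers = new Map(); // legalName -> Set of trusted attester ids
  for (const { claim, sig: claimSig } of credentials) {
    const attesterKey = trusted.get(claim.attester);
    if (!attesterKey || claim.subject !== signerId) continue; // unknown attester or other subject
    if (!validSig(attesterKey, claim, claimSig)) continue;    // forged or altered credential
    if (!vouchers.has(claim.legalName)) vouchers.set(claim.legalName, new Set());
    vouchers.get(claim.legalName).add(claim.attester);
  }
  for (const [legalName, ids] of vouchers) if (ids.size >= threshold) return { ok: true, legalName };
  return { ok: false, reason: 'not attested by enough trusted parties' };
}

// Constructed scenario: two trusted attesters, one attested organization, one unattested key.
function demo() {
  const [lawFirm, auditor, org, impostor] = [newParty(), newParty(), newParty(), newParty()];
  const trusted = new Map([[lawFirm.id, lawFirm.publicKey], [auditor.id, auditor.publicKey]]);
  const creds = [
    attest(lawFirm, org.id, 'Example Labs Ltd'),
    attest(auditor, org.id, 'Example Labs Ltd'),
    attest(impostor, impostor.id, 'Example Labs Ltd'), // self-issued, attester not trusted
  ];
  const msg = 'Official mint page: https://example.org/mint';
  const check = (m, s, key) => whoSigned(m, s, key, creds, trusted, 2);
  return {
    genuine: check(msg, signBy(org, msg), org.publicKey),
    impostor: check(msg, signBy(impostor, msg), impostor.publicKey),
    tampered: check(msg + '?ref=x', signBy(org, msg), org.publicKey),
  };
}
console.log(demo());
```

The `impostor` result shows that a cryptographically valid signature is still rejected when no trusted attester vouches for the signing key, which is the case the stolen-account scenario above depends on.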

Example 2: Web3 institutional structure. Whether it is Web3’s native organizational form DAO or real-world companies, institutions, or even government departments, everyone can map their organizational structure on the Valid ID platform. The hierarchical relationships between institutions and their subsidiaries, the roles of different personnel, the institution’s receiving addresses and NFT contracts, and even various AI-driven unmanned devices can all be registered on the institution’s page and published in the form of a Trust Tree. With Nostr-like messaging protocols, institutions, organizations, and their personnel can engage in a rich variety of social interactions and provide social proof. Besides, related event data can be stored in Nostr relays, Arweave, and blockchain public networks. The Valid ID platform will soon launch the Valid Name function, which directly binds to the institution’s legal name, and the Valid Score function, which quantifies the social certification results between institutions, striving to become the cornerstone of trust for the Web3 institutional network.

To accommodate various application scenarios, different infrastructures of the zCloak Network are being built at full speed. The mobile digital identity wallet zkID Wallet (wallet.zkid.app) is available for use directly, without any installation. Users only need to “add it to the home screen” to get a full-featured digital identity wallet app and use Valid Sign and zero-knowledge proof virtual machine functions on mobile devices. The zkID Credential platform (cred.zkid.app) can handle the preparation, attestation, and verification tasks for various verifiable credentials. A no-code ZKP generator will be integrated into the Credential platform, allowing various verifier parties to customize ZKP programs that meet their needs. Multi-chain attestation contracts will map digital credentials and “who is who” trust relationships within the zCloak ecosystem to mainstream blockchain public chains for direct invocation by smart contracts.

Valid ID launched Public Beta

In March 2023, the Valid ID platform started internal testing. After being tested and verified by dozens of Web3 organizations, it officially began its public beta testing this week. We understand that the construction of Web3 trust infrastructure requires the joint efforts of the entire industry. The decentralized architectural design of Valid ID aims to put identity control in the hands of each institution itself. zCloak Network sincerely invites institutions and projects from all tracks to participate in the construction of the Valid ID network. Visit the Valid ID homepage (valid3.id) and click “Request Onboard” to get in touch with our Business team (they will reach out to you ASAP). Institutions that onboard to the platform early can enjoy exclusive benefits such as a free Valid Name. We especially welcome institutions with the ability to perform security audits and institutional ratings, and those with accumulated commercial and legal data, to join and co-build the Web3 trust network.

Written by zCloak Network

zCloak Network is a Real-World Identity (RWI) infrastructure for Web3. Website: zcloak.network; Product: zkid.app
