Open weboko opened 12 months ago
Right now @waku/rln has two points of contact with RLN identity.
As it is written here, in order to register an RLN identity with @waku/rln a consumer should:

- sign a message by using a wallet;
- use the signed message as a seed to generate an identity;
- register the identity on the RLN contract;
- save it in Keystore format for later use.

Seeing this, it is clear that the dependency on the wallet exists only because of the need to create a seed by signing a message.
Once the RLN identity is saved in the Keystore format, it can be passed to @waku/rln like done here, to be used by the library for proof generation, like the setup here and the usage here.
But there are a couple of problems:

- the Keystore format should be decrypted, so the password should come with it, here;
- the Keystore should be stored somewhere and after decryption should not be leaked.

This makes it poor to be re-used in a web app, at the very least.
Let's use passkeys. A passkey is a pair of public/private keys that is securely stored on a device, can be shared with others and, more importantly, comes with great UI on various platforms: browsers / iOS / Android. We can use it to address the problem with RLN identity generation and the following usage of it.
With a passkey we would eliminate the dependency on a wallet and could generate a seed directly with it, by either signing some message or doing something else:

```js
const signature = [passkey].sign(same message);
const identity = this.zerokit.generateIdentityCredentials(signature);
// registration
```
Here comes a nice bonus: there is no need to store any Keystore, and we can reliably re-generate the RLN identity again by using the passkey from the device.
The main limitation is that passkeys are domain- or application-specific, meaning they won't be re-used: if a user has an RLN identity at a website, it won't be possible to directly re-use it elsewhere, so a new identity would need to be created.
Potential mitigations:

- Keystore format, but later usage would be more complicated;
- passkey across different domains - doesn't seem secure.

We can try to make a PoC and have an example app in lab.waku.org to showcase it.

In order to bring it to production we need to understand:
Passkeys look pretty cool! A PoC would be fun.

On a side note: since they are quite new, how do you think the education + onboarding part should be handled by us?