Skip to content
Switch branches/tags
Go to file
Cannot retrieve contributors at this time

Topics & Advance Readings

In advance of the design workshop, all participants produced a one-or-two page topic paper to be shared with the other attendees on either:

  • A specific problem that they wanted to solve with a web-of-trust solution, and why current solutions (PGP or CA-based PKI) can't address the problem?
  • A specific solution related to the web-of-trust that you'd like others to use or contribute to?

If you will be attending Rebooting the Web of Trust Fall 2019 in Prague, the Czech Republic, please upload your topic papers and advanced readings to this directory with a pull request.

Pull Request Submission

To add a paper, create a pull request to this repo with your contribution (preferably as an .md file, but if you can't, as a PDF), along with updates to the in this folder. Please also include a byline with contact information in the paper itself.

Please also enter your paper twice in this README file, once in the topical listing (adding a new category describing your topic, if necessary) and one in the alphabetical listing. Please be sure to include the full URL for your paper in the README, so that we can copy it to the main page URL and have it still correctly link.

If you don't know how to submit a pull request, please instead submit an issue.

Primer Listing

These primers overview major topics which are likely to be discussed at the design workshop. If you read nothing else, read these. (But really, read as much as you can!)

Topical Listing


  • Decentralizing Reputation with DID

    • by Adrian Gropper
    • "To scale decentralized commerce based on self-sovereign identity and decentralized identifiers we will need to provide a practical alternative to centralized reputation managers. Decentralization is a complex topic and the rubrics that will help formalize our community's approach to decentralization is work that’s just beginning. One way to evaluate decentralization is the absence of essential intermediaries in an otherwise peer-to-peer transaction by self-sovereign peers. A decentralized reputation solution must provide context, a negligible increase in transaction costs, and high resistance to gaming by either the peers to a transaction or their competitors."
    • #did #activitypub #fediverse #wot
  • Gently introducing DIDs to the Mastodon/ActivityPub Fediverse

  • Keeping Unwanted Messages off the Fediverse

    • By Serge Wroclawski with advice and ideas by Christopher Lemmer Webber
    • "A collection of techniques to keep unwanted messages (spam, phishing, hate speech) off the Fediverse, with a focus on OCAP and WoT.
    • #activitypub #spam #wot #ocap


See also Identity, Self-sovereign

DID/Verifiable Claim Infrastructure


  • Bare minimum agent for identity

    • by Snorre Lothar von Gohren Edwin
    • "First we want to discuss what the bare minimum specifications that an identity app needs to provide value? How can an identity be represented physically? What are the pros and cons of a combination of these situations. The second issue is to discuss how to enable an ecosystem, what is needed to get other startups with their own non did solutions in play. Is it SDKs, libraries, proxys, some kind of shared infrastructure?"
    • #identity #ecosystem #minimization
  • Building Blocks for Sovereign P2P Identity

    • by Arthur Brock, Joel Ulahanna, and Philip Beadle
    • "We present a collection of tools designed to perform as a complete foundation for distributed applications enable a fully distributed, peer-to-peer identity. These tools are integrated into an open-source, cryptographic, data integrity framework called Holochain, without promoting the Holochain Foundation into any elevated status of authority as an identity provider. Instead, the tools are specifically designed to enable the emergence of an ecosystem of providers leveraging the tools as a foundation for their services."
    • #identity #p2p #holochain
  • Decentralized Identity as a Meta Platform

    • by Samuel Smith
    • "The purpose of this paper is to foster awareness of the economic benefits of cooperation and the crucial role decentralized identity may play in unleashing historic new sources of value creation and transfer."
    • #cooperation #did
  • Decentralized unique anonymous identity

    • by Andrew Edi
    • "The talk presents a novel way to create decentralized anonymous identity, that does not require any personally identifying information to be verified. The humanness and uniqueness is proven by running a collective simultaneous online Turing test."
    • #identity #DID #anonymity
  • Why we must ask the Why of Identity

    • by Ian Grigg
    • "When I formulated the 4 schools or types of identity (state, self, corporate, community), I was not thinking of inclusion, I was expressly intending to exclude"
    • #identity #definitions
  • Decentralized unique identity via graph-based Sybil-detection on a peer-to-peer credit network

    • by Aleeza Howitt
    • "It should be possible to analyze the connectivity of members in a p2p credit network, and from this to determine which members are real and which are Sybils (fake or duplicate accounts)."
    • #identity #p2p #credit

Identity, Self-sovereign

  • A Business Framework for SSI in IoT

    • by Michael Shea and Michael Corning
    • An approach to identify and surface the business needs and concerns to create a business case to support addition of SSI to IoT devices.
    • #ssiniot #businessofssi #iot #ssi
  • Formal protocol verification for SSI

    • by hammanns
    • "Protocol verification models different agents and the messages they can send over a network. In particular, symbolic protocol verification in the Dolev-Yao network attacker model assumes that the attacker controls the network, i.e., the attacker can read, send, block, and modify messages, but cannot break cryptography (i.e., cryptography is assumed to be perfect). The goal is to detect logical errors in the protocol design that can lead to attacks on desired security properties (such as the secrecy and integrity of messages)."
    • #protocol #verification #did See also DIDs

Key Management

  • KERI for a Universal DKMI

    • by Samuel Smith
    • "The Key Event Receipt Infrastructure (KERI) provides a minimally sufficient means for managing signing authority and tracking events for a crypto-graphic key-pair based decentralized identifier such as a W3C DID. This includes inception, rotation, interaction, and delegation. It includes single and multi-signature schemes. ... A more in depth technical description of KERI is provided here."
    • #KERI #DKMI #did #dad
  • Publicly verifiable split-key schemes for hybrid secret sharing and multi-sig authorization

    • by Mark Friedenbach and Christopher Allen
    • When using the same underlying group, Shamir secret sharing and compact threshold multi-signature schemes are two sides of the same coin. By exploiting this fact we can create publicly verifiable secret sharing schemes for social key recovery which permit dual-use as threshold multi-signature authorization schemes.
    • #shamirsecretsharing #sss #keymanagement #keyrecovery #vss #multisig
  • Zion Key Management APIs and Social Key Recovery

    • by Hank Chiu, Hankuan Yu, David Chen and Jon Tsai
    • Zion Key Management SDK Sets provide rich sets of APIs to help developers to use keys which is protected in Secure Enclave.
    • #shamirsecretsharing #sss #keymanagement #keyrecovery

Mandates and Delegation

  • Mandates and Delegation (Rieks Joosten)
    • The paper aims to inventory how mandates and delegations are used in practice. From that, we want to derive a conceptual, generic (mental) model that we can use to discuss any issues and ultimately transform that in useful, standardizable artefacts that allow embedding and using mandates in VCs.
    • #mandates #delegation #law #VC


  • Decentralising Opencerts
    • by Bill Claxton and Wong Wai Chung
    • "In March 2018, Singapore's can-do government introduced the OpenCerts solution for issuing academic certificates linked to the Ethereum public blockchain. We believe that the code and schema provided by OpenCerts can be the foundation of a verifiable digital credentials issuance mechanism. But several changes have to be made in the implementation, to make it more decentralised and reach adoption at scale."
    • #privacy #identity #verifiability #centralisation #singapore #opencerts

Secure Storage


  • Addressing DID Connection Man in the Middle Attacks

    • By Kyle Den Hartog
    • "There's two options for addressing Man-in-the-middle (MITM) that are created by the Trust On First Use (TOFU) problem: Passing a hash of a key or DID Document through a trusted out of band channel. This is also called fingerprinting; or Adding a key as a self-attested attribute to a credential."
    • #TOFU
  • Preventing Transferrability with ZKP-based Credentials

    • By Daniel Hardman and Lovesh Harchandani
    • "Some in the digital credential movement have claimed that ZKP-based credentials are inherently unsafe because they can be shared by a malicious holder. The reasoning is that ZKPs guarantee perfect anonymity, and are therefore transferable by simply sharing the link secret. This is a misunderstanding of how ZKP-based credentials work. In fact, ZKPs can provide the same sorts of transfer protections as any other type of credential."
    • #fraud #credentials #ZKP #zeroknowledgeproofs #privacy

Standards Working Groups

  • NVC for Standards Working Groups
    • "We propose to facilitate the collaborative drafting of a paper that discusses the possible use of non-violent communications (NVC) and cognitive behavioral (CBT) methodologies, to create a collaboration toolkit for Internet standards working groups."
    • by Claire Rumore & Moses Ma
    • #cooperation #communication #standards


  • Terminology Process (Rieks Joosten)
    • Many problems exist as we try to 'fix' terminology. At RWoT-9, I propose to have (perhaps hackathon-like) sessions, the purpose of which is to establish a generally useable process for creating and maintaining terminologies, building on earlier experiences in this area at TNO. In order to validate this process, one (perhaps two) actual terminologies should be established. The paper Terminology for Agent-Hub-Related Identity Concepts might serve as a starting point for that.

Verfiable Credentials

  • Analysis of Verifiable Credential Protocols for Issuer Interactions

    • by Martin Riedel, Daniel Kelleher
  • Combining Verifiable Credentials and Zero Knowledge Proof Systems

    • by Yancy Ribbens
    • Anonymous credentials enable a holder (prover) to reveal select information to a verifier during the verification process. In order to build anonymous credential systems, ZKPs can be combined with Verifiable Credentials to enhance user privacy. This is a proposal to develop library support for Verifiable Credentials and recommend ZKP formats for different use cases and credential attributes.
    • #verifiable-credentials #ZKP #zeroknowledgeproofs
  • Decision Making with Verifiable Credentials

    • "The paper will focus on the intersection between verifiable credentials and decision making ... We start by giving an overview of the problem in the context of mortgage lending and then describe a general model of decision making which is reconciled with the verifiable credentials data model. Then discuss the properties of our proposed approach as well as possible implementations."
    • by Edward Curran, Paul Ezhilchelvan, Aad Van Moorsel & Simon Brown (AB)
    • #verifiablecredentials, #decisionmaking, #DMN, #financialservices
  • Establishing level of assurance with verifiable credentials and the need for a human centered design exploration

    • "In this paper we would like to explore the idea of establishing levels of assurance, which will no longer be tied to single issuance processes, but also to a multi-source verification processes."
    • by Bentley Farrington , Bart Suichies and Víctor Martínez Jurado
    • #verifiable-credentials #assurance #humancentric
  • Islands, Tigers, and Bears, Oh My!

    • by Daniel C. Burnett
    • "Many of the properties in VCs are optional, and of the ones that are mandatory there is often flexibility in how they can be used. It is very likely that credentials written assuming use of JSON-LD for vocabularies and semantics will have semantics that basic JSON processors will ignore. It is likely that VCs using zero knowledge proofs will be unverifiable by processors that do not understand zero knowledge proofs. In short, the syntax is generic enough to support all these options, but it is NOT the case that every VC in existence will be verifiable, or even understandable without verification, by every processor."
    • "This leads to a question that has frequently arisen in the VCWG: what level of interoperability can we expect, and is there a risk of the VC ecosystem devolving into islands of incompatible VCs?"
    • "In short, the answer is yes."
    • #verifiable-credentials #interoperability
  • Verifiable Credential Authentication via OpenID Connect (vc-authn-oidc)

    • by Tobias Looker
    • "The aim of this document is to describe how a standard OpenID provider (OP) can be extended to support verifiable credential authentication. With this support, a relying party (RP) is able to request this method of authentication to harness the power of verifiable credentials."
    • #verifiable-credentials #authentication #openid-connect
  • Addition of Proof Request/Response to a formal Verifiable Credentials specification

    • by Jonathan Reynolds, Daniel McGrogan
    • "The W3C Verifiable Credentials specification does not currently outline how credential data should be requested by a Verifier. Our document outlines the approach taken at Workday and proposes it as an addition or companion to the VC spec. At RWoT we wish to present our approach in order to get community feedback and consensus. Workday recently announced our credentialing platform and will shortly begin to issue credentials within our market verticals. We fully intend to support the community standards around credentialing and therefore wish to drive consensus in the community on a simple, standard approach for requesting and sharing VCs between a holder and verifier."
    • #verifiable-credentials #proof-request

Verifiable Credentials Use Cases

  • Decentralized Identifiers to Enable Trusted Machine Economy

    • "Transacting IoT data must be different in many respects in order to build much-needed trust in IoT-enabled Data Marketplaces, trust that will be key to their sustainability. Data generated internally to an organization is usually not enough to remain competitive, improve customer experience, and optimize strategic decision-making. However, there is still no transparent and reliable marketplace for data trading with fair price. Furthermore, the verification of the machines (e.g. sensors) for data collection becomes another crutial issue. As a result, an innovative type of platform with the introduction of distributed legder technology (DLT) has emerged, in order to transform data into profits with better trust basic."
    • #DID
  • DID for ROSCAS

    • Rotating Savings and Credits Association are a type of Micro finance option. They have played an important role for lower income level group in the developing/emerging economies. While the legislation to regulate them and a formal study of the economic value they add is fairly recent, these have been around for more than 1000 years. Some researchers have also called ROSCAS as poor man’s banker. They provide a win-win situation for both borrowers and people who want to save without intervention of a central authorities like banks. However, the quick good return has often been used as bait for unsuspecting and gullible investors, resulting in very high value financial scandals that has often have political repercussions. In this paper we present the kind of scandals that take place in these schemes and how scaling them up digitally is extremely risky. How Decentralized Identifiers and Verifiable claims along with biometrics on mobile phone can be used to create a trust framework.
    • by Vineet Singh
    • #DID #ROSCAS
  • Ecosystem Bootstrapping via Notary Credentials

    • Credentials do not yet factor into any significant public process such as requesting a Schengen visa for the purposes of attending RWoT IX. The governments and businesses involved can not update their existing processes until there is an existing credential ecosystem resting on the proven ability of the general population to engage digital trust technology. This paper explores the use of credentials which attest the observation of a primary document by an authority and the non-intrusive pairing of these credentials with existing processes. This approach establishes the infrastructure required for a strong credential ecosystem without first requiring a global re-engineering of identity management.
    • by Eric Welton
    • #bootstrapping, #verifiablecredentials, #notary
  • SolidVC: A Decentralized Verifiable Credentials Management System

    • SolidVC is a decentralized Verifiable Credentials platform built with the open protocols of the Web and for the open community that the Web was intended to serve. It enables the unilateral issuance and presentation of credentials by anyone running the software locally, as well as verification of these credentials against an open credential status document. SolidVC is implemented in the context of Solid, a Web technology developed at MIT in 2016 that allows decentralized applications to interact with personal data on behalf of users in an access controlled environment. In this paper, I discuss the motivation of SolidVC, provide sufficient background of supporting technologies, present my contribution, outline a real use case, and discuss future improvements to the platform.
    • by Kayode Ezike
    • #verifiablecredentials #solid #linkeddata
  • Using Verifiable Claims as a Proof of Ownership for Blockcerts

    • by Anthony Ronning, Chris Winczewski, Dan Hughes
    • "The proposed method outlined in this paper would be able to use a Verifiable Credential from a recipient to prove ownership of a Blockcert needing verification."
    • #verifiable-credentials #digitial-certificiates #ssi
  • Using Verifiable Credentials for German Government Grants

    • This paper describes the potential usage of the SSI framework for the application of government grants. It takes into consideration the current developments from the German government with their "Bundes-chain" initiative.
    • by Adrian Doerk
    • #verifiable-credentials #ssi #government
  • Utilizing zero-knowledge proofs and verifiable credentials to provide privacy-friendly income tests for social housing

    • "This paper explains how we integrated zero knowledge proofs in our issuing and verifying flow of the universal ledger agent. We will this for a pilot this year covering the income test required in social housing."
    • by David Lamers (Rabobank)
    • #ZKP #zeroknowledgeproofs #verifiablecredentials #socialhousing #usecases
  • Verifiable Credentials in Incentivized Competency Assessment

    • "We leverage web of trust concept in order to create a network of competencies where Experts (Examiners) act as verifiers to assess user's competency on a given subject. We propose using decentralized staking and slashing mechanism similar to Augur's dispute model in order to create financial incentives for users to minimize fraud in the network. Finally, we propose a design for mechanism that produces verifiable credentials of skills and competencies which do not require centralized assessor or an institution."
    • by Stepan Gershuni (
    • #competency-based-assessment #ssi #decentralized-identifiers #verifiable-credentials #digital-certificates

Verifiable Data Chains / Decentralised Autonomic Data (DADs)

  • A DID based solution for verifiable data streaming & processing in cyber-physical systems
    • "In this paper we will introduce the concept verifiable data chains and data provenance for industrial applications such as driving event processing, manufacturing value chains in regulated industries and insure AI propositions. We do a deep dive discussion for driving event processing in mobility systems while highlighting the benefits of using DIDs for data provenance in order to increase safety in the mobility system."
    • by Dr. Carsten Stöcker (Spherity GmbH), Dr. Michael Rüther (Spherity GmbH), Alexander Yenkalow (Spherity GmbH), Juan Caballero (The Purple Tornado)
    • #verifiableclaims #dad #did #provenance


  • What's In Your Wallet
    • by Christopher Allen and Joe Andrieu
    • "A Universal Identity Wallet (UIW) for digital credentials promises seamless interoperability across issuers and verifiers, and would be usable by people, organizations, and things, for digital transactions both online and off."
    • #wallet #universal-identity

Web of Trust

  • Concerns for minorities in a Web of Trust
    • by Marie Axelsson
    • "As we keep building a new web of trust, we need to remember that the needs of marginalized groups are often not heard. It’s easy to talk about access just in terms of disability, and while it is one aspect it’s also important to remember that there are other marginalized groups who are not heard because they are a minority, or they are oppressed in other ways."
    • #web-of-trust #minorities

Web of Trust Alternatives

  • Exploring Interpersonal Data

    • by Kaliya Young
    • I recently wrote a series with Glen Weyl about Decentralized Social Identity and it got me thinking about interpersonal data and what it looks like relative to decentralized idetnity standards since so much of the focus in our work is centered on getting existing "centralized" institutions to issue decentralized verifiable credentials.
  • Firefly Trust Sync

    • by Tom Marble
    • "Introducing the Firefly Trust Sync (Firefly) architecture as a decentralized, web-of-trust alternative to address the shortcomings of the Certificate Authority (CA) based Public Key Infrastructure (CA-based PKI) and the Pretty Good Privacy (PGP) web-of-trust. Self sovereign identity is a cornerstone of this architecture and yet it does not rely whatsoever on distributed ledger technology. Essential design elements are presented with initial thoughts on both advantages and disadvantages of this approach as well as some next steps."
    • #firefly #web-of-trust
  • Heresay: A Fuzzy Prediction Market for Distributed Reputation

    • by AJ Adams, Matt Condon
    • We propose a pattern for distributed, emergent reputation rendered via a fuzzy prediction market. In order to promote scale with resilience, legibility with ephemerality, and transitivity with context, we begin by investigating how identity, trust, and reputation function at intimate scale and under organic constraints.
    • #reputation #web-of-trust #privacy
  • Nodemail Protocol

    • by Ethan Brown
    • Document describing the Nodemail Protocol.
  • Reimagining global: Programmable incentivization and its implications for personal governance

    • by John R Hoopes IV
    • "Ideas for a new conception of global governance. Opt-in mechanisms of incentivization based on the conditional provision or restriction of access to financial or informational assets could provide individuals with an enforceable mechanism of self-regulation, to encourage intentional behavior."
  • Reputation Loops

    • by Matthew Schutte
    • An alternative way to think about generating good enough sense-making and social coordination through agent-centric combinings of correlated information from multiple sources. This is somewhat distinct from the transitive trust model that Web of Trust relies upon, but has similarities as well.
  • A Web of Credit Framework

    • by Yonatan Sompolinsky and Alexandra Tran
    • "This document is a high-level discussion on using webs of trust for decentralized credit systems."

Alphabetical Listing