Forget key-signing parties: how VRCs can make digital trust personal

Key signing parties never really took off as a way to establish first-person digital trust. They relied on awkward, manual interactions, delivered little or no immediate practical value, did not establish strong enough trust, and did not scale well. But the possibilities for establishing first-person digital trust have changed, Internet Identity Workshop Co-founder Phil Windley writes in an analysis on his Substack page, Technometria.
Windley describes the limitations of key signing parties in contrast with the potential presented by Gen Digital Director of Trust Services Drummond Reed during VRM Day, a recurring event held the day before each IIW in Mountain View, California.
“VRM” in this case stands for “vendor relationship management.”
Pretty awkward parties
First-person key signing was a way to establish a basis for trust in Pretty Good Privacy (PGP) based on vouching.
Windley describes a ritual of “half security theater, half social ceremony” which did not meet the practical needs of decentralized digital identity verification. The verification process was typically a visual inspection of long hexadecimal strings for matches.
While correct that “identity verification shouldn’t require a central authority,” Windley writes, the idea behind key signing parties failed because the trust infrastructure it created could not be extended into the useful areas of people’s lives.
The introduction of new technologies and methods like the W3C’s decentralized identifier (DID) specification and the capabilities of mobile devices open up new ways of establishing trust at the personal level.
Personal verification and remote trust
An updated version of key signing parties, however, is possible, and is shown in Reed’s presentation on verifiable relationship credentials (VRCs).
The parties can each use their smartphone to scan a QR code or read the NFC chip in a credential to establish more meaningful connections with each other. An agent (not necessarily endowed with AI) resolves the “self-certifying, autonomic” DID pulled from a credential in a peer-to-peer interaction, and the parties each prove control over their identifier cryptographically. The cryptographic proof provides mutual authentication.
The exchange of DIDs also creates a secure and private DIDComm messaging channel, Windley writes, which can be used for personal messaging, sharing files or access and all kinds of other interactions.
The new model of peer-to-peer trust cuts out the key server. It also exchanges the static record of trust for a DIDComm channel that can be used to issue a VRC. The VRC can take the form of a verifiable credential with self-asserted attributes.
Those attributes could include the individual’s name and contact information, as well as an assertion that they were verified during the in-person meeting. In Windley’s example, it also contains a note about the context of that meeting, possibly an expiration, and the identifier of the issuing DID “within a shared community context (e.g., her IIW working group handle or project-specific DID).”
A VRC issued by the other party in a peer-to-peer meeting does not need to match the first one, except for the community identifier that tells third parties where the trust behind the credential comes from. Windley argues that, combined with selective disclosure, VRCs are “both useful and safe.” And agents can provide the VRC in digital interactions where it has value to third parties making a decision about how much to trust the subject.
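The exchange described above, as an added example that is not code from Windley, Reed or any DID or DIDComm project: two parties derive self-certifying DIDs from Ed25519 keys, prove control by signing the peer's challenge (mutual authentication), and one issues a VRC that a relying third party can verify. The did:key-style encoding, the community identifier, the claim values and the challenge are assumptions or constructed inputs; the DIDComm transport itself is not modeled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Party is one person at the meeting. Its DID embeds the public key (a simplified
// did:key-style encoding, assumed here), so it is self-certifying: no key server.
type Party struct {
	DID  string
	priv ed25519.PrivateKey
}
func NewParty() Party {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return Party{DID: "did:key:z" + hex.EncodeToString(pub), priv: priv}
}
// Verify resolves the DID to its key peer-to-peer and checks a signature.
// The length check matters: ed25519.Verify panics on a malformed key.
func Verify(did string, msg, sig []byte) bool {
	pub, err := hex.DecodeString(strings.TrimPrefix(did, "did:key:z"))
	return err == nil && len(pub) == ed25519.PublicKeySize && ed25519.Verify(ed25519.PublicKey(pub), msg, sig)
}
// ProveControl: after the QR/NFC scan each side signs the other's fresh challenge.
func ProveControl(p Party, challenge []byte) []byte { return ed25519.Sign(p.priv, challenge) }
// VRC carries self-asserted claims about the subject, signed by the issuer and
// tagged with the shared community context a relying third party can look up.
type VRC struct {
	Issuer, Subject, Community, Expires string
	Claims                              map[string]string
}
func IssueVRC(issuer Party, subject, community string, claims map[string]string, expires string) (VRC, []byte) {
	v := VRC{issuer.DID, subject, community, expires, claims}
	payload, _ := json.Marshal(v) // deterministic: fixed field order, sorted map keys
	return v, ed25519.Sign(issuer.priv, payload)
}
// VerifyVRC is what a third party runs: re-encode the claims, check the issuer.
func VerifyVRC(v VRC, sig []byte) bool {
	payload, _ := json.Marshal(v)
	return Verify(v.Issuer, payload, sig)
}
func main() {
	alice, bob := NewParty(), NewParty()
	ch := []byte("constructed fresh challenge from Alice") // random per session in practice
	fmt.Println("bob controls his DID:", Verify(bob.DID, ch, ProveControl(bob, ch)))
	v, sig := IssueVRC(alice, bob.DID, "iiw:wg:constructed", map[string]string{"name": "Bob"}, "2027-01-01")
	v.Claims["name"] = "Mallory" // any tampering breaks the issuer's signature
	fmt.Println("tampered VRC verifies:", VerifyVRC(v, sig))
}
```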
Building a web of trust in this way will require a lot of connections between groups, but VRCs could provide a scalable, useful model in which “relationships are the root of first-person identity.”