zkPass
zkPass User's Guide
zkPass User's Guide
  • Getting Started
    • 🔊Introduction
      • What is zkPass?
      • How does it work?
      • How zkPass can help you
      • What's Ahead
    • 🌤️Service-based Proof System
      • Main Features
      • zkPass Workflows
      • Deployment Options
        • Public-Cloud Hosting
        • Private-Cloud Hosting
        • On-Premise Hosting
    • 🗝️Key Concepts
      • User Data
      • DVR
      • zkPass Proof
  • Core Components
    • 🏛️Service Architecture
      • RESTful API Web Service
      • zkPass Query Host
    • 👥zkPass Client Roles
    • 🤝Trust Models
      • Data Privacy Trust Model
      • Data Integrity Trust Model
      • Computation Integrity Trust Model
    • 👩‍💻zkPass Module
  • Use Cases
    • 🩸Employee Onboarding
      • “Blood Test Result” User Data
      • "Employee Onboarding" DVR
      • zkPass Integration
      • Call Sequence
    • 🚘Loan Application Screening
      • “BCA Customer Profile” User Data
      • Loan Screening DVR
      • zkPass Integration
      • Call Sequence
    • 🛒Sharing OIDC Users Securely
      • "ShopSphere ID Token" User Data
      • "ShopSphere Account Holder" DVR
      • zkPass Integration
        • Integration Guidelines for ShopSphere OIDC Provider
        • Integration Guidelines for Krisna Service
        • Integration Guideline for ShopSphere App
      • Call Sequence
  • FAQ
    • How is verifiable computing implemented by ZKP?
  • Glossary
    • Client-based Proof System
    • DVR
    • User Data
    • zkPass Proof
Powered by GitBook
On this page
Export as PDF
  1. Core Components

zkPass Client Roles

zkPass follows a robust trust model inspired by the W3C Decentralized Identifiers (DID) standards. Within the zkPass ecosystem, we define three client roles which participate in the zkPass ecosystem.

PreviouszkPass Query HostNextTrust Models

Last updated 1 year ago

Depending on the application, the client of zkPass can take one of these roles:

  1. Data Issuer The entity responsible for issuing the original data that requires protection.

  2. Data Holder (User) The individual whose confidential data is being protected.

  3. Proof Verifier The Proof Verifier is the client that is responsible for setting conditions and requirements on user data using the zkPass Query language, which are then encapsulated in a Data Verification Request (DVR). The concept of a Proof Verifier is similar to that of the DID's Data Verifier. Unlike a generic DID's Data Verifier, the Proof Verifier specifically validates zero-knowledge proofs generated from the query execution to ensure the user data meets the specified conditions. The term "Proof Verifier" is therefore used here to emphasize its specialized capability for verifying data through zkPass Proofs.

This multi-faceted trust model allows the proper flow of data and communications among the zkPass stakeholder clients and ensures that the user’s confidential information remains protected and secure.

Central to the ecosystem is the zkPass service, which provides the generateProof RESTful API. This method takes the user data token and the dvr token, both of which are signed and encrypted JWT content. This is a nested JWT message in which the inner token is the signed JWT (JWS), and the outer token is the encrypted JWT (JWE). The caller of the API first signs the inner token with its signing private key and then encrypts the outer token with the zkPass service’s public key. Upon receiving the user data and dvr tokens, zkPass service first decrypts the outer token with its private key and then verifies the signature of the inner token with the public of the caller. Since the public key of the zkPass must be known to the caller of the API, zkService exposes the JWKS endpoint, which contains the URL and the key name for its public key.

👥
The Three zkPass Client Roles