Pre-Readings: Verifiable Attestations

It is important to note that proofs / attestations are just cryptographic signatures. If a malicious party gets the signature, the signature will still be valid. Thus, it is important to protect against replay attacks.

With BitBadges attestations, we aim to leverage our authentication flow (Sign In with BitBadges) to be used in conjunction with proof verification. The authentication flow natively has protective measures against replay attacks, time windows for verification, and more. For a credential / attestation to be valid, the holder must present a) proof of the credential AND b) proof of address ownership via Blockin.

Note that attestations are stored by BitBadges. For a user to generate a proof for attestations stored in their account, they have two options.

Sign-In with BitBadges

If you are implementing Sign In with BitBadges (this is a popup window that redirects the user to BitBadges and passes the important sign-in details back to the site) or Authentication QR codes, you can pass the expectAttestationsPresentations variable to the URL query request for your sign-in. This lets the user know that they should attach proofs to their request. You will receive the proofs back in attestationsPresentations.

You can also attach the onlyProofs variable to not require any signature from the user (just proofs).

Self-Implementations

Self-implementations are tricky because a presentation has to be generated by the user, and you (the verifier) cannot do this for them. You really only have a couple options. This is why we recommend utilizing attestation presentations in combination with SIWBB.

1. Users can navigate to their saved attestations and copy/paste the generated proof and provide it manually. Or, they can use https://bitbadges.io/attestations/genproof.

2. Implement your own solutions. Attestations are just signatures, so you may be able to store / host / verify them yourselves.

Extensions

With self-implementations, you may also choose to extend presentations with additional logic, such as wrapping a zero-knowledge proof around the presentation of standard signatures (Bitcoin, Eth, Solana, Cosmos) to only selectively disclose what you want to like we do with BBS+.