Sure. Here is what matters. If you use the Reclaim SDK, you can ask your users to prove certain identity and reputation they have on other websites. For example, you could ask the user to log in to their bank and prove their bank balance. You could ask your user to log in to Uber and prove that they've taken more than 50 rides this year. All of this happens without compromising security and without needing any change on the bank's or Uber's side. It's not just banks and Uber: you can connect to any website on the internet. Over 250 already.
Reclaim Protocol creates digital signatures, known as zero-knowledge proofs, of users' identity and reputation on any website. These digital signatures are computed completely on the client side, which means the process is private and secure. When the user shares this proof with your app, you can be certain that its authenticity and integrity haven't been compromised.
Great question. Glad you asked. Reclaim Protocol makes HTTPS verifiable. At a high level, the HTTPS request and response are routed through a network of HTTPS proxies. These proxies provide their digital signatures for the responses sent by the websites. The user's device then generates a cryptographic proof using the encrypted response and the digital signature. This proof attests to the data that was present in the response, like their bank balance or Uber ride count. If you want to learn more, you can see this non-technical explanation or this technical whitepaper.
Well, of course not. Else, we'd be in jail. But the question isn't irrelevant. Reclaim uses HTTPS proxies that forward the users' requests and responses. These requests are encrypted at the TLS layer. The HTTPS proxies on the Reclaim Protocol Network do not have access to the keys that decrypt these requests and responses. To perform an MITM attack, the proxies would need to have the decryption keys. You can also see a more detailed cryptographic argument here.
As of today, all the nodes on the Reclaim Protocol Network are run by a single corporate entity, us. So, you need to trust us that we won't provide digital signatures for requests and responses that were never made. However, soon (TM) we will have decentralized nodes, set up in a way that makes sure no one is capable of providing signatures for events that never happened. Here's how.
Also, you need to trust the corporate entity that publishes the client software. This one isn't a hard trust assumption. If you don't trust the published software, you could also clone the repo and publish your own software.
You're right. You can use Reclaim Protocol without ever needing to pay anyone. You can clone the repos and run the network and clients yourself. You need to pay us only if you want to use the software we publish and maintain. We keep the software stable and always up to date. Additionally, we provide a suite of developer tools and managed services to make your development and DevOps as cheap as possible.
No. Users can tap a button in your app or scan a QR code on your website and they'll be guided through generating the proof on their mobile device. They do need to use their mobile phone, but they don't need to install any app. Reclaim client software uses App Clips on iOS and Instant Apps on Android. So, no, the user doesn't need to install anything. You can try it by tapping the "Try out the demo" button on the top right of this page. You'll see what I mean :)
Of course, Reclaim Protocol isn't the only solution if you want your users to import their identity or reputation from other websites into yours. This is cutting-edge tech, but there are a few other options you can choose from depending on what tradeoffs you're willing to make. Here are some competitors we love: DECO, TLSNotary, zkPass, PADO. Choose us if you want to be mobile friendly.
So, you've been reading our technical documentation. I see. One way to let users import their identity, credentials and reputations from other websites is to do what Plaid does, which is basically to store the username and password of the user on our servers and impersonate the user with a bot that punches the username and password into the required website and fetches the desired data. Why is that bad? Sorry, that isn't a frequently asked question, so it won't be answered in this section. The only way to keep users' private data private is to use a cryptographic primitive called zk-proofs. Blockchain technology is used so that it is impossible or impractically expensive to generate proofs of credentials the user doesn't have.