- Proving Data from Websites and Accounts

Does Jomo or anyone else get to know my username/password if I enter it during the Jomo flows?

No. Your username and password are used only by the local webpage and are sent directly to the target application's backend servers. They are never sent to Jomo's backend services, so they cannot be known to Jomo or anyone else.

Why does Jomo ask me to enter my username/password if you don't need to access it on the backend?

Unlike traditional services (such as Plaid), Jomo's data fetching and validation happen on the user's local device, not on our backend. Jomo's webpage needs the credentials to establish a connection with the target application's server so it can fetch the data that needs to be notarized.

Does Jomo access all the requests/responses sent to/from my application during this process?

No. Although the webpage processes the request/response stream, Jomo's backend doesn't see the transmitted data except for the desensitized parts the user decides to share and publish.

How exactly is Jomo proving that the data is legit if you never saw the whole of it?

This is where cryptography kicks in. Although Jomo's notary server only ever sees the encrypted streams, it is able to validate whether the selectively disclosed substrings of the stream presented by the user are legit. For more details, see the link below.

How Does Jomo Privately Prove My Data on Another Website

- Proving Onchain Activities Aggregated Across Multiple Crypto Wallets

Does Jomo know and store that I own all the wallets I connected on Jomo?

No. Jomo does not know which wallets a user owns nor which wallets are associated together under the same user.

Jomo does know which wallets have come to the Jomo platform; this happens when you sign the message and prove your ownership. But Jomo does not gain any knowledge about which user is associated with the wallet. This can be verified by inspecting the network requests coming out of the Jomo frontend: there is never any request that would expose user-wallet or wallet-wallet relations. Everything stays on the user's device.

Why does Jomo ask me to sign a message if you don't intend to know I own the wallet?

The ownership signature serves as the basis of the subsequent Zero-Knowledge Proofs over wallet-related attestations.

Jomo does not know, and is not interested in knowing, which wallets are associated with a user id. Setting the user id aside, however, Jomo needs to verify that someone owns a wallet in order to issue them attestations related to that wallet.

In short, signing the message proves to Jomo that Someone who is sending the request now owns the wallet address, but Jomo won't know which exact user that Someone is.

How does Jomo prove aggregated activities (such as how many Azukis I hold across all my connected wallets) if Jomo doesn't know which wallets I have?

This might sound confusing, but Jomo uses ZKPs in many steps so that we can attest to your ownership of all your connected wallets without knowing which exact wallets we are attesting for.

To understand this better, we have to dive deeper into Jomo's account model. Jomo's backend does not store which wallets a user owns (because we don't know that). Instead, we store a Merkle root, which corresponds to a Merkle tree that contains all of the user's connected wallets. This allows Jomo to verify whether an ownership claim is true without knowing all the details.
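The Merkle-root check described above, as an added sketch that is not Jomo's code: SHA-256, the leaf/node prefixes and the tree layout are assumptions, and the addresses are constructed. In a plain inclusion check like this the verifier sees the claimed address; hiding it is the job of the ZKP layer the page describes, which is not shown here.

```python
import hashlib
import hmac

# Assumptions: SHA-256 and this tree layout; the page names neither.
def leaf_hash(address):
    # The 0x00 prefix separates leaves from inner nodes (0x01).
    return hashlib.sha256(b"\x00" + bytes.fromhex(address[2:])).digest()

def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(addresses):
    """All tree levels, leaves first; an unpaired node is promoted unchanged."""
    if not addresses:
        raise ValueError("at least one wallet is required")
    levels = [[leaf_hash(a) for a in addresses]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([node_hash(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def prove(levels, index):
    """Sibling path for leaf `index` as (sibling, sibling_is_left) pairs."""
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            path.append((level[sibling], sibling < index))
        index //= 2
    return path

def verify(root, address, path):
    """What the verifier runs: it holds only `root`, never the wallet list."""
    acc = leaf_hash(address)
    for sibling, sibling_is_left in path:
        acc = node_hash(sibling, acc) if sibling_is_left else node_hash(acc, sibling)
    return hmac.compare_digest(acc, root)

# Constructed addresses, kept on the user's device in this model.
WALLETS = ["0x" + f"{n:02x}" * 20 for n in (0x11, 0x22, 0x33)]
LEVELS = build_levels(WALLETS)
ROOT = LEVELS[-1][0]  # the only value the backend would store

if __name__ == "__main__":
    print(verify(ROOT, WALLETS[2], prove(LEVELS, 2)))
```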

For more details on how ZKPs are linked together to prove aggregated activity information, check out this page:

How Does Jomo Privately Prove My Aggregated Onchain Activities

How do I know signing in with Jomo is safe?

The message that we request you to sign when verifying wallet ownership is purely a signature over a message with a nonce, generated with the personal_sign method. It does NOT authorize any transactions or approve any permissions. The only use of the signature is to verify that the person making the request is indeed the owner of the wallet.

Will Jomo store my wallet associations?

No. Jomo does NOT know your wallet associations and thus cannot store them.

This can easily be verified by inspecting the network traffic coming out of the Jomo frontend. Two or more wallets are never sent in the same request, and a wallet is never sent in a request that contains information identifying a user.
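One way to run that inspection over a HAR file exported from the browser's developer tools, as an added example that is not part of Jomo's tooling. The sample entries, the placeholder URL and the `user_id` key are constructed or hypothetical; `public_account_id` is the field named in the schema on this page.

```python
import json
import re

# 20-byte hex address; the lookahead skips longer hex such as hashes and signatures.
ADDRESS = re.compile(r"0x[0-9a-fA-F]{40}(?![0-9a-fA-F])")
# public_account_id is from the schema on this page; user_id is a hypothetical name.
USER_KEYS = ("public_account_id", "user_id")

def request_text(entry):
    """Flatten URL, headers and body of one HAR entry into searchable text."""
    req = entry["request"]
    parts = [req.get("url", "")]
    parts += [f"{h['name']}: {h['value']}" for h in req.get("headers", [])]
    parts.append((req.get("postData") or {}).get("text", ""))
    return "\n".join(parts)

def audit(har):
    """Return (entry index, reason) for each request that breaks either claim."""
    findings = []
    for i, entry in enumerate(har["log"]["entries"]):
        text = request_text(entry)
        wallets = {a.lower() for a in ADDRESS.findall(text)}
        if len(wallets) >= 2:
            findings.append((i, "multiple wallets in one request"))
        if wallets and any(k in text for k in USER_KEYS):
            findings.append((i, "wallet sent with a user identifier"))
    return findings

def _entry(body):
    # Constructed HAR entry; the URL is a placeholder.
    return {"request": {"url": "https://api.example.invalid/verify", "headers": [],
                        "postData": {"text": json.dumps(body)}}}

A, B = "0x" + "11" * 20, "0x" + "22" * 20  # constructed addresses
SAMPLE_HAR = {"log": {"entries": [
    _entry({"wallet": A, "signature": "0x" + "ab" * 65}),  # one wallet only: clean
    _entry({"wallets": [A, B]}),                           # wallet-wallet link
    _entry({"wallet": B, "public_account_id": "acct-1"}),  # user-wallet link
]}}

if __name__ == "__main__":
    for index, reason in audit(SAMPLE_HAR):
        print(f"entry {index}: {reason}")
```

To check a real session, load the exported file with `json.load` and pass the result to `audit`; an empty list means neither pattern appeared in the captured requests.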

What is generated? Is Jomo making an attestation that others need to trust or does the proof prove it?

Two things get generated when you complete a Jomo proof.

An attestation, in the form of an EAS Attestation from Jomo, about your aggregated wallet data. For example, if you were proving BAYC Whale, the attestation could state that you own 6 BAYCs across 3 wallets. The beauty here is that Jomo doesn't even know the number (6) of BAYCs you have, but we are able to attest to it by signing a message from which you can then derive the exact number. The user knows the exact number and the secret used to reveal the message, and this private information is stored only on the user's local device.

A Zero-Knowledge Proof that the attestation signed by Jomo contains information about how many BAYCs you own, and that the number is greater than or equal to 3. The exact number (6) is hidden from the public, as is the secret to reveal the attestation. The only things revealed are the threshold (3) and a unique ID of the attestation, so it can't be reused again and again.

At the moment, Jomo verifies the proof on our own backend and provides the verification results to our requesters. However, we are going to expose both public APIs and a smart contract method so that anyone can verify it at any time.

What information is sent back to the proof's requester (such as icebreaker)?

This depends on what type of proof has been done. In most cases, the only information sent back is a yes, meaning that the requested proof has been completed by you. Below is an example schema that is sent back to the requester:

  • public_account_id: The unique identifier to attach verification result with, sent from the requester to Jomo and agnostic to Jomo.

  • type: The type of the verification

  • id: The unique identifier for this type of verification. This is a randomized unique id that cannot be traced back to any user.

  • timestamp: The time at which the verification was generated

  • attester: The person or entity who attested to the verification. For now this is Jomo in most cases, but we are going to support other attesters in the future.

  • signature: The cryptographic signature from the attester on the verification

Why should I use this vs something like delegate.xyz?

delegate.xyz mainly solves the security part of the problem in that you make fewer transactions with your high value cold wallet.

Jomo, in addition to solving the same security problem, preserves your privacy at the same time. Unlike with delegate.xyz, on Jomo your wallet associations are never known or revealed to anyone, including Jomo. This means that not only can you keep your whale wallet secure, it is also protected from unfriendly eyes and excessive gawking and following.

Furthermore, using Jomo you can hide your exact raw information and present only proofs of eligibility. For example, instead of letting everyone know that you have 4 wallets and a total of 10 BAYCs, using Jomo you can prove that you own more than 5 BAYCs and present just that. No information about which wallets those are, or exactly how many BAYCs you own, is exposed.

Why should I use this vs just connecting the wallet with my tokens?

Similar to the answer above: mainly for security and privacy. We all know how scary the crypto world can be :)

Jomo allows you to link your whale wallet once and be able to prove things about it forever, which makes the cold wallet safer.

At the same time, the wallet associations between your wallets are only known to yourself at all times. Even when you share a proof to a project, all they get is anonymized data. This saves you from unfriendly gawking and following and protects your privacy.
