[Cryptography] People vs AI
Marek Tichy
marek at gn.apc.org
Mon Mar 3 09:29:49 EST 2025
Thanks a lot iang for your elaborate answer
>
> There's an enormous class of security problems that can be solved by
> "if only we really knew who everyone was." Which derives from our
> anthropology as tribal animals, in which so many of our normal
> processes are protected by knowing everyone around us. It's inbuilt
> into our brains.
>
> Unfortunately there isn't a really good technical solution for that at
> remote or Internet scale. WoT didn't work in large part because nobody
> knew what the T meant. The CA/PKI/x509 industrial complex didn't
> really work in large part because their business model of selling
> numbers for money didn't align with needs.
>
It has to be free and radically bottom up.
>
> That said, there is a long-running thing called Rebooting Web of Trust
> (RWOT) which runs like 2 events per year on this goal. This crowd is
> strongly aligned with Verifiable Credentials (VCs) and Decentralised
> IDentifiers (DIDs). And less strongly with a group pushing
> Self-Sovereign Identity (SSI), which seems to have lost its way,
> probably because they didn't understand the I nor the T, nor the
> business model nor the technology.
>
I know these guys.
How about each new DID is validated by at least two already existing
DIDs? As part of this initial validation, VCs about some basic
properties like name, place of birth, age can be issued.
That DID then lives and gradually collects various other, stronger VCs.
The service providers can choose what level of certification they
require for their service to be available.
>> We need a way to tell AI from humans and yesterday was too late to
>> switch to a pseudonymous internet.
>
> Would be useful - but hard. Because you're asking a security question,
> one has to think in adversarial terms. How would you attack the system?
>
> The simplest attack is to create a million of the nyms and lie.
> Actually AI is very good at lying. And can do it better at scale than
> humans. So a simple, first order web of nyms won't work.
>
> Somehow you have to stop the nym holder from lying. The only way to do
> that is to make the incentives align such that it's better for the
> holder to tell the truth and worse to lie. A general answer is carrot
> & stick.
>
The carrot in this case would be gaining access. To porn and gambling,
ideally.
The stick could be pruning entire dishonest branches together with their
parents.
> Carrot & stick works well with nation states. But for reasons, the
> nation states have trouble working with public keys. What does work is
> communities that have some inner strength. For an example of one that
> worked, look at CAcert, which these days is a shadow of its former
> self, but it did crack the problem of honesty versus lying, at
> Internet scale.
>
Yeah, I remember CAcert issuing free certificates at some conference
lobby ages ago. This is similar, but decentralized.
I always imagined the DIDs could live in the IOTA Tangle, but I'm less
and less sure about that.
https://en.wikipedia.org/wiki/IOTA_(technology)
Marek
>
> iang
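The admission rule ("at least two already existing DIDs") and the pruning stick discussed in this message can be modelled as a small graph, shown here as an added example that is not part of the original post or of any DID implementation. It shows both sides of the exchange: two colluding nyms can admit any number of further nyms at no cost, and a single detected liar takes the whole branch down with it. Assumptions: the class name `VouchGraph`, the sample names, and the reading of "pruning entire dishonest branches together with their parents" as revoking the liar, its direct vouchers, and then any DID left with fewer than two active vouchers.

```python
from collections import defaultdict

MIN_VOUCHERS = 2  # "validated by at least two already existing DIDs"

class VouchGraph:
    """Hypothetical model: DIDs are plain strings, vouching is an edge."""

    def __init__(self, roots):
        self.active = set(roots)          # DIDs currently trusted
        self.revoked = set()              # pruned DIDs, never readmitted
        self.vouchers = {}                # did -> DIDs that validated it
        self.vouched = defaultdict(set)   # did -> DIDs it validated

    def admit(self, did, vouchers):
        """Admit did only if enough distinct active DIDs vouch for it."""
        backers = set(vouchers) & self.active
        if did in self.active or did in self.revoked or len(backers) < MIN_VOUCHERS:
            return False
        self.vouchers[did] = backers
        for v in backers:
            self.vouched[v].add(did)
        self.active.add(did)
        return True

    def prune(self, liar):
        """Revoke liar and its direct vouchers, then cascade to every DID
        left with fewer than MIN_VOUCHERS active vouchers (assumed rule)."""
        queue = [liar, *self.vouchers.get(liar, ())]
        removed = set()
        while queue:
            did = queue.pop()
            if did not in self.active:
                continue
            self.active.discard(did)
            self.revoked.add(did)
            removed.add(did)
            for child in self.vouched[did]:
                if len(self.vouchers[child] & self.active) < MIN_VOUCHERS:
                    queue.append(child)
        return removed

def demo():
    g = VouchGraph(roots={"alice", "bob", "carol"})   # constructed names
    g.admit("dave", ["alice", "bob"])
    g.admit("erin", ["bob", "carol"])
    g.admit("mallory", ["dave", "erin"])
    # Admission is free, so two colluding nyms can vouch without limit.
    admitted = sum(g.admit(f"sybil{i}", ["mallory", "dave"]) for i in range(1000))
    removed = g.prune("sybil0")   # one detected lie collapses the branch
    return admitted, removed, g.active
```

In this model the stick only bites after a lie is detected; nothing in the admission rule itself limits how many nyms a colluding pair can create.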