<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p><br>
</p>
<div class="moz-cite-prefix">On 03/03/2025 18:29, Marek Tichy wrote:<br>
</div>
<blockquote type="cite"
cite="mid:7d14159f-e308-44fe-a2c2-62e96667cdae@gn.apc.org">
<pre wrap="" class="moz-quote-pre">Thanks a lot iang for your elaborate answer
</pre>
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">
There's an enormous class of security problems that can be solved by
"if only we really knew who everyone was." Which derives from our
anthropology as tribal animals, in which so many of our normal
processes are protected by knowing everyone around us. It's inbuilt
into our brains.
Unfortunately there isn't a really good technical solution for that at
remote or Internet scale. WoT didn't work in large part because nobody
knew what the T meant. The CA/PKI/x509 industrial complex didn't
really work in large part because their business model of selling
numbers for money didn't align with needs.
</pre>
</blockquote>
<pre wrap="" class="moz-quote-pre">It has to be free and radically bottom up.</pre>
</blockquote>
<p><br>
</p>
<p>That's hard as you need a lot of code, which needs money to pay
for that code, and therefore some form of business model.
Normally. I know there is this kind of dream that open source will
make things magically self-birth, but open source always seems to
succumb to the business model sooner or later.</p>
<p>(I say that as I do actually build one of them myself, sans
business model...)<br>
</p>
<blockquote type="cite"
cite="mid:7d14159f-e308-44fe-a2c2-62e96667cdae@gn.apc.org">
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">
That said, there is a long-running thing called Rebooting Web of Trust
(RWOT) which runs like 2 events per year on this goal. This crowd is
strongly aligned with Verifiable Credentials (VCs) and Decentralised
IDentifiers (DIDs). And less strongly with a group pushing
Self-Sovereign Identity (SSI), which seems to have lost its way,
probably because they didn't understand the I nor the T, nor the
business model nor the technology.
</pre>
</blockquote>
<pre wrap="" class="moz-quote-pre">I know these guys.</pre>
</blockquote>
<p><br>
</p>
<p>Without knowing the ins and outs of DIDs etc, this did seem
interesting:</p>
<p><a class="moz-txt-link-freetext" href="https://ggreve.medium.com/a-future-for-self-sovereign-identity-c237caa5e46f">https://ggreve.medium.com/a-future-for-self-sovereign-identity-c237caa5e46f</a></p>
<p>in that it suggests their implementation is about to lift off,
and is properly decentralised, which has been a criticism of
others.<br>
</p>
<blockquote type="cite"
cite="mid:7d14159f-e308-44fe-a2c2-62e96667cdae@gn.apc.org">
<pre wrap="" class="moz-quote-pre">How about each new DID is validated by at least two already existing
DIDs? As part of this initial validation, VCs about some basic
properties like name, place of birth, age can be issued.
That DID then lives and gradually collects various other, stronger VCs.
The service providers can choose what level of certification they
require for their service to be available.</pre>
</blockquote>
<p><br>
</p>
<p>How do you enforce "two"? What does the application do with
two-ness when it sees it? Is two-ness too strong for some purposes
and too weak for others?</p>
<p>How does it relate to real life? Do you talk to people at a
social gathering if they have two-ness?</p>
<p>My preferred approach to this question is to use
micro-communities. Approximately 20-30 people. This way, everyone
knows everyone inside, and therefore can inject that knowingness
into the technology. I think this works well, but it is hard to do
in the West. Much more prevalent in the East, for reasons.<br>
</p>
<blockquote type="cite"
cite="mid:7d14159f-e308-44fe-a2c2-62e96667cdae@gn.apc.org">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">We need a way to tell AI from humans and yesterday was too late to
switch to a pseudonymous internet.
</pre>
</blockquote>
<pre wrap="" class="moz-quote-pre">
Would be useful - but hard. Because you're asking a security question,
one has to think in adversarial terms. How would you attack the system?
The simplest attack is to create a million of the nyms and lie.
Actually AI is very good at lying. And can do it better at scale than
humans. So a simple, first order web of nyms won't work.
Somehow you have to stop the nym holder from lying. The only way to do
that is to make the incentives align such that it's better for the
holder to tell the truth and worse to lie. A general answer is carrot
& stick.
</pre>
</blockquote>
<pre wrap="" class="moz-quote-pre">The carrot in this case would be gaining access. To porn and gambling,
ideally.
The stick could be pruning entire dishonest branches together with their
parents.</pre>
</blockquote>
<p><br>
</p>
<p>Right, plenty of carrot. The stick is a harder problem. Just
kicking out a dishonest branch isn't going to hurt much if it was
built by an AI. This is like the old joke "how do you punish a
public key? Lop a few bits off ???"<br>
</p>
<blockquote type="cite"
cite="mid:7d14159f-e308-44fe-a2c2-62e96667cdae@gn.apc.org">
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">Carrot & stick works well with nation states. But for reasons, the
nation states have trouble working with public keys. What does work is
communities that have some inner strength. For an example of one that
worked, look at CAcert, which these days is a shadow of its former
self, but it did crack the problem of honesty versus lying, at
Internet scale.
</pre>
</blockquote>
<pre wrap="" class="moz-quote-pre">Yeah, I remember CAcert issuing free certificates at some conference
lobby ages ago. This is similar, but decentralized.</pre>
</blockquote>
<p><br>
</p>
<p>Yes. So, a community needs both a purpose, and an infrastructure.
The purpose in this case was free certs. The infra that was built
was a group of "Assurers" that checked your passport/ID and
assigned points. Behind that group of 5000 say, there were other
elements: testing, training, audit, dispute resolution,
governance, policy. All those elements were built, and they
worked. The dispute resolution was the stick, and it was scary and
effective.<br>
</p>
<p>Sadly, the free certs thing never worked for that community bc
they got blocked out of the browsers. Big long painful story. But
the TL;DR for today is that the community needs a primary purpose
which isn't the infra. And that purpose needs to be strong enough
to build / support / pay for the infra. That's quite tricky.<br>
</p>
<blockquote type="cite"
cite="mid:7d14159f-e308-44fe-a2c2-62e96667cdae@gn.apc.org">
<pre wrap="" class="moz-quote-pre">I always imagined the DIDs could live in the IOTA Tangle, but I'm less
and less sure about that.
<a class="moz-txt-link-freetext" href="https://en.wikipedia.org/wiki/IOTA_(technology)">https://en.wikipedia.org/wiki/IOTA_(technology)</a>
Marek
</pre>
</blockquote>
<p><br>
</p>
<p>Huh. I'm sure I've come across IOTA somewhere before. It is
interesting to read the history of these chains, but there sure are
a lot of them, more than days in a year it seems.</p>
<p><br>
</p>
<p>iang<br>
</p>
</body>
</html>