wallet/docs/zookos_triangle.md

---
title:
    Zooko’s Triangle
...

# Zooko Identity

In a decentralized system with no trust anchors how do you figure out
which name is the right one with any certainty.  If you are texting to “Bob”,
how do you know you have the right “Bob”?  There are a lot of Bobs.

Zooko’s triangle is the solution to this problem. It is explained in several places

- [An Introduction to Petname Systems](http://www.skyhunter.com/marcs/petnames/IntroPetNames.html)
- [Lambda for Humans: The PetName Markup Language](http://www.erights.org/elib/capability/pnml.html)

Each identity, whether a human, a server, or something else, has a globally
unique cryptographic identifier, which is not human readable or human
memorable, a title or display name, which is human readable but not
necessarily easy to type correctly or reproduce exactly from memory, a
nickname, which is not globally unique, is likely to be unique among the entities that you are dealing with, but not necessarily unique, even among them.

The petname is the name that your system calls this entity, not necessarily
what any other system calls this entity, a name constructed by or your computer, typically constructed from, or identical to, the nickname.

The petname is locally unique, human readable, and human typeable.  It is how you know this entity and reference it.

The computer is responsible for doing the mapping as needed, and
makes sure that when you connect to Bob, you are connecting to the right Bob.

Typically the globally unique cryptographic identifier is a public key, and
only Bob knows the correct corresponding secret key.  If the thing
identified is an immutable data structure, the globally unique
cryptographic identifier is a hash of that data, according to the hashing
rules for that data type and data structure, which type and structure you
very likely do not know and will not learn until you contact the system
that has the data.

# Zooko’s triangle today

We now have a lot of systems that to a greater or lesser extent implement
Zooko’s triangle, and while they are frequently incomplete and
unsatisfactory implementations, they all do a sufficient job of making sure
you are talking to the right Bob.

The way it works as (more or less) implemented today (frequently less) is
as follows:

In private messaging, there are separate message threads for each public
key, just as when you text on a phone to and from a particular person,
there are separate threads for each phone number, unless you have
manually associated two different phone numbers with the same identifier,
and where the name appears in text in public or private messages your
local computer should associate a unique local petname with each public key.
And mostly they do, though existing software is frequently half assed
about this.

The petname is generated by mangling the nickname (and possibly part of
the display name) down to a valid locally unique identifier, unique on your
computer and following your computer’s local rules for valid identifiers,
which rules might well depend on the language locale in which the
computer is running.

Existing software fouls up on the local petname issue in a variety of ways,
but does a sufficient job to ensure that one person cannot impersonate
another person

The petnames appear in the text, and in the equivalent of reply-to and cc
fields, as @petname, but if “petname” is a local petname corresponding to
a public key that corresponds to the other party’s private key, it is colored
differently to the text and/or looks like a link in html.  If you hover over the
link, you see the other party’s display name and nickname, and if you click
on that link, you go to data about that person.

What actually gets sent, computer to computer, when Ann mentions Bob
in a message to Carol, is not the the local petname that that Ann typed into
her text, but the globally unique identifier, which should be, and usually is,
the public key or information uniquely identifying the public key, and
possibly the nickname, the display name, and information on
how to direct a message to that party.

The display name is long, humanly meaningful, and usually
probabilistically unique to humans, but inconvenient for typing in full in
text, unlikely to be typed correctly, likely to be incorrectly formatted for
reply-to and cc fields, and often likely to disrupt the flow of text were it to
be directly typed as part of a paragraph.

The nickname is a potential petname, or can be mangled into a locally
valid petname without too much mangling.

Display names and nicknames are unique on any one forum  If one public
key, one nickname and display name on any one forum.  Different people
can have the same nickname and display name on different forums on
different forums.  But if they do, if there is one Bob on one forum and a
different Bob on another forum, they are going to nonetheless have
different local petnames on your computer, and if one Bob sends you a
private message, it will appear in a different message thread to that other
Bob’s message thread.

What appears in the address fields, and in references to particular people
in the middle of a paragraph, is always locally unique, one distinct local
petname for each globally unique public key.

In practice, you don’t rely on petnames to distinguish people, though they
are quite adequate for distinguishing people, but on the fact that the
threading software associates messages coming from the same public key,
just as when you see text messages coming from the same phone number
on your phone, you see them displayed with previous text messages and
replies to that phone number, and pay little attention to the phone number.

In most contexts, you don’t actually need to look at, or even remember, the
phone number, and you don’t actually need to look at, or even remember,
the petname.  You click on the “reply to” button, and the software fills in
the appropriate local petnames, which become the appropriate global
identifiers when the message is sent, and when the parties receive the
message, it gets threaded according to global identifiers, and they see their
local petnames for people.  Same as with phone numbers on your text
messaging application on your phone.  No one needs to see phone numbers
these days, and even less do people need to see public keys, and seldom
need to pay attention to local petnames.

# The full and correct implementation of Zooko UI

All existing systems are half incomplete and unsatisfactory:

> Bitmessage will never be popular, period. The common pleb
> doesn't give a shit about privacy or anonymity or security, and just
>  happily uses Fecesbook. The slightly advanced computer user
> uses the "more secure" instant messengers, that offer a proper GUI and
> easy usage. The only people using bitmessage are literally some
> groups of nerds, the unfortunate few, who have coriously stumbled
> here (for a minute, until they realize what the public channels look
> like), or trolls that need an outlet for their mental diahrea.
>
> As much as I think BitMessage is an interesting concept, you
> cannot avoid realizing that it's massively unattractive for wide adoption.

The Bitmessage UI is unbearable.  What is needed for it to be popular is a
full Zooko name system.  With a full Zooko name system, it is going to feel
much like one of the more popular apps.

A Zooko name consists of

- the Guid, the Globally unique identifier, for example the bitmessage Guid, "`BM-NB5cJuoFTkcmNEKDcBwn1RDxYDX3gGbq`", which represents
  the public elliptic point of a secret scalar known only to the sender.

- the nickname, which is global and chosen by the entity named, but
   probably not unique,  Many people can, and usually do, have the same
   nickname.  The nickname starts with a letter, and is composed of
   letters, numbers, and underscore characters, for example "John_Smith".

- The full name:  The full name is likely to be unique, but only if the entity
  named chooses it to be likely unique, for example
  {John_Smith, Dark Lord of attack resistant cryptography}.  The full
  name can be any sequence of unicode characters that does not
  contain unbalanced curly brackets, and the nickname is the first
  sequence within the full name of three or more alphabetic, numeric,
  or underscore characters starting with an alphabetic character.

- The petname, which is the local name of someone else on your
  computer. This is locally unique, and defaults to the nickname, or a
  name constructed from the nickname, unless that petname already
  exists and names a different guid.

  When your system locally constructs a default petname from a nickname,
  it may mangle it in such a way that nicknames that look similar do
  not have petnames that look similar.

When sending a message, you can reference a guid by the petname

For example, if Bob's petname for John_Smith is John_Smith71 (because he already had John_Smiths one to seventy as petnames on his computer), but Carol's petname for John_Smith is JohnSmith, and Bob sends a message to Carol containing the the text

> remember when @`JohnSmith71` said ...

 then this gets translated on sending to

> remember when @{John_Smith, Dark Lord of attack resistant cryptography} #`BM-NB5cJuoFTkcmNEKDcBwn1RDxYDX3gGbq` said ...

 and when displayed to Carol, gets represented as:

 > remember when @`JohnSmith` said ...

 because the guid is already defined on her computer as the local petname JohnSmith.

If it is not yet defined, then she sees the full set of Zooko names, as sent:

> remember when @{John_Smith, Dark Lord of attack resistant
> cryptography} `#BM-NB5cJuoFTkcmNEKDcBwn1RDxYDX3gGbq` said ...

Petnames preceded by the '@' symbol get translated to the full Zooko
nameset on being sent from the local context where the petname is
defined, and the guid gets translated back into the corresponding locally
defined petname on entering a local context where a petname is defined
for the guid of that nameset.

When receiving a message that references a known guid, the same guid
always translates to the same local name, even if the nickname and
fullname is different.

The same guid can have many nicknames and full names, and the same
nickname and full name might by used by many different entities with
many different guids.  But people should try to avoid that, by choosing full
names likely to be globally unique, and nicknames likely to be locally
unique on the systems of the people they communicate with.

If someone maliciously chooses the same full name as someone else, in
order to deceive the recipient of the message, the computer will see the
guid, and assign him a different petname.  To protect oneself against
against people pretending to be oneself, one should choose a nickname
likely to get a short and distinctive petname assigned on the recipient's
computer.

Everyone's system will record each association between a full name and a
guid that is sees, the time at which it saw that association, and the guid
asserting the association.  If it sees a later guid claiming a nickname that
corresponds to an existing petname, it treats this as strong reason to
suspect the entity who knows the secret key corresponding to the guid
making the assertion of scamming, spamming, and shilling.  If it sees two
different guids with the same full name, also strong reason for suspicion
Two guids with the same nickname, weaker reason for suspicion.

If you send a message to an entity defined by a guid, or add a guid to your
address book, or if you compose a text containing a full Zooko nameset,
perhaps because you are replying to a message that references an entity
that has no petname on your system, you will asked to whether you want to
store that full Zooko nameset under a local petname on your system.

# Moving to a global Zooko system

Zooko’s triangle is, among other things, a user interface concept for
storing, managing, and communicating, cryptographic capabilities.

Zooko’s triangle solves half the problem: provides a trusted path. If
you trust Bob, and Bob trusts Carol, you can trust that Bob’s
introduction to Carol will in fact bring you to the correct Carol.

This, of course, assumes a browser is somehow able to use Zooko style
links, rather than PKI links.

The problem then becomes having large number of trusted introduction – a
map between human phrases, and documents containing information about
globally unique identifiers that are relevant to that phrase: Something
like Wikipedia, but without centralized authority forbidding “original
research”, aka any deviation from official government truth, and
something like a search engine.

To solve the problem of making Zooko style links useful, we have to
solve the problem of providing global data that is not state dominated.

Past experience with cryptographic capabilities is that if users are
expected to consciously and intentionally use them, they screw up, that
even experts screw up, and that end users are not only reluctant to use
them correctly, but find it profoundly difficult to use them at all that
even expert users find them a pain, as for example the regular
unpleasantness of installing a certificate on a web server so that it
can do https.

Zooko’s triangle, correctly implemented, should hide from users that
they are using cryptographic identifiers, or indeed any globally unique
identifier.

Because globally unique identifiers have become almost as ugly as
cryptographic identifiers, we have already implemented interfaces that
hide globally unique identifiers, for example the bookmarks folder, the
buddy list, and the email contacts list. And since those identifiers are
already hidden, they can be cryptographic, giving the user many
benefits, and no extra grief.

We can do this with not one extra click for security, and indeed will
have to do so, for experience has proven that if we ask the user for
extra clicks for security, the user becomes frightened and confused, and
even supposedly expert users do not provide those extra clicks.

In order that references to objects can be securely transmitted across
trust boundaries, they need to be cryptographic capabilities

You don’t want people sending you spam pretending to be your webmaster,
or your email host, or your employer, or your bank. You want to share
files with certain people, but not always with the entire world, you
want to give some people, but not others, the ability to edit particular
files. When someone trusted recommends a bank, or a firm, you don’t want
some scammer connecting you to himself, instead of the bank you are
trying to connect to.

IM buddies, email contacts, and important web pages should be
cryptographic capabilities. When you click on a link, it should take you
to the web page the author you are clicking on intended. When you
receive a message that purports to be from an entity you have a
relationship with, it should be from that entity, and when you receive a
message from an entity you do not have a relationship with, it should be
obvious you do not. All messages should have in the headers “Regarding
.....”, which refers to a particular capability to contact you – which
usually is the particular capability to contact you contained in some
previous outgoing message sent by you.

Further, if we had a way of routinely and easily handling cryptographic
capabilities, lots of things that are now inconvenient and unsafe, such
as web money, could be made considerably easier and safer.

# Monetizing a system of Zooko identity

Information wants to be free, but programmers want to be paid.  The
primary reason for centralized name systems is that people can make
money off other people's internet and corporate reputations.

Names have value, when embedded in a network of names linking to
names, because reputation has value.  We can create secure pseudonymous
payment using cryptography, but cannot create secure delivery of goods
and services using cryptography.  The other side of the transaction needs
reputation.

[sovereign corporations]:social_networking.html#many-sovereign-corporations-on-the-blockchain

So the other side of the transaction needs to be authenticated by a secret
that *he* controls, not a secret controlled by registrars and certificate
authorities.  Enabling people to own their own names is an important step
towards enabling [sovereign corporations].

Most of the value in the world is not in productive machinery and land. It
is in “goodwill” – the value of names linked by names.  And governments
registrars, and so on and so forth keep skimming that value, and from time
to time recklessly destroy it.

But someone has to be paid for enabling people to own their own
reputations.

How do we make money out of enabling people and groups of people to
own their own reputations?

The easiest and most obvious way is if we issue the money that they use to
transact on these reputations.  Cryptographic transfer of funds is one half of
the problem.  The other half is wondering whether the person you are
transferring it to will hold up his end of the bargain.  Both parts need to be
integrated.

Reputations have value by being embedded in a network of reputations.
Google made a lot of money by analysing the network and making the
information readily available.  My fundamental plan is that the keys used
for identity will be rooted in the same wallet as the keys used for
cryptographic coins, and thus communication carrying metadata about
transactions rooted in that wallet,  resulting in an intimate linkage between
the crypto currency being valuable, and the information about reputation
secured by the same wallets being readily available.

And to make reputation embedded in the network of links from
reputations to reputations valuable, we are going to eventually need
network analysis systems similar to that provided by Google and others.

First mover providing such analysis will have a substantial first mover advantage, as Google has and still enjoys to this day, but the first mover advantage is likely to be less valuable, since lots of search companies
will simply add analysis of secure links, links rooted in secrets that are
controlled by the owner of the name to their analysis of links rooted in
government authority,  rooted in certificate authority secrets answerable to registrars.  On the other hand, being the source of the wallet software is
likely to be a substantial and lasting advantage in being source of the
network analysis.