forked from cheng/wallet
355 lines
18 KiB
Markdown
355 lines
18 KiB
Markdown
|
---
|
|||
|
title:
|
|||
|
Zooko’s Triangle
|
|||
|
---
|
|||
|
|
|||
|
# Zooko Identity
|
|||
|
|
|||
|
In a decentralized system with no trust anchors how do you figure out
|
|||
|
which name is the right one with any certainty. If you are texting to “Bob”,
|
|||
|
how do you know you have the right “Bob”? There are a lot of Bobs.
|
|||
|
|
|||
|
Zooko’s triangle is the solution to this problem. It is explained in several places
|
|||
|
|
|||
|
- [An Introduction to Petname Systems](http://www.skyhunter.com/marcs/petnames/IntroPetNames.html)
|
|||
|
- [Lambda for Humans: The PetName Markup Language](http://www.erights.org/elib/capability/pnml.html)
|
|||
|
|
|||
|
Each identity, whether a human, a server, or something else, has a globally
|
|||
|
unique cryptographic identifier, which is not human readable or human
|
|||
|
memorable, a title or display name, which is human readable but not
|
|||
|
necessarily easy to type correctly or reproduce exactly from memory, a
|
|||
|
nickname, which is not globally unique, is likely to be unique among the entities that you are dealing with, but not necessarily unique, even among them.
|
|||
|
|
|||
|
The petname is the name that your system calls this entity, not necessarily
|
|||
|
what any other system calls this entity, a name constructed by or your computer, typically constructed from, or identical to, the nickname.
|
|||
|
|
|||
|
The petname is locally unique, human readable, and human typeable. It is how you know this entity and reference it.
|
|||
|
|
|||
|
The computer is responsible for doing the mapping as needed, and
|
|||
|
makes sure that when you connect to Bob, you are connecting to the right Bob.
|
|||
|
|
|||
|
Typically the globally unique cryptographic identifier is a public key, and
|
|||
|
only Bob knows the correct corresponding secret key. If the thing
|
|||
|
identified is an immutable data structure, the globally unique
|
|||
|
cryptographic identifier is a hash of that data, according to the hashing
|
|||
|
rules for that data type and data structure, which type and structure you
|
|||
|
very likely do not know and will not learn until you contact the system
|
|||
|
that has the data.
|
|||
|
|
|||
|
# Zooko’s triangle today
|
|||
|
|
|||
|
We now have a lot of systems that to a greater or lesser extent implement
|
|||
|
Zooko’s triangle, and while they are frequently incomplete and
|
|||
|
unsatisfactory implementations, they all do a sufficient job of making sure
|
|||
|
you are talking to the right Bob.
|
|||
|
|
|||
|
The way it works as (more or less) implemented today (frequently less) is
|
|||
|
as follows:
|
|||
|
|
|||
|
In private messaging, there are separate message threads for each public
|
|||
|
key, just as when you text on a phone to and from a particular person,
|
|||
|
there are separate threads for each phone number, unless you have
|
|||
|
manually associated two different phone numbers with the same identifier,
|
|||
|
and where the name appears in text in public or private messages your
|
|||
|
local computer should associate a unique local petname with each public key.
|
|||
|
And mostly they do, though existing software is frequently half assed
|
|||
|
about this.
|
|||
|
|
|||
|
The petname is generated by mangling the nickname (and possibly part of
|
|||
|
the display name) down to a valid locally unique identifier, unique on your
|
|||
|
computer and following your computer’s local rules for valid identifiers,
|
|||
|
which rules might well depend on the language locale in which the
|
|||
|
computer is running.
|
|||
|
|
|||
|
Existing software fouls up on the local petname issue in a variety of ways,
|
|||
|
but does a sufficient job to ensure that one person cannot impersonate
|
|||
|
another person
|
|||
|
|
|||
|
The petnames appear in the text, and in the equivalent of reply-to and cc
|
|||
|
fields, as @petname, but if “petname” is a local petname corresponding to
|
|||
|
a public key that corresponds to the other party’s private key, it is colored
|
|||
|
differently to the text and/or looks like a link in html. If you hover over the
|
|||
|
link, you see the other party’s display name and nickname, and if you click
|
|||
|
on that link, you go to data about that person.
|
|||
|
|
|||
|
What actually gets sent, computer to computer, when Ann mentions Bob
|
|||
|
in a message to Carol, is not the the local petname that that Ann typed into
|
|||
|
her text, but the globally unique identifier, which should be, and usually is,
|
|||
|
the public key or information uniquely identifying the public key, and
|
|||
|
possibly the nickname, the display name, and information on
|
|||
|
how to direct a message to that party.
|
|||
|
|
|||
|
The display name is long, humanly meaningful, and usually
|
|||
|
probabilistically unique to humans, but inconvenient for typing in full in
|
|||
|
text, unlikely to be typed correctly, likely to be incorrectly formatted for
|
|||
|
reply-to and cc fields, and often likely to disrupt the flow of text were it to
|
|||
|
be directly typed as part of a paragraph.
|
|||
|
|
|||
|
The nickname is a potential petname, or can be mangled into a locally
|
|||
|
valid petname without too much mangling.
|
|||
|
|
|||
|
Display names and nicknames are unique on any one forum If one public
|
|||
|
key, one nickname and display name on any one forum. Different people
|
|||
|
can have the same nickname and display name on different forums on
|
|||
|
different forums. But if they do, if there is one Bob on one forum and a
|
|||
|
different Bob on another forum, they are going to nonetheless have
|
|||
|
different local petnames on your computer, and if one Bob sends you a
|
|||
|
private message, it will appear in a different message thread to that other
|
|||
|
Bob’s message thread.
|
|||
|
|
|||
|
What appears in the address fields, and in references to particular people
|
|||
|
in the middle of a paragraph, is always locally unique, one distinct local
|
|||
|
petname for each globally unique public key.
|
|||
|
|
|||
|
In practice, you don’t rely on petnames to distinguish people, though they
|
|||
|
are quite adequate for distinguishing people, but on the fact that the
|
|||
|
threading software associates messages coming from the same public key,
|
|||
|
just as when you see text messages coming from the same phone number
|
|||
|
on your phone, you see them displayed with previous text messages and
|
|||
|
replies to that phone number, and pay little attention to the phone number.
|
|||
|
|
|||
|
In most contexts, you don’t actually need to look at, or even remember, the
|
|||
|
phone number, and you don’t actually need to look at, or even remember,
|
|||
|
the petname. You click on the “reply to” button, and the software fills in
|
|||
|
the appropriate local petnames, which become the appropriate global
|
|||
|
identifiers when the message is sent, and when the parties receive the
|
|||
|
message, it gets threaded according to global identifiers, and they see their
|
|||
|
local petnames for people. Same as with phone numbers on your text
|
|||
|
messaging application on your phone. No one needs to see phone numbers
|
|||
|
these days, and even less do people need to see public keys, and seldom
|
|||
|
need to pay attention to local petnames.
|
|||
|
|
|||
|
# The full and correct implementation of Zooko UI
|
|||
|
|
|||
|
All existing systems are half incomplete and unsatisfactory:
|
|||
|
|
|||
|
> Bitmessage will never be popular, period. The common pleb
|
|||
|
> doesn't give a shit about privacy or anonymity or security, and just
|
|||
|
> happily uses Fecesbook. The slightly advanced computer user
|
|||
|
> uses the "more secure" instant messengers, that offer a proper GUI and
|
|||
|
> easy usage. The only people using bitmessage are literally some
|
|||
|
> groups of nerds, the unfortunate few, who have coriously stumbled
|
|||
|
> here (for a minute, until they realize what the public channels look
|
|||
|
> like), or trolls that need an outlet for their mental diahrea.
|
|||
|
>
|
|||
|
> As much as I think BitMessage is an interesting concept, you
|
|||
|
> cannot avoid realizing that it's massively unattractive for wide adoption.
|
|||
|
|
|||
|
The Bitmessage UI is unbearable. What is needed for it to be popular is a
|
|||
|
full Zooko name system. With a full Zooko name system, it is going to feel
|
|||
|
much like one of the more popular apps.
|
|||
|
|
|||
|
A Zooko name consists of
|
|||
|
|
|||
|
- the Guid, the Globally unique identifier, for example the bitmessage Guid, "`BM-NB5cJuoFTkcmNEKDcBwn1RDxYDX3gGbq`", which represents
|
|||
|
the public elliptic point of a secret scalar known only to the sender.
|
|||
|
|
|||
|
- the nickname, which is global and chosen by the entity named, but
|
|||
|
probably not unique, Many people can, and usually do, have the same
|
|||
|
nickname. The nickname starts with a letter, and is composed of
|
|||
|
letters, numbers, and underscore characters, for example "John_Smith".
|
|||
|
|
|||
|
- The full name: The full name is likely to be unique, but only if the entity
|
|||
|
named chooses it to be likely unique, for example
|
|||
|
{John_Smith, Dark Lord of attack resistant cryptography}. The full
|
|||
|
name can be any sequence of unicode characters that does not
|
|||
|
contain unbalanced curly brackets, and the nickname is the first
|
|||
|
sequence within the full name of three or more alphabetic, numeric,
|
|||
|
or underscore characters starting with an alphabetic character.
|
|||
|
|
|||
|
- The petname, which is the local name of someone else on your
|
|||
|
computer. This is locally unique, and defaults to the nickname, or a
|
|||
|
name constructed from the nickname, unless that petname already
|
|||
|
exists and names a different guid.
|
|||
|
|
|||
|
When your system locally constructs a default petname from a nickname,
|
|||
|
it may mangle it in such a way that nicknames that look similar do
|
|||
|
not have petnames that look similar.
|
|||
|
|
|||
|
When sending a message, you can reference a guid by the petname
|
|||
|
|
|||
|
For example, if Bob's petname for John_Smith is John_Smith71 (because he already had John_Smiths one to seventy as petnames on his computer), but Carol's petname for John_Smith is JohnSmith, and Bob sends a message to Carol containing the the text
|
|||
|
|
|||
|
> remember when @John_Smith71 said ...
|
|||
|
|
|||
|
then this gets translated on sending to
|
|||
|
|
|||
|
> remember when @{John_Smith, Dark Lord of attack resistant cryptography} #`BM-NB5cJuoFTkcmNEKDcBwn1RDxYDX3gGbq` said ...
|
|||
|
|
|||
|
and when displayed to Carol, gets represented as:
|
|||
|
|
|||
|
> remember when @`JohnSmith` said ...
|
|||
|
|
|||
|
because the guid is already defined on her computer as the local petname JohnSmith.
|
|||
|
|
|||
|
If it is not yet defined, then she sees the full set of Zooko names, as sent:
|
|||
|
|
|||
|
> remember when @{John_Smith, Dark Lord of attack resistant
|
|||
|
> cryptography} `#BM-NB5cJuoFTkcmNEKDcBwn1RDxYDX3gGbq` said ...
|
|||
|
|
|||
|
Petnames preceded by the '@' symbol get translated to the full Zooko
|
|||
|
nameset on being sent from the local context where the petname is
|
|||
|
defined, and the guid gets translated back into the corresponding locally
|
|||
|
defined petname on entering a local context where a petname is defined
|
|||
|
for the guid of that nameset.
|
|||
|
|
|||
|
When receiving a message that references a known guid, the same guid
|
|||
|
always translates to the same local name, even if the nickname and
|
|||
|
fullname is different.
|
|||
|
|
|||
|
The same guid can have many nicknames and full names, and the same
|
|||
|
nickname and full name might by used by many different entities with
|
|||
|
many different guids. But people should try to avoid that, by choosing full
|
|||
|
names likely to be globally unique, and nicknames likely to be locally
|
|||
|
unique on the systems of the people they communicate with.
|
|||
|
|
|||
|
If someone maliciously chooses the same full name as someone else, in
|
|||
|
order to deceive the recipient of the message, the computer will see the
|
|||
|
guid, and assign him a different petname. To protect oneself against
|
|||
|
against people pretending to be oneself, one should choose a nickname
|
|||
|
likely to get a short and distinctive petname assigned on the recipient's
|
|||
|
computer.
|
|||
|
|
|||
|
Everyone's system will record each association between a full name and a
|
|||
|
guid that is sees, the time at which it saw that association, and the guid
|
|||
|
asserting the association. If it sees a later guid claiming a nickname that
|
|||
|
corresponds to an existing petname, it treats this as strong reason to
|
|||
|
suspect the entity who knows the secret key corresponding to the guid
|
|||
|
making the assertion of scamming, spamming, and shilling. If it sees two
|
|||
|
different guids with the same full name, also strong reason for suspicion
|
|||
|
Two guids with the same nickname, weaker reason for suspicion.
|
|||
|
|
|||
|
If you send a message to an entity defined by a guid, or add a guid to your
|
|||
|
address book, or if you compose a text containing a full Zooko nameset,
|
|||
|
perhaps because you are replying to a message that references an entity
|
|||
|
that has no petname on your system, you will asked to whether you want to
|
|||
|
store that full Zooko nameset under a local petname on your system.
|
|||
|
|
|||
|
# Moving to a global Zooko system
|
|||
|
|
|||
|
Zooko’s triangle is, among other things, a user interface concept for
|
|||
|
storing, managing, and communicating, cryptographic capabilities.
|
|||
|
|
|||
|
Zooko’s triangle solves half the problem: provides a trusted path. If
|
|||
|
you trust Bob, and Bob trusts Carol, you can trust that Bob’s
|
|||
|
introduction to Carol will in fact bring you to the correct Carol.
|
|||
|
|
|||
|
This, of course, assumes a browser is somehow able to use Zooko style
|
|||
|
links, rather than PKI links.
|
|||
|
|
|||
|
The problem then becomes having large number of trusted introduction – a
|
|||
|
map between human phrases, and documents containing information about
|
|||
|
globally unique identifiers that are relevant to that phrase: Something
|
|||
|
like Wikipedia, but without centralized authority forbidding “original
|
|||
|
research”, aka any deviation from official government truth, and
|
|||
|
something like a search engine.
|
|||
|
|
|||
|
To solve the problem of making Zooko style links useful, we have to
|
|||
|
solve the problem of providing global data that is not state dominated.
|
|||
|
|
|||
|
Past experience with cryptographic capabilities is that if users are
|
|||
|
expected to consciously and intentionally use them, they screw up, that
|
|||
|
even experts screw up, and that end users are not only reluctant to use
|
|||
|
them correctly, but find it profoundly difficult to use them at all that
|
|||
|
even expert users find them a pain, as for example the regular
|
|||
|
unpleasantness of installing a certificate on a web server so that it
|
|||
|
can do https.
|
|||
|
|
|||
|
Zooko’s triangle, correctly implemented, should hide from users that
|
|||
|
they are using cryptographic identifiers, or indeed any globally unique
|
|||
|
identifier.
|
|||
|
|
|||
|
Because globally unique identifiers have become almost as ugly as
|
|||
|
cryptographic identifiers, we have already implemented interfaces that
|
|||
|
hide globally unique identifiers, for example the bookmarks folder, the
|
|||
|
buddy list, and the email contacts list. And since those identifiers are
|
|||
|
already hidden, they can be cryptographic, giving the user many
|
|||
|
benefits, and no extra grief.
|
|||
|
|
|||
|
We can do this with not one extra click for security, and indeed will
|
|||
|
have to do so, for experience has proven that if we ask the user for
|
|||
|
extra clicks for security, the user becomes frightened and confused, and
|
|||
|
even supposedly expert users do not provide those extra clicks.
|
|||
|
|
|||
|
In order that references to objects can be securely transmitted across
|
|||
|
trust boundaries, they need to be cryptographic capabilities
|
|||
|
|
|||
|
You don’t want people sending you spam pretending to be your webmaster,
|
|||
|
or your email host, or your employer, or your bank. You want to share
|
|||
|
files with certain people, but not always with the entire world, you
|
|||
|
want to give some people, but not others, the ability to edit particular
|
|||
|
files. When someone trusted recommends a bank, or a firm, you don’t want
|
|||
|
some scammer connecting you to himself, instead of the bank you are
|
|||
|
trying to connect to.
|
|||
|
|
|||
|
IM buddies, email contacts, and important web pages should be
|
|||
|
cryptographic capabilities. When you click on a link, it should take you
|
|||
|
to the web page the author you are clicking on intended. When you
|
|||
|
receive a message that purports to be from an entity you have a
|
|||
|
relationship with, it should be from that entity, and when you receive a
|
|||
|
message from an entity you do not have a relationship with, it should be
|
|||
|
obvious you do not. All messages should have in the headers “Regarding
|
|||
|
.....”, which refers to a particular capability to contact you – which
|
|||
|
usually is the particular capability to contact you contained in some
|
|||
|
previous outgoing message sent by you.
|
|||
|
|
|||
|
Further, if we had a way of routinely and easily handling cryptographic
|
|||
|
capabilities, lots of things that are now inconvenient and unsafe, such
|
|||
|
as web money, could be made considerably easier and safer.
|
|||
|
|
|||
|
# Monetizing a system of Zooko identity
|
|||
|
|
|||
|
Information wants to be free, but programmers want to be paid. The
|
|||
|
primary reason for centralized name systems is that people can make
|
|||
|
money off other people's internet and corporate reputations.
|
|||
|
|
|||
|
Names have value, when embedded in a network of names linking to
|
|||
|
names, because reputation has value. We can create secure pseudonymous
|
|||
|
payment using cryptography, but cannot create secure delivery of goods
|
|||
|
and services using cryptography. The other side of the transaction needs
|
|||
|
reputation.
|
|||
|
|
|||
|
[sovereign corporations]:social_networking.html#many-sovereign-corporations-on-the-blockchain
|
|||
|
|
|||
|
So the other side of the transaction needs to be authenticated by a secret
|
|||
|
that *he* controls, not a secret controlled by registrars and certificate
|
|||
|
authorities. Enabling people to own their own names is an important step
|
|||
|
towards enabling [sovereign corporations].
|
|||
|
|
|||
|
Most of the value in the world is not in productive machinery and land. It
|
|||
|
is in “goodwill” – the value of names linked by names. And governments
|
|||
|
registrars, and so on and so forth keep skimming that value, and from time
|
|||
|
to time recklessly destroy it.
|
|||
|
|
|||
|
But someone has to be paid for enabling people to own their own
|
|||
|
reputations.
|
|||
|
|
|||
|
How do we make money out of enabling people and groups of people to
|
|||
|
own their own reputations?
|
|||
|
|
|||
|
The easiest and most obvious way is if we issue the money that they use to
|
|||
|
transact on these reputations. Cryptographic transfer of funds is one half of
|
|||
|
the problem. The other half is wondering whether the person you are
|
|||
|
transferring it to will hold up his end of the bargain. Both parts need to be
|
|||
|
integrated.
|
|||
|
|
|||
|
Reputations have value by being embedded in a network of reputations.
|
|||
|
Google made a lot of money by analysing the network and making the
|
|||
|
information readily available. My fundamental plan is that the keys used
|
|||
|
for identity will be rooted in the same wallet as the keys used for
|
|||
|
cryptographic coins, and thus communication carrying metadata about
|
|||
|
transactions rooted in that wallet, resulting in an intimate linkage between
|
|||
|
the crypto currency being valuable, and the information about reputation
|
|||
|
secured by the same wallets being readily available.
|
|||
|
|
|||
|
And to make reputation embedded in the network of links from
|
|||
|
reputations to reputations valuable, we are going to eventually need
|
|||
|
network analysis systems similar to that provided by Google and others.
|
|||
|
|
|||
|
First mover providing such analysis will have a substantial first mover advantage, as Google has and still enjoys to this day, but the first mover advantage is likely to be less valuable, since lots of search companies
|
|||
|
will simply add analysis of secure links, links rooted in secrets that are
|
|||
|
controlled by the owner of the name to their analysis of links rooted in
|
|||
|
government authority, rooted in certificate authority secrets answerable to registrars. On the other hand, being the source of the wallet software is
|
|||
|
likely to be a substantial and lasting advantage in being source of the
|
|||
|
network analysis.
|