Yeah, identity is a very crucial and difficult topic, which I did ignore in that post. Reason being: in my experience, as soon as you start talking about identity, it takes up everything. So I have made a couple of assumptions about authentication and identity; this is what we could build on top of that.
The GPL was a massive legal jujitsu that changed software forever. We need the equivalent with a business model.
The biggest challenge isn't the technical plumbing, it's changing how companies operate and changing customers' behavior.
What is the business model? Why would the next unicorn give up this advantage?
Businesses want data lock-in. They try to create "data moats" to protect their castles.
No product will win on security and privacy features alone. They are critical for a small segment of adoption, but sadly haven't been a factor for mass adoption.
I think people should back down slightly from full "no gods no masters" decentralisation, where everyone runs their own castle, and look to user-run mutual ownership structures.
This is going to involve money changing hands. Users are going to have to pay enough that the people running the system get comfortable professional salaries - not unicorn money and not in SV, but it has to be competitive. Relying for the long term on altruism will only take you so far.
In return, the users should get a genuine say in the policies of the system. This involves building not just a system but a community.
Perhaps the closest to this model that's currently successful is Mastodon.
You can find them in community startups that use decentralized technologies and semantic content to empower individuals to cooperate directly, and to create initiatives between parties without central authorities in control.
The technologies just need to mature further and gain more traction... and applications need to be created outside of the academic sphere (especially true for semantic web apps).
I'd like to see true decentralized application frameworks that are semantic and truly decentralized.
I submit that we currently have a massively popular decentralized, federated, open standard messaging system. It goes by SMTP, and it's a cluster in many ways.
Yeah, agree. But this is a low-level protocol.
Many mail (email) applications, but event-based application messaging frameworks? I could find some that come close...
- You only store the data you are subscribed to, which, if it is your data, is automatically stored in localStorage and, if you run an Electron/React-Native app, is also backed up on your hard drive; optionally you can have it back up to any server you run. This is particularly true with the P2P identity system: https://hackernoon.com/so-you-want-to-build-a-p2p-twitter-wi...
- This data can only be decrypted by the app if the user happens to use that app. The app doesn't have any special server, it is just some front-end logic, for instance, see this 4min interactive tutorial: https://scrimba.com/c/c2gBgt4
I'm honored!!! Thanks. Yes, the architecture is P2P/decentralized (see this talk https://youtu.be/5fCPRY-9hkc ), however:
- NAT Traversal sucks and WebRTC is still very glitchy. To get around this, it is easier/better to just run gun on your machine directly (not via a browser) and connect directly to other gun peers with their IP addresses. Then browsers can connect via websocket fallback, but as WebRTC gets better that will work too.
- Peer discovery is not built in by default, but should be trivial to do by starting with some bootstrapping peers; as other peers connect to them, everybody saves the new IP addresses to a common `gun.get('peers').set(IP)` table. So yes, it is easily possible, just not built in (I'm sure in the future we'll have a full-fledged extension for it).
- re:"gossip" GUN automatically daisy chains updates through peers of peers, in an ad-hoc mesh-network manner.
Would love to chat more! What is your email? Mine is mark [atatatat] gunDB [dotdotdot] io !
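The bootstrap-peer discovery described in the comment above, modelled as an added example that is not GUN's code and does not use the gun library: each peer keeps a replicated grow-only "peers" table, connecting to a bootstrap peer merges the two tables, and the bootstrap peer forwards the newcomer's table one hop to its other links (the daisy-chaining the comment mentions). The address format, the size cap and all addresses are constructed assumptions; validating entries before accepting them is the check a defender would want, since any peer can write to a shared table.

```javascript
// Added example (not from the thread or the GUN project): bootstrap-based
// peer discovery modelled without the gun library.
const IPV4 = /^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d):(\d{1,5})$/;

// Reject anything that is not "a.b.c.d:port" with a sane port, so a
// malicious or buggy peer cannot poison the shared table with garbage.
function isValidAddress(addr) {
  const m = IPV4.exec(String(addr));
  if (!m) return false;
  const port = Number(m[1]);
  return port >= 1 && port <= 65535;
}

class Peer {
  constructor(address, maxPeers = 1000) {   // maxPeers: constructed memory bound
    if (!isValidAddress(address)) throw new Error(`bad address: ${address}`);
    this.address = address;
    this.maxPeers = maxPeers;
    this.known = new Set([address]);        // the replicated "peers" table
    this.links = new Set();                 // live connections to other Peers
  }

  // Merge a remote table into ours (grow-only set); returns entries added.
  merge(addresses) {
    let added = 0;
    for (const a of addresses) {
      if (this.known.size >= this.maxPeers) break;
      if (isValidAddress(a) && !this.known.has(a)) { this.known.add(a); added++; }
    }
    return added;
  }

  // Join via a bootstrap peer: both sides learn each other's table, and the
  // bootstrap peer passes the newcomer's table on to its other links.
  connect(other) {
    this.links.add(other); other.links.add(this);
    this.merge(other.known);
    other.merge(this.known);
    for (const n of other.links) if (n !== this) n.merge(this.known);
  }
}

// Three constructed peers: two newcomers join through one bootstrap node,
// and the second newcomer also tries to inject two invalid entries.
function simulateBootstrap() {
  const boot = new Peer("10.0.0.1:8765");
  const a = new Peer("10.0.0.2:8765");
  const b = new Peer("10.0.0.3:8765");
  a.connect(boot);
  b.connect(boot);
  b.merge(["not-an-ip", "10.0.0.4:99999"]);  // both rejected by validation
  return { boot, a, b };
}
```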
What if all the super-advanced technology for consumer behavior tracking could be somehow judo-flipped into a new form of anonymous resource ownership? So instead of legitimate websites being forced to ask a tech giant for an identity token just to establish a session, while shady advertisers silently assemble vast shadow profiles of consumers' behavior using browser fingerprinting, legitimate companies could use browser fingerprinting to automatically create a persistent session, which the user can then voluntarily link to an identity, or leave anonymous if they so choose?
A person could potentially have a number of identities that are anonymous or pseudonymous, that are automatically created and detected whenever they use the internet. They could maybe view a dashboard of their identities on a secure device, link them by function and scope, expose personally identifiable information through them at will, and create policies to automate all this.
E.g. if I visit a site like HN more than twice, it could just create an anonymous account for me automatically through fingerprinting and log me in automatically. Then, if I want to link this account to other services or other devices, I could do that through some general purpose API on a secure device. This could potentially lead to a general purpose "consumer identity" system where a person's offline behaviors are brought in as well.
My point is there's no reason why the most advanced forms of tracking and identity management can't be brought under users' full control for our own benefit. Fingerprinting is treated like the internet's dirty secret, but it's a technology that could be used in different ways. I would prefer this to any of biometric authentication schemes that have been peddled as "passwordless."
> Fingerprinting is treated like the internet's dirty secret, but it's a technology that could be used in different ways. I would prefer this to any of biometric authentication schemes that have been peddled as "passwordless."
Fingerprints (and other biometric data) are the analogue of a (public) username and not the analogue of passwords.
So if you replace entering your username by a fingerprint, retinal scan, ... this is perfectly fine from a security perspective (though IMHO a really bad idea from a privacy perspective). On the other hand, using biometric data as a replacement for passwords is, from a security perspective, an anti-pattern.
Why assume it is against publishers' interests for people to control how they expose their own identity? Advertisers, sure, but publishers? I see privacy as being more orthogonal to their interests than directly against them.
Nevertheless, you're probably right about the business model. I was piggybacking on the idealism of the article we're commenting on. It's fun to just discuss possible futures without worrying about viability once in a while.
> This reply seems to have missed the point of its parent and just picked up on the word fingerprint in a different context.
I am aware that "fingerprint" has different meanings, but the grandparent explicitly talked of biometric authentication (e.g. physical fingerprints) in his last sentence:
> I would prefer this to any of biometric authentication schemes that have been peddled as "passwordless."
tboyd47 is talking about browser/device fingerprinting, not physical fingerprints. Such fingerprints are usually attached to the device rather than the specific account, but if we assume that a user needs a secure password/login to access the device, it might be a workable proxy.
I've built a new version of HTTP that lets you build apps from multiple websites, linking their internal state together as easily as we link pages together today.
I think this solves much of the difficulty in building the decentralized web vision described in this article. I'd love to get critique and feedback.
A few suggestions (from a backend developer, so not exactly your target audience):
- Show the source (repository) of a real webapp built with Statebus. Citing Linus, "Talk is cheap. Show me the code." Make sure it includes examples of all the advantages cited, like "accessing another site's state".
- Compare your solution with similar alternatives (e.g. my first thought was Meteor).
- Add a public way of asking questions, like a forum or a subreddit. I'm more inclined to ask questions if the responses are public, and it might help you build a body of knowledge to spur the interest of visitors (and even improve your SEO).
Standards committees spent ages retrofitting measures to prevent this, since it's so easily abused to steal data and logins by wrapping one site in another in various ways.
As I say in the blog post, decentralization and replication go hand in hand :-) It's my own Web server, so decentralized. Cloudflare just replicates/caches it for faster access around the globe.
Here are some excellent links about the subjects:
http://www.moxytongue.com/2016/02/self-sovereign-identity.ht...
http://www.lifewithalacrity.com/2016/04/the-path-to-self-sov...
https://en.wikipedia.org/wiki/Digital_identity
https://blog.cryptographyengineering.com/2017/07/02/beyond-p...
https://pages.nist.gov/800-63-3/
https://www.forgerock.com/