| ▲ | woodruffw 8 months ago |
| There are some niceties here, but I think this is a little thin on the security aspects of the scheme: it's not clear how users establish the authenticity of transitively received petnames, for example. More fundamentally, there's a factor outside of Zooko's triangle: trust isn't really transitive[1]. I trust my doctor and my doctor trusts their sibling, but I don't necessarily trust their sibling. With that being said, I think there's a pretty rich research space here, and I think the edge/local aspects of this design are pretty interesting! I just hope we don't end up with a reinvention of historically insufficient web-of-trust architectures :-) [1]: https://uhra.herts.ac.uk/bitstream/handle/2299/4349/904849.p... |
|
| ▲ | davexunit 8 months ago | parent | next [-] |
| There's an associated paper that goes through implementing a petname system in a simple chat application. Petnames compose well with object capability security. https://files.spritely.institute/papers/implementation-of-pe... |
| |
| ▲ | woodruffw 8 months ago | parent [-] | | That's great, but I don't think it addresses the basic point: sharing edge names requires a way to share those names, and that's a trusted third party (one with a degree of centralization, to boot). There are ways to (dis)intermediate that trust (like a PKI), but the shape of that PKI or other technique is itself a question of decentralization, security, etc. I think that's a very hard underlying problem that the petname design needs to at least offer some opinions on in order to make claims about security. | | |
| ▲ | paroneayea 8 months ago | parent [-] | | Jessica Tallon's implementation of petnames and edge names was extremely simple within the paper davexunit linked, but used in-band mechanisms to communicate edge names that didn't require any sort of large trusted authority. You could retrieve them directly from fellow peers, who could publish their current set of edge names. This even works in a p2p context over ocapn, etc. The implementation was naive but it did work and used a publish-subscribe mechanism directly from other peers. That said, edge names are only one way to share contacts. In fact "share contact" on peoples' phones is a great way to have contextual sharing: "Oh, let me introduce you to my friend Dave. Here's Dave's contact info!" At any rate, petnames aren't a particular technology, they're a design space of "Secure UI/UX". However I do agree more research needs to be done in that space; we've only barely begun to scratch the surface. |
|
|
|
| ▲ | tobr 8 months ago | parent | prev | next [-] |
| > I trust my doctor and my doctor trusts their sibling, but I don't necessarily trust their sibling. Isn’t that because that’s a different type of trust? For example, you trust your doctor to give you decent medical advice, and they trust their sibling for emotional support. That doesn’t mean their sibling will be supportive of you, or give you good medical advice. |
| |
| ▲ | dwallin 8 months ago | parent [-] | | Yeah, this is one of the big issues with digital peer trust networks. Trust in human interactions is fuzzy and very conditional, which is hard to collect, represent, and update in a user friendly and low effort way. Hence we tend to collapse it to a single, often-binary, trust score. | | |
| ▲ | bandie91 8 months ago | parent [-] | | is not this WoT just about "i fully trust Dr A's public key is P1 because he gave it to me personally. i trust Dr A's sibling's public key is P2 because i've found it somewhere and it's cryptographically signed with P1. so i'm highly confident that this cryptographically signed message is from Dr A's sibling as long as neither P1 or P2 compromised or misused in the meanwhile." ? |
|
|
|
| ▲ | thomastjeffery 8 months ago | parent | prev | next [-] |
| > I trust my doctor and my doctor trusts their sibling, but I don't necessarily trust their sibling. Sure, but let's get back to the use case we are exploring here: Do you trust your doctor's contact info for their sibling? Could it provide you utility? What about your doctor's contact info for the front desk of their practice? What's important here is that the subject of trust is explicit to whoever attests that trust. If your doctor intentionally publishes a list of known contacts, then it can be reasonably presumed that they know those contacts. This, along with the ability to attest falsehood, should be enough to replace traditional authority and moderation. I get into this more in my comment here: https://news.ycombinator.com/item?id=42238201 |
| |
| ▲ | woodruffw 8 months ago | parent [-] | | > Sure, but let's get back to the use case we are exploring here: Do you trust your doctor's contact info for their sibling? Could it provide you utility? What about your doctor's contact info for the front desk of their practice? Not inherently: for all I know, my doctor is technically illiterate and their contact book is thoroughly padded with spam. The problem of trust is that trust isn't a boolean; it's a set of policies that vary by principal and action. It's very hard to encode that in a truly general way, which is why modern cryptographic application design orthodoxy dictates that applications should try to solve exactly one kind of trust at a time. | | |
| ▲ | thomastjeffery 8 months ago | parent [-] | | > Not inherently: for all I know, my doctor is technically illiterate and their contact book is thoroughly padded with spam. Sure, but that leads us to the next question: Could it provide you utility? > The problem of trust is that trust isn't a boolean That's also the utility of trust. Most of the information we want to reason about is not context-free. So far, no one has figured out a reliable way to offload context-sensitive work to computation. The next best thing is to offload as much context-free work as possible, and provide the user a direct interface to the remaining context-sensitive work. By organizing our social networks as attestations of [dis]trust, we can deliver the uncomputable question of trustworthiness closer to the user. By delivering that question to many users, we can collaborate efficiently on that work. | | |
| ▲ | woodruffw 8 months ago | parent [-] | | It could provide me utility, and it could get me scammed. That’s the double bind. (I don’t think delivering the question of trust closer to the user has worked all that well, historically. Why do we expect inexperienced users - who should not have to understand anything technical! - to do better rather than worse when they’re given large numbers of datapoints about a principal’s trustworthiness? The default hypothesis should be that the average user is more susceptible to information fatigue than a technically savvy one.) | | |
| ▲ | thomastjeffery 8 months ago | parent [-] | | I would argue that the technological aspect isn't the most significant. Average people put too much faith into authoritative sources, even in person. People know what it means to trust and distrust each other without authority. That's the way everyone interacts with everyone else on a regular basis. It's not a new dynamic: it's the most familiar one. All we need to do is communicate the lack of authority, and the rest will be obvious. |
|
|
|
|
|
| ▲ | catlifeonmars 8 months ago | parent | prev [-] |
| > trust isn’t really transitive Not sure I agree with this. Sure, trust might drop off pretty quickly (like an inverse square law), but I would still trust a friend of a friend over a complete stranger. |
| |
| ▲ | woodruffw 8 months ago | parent | next [-] | | I would also trust a mutual friend over a complete stranger. But that's not the point of the observation: the observation is that "trust" isn't a boolean, but an umbrella term for a wide range of policies that we apply to different principals. Or in other words: transitive trust is a thing, but it's of a different color than "trust." Attempts to gloss over this in web-of-trust designs have historically not gone well. | | |
| ▲ | smatija 8 months ago | parent | next [-] | | So you can trust friend of a friend only after awaiting him (with apologies to https://journal.stuffwithstuff.com/2015/02/01/what-color-is-...)? | |
| ▲ | catlifeonmars 8 months ago | parent | prev [-] | | 100% agree about the difference in meaning between the two uses of “trust”. To be frank I responded after only skimming over your comment, and should have read a bit more closely. FWIW, I think there’s a way to unify those two realms: if you model boolean trust in terms of a random variable and sum over the transitive web à la binomial distribution. |
| |
| ▲ | gregmac 8 months ago | parent | prev [-] | | I'd argue "friend of a friend" is strong transitivly because it's explicitly chosen by all parties involved. Trust in a professional relation - a doctor, especially - is actually very strong, because of the professional requirements to be trustworthy, and the protections built into that (being held accountable by an organization and/or lawsuits). "Family of friend" or "family of professional" isn't necessarily a strong relation for exactly the opposite reason, unless maybe the first-degree contract is vouching for the person. | | |
| ▲ | catlifeonmars 8 months ago | parent [-] | | There’s also a compounding effect. If multiple friends vouch for the same stranger that means something too. |
|
|
