Whitepaper
A purely peer-to-peer version of electronic identity and reputation would allow users to issue their own cryptographic identities, have more control over the data linked to these identities, including who this data is shared with, where, and when, and filter for relevancy on the receiving end. Digital signatures provide part of the solution, but the main benefits are lost if a third party is still required to issue the identities. We propose a solution to the self-issuance problem using a peer-to-peer network. The network exchanges data among trusted nodes, and each node verifies messages against its local web of trust. The local database serves not only as proof of the sequence of events witnessed by the user, but as proof that they were witnessed by one or more trusted parties. As long as the majority of nodes within a web of trust are honest nodes that are not cooperating to attack the user, they will generate the most warning signals and outpace attackers. The network itself requires minimal structure. Private messages and data are shared with trusted parties only after their creator has given consent, and only after being encrypted specifically for the intended receiver. Public messages are broadcast on a best-effort basis, and nodes can leave and rejoin the network at will, accepting messages from trusted nodes as proof of what happened while they were gone.
Traffic on the Internet has come to rely almost exclusively on identity and reputation systems serving as trusted third parties to curate and filter relevant information for their users. While the system works well enough for most interactions, it still suffers from the inherent weaknesses of the trust-based model. Processing no personally identifiable information at all is not really possible, since some metadata is always required. The cost of mediation increases the amount of personally identifiable information that is shared and processed, resulting in costs and risks to both the user and the processor or controller, and there is a broader cost in the loss of the ability to filter for relevancy at the receiving end. With the possibility of identity fraud, the need for trust spreads. Service providers need to be wary of their users, hassling them for more information than they would otherwise need. A certain percentage of fraud is accepted as unavoidable. These costs and verification uncertainties can, for the most part, be avoided in person through traditional methods, but no mechanism exists to self-issue verifiable identities and securely share data linked to these identities over private communications channels with trusted parties.
What is needed is an electronic identity & reputation system based on cryptographic proof instead of trust, allowing any two willing parties to interact directly with each other without the need for a trusted third party. Messages that are computationally impractical to reverse would protect service providers, and routine multi-sig mechanisms could easily be implemented to protect users. In this paper, we propose a solution to the self-issuance problem using a peer-to-peer distributed identity, reputation, and access management server to generate computational proof, verify the authenticity of messages, and establish secure communications channels between nodes for the exchange of private data. The system is secure as long as honest nodes collectively propagate more messages than any trusted cooperating group of attacker nodes.
We define an electronic identity as one or more signed attributes. An attribute consists of a key-value pair, and can be grouped with one or more other attributes to form an identity. Identities can be linked to form a group. Trusted nodes can verify the signatures to establish the authenticity of received messages.
The problem, of course, is that the user can't verify that an identity is who it claims to be. A common solution is to introduce a trusted central authority, or public key infrastructure (PKI), that issues and verifies all identities and validates all of their interactions. The problem with this solution is that the fate of the entire information system depends on the organizations issuing, validating, and revoking the identities, with most interactions having to go through them, just like with a passport or driver's license.
We need a way for the user to know that an identity is who it says it is, while processing the least amount of personally identifiable information possible. For our purposes, all signed messages from trusted sources count, and we don't care about messages from untrusted sources. The only way to confirm the authenticity of an identity is by verifying it against another signed message from a trusted source, without having to be aware of all of that source's messages about this identity. To accomplish this, messages may remain private, be announced to selected parties, or be announced publicly, and we need a system for participants to rate the messages they store. The user needs proof that a relevant message was signed by an identity they trust.
The solution we propose begins with electronic reputation, which we define as a comment, digitally signed onto an attribute, together with an evaluation in the form of a score on a rating scale. Together, we call them a “rating”. Each identity can sign one or more ratings on to any attribute.
To implement distributed identity & reputation on a peer-to-peer basis, we will need to use a web of trust system similar to Phil Zimmermann and Hal Finney’s PGP web of trust, rather than a PKI. The web of trust involves establishing the authenticity of the binding between a public key and an attribute, which we define as a “connection”. The proof required is an up or down vote that can be verified by validating the signature.
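The definitions above (an identity as signed attributes, a rating as a signed comment plus score, a connection as a signed up or down vote on a public-key attribute) in working form, as an added example that is not code from the paper or its project. It assumes Ed25519 signatures, a JSON encoding with a domain-separation prefix as the bytes that get signed, and a +1/-1 vote scale; the paper fixes none of these.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Attribute is a key-value pair; one or more attributes form an identity.
type Attribute struct {
	Key   string `json:"key"`
	Value string `json:"value"`
}

// Rating is a comment plus a score, signed onto an attribute. A "connection"
// is the special case of an up (+1) or down (-1) vote on a public-key
// attribute; the scale itself is an assumption, the paper does not fix one.
type Rating struct {
	Attribute Attribute `json:"attribute"`
	Comment   string    `json:"comment"`
	Score     int       `json:"score"`
}

// SignedRating is what travels between nodes: the rating, the signer's
// ed25519 public key and the signature over the canonical encoding.
type SignedRating struct {
	Rating    Rating `json:"rating"`
	SignerKey []byte `json:"signer_key"`
	Signature []byte `json:"signature"`
}

// canonical is the exact byte string that gets signed. Struct field order
// fixes the JSON layout, and the domain-separation prefix stops a rating
// signature from being replayed as another message type (assumed format).
func canonical(r Rating) ([]byte, error) {
	body, err := json.Marshal(r)
	if err != nil {
		return nil, err
	}
	return append([]byte("wot-rating-v1\x00"), body...), nil
}

// SignRating produces a rating signed by priv.
func SignRating(priv ed25519.PrivateKey, r Rating) (SignedRating, error) {
	msg, err := canonical(r)
	if err != nil {
		return SignedRating{}, err
	}
	return SignedRating{
		Rating:    r,
		SignerKey: []byte(priv.Public().(ed25519.PublicKey)),
		Signature: ed25519.Sign(priv, msg),
	}, nil
}

// Verify checks that the holder of SignerKey signed exactly this rating.
// It says nothing about whether SignerKey is trusted: that decision belongs
// to the receiving node's web of trust.
func Verify(sr SignedRating) bool {
	if len(sr.SignerKey) != ed25519.PublicKeySize {
		return false
	}
	msg, err := canonical(sr.Rating)
	if err != nil {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(sr.SignerKey), msg, sr.Signature)
}

// KeyID names an identity by its public key in hex.
func KeyID(pub []byte) string { return hex.EncodeToString(pub) }

func main() {
	_, alice, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed attribute: an email address claimed by a barber.
	barber := Attribute{Key: "email", Value: "barber@example.com"}
	sr, _ := SignRating(alice, Rating{Attribute: barber, Comment: "is a good barber", Score: 1})
	fmt.Println("signer:", KeyID(sr.SignerKey)[:16], "valid:", Verify(sr))
	sr.Rating.Score = -1 // any change to the signed bytes breaks the signature
	fmt.Println("after tampering valid:", Verify(sr))
}
```

Verify answers only who signed; whether that signer counts is decided separately by the receiving node's web of trust. Signing a fixed canonical encoding matters in practice: if two nodes serialise the same rating differently, signatures will not verify across them.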
For our web of trust network, we implement the web of trust by degrees of separation. Once an attribute has been up-voted, it is added to the signer's web of trust and considered a first degree connection for them from then on. The first degree connections' own first degree connections (friends of friends) are weighed as second degree connections, the second degree connections' first degree connections are third degree connections, and so forth. Down-voting an attribute removes it from the signer's web of trust, and it is treated as untrusted and irrelevant from that point on.
The web of trust also solves the problem of determining what information is relevant to the user for decision making. If the score were based on a majority under one-identity-one-vote, it could be subverted by anyone able to allocate many identities. The web of trust is essentially one-trusted-identity-unlimited-votes, since untrusted sources are irrelevant and therefore discarded. The results are filtered by proof from your own network, instead of a general trust score based on untrusted sources. If a majority of identities is controlled by honest nodes, the honest messages are able to propagate in larger volumes than those of an attacker. To defraud a victim, the attacker would need to compromise one or several of the victim's trusted private keys, and then perform the attack before anyone detects them and warns their network. Attributes known to no longer be relevant are down-voted, and thereby revoked from the web of trust. New attributes can be up-voted in a similar manner.
The steps to run the network are as follows:
- New messages flagged as "private" remain on the node.
- New messages flagged as "public" are broadcast publicly.
- Nodes process messages with valid signatures from trusted connections, and store them locally.
- Received messages flagged as "private" can be shared with trusted sources or broadcast publicly.
- Nodes can establish end-to-end encrypted communications channels with trusted nodes, when each party's public key is already trusted by the other, for the exchange of data in a private manner.
Nodes always consider the signed messages from trusted nodes to be correct and will keep working on processing them. If a node shares contradictory ratings, all ratings will be stored by nodes who trust its authors. In that case, all messages will be presented, and it is up to the receiver to decide how to act on this information.
The tie will be broken when the author’s attribute(s) are down-voted in the node’s web of trust; the messages signed by them will then be discarded from the results, and new messages will no longer be stored.
New message broadcasts do not necessarily need to reach all nodes, as long as the sender knows which trusted connection(s) of the intended receiver to contact. The content of the message is encrypted with the public key of the intended receiver, and the receiver’s first degree connection has to be willing to store, and ultimately deliver the message.
With every web of trust a node is connected to, and with each relevant message it shares, its value to the network grows rapidly (the reach of a web of trust grows exponentially with degrees of separation). This adds an incentive for participants to be good actors within their web of trust. Users can still be defrauded by malicious identities, but the victim will be able to quickly propagate a warning to their network about the attacker, and revoke compromised attributes where needed, whereas the attacker either has to re-establish their credibility, or gain access to more attributes that are trusted by the victim. Automated authentication, authorization, and communications via strong cryptography, while processing the least amount of personally identifiable information possible, can also provide a strong motive for running a node.
The node itself is relatively lightweight, and runs as a daemon / service, to generate, sign, process, and store messages. Costly tasks, in regard to CPU time and electricity, can be delegated to trusted nodes where needed, such as data encryption, data decryption, processing data requests, transmitting data, etc.
The incentive may help encourage nodes to stay honest. If a greedy attacker is able to gain access to many trusted attributes of one or more victims, he would have to choose between using them to defraud people by an immediate confidence trick, or using them to generate a more positive reputation for himself, in the hope nobody finds out after the fact. He ought to find it more profitable to play by the rules, rules that favour him with a long-term positive reputation, than to undermine the system and the validity of his own reputation.
Once the creator of a private message wants to share it with one or more trusted connections, they add a read or write permission for an attribute to their access control list.
Incoming requests that don’t comply with an ACL can be disregarded, re-routed for additional inspection, or presented to the user for decision making. Once an incoming message with a request for data has been verified against the node’s web of trust and required ACL, the request is authorized. The requested data will then be encrypted with the public key of the requester. An additional layer of security could be added by establishing a secure communications channel, via a second set of known public keys, between trusted nodes. Whether the additional channel is established or not, data is always encrypted for its expected recipient before being sent.
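The request path just described, the web-of-trust and ACL checks followed by encryption for the requester, as an added example; this is not code from the paper or its project. It assumes X25519 key agreement with an ephemeral key, AES-256-GCM, and a SHA-256 hash standing in for a proper KDF, none of which the paper specifies, and represents the node's web of trust as an already-verified set of key IDs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Node holds the key IDs in its web of trust (already signature-verified), an
// ACL of message ID -> requester key ID -> "read"/"write", and its messages.
type Node struct {
	Trusted  map[string]bool
	ACL      map[string]map[string]string
	Messages map[string][]byte
}

// KeyID names a requester by its X25519 public key.
func KeyID(pub *ecdh.PublicKey) string { return fmt.Sprintf("%x", pub.Bytes()) }

// Grant records a read or write permission for one requester on one message.
func (n *Node) Grant(msgID, keyID, perm string) {
	if n.ACL == nil {
		n.ACL = map[string]map[string]string{}
	}
	if n.ACL[msgID] == nil {
		n.ACL[msgID] = map[string]string{}
	}
	n.ACL[msgID][keyID] = perm
}

// Authorize applies both checks the paper requires: the requester must be in
// the web of trust, and the ACL must hold an entry for it on this message.
func (n *Node) Authorize(msgID, keyID string) error {
	if !n.Trusted[keyID] {
		return errors.New("requester is not in the web of trust")
	}
	if n.ACL[msgID][keyID] == "" {
		return errors.New("acl grants nothing on this message")
	}
	return nil
}

// sessionAEAD hashes the X25519 shared secret with both public keys into an
// AES-256-GCM key (a stand-in for HKDF; the paper names no key schedule).
func sessionAEAD(shared, sender, receiver []byte) (cipher.AEAD, error) {
	h := sha256.New()
	for _, p := range [][]byte{[]byte("wot-data-v1"), shared, sender, receiver} {
		h.Write(p)
	}
	block, err := aes.NewCipher(h.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Respond authorizes, then encrypts the message for the requester under an
// ephemeral X25519 key. Layout: eph pubkey (32) || nonce (12) || ct+tag. The
// msgID is bound as associated data, so a response cannot be replayed as the
// answer to a request for a different message.
func (n *Node) Respond(msgID string, requester *ecdh.PublicKey) ([]byte, error) {
	if err := n.Authorize(msgID, KeyID(requester)); err != nil {
		return nil, err
	}
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(requester)
	if err != nil {
		return nil, err
	}
	aead, err := sessionAEAD(shared, eph.PublicKey().Bytes(), requester.Bytes())
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(eph.PublicKey().Bytes(), nonce...)
	return aead.Seal(out, nonce, n.Messages[msgID], []byte(msgID)), nil
}

// Open is the requester's side: rebuild the AEAD from the ephemeral key and
// the requester's own private key, then decrypt.
func Open(priv *ecdh.PrivateKey, msgID string, blob []byte) ([]byte, error) {
	if len(blob) < 44 {
		return nil, errors.New("truncated response")
	}
	eph, err := ecdh.X25519().NewPublicKey(blob[:32])
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(eph)
	if err != nil {
		return nil, err
	}
	aead, err := sessionAEAD(shared, eph.Bytes(), priv.PublicKey().Bytes())
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, blob[32:44], blob[44:], []byte(msgID))
}

func main() {
	bob, _ := ecdh.X25519().GenerateKey(rand.Reader)
	n := &Node{Trusted: map[string]bool{}, Messages: map[string][]byte{"note-1": []byte("constructed private message")}}
	n.Trusted[KeyID(bob.PublicKey())] = true // bob is a first-degree connection
	n.Grant("note-1", KeyID(bob.PublicKey()), "read")
	blob, _ := n.Respond("note-1", bob.PublicKey())
	pt, err := Open(bob, "note-1", blob)
	fmt.Printf("bob reads %q, err=%v\n", pt, err)
}
```

The order of the checks is the point: the web-of-trust test runs before the ACL lookup, so an attacker who manages to get an ACL entry added for a key the node does not trust still receives nothing. Binding the message ID as associated data means a stored response cannot later be passed off as the answer to a different request.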
All messages are signed by the node by default. Users of the node can self-verify multiple attributes onto any of their identities. By doing so, they can establish credibility at any point by proving they are in control over one or more of these attributes. This means that the node can handle the cryptography for the user, while the user only has to deal with a form of authentication they are already familiar with, like a website login or unlocking a device.
[add visual explainer here]
As such, the verification is reliable as long as honest nodes control the network, but is more vulnerable if the network is overpowered by an attacker. While network nodes can verify messages for themselves, the simplified method can be fooled by an attacker's fabricated messages for as long as the attacker continues to control the node. One strategy to protect against this would be to accept alerts from network nodes when they detect invalid or suspicious ACLs, prompting the user's software to notify them and, where needed, their own network, or to confirm the inconsistency. Nodes that receive frequent messages will probably still want to sign public keys as attributes onto each and every identity for more independent security and stronger verification.
Although it would be possible to add features to the protocol individually, it would be unwieldy to create a separate application for every purpose. To allow for cost and risk-efficient applications to run atop, the protocol is as lightweight and undefined as possible, while offering a framework for secure identity, reputation, and access management. Normally there will be a user interface employing its APIs and secure networking.
It should be noted that multiple frameworks are not a problem here. There is never the need to be locked into a single system, thanks to the universal protocol.
The traditional identity model achieves a level of privacy by limiting access to information to the parties involved and the trusted third party. The necessity to sign all interactions precludes this method, but privacy can still be maintained by breaking the flow of information in another place: by keeping public keys anonymous. The public can see that someone is sending data to someone else, but without information linking the data to anyone. This is similar to the level of information released during end-to-end encrypted communications, where the time and size of the transmission is made public, but without telling who the parties are or what data is being shared.
[add visual explainer here]
As an additional firewall, a new key pair could be used for each interaction to keep them from being linked to a common owner. Some linking is still unavoidable within the web of trust, which necessarily reveals that their messages were signed by the same party.
This section is the roughest part of the draft, for now, and should eventually explain and/or substantiate:
- Value of 1 trusted rating vs. 1M untrusted ratings;
- Mutually untrusted connections, and mutually trusted connections;
- Solving for WoT introduction points (piggybacking social media, biz cards, advertisement, etc.);
- Exponential growth (degrees of separation);
- Visualizing Sybil Swarms;
- Cost of signing a message;
- Cost of encrypting data;
- Moore’s law and prediction;
- Cost-efficiencies;
- Risk-efficiencies.
The current world population is around 7.6 billion, and it is estimated that there are some 3.5 billion Internet users. Of these 3.5 billion users, some 3.03 billion are active social media users, who each manage 7.6 social media accounts on average. The number of social media users grew by an estimated 121 million between Q2 and Q3 of 2017, that is, roughly 15 new social media users every second. The average (mean) number of 'friends' (first degree connections) on Facebook was 155, in 2017. Another interesting fact is that Facebook Messenger and WhatsApp handle some 60 billion messages per day. We will use this data for our calculations to scale our system for global usage. [33]
Trusted vs. Untrusted Sources
Our theory starts with the assumption that the subjective value of a trusted source is greater than or equal to the subjective value of an untrusted source. A single rating, such as “is a good barber”, from a trusted source, e.g., a friend, relative, or co-worker, is more valuable than one or more ratings from untrusted sources. For example, even if multiple (untrusted) advertisers actively promote this barber, a single negative recommendation from one of a user’s trusted sources will persuade them to go elsewhere.
The average social media user only has a few hundred first degree connections. In order to make our system scalable for global usage, each user should be able to connect with many more users than the aforementioned 155. At the same time, we need a way to filter for relevance among these connections, and make the system resistant to spam and Sybil attacks. To solve for this, we apply the web of trust principle together with degrees of separation.
Degrees of Separation
If a user has 155 first degree connections, and each of these first degree connections has 155 first degree connections of their own, the user would have 24.025 (155 x 155) second degree connections and, together with the first degree connections, 24.180 (24.025 + 155) connections in their network. If each second degree connection has 155 first degree connections that are not already part of the user's first or second degree network, the user would have 3.723.875 (24.025 x 155) third degree connections, and 3.748.055 (3.723.875 + 24.180) connections in their first to third degree network. If these third degree connections again have 155 connections of their own outside the user's first to third degree network, the user has 577.200.625 (3.723.875 x 155) fourth degree connections; if those each have 155 further new connections, 89.466.096.875 (577.200.625 x 155) fifth degree connections; and if the fifth degree connections each have 155 connections not already in the user's first to fifth degree network, 13.867.245.015.625 (89.466.096.875 x 155) sixth degree connections. In general, under this no-overlap assumption, degree d holds 155^d identities, and the total through six degrees is 13.957.292.061.180. The assumption is generous, since real social graphs overlap heavily, so these figures are upper bounds on reach.
On average, any user would be connected to any other user by not more than four or five degrees. From this perspective, in the foreseeable future, it seems not only all humans are connected within six degrees, but also all machines. In our model it is not our goal to connect everyone to everything, but rather to connect users with all of their trusted connections, services, and devices.
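An added example, not code from the paper or its project, that covers both the web-of-trust mechanics described earlier (an up-vote adds a first degree connection, a down-vote removes it, friends of friends are second degree) and the trusted-versus-untrusted and degrees-of-separation arguments in this section: a breadth-first walk assigns degrees, ratings from anyone outside the chosen degree are discarded, and Reach computes the idealised k^d fan-out. Signatures are assumed to have been verified before votes reach this code, identities are named by key ID strings, and the graph is constructed for illustration.

```go
package main

import "fmt"

// Vote is a verified up or down vote that Signer placed on Target's public-key
// attribute. Signatures are assumed to have been checked before this point,
// so identities appear here only as key IDs.
type Vote struct {
	Signer, Target string
	Up             bool
}

// Rating is a signature-checked score on some attribute (e.g. an email address).
type Rating struct {
	Signer, Attribute string
	Score             int
}

// WebOfTrust stores, per signer, the identities they currently up-vote. A
// down-vote deletes the edge rather than recording a negative one: the target
// simply drops out of the signer's web of trust.
type WebOfTrust struct{ edges map[string]map[string]bool }

func NewWebOfTrust() *WebOfTrust {
	return &WebOfTrust{edges: map[string]map[string]bool{}}
}

func (w *WebOfTrust) Apply(v Vote) {
	if w.edges[v.Signer] == nil {
		w.edges[v.Signer] = map[string]bool{}
	}
	if v.Up {
		w.edges[v.Signer][v.Target] = true
	} else {
		delete(w.edges[v.Signer], v.Target)
	}
}

// Degrees walks breadth-first from root and assigns every reachable identity
// its degree of separation (root 0, friends 1, friends of friends 2, ...) up
// to maxDegree. The shortest path wins, so an identity that is both a friend
// and a friend-of-a-friend is first degree.
func (w *WebOfTrust) Degrees(root string, maxDegree int) map[string]int {
	deg := map[string]int{root: 0}
	frontier := []string{root}
	for d := 1; d <= maxDegree && len(frontier) > 0; d++ {
		var next []string
		for _, n := range frontier {
			for t := range w.edges[n] {
				if _, seen := deg[t]; !seen {
					deg[t] = d
					next = append(next, t)
				}
			}
		}
		frontier = next
	}
	return deg
}

// FilterRatings keeps only ratings whose signer lies within maxDegree of root.
// Untrusted sources are discarded outright, so a Sybil swarm contributes
// nothing however many ratings it signs.
func (w *WebOfTrust) FilterRatings(root string, maxDegree int, rs []Rating) []Rating {
	deg := w.Degrees(root, maxDegree)
	var kept []Rating
	for _, r := range rs {
		if _, trusted := deg[r.Signer]; trusted {
			kept = append(kept, r)
		}
	}
	return kept
}

// Reach is the paper's idealised fan-out: k connections per identity and no
// overlap between degrees gives k^d identities at degree d. It returns the
// counts for degrees 1..maxDegree and their sum.
func Reach(k, maxDegree int) (perDegree []uint64, total uint64) {
	n := uint64(1)
	for d := 1; d <= maxDegree; d++ {
		n *= uint64(k)
		perDegree = append(perDegree, n)
		total += n
	}
	return perDegree, total
}

func main() {
	w := NewWebOfTrust()
	// Constructed graph: alice -> bob -> carol, plus a million Sybil identities
	// that nobody in alice's web of trust has up-voted.
	w.Apply(Vote{Signer: "alice", Target: "bob", Up: true})
	w.Apply(Vote{Signer: "bob", Target: "carol", Up: true})
	rs := []Rating{{Signer: "carol", Attribute: "barber@example.com", Score: -1}}
	for i := 0; i < 1_000_000; i++ {
		rs = append(rs, Rating{Signer: fmt.Sprintf("sybil%d", i), Attribute: "barber@example.com", Score: 5})
	}
	fmt.Println("ratings kept:", len(w.FilterRatings("alice", 3, rs))) // carol's only
	w.Apply(Vote{Signer: "alice", Target: "bob", Up: false}) // revoking bob also cuts carol off
	fmt.Println("after down-vote:", len(w.FilterRatings("alice", 3, rs)))
	per, total := Reach(155, 6)
	fmt.Println("per degree:", per, "total:", total)
}
```

With a million constructed Sybil ratings in the input, FilterRatings returns only carol's rating, and once alice down-votes bob, carol (reachable only through bob) drops out as well; this is the one-trusted-rating-beats-a-million-untrusted-ratings property in executable form. Reach(155, 6) returns 155^d for each degree; because it assumes no overlap between degrees, the counts are upper bounds for any real graph.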
We have proposed a system for human- and machine-readable electronic identity & reputation without relying on trust. We started with the usual framework of identities made from digital signatures, which provides strong control of ownership, but is incomplete without a way to allow for self-issuance. To solve this, we proposed a peer-to-peer network using the web of trust to record a private history of messages that quickly becomes computationally impractical for an attacker to change if honest nodes propagate most messages. The network is robust in its structured simplicity. Nodes work all at once with little coordination. They need to be identified, since messages are routed to particular places, except when they are delivered on a best-effort basis. Nodes can leave and rejoin the network at will, accepting messages from their web of trust as proof of what happened while they were gone. Users vote with subjectivity, expressing their acceptance of valid identities and attributes by working on extending them and rejecting invalid identities and attributes. Any needed rules and incentives can be enforced with this mechanism.
[add many people here]
[add proper references]
- WoT Introduction Points
- HD Identity Wallet
- Identity Documents
- One-Way Authentication
- Multi-Factor Authentication
- Content Filters
- Spam Filters
- Emergency Alerts
- Data Discovery and Retrieval
- Verifying Binaries
- Multi-Sig PKI
- Trust-Based Mesh-Routing
- Social Networking
- HPKP Fix
- Neuralink, etc.
- Internet of Things