HelloZeroNet / ZeroID

ZeroNet authentication provider
http://127.0.0.1:43110/zeroid.bit
GNU General Public License v2.0
42 stars 23 forks

Decentralization using Web of Trust #43

Open yanmaani opened 2 years ago

yanmaani commented 2 years ago

Currently, ZeroNet uses a quasi-centralized system called "certificate authorities" for user registration. In brief:

  1. I register as yanmaani@centralizedprovider.bit
  2. My identity is stuck to that provider for all time
  3. Trust is handled by having zites delegate to a list of trusted certificate providers
  4. Clients keep a full copy of the database of the relevant providers
  5. Spam is handled by the certificate authority removing bad users (unlikely) or by each individual user filtering them out

This has its obvious issues (limited spam resistance, excessive trust in provider, no portability). It is also not technologically necessary.

There is a very similar system, known as Web of Trust, used in GPG and other places. In brief:

  1. I seek out a centralized provider for registration (theoretically, anyone who has an account)
  2. That account adds me to its list at a very low trust level
  3. Everyone who trusts that account now transitively trusts me, if very little
  4. People who see my behavior and notice it is not harmful can assign more trust to me
  5. Zites (or users) delegate to a list of trusted root nodes
  6. Clients keep a full copy of the trust lists of everyone they trust and so on

This is very similar to the old system, except that:

  1. My identity is not tied to any specific provider. As soon as I have gained some trust from other sources, the initial provider can remove me from its trust list
  2. Spam can be handled by letting anyone in your trust graph filter it out, instead of requiring it to be done at the top or in your client
  3. Theoretically, registration can be done out-of-band, e.g. by asking my friend from IRC to trust me

In the worst possible case, this is equivalent to the old system, but under realistic assumptions, it is strictly superior. For users who are concerned about censorship, it is possible to set trust thresholds in such a way as to mimic the old system ("as long as one person has at least something positive to say about them, I want to see their messages").
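
The trust propagation proposed in this issue, as an added example (not code from ZeroNet, ZeroID or either commenter). The issue does not define a trust metric; this sketch assumes weights in (0, 1] that multiply along a path, with the best path from a root winning, and all names and weights are constructed.

```python
import heapq

# Constructed trust lists: truster -> {trustee: weight in (0, 1]}.
TRUST_LISTS = {
    "root": {"registrar": 0.9, "alice": 0.8},
    "registrar": {"newuser": 0.05, "spammer": 0.05},  # registration: very low trust
    "alice": {"newuser": 0.7},        # alice saw newuser behave well
    "spammer": {"sockpuppet": 1.0},   # self-vouching cannot exceed spammer's own score
}

def derived_trust(trust_lists, roots):
    """Score each identity by the best product of weights on a path from a root."""
    best = {r: 1.0 for r in roots}
    heap = [(-1.0, r) for r in roots]
    heapq.heapify(heap)
    while heap:
        neg, node = heapq.heappop(heap)
        if -neg < best[node]:
            continue  # stale entry, a better path was already found
        for peer, weight in trust_lists.get(node, {}).items():
            if not 0.0 < weight <= 1.0:
                continue  # skip malformed entries so a list cannot amplify trust
            cand = -neg * weight
            if cand > best.get(peer, 0.0):
                best[peer] = cand
                heapq.heappush(heap, (-cand, peer))
    return best

def visible(scores, threshold):
    """Identities whose derived trust exceeds the reader's threshold."""
    return {who for who, s in scores.items() if s > threshold}

def without_edge(trust_lists, truster, trustee):
    """Copy of the lists with one entry removed (e.g. the registrar drops a user)."""
    out = {k: dict(v) for k, v in trust_lists.items()}
    out.get(truster, {}).pop(trustee, None)
    return out

if __name__ == "__main__":
    scores = derived_trust(TRUST_LISTS, ["root"])
    print(sorted(visible(scores, 0.1)))   # strict reader
    print(sorted(visible(scores, 0.0)))   # any positive trust, like the old system
    dropped = without_edge(TRUST_LISTS, "registrar", "newuser")
    print(derived_trust(dropped, ["root"])["newuser"])  # still trusted via alice
```

Because every weight is at most 1, an account can never pass on more trust than it holds, so the spammer's sockpuppet stays at the spammer's own low score regardless of the weight the spammer assigns.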

caryoscelus commented 2 years ago

we're looking to implement something like that in zeronet-conservancy