On Wed, Nov 20, 2013 at 3:21 AM, Melvin Carvalho <[email protected]> wrote: > > TLS *as an example* lets you exchange keys, and encrypt messages. Rolled > out to billions of users and devices.
What about MITM attacks? What about the fundamentally broken certificate architecture? The only way I see that both issues obviously can be solved is to solve the DNS issue right from the start and use public keys as fundamental identifiers. Now, we're back to Zooko's Triangle, an issue that GNS probably solves in the most elegant way. On Wed, Nov 20, 2013 at 3:21 AM, Melvin Carvalho <[email protected]> wrote: > > On 20 November 2013 03:05, Simon Hirscher <[email protected]> wrote: >> >> On Wed, Nov 20, 2013 at 2:31 AM, Melvin Carvalho >> <[email protected]> wrote: >> > >> > Why do you say no other project is working on this? How can you even >> > know >> > every project out there? >> >> Melvin, I obviously can't know every project out there. Let's do a >> search & replace then: >> >> Because no one *we (or I) know of* is doing this *successfully*. > > These are modular components, which elements do you think are not being done > successfully? I said those 4 problems are not being addressed successfully *at once*. And that's really the key to understanding why we can't just solve these issues by mostly building upon existing technologies – like TLS and web technologies. Because every project [again: I know of] is just paying attention to one or, at the maximum, two of those points and on the other hand makes it damn hard or simply impossible to solve those other two or three issues at the same time. Yes, some web applications might enable self-determined storage at first glance. But, meanwhile, by running server-delivered code (which might not even come from the server you trust – due to compromised TLS certificates) in your browser you give up on end2end encryption. So, no, it actually doesn't allow self-determined storage because there might be someone else listening. In fact, we could boil down the four requirements to just one: Self-determined storage. This already implies end2end encryption, perfect forward secrecy as well as social graph obfuscation because *I* determine who gets to see my data and my messages and my buddy lists. Now and in the future. Hence, to wrap it all up and answer your question in the shortest way possible: So far, there is absolutely no project that managed to realize genuinely self-determined storage. > Why cant this be done in a modular way with different teams working on > different pieces and then put together. I agree maybe not all pieces are > perfect, but we cant some of us work on fixing the bugs working together? See above. Also, I don't even know where to start when talking about fixing TLS and doing web apps in a secure way. Then again, that might be due to the fact that their design is fundamentally broken with respect to our wishlist. Maybe I'm all wrong – in which case I'd ask you to tell me which building blocks you would use in our quest to fulfill those 4 requirements. At the same time, I'd ask you to explain to me why do you think it's even possible to fix all their "bugs" (I prefer the term "architectural flaws") all at once. In short: Give me a plan I can believe in. So far, however, all those solutions you proposed in your previous email – regarding "E2E + Forward secrecy", "Social Graph Transmission" and "Self Determined Data Storage" – aren't solutions at all. I think Carlo really has a point here.
