Principles of a human-trusted machines distributed network

By on 5 February 2014, in Blog


This is a work in progress, I’m just writing my ideas. Open to remarks.

Humans and beliefs

I believe that humans are central. I believe in human relations(hips?). Durable, volatile, passionate, corrupted, whatever. I have these all in mind.

I think that we, as livings, are the key. It’s fun to live. Didn’t say easy.

Then, I believe in the web of trust. Web not as “http* websites” but as a “real-life-web”. Read about it, and you will build your own reason(s) of believing in it, or not.

The main disavantages of the GPG wot are:

  • it’s slow to grow. People need to meet physically, and this takes time.
  • it’s still perceived as a geek thing. Understanding the key-pairs principles and why it’s really secure and worthless is something that normal people don’t care [and don’t want to care] about.

But the first point is exactly the one that make my two beliefs unite: we meet, we share, we learn and we grow together.

Ideas spread, mutate, evolve. Life goes on.


On the other side, machines need to work in an automated fashion. They have a lot of data to process, and this must flow. Humans don’t have relations with their machines – I hope so; did you see someone recently?.

When one user runs his own machine, there is no trust problem besides the standard security measures: “sysadmin, do your homework“. He basically trust his machine.

I won’t talk about TPM and how to be sure the NSA hasn’t inserted a hardware spy, but I’m aware of it. For now I will consider I can still trust my machine. Even if hard drives cannot be trusted.

Building a network

When we want to operate a distributed network, like the one I want for 1flow, where sensitive information need to move, this gets another dimension.

OK, we’ve got SSL

For me, SSL is like nothing. Half of the world can run a Man-In-The-Middle attack if both sides don’t use a certificate. The certificates themselves are signed by private and opaque third parties

We can potentialy take apart, but it’s not present on mobile and other mainstream OSes.

In some cases, the MITM attack is even legit: think of a corporate HTTPS web proxy.

Besides the NSA scandal, it will become more and more easy in France with the new “ Loi sur la Programmation Militaire ”. It could be the same in other countries.

Even without this, trusting an arbitrary third party that you know from nowhere is a bad habbit.

It’s like trusting the governments or the banks to guarantee the value of fiat currencies: given the global finance context, it’s only wind. But that’s another debate.

Then, we can stack SSH

This would solve the third party problem. Keys on both ends.

But each administrator needs to generate keys with no passphrases for their machines/account. Coupling machines from different persons require at least one manual acceptance operation (copy the key). OK, this also avoids the MITM attacks. Not bad. But still requires a physical access to be 100% sure.

And machines can’t be trusted because of that. A compromised machine will accept any SSH key from anywhere.

Somewhere, we’got BitTorrent

Yeah, perfect for the P2P part, and it uses encryption.

But what about a corrupted player that spies all others? With bittorrent he would be anonymous and could fool the system, whereas with GPG we could get back to the physical person and kick/ban spies.

In the end, we’ve got Bitcoin and ColoredCoins

Theorically, no entity can beat the Bitcoin network.

Yeah. I really hope so, because Bitcoin consumes a non-negligible part of the energy real people need to simply live, and make the energy cost more…

Bitcoin could acheive anonymity in the future, but anonymity is not the point of the network I want to build (more on that later).

Some are already experimenting on these bricks, not mentionning the [unusable and non-private] Tor.

These implementation try to focus on anonymity (eg. real privacy?).

My word

What I suggest is building upon the PGP/GPG web of trust. Building something at the opposite, that is not anonymous at all. Where everything is known. And shared, distributed, un-repudiable and nearly immutable, except if all sharers decide to remove it.

OK I admin this is a bit short. I will probably elaborate in a future dedicated essay about all the advantages of a completely public web of trust.

Technical bits

Every machine has its own GPG key, and does its business. The machine key is signed with low-trust human signature.
Low-trust because no machine is perfectly protected. The key not belonging to a human must be explicit. It will be published on key servers like any other.

When something requires human validation (“what” will be detailled later), the machine sends a mail with the piece of code it wants to execute (or human-readable counterpart) as the mail body, signed with its own key and encrypted with the GPG key of it’s owner. The owner replies, signing the answer, encrypting if wanted. The machines executes. Channel between the machine and its owner is secure, at least sufficiently, and not subject to man-in-the-middle.

We’ve still got the problem of the running code. My previous statements assume the running code is not compromised, and the machine is safe. But is it trustable? What if a compromised machine sends a compromised order to its owner? Without this, what if a compromised machine gets hacked code and do things without the will of its owner? I will address this point a little later. More on the P2P human-trusted network.

As humans know each other in real-life, any machine from user A will be able to interact seemlessly with any machine from user B, because A & B have each-other signed keys, and both have signed their machine keys. Random notes:

  • Any non-reverse signed keys relation will lead to no operation (or read-only, given the signature).
  • We can implement levels and permissions for each key (thus, each machine or user).

As machines use GPG keys and principles, configuration — any data, in fact — can be easily replicated anywhere. If you need basic security, encrypt the data with the machine key for no-remote-readability. If it’s sensitive, encrypt it with data owner(s) key(s). I will elaborate on this point via an implementation specification. There are many, many use cases I see where the machine can work in an automated way, just asking for a simple human confirmation with whatever GPG-supported – and trusted — device. Thus no Android nor iOS nor…

Random ideas

If we need to spread things a little more, we can use BitTorrent to distribute the data. As it is encrypted on-demand, machines outside of the web of trust can act as simple storage to guarantee the reliability of data. If we need more, eg “global” and kind-of-objective validation, the ColorCoins network can come to the rescue to hold signatures of the encrypted data (not necessarily the data itself) and testify of its chronology.

It’s pretty cool that ColorCoins can mutualize their hash power. Without this, the planet would burn many times faster.

Obviously, more to come…