-
Notifications
You must be signed in to change notification settings - Fork 548
Discussion: The Web of Trust (WoT)
One of Beaker's goals is to take all friction out of site & content publishing. DNS obstructs this goal by its poor usability. Top-level domains cost money and are time-consuming to manage. Subdomains are cheaper but still require registration and create a dependency on the subdomain-provider. Therefore, DNS presents an obstacle to Beaker's goal of frictionless publishing.
DNS is also a censorship risk. If a domain is shuttered or seized, then it's content will disappear from the Web. While this may not be common, the Web is a global system and it's reasonable to wonder when foreign nations will press for a right to seize domains to silence criticism.
Beaker is already able to allocate new domains in the form of public keys. Pubkeys are decentralized and secure but not human-readable. There have been some efforts to provide decentralized, secure, human-readable domains using blockchains. While a blockchain may solve censorship, they currently suffer from poor performance, high ecological impact, and token-price instability.
A Web of Trust provides an alternative to DNS. Rather than creating a global 1:1 mapping of domains to pubkeys, the WoT creates a network of certificates which can be searched and curated by the user. This changes the presentation of identity. Rather than looking at the domain name, the user looks at the certificate's label. The long URL remains the shareable URL, but the cert provides a human-readable title.
If the site is security-sensitive, the browser can help the user seek out confirmations (or warnings) about the identity. These positive and negative signals are then included in the certificate.
PKI certificates are not currently available for dat:// sites. (They can be leveraged now using HTTPS servers via the .well-known technique.) Introducing them in the ideal form to the dat network will require coordination with standards bodies and the CA network. What's more, SSL certs are tied to DNS, making them less useful in our DNS-free model.
In addition to trusting identity, the Web needs a way to establish trust in software and information. As Web applications are given more power to manage the user's data, it's especially important that users be able to trust the software they install. PKI does not help us on that front.
A Web-of-Trust is more flexible. We can introduce new kinds of signals for rating identity, software security, and information credibility. The WoT is also fully decentralized, as users are free to choose their authorities.
No. Though DNS is too difficult for most users to deploy, it's relatively trustworthy and easy enough for orgs to manage. Therefore, we can use DNS + PKI as a way to anchor the Web-of-Trust around organizations and advanced users.