Slide 1

Slide 1 text

Email, Messaging, and SSI/DID Ryo Kajiwara @ IIWXXX, 2020/04/30

Slide 2

Slide 2 text

Note • This is a presentation of a preliminary idea, which means: • This is NOT a demonstration of a product in development • This only outlines ideas for discussion • There may be flaws in the logic / assumptions that I am making • There just might be right solutions out there! • It's my first IIW, and I heard there has been lots of discussion on Email before • Language issues may/will happen

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

TL;DR We want better Email, or an alternative to Email Can SSI/DID help...?

Slide 5

Slide 5 text

Topics to discuss • Why Email is still relevant, Why we need messaging • Features we want for messaging, and how current-day solutions are lacking them • End-to-End encryption • Encrypted group communication • Control of data • Control of your identity

Slide 6

Slide 6 text

No content

Slide 7

Slide 7 text

Q: Why use Email when there's WhatsApp / Facebook Messenger / Signal ...

Slide 8

Slide 8 text

Q: Why use Email when there's WhatsApp / Facebook Messenger / Signal ... • SMTP is an archaic protocol without proper encryption and authentication • Email does not have End-to-End encryption and encrypted group communication • Email has spam

Slide 9

Slide 9 text

Q: Why use Email when there's WhatsApp / Facebook Messenger / Signal ... A: You can receive email from people without pre-established trust

Slide 10

Slide 10 text

Q: Why use Email when there's WhatsApp / Facebook Messenger / Signal ... This can be achieved by some messaging services, but under an assumption that both parties already have an ID on the same messaging service. • Some people use Facebook for personal use only. Some don't trust Facebook at all... • LinkedIn is popular among business people but may not be popular among academics

Slide 11

Slide 11 text

But Email has spam!

Slide 12

Slide 12 text

Email has spam because of its inherent anonymity

Slide 13

Slide 13 text

Anonymity of Email The same properties (no need for pre-established trust) applies to telephone networks, but email lacks an effective anti-abuse mechanism built into the protocol. This is due to email's anonymity. If you abuse: • the telephone network: You may be caught due to reverse detection • email: There are many easy ways to spoof your identity, making the other side hard to catch you

Slide 14

Slide 14 text

Email abusers (spammers) use email's inherent anonymity to their advantage

Slide 15

Slide 15 text

Do email receivers really want anonymous email? Anonymous email have a high chance of being spam

Slide 16

Slide 16 text

Okay, enforce S/MIME then ...?

Slide 17

Slide 17 text

Problems with S/MIME • Cost of issuance • Yes, money cost • Bound to a single context • One certificate might prove you belong to a certain organization • But you might not want to use that hat all the time • Multiple certs? Go back to top

Slide 18

Slide 18 text

Initial idea: Always trust email with signatures from government-issued IDs1 1 We (kind of) have something like this in Japan (ެతݸਓೝূ)

Slide 19

Slide 19 text

Nobody spams with a government-issued ID, right...?

Slide 20

Slide 20 text

I assume everyone here is aware of the problems of centralized IDs...

Slide 21

Slide 21 text

No content

Slide 22

Slide 22 text

Email and its "Self- Sovereign-ness" Email(SMTP/POP/IMAP protocol) is designed to be self-sovereign (you can self-issue your ID, you have control of your data), as long as you can set up your own server Nobody do that these days because ... • SMTP: Authentication is difficult, single misconfiguration results in sending of spam • IMAP: Multi-device access, Storage and backups

Slide 23

Slide 23 text

Email and its "Self- Sovereign-ness" As such, we are giving up control of personal messages to Email service providers (mostly Gmail) This also worsenes the spam problem; they have a spam filter, but its inner workings are not transparent enough that many innocent emails get caught in them

Slide 24

Slide 24 text

No content

Slide 25

Slide 25 text

Potential Solutions

Slide 26

Slide 26 text

Use VCs/DIDs, Selective Disclosure What if you can select representations of your identity on each transaction (=each separate email in this context)? minimal/selective disclosure of your identity representation Spam filters will check the legitimacy and trustworthiness of the DID associated with the email

Slide 27

Slide 27 text

What would this enable? • Senders: Less mail caught by spam filters (as long as your email is legitimate) • Also, you don't need to expose your full official identity all the time • Receivers: Less spam, More real mail getting into your inbox • Can coexist with current SMTP protocol/infrastructure (with the right extension)

Slide 28

Slide 28 text

Messaging Layer Security https://messaginglayersecurity.rocks/ IETF Working Group that builds secure group messaging protocol, designed to be interoperable with systems that share this protocol End-to-End encrypted, has encrypted group communication, but still needs an ID on a certain platform

Slide 29

Slide 29 text

DIDComm?

Slide 30

Slide 30 text

No content

Slide 31

Slide 31 text

Insights from yesterday's sessions

Slide 32

Slide 32 text

JSON Web Messaging (Session by Kyle Den Hartog, 12-E) https://github.com/mattrglobal/jwm Standardized format for secure messaging through extending JOSE family of specifications Designed to be used in combination with other delivery mechanisms such as HTTP(S), MLS, DIDComm, ...

Slide 33

Slide 33 text

Nōtif (from a garden talk with Jim Fenton) https://www.slideshare.net/jim_fenton/notifs-2018 Migrating some use cases, specifically notification to a separate protocol • Opt-in only • Sender is authenticated • Pairwise address (different address for sender-recipient pair)

Slide 34

Slide 34 text

Principles of User Sovereignty / Fundamental Problems of Distributed Systems (Session by Dave Huseby, 9-C, 10-F, 11-I) "When a distributed system fails to address any of the fundamental problems, it opens itself up to corporate capture." Email is a great example of this! Email is designed to be a decentralized system, but opened itself up to corporate centralization from failing to address the fundamental problems.