Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Email, Messaging, and SSI/DID

sylph01
April 30, 2020
700

Email, Messaging, and SSI/DID

discussion slides @ IIWXXX

sylph01

April 30, 2020
Tweet

Transcript

  1. Email, Messaging, and
    SSI/DID
    Ryo Kajiwara
    @ IIWXXX, 2020/04/30

    View Slide

  2. Note
    • This is a presentation of a preliminary idea, which means:
    • This is NOT a demonstration of a product in development
    • This only outlines ideas for discussion
    • There may be flaws in the logic / assumptions that I am making
    • There just might be right solutions out there!
    • It's my first IIW, and I heard there has been lots of discussion
    on Email before
    • Language issues may/will happen

    View Slide

  3. View Slide

  4. TL;DR
    We want better Email, or an
    alternative to Email
    Can SSI/DID help...?

    View Slide

  5. Topics to discuss
    • Why Email is still relevant, Why we need messaging
    • Features we want for messaging, and how current-day solutions
    are lacking them
    • End-to-End encryption
    • Encrypted group communication
    • Control of data
    • Control of your identity

    View Slide

  6. View Slide

  7. Q: Why use Email when
    there's WhatsApp /
    Facebook Messenger /
    Signal ...

    View Slide

  8. Q: Why use Email when there's
    WhatsApp / Facebook Messenger /
    Signal ...
    • SMTP is an archaic protocol without proper encryption and
    authentication
    • Email does not have End-to-End encryption and encrypted group
    communication
    • Email has spam

    View Slide

  9. Q: Why use Email when there's
    WhatsApp / Facebook Messenger /
    Signal ...
    A: You can receive email from people
    without pre-established trust

    View Slide

  10. Q: Why use Email when there's
    WhatsApp / Facebook Messenger /
    Signal ...
    This can be achieved by some messaging services, but under an
    assumption that both parties already have an ID on the same
    messaging service.
    • Some people use Facebook for personal use only. Some don't trust
    Facebook at all...
    • LinkedIn is popular among business people but may not be popular
    among academics

    View Slide

  11. But Email has spam!

    View Slide

  12. Email has spam
    because of its inherent
    anonymity

    View Slide

  13. Anonymity of Email
    The same properties (no need for pre-established trust) applies to
    telephone networks, but email lacks an effective anti-abuse
    mechanism built into the protocol. This is due to email's anonymity.
    If you abuse:
    • the telephone network: You may be caught due to reverse detection
    • email: There are many easy ways to spoof your identity, making the
    other side hard to catch you

    View Slide

  14. Email abusers
    (spammers) use email's
    inherent anonymity to
    their advantage

    View Slide

  15. Do email receivers really
    want anonymous email?
    Anonymous email have a high chance of being spam

    View Slide

  16. Okay, enforce S/MIME
    then ...?

    View Slide

  17. Problems with S/MIME
    • Cost of issuance
    • Yes, money cost
    • Bound to a single context
    • One certificate might prove you belong to a certain organization
    • But you might not want to use that hat all the time
    • Multiple certs? Go back to top

    View Slide

  18. Initial idea:
    Always trust email with
    signatures from
    government-issued
    IDs1
    1 We (kind of) have something like this in Japan (ެతݸਓೝূ)

    View Slide

  19. Nobody spams with a
    government-issued ID,
    right...?

    View Slide

  20. I assume everyone here
    is aware of the
    problems of centralized
    IDs...

    View Slide

  21. View Slide

  22. Email and its "Self-
    Sovereign-ness"
    Email(SMTP/POP/IMAP protocol) is designed to be self-sovereign (you
    can self-issue your ID, you have control of your data), as long as you
    can set up your own server
    Nobody do that these days because ...
    • SMTP: Authentication is difficult, single misconfiguration results in
    sending of spam
    • IMAP: Multi-device access, Storage and backups

    View Slide

  23. Email and its "Self-
    Sovereign-ness"
    As such, we are giving up control of personal messages to Email
    service providers (mostly Gmail)
    This also worsenes the spam problem; they have a spam filter, but its
    inner workings are not transparent enough that many innocent emails
    get caught in them

    View Slide

  24. View Slide

  25. Potential Solutions

    View Slide

  26. Use VCs/DIDs, Selective
    Disclosure
    What if you can select representations of your identity on each
    transaction (=each separate email in this context)?
    minimal/selective disclosure of your identity representation
    Spam filters will check the legitimacy and trustworthiness of the DID
    associated with the email

    View Slide

  27. What would this enable?
    • Senders: Less mail caught by spam filters (as long as your email is
    legitimate)
    • Also, you don't need to expose your full official identity all the
    time
    • Receivers: Less spam, More real mail getting into your inbox
    • Can coexist with current SMTP protocol/infrastructure (with the
    right extension)

    View Slide

  28. Messaging Layer Security
    https://messaginglayersecurity.rocks/
    IETF Working Group that builds secure group messaging protocol,
    designed to be interoperable with systems that share this protocol
    End-to-End encrypted, has encrypted group communication, but still
    needs an ID on a certain platform

    View Slide

  29. DIDComm?

    View Slide

  30. View Slide

  31. Insights from
    yesterday's sessions

    View Slide

  32. JSON Web Messaging
    (Session by Kyle Den Hartog, 12-E)
    https://github.com/mattrglobal/jwm
    Standardized format for secure messaging through extending JOSE
    family of specifications
    Designed to be used in combination with other delivery mechanisms
    such as HTTP(S), MLS, DIDComm, ...

    View Slide

  33. Nōtif
    (from a garden talk with Jim Fenton)
    https://www.slideshare.net/jim_fenton/notifs-2018
    Migrating some use cases, specifically notification to a separate
    protocol
    • Opt-in only
    • Sender is authenticated
    • Pairwise address (different address for sender-recipient pair)

    View Slide

  34. Principles of User Sovereignty /
    Fundamental Problems of Distributed
    Systems
    (Session by Dave Huseby, 9-C, 10-F, 11-I)
    "When a distributed system fails to address any of the fundamental
    problems, it opens itself up to corporate capture."
    Email is a great example of this! Email is designed to be a
    decentralized system, but opened itself up to corporate centralization
    from failing to address the fundamental problems.

    View Slide