Note • This is a presentation of a preliminary idea, which means: • This is NOT a demonstration of a product in development • This only outlines ideas for discussion • There may be flaws in the logic / assumptions that I am making • There just might be right solutions out there! • It's my first IIW, and I heard there has been lots of discussion on Email before • Language issues may/will happen
Topics to discuss • Why Email is still relevant, Why we need messaging • Features we want for messaging, and how current-day solutions are lacking them • End-to-End encryption • Encrypted group communication • Control of data • Control of your identity
Q: Why use Email when there's WhatsApp / Facebook Messenger / Signal ... • SMTP is an archaic protocol without proper encryption and authentication • Email does not have End-to-End encryption and encrypted group communication • Email has spam
Q: Why use Email when there's WhatsApp / Facebook Messenger / Signal ... This can be achieved by some messaging services, but under an assumption that both parties already have an ID on the same messaging service. • Some people use Facebook for personal use only. Some don't trust Facebook at all... • LinkedIn is popular among business people but may not be popular among academics
Anonymity of Email The same properties (no need for pre-established trust) applies to telephone networks, but email lacks an effective anti-abuse mechanism built into the protocol. This is due to email's anonymity. If you abuse: • the telephone network: You may be caught due to reverse detection • email: There are many easy ways to spoof your identity, making the other side hard to catch you
Problems with S/MIME • Cost of issuance • Yes, money cost • Bound to a single context • One certificate might prove you belong to a certain organization • But you might not want to use that hat all the time • Multiple certs? Go back to top
Email and its "Self- Sovereign-ness" Email(SMTP/POP/IMAP protocol) is designed to be self-sovereign (you can self-issue your ID, you have control of your data), as long as you can set up your own server Nobody do that these days because ... • SMTP: Authentication is difficult, single misconfiguration results in sending of spam • IMAP: Multi-device access, Storage and backups
Email and its "Self- Sovereign-ness" As such, we are giving up control of personal messages to Email service providers (mostly Gmail) This also worsenes the spam problem; they have a spam filter, but its inner workings are not transparent enough that many innocent emails get caught in them
Use VCs/DIDs, Selective Disclosure What if you can select representations of your identity on each transaction (=each separate email in this context)? minimal/selective disclosure of your identity representation Spam filters will check the legitimacy and trustworthiness of the DID associated with the email
What would this enable? • Senders: Less mail caught by spam filters (as long as your email is legitimate) • Also, you don't need to expose your full official identity all the time • Receivers: Less spam, More real mail getting into your inbox • Can coexist with current SMTP protocol/infrastructure (with the right extension)
Messaging Layer Security https://messaginglayersecurity.rocks/ IETF Working Group that builds secure group messaging protocol, designed to be interoperable with systems that share this protocol End-to-End encrypted, has encrypted group communication, but still needs an ID on a certain platform
JSON Web Messaging (Session by Kyle Den Hartog, 12-E) https://github.com/mattrglobal/jwm Standardized format for secure messaging through extending JOSE family of specifications Designed to be used in combination with other delivery mechanisms such as HTTP(S), MLS, DIDComm, ...
Nōtif (from a garden talk with Jim Fenton) https://www.slideshare.net/jim_fenton/notifs-2018 Migrating some use cases, specifically notification to a separate protocol • Opt-in only • Sender is authenticated • Pairwise address (different address for sender-recipient pair)
Principles of User Sovereignty / Fundamental Problems of Distributed Systems (Session by Dave Huseby, 9-C, 10-F, 11-I) "When a distributed system fails to address any of the fundamental problems, it opens itself up to corporate capture." Email is a great example of this! Email is designed to be a decentralized system, but opened itself up to corporate centralization from failing to address the fundamental problems.