
Paradigm shifts for the decentralized Web - quickfox
https://ruben.verborgh.org/blog/2017/12/20/paradigm-shifts-for-the-decentralized-web/
======
venamresm__
I'm surprised nobody mentioned self-sovereign identity and digital identity.

Here are some excellent links about the subjects:

[http://www.moxytongue.com/2016/02/self-sovereign-identity.ht...](http://www.moxytongue.com/2016/02/self-sovereign-identity.html)
[http://www.lifewithalacrity.com/2016/04/the-path-to-self-sov...](http://www.lifewithalacrity.com/2016/04/the-path-to-self-soverereign-identity.html)
[https://en.wikipedia.org/wiki/Digital_identity](https://en.wikipedia.org/wiki/Digital_identity)
[https://blog.cryptographyengineering.com/2017/07/02/beyond-p...](https://blog.cryptographyengineering.com/2017/07/02/beyond-public-key-encryption/)
[https://pages.nist.gov/800-63-3/](https://pages.nist.gov/800-63-3/)
[https://www.forgerock.com/](https://www.forgerock.com/)

~~~
rubenverborgh
Yeah, identity is a very crucial and difficult topic, which I did ignore in
that post. Reason being: in my experience, as soon as you start about
identity, it takes up everything. So I have made a couple of assumptions about
authentication and identity; this is what we could build on top of that.

------
ozten
The GPL was a massive legal jujitsu that changed software forever. We need the
equivalent with a business model.

The biggest challenge isn't the technical plumbing, it's changing how
companies operate and changing customers' behavior.

What is the business model? Why would the next unicorn give up this advantage?

Businesses want data lock-in. They try to create "data moats" to protect their
castles.

No product will win on security and privacy features alone. They are critical
for a small segment of adoption, but sadly haven't been a factor for mass
adoption.

~~~
rapnie
i think these business models already exist.

you can find them in community startups that use decentralized technologies
and semantic content to empower individuals to cooperate directly, create
initiatives between parties without central authorities in control.

the technologies just need to mature further, gain more traction.. and
applications need to be created outside of the academic sphere (especially
true for semantic web apps).

i'd like to see true decentralized application frameworks that are semantic
and truly decentralized.

solid ([https://github.com/solid/solid](https://github.com/solid/solid) ) is a
great project for the semantic web, and so is
[http://ld-r.org/](http://ld-r.org/)

then you also have ipfs.org, datproject.org, scuttlebot.io, mastodon social

but the semantic web projects are too content-oriented and the others are
either file-exchange or (limited) social web interpretations.

afaik no truly decentralized messaging / application framework exists yet
(though i have to investigate solid more thoroughly still)

~~~
Kalium
I submit that we currently have a massively popular decentralized, federated,
open standard messaging system. It goes by SMTP, and it's a cluster in many
ways.

~~~
rapnie
yeah, agree. but this is a low-level protocol. many mail (email) applications,
but event-based application messaging frameworks? i could find some that come
close..

do you have some good pointers?

------
marknadal
Wow, point for point this is what we've built at gun (
[https://github.com/amark/gun](https://github.com/amark/gun) ).

- You only store the data you are subscribed to, which if it is your data, it
is automatically stored in localStorage and if you run an Electron/React-Native
app, is also backed up on your hard drive, and optionally you can have it
back up to any server you run. This is particularly true with the P2P identity
system: [https://hackernoon.com/so-you-want-to-build-a-p2p-twitter-wi...](https://hackernoon.com/so-you-want-to-build-a-p2p-twitter-with-e2e-encryption-f90505b2ff8)

- This data can only be decrypted by the app if the user happens to use that
app. The app doesn't have any special server, it is just some front-end logic,
for instance, see this 4min interactive tutorial:
[https://scrimba.com/c/c2gBgt4](https://scrimba.com/c/c2gBgt4)

- The interface literally is just query, where that query is represented in
HTML (or GraphQL at [https://github.com/brysgo/graphql-gun](https://github.com/brysgo/graphql-gun) ) with automatic 2-way binding
based off of `name` attributes, like so:
[https://github.com/amark/gun/blob/master/examples/contact/in...](https://github.com/amark/gun/blob/master/examples/contact/index.html#L111-L130)

Ruben, if you happen to see this shoot me an email (check my HN profile)! I
also know Dmitri as well! Great article! :)

~~~
rapnie
thx! i have been following gun for a while.. very interesting project!

but its decentralization features are not all too clear to me (have to dive
deeper). things like peer discovery, nat traversal, gossiping, etc.

does that come with the package?

~~~
marknadal
I'm honored!!! Thanks. Yes, the architecture is P2P/decentralized (see this
talk [https://youtu.be/5fCPRY-9hkc](https://youtu.be/5fCPRY-9hkc) ), however:

- NAT Traversal sucks and WebRTC is still very glitchy. To get around this,
it is easier/better to just run gun on your machine directly (not via a
browser) and connect directly to other gun peers with their IP addresses. Then
browsers can connect via websocket fallback, but as WebRTC gets better that
will work too.

- Peer discovery is not built in by default, but should be trivial to do by
starting with some bootstrapping peers, which as other peers connect to them
everybody saves the new IP addresses to a common `gun.get('peers').set(IP)`
table. So yes, it is easily possible, just not built in (I'm sure in the
future we'll have a full fledged extension for it).

- re:"gossip" GUN automatically daisy chains updates through peers of peers,
in an ad-hoc mesh-network manner.

Would love to chat more! What is your email? Mine is mark [atatatat] gunDB
[dotdotdot] io !
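
Added example, not part of the comment above and not gun's own code: a shared peer table like the one described is writable by every participant, so a node should vet what it reads from it before dialing. The sketch below assumes entries are plain IPv4 strings; `parseIPv4`, `isNonRoutable` and `selectPeers` are hypothetical names, and the sample table is constructed.

```javascript
// Vet entries read from a shared, participant-writable peer table before
// connecting to them. Hypothetical helper names; no gun API is used here.

// Parse a strict dotted-quad IPv4 string into four octets, or return null.
function parseIPv4(s) {
  if (typeof s !== 'string') return null;
  const parts = s.split('.');
  if (parts.length !== 4) return null;
  const octets = [];
  for (const p of parts) {
    if (!/^(0|[1-9]\d{0,2})$/.test(p)) return null; // digits only, no leading zeros
    const n = Number(p);
    if (n > 255) return null;
    octets.push(n);
  }
  return octets;
}

// True for ranges a public bootstrap table should never point a node at.
function isNonRoutable([a, b]) {
  return a === 0 || a === 10 || a === 127 ||   // "this" net, private, loopback
    (a === 169 && b === 254) ||                // link-local
    (a === 172 && b >= 16 && b <= 31) ||       // private
    (a === 192 && b === 168) ||                // private
    (a === 100 && b >= 64 && b <= 127) ||      // carrier-grade NAT
    a >= 224;                                  // multicast and reserved
}

// Split table entries into peers worth dialing and rejected entries.
// Known bootstrap peers and duplicates are skipped; the result is capped.
function selectPeers(tableEntries, bootstrap, maxPeers = 8) {
  const seen = new Set(bootstrap);
  const accepted = [];
  const rejected = [];
  for (const entry of tableEntries) {
    const octets = parseIPv4(entry);
    if (!octets) { rejected.push([entry, 'malformed']); continue; }
    if (isNonRoutable(octets)) { rejected.push([entry, 'non-routable']); continue; }
    const ip = octets.join('.');
    if (seen.has(ip)) continue;
    seen.add(ip);
    if (accepted.length < maxPeers) accepted.push(ip);
  }
  return { accepted, rejected };
}

// Constructed sample; documentation ranges stand in for public peer addresses.
const SAMPLE_TABLE = ['198.51.100.7', '127.0.0.1', '10.0.0.5',
  '198.51.100.7', 'not-an-ip', '203.0.113.9', '999.1.1.1'];
console.log(selectPeers(SAMPLE_TABLE, ['192.0.2.1']));
```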

~~~
rapnie
great! enlightening.. (a mail has been dispatched :)

------
tboyd47
What if all the super-advanced technology for consumer behavior tracking could
be somehow judo-flipped into a new form of anonymous resource ownership? So
instead of legitimate websites being forced to ask a tech giant for an
identity token just to establish a session, while shady advertisers silently
assemble vast shadow profiles of consumers' behavior using browser
fingerprinting, legitimate companies could use browser fingerprinting to
automatically create a persistent session, which the user can then voluntarily
link to an identity, or leave anonymous if they so choose?

A person could potentially have a number of identities that are anonymous or
pseudonymous, that are automatically created and detected whenever they use
the internet. They could maybe view a dashboard of their identities on a
secure device, link them by function and scope, expose personally identifiable
information through them at will, and create policies to automate all this.

Eg. if I visit a site like HN more than twice, it could just create an
anonymous account for me automatically through fingerprinting and log me in
automatically. Then, if I want to link this account to other services or other
devices, I could do that through some general purpose API on a secure device.
This could potentially lead to a general purpose "consumer identity" system
where a person's offline behaviors are brought in as well.

My point is there's no reason why the most advanced forms of tracking and
identity management can't be brought under users' full control for our own
benefit. Fingerprinting is treated like the internet's dirty secret, but it's
a technology that could be used in different ways. I would prefer this to any
of the biometric authentication schemes that have been peddled as "passwordless."

~~~
wolfgke
> Fingerprinting is treated like the internet's dirty secret, but it's a
> technology that could be used in different ways. I would prefer this to any
> of the biometric authentication schemes that have been peddled as
> "passwordless."

Fingerprints (and other biometric data) are the analogue of a (public) username
and not the analogue to passwords:

> [http://blog.dustinkirkland.com/2013/10/fingerprints-are-user...](http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html)

HN discussion:

> [https://news.ycombinator.com/item?id=8496797](https://news.ycombinator.com/item?id=8496797)

So if you replace entering your username by a fingerprint, retinal scan, ...
this is perfectly fine from a security perspective (though IMHO a really bad
idea from a privacy perspective). On the other hand using biometric data as
replacement for _passwords_ is from a security perspective an anti-pattern.

~~~
lovemenot
This reply seems to have missed the point of its parent and just picked up on
the word _fingerprint_ in a different context.

I like the parent's overall point, but I suspect its business model is not
viable.

Any service that helps the user against the publisher's interests will need to
be funded through charging the consumer. Not easy these days.

~~~
tboyd47
Why assume it is against publishers' interests for people to control how they
expose their own identity? Advertisers, sure, but publishers? I see privacy as
being more orthogonal to their interests than directly against them.

Nevertheless, you're probably right about the business model. I was
piggybacking on the idealism of the article we're commenting on. It's fun to
just discuss possible futures without worrying about viability once in a
while.

~~~
lovemenot
Agreed. I ought not to have assumed the status quo must prevail. Indeed,
hopefully a viable solution to the Publisher's Dilemma will be found.

------
toomim
I've built a new version of HTTP that lets you build apps from multiple
websites, linking their internal state together as easily as we link pages
together today.

I think this solves much of the difficulty in building the decentralized web
vision described in this article. I'd love to get critique and feedback.

[https://stateb.us](https://stateb.us)

~~~
icebraining
A few suggestions (from a backend developer, so not exactly your target
audience):

- Show the source (repository) of a real webapp built with Statebus. Citing
Linus, "Talk is cheap. Show me the code." Make sure it includes examples of
all the advantages cited, like "accessing another site's state".

- Compare your solution with similar alternatives (e.g. my first thought was
Meteor).

- Add a public way of asking questions, like a forum or a subreddit. I'm more
inclined to ask questions if the responses are public, and it might help you
build a body of knowledge to spur the interest of visitors (and even improve
your SEO).

As an aside, the svg is not rendering well on my machine (FF 58 on Ubuntu
16.04):
[http://sufi.andreparames.com/screen_statebus.png](http://sufi.andreparames.com/screen_statebus.png)

~~~
toomim
Wow, thank you! This is great feedback!

------
tw1010
Grandiose visions and inspiring words don't change the fact that users don't
care how the backend is implemented.

~~~
rapnie
yes, that is exactly why almost no (end-user) product explains this on their
landing page :)

but a user might see the merits of being in control of their own data, and
knowing their privacy is not violated by some nefarious use of it..

with all the free-use software platforms nowadays the user is not even the
customer.. the advertiser operating in the background is.

makes me feel bad, especially as the software providers are becoming absolute
monopolists :)

------
earenndil
I just got an error page...from cloudflare. Ironic, for a page that talks
about decentralization.

~~~
rubenverborgh
As I say in the blog post, decentralization and replication go hand in hand
:-) It's my own Web server, so decentralized. Cloudflare just
replicates/caches it for faster access around the globe.

