
Certificates, Reputation, and the Blockchain - Smerity
https://medium.com/@medialab/certificates-reputation-and-the-blockchain-aee03622426f#.6nxoub5y0
======
mike_hearn
This appears to be a re-creation of X509 and certificate transparency, but
with a custom format in place of X509 and the block chain in place of CT.

The problem is that the existing infrastructure, though a little ugly in
places, is very well thought out and has a vast ecosystem.

I can (and often do) simply plug in a USB stick that stores my private keys
and then sign a PDF in such a way that the document is timestamped, signed,
and bundled in such a way that clever tricks like swapping out an external
font to change what a message says don't work.

The certificate has a verified identity in it, so I can accrue reputation
under my own legal name if I want to, or I can create a self signed cert and
use a pseudonym.

The CT logs are a blockchain-esque structure for logging of all created
certificates, except searchable, and actually designed for certificates. It
gives the same advantages as the blockchain does in this design, and then a
whole lot more.

X509 is ugly, but still better than "append a signature after some lines of
text", and it has the advantage of being widely supported with libraries in
most major languages and frameworks. Usefully, web browsers know how to create
a self signed cert and upload it to a server for signing, meaning the process
of MIT issuing a university certificate can be easily automated.

Most of the problems of the existing PKI boil down to lack of UI polish. They
aren't something you can fix just by throwing a block chain at it.

~~~
lisper
What is "CT"?

~~~
webnrrd2k
Certificate Transparency,
[https://en.wikipedia.org/wiki/Certificate_Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency)
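
mike_hearn's description of CT logs as a searchable, blockchain-esque structure
comes down to an append-only Merkle tree. Below is an added example, written for
this page rather than taken from the original post, the Media Lab prototype or
any CT implementation: a minimal RFC 6962-style log in Go with inclusion proofs,
run over constructed sample entries standing in for issued certificates.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// RFC 6962 domain separation: leaves are hashed with a 0x00 prefix and
// interior nodes with 0x01, so a leaf can never pass as an interior node.
func leafHash(entry []byte) []byte {
	h := sha256.Sum256(append([]byte{0x00}, entry...))
	return h[:]
}

func nodeHash(left, right []byte) []byte {
	h := sha256.Sum256(append(append([]byte{0x01}, left...), right...))
	return h[:]
}

// Log is append-only: entries are never edited or removed, so the root is a
// commitment to the whole history, which is what a blockchain is usually brought in for.
type Log struct{ entries [][]byte }

func (l *Log) Append(entry []byte) int {
	l.entries = append(l.entries, entry)
	return len(l.entries) - 1
}

func splitPoint(n int) int { // largest power of two strictly below n (n >= 2)
	k := 1
	for k*2 < n {
		k *= 2
	}
	return k
}

func rootOf(entries [][]byte) []byte { // Merkle Tree Hash, RFC 6962 section 2.1
	switch n := len(entries); {
	case n == 0:
		return sha256.New().Sum(nil) // hash of the empty string
	case n == 1:
		return leafHash(entries[0])
	default:
		k := splitPoint(n)
		return nodeHash(rootOf(entries[:k]), rootOf(entries[k:]))
	}
}

func (l *Log) Root() []byte { return rootOf(l.entries) }

// InclusionProof returns the sibling hashes, ordered leaf to root, needed
// to recompute the root from entry i (RFC 6962 section 2.1.1).
func (l *Log) InclusionProof(i int) [][]byte { return proofOf(i, l.entries) }

func proofOf(i int, entries [][]byte) [][]byte {
	n := len(entries)
	if n <= 1 {
		return nil
	}
	k := splitPoint(n)
	if i < k {
		return append(proofOf(i, entries[:k]), rootOf(entries[k:]))
	}
	return append(proofOf(i-k, entries[k:]), rootOf(entries[:k]))
}

// VerifyInclusion is the client side: entry, index, tree size, proof and a
// trusted root are all it needs. The index bits decide the side of each sibling.
func VerifyInclusion(entry []byte, index, size int, proof [][]byte, root []byte) bool {
	if index < 0 || index >= size {
		return false
	}
	r := leafHash(entry)
	fn, sn := index, size-1
	for _, p := range proof {
		if sn == 0 {
			return false // proof longer than the path to the root
		}
		if fn&1 == 1 || fn == sn {
			r = nodeHash(p, r)
			for fn&1 == 0 && fn != 0 { // rightmost node of an incomplete level
				fn, sn = fn>>1, sn>>1
			}
		} else {
			r = nodeHash(r, p)
		}
		fn, sn = fn>>1, sn>>1
	}
	return sn == 0 && bytes.Equal(r, root)
}

func main() {
	var lg Log
	for _, c := range []string{"cert:alice", "cert:bob", "cert:carol", "cert:dave", "cert:erin"} { // constructed entries
		lg.Append([]byte(c))
	}
	root, proof := lg.Root(), lg.InclusionProof(2)
	fmt.Println("carol included:", VerifyInclusion([]byte("cert:carol"), 2, len(lg.entries), proof, root))
	fmt.Println("forged entry:", VerifyInclusion([]byte("cert:mallory"), 2, len(lg.entries), proof, root))
}
```

An inclusion proof is about log2(n) hashes, so a verifier that trusts only a
signed tree head can check one certificate without downloading the log, and
the prefix bytes stop a leaf from being reinterpreted as an interior node.
Consistency proofs, which show that a newer tree head extends an older one
(nothing removed or rewritten), are the other half of CT and are omitted here.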

------
Smerity
Discussing this with friends, we pondered the advantages of university degrees
being cryptographically signed. If universities were created today, the idea
that they would only use paper (or a scan) to certify a degree is laughable.

The process of verifying a degree is complicated - each university has a
different system and the costs can be far from non-zero. This discourages
employers from doing the checks.

The impact is far more than just "well we hired him/her and it didn't work
out" - counterfeit degrees can be terrifying. Allen Ezell, a former FBI
agent, notes that there are thousands of faked medical degrees[1]. Even in the
case that the employee does a fine job, exposing a faked degree later can
destroy their career from that point forward.

Yes, there are potential issues that go along with this idea (certificate
revocation in the case of a compromised key, proper implementation of the
system, etc) but even a flawed system would be far better than today given so
very few degrees are certified by employers.

It should be as simple as attaching a link to your signed degree in your
resume.

[1]: [http://freakonomics.com/2012/07/30/freakonomics-goes-to-college-part-1-a-new-freakonomics-radio-podcast/](http://freakonomics.com/2012/07/30/freakonomics-goes-to-college-part-1-a-new-freakonomics-radio-podcast/)

~~~
phipps
Yes, this is one of the motivations to experiment. We see this as a prototype
implementation to start a conversation about how we could design better
certification systems in the future. It prompts lots of interesting questions
(and we are concerned with implications around privacy, etc.) and hopefully
others will build similar systems and we can compare notes.

------
EGreg
I think reputation should be the scarce resource for preventing sybil attacks,
and not computing power via proof-of-work. The latter won't even work with new
(and therefore small) blockchain networks, since a 51% attack is trivial.
Reputation replaces distributed consensus with probabilistic value, relative
to each participant. That's actually how currencies are discounted when being
converted. Wildcat money during the free banking era was heavily discounted.
Currencies and debts are accepted locally and from trusted people.

~~~
ff7c11
What does this comment mean?

~~~
EGreg
It means we should move beyond distributed consensus. Forums and voting don't
need it, for one.

------
pjc50
This seems to be like PGP keysigning web-of-trust, but instead of each
participant managing their own copy you pile the whole thing onto the
blockchain?

The tricky thing here is key management. What happens if you (or the
university) lose a key or it's compromised?
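
Smerity's "link to your signed degree" and pjc50's question about a lost or
compromised key can both be made concrete with an ordinary signature scheme and
a revocation check. The following is an added example, not code from the Media
Lab project or any commenter: Ed25519 from the Go standard library stands in
for whatever format the project uses, and the credential fields, key id and
serial number are invented for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Degree is a hypothetical credential body. The field set is an assumption
// made for this example, not the Media Lab certificate format.
type Degree struct {
	Issuer    string `json:"issuer"`
	Recipient string `json:"recipient"`
	Title     string `json:"title"`
	Conferred string `json:"conferred"`
	Serial    string `json:"serial"`
}

// SignedDegree is what a graduate would link from a resume: the exact bytes
// that were signed, the id of the issuer key, and the Ed25519 signature.
type SignedDegree struct {
	Payload   []byte `json:"payload"`
	KeyID     string `json:"key_id"`
	Signature []byte `json:"signature"`
}

// TrustStore is the verifier's view of an issuer: the keys it has published
// plus two revocation lists, one for single credentials (by serial) and one
// for keys that were lost or compromised.
type TrustStore struct {
	Keys           map[string]ed25519.PublicKey
	RevokedKeys    map[string]bool
	RevokedSerials map[string]bool
}

func NewTrustStore() *TrustStore {
	return &TrustStore{
		Keys:           map[string]ed25519.PublicKey{},
		RevokedKeys:    map[string]bool{},
		RevokedSerials: map[string]bool{},
	}
}

// Sign encodes the degree once and signs those bytes. Verifiers check the
// stored bytes rather than re-encoding, so any edit to the JSON (another
// recipient, a later date) invalidates the signature.
func Sign(priv ed25519.PrivateKey, keyID string, d Degree) (SignedDegree, error) {
	payload, err := json.Marshal(d)
	if err != nil {
		return SignedDegree{}, err
	}
	return SignedDegree{Payload: payload, KeyID: keyID, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify checks, in order: the key is known, the key is not revoked, the
// signature covers the exact payload bytes, and the serial is not revoked.
func Verify(ts *TrustStore, sd SignedDegree) (Degree, error) {
	pub, ok := ts.Keys[sd.KeyID]
	if !ok {
		return Degree{}, errors.New("unknown issuer key: " + sd.KeyID)
	}
	if ts.RevokedKeys[sd.KeyID] {
		return Degree{}, errors.New("issuer key revoked: " + sd.KeyID)
	}
	if !ed25519.Verify(pub, sd.Payload, sd.Signature) {
		return Degree{}, errors.New("signature does not match payload")
	}
	var d Degree
	if err := json.Unmarshal(sd.Payload, &d); err != nil {
		return Degree{}, err
	}
	if ts.RevokedSerials[d.Serial] {
		return Degree{}, errors.New("credential revoked: " + d.Serial)
	}
	return d, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	ts := NewTrustStore()
	ts.Keys["example-university-2016"] = pub // constructed key id
	sd, _ := Sign(priv, "example-university-2016", Degree{ // constructed sample credential
		Issuer: "Example University", Recipient: "A. Student",
		Title: "B.Sc. Computer Science", Conferred: "2016-06-01", Serial: "EU-2016-000123",
	})
	_, err = Verify(ts, sd)
	fmt.Println("genuine:", err)

	forged := sd // same signature, edited recipient
	forged.Payload = bytes.Replace(sd.Payload, []byte("A. Student"), []byte("B. Imposter"), 1)
	_, err = Verify(ts, forged)
	fmt.Println("forged:", err)

	ts.RevokedSerials["EU-2016-000123"] = true
	_, err = Verify(ts, sd)
	fmt.Println("serial revoked:", err)

	ts.RevokedKeys["example-university-2016"] = true // key compromise: everything under it fails
	_, err = Verify(ts, sd)
	fmt.Println("key revoked:", err)
}
```

Note the asymmetry between the two revocation lists: revoking one serial
withdraws one degree, but revoking a compromised issuer key invalidates every
degree signed under it, genuine ones included, which then have to be re-issued
under a new key. That argues for per-cohort or per-year issuer keys, and it is
where a public log of issued credentials and revocations (CT-style or on-chain)
earns its keep, since otherwise a verifier has only the issuer's word for what
is still valid.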

------
jnbiche
I'm often annoyed by "blockchain" projects, but this is a very cool
application of blockchain technology.

Does anyone know which blockchain the Media Lab is using? The actual Bitcoin
one, or Namecoin, or some other one?

~~~
phipps
We are using the Bitcoin blockchain. Glad we made the cut of non-annoying
blockchain projects ;-)

