Intriguing product, definitely something that is a major pain point for inventors.
I do wonder however, I see a couple of the profiles listed show 500+ patents.
Does this indicate that we are now in an era of full-fledged "IP spam" or can you argue that inventors have in fact historically been under-rewarded by the difficulty of filing patents? Otherwise that is a lot of patents for someone who isn't building a spacecraft :)
Haha to be fair, the team I ran was an applied research group that’d partner with teams within the organization. So every month we’d do designs & bring in ML expertise to a new project. Plus we maintained a ton of tools. This resulted in a lot of patents every month. Particularly around generative AI, autoML, federated learning, etc., years before it was popular. So it was a fairly open space, resulting in a high number of patents.
I am the developer of Solvent, it is a polyglot web app platform for the JVM and has long supported JRuby integration as indicated here:
https://codesolvent.com/web-apps/
I am not a Ruby developer and even though I integrated it I don't know anything about its internals. I am guessing if JRuby goes away, GraalVM, which supports Ruby, will be its replacement?
GraalVM Ruby does not integrate with Java in the same way, and not nearly as seamlessly. JRuby allows implementing Java interfaces in a direct way that optimizes better, as well as extending and importing Java classes such that they look and feel like normal Ruby classes.
JRuby runs on all JVMs with or without Graal, where the GraalVM languages are tied to that runtime. The design of those languages also incurs heavy startup, warmup, and memory footprint penalties even greater than that of JRuby or the JDK itself, and those problems are not easily solvable.
JRuby will never go away, and as long as I have a say in it, development will continue full speed ahead. We are tackling some of our long-desired optimizations now, have near parity on Ruby language features with the unreleased Ruby 3.4, and we're very excited for the future of the project.
Basically if you have the actual "factual" information, use it directly instead of hoping the LLM will accurately extract it and use it as part of a function call. In this case they already know what the accurate URLs are, just use it.
Where I currently work, our function calls regularly fail only to succeed flawlessly on a retry. (I believe we’re on the order of 10s of millions of OpenAI calls a day)
These are non-deterministic systems. I wouldn’t even trust them to accurately extract text until you did a beam search or something similar to kind of average out different LLM outputs
This might hide identity from the person requesting the info, but not from the trusted authority. In theory the authority could collect data on where requests are coming from, or where the certs are used. To my knowledge, there's no way to completely hide identity while also verifying an attribute and ownership.
There are actually ideas using crypto to provide proof of properties without a trusted entity having to know what the proof will be used for, and without the requester of the proof being able to learn more about the identity. E.g. (in French) https://linc.cnil.fr/demonstrateur-du-mecanisme-de-verificat...
Now I think it is still either a dangerous slope, or it will end up inefficient, because of credential sharing; the typical modern idea to avoid that is to require the user to have a locked smartphone, which is quite an intrusive requirement.
This is close. But I believe an attacker could use the signature to tie it back to a user if they gain access to the trusted authority information. There's no way to do it truly anonymously. Even the article recognized it's pseudonymous.
I don't see anything in that link explaining how one could verify age while remaining anonymous to all parties. How does one verify the age is correct and associated with the true person? It also seems the cert is for specific sites. So doesn't that mean the identity provider (trust anchor?) who verified the age now has a list of which sites you're using your certs on since you must define a receiver (recipient domain?)? Maybe you can explain the flow in an example?
> So doesn't that mean the identity provider (trust anchor?) who verified the age now has a list of which sites you're using your certs on since you must define a receiver (recipient domain?)? Maybe you can explain the flow in an example?
When a trust anchor does verification and issues you the certificate, you get a PEM file, their connection to the process is done. Yes they know who you are but can't track what you do with the certificate after they issue it to you.
On the other hand if you were to use that certificate to commit a crime, the signature will provide access to the trust chain, thus law enforcement could use it to find you by reaching out to the issuer. This is a feature not a bug, it combines privacy and accountability, no different from conventional non-digital world expectations.
The use of receiver id happens after you have the certificate; the issuer is not involved. The receiver id is for the benefit of the receivers of signatures from your certificate, it allows them to establish a sticky anonymous cryptographic identity for you without knowing who you are, this is a way again to have privacy while having accountability. This demo touches on the approach: https://www.youtube.com/watch?v=92gu4mxHmTY
Reach me via my profile if you're interested in knowing more.
Yeah, so the government can track you, and really anyone who gains access to the signature and trust chain can track you. The trust anchor also has to verify your identity to verify your age in order to issue the PEM file.
So to answer my original question - no, you can't anonymously verify age. Someone has to verify your identity (a central authority in my comment, which in your system is a trust anchor) and your signature can be tracked back to you (as a feature).
I missed your concern about pure anonymity in the whole process, the answer is NO.
You can't have such a system that is totally anonymous, it is private but not anonymous. This means it is largely anonymous but for instance law enforcement might be able to track you down...I happen to think this is a good balance though I am sure not everyone agrees.
It's not just law enforcement though. With the way the laws are today, you could have the trusted entity selling that data if they're partnered with some consumers. If you save the cert usage (on the consumer side) you could eventually utilize it if the trusted entity changes hands, policies change, etc. The government is also a potential malicious actor depending on which government and how you want to define malicious.
Of course there are other issues in the chain concerning anonymity, like ISPs.
Whenever this comes up, the focus is on simply opposing the idea. I think perhaps devoting energy to solutions that can address both the concern of safety and privacy is also worth considering.
The internet is going to be a fundamental part of human life I would argue indefinitely. The need for robust information verification is not something we're going to be able to do without.
The question is, would solutions end up being effective ones or ones that "work" but create all sorts of other problems? The worse outcome in my view would be that we all end up being required to use big tech companies as gatekeepers for our digital lives.
Now for my pitch :). Cryptographic certificates are a solution option that CAN bridge this gap.
Respectfully, you are making the error of assuming it is a technical problem when it is a political one.
The problem the government have is the masses trust those bad people over there more than our trusted and approved government experts over here, and they think this is a communication problem and not a problem of substance.
I would agree that technical measures for trust are necessary, but the gov should not be allowed to be the arbiter of who gets to trust who - that is a fundamental freedom that must be left to individuals.
> Whenever this comes up, the focus is on simply opposing the idea.
Well, because the idea is fundamentally unsound. Nobody can keep such a database secure, and certainly not the Canadian government, champions of ineptitude that they are.
It doesn't require maintaining a database. The certificates can be in a registry but also can be on your device without being in a registry. In any case, the security is not associated with a database or anything of the sort.
Yes if you lose your keys you do have to get new certificates and if possible revoke the lost keys. Revoking certificates will require either a revocation code that is issued when you get the certificate or you can use a copy of your private key to issue a revocation request.
If you don't have a revocation code or a private key for the cert you wish to revoke, it will require administrative access to the certificate registry to mark the cert as revoked. That feature is currently built into the platform but not something accessible because of the obvious challenges.
Your private keys are only known to you, certificate revocation is just an annotation that says to someone who receives a signature associated with that certificate to not trust the certificate.
All private keys are generated and stored only on your device.
Okay so we've established there must be a central registry, since it's a certainty that somebody's 65 year old mom will lose her phone and her certs and keys with it.
How does your system protect against attackers claiming to be my mom?
> Whenever this comes up, the focus is on simply opposing the idea
What are you saying? We have been proposing solutions since immemorial times. If it's bad for the kids to have access, why is it not bad for the adults? If you can answer that question the solution should be evident.
> Whenever this comes up, the focus is on simply opposing the idea. I think perhaps devoting energy to solutions that can address both the concern of safety and privacy is also worth considering.
This implies you have to be concerned about safety. But I don't believe seeing anything [they would voluntarily watch] on a computer screen can inflict serious harm to anybody, no matter the age. I advocate for universal (without exclusion of any age group) right for anonymous access to whatever information already is publicly available.
> But I don't believe seeing anything [they would voluntarily watch] on a computer screen can inflict serious harm to anybody, no matter the age.
You can believe whatever you want but a whole lot of people including me do believe watching shit, voluntarily or otherwise, harms you. Plenty of evidence for it.
I actually do believe everything does harm you in at least some minuscule degree (even things that help you in a way or many, harm you in another). Even breathing does. Yet the degree of harm is not substantial enough to justify prohibition and all the downsides coming from trying to enforce it.
Being a generally normal person I also feel I wish kids see no porn yet as soon as I direct my attention to this feeling and question it I recognize it has no rational reason whatsoever, it's just as subjective as a preference can be. Banning a specific kind of content would be as reasonable as banning a food I personally don't find tasty, even if the majority feels the same - should we waste everyone's effort and sacrifice everyone's rights in such a case?
I seriously doubt seeing porn before 18 (which, by the way, is and will always be inevitable, no matter how hard we try, every interested teenager will find a way) these things can cause any of these. And even if it could, lack of interest in real world sexuality sounds almost as great as lack of need to eat: a whole new world of possibility, autonomy, spare time and other resources instead of depending on another thing the world can use as a button to subdue you and drag you into wasteful consumption and playing unnecessary non-ergodic gambles people in a sober state of mind would prefer to avoid.
What about the zombie state of mind of when you have the urge to visit a bathroom to empty your overwhelmed colon/bladder? Isn't it way more sane to just do it and forget it than to walk around obsessed with such urge for hours and days requiring others to participate in the process?
There's a "rule of thumb" I learnt as an adolescent: as soon as you feel attracted to somebody - jerk off and cool down so you become way more sober and do less stupid things. In particular - always jerk off before going on a date: if you still feel interested - this has a chance of being a meaningful relationship, otherwise this was just a stupid hormone play. And I never really needed porn to implement this, imagination was enough.
How is anyone else going to know that the public key I hand them belongs to a person that satisfies whatever requirement they are checking? For example, if someone wants to verify my age, how do they know the public key I hand them belongs to a person that meets the age requirement?
Some third party is going to have to verify that that's true. Which means some third party is going to have to have access to my private data, to verify that my public key belongs to a person whose private data meets whatever requirements are being asked about. That third party will end up being a big tech company.
Your example about CAs is not relevant because CAs only need to verify that someone has control of a particular web endpoint. They don't need to verify the private information of whoever that person is. So the information they need is much less intrusive than the information a third party who is going to attest that public keys belong to people meeting things like age requirements would need to have. Yes, once a third party has attested to your age certificate, they aren't involved with how you use it--but that third party has to have a lot more private information about you to be able to make that attestation, than CAs currently have about website operators.
Do note that the reference here to CA is a conceptual reference, in other words it refers to a trusted entity who can verify certain bits of information (like your age or identity) then issue certificates for it, "trust anchor" is the lingo Certisfy uses for CAs.
Hostnames are what TLS certificate CAs such as DigiCert verify ownership of then issue certificates for; the same concept can be applied to any kind of information, including private information.
For instance a state DMV could choose to be a Certisfy "trust anchor"/CA and issue you a cryptographic certificate for your driver's license to be used for IRL identity anchoring.
So no, a "trust anchor"/CA need not be a big tech company, in fact if such a concept is deployed at scale a large class of entities can/should play the role of "CA", including people doing it as part of a business service.
There is zero chance that a legally mandated certificate scheme won't require centrally-managed certificates to prevent the underage from loading illegally shared keys onto their devices.
Certificates are not things that are centrally managed.
If you get a certificate from a CA (DigiCert, AWS, Google, etc.), they hand you the certificate after necessary verification but otherwise have nothing to do with how you use it (TLS traffic).
The same with something like age verification. Once you have a certificate that attests to your age (as of certificate issue date), the issuer has nothing to do with how you use it, the receiver of signatures generated from that certificate (via private key) can verify it without any interaction with issuer.
As for misuse, that's certainly a concern but it can be addressed via the issuing process. Certisfy does address this issue.
A fundamental requirement for making a certificate scheme work is that certificates are anchored to IRL identity via identity anchor certificates in a privacy preserving manner. You can read up on the approach here: https://cipheredtrust.com/doc/#pki-id-anchoring
> Certificates are not things that are centrally managed.
Of course they can be. That they aren't _necessarily_ centrally managed is a neat fact about the math, but has little bearing on what sort of system the political process will end up endorsing, and _that_ is what I'm saying has no chance of not being centrally managed.
The government will end up requiring that only Trusted Parties be permitted to handle loading the key material into Approved Devices, and that parties requiring age verification only permit use with Approved Devices. Mark my words, this is how it will hit the streets, if it ever does.
Did you just forget that CAs exist? They are centralized. You always have to trust SOMEONE. Even if it's the person that wrote the CA software being used, or the supply chain that provided the software to a vendor, or or or. See what I mean?
The CAs being centralized is not a problem. They do the verification and issue the certificate. The privacy concern stems from using the certificate and CAs are not involved in that process.
Yes you do have to trust someone and the CA is the trusted entity for doing the verification, but once they do the verification and in effect encode that verification onto a certificate, their role is done.
Meh, while I think he has some misunderstandings about the role of CAs, I'm not sure you're doing any better: you can certainly use certificates in a decentralized manner; I use them every day for ssh. No third parties are involved at all.
But decentralized CAs for identity verification still have the same problem, you have to trust someone. They said zero-trust, which I don't think is possible.
Except that being on a phone I can't scan a QR code being displayed on the same device.
But basically you're saying that I need a QR code for each site I'm using? That's not obvious from reading the blog post. And still doesn't address that someone else could use the same code on the same site?
Also I don't think I understand what "the secrecy of your social insurance number/credit card doesn't matter as long as nobody else can generate a certificate for it" means. Is that assuming everyone only accepts certificates and not the raw information anymore?
I'm sure fraudsters would happily take credit card numbers even without being able to generate certificates.
Yes a fraudster will happily take a stolen card but it will be of no use to them if they try to use it via Stripe for instance to post a charge but Stripe requires a cryptographic signature for a certificate for the card :)
So sure the card processor has to require the signatures to make it effective. In other words the secrecy of the card number becomes irrelevant if it requires a certificate signature before it can be used, only the owner of the card has the private key on their device to generate the signature. Secrecy is still useful for privacy.
Thanks for the explanation, still for my own sanity I hope this is not the digital future.
Also still doesn't address that if a minor needs an age proof for xyz.com they couldn't use mine. Whereas at least a photo ID in the real world would require some similar looks.
The reason it comes up is because it's the proverbial wolf in sheep's clothing. Conservatives have an agenda to remove porn from the internet at all costs. They also want to kill anonymity on the internet and if you frame it properly then you can push through their agenda.
Not sure about the legal details of his case but this could indeed be good for any appeals he may file.
While we like to think of the law and its application as a dispassionate process that only looks at the facts, the sense that someone has been harmed plays a big role in the process and jury decisions.
This development weakens any arguments around harm to others, it could also strengthen arguments in favor of incompetence as opposed to malfeasance when it comes to explaining what actually happened to investor money.
Would a comprehensive object construction platform with schema support and the ability to hook up to a compiler (i.e. turn object data to code for instance) be a useful tool in this domain?