Re: [Ilc] Clarifications and thoughts purpose of ILC list

David Mazieres, Thu, 23 February 2017 23:06 UTC

Ben Laurie writes:

>> Well, there's at least one existence proof, which is the SCP protocol we
>> use at Stellar.  SCP changes the question slightly from whether the
>> system is subvertible to who is being subverted, because it depends on
>> whom people trust.  E.g., if you trust TurkTrust and I trust the
>> conjunction of the ACLU and Google, you might get subverted because
>> TurkTrust has been known to issue bad certificates.  On the other hand,
>> even if Google somehow gets compromised, that won't subvert my view of
>> the world so long as the ACLU remains honest.
> OK, so here's where I get to confess that I don't understand Stellar,
> and, worse, I don't know anyone who does.
> Is there an idiot's guide somewhere?

Well, there is a cartoon guide, but I don't actually think it will be
useful in this context:

The canonical guide is of course the whitepaper, which is probably hard
to read:

Maybe the most accessible rendition right now is my Google tech talk:

> That said, the properties you claim are also trivially obtainable with
> a CT-like system, so I totally buy it can be done. But I don't see how
> this corresponds to the popular notion of "permissionless"? Not that I
> actually care, btw.

My understanding of CT may be out of date, but I thought CT was a
disjunctive system, as in any log can vouch for a certificate.  As I
envision Internet-level consensus, you could insist on, say, 7 out of 10
log authorities signing off something that guarantees publication of the

> a) it seems utterly disconnected with the standard view of
> "permissionless", so I think real care is needed with the charter.

I think the term permissionless may just not be useful in this context,
because even though it has been used to describe systems related to
Internet-level consensus, there are other potential solutions that don't
fit the permissioned/permissionless binary model.

> b) whilst I think everyone should choose who they trust, in practice
> this is mostly totally unusable. The ability to do it is not a system
> problem: you have an answer in Stellar, I have one in CT/Trillian.
> Others exist, I am sure. The problem is usability. Who chooses the CAs
> you trust, for example? Not you (for most values of "you"), that's for
> sure.

Well, in my ideal world the browser vendors would ship some reasonable
default, but if I'm paranoid, I can add the ACLU and EFF, etc.  More
importantly, it should not be a pure disjunction where any CA can issue
any certificate, but rather should require some threshold.  Here we are
veering into CT 2.0 territory, because that's not how certificates
currently work, but there are other transparency applications that could
use such a threshold model from the start.

What consensus mechanism does Trillian plug into?  I had assumed
Trillian was what an individual authority would do, but I could probably
use some education about the bigger picture.
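
Added example, not part of the original message and not Stellar, SCP, CT or Trillian code: a plain signature-threshold model of the trust policies discussed above, used to compute the smallest set of authorities whose failure makes each policy accept a false statement. The policy encoding, the function names and the log0..log9 names are assumptions made for illustration.

```python
from itertools import combinations

# A policy is an authority name, or (threshold, [sub-policies]).
# All names and policies below are constructed for illustration.
LOGS = [f"log{i}" for i in range(10)]
POLICIES = {
    "you (TurkTrust only)": "TurkTrust",
    "me (ACLU and Google)": (2, ["ACLU", "Google"]),
    "disjunctive, any of 10 logs": (1, LOGS),
    "threshold, 7 of 10 logs": (7, LOGS),
}

def satisfied(policy, signers):
    """True if the given set of signers meets the policy."""
    if isinstance(policy, str):
        return policy in signers
    threshold, members = policy
    return sum(satisfied(m, signers) for m in members) >= threshold

def authorities(policy):
    """All authority names mentioned anywhere in the policy."""
    if isinstance(policy, str):
        return {policy}
    return set().union(*(authorities(m) for m in policy[1]))

def min_compromise(policy):
    """Smallest sets of authorities whose signatures alone meet the policy,
    i.e. the cheapest failures that would make a false statement accepted."""
    names = sorted(authorities(policy))
    for size in range(1, len(names) + 1):
        hits = [set(c) for c in combinations(names, size)
                if satisfied(policy, set(c))]
        if hits:
            return hits
    return []

if __name__ == "__main__":
    for label, policy in POLICIES.items():
        worst = min_compromise(policy)
        print(f"{label}: {len(worst[0])} authorities must fail, e.g. {sorted(worst[0])}")
    print("Google alone subverts me:",
          satisfied(POLICIES["me (ACLU and Google)"], {"Google"}))
```

Running it shows the disjunctive policy failing with a single bad log while the 7-of-10 policy needs seven, and the ACLU-and-Google policy holding when only Google is compromised.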