Posts

How Notaries Can Be A Part Of Online Information Verification

Hey Notary! Certisfy is a cybersecurity startup offering a service that facilitates online trust by enabling people to project trust and verify information using cryptographic certificates. No worries, you don't need to know anything about cryptography to understand and use it :) The verifications are done by entities we call trust anchors; we think notaries could make an ideal trust anchor cohort to perform these verifications, at least for basic verifications such as identity, location, age, etc. For instance, if you have been following the news lately, you may have noticed efforts being made to require age verification for online services. With Certisfy, notaries could perform these age verifications and issue certificates for them. The certificate holders will then be able to use the Certisfy app to prove they meet the age requirement for a given service. This is not a notary "training" hustle; there is plenty of that in the space. :) Rather, it is an opportunity t...
Recent posts

Using Keybase and PGP To Build Certificate Trust Chains

We are expanding our previous experiment to include people who possess PGP keys hosted at certain domains. For now we are whitelisting Keybase.io, meaning if you have a Keybase PGP key it can be used to procure a trust anchor certificate via the Certisfy app. It should be noted that this is strictly experimental, meaning most certificates will likely at some point be suspended or outright revoked if it seems they are being used to issue untrustworthy certificates. The allowance of Keybase is not ideal since there is no ID proofing and there is no reason to assume the person behind the Keybase key is a suitable trust anchor. It is however something used by folks interested in cryptographic solutions related to internet trust and security, so at least for experimentation it is appropriate. To validate a certificate request with your Keybase PGP key, first use your Keybase key to sign the following text (no trailing or leading spaces): Using public key hosted at ${PGPPubkeyURL} , ...

Chrome AI Playback: Delightful, Wild and Disconcerting

Chrome's Android mobile browser has added an AI overview feature that generates marketing content on the fly for web pages. I barely noticed the little icon, and even when I did, it wasn't obvious what it might be for; curiosity got the better of me and I clicked. Delight and fear followed. It almost sounds as if the models generating the dialogue could have been trained on NPR content. Here is a recording of the audio. In our attempt to make the concept behind the Certisfy app approachable, we settled for wordiness within the app that explains every feature in accessible language. This ends up working well as a source for AI summary and playback. The disconcerting feeling for me stemmed directly from the delight I felt listening to a compelling AI pitch for Certisfy! A feeling of "it is too good to be true", even when the AI distillation of the service is quite accurate. The polish of the dialogue is such that we could in effect post this to s...

Using .gov Email Addresses For Age And Information Verification

Over the years we've experimented with ideas that leverage what can be thought of as civic trust infrastructure to address trust-related problems on the Internet. Previously we created a browser extension and proxy service that allowed users to use their IRS Get Transcript ONLINE access as a way to procure trustworthy cryptographic ID certificates. Essentially treating access to the Get Transcript ONLINE service as automatic ID verification and using that to issue (via a web proxy) ID certificates. We also developed the trust relay protocol, a similar approach that leverages existing sources of trust as a means to address internet trust challenges. These experiments ultimately led to the development of the Certisfy app and service. We have launched another significant experimental approach, leveraging .gov email addresses as a mechanism for bootstrapping a cryptographic trust chain. Think of this as a sort of web of trust implementa...

How to prevent being scammed via phone calls using Certisfy

Just as we are plagued by data breaches because of our reliance on secrecy as our model of trust assertion instead of just-in-time information verification, we are similarly plagued by scams related to our inability to verify unknown contacts. Calls, text messages, emails, etc. from unknown sources are now a major source of scams, cyber extortion and such. As was demonstrated here, Certisfy stickers backed by cryptographic certificate signatures can address this type of trust problem too. If, for instance, your doctor's office or other place of business that you have a legitimate business relationship with calls you, they can simply begin the message with a sticker code such as below. You can put that sticker code in the Certisfy app and verify the identity and related information, including for the contact source identifier (phone number, email address, etc.). If a message doesn't start with a verifiable sticker code, you drop it immediately; this effectively kills all such ...

From a secrecy model of information security to a usage authentication model

We continue to be plagued by data breaches, password and credit card dumps, healthcare records, etc. One of the reasons many of these breaches continue to be devastating and effective for cyber criminals is that our current information use infrastructure/architecture relies on secrecy as the primary mode for preventing the misuse of information. Secrecy simply means only the people who have the right to use a bit of information have access to it; when that assumption breaks down, as it does with data breaches, the related information can lose some or all of its value. For instance, a compromised credit/debit card number means getting a new number. A compromised password database means changing the passwords, etc. Secrecy has its use as a privacy-preserving mechanism but is fairly flawed as an information usage authentication mechanism. The idea of secrecy as the mechanism for controlling the use of information is deeply ingrained, so much so that even people who should know better often...

The dubiousness of digitized signature services

Notice I referred to "digitized" instead of digital; this is a very important distinction. These services essentially offer ways to transport handwritten scribbles into digital processes. They can be anything from attaching a Microsoft Paint scribble or a scan of one written on a piece of paper, to custom font generation that makes your signature look like you are a former president of the United States. I won't mention any such services by name, but if you've purchased a house or engaged in any sort of contract paperwork activity (leases, etc.) you have likely encountered these services. Last I checked, one of these companies is worth north of $40B, no doubt reflecting the size of the market for such services. First, what is the purpose of any signature? As the name suggests, it is primarily to ascribe provenance to something, be it an abstract thing such as a legal agreement expressed in writing or a physical object such as a painting. We also use the notion of signature ...