Posts

Build Your Own Trust Chain

We have added the ability to create custom trust chains in Certisfy that are verifiable independently of the Certisfy PKI root. These trust chains will lack the identity component of a trustworthy Certisfy certificate, so owners of such chains are responsible for implementing their own identity procedures. Receivers of claims from such custom trust chains will have to whitelist (bookmark in Certisfy) the root certificate in order for claims from those certificates to pass verification. Use cases for custom trust chains are many.

Software package supply chain trust

There is currently an ongoing challenge around software supply chain security, i.e. developers who integrate software libraries and components into their own applications and solutions are faced with the prospect of unwittingly including malicious vulnerabilities. The problem ultimately boils down to the difficulty of ensuring the people who have write access to these packages are trustworthy. This would remain an ongoing problem requiri...

Recent posts

Trusted URLs Via Cryptographic Signatures

With Certisfy sticker functionality, i.e. the ability to publish cryptographic signatures as claims, users can share trusted URLs by leveraging the verification tied to trustworthy claims. URLs can be included in trustworthy claims and posted for anything for which a user wants to project trust. They can also be restricted to sources (i.e. the referrer) so that the link can't be fraudulently reposted elsewhere. When you include links in a claim that you want to associate trust with, users will first be able to verify the link provider via the claim and then decide whether the link and associated information are trustworthy. In an AI-saturated online space, there is significant value in a link/URL being able to provide a strong signal of authenticity or trust. A trusted creator or a journalist can post links tied to a Certisfy verification as a means to project trust and expand reach. With verification links backed by high-quality trust projection, we can have in essence a verified web. Here...

Private Messaging In Public Forums

We have introduced private messaging over public forums in Certisfy, i.e. you can create and post encrypted messages in public (online) forums via Certisfy private message links. You can also add a Certisfy link to your profile (or an appropriate place such as a web page) that will allow someone clicking on it to create a message that can be encrypted and sent/posted where appropriate. To allow others to encrypt messages for you, you'll first have to create a certificate if you don't already have one. Then copy an encryption URL from the certificate and share it with others who may want to send/post a private message to you. In cases where a private message link comes via a non-trusted source (the internet at large), it is best to link private messaging to verified IDs (which could be anonymous); that way a user can be sure their private message is going to the expected party. This ability is supported by allowing users to trigger the message encryption from a verification scre...

How Notaries Can Be A Part Of Online Information Verification

Hey Notary! Certisfy is a cybersecurity startup offering a service that facilitates online trust by enabling people to project trust and verify information using cryptographic certificates. No worries, you don't need to know anything about cryptography to understand and use it :) The verifications are done by entities we call trust anchors. We think notaries could make an ideal trust anchor cohort to perform these verifications, at least for basic verifications such as identity, location, age, etc. For instance, if you have been following the news lately you may have noticed efforts being made to require age verification for online services. With Certisfy, notaries could perform these age verifications and issue certificates for them. The certificate holders will then be able to use the Certisfy app to prove they meet the age requirement for a given service. This is not a notary "training" hustle; there is plenty of that in the space. :) Rather, it is an opportunity t...

Using Keybase and PGP To Build Certificate Trust Chains

We are expanding our previous experiment to include people who possess PGP keys hosted at certain domains. For now we are whitelisting Keybase.io, meaning if you have a Keybase PGP key it can be used to procure a trust anchor certificate via the Certisfy app. It should be noted that this is strictly experimental, meaning most certificates will likely at some point be suspended or outright revoked if it seems they are being used to issue untrustworthy certificates. The allowance of Keybase is not ideal since there is no ID proofing and there is no reason to assume the person behind the Keybase key is a suitable trust anchor. It is, however, something used by folks interested in cryptographic solutions related to internet trust and security, so at least for experimentation it is appropriate. To validate a certificate request with your Keybase PGP key, first use your Keybase key to sign the following text (no trailing or leading spaces): Using public key hosted at ${PGPPubkeyURL} , ...

Chrome AI Playback: Delightful, Wild and Disconcerting

Chrome's Android mobile browser has added an AI overview feature that generates marketing content on the fly for web pages. I barely noticed the little icon, and even when I did, it wasn't obvious what it might be for; curiosity got the better of me and I clicked. Delight and fear followed. It almost sounds as if the models generating the dialogue could have been trained on NPR content. Here is a recording of the audio. In our attempt to make the concept behind the Certisfy app approachable, we settled for wordiness within the app that explains every feature in accessible language. This ends up working well as a source for AI summary and playback. The disconcerting feeling for me stemmed directly from the delight I felt listening to a compelling AI pitch for Certisfy! A feeling of "it is too good to be true", even when the AI distillation of the service is quite accurate. The polish of the dialogue is such that we could in effect post this to s...

Using .gov Email Addresses For Age And Information Verification

Over the years we've experimented with ideas that leverage what can be thought of as civic trust infrastructure to address trust-related problems on the Internet. Previously we created a browser extension and proxy service that allowed users to use their access to the IRS Get Transcript ONLINE service as a way to procure trustworthy cryptographic ID certificates, essentially treating access to the Get Transcript ONLINE service as automatic ID verification and using that to issue (via a web proxy) ID certificates. We also developed the trust relay protocol, a similar approach that leverages existing sources of trust as a means to address internet trust challenges. These experiments ultimately led to the development of the Certisfy app and service. We have launched another significant experimental approach, leveraging .gov email addresses as a mechanism for bootstrapping a cryptographic trust chain. Think of this as a sort of web of trust implementa...