On Thu, Apr 2, 2015 at 2:40 PM, Anders Rundgren <anders.rundgren....@gmail.com> wrote:
>
> Obviously we need a model where the code is "vetted" for
> DoingTheRightThing(tm).
>
This is essentially about two things: trust and the capability to "vet". Both of these things cannot be solved conclusively, or without severe drawbacks, as I'll show.

The prevailing model of trust for vetting apps is app stores. There the trust is hierarchical: "I trust Apple, therefore I trust what they put in the app store". A slightly more elaborate hierarchical trust scheme is SSL, but it's really the same thing. This model has several problems:

- If Apple gets pwned, everybody who trusted Apple is screwed. This might be judged as a six-sigma event in the case of Apple, but in the case of SSL certificate authorities it's a frequent occurrence.
- The one on top of the (shallow or deep) hierarchy of trust gets to extract rent from everybody else. Apple takes $99/year + 30% with some conditions. Certificate authorities charge anything between $10 and several thousand for their services.
- Responsibility for vetting flows to the top, where it creates a vetting bottleneck. It's for this reason that it can take you weeks, or months if you're unlucky, to get your app in the app store. It's quite perplexing to be technically able to push updates a dozen times a day, yet you can't, because every update is gonna cost you money and two weeks (tm) till it hits your audience.

The only alternative to a hierarchical trust system is a graph of trust relationships which is used to aggregate trust between two nodes in it. This is in principle a fine system; however, it too has a severe flaw. It cannot account for "good" nodes that successfully pretend to be good, and then one day turn bad. The revocation of trust in such a graph takes considerable time since it depends on all connected nodes adjusting their trust relationships. By the time that has happened, considerable damage may have been incurred.

It's for these reasons that trust/vetting-based solutions cannot be used in the heterogeneous M:N market that the web finds itself in. It creates hard-to-quantify risks, inconveniences everyone and puts up barriers to entry.