Hashing It Out

Episode 29 · 4 years ago

Hashing It Out #29: Universal Logins - Alex van de Sande

ABOUT THIS EPISODE

Alex van de Sande is a UX designer and developer for the Ethereum Foundation who has come up with a new, clean way to provide universal login capability to any decentralized application. Using a combination of standards such as ERC725 identity contracts and his proposed ERC1077 and ERC1078, he has created a way to log in across any application using a single login mechanism. We go over his system, his views on the challenges behind adoption that UX can solve, and the future of DApps as they begin implementing standards such as universal logins.

Links: https://universallogin.io/ https://twitter.com/avsa https://github.com/ethereum/EIPs/blob/master/EIPS/eip-1078.md https://github.com/ethereum/EIPs/blob/master/EIPS/eip-1077.md

Welcome to Hashing It Out, a podcast where we talk to the tech innovators behind blockchain infrastructure and decentralized networks. We dive into the weeds to get at why and how people build this technology and the problems they face along the way. Come listen and learn from the best in the business so you can join their ranks. Hello everyone, episode twenty-nine of Hashing It Out. As always, I'm here with my cohost, Colin Cuche. Say hello, Colin. Hello, Colin. Nice. And today's guest: we have Alex van de Sande. He is a UX designer for the Ethereum Foundation. Many of you already know who he is, but we want to talk to him about universal logins and the space in general. So welcome to the show. Why don't you give our audience a quick introduction as to who you are, how you got introduced to the Ethereum space and what you work on currently? Hey, hi Corey, hi Colin, thanks for letting me be on the show. I've been in the space for a while now. I've been working with the Foundation since two thousand and fourteen, so that was before the network launched, but after the presale, and I am pretty sure I am one of the first designers, and I think I was one of the first people to be employed and salaried in the Foundation. So I've been here for a while, and I've always been focused on how can we make this whole thing less complicated and more simple for the end user, even if that means it gets more complicated for the engineers, and that's what I've been doing for some time. That sounds definitely like UX design: engineers will make it work, whatever, and users actually agree. It's a tough, daunting task to try and make these very complicated systems understandable to people who might not need to know the gritty details that they currently have to, so my hat's off to you. That's a very difficult task to take on. Well, also, I am also sort of a developer.
So I am very skeptical of designers who can't code, not because I think everyone needs to code, but because I think you need to at least understand what's happening under the hood. So you are not that guy that just thinks, oh, the engineer will solve it, right? I think that's exactly a common thing with both designers and engineers, where the engineer will go, oh, we'll build this thing, and then the designer will just throw a little coat of UX paint on it and it will be easy to use. And on the other hand, designers who don't understand the code underneath can be the sort of people who go, I'm going to just build a solution and the engineer will magically make it work, and I don't care about real-world limitations, and I think you need to be somehow a bridge between those two worlds. What's difficult about that is that this whole space is drastically different than how people have grown intuition when using the Internet, which means that, as a UX designer, you have to then deliver applications or use cases to them that give them the ease of use and convenience that they're associated with, while also providing the security implications of holding your own keys, being responsible for your own information and data, and kind of abstract away a lot of the difficulties associated with using blockchain infrastructure. Right now, in my opinion, as a UX person, this is the most difficult space to be in, but it also might be the most exciting, because you're enabling a lot of people really new ways of interacting with other people and taking control over their own lives again. But it's just incredibly difficult. What's been your experience in that? I think I agree with you.
I think it's exciting because there's a lot of work to be done, right? And I think in other areas it's sort of come in. I mean, if you come in as, like, a web developer now and want to build, like, a new social network and it's not blockchain related, you sort...

...of know all the places where people have been, right? So that's how the flow goes, that's where you start. That's the best login scenario. There's a ton of research on how do you make the best sign-up screen so the user signs up easily right now, and I think blockchain is sort of the opposite place, where everyone is starting at the basics, right? Everyone's starting at, okay, let's suppose that every user is a single private key and that's my user. And then you start questioning: oh wait, what does that mean? What does signing up mean? What does onboarding mean? And then you have to recreate a lot of those steps, and I think it's an interesting challenge and it's fun. I'm very happy I am in this space. What's more to that is that this technology is built on public and private key cryptography, which has a lot to do with signing on to things or authenticating yourself for access to things, which means that we can then improve further on previous ways of doing things. Outside it was just a simple username and password, which is very easy to do. There's a lot of convenience to having a password, but having public and private key cryptography baked in at the foundational layer allows you to expand on that and make things much, much more secure or even easier in some cases, and I think we'll get into that. We're going to do, like, universal logins, but, like, what?
How do you feel about that? I really believe that what we are doing is sort of going in making a very wrong way of trying to reinvent a bunch of, like, we are sort of reinventing a lot of that technology in the web because we really believe that it can be done much better, in a much more secure way, and I think by the end, when we end up reinventing the wheel, we'll have a system that is more secure than what we have right now. But it can be as easy, or even easier and more user friendly than what we have right now. Right? I really believe that we have the opportunity, because I really think that the things we are doing are not just because, oh, we want to blockchain things, so blockchain needs to be more complicated. Oh, let's do private keys, because everyone is a criminal and we don't want the government spying on us. I really think that if you were inventing the web right now, if you go back to the nineties, I go back to the s, I would bet that actually those were missing pieces back then. Right? You should be using public key cryptography from the beginning. You should be thinking about how your users are secure. You should be thinking about how do we keep your data private? How do you avoid leaving our digital trails everywhere? How do we avoid our information being just gathered and owned by a single huge company? Right, because I think that is the right way of doing it, of building a common infrastructure, and in the end we'll have a better web for it. Absolutely, but the problem back then was a lot of these things that we're doing now weren't really feasible back then. I mean, first off, there's a lot of innovation that happened between now and then. Could you imagine, if you don't, you know, a lot of our hashing on MD5? You know?
And to that point, if you're ever speaking to any gray hairs, sometimes, like, I've actually several times had conversations with some gray-hair developers who are still kind of stuck in the computing power of the time, and I said, yeah, I just MD5 all these screenshots because it was really easy and quick and I didn't really need to share it anywhere, and they're like, MD5? I'm like, yeah, and I go, I know it's insecure. They go, no, it's just too expensive. It costs so much computing power to do an MD5. I'm like, dude, it's like two thousand and fifteen. That's not the same thing. So a lot of these cryptography techniques used to be a little more expensive than they are now. Well, they're the same cost, but computing power has gone up, our resources are more available. We're able to do new things. And to that point, I feel like to get back on the UX train, because I really want to make this comment. Have you guys watched Silicon Valley at all? Because there's this episode where Pied Piper develops their app and they release it to the world and they only, the user testing that they...

...do. Yeah, I know. Yeah, they only shared it with other developers and the other developers were like, wow, this is amazing, and so they got positive feedback from a very narrow focus group, and when they released it to the wild, to the rest of the world, nobody could freaking understand it. The only ones who could understand it were developers, and I feel like that's exactly the problem we're facing right now: the barrier to adoption is the user understanding what it's adopting and why, and that is definitely a user experience problem. So you have one of the more interesting areas in the space, in my opinion. I totally agree. I remember watching that episode as it aired and I was identifying with so much of it. I was like, this is my work, because there's a specific scene I found very, very telling of both Silicon Valley and our industry, where they have this product, as I said, and they were running a user test, and the users during the usability group, they're not getting it. And then the main developer just jumps into the room and he starts giving a one-hour lecture on the basics of everything, and by the end of it, after two hours talking to the developer, everyone is excited about it, and I connect very deeply with that sensation because I have been there. I've been in situations where I get into a room where people have no idea what I'm about to talk about, and then I need to give like a forty-minute lecture on why blockchain is this, why it's fun, why it's cool, and then in the end I ended up with a five-minute demo of a very complicated app and then everyone was excited, right? And I think that's exactly the moment we are in, where we are very excited about it, but it's such an out-there experience that nobody else gets it. Yeah, and I feel like the real challenge isn't going to be that.
See, the top twenty percent are probably going to drive the adoption for the last eighty percent, but we're only even reaching out to the top one percent right now. And if we can communicate to that top twenty percent within five minutes, then the lower eighty percent will probably accept whatever experience you give them as being the best, because they listen to the twenty percent who drive innovation, the early adopters, whatever you want to call them. But the problem is even that twenty percent capture isn't there yet, and it's struggling. It's difficult for me because I talk to other engineers who aren't in blockchain and they just kind of roll their eyes, and I still feel like I'm fighting this, like, cryptocurrency, Bitcoin, you know, love Ewe, kind of like Oh that lovey w but this libertarian sort of, like, free market rules everything, we'll destroy the banks and all this kind of stuff, and they don't understand that there's a whole other innovation here that we are leveraging with blockchain, through smart contracts and through decentralized storage mechanisms such as IPFS or storage or what have you, that will enable a new way of building things, a new paradigm, and they don't understand the advantage to that. So they look at things and go, why am I going to give up my mainframe system when, you know, the response time on Ethereum is fourteen seconds per block, with a limit on how much gas could be consumed? I can't get the transactional throughput that I need. There's only five D K that transactions I could get through per day. Yeah, per day. So it's like, that's not enough. But I'm like, okay, hold on, there's an innovation side of things here. You need to dump money into researching this stuff. The problem is typically a presentation issue.
So I'm really excited for your work and I hope that you could condense even those five minutes into less than ten seconds so that people can just instantly get it. I have another part of that. Maybe we're too early for this type of thing; like, is the tech ready for us to be focusing so much time and effort into designing for the end user? Right? I think, realistically speaking, the end user, when we have massive adoption, is going to be interfacing with something that's layers on top of what we have now, and the UX design is, like, who is it actually for? Should it be for an end user, or should it be for developers who are building the layers on top of the infrastructure we're building now? Okay, I want to go back to the point from Colin, because I want to answer that question, it's a great question. But let's go back to what Colin said before, Corey, and I think when I'm trying to convey to other people why we need that, where I am trying to avoid this whole, oh, it's libertarian free market thing, and trying to get to something universal, I love the example of Facebook, because Facebook has, last...

...over a billion active users, and I think at some point they were nearing two billion active users, and I mean, two billion people. If you get every social security number that you have in the US, if you add to it every equivalent of the social security number in Brazil and probably in the whole of South America, and then you add every single digital identity system in the European Union, you will not get to two billion people, right? That's how many users Facebook has information on right now. And it's not only that. For a lot of people, especially in developing countries, Facebook is the Internet, right? Facebook is the entrance to the Internet. For a lot of those people, that is also the way they have access to all the freedoms that the Internet gives us, right? Freedom of speech, freedom of religion, freedom of commerce, freedom of just being able to talk about politics or sell stuff with other people. I'm just talking about, like, your little guy who sets up an Instagram shop. Every one of those people has their whole identity and digital life tied to a single company, and that single company is majorly controlled by one single person, and it's crazy that we have this one person that, if they so decide, can just turn the key and decide, you know what? This whole category of actions that people are doing, I don't want them on my platform, right? And that's obviously not how we can move together forward with the Internet. If you want the Internet to be this global phenomenon where everyone has access and freedom and a count information that we can now it, it cannot work if it's just controlled by, like, one single Mark Zuckerberg. And so I think you should get back to Corey's question.
But this kind of brings something up that really, to me, is something we have to communicate: we've been designing systems wrongly for identity, meaning that we haven't been building our privacy with the idea that somebody could violate a central user or even, as a central user, violate its end users' trust. And so we've been designing systems with this trusted element of centralization, and like, yeah, we give our information to Facebook, Facebook's got it. We give our information to Equifax. Equifax will never get breached. That's crazy. And then they wind up getting breached or they wind up getting manipulated in some way, or they wind up selling data to people that we don't feel are using that data in a, are using it to sway political elections, and so we're not building our infrastructure of identity and information related to a person's independent identity in a way that will facilitate long-term, you know, benefits to society, and eventually everything will get hacked. So if we build things in a hackproof way, I don't want to call it hack proof, but with the idea that you're putting your information out there and you are responsible for protecting your information, then the attack vector is you, and then you must be accountable. So I feel like this whole narrative of centralization versus decentralization is very difficult to explain. I love the fact that you use Facebook, because I actually use that regularly myself, but it's all about how we're architecting things, and people don't understand that there's another way, and that's what I feel like I'm trying to fight: there's another way, guys. There's another way to do this, and they kind of still see this fantasy of, nobody will put all their information on the blockchain, it's public. Like, there's another way to do it, it's private, like, I don't know.
It just feels to me like people don't accept that there is another way yet, and communicating that is still difficult. Yeah, and even if you start with the assumption that, look, people will never take care of their own private key, people are not capable of that, we can start with the assumption of let's not trust the central party for that, right? There are intermediary steps in between everyone's information is on Mark Zuckerberg's personal computer, and everyone is an expert in cryptography and they manage it. And I think the interesting thing is that Facebook starts at their end and then they are like, oh no, but we are doing it in a more secure way, we're adding more barriers to make sure that your data is safe. And we are starting at the other end, where everyone is responsible for their...

...own private data, and then we are trying to make it a little bit easier, a little bit more accessible, a little bit more universal, and adding schemes where, oh, you're trusting this party, but here are the vectors of the trust. You trust them to do this, but not that. That's the limit on their trust. You can remove that trust at any point, and at every step of the way we are trying to go slowly, and we're sort of going the same direction. But I think in our way we'll get there eventually. I think it's possible for us to start with the blockchain, this crypto crazy world, and get to a place where it's universally accessible. I think that's more believable than to believe that Facebook will just become super secure and we'll always be able to trust Mark Zuckerberg. Yeah, that makes sense. I mean, circling back to my question, the reason for UX design at this stage is basically making key management something that's a reasonable thing to do for the end user, because if we start at the layer where everyone needs to secure their own things, and because people aren't ever going to all become cryptography experts, there may be a general gain in understanding and knowledge across the board, but it's not feasible to believe everyone's going to become an expert and have full understanding. So the UX design, the types of things of interfacing with private keys and the base layer infrastructure, is important because it allows us to come up with solutions that work in a secure manner for the everyday user. So as we keep building things, it's easy to onboard them. I feel like that's why UX design at this stage is important. Is there anything else that I may have missed, or is that completely off base? Yes, I think that here's the thing, right? We also are always thinking about, like, the average user.
I believe that there is this myth of the average user. Right, people believe that there is this average user somewhere, perfectly encapsulated by your grandmother, and whenever we reach your grandmother, we've reached everyone. And I don't think that's the right way of doing it, because I think UX design is important since the beginning. I think it's important on every step of the way. It's just that we are slowly expanding who the users are. At some point, one of the first things I did when Ethereum launched, I was helping do the website, and just to install and run it, to run a node, it was very complicated, you had to open a command line and type five, ten lines of code, and I pushed them and I helped them to reduce that to a one- or two-line installation. That is UX design, right? Reducing ten lines in the command line to two. That's sort of UX design, because there are users, I mean, not everyone is an equal developer. There are people who can open the command line and copy-paste stuff, but can't necessarily paste ten things and debug every step of the way, right? So we can start with, look, there's the huge developer and there's the guy who's just starting, is curious, he's able to open the terminal. Okay, we are done. For this guy we've solved that problem. Now can we go to the next step, where someone is tech savvy enough to be able to download a software and sync up their chain and test something, and they want to be able to get their presale wallet off their USB drive and save a backup elsewhere and then get to an exchange without using the command line? Can we do that? Can we solve that? Yeah, we can solve that, and I was working on that. And then you go over to the next level. Oh, is that the kind of user that would install Firefox?
That's the kind of user that would install a Chrome extension. And then I think at some point we need to get to the kind of user that doesn't want to install anything, that doesn't want to download anything, or is not technically capable of that, and I think you cannot expect to jump directly to that guy if you haven't solved all the issues with, and learned from, all those other more advanced users whose UX design matters, right? I don't think UX design is just making it shiny and pretty for your grandmother. It's also sometimes just making it so that someone who wants to learn more...

...about it can follow an easy-to-follow tutorial. That's part of UX design. So, to relate a story that actually might, like, help. Could that said, down a bit. I don't know, it's a really good point. Back in nineteen ninety-nine, like two thousand and two, two thousand and three, something like that, I worked at a particle accelerator facility in Newport News, Virginia, and this was like my first job as a web development intern, and a lot of the scientists there refused to do just the most basic things. It was strange. They didn't enable cookies, so every time I tried to do certain types of redirects, the application would fail for them. Some of them insisted on using Lynx as a browser, which, I don't know if you know what that is, but it's a command line browser. So it had absolutely no graphical capability whatsoever. And so my target audience for any application I built there was a moving target. So if I was building it for the science community, I had to make it as basic as possible. These guys wanted literally nothing, bare bones, just get it out there, get it working, simple forms, as basic as humanly possible. But if I was building for the HR staff, then it's a totally different target audience. And so I think what we're trying to identify here is how can we move that target audience, put these decentralized applications into the hands of people who want to use them now and not worry about the people who won't want to use them right now, but still broaden that gradually until we get a good paradigm going for anybody who wants to adopt it. And that will take years, but I think it's an interesting problem. So, you know, kudos to you.
One of the things that, you know, I think is key to a lot of this: I built a decentralized application last year for a customer, and one of the pain-in-the-ass things to deal with was that there was no good way to do logins. So I basically had to hard-code or store some method of keeping a local copy of accounts, and those accounts would have to have their wallets in a folder on the decentralized application locally, and yeah, the UI was good for selecting accounts, but adding and removing those was kind of a pain in the butt and people didn't understand it and it was very much a barrier. So I wonder if you could talk a little more about how you're solving that problem with universal logins and talk about the EIPs behind it. Okay, so back, I'm going onto the bit of the sorry, and I think it's the bling part. On though the thing, because we talked about the average user, the top, like, the early adopters, as if everyone is on a line and everyone goes from I'm very smart to I'm very dumb, right? And I think that's not the way to approach it, because there are people, and I'm pretty sure you've met them, who are like high-energy particle physicists who work in a particle accelerator but are not able to set up their own email account, right? And everyone is sort of like that. Right? You might be a cryptography expert; that doesn't mean that you understand other areas. And even someone who has, like, real problems, right, maybe someone is very good at working in their field, right, they have far more problems. They have to worry about whether their pigs are going to die or not. They don't really want to have to deal with all those things, and we just want to be able to give them a way for them to be able to sell their farm product out there.
It doesn't mean that they're dumb. They probably have a lot more knowledge that we have no idea about. It's just that they don't have the bandwidth to learn all this new stuff. We just want to simplify. And then, so, going back to universal logins, one of the things that I have spent the last years on, since I've done a lot of things at the Foundation, but my main project, on and off during all those years, was Mist, which is a browser, which is like a wallet. If you go to do not org, that's like the main link that there is. You download the wallet. There is also a browser behind it, and we have always been trying to work out how we can make the simplest thing possible. But there is a barrier there, which is the first thing that you need to do is download something, right? You need to download our browser. You need to...

...download a MetaMask extension. Maybe you need to download an iPhone app, need to download something, and most people do not want to download anything. They just want to go to a website and sign up. And I really wanted to think about how can we figure out a solution where onboarding is very easy, it is very simple, and the user doesn't need to download anything. They don't need to write down a seed phrase, and they don't need to buy ETH, which is also like a huge problem. Right? I'm pretty sure that if you work on this, some of your clients probably ask you, why do I need to buy this stuff? Right? I don't want to have to buy this new cryptocurrency thing to build my decentralized app. Well, in my current case, I tend to use private Ethereum networks. But yeah, that's pretty much why I use private Ethereum networks: because they just want to prove to people that this is worth investing in. So it's not going on the mainnet. If it were, they would have to buy a bunch of ETH, which is a floating target of cost compared to the fiat world, which still dominates our pricing structure. So yeah, no, I definitely would like a way to not have to pay or have them even be aware of, you know, what's in their wallet. Also, another problem is that more people have multiple devices, right? So they have their iPhone, they have their laptop, they have a desktop. And even how do you transfer your account from one to the other is a complicated thing, because we don't want people typing private keys, copying a private key from one place and taking it to the other. And also the whole management of private keys has this thing I call the crypto paradox, right, because we are telling people this private key is super important and you need to have a backup, right? You need to have a backup, so if you lose it, you lose all your money.
But if you do too many backups and you forget it, and you put it in your Gmail account and your Gmail gets hacked, if you put it on iCloud, if you put it on too many USB sticks, it can leak and then your money is all lost. So we have this crazy thing where you need to make just the right amount of copies, right? You make too many of them, it's leaked, you lose all your money. You make too few of them, you have some problems with your device, you lose all your money. And the solution I'm pushing to others is actually, it's something new. It's something that's been around for a while, but I'm just trying to standardize it. The idea is, instead of keeping your funds in private keys, you keep them on some sort of CRUC proxy contract, which is basically a multisig contract that allows you to just say, it's a proxy contract that has code behind it. The idea is that on every device you own, every device that you're using, you keep a different private key. You don't back those private keys up. You keep the private key as buried as you can in each device, as safe as you can in each device, and then use those private keys not to keep any ether but just to sign messages, and then you send that message to the proxy contract, and the proxy contract has the capability of understanding, oh, this is a signed message asking me to do X, Y or Z, and it's able to do it. We're calling those signed messages meta transactions, which is basically a transaction that is almost a second layer of a signed transaction, right? You're not signing a transaction, you're signing a message telling a contract to do a transaction on your behalf. It's just authentication at a very basic level. It is very similar to having an authorization token.
It's very similar to having, every device has an authorization token and you're just giving authorization tokens, which is good because it means that if you lose one of the devices, you didn't lose all your money, you just lost one authorization token. And as long as you have the capability of generating more, more authorization tokens, you can create more of them. And another cool thing of that is that someone needs to actually deploy those transactions on chain, right, but that doesn't mean that it needs to be you. What you can do is you take those meta transactions, give them to anyone, literally, that has ether and they can be the one paying that cost for you. And, because we're talking about a smart contract, one thing that you can...

...do is you can sort of refund that person with some other tokens, and which comes back to your issue, where, like, a lot of businesses, they don't mind having costs associated with what they're doing. They don't want to buy ether because they have no idea how much ether will be costing. And this, this whole architecture, will allow you to actually run a whole app just using Dai, because what you can do is that you can keep Dai on your, let's say Dai or any other token really, in your account, and then you're signing messages and paying for those messages with some other token which is on the ether. So how does this get around the whole need to back up private keys problem? So let's say I have an authorized account on my cell phone, I have an authorized account on my laptop, I have an authorized account on my desktop and I have an authorized account on my tablet. Okay, that's cool. Let's just assume they're different accounts. I think that correct. Yeah, okay, but I lose my cell phone, what do I do? So the idea here is that, so there are multiple ways in which you can set it up, right. So one of the things you can do is, if you have already five devices you could have, you can have a requirement to have at least two or three devices be able to sign in order to add them, add any device. So if you lose your cell phone, you still have access to your iPad and your desktop. Let's say, you can still use both of those two to add a new device to it, to add your new phone. And another thing you can do is you can still do backup, but you can do a backup of keys that were never online.
So the idea is, instead of trying to back up every key in every device, what you do instead is you generate brand new keys, you print them or you, like, put them somewhere very safe that is never online, printed, laminate it, keep it in your mother's house, in a bank, whatever, and then you can use that as a last, last resource recovery. So if you lose all your devices in a fire, you can still have access to those. If you can still have access to those recovery codes, you can recover your account, with the advantage that, because those recovery codes were never online in the first place, they were just generated offline, you're sort of tricking users into doing, like, the best, the most secure way, because what I'm doing, we can create a very easy flow for the user that in the end they created a multisig, they created the paper backup, which is a cold storage, and they didn't need to realize any of those words or even know what they mean. Right. They didn't know that they were creating what if they? They didn't know what a cold storage is. But still we're sort of tricking users into it. So, one interesting thing that this kind of spawns in my head is that, since we're assuming a world with multiple devices for this, because, you know, with a single device, this doesn't really seem to carry as much weight. But if you have multiple devices, this does seem to carry some weight, at least to me at this point. Maybe, maybe other argument for that. I agree, I have a feeling that we are moving toward not only multiple devices per person, but that most devices are single users.
Like, we don't have the idea where we have a shared computer or multiple people logging in and logging out anymore. So the idea that pops in my head is, okay, let's assume a minimum number of devices of, say, four, maybe that's not reasonable, but I think you could share, hear what I'm saying, and maybe you can even share with friends or something like that. To make this happen, we could use share keys to sort of encrypt and then send out the recovery codes, so that you don't actually have to have a physical copy of the recovery code. You can just retrieve it through some sort of key sharing mechanism which will enable you to decrypt the actual recovery code at will, and this way you don't have to actually physically ever print out anything. As long as you have a minimum number of devices which have a key share for your recovery code, you can recover that recovery code. Well, there's a, there's a whole slew of protocols and procedures you could use for doing authentication across multiple devices, or backups for that matter, but the key, the key idea here is that you're having a proxy contract that actually holds things, and it's almost a permissions layer for interacting with anything on the blockchain, that only does things through various devices that have...

...been authenticated, which is nice, because you can do permissions around various devices which have different security profiles, like my cell phone isn't as secure as my Ledger, things like that, or you know what I mean. And so that's reasonable for people, because different accounts have different amounts of money in them, which have different amounts of risks, which have different amounts of security, and so there should be different permissions around the, I guess, attestations those private keys can make. Also because we are always thinking of, like, the base unit is a private key. We are always trying to think in terms of crypto primitives. Right. So if you start saying about, like, oh, we can do a Shamir, Shamir's secret sharing way of sharing the key. So you need to actually print the keys. You can send them around. That's nice and you can do that. But more importantly is that all the logic is actually in a contract, so you don't need to, like, you can actually build much more complex recovery mechanisms where you don't need to resort to those crypto primitives. You can still use a key sharing method. But another thing you could do in theory, and I believe some apps are actually developing it, like Status and things like that, is you can set up a trusted friends scheme where you say, look, I trust that person, that person, that person, that person, and if those, those three people, can come together and agree, they can recover my device. The difference between that and just doing a secret sharing with them is that at any point, because it's just smart contract logic.
At any point you could, in theory, add more trusted friends or remove them, or even add things like saying, look, this is my account, these are my family members, and my family members are only allowed to try to recover access to my account if my main, all my main keys, do not make any transaction in, like, a full year. Right, that's a more complex logic that you cannot do with crypto primitives, but you can do with smart contracts, and it sort of makes sense in our day-to-day world because, oh yeah, that's sort of how inheritance works, right, if I die and if I don't touch my keys for a whole year. Then, like, those family members that I picked, they are able to come together and sort of have access to my account, and I think it's important. I think it's important to remember that we are talking about contract logic that can be upgraded, that can be created, the new that Colin, that can be anything that you want, to sort of, any recovery scheme that you can just create on top of it. Well, I love that. I worry about the security of smart contracts, and when people start implementing arbitrary code as the permissions layer for dealing with their funds and blockchain, that those contracts could have severe security vulnerabilities inside of them, and, like, we're still not sure of all of the security guarantees of the contract language itself or the EVM and so on and so forth, and that's a moving target as well. So, like, this is the right way to handle, in my opinion, the right way to handle having custodian of funds and this type of technology, but it's still very risky because you don't have strong guarantees around the contracts themselves. Well, this brings up something that. Raise your hand. There's only three of us here, but don't tell me if you've used any functionality, any smart contract which required Turing completeness? Anybody? I know I haven't.
I mean, I've done it for experiments, but it wound up being too costly, so it's not even worth it. I mean, do we really need recursion capabilities? Do we really need infinite loops? Rightly, I don't. I think it's too early to say whether or not we need it, because a lot of the use cases that a Turing complete version. I feel like that's another problem. Like, that's something else you can totally do either in other ways or with another EVM. That's more risky and there's a risk associated with it, but to me right now it seems like just a simple language I packed which isn't Turing complete, and formally verifiable, would probably benefit the system as it stands right now. So the thing, we are sort of, like, in both of your questions you're sort of questioning why do we have smart contracts at all, right, or can we trust smart contracts at all to do the things that...

...they want to do, and I know, I see where you're coming from, but I have to disagree. I think that we want to be able, and I'm not talking about do we need Turing complete or not, but, like, the point is, we do need rich. I do really think that a rich environment where you can create more complex logic is good, is interesting, and it allows us to create a lot more things than you could do before. This whole universal login scheme that I describe, it's very hard to do if you don't have a very sophisticated smart contract logic that allows you to do things. And I'm not saying that every single user will write their own smart contract, right. That's not what I'm saying. What I'm saying is that we can create a system that allows extensibility. We can create a system that says, look, this is the basic system where the user has control of their funds, and there are a couple of extensible functions where they can say, look, I want to create a key that I'm giving to, let's say I'm taking this key and giving it to a subscription magazine that I want, and I'm authorizing that key to take x amount of mine. Perfect. I'm using that other key, and I'm giving that other key authorization just to play with CryptoKitties, right. That key can sell my CryptoKitties, can breed my CryptoKitties. The only thing it cannot do is it cannot buy, because it would require an extra key to confirm. And you can create tools, that extra logic. And of course, every time you add that extra logic you need to be careful that you're not introducing new bugs. But I think we can create a base system that is a lot more complex than what we have right now with just basic cryptographic primitives, but it still is simple enough that we can audit it. We can make formal proofs around it to make sure it's safe. This the spect.
This reminds me of a couple of conversations I had at Devcon with Grid+ and their Lattice1, basically a hardware device. Did you talk with them or see them, because a lot of what their functionality is based on, the Lattice1, is what you're implementing with universal logins, and I feel as though this is becoming kind of pushed to the front of things we need to be worried about. What's Grid+? It's a ConsenSys spoke called Grid+, which is doing the energy. And their Lattice1 is a hardware device that is doing permissions around key management, and I mention this because as multiple companies and people work on these types of problems, then they need to come together to come up with the standard so they can be used across all of these different implementations. Yeah, that is sort of, so the way I started doing this whole universal login thing was mostly because I started seeing all those solutions of origin in places. I was just doing my thing where I tore a gold people when I help them with dim projects, and a lot of people had basically the same issues. So I want to do this, but I don't want to have ether. And I want to do this, but I want to have waderful users. And I would say, look, you can do a fo their solution for this, you can do a signed message, you can do ecrecover and just sign a message and you can pay, you can create your token and you can pay fees on your token with the other token. All you need is a relayer. And then they would ask me, oh wait, how do I do that? Oh, look, Status has a great ecrecover thing that other token. There they have EC you have a way which space fees. Is it Okn self that other guys doing an identity proxy that allows you to expand. Have more the bookies, and I would receive blank stares because they were like, dude, I just learned how to make an ERC-20 token, like, thirty minutes, right.
You cannot tell me that I need to, like, learn how to make a decentralized relayer network. And then I decided, look, there are a lot of very good solutions that people are working on and they are not compatible. So I really want to create standards for that, and that's how I ended up writing two ERCs about it. Standards are quite powerful. I mean, I think, my personal opinion, the ERC-20 standard was the catalyst for the entire, like, crypto, cryptocurrency boom, because it lowered the barrier of...

...entry and allowed people to build infrastructure around trading these types of things. Because they all agreed on how to do it, and you get a shitcoin. You get it, but everybody gets a shitcoin. And while that has potentially, like, negative consequences, it did a lot for the entire space in terms of bringing attention, massive innovation in terms of how we do things, and built a lot of infrastructure, and it's all around, in my opinion, a single standard at that. Those are Carbul that's not at all accidental. Right. That is sort of, like, the purpose of Ethereum in the beginning, like, a lot of people, we forget that people were already building shitcoins before Ethereum came along, right, but the idea that before, in order for you to, say, launch Dogecoin, what you needed to do is you needed to fork, like, Bitcoin Core, and then you needed to have your own mining infrastructure and you needed to convince miners, needed to convince exchanges, and you remember those days, people. Right. So, oh, I want to create a new coin for everyone in Finland, well, Greenland, right, like FIA coin was an airdrop for everyone in, like, Finland, yeah, or Greenland or something like that. And then it was hard because you needed to have your own wallet, your own mining software, your mining thing. And then you need to solve, like, P2P connections, and when Ethereum comes, it just says, look, we are going to deal with the whole infrastructure and you just build this new thing on top. I mean, all you want is just to build a token. The nice part of it is that, like, once you have a token, you can use any Ethereum wallet that supports tokens. You can use any Ethereum exchange that supports tokens, and then the infrastructure is already there. Right. So exactly what you said, but that is sort of, like, the purpose of Ethereum. And what's to build? That was to build.
How can we allow people to share the infrastructure they are building so that they only need to focus on what they can do that is novel and interesting. So let's assume, let's go down the happy path. You're a UX designer, you UX design, and maybe even just, like, socially design, so people start using universal logins and proxy contracts the way that you hope and expect them to, and ERC-725 identity. Let's assume we go down the happy path. What do you think the consequences would be? What will be your shitcoin? Okay, so the question you're making is, what do I think is the, like, if everything I'm saying gets popular and gets adopted, what sort of bad outcome I expect? Is that what you're asking? Yeah, because I think everybody kind of could have predicted shitcoins, and, like, I feel like in this I kind of have an idea where this would go, but I don't know yet, and I just want to see if you have any predictions with regard to that. You every thought? So the whole idea is that I want to make onboarding very, very, very easy. Right, the demo that I give to people is that you can, like, you log into a website and all you need to do is type the username you have in, then the next screen you will receive a few tokens, and then the next screen you're already, like, clicking a button that allows you to interact with a smart contract and uses that token that you just received for that. So it means that in, like, thirty seconds and three, two clicks, basically you are already interacting with a smart contract. So my ideas, I really want to make smart contract and I would say that if I succeed on that, probably the first thing that would happen is we will probably multiply a lot of bad build. Oh good, I thought you were going to say something else. I wouldn't say scalability. That by your problem. I think that's parallel. We can go into that.
But I think we'll probably see things like, like a lot of people like using pyramids, pyramids and other, like, trading things, and probably, like, what actually would lower the barrier to entry would be probably a wallet where everyone can create their own wallet, everyone can create their own prediction market, everyone can create their own decentralized exchange. Probably we're going to see a lot of, like, bad that you and games and bad at you and products and things that are a little bit like CryptoKitties. I think CryptoKitties generated a whole new generation of games which is nothing but just buy and sell stupid stuff. Right. I can see it making CryptoKitties even more popular, like collectible assets, or even more, probably lowering the barrier of entry for people to get...

...these things and trade them, and in the process of doing that, you kind of, like, create an irrational exuberance around them, because people can do it. Exactly, which then leads to a scaling issue, because CryptoKitties broke the network at the time when, whenever big because we end up by yeah, what if? What if the blockchain network basically becomes clogged with everyone trying to use these things that basically have no real utility, at least for now, and then it kind of buttons out into use cases that have good utility but only operate under locasities, and that's a problem. It's going to be solved visually. That could only be good for Bitcoin. Honestly, when that kind of thing happens, the price goes up, so the market is supposed to balance itself out, and that's cool and all, but we still want to use the stuff. So I feel like things like layer two solutions and more things I can fur are going to be useful until we get some better scaling solutions on the layer one side. Oh yeah, leas, then I feel like layer twos can be essential. You can use this technology with layer two technologies. These aren't excluding each other. That's kind of a nice part about it. Also, that is the sort of good problem to have, because I would say, and here's the truth, there are a lot more people working on scalability than people working on UX design and onboarding, and I think those are equally important, because there's no point, the whole point of, I think the alternative is much worse, because if you fix scalability before I fix onboarding, we'll have a network that can handle billions of transactions but doesn't have a hundred thousand users, right, and I think that's even worse. What's the point of having scalability if you can reach a million users? A billion users maybe, and I would say that the opposite, where we solve onboarding before we solve scalability.
I don't think that's going to happen, because there are already solutions to that problem right now. Right, you can do sidechains, you can do, you can do, you can do, and one of the things that are interesting about the universal login solution is that you can actually have the same address for your proxy identity in multiple Ethereum networks, so you can use the same address and it could be in mainnet, in your sidechain, in your proof-of-authority private subchain, things like that, and you can sort of use the same identity and the same login in all of them, and that's really useful for things like Plasma chains. And yes, that, and actually even cooler is that if we could nail this down, really you can create a general state channel to another contract on another chain network entirely and do asset transfer that way pretty simply, and only have one system which maintains the sort of, like, yeah, that could be cool for an atomic swap type system. It's just easily managed, because right now it's kind of a pain in the butt in my opinion, but now I don't know, kind of thinking about that. That is a good property of this for sure. Well, we're hitting about an hour now. Are there any questions that we should have asked you? We hope you hoped we asked you that. We didn't matter. I'm saying no, I think. I think we had a nice conversation. Well, I don't know there's any particular question that people you. I think we hit all the usual questions that where that goes, but the obvious next part is what's the next steps? What do you hope happens now that you've, you've been going around, we saw you at the Status hackathon, you're at Devcon, you've been going around trying to teach people about universal logins. Now that you have, like, kind of this minimum viable product for people to implement them, how do we get it into people's hands? What do people need to do in order to start pushing this forward and making it a real thing?
So one important thing to understand, that some people don't get clear when I speak it the first time: the universal login is not one solution. It's not like one way of doing it, it's not one app that you download where everything goes through that app, right, and there are other solutions that do that, but it's not that. It's really just a common architecture. I'm hoping a lot of people adopt it, and yeah, I've been doing this whole tour where I went coop to life, I went to Devcon, I went to the decentralized finance and it, I went to, and I'm doing a lot of that, and my hope is that I really want to have some players in the Ethereum ecosystem use that and adopt it. I think that's going on.

That's going on because I've been talking with a lot of people in different companies, some people like Status or Gnosis or smaller companies, and they're all very excited about this idea of having a common standard that everyone can share. And one of the things that they like is the idea where you go into Status and then do the onboarding process, that gives you a Status username, and then the next thing that happens is that you go to Gnosis, let's say, and you can use your Status username in another. So it's almost, if you were onboarded once in any app, you are already onboarded in every Ethereum app, and I think that's something that excites a lot of people because it really helps multiply the onboarding effect. So my good. So that actually, I know that we're coming to the end here and I shouldn't probably be asking more questions, but that just kind of triggered something else in me that I've dealt with a long time ago. I brought up on the show several times that back in two thousand and five I tried to develop something called Online Karma dot net. Didn't pan out. Wrong timing. Right idea, I feel, where, you know, your reputation kind of went with you from site to site to site, and so you didn't have to fragment between your eBay rating and your Amazon rating, and your, you know, web forum XYZ rating, and they all kind of build a centralized way of managing that. What do you feel about reputation tied to your login, and do you feel like those things are something? And tracking where your login's been used in the history of your login? How does that integrate into your vision for this? There are two things there, right.
I think the first one is that I think you should own, and I think it's obvious for anyone who's probably listening to this podcast to agree, that you should own your own data, right, like your Uber rating should not be your, should be your rating, should be your reputation as a driver, should not belong to Uber, should not be your Uber rating, because it creates a lock-in, right. Like, if you have a good reputation as a driver, you should be able to go to another driving network and use your reputation, and there your chance company or an insurance company, or just remove lock-in from Uber, right. Why do you have to start anew if you want to go to an Uber competitor? I think that's a wrong, wrong approach. So I think it should belong to you, but on the other hand, I think that's something that the dealport guys are really, really, really, like, spreading the word on, is that we should also avoid making it on chain as much as possible. We should try to make a lot of those reputations, should be very careful of them, especially if you're talking about something that is on chain forever, because, like, right now, what can be a good reputation can be, like, in ten years, can be turned against you somehow. And I think there are great examples on things like, oh, you were a refugee once, you escaped your country and now you go back to your country and things turn bad again. Then suddenly there is this universally accessible list of a vulnerable population, right, because you belong to this religion, you live in that place, and then suddenly, because you were a refugee once and you had reputation online, totally, that becomes the tool of oppression. I think we need to be careful of that. Do you think we need to legislate against that? I don't think the problem is the legislation.
I think the problem is that, be very, very careful of whatever information you put on chain and avoid putting personal information on chain at all costs. And I think that comes back to privacy, right. That comes back to having, like, if you can have an attestation, it's probably better to have an off-chain attestation that just says, look, I've been carrying this signature that I can share with other people, than just to have a central attestation thing on the blockchain, right. So just give people, so, give people proofs, not necessarily put them on the blockchain. So that's one important message to people who are thinking about on-chain reputations. Don't let yeah, I haven't say don't. Let just say it against what you can do, but lets just say it against informing users of what they are doing. That's kind of like something that I think will probably happen in the future. Now, because how would I know, as, you know, a particle physicist who can't even start my email, whether or not the information I'm submitting is going on chain, or whether or not it's going in, you know, let's just say,...

...even a layer two chain, or whether or not it's just going to not be committed in that way. Like, how do I know this? How would I be able to determine that? And I don't feel like app developers will do that responsibly, especially since there's value in not doing it responsibly. I think we need to, I think our goal here, like, we are technical writers, you have a technical podcast, our goal here is to educate developers and try to teach them how to do it responsibly. Otherwise, we'll end up with legislation. Like, I think it would be better for everyone if app developers are simply responsible and don't do things like that, so that we don't need to end up having some sort of legislation forced upon us by people who don't really understand all the subtleties of the system and end up killing good ideas along with the bad ones. Yeah, I hate to be the single cynical one in the room, but I have Malwarebytes on my computer because there's a lot of asshole developers out there, and I think there's always going to be asshole developers who find a way to get something on chain which is dirty and will try to either blackmail, extort or, you know, I don't even know how they blackmail it, but, like, it's just, like, responsibility in the hands of developers. Developers, even good developers, make mistakes. You know, I feel like we're at something that ultimately will lead to legislation, whether or not we want it to. I agree with you, little legislation's better, but, you know, we need liability in the system in order to, you know, take action and sort of you. But I would say that the reason we are in this situation is exactly because we have a bunch of information in central databases that were collected by people, and that every time they use a login and something, they don't care about where their data is nicked in, and we are sort of, like, there is this wave of legislation trying to come in with developers.
I'm not saying that all legislation's bad. I'm not, like I read Colibert Heron, but my point is that there are people who are trying to just say let's just stop it on that front. But I think you can do it on the other front and say, look, the main problem here is that users are, like, browsers are insecure. It is that we are building a system where data is not stored under the user's control, but it's stored on machines where we don't know who controls it. So one of the things we can try to do is give tools to users so that they can control their privacy and can be sure who is even accessing what information they are creating. I think that's what I'm going with. Yeah, yeah, I see is eating nutrition labels to tell us what we're feeding the blockchain. You know, that's a, I don't say we're going to tell them what they can and can't do, but you don't eat. The users need to know. The best place to have the nutritional label will probably be on your browser, not on the app layer. Right. It will probably be something that you're running at the browser UN Bebo telly. Look, here data is being leaked, here is which information you are sharing, and here are the things we can do to avoid this, right, and I think that's where we can, that's exactly what I'm currently working on. Its status is providing that information in a local context so people have much more understanding and guarantees around the information they spread, and when you build on infrastructure like this, you'll have emergent social behavior that is better for the whole as opposed to the individual who gains the data. If everyone holds their own data, they will eventually become used to understanding what data they expose with the interactive things.
When you build things on a centralized infrastructure, that social behavior is not emergent because it's not up to the, it's an offloading of responsibility to someone else to handle that type of information. And that's why people act the way they do on the Internet. And I'm just going to say I don't think the browser is the right place for it, because I don't think browser makers should be playing whack-a-mole with how dapp developers are trying to get around certain notifications, and I feel like ultimately the liability for any dapp you release is on the dapp developer, not the browser maker, not the end user needs to be informed, and I believe that the responsibility to inform your dapp users of what's going on in your dapp is ultimately up to the dapp developer, not a person who writes a browser. They should not be both that developers. That's why I want my browser to be a shield, because I know, yeah, you can have it fronts, but that's where the inconsistency of reporting comes in. So if you find that information is being submitted to the chain and they didn't say, hey, your information would be submitted to the chain, there's liability on that apter. That's the beauty. That's the...

...beauty. Don't the value isn't held by the dapp developer, ever. That's the whole point. Is that if they want to do something like that, if you hold the information and you hold the permissions to that information, you'll always know what the dapp is trying to do. That's the whole point. And so, as a dapp developer, your job is not to figure out all the potential ways in which you could screw somebody. It's just providing a service, because you don't have control over all of the value. Your value isn't it is. It is a transitional medium. You transform value of one kind to another kind, and if you don't do that properly, the user will know because they have control over all the data. I think I just see too many attack vectors there. Well, so I don't know, we'll see. I'll be that's maybe that's a diatribe's conversation we can have. God, I really, I really, I don't trust developers being kind all the time and I feel like if they can get your information somehow, yeah, we'll submit it on chain and will baid way. But if they can find a way to do it, you know where, they're also submitting into their information database. That's where I kind of like, okay, if we trust the chain, we also have to trust the dapp. I don't think that that works. The dapp is a proxy for the chain. The chain itself is the truth, but we can't trust the developers in their code and we need to put liability on them for behaving properly. Well, I think it can all be true, right, we can. We can have, we can try to solve the problem mole front. Yeah, I agree with that. Now there's no, like, one stop shop solution for all of this. It's definitely a mixture of all things. Yeah, and it's good to have people multiple points of view on that and different ways of thinking and different trust models for their own internal ethos, because, you know, that's how we build better software. So, yeah, I like this conversation. Alex. 
how can people reach you? I am on Twitter, avsa. You can start there, and I'm probably in other places too, and a website for universal logins, universallogin.io. Simple enough. Thanks for coming on the show, enjoyed it. Thanks for Thank Colin.
