00:00:04
so on that the topic of the the problem of uh public cipher text so we've solved that problem i actually talked about that yesterday in our talk i can briefly mention it here i actually cut up most of that from this talk but um
00:00:17
yeah so to focus on applications but i'll give you a super quick overview of peergos it's a global peer-to-peer encrypted file system and application protocol being a file system everything has a unique path which begins with your
00:00:28
username fine grained access control it's pure capability based you don't need to rely on a server to enforce these capabilities just maths it's quantum resistant
00:00:41
auto scaling gdpr compliant you get real deletion so the the public ciphertext thing so we've added a new uh a new layer of access control at the block level in ipfs
00:00:54
so you can control who can even get the raw ciphertext blocks through ipfs so we had to extend bitswap for that um and yes so now
00:01:06
your if your your data in peergos only the people who you give a capability to to to to read that file can actually even retrieve the cipher text so we we
00:01:20
for years now we had read and write caps but now we have a lower one which is mirror caps and that's the thing that stops the public cipher text problem so yeah what do we what do we mean by
00:01:35
applications um so they should be user run user owned and possibly uh unique in this view but they should be untrusted uh so apps shouldn't be able to
00:01:49
exfiltrate private data i should be able to take an untrusted app run it over my private data and not worry about that data being stolen or exfiltrated
00:02:01
uh apps shouldn't have to worry about identity or login or storage access control or encryption writing apps should be easy right so our view of apps is
00:02:14
an app is just a folder of html5 assets which itself is stored in peergos so the apps themselves are private you can make them public if you want but by default it's private so you could for example charge for an app
00:02:28
by using the underlying access control the only extra thing that's not standard html5 is just a manifest file which is json with some metadata so they're requested permissions things like a
00:02:41
title icon this kind of thing so this is this is the execution model so the the idea is your your end user is logged into peergos in the browser
00:02:55
and that's the the main tab on the left the main main context and that's the thing that can get data from the network um it doesn't we don't do peer-to-peer stuff directly in the browser for
00:03:08
privacy reasons for we don't want to broadcast your ip address or anything like that so that's handled by the server but everything the server is treated as untrusted so everything the client gets whether it's a hash or a signature or
00:03:19
whatever is is checked uh in the client code and in terms of an app so the way we do this so we want to isolate different apps both from the main peergos context where for example your
00:03:32
keys are and your data but also from other apps and as we've learned from the recent years you have to worry about things like side channel attacks so this
00:03:46
absolutely has to be a separate operating system level process than the main tab and that's quite hard to guarantee in browsers these days but but you can with some recent
00:03:59
additions to browsers and so the basic idea is we have a generated sub domain and this works on localhost as well so you don't have to have a wildcard certificate on a public server
00:04:13
and the the generated subdomain is basically a hash of the human readable path for the app that you're running so those are the they're paths in the peergos file system so those are unique anyway
00:04:25
uh the hash is then unique and so you get your isolation that way um you can also within an app you can add an extra like isolation parameter to get a different hash as well if you want
00:04:37
um so for example one of our apps is is a web browser uh in the browser um and it wants to isolate its websites from each other so it has an extra uh the
00:04:50
isolation parameter um and so yeah the basic idea is that by default an app has no permissions it can't do anything uh all it can do is read its own assets
00:05:02
and so the other critical thing is the the green box the the sandbox there that's locked down so that an app also can't make external connections
00:05:13
to to the web um because that you could just trivially exfiltrate data and so the idea is that the server serves up the same
00:05:25
static code for all sub domains and all that does is set up this service worker on the on the subdomain which then communicates with the main peergos tab via post messages
00:05:41
and so then in the peergos context the the the trusted context that's where the apps permissions are enforced can it do whatever it is we'll talk about what the permissions are in a minute um and then yeah then that service worker
00:05:56
then loads your app on the same sub domain because that's how service workers work and as far as the app is concerned it thinks it's just talking to a normal http server with there's no encryption or anything
00:06:09
that just doesn't know about uh so yeah we've just talked about most of that um yeah so by default an app can just read its own assets app permissions so
00:06:24
if you want to have more more more interesting stuff you can grant an app a permission to store basically persist data in your space so this means it's an app specific folder the app can
00:06:39
read and write arbitrary files whatever it wants enter into that folder so that could be save games or settings or whatever uh another one is to edit a chosen file
00:06:53
so this means it's basically like the user says i want to open this file with this app and the app can then uh during that invocation edit that particular file
00:07:06
or there's another one which is read chosen folder so that could be like a gallery or a music player or something like this so far those first three they're one player mode so that's just
00:07:19
you and your app you and your data and your app it gets more interesting with the fourth one which is you can exchange messages with friends
00:07:30
uh and these are all so there's basically we already have a chat protocol uh it's you know it's it's all encrypted it's it's uh crdt based inside the encryption on on top of peergos but the app doesn't
00:07:44
have to know about that it just says i want to create a chat and with with some friends who might have the same app installed and you can then send asynchronous messages this way
00:07:56
so you could use that to do you know multiplayer turn-based games or something it's not real time so you can't use it for network doom or something like that uh we'll work on that one um
00:08:09
we do have plans for that but not yet um so yeah this is i mean this is all hot off the press literally we released this sandbox two weeks ago so uh there's lots more lots more to come uh if you want to read more about it
00:08:23
well there's the peergos generic link but also apps you can just go to our book book.peergos.org/features/apps.html
00:08:35
and i'm going to try a demo alright so i'm logged into peergos here first of all so i've already got two apps installed what have we got uh one is an image editor
00:08:50
and a clone of winamp and so when you say uh you can also register for file types in in that manifest file so for example if i go
00:09:02
let me just uh let's see here this is some audio so if i go down here i've installed this winamp app uh so i can now view this this file which happens to be a song uh in
00:09:22
winamp and we'll see if this works and we'll see if my sound works doesn't so that's that's a winner in pap um [Music]
00:09:52
that's that's gone so yep hopefully we're under the threshold for that yeah so that's one app what was the other one i had was an image editor so let's go into
00:10:07
media we've got some images okay yeah tui image editor so whatever we can open some image editor there's the image we could whatever do some some stuff and edit it and save it i won't
00:10:29
go through that um you don't you also don't have to you can run apps in place you don't have to install them um if they don't need any permissions um
00:10:42
so for example this is doom via js dosbox so you can see we're working our way up to network doom this this is single player too but uh
00:11:10
anyway you you get the idea and this is so the cool thing with these apps is the server doesn't see the app assets so the apps themselves are private um that might also trigger something so
00:11:21
let's close that um i've got a question about uh maybe i missed something but where where exactly are those apps running is it just fully this is fully in the browser so it's
00:11:36
the app in its entirety in order to run in a client is in my peergos file system yeah an app is so so so these these are the apps here this is pre some pre-installing them so i can
00:11:50
show you so for example the image editor or if i wanted to create my own app i would just go create a folder in here and then do whatever format okay yeah so yeah basically it has the assets folder
00:12:02
which is the assets that's all the standard html5 stuff um and then there's this magical file the the manifest the json file which we can we can look at um
00:12:15
in another app the text editor yeah actually you could if you could uh you can log in through any device is it through uh server or is it sound so every peergos instance runs uh
00:12:53
and and what installs and runs its own ipfs instance um and everything happens by that yeah so in the same way uh the digital boots out the js ipfs in browser
00:13:05
and you have your roots in and every device would then just lean on the same page of the of the invest protocol right
00:13:16
yep uh and so yeah the other the thing that's cool is so you can as i mentioned an app is just basically a website um
00:13:40
so you can view websites natively in peergos so this is again these assets are served from peergos uh the server doesn't see them because they're all decrypted
00:13:52
locally but i've got the full website in there and in a similar way that you can share
00:14:04
anything in peergos via secret link you can also share websites let's see if we can do this and i'm imagining there's a permission model
00:14:17
for the friend that i share a link to my website to so that only joe admin can access it right or well it's capability based so a secret link anyone who has that link the
00:14:29
capabilities in the url itself okay uh not like not tied to a id or anything like that no pure capabilities you can revoke access by rotating keys um
00:14:44
just keep track keep that index of the links and who i share it to and then revoke it you so the secret link that's mainly for sharing with people who are not on peergos if they're on peergos you can do in-band sharing so this is the sharing screen here so i can type in
00:14:57
username of who i want to share it with and this this remembers who it's been shared with read or write or whatever or you can share with groups so there's friends or followers of the default groups but you can also do custom groups
00:15:09
um but yeah so the secret link let's see if this works we need we might i might need to i think i'm going to need to adjust something first so this is a secret link to a folder so it didn't auto open it but
00:15:29
we we can do that and if i just take this link so now it has the app that i want to open it with in the url so if i close that and
00:15:42
go to another browser we don't have any we don't store any state in in the in the browser anyways so there's nothing shared between tabs
00:15:55
then this should open the website automatically and basically this is uh the peergos application running on desktop
00:16:07
uh well this is running on peergos.net but this is just a uh yeah you could run it on localhost as well no what i mean is that you have to have that the peergos application installed no okay so this just works in
00:16:20
any standard browser that's one of our things is we want anyone to be able to use it so we want to avoid web extensions uh having to install stuff that's a great thing i think that's also very much one of the things that we said is
00:16:32
should work in every browser including mobile as our baseline but in this case all of the publishing and everything like that you need to have the um desktop app
00:16:44
so the web view is read only i each user has a home server which is responsible for storing their data and provides the current source of truth you can do
00:17:06
offline reads in principle uh but not writes unless you well so our plan for that is to do do that on an application specific level so if an application knows it's using a crdt that's fine you do what you
00:17:19
want but at the raw what was it doing here file system level then yeah all right that's working cool uh that's basically i think
00:17:37
[Applause] instance running in um no so we don't run any anything in the browser because we don't want to broadcast ip addresses so it's running on on the server so you
00:17:53
can connect through any server you like and if you do any writes those will get proxied to your home server basically yeah at least two things that i'd like to like
00:18:06
but the manifest file seems really interesting that's something that i had in my giant list of random things i'd like to have eventually but and just basically used html5 manifest file with a few
00:18:22
extra vendor extensions that might be interesting for us to use is that kind of what that manifest file is what are they what are the extra approvals basically yeah i mean it's very similar to something like android so it'll have
00:18:35
the permissions that you want whether there's an icon for it or not um and any like file extensions or mime types that you want the app to register for uh
00:18:47
the author um the install source so you can get updates uh love to figure out like anything that we can do to basically be like
00:19:02
we use the same format yes that would be good like that would be amazing yeah because we've just made this up and especially we do capabilities if we can uh have some consistent language for some of that that would be super useful
00:19:15
and you know like my thinking is developer option like hey if we've already got people we're using html5 pwa manifest files then yep we can consume all that there's probably
00:19:26
and i'm not smart enough about this yet yada yada yada ipld something that comes in there but is that the correct answer i like i feel like yeah just this i feel need that
00:19:40
structure yeah it's still new so i don't know what that means but that's what i heard just saying those words until someone like fixes it make it an ideal instructor uh amazing um um
00:19:57
uh pain so so i captured a couple from uh uh from book like bitswap challenges and browser support [Laughter] what would you like to not have to
00:20:16
do completely on your own what would you like to consume upstream what do you want to see from the ipfs ecosystem to make things better what are you going to tackle or need to tackle on your own the first thing i was going to say is not from ipfs but more
00:20:29
more primitives in web crypto 825 um and and maybe even some post quantum stuff would be nice but i'll give that 30 years i imagine just
00:20:46
understanding a slight bit about architecture you know you're hosting a server which means load balance here which means all the typical web 2 stuff so if you could get rid of that that would be great right but
00:20:58
you're not doing that because why uh we don't have to have a load balancer if you're self-hosting you can it's your own broadcasting your ip right so like how did we solve that in ipfs so that you could just run an idea that's
00:21:11
noted right so yeah i mean so we've been thinking about this for years and basically yeah uh the the kind of privacy we want from libp2p there's a there's a group uh some did some work of this a few
00:21:25
years ago p3lib on anonymity within libp2p something like that would be awesome and so the way we would use that is uh you might have seen yesterday in our
00:21:37
talk we only really use the block api we would have an extra parameter to all the api calls which is the anonymity class and that would basically determine the the onion identity that this that that
00:21:51
request would be routed through and so you could you can the application to decide i want you know these these bits of data should be not connectable by the external network um
00:22:04
because they're for example from different people and you don't want them to there's friendship connection to be leaked or that kind of thing as well as obviously protecting things like your ip address um yeah
00:22:16
so you're generally the view that running ipfs's architecture today in a browser is just just a bridge i personally don't then wouldn't do that yeah i just wanted that viewer
00:22:28
we've heard that feedback uh so there's the ink & switch folks who wrote uh the seminal local first software yeah i'll actually add that to the links you have about everyone it's kind you can see the architectural pieces
00:22:49
except their big issue is like okay cool you've got encrypted yeah um and that seems problematic to us yeah and by the way you're like asking 600 strangers
00:23:12
we could improve that slightly i've got another question um and you might have answered this but um peergos to me seems like it's focused on
00:23:26
specifically on users for their data but is there a story for you know this track is building apps on ipfs so what about building apps on peergos like how do i build an app and
00:23:39
share it and then potentially you know profit from some app that i distribute to peergos users is that um yeah so so apps uh they're just a folder of stuff on
00:23:50
peergos and we you know it's a private file system we have access control so you can control access to your app so if you want to charge for your app for example you can do that we don't have payments in band but you can do that out of band and just share share the app
00:24:04
using the access control based on some payment system absolutely yeah awesome thank you
End of transcript