Root Causes 206: What Is Web3?

Hosted by

Tim Callan

Chief Compliance Officer

Jason Soroko

Fellow

Original broadcast date

February 14, 2022

Web3 refers to the concept that online content can be attributed to specific known publishers, regardless of web site or online channel. In this episode we discuss the fundamentals of Web3, including self-signing protocols, authorization of content, blockchain, definitive authorship, consensus algorithms, and meat from space.

Podcast Transcript

Lightly edited for flow and brevity.

Tim CallanWe want to talk about Web3.

Jason SorokoThat's a term that's been bouncing around for a while. If you're watching business channels, if you're watching anything about Facebook Meta, if you've been watching, a lot of things. Mark Zuckerberg was talking about it. We've got a lot of people who are high up in US mega tech throwing around that term. And it kind of sounds and feels like a marketing term, but in a way, it's a way of organizing some ideas. It's a way of categorizing some work and some trends that are happening right now, Tim. I want to put it into perspective and then we're going to talk really specifically about why it applies very much to this podcast.

Tim CallanI think that's great. As a reminder, of course, Web2 was a term that came out probably in the early 2000s and the idea was the web moved from being a publishing platform to an interactive platform, essentially. It’s where user-generated content and everybody became a publisher to some extent, and that was this idea of Web2. So obviously, the Web3 concept is trying to build on that history. For those of us who remember that history. But what do we mean when we say Web3, today, Jay?

Jason SorokoSure, Tim. Web3 is going to be a world where there's not just user-generated content, which is what we see today, but the authority over that content is also user-generated. Isn't that interesting? So let's really go back in history and talk about like, because I'm old enough to remember Web1. Web 0.5. Like, I remember that. In fact, Tim, I remember Kermit. I remember Archie. I remember Linx. My very first website that I ever, if you want to call it, browsed to, was on Telnet at CERN, they invented the World Wide Web. In fact, the idea of a hyperlink within Telnet was my first experience with that technology. So, I go back to literally the very beginning. And then my very first experience of using a web browser was not Netscape. In fact, my first experiences for quite a while of the web, had nothing to do with graphical interface. It was entirely on a UNIX system using Linx. I still like Linx. But I liked the speed of it. Anyway, let's, let's move on. Web1. Let's put this into context here.

That was host-generated content and host-generated authority. If you think about it there's a great article I want everybody to go look at by Jay Graber. It's on Medium. Just go search that and you'll find a terrific article that she wrote. I am going to be basically paraphrasing some of her ideas in that article. So full, full absolute credit to Jay Graber.

So Web1. Let's call that the hosted web. In other words, Tim, if you wanted to put information out on the internet, you had to be the host. You had to run your website and you had to create the content. So, it was host-generated content. You made the content. And also, the authority over that content was well, because it came from me and my site, in other words, my server, my web address, well, it came from me. It was read-only probably. Your website is probably read-only. It was HTTP something and you put your content Tim's infosite.com. People could go to your site using Netscape, whatever browser of their choice, and they looked at your content and that was pretty much the end of the interaction.

Remember, there was the hosted web now we got the posted web. I found it jarring at the time when most people put their content up on social media. So, Facebook became gigantic because of the fact that you didn't have to create that website. So now we've got yes, user-generated content, but host-generated authority. In other words, Facebook could shut you down. Facebook could advertise you or not advertise you. Facebook basically owned your posts.

Tim CallanPromote your posts. Demote your posts. Yep.

Jason SorokoEverything. So that's Web2.0. The hosted web. Now the posted web. Web3. How about this, Tim? This was a great suggestion by Jay Graver - the signed Web. User-generated content just like Web2 but user-generated authority. Big change and what is allowing this? And notice, I haven't said the word blockchain yet? Even though I'm talking about Web3. Isn’t that interesting? We are going to go there, though. What really makes Web3 Web3 is this idea of self-certifying. It’s based on self- certifying protocols that allow user-generated authority. So, Tim, think about this. A content hash. You got a file. It's been hashed. It's been signed by your private key. Can prove that user – you - authorized its creation. It did not require an intermediary.

Tim CallanSo, it doesn't have anything to do with who I am or what I do or where I'm located in the world, but if I own that private key, I am that unique publisher, if you will, and if I publish something else with the same private key, it can be proven that it's the same publisher.

Jason SorokoSo, Tim, at that point, does the host mean anything anymore?

Tim CallanBecause you're saying I put these things wherever I want, and I've got some kind of unique signature that people can check. I am wherever I am, I put this on Facebook, I put this on Reddit. I put this somewhere else, and it's signed and it all is ultimately attributed back to that same author.

Jason SorokoYou and I spent most of our lives in a client server architecture. And what I'm saying to you, Tim, is when you self-certify data, you're basically enabling the trust to reside in the data itself, not in where you found it.

Tim CallanSo, in other words, I start to pay more attention to the author, the known author, or maybe publisher is a better word, because that might not be the original content creator, but the known publisher, rather than, as you said, the site. Rather than the container where it sits.

Jason SorokoIt could even be, Tim, that the author could be some even other third party. Really, the entity that is signing the content is saying I authorize this content. I think that's the best way to say it, because the author of the content could be even someone else.

Tim CallanExactly. Or the same author could publish as different entities. Let's say I have different brands, if you will. And those would now be decoupled from each other.

Jason SorokoYou got it, Tim. So, you know what? I think we've established this. Web3, my goodness, if you listen to anybody, Web3 is whatever my product is. That's what you're gonna listen to. And that's normal.

Tim CallanThat’s always what happens. We just talked about this with passwordless a couple episodes ago. Absolutely.

Jason SorokoYou got it. So this podcast goal number one is to dissuade anybody from thinking that Web3 is purely a marketing term that based on whatever some vendor you listen to first, Web3, if you really want to use that term - and we're, regardless of whether you use the term - we're seeing a trend, where, again, where Web2.0 was, you make the content but somebody else authorizes it. Web3 is going to be no, there's going to be user-generated content where the user can authorize it, and everybody can see and prove that it was authorized. And it's going to be based on the idea of document signing. It's analogous to document signing that we know and love and we've talked about many times on this podcast.

Tim CallanIt’s like DocuSign or like Code Signing. There's so many ways to unpack this, Jay. Is this happening now? Let's start there.

Jason SorokoIt is. It absolutely has and it is. So, let's get the humongous elephant out of the room. Let's talk about blockchain. And then we're going to talk about the other real technologies that are coming in that are not blockchain, but still are involved in this idea of self-certify.

Tim CallanLet's talk about blockchain.

Jason SorokoBlockchain. Alright.

A lot of people think that Web3 is synonymous with blockchain. I don't think it's entirely true. It's only one self-certifying toolset. But here's the thing, Tim. It's a little bit too heavy-handed for all the use cases. It does too much. So, think about it for a second. Remember in Web2.0, you have to create a user account in a centralized system.

Well, blockchain basically replaces that with a cryptographic key pair. We talked about how when you create a cryptocurrency, for example, you're essentially creating a private key/public key and your central user account is a hash of the public key. Remember, we talked about that?

So, Tim, let's say you have a something that you want to share. A piece of whatever it is. You want to establish the fact that you want to trade some Bitcoin or you want to trade an NFT. Well, your ability to sign with the corresponding private key in blockchain is that root of trust. Proving someone controls the account.

Tim CallanAnd you're that someone? Yes.

Jason SorokoThat's the basis. This sounds like oh, man, isn't that the basis of self-certifying? Well, let's talk about the stuff you may not necessarily need in just straight up Web3 that blockchain does have. So, think about this. What makes a blockchain blockchain is the consensus algorithm. Really, that's enabling everybody to agree on a global state. In other words, rather than Web2.0, where it was just a database, a centralized database that somebody centralized, had centralized control over, in this model with blockchain, you do not have to trust each other because that global state is published and provable because of the consensus algorithm. But also, you do not have to use that centralized database at all. You can completely decentralize the node and publish this data anywhere. And mathematically, it's just true. Alright. We know that. I’m still not into new territory here. But think about it as well - blockchain also allows timestamping, which in other words, you know when a transaction happened. Well, you have to ask yourself, is that important, Tim? Let's say you created a piece of artwork, and you wanted to share that with me and you wanted to prove that you were the authorizer of that artwork.

Tim CallanI would say that it may or may not. So, for example, if I put up my predictions about the Olympics, and who is going to win what event, then timestamping is extraordinarily important because either I'm a genius, or I'm a fraud.

Jason SorokoYou know what? Dead on example of where a timestamp would really, really come in handy in that analogy. But there's a lot of use cases where a timestamp is just a piece of infrastructure that's like maybe I don't need it. But then there's also the concept of uniqueness. Like blockchain consensus algorithms, the blockchain itself, there is a concept of uniqueness. In other words, in the distributed ledger, you're able to see that one person, or one entity owns a part of a Bitcoin, or owns one NFT at a given point in time. So that timestamp, the uniqueness, that's all stuff I like the distributed idea. I liked the self-certifying idea. But maybe I don't need the timestamp. Maybe I don't need the uniqueness. Therefore, Web3 isn't just about blockchain. There are other self-certifying protocols that are out there that are more lightweight. I think you're going to start to see some of these things.

What I always like to do is let's go back to something we know, or something that we're a lot more familiar with. I know we've talked about PGP in the past, Tim, which is where if you and I want to exchange a secret, let's say the most perfect example, let's say I'm a dissident in a certain part of a country that doesn't like me, and I want to get a secret out to a Western journalist. The problem is yes, we can encrypt. I certainly can encrypt my message. The problem is, how do I get it to you? How do I get it so that you can decrypt it? Well, we need to exchange our private/public keys. I keep my private key. I need to get you my public key. We've talked about this on this podcast before. How do you typically do that? I could put it on my Twitter handle. Some means of communication, I would get you this public key and then we can start to exchange secrets. Once you then just have in that way you now are getting content that you know I signed. With document signing certificates in the world of PKI that we know and love, there's a similar analogy there. It's just instead of a crypto key, it's done with a certificate and it's centrally managed. Therefore, there's less problem with having to exchange our public keys because typically that's done through an infrastructure. So, let's then move on.

I'm gonna give you some examples of some other self-certifying protocols that are not necessarily blockchain. You're gonna love this one, Tim. IPFS. And that acronym is the interplanetary file system. Isn’t that awesome? So, the question there is, how do I peer to peer share files? Well, you and I could do that right now. We talked about tailscale not that long ago. But again, there's some centralization going on there. So, think about it like this, if YouTube is Web2, IPFS is kind of the Web3 version of it.

And let me explain. Web2 utilizes location-based addressing for files and it's based on you having a centralized user account that is hosted by somebody that you don't have control over.

Web3, instead of using a location-based addressing for files, Web3 is content-based addressing. So instead of Tim, you saying, hey, you going into a search engine and saying, give me a picture that looks like this. Give me a picture that has worded tags that are x, y and zed? Well, how would I ask Web3, give me a picture that has the hash of ABC123, whatever the hash is representing that file? In other words, you can start asking about content addressable Web3. Isn't that interesting? Rather than having to care about client server architecture, all you care about is the cryptographic address of the content.

Another way of saying it is, I want to address the content by the content itself and in so doing, you are also involving who is the authorizer of - -

Tim CallanI mean, in this scenario, that's really what you're doing. Let's break content into two chunks. There is the thing to contain. There's the speaker and the thing spoken. So, you're saying I can search for a speaker because I have a reliable handle that I could use and I could say, I want everything. For whatever reason, I want to know what the following speaker or publisher has to say, and I will look for that and I can get that. The thing spoken, of course, is just whatever it is.

Jason SorokoHowever, that is absolutely true because you could essentially look up, the public key of the person who did the hash. Give me all content that was involved like that. However, there's also the content itself - the thing spoken.

In other words, YouTube does a marvelous job at helping you with the discovery of their centralized location of files.

That's what YouTube is. What YouTube Web3 would be - the analogy would be, we're going to help you to do discovery of content, but where it's hosted, how it's hosted, who knows? It turns the whole idea of on its head of things that are censorable. What's missing from this, Tim, is that is exactly what you're struggling through, and I'm struggling through here, which is there's really no good discovery mechanism yet for the content.

Tim CallanThat’s what I was gonna say - where is this recorded?

Jason SorokoIt's the same problem with PGP. Where do I go look up the public keys? Because that's essentially what the addresses are.

Tim CallanThis is where I come back to my - again, speaker and things spoken. I'm sorry if I'm using bad nomenclature here. But, if I built an audience that really cared what I had to say, and I wanted to authenticate that I was this true author - - a good example of this is Q. How do you know it's really Q. And so, whoever Q is, a lot of people care is this sincerely from Q or not? If there were a mechanism and you could sign it uniquely and then at that point, you could publish wherever you wanted to publish, and people would say, this is really this person, then that itself could become how a lot of people would seek out information. Like I can see that and I get that working. Then it's what you said, I’ll just put it on my Twitter handle.

Jason SorokoSo, Tim, all of a sudden, your equivalent of a YouTube channel, which is what you would do is - -

Tim CallanIs anything. It's the world.

Jason SorokoIt's the world and all of a sudden, it's like, well, I just want all content that's been published by this public key.

Tim CallanI like this guy. For whatever reason, I want to know what this person has to say. I believe they're credible, or I think they're knowledgeable, or I enjoy it. I think their music is good. I think their art is good. I think their jokes are funny. Whatever it is. And that becomes youre, youre reason for selecting. You’re selecting - again, I will say an author, but it's not necessarily an author. It could be a publisher, it could be somebody, it could be somebody who curates content. Under those circumstances, you're a good content curator. I like the stuff you pick. It appeals to me. Under those circumstances, that would be how I would choose. Like you said, that's, that's now my equivalent of a channel. Instead of my channel being on YouTube, my channel is just anywhere in the world.

Jason SorokoSo now I'm on your channel. Because there's another layer beyond this. What happens if I click on you know, and this is an imaginary world we're talking about here. So, you have now allowed me to discover some content of yours and I want to consume that content. So, I'm going to presumably click on it. The computers, our computers now have to do something interesting, which is, let's do the IPFS exam. It's a peer to peer sharing of files, but - -

Tim CallanAcross planets. Between planets. Or intergalactic, excuse me.

Jason SorokoThat’ll be Web4.

So here we are. You’re now saying, alright, there's this file I created and it has a hash of x. I probably won't have to see this because all I care about is the content. So, I click on it. Essentially, what's happening here is you're telling my computer, by the way, the hash that you want to look up is this - X, Y, Z. And then my computer will go off and say, alright, go search the world for any file that has this hash and then I will know that you were the publisher and whatever you claimed about it is true. It is the real content. You don't have to be hosting it. In fact, it could be hosted in some sort of distributed file system that couldn't care less about you or me. It’s just saying, hey, I am the internet and here's a file with this particular hash and you asked for it, you got it.

Tim CallanIt could move around. It could be if somebody found it. So I'm an author of short stories. I publish short stories on online literary magazines. And there's a few problems with that. One of them is sometimes the content disappears. Whoever is hosting it stops hosting or stops publishing it, and then it's just gone. Another one is I have found my stuff other places. Somebody liked my story and put it on their website. It's just there. It's my story. And there it is. All of that stuff would go away. If somebody wanted, if somebody liked my story and wanted to put on their website, great, do it because it's still uniquely identifiable as being from me.

Jason SorokoI think one of the challenges you're still going to run up against him is people can take portions of your analogy.

Tim CallanIn that analogy, you could go copy the words. Yes. But at least there would be less of that, and for somebody who is not malicious, it's probably easier just to take the content as it is.

Jason SorokoRight, Tim. But think about it. There is an importance in saying this is the definitive content. There will be other technologies to be able to say, hey, who is copying a piece of my content? There's already good AI that people are developing around that. And that's a totally separate topic right now. But what we are talking about here is you can claim the definitive, this is the truth, this is the file, this is what I published. If there are derivatives of this, I'll go find those with an AI but if you want to buy content, for me that's legit, this is the definitive way of determining that I am who I say I am.

Tim CallanOr it's as you know the publisher intended. I'm thinking of another example. There's a marvelous short story I absolutely loved and it's got a little bit of a denouement in the end. There’s a punch line and then there's a couple lines after the punch line. And if you look this up story up online, chances are good the version you will find has had that denouement removed, as people have decided it's better without it, even though the author originally wanted it there. And there's some value in saying, even if I agree that it's better with those last couple of lines removed, there's some value in saying this is the thing that the author created.

Jason SorokoAbsolutely. And of course, in the topic of document signing, when you're signing content, this is the world that you and I from, I mean that's the whole basis - -

Tim CallanAbsolutely. You can’t have people changing that. Yes, I get you on all of that. I mean it seems like there's a couple of advantages here. One that we talked about, I talked about some of the things that are from my personal experience - pendants on that channel or that site, and things moving around and being portable. It also feels though, like there's a newer – and you were alluding to this, I think - there's a control aspect. So, if my favorite site, if YouTube decides that it doesn't want my content up there for whatever reason, it can take it down. But if what matters is who is speaking and how they tagged it, then there's lots of other places for this content to go and that level of power for these, let's call them site operators, for these channel maintainers, is vastly diminished.

Jason SorokoCensorship, resistance is a part of this. Again, that could be a whole podcast. But, that's a bullet point we should throw in there. Essentially, think of it like an NFT, where a domain you own is essentially the equivalent of the equivalent of an NFT, where, again, and it's almost impossible to censor, because where is it hosted? Well, it could be hosted in multiple places or anywhere. It's not a web hoster, or it's not your typical web hoster that could be subpoenaed by law to take down a domain because it breaks a law or hurts some politician’s feelings, or whatever it is that people censor things for. This is the world we're looking at, Tim, and there's a lot of examples of that.

Tim CallanSo again, the surface on this topic but the one that screams at me is to say, look, this is a great idea and if I were writing a science fiction novel, I could just declare that this is how it is, and everybody would accept that. But if this is a thing we want to exist in the real world, what are the steps between here and there?

Jason SorokoI think the initial steps have already begun, which is blockchain kicked off, let's call it what it is. Bitcoin, as a killer app for blockchain, kicked off decentralized computing in a much more major way than it ever had been in the past. Consensus algorithms taught us how we can work in a world where you and I don't even have to trust each other. We don't have to go through an intermediary. Those are gigantic implications.

The next step here, Tim, and what we're talking about is Web3, which is now alright, all that heavy infrastructure that's great for a cryptocurrency may not be needed to do this kind of self-certifying, user-centric, user-hosted, user- authoritative web. You don't need blockchain. Blockchain can absolutely be part of it, and it will be part of it. But there's also all these self-certifying protocols. We just mentioned a few. IPFS. Another one I can mention is hypercore protocol. I know, those of you listening who really know what you're talking about, will skewer me for saying it, but please forgive me. It's like lightweight blockchains without the consensus algorithm. That's a grotesque oversimplification of what's going on here. But those kinds of protocols are popping up everywhere and I personally can't even keep up with the speed at which these things are coming out. The problem is and, Jay Graver actually mentioned this very, very clearly in her article, and I want to go back and reference that because it's kind of the inspiration for this part of this podcast. That could be a whole other set of podcasts, Tim, is what are the problems that need to be solved so that this isn't science fiction? Part of what needs to be done here, though, that's applicable to this podcast, and it's within the scope of this conversation is how do you trade those public keys easily? How do you protect those private keys properly? Here's a trillion-dollar idea. I don't even think I'm exaggerating. The search algorithms for Web1 and Web2. So, search algorithms mean they came out of Web1. Show me all the websites where you know the word Tim Callan is used. Crawling, crawling all these server locations looking for those words, and there'd be a centralized database and you could search that and terrific search engines. Well, how's this going to work in Web3? I think, Tim, right now, everything is very, very, very machine readable. All these hashes, all these public keys, that's difficult stuff. Then the automatic association of how do I sign my things? Well, in the document signing world, we have a lot of that solved, but it's not decentralized. What needs to happen is because it's decentralized, because it is, you own the authority, Tim, and you're hosting it, but it's not necessarily in an easily addressable system? How do I get to your content? How do I easily discover you? Because right now that’s what makes Web2 work so well.

Web3 will work well when that whole problem of discovery is solved. That's only one of maybe four or five other problems that needs to be solved but it's the one I want to bring up here, because it involves the connection between content and people, and their public key identities and their hashed content, addresses, et cetera. Whoever solves that, well, there's your next trillionaire.

Tim CallanThat's like, that's almost like a new kind of search engine essentially. You could imagine something that has to take and aggregate, find - locate an aggregate, this information for these files, for want of a better word, these chunks of content.

Jason SorokoSo if you're a science fiction writer writing about this right now, Tim, what kind of a future search engine is it? Is it one where like major search engines we see today, they monetize based on advertising, they monetize based on the fact that they have an algorithm that favors paid search terms versus not? Or is this going to be one of these spirit of decentralized computing, where it's like, no way, man, it's just based on search accuracy? Who knows? Something tells me that big US megatech has already - -

Tim CallanI think people who make lots and lots and lots of money from search, will want to make this money too.

Jason SorokoAbsolutely and there is a place for profits. There's a place for, hey man, I provide this service and I want my cut. I don't think there is anything wrong with that. What I will say though, is man some of these issues around difficulty of censorship, and who really is hosting it, these are major barriers to currently the way things are done and by either governments or regulations or even by big mega tech themselves. So, it is going to be a different world but that's why I wanted to have this podcast. It's very related to document signing and the rest of what we do in PKI, Tim. It's all about crypto keys. Interesting stuff.

Tim CallanIt's very interesting stuff. And as you can see, we've literally barely started to explore this topic. I am 100% confident we are going to be returning to this because we could deep dive on a dozen things we talked about today and a dozen other things I'm thinking of that we didn't even get to. So, to be continued for sure.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!