Identity, Capabilities, & Private Data - presented by @ianopolous at IPFS þing 2022 - Building Apps on IPFS - https://2022.ipfs-thing.io
A
So on the topic of the problem of public ciphertext, we've solved that problem. I actually talked about that yesterday in our talk; I can briefly mention it here. I actually cut up most of that from this talk, to focus on applications, but I'll give you a super quick overview of Peergos. It's a global, peer-to-peer, encrypted file system and application protocol. Being a file system, everything has a unique path, which begins with your username. Fine-grained access control.

A
You get real deletion. So, the public ciphertext thing: we've added a new layer of access control at the block level in IPFS, so you can control who can even get the raw ciphertext blocks through IPFS, so we had to extend Bitswap for that. And yes, so now, if your data is in Peergos, only the people who you give a capability to read that file can actually even retrieve the ciphertext.

A
So yeah, what do we mean by applications? So they should be user-run, user-owned, and, possibly unique in this view, they should be untrusted, so apps shouldn't be able to exfiltrate private data.

A
Apps shouldn't have to worry about identity or login, or storage, access control or encryption. Writing apps should be easy, right?

A
So this is the execution model. The idea is your end user is logged into Peergos in the browser, and that's the main tab on the left, the main context, and that's the thing that can get data from the network. We don't do peer-to-peer stuff directly in the browser, for privacy reasons; we don't have to broadcast your IP address or anything like that. So that's handled by the server, but everything the server is treated as untrusted.

A
So everything the client gets, whether it's a hash or a signature or whatever, is checked in the client code. And in terms of an app, the way we do this: we want to isolate different apps, both from the main Peergos context where, for example, your keys are, and your data, but also from other apps. And as we've learned from recent years, you have to worry about things like side-channel attacks.

A
So this absolutely has to be a separate operating-system-level process than the main tab, and that's quite hard to guarantee in browsers these days. But you can, with some recent additions to browsers. And so the basic idea is we have a generated subdomain, and this works on localhost as well, so you don't have to have a wildcard certificate on a public server, and the generated subdomain is basically a hash of the human-readable path for the app that you're running.

A
So those are paths in the Peergos file system, so those are unique anyway. The hash is then unique, and so you get your isolation that way. You can also, within an app, add an extra isolation parameter to get a different hash as well, if you want. So, for example, one of our apps is a web browser in the browser, and it wants to isolate its websites from each other, so it has an extra isolation parameter. And so, yeah.

A
The basic idea is that by default an app has no permissions. It can't do anything. All it can do is read its own assets. And so the other critical thing is the green box, the sandbox there, that's locked down so that an app also can't make external connections to the web, because then you could just trivially exfiltrate data. And so the idea is that the server serves up the same static code for all subdomains, and all that does is set up.

A
So yeah, we've just talked about most of that. So by default an app can just read its own assets. App permissions: if you want to have more interesting stuff, you can grant an app a permission to store, basically persist, data in your space. So this means it's an app-specific folder. The app can read and write arbitrary files, whatever it wants, into that folder, so that could be save games or settings or whatever. Another one is to edit a chosen file.

A
So this means it's basically like the user says, "I want to open this file with this app," and the app can then, during that invocation, edit that particular file. Or there's another one, which is read chosen folder, so that could be like a gallery or a music player, or something like this. So far, those first three, they're one-player mode. So that's just you and your app; you and your data and your app.

A
It gets more interesting with the fourth one, which is you can exchange messages with friends, and these are all, so there's, basically, we already have a chat protocol. It's, you know, it's all encrypted. It's CRDT-based inside the encryption, on top of Peergos, but the app doesn't have to know about that. It just says, "I want to create a chat with some friends who might have the same app installed," and you can then send asynchronous messages this way.

A
So you could use that to do, you know, multiplayer turn-based games or something. It's not real time, so you can't use it for network Doom or something like that. We'll work on that one; we do have plans for that, but not yet. So yeah, I mean, this is all hot off the press. Literally, we released this sandbox two weeks ago, so there's lots more to come.

A
First of all, so I've already got two apps installed. What have we got? One is an image editor, and a clone of Winamp. And so when you say, you can also register for file types in that manifest file.

A
Let's see here, this is some audio. So if I go down here, I've installed this Winamp app, so I can now view this file, which happens to be a song, in Winamp, and we'll see if this works.

A
You also don't have to, you can run apps in place. You don't have to install them if they don't need any permissions. So, for example, this is Doom.

A
So you can see we're working our way up to network Doom. This is single player too, but anyway, you get the idea. And so the cool thing with these apps is the server doesn't see the app assets, so the apps themselves are private. That might also trigger something. So, let's close that.

A
I've got a question about, maybe I missed something, but where exactly are those apps running? Is it just fully? This is fully in the browser, so it's the app in its entirety in order.

A
An app is, so, these are the apps here. This is pre, some pre-installing them, so I can show you. So, for example, the image editor, or, if I wanted to create my own app, I would just go create a folder in here and then do whatever format. Okay, yeah. So basically it has the assets folder, which is the assets, that's all the standard HTML5 stuff, and then there's this magical file, the manifest, the JSON file, which we can look at in another app, the text editor.

C
Through server or is it sound.

A
So every Peergos instance runs, and what installs and runs its own IPFS instance, and everything happens by that.

C
Yeah, so in the same way, the digital boots out the JS IPFS in browser, and you have your roots in, and every device would then just lean on the same page of the invest protocol.

A
And so yeah, the other thing that's cool is, as I mentioned, an app is just basically a website, so you can view websites natively in Peergos. So this is, again, these assets are served from Peergos. The server doesn't see them because they're all decrypted locally, but I've got the full website in there. And in a similar way that you can share anything in Peergos via secret link, you can also share websites. Let's see if we can do this. And I'm imagining there's a permission model for the.

A
You, so the secret link, that's mainly for sharing with people who are not on Peergos. If they're on Peergos, you can do in-band sharing. So this is the sharing screen here, so I can type in the username of who I want to share it with, and this remembers who it's been shared with, read or write or whatever, or you can share with groups. So there's friends or followers of the default groups, but you can also do custom groups. But yeah, so the secret link, let's see if this works.

C
And basically, this is the Peergos application running on desktop.

A
Well, this is running on peergos.net, but this is just a, yeah, you could run it on localhost as well.

A
You can do offline reads in principle, but not writes, unless you, well, so our plan for that is to do that on an application-specific level. So if an application knows it's using a CRDT, that's fine, you do what you want, but at the raw (what was it doing here?) file system level, then yeah.

A
Cool, that's basically, I think.

C
That's something that I had in my giant list of random things I'd like to have eventually, but, and just basically used HTML5 manifest file with a few extra vendor extensions that might be interesting for us to use. Is that kind of what that manifest file is? What are they? What are the extra approvals?

A
Basically, yeah. I mean, it's very similar to something like Android, so it'll have the permissions that you want, whether there's an icon for it or not, and any file extensions or MIME types that you want the app to register for, the author, the install source, so you can get updates.

C
Do capabilities, if we can have some consistent language for some of that, that would be super useful. And, you know, my thinking is developer option, like, hey, if we've already got people who are using HTML5 PWA manifest files, then yep, we can consume all that. There's probably, and I'm not smart enough about this yet, yada yada yada IPLD, something that comes in there, but is that the correct answer? I like, I feel.

A
First thing I was going to say is not from IPFS, but more primitives in Web Crypto, 825 and maybe even some post-quantum stuff would be nice, but I'll give that 30 years.

A
Right, so yeah, I mean, we've been thinking about this for years, and basically, yeah, the kind of privacy we want from libp2p. There's a group, some did some work on this a few years ago, p3lib, on anonymity within libp2p. Something like that would be awesome. And so the way we would use that is, you might have seen yesterday in our talk, we only really use the block API.

A
We would have an extra parameter to all the API calls, which is the anonymity class, and that would basically determine the onion identity that that request would be routed through. And so you can, the application to decide, "I want, you know, these bits of data should be not connectable by the external network because they're, for example, from different people, and you don't want their friendship connection to be leaked," or that kind of thing, as well as obviously protecting things like your IP address. Yeah.

C
Wanted that viewer, we've heard that feedback. So there's the Ink & Switch folks who wrote the seminal local-first software, yeah, I'll actually add that to the links you have about everyone. It's kind.

C
Yeah, and that seems problematic to us, yeah. And by the way, you're like asking 600 strangers.

B
I've got another question, and you might have answered this, but Peergos to me seems like it's focused specifically on users for their data, but is there a story for, you know, this track is building apps on IPFS, so what about building apps on Peergos? Like, how do I build an app and share it, and then potentially, you know, profit from some app that I distribute to Peergos users? Is that.

A
Yeah, so apps, they're just a folder of stuff on Peergos, and, you know, it's a private file system. We have access control, so you can control access to your app. So if you want to charge for your app, for example, you can do that. We don't have payments in band, but you can do that out of band and just share the app using the access control.