The Trustless Computing Certification Body Campaign
The Trustless Computing Certification Body Campaign is a core action of the Trustless Computing Consortium. It aims to catalyze and coordinate wide multi-disciplinary and multi-stakeholder processes that define new, uniquely comprehensive socio-technical standards, certification and certification-governance frameworks for critical end-to-end ICT communications, AI and cyber-physical services for wide-market deployment, as well as for targeted lawful access systems and critical infrastructure.
It is meant to achieve radically unprecedented, ultra-high and constitutionally-meaningful levels of IT trustworthiness assurance and assurance measurability, while preserving or increasing targeted cyber-investigation capabilities, preventing malevolent use and overall increasing public safety.
Late drafts, being co-written with Bart Preneel, CapGemini (Melle Van Den Berg), Tecnalia, EIT Digital (Jovan Golic) and others:
- The Manifesto of Trustless Computing (9-page gdoc), which summarizes the fuller:
- Proposal for a Trustless Computing Certification Body (over 50 pages, gdoc).
- Alternatively, see the Intro Slides (PDF).
HOW: The Trustless Computing Certification Campaign is being promoted through:
- The Free and Safe in CyberSpace global event series, launched on Sept 24th 2015 in Brussels with its 1st EU Edition, with world-class speakers. It was followed on October 16th 2015 by a 1st LatAm Edition in Brazil, by a US Edition in New York on July 21st 2016, and then again in Brussels on Sept 22-23rd 2016.
- A 1M€ funding proposal to H2020 DS-01 CSA “Assurance and Certification for Trustworthy and Secure ICT systems”, which we submitted in April 2016 and which was “almost” approved, ending up on the “reserve list” :-(.
- The promotion of 4-19M€ TRUSTLESS R&D proposals, as detailed in our roadmap, to build an initial open target architecture that complies with and validates those standards, and enables its adoption at large industrial scale.
TRUSTLESS?!: By “trustless” computing we mean computing without the need or assumption of trust in anything or anyone, except in the intrinsic resistance of the organizational processes critically involved, as recognizable by moderately informed and educated citizens. The key intuition is that the trustworthiness of a critical computing system can be reduced to the citizen-accountability and technical competency of ALL the critical organizational processes involved in its entire lifecycle and operation.
IMPACT: The campaign aims to (a) achieve unprecedented and constitutionally-meaningful levels of actual and perceived assurance and (b) promote open target architectures for wide-market deployment, while (c) only moderately increasing disadvantages to the user and to the service provider, and (d) overall increasing targeted cyber-investigation capabilities and public safety. It will facilitate the emergence of open ultra-high-assurance target architectures that can greatly improve certification efficiency, lower user costs, increase ecosystem resiliency, and establish the EU as an ethical and economic leader in critical computing for wide societal use and impact.
THE PROBLEM: Current IT standards, standard-setting and certification processes have one or more of the following shortcomings:
- they do not certify any complete end-to-end computing experience, device, service and lifecycle, but just parts of devices, server-side service stacks or components;
- they do not include the hardware design and fabrication phases;
- they are developed in opaque ways, by standard organizational processes that are only very indirectly (and inadequately) user- or citizen-accountable, and that are subject to various undue pressures;
- they make dubious crypto requirements, such as “national crypto standards” including custom elliptic curves, that leave substantial doubts about the ability of certain national agencies (and potentially others) to bypass them;
- they certify devices that are embedded into, or critically connected to, other devices that are not subject to the same certification processes;
- they have very slow and costly certification processes, due to various organizational inefficiencies and to the fact that they mostly certify large (and often new) proprietary target architectures, rather than extensions of certified and open ones.
NEW PARADIGMS: We have identified some high-level paradigms to guide the analysis and framework-recommendation activities. Certified TRUSTLESS computing services, devices, lifecycles and the certification body itself would comply with the TRUSTLESS Binding Paradigms, under which a compliant system:
- assumes that extremely skilled attackers are willing to devote even tens of millions of Euros to compromising the supply chain or lifecycle, through legal and illegal subversion of all kinds, including economic pressures;
- provides extremely user-accountable and technically-proficient oversight of all hardware, software and organizational processes critically involved in the entire lifecycle and supply chains;
- provides extreme levels of auditing intensity relative to system complexity for all critical components, includes only publicly verifiable components, and strongly minimizes the use of non-Free/Open-source software and firmware;
- includes, in the SW/HW stack below and at the OS level, only open innovations with clear and low long-term royalties (<15% of end-user cost) from patent and licensing fees, to prevent undue pressure from intellectual-property-right holders, lock-ins and patent vetoes, and to ensure low cost;
- includes only highly-redundant hardware and/or software cryptosystems, whose protocols, algorithms and implementations are open, long-standing, extensively verified and endorsed, and that offer significant and scalable post-quantum resistance;
- is continuously certified by an extremely technically-proficient and user-accountable independent standard/certification body.
SERVICE CLASSES & LAWFUL ACCESS: The new standard-setting and certification processes will initially certify only specific service classes of end-to-end IT services, addressed at specific market sub-domains, in full compliance with the EU Charter and local constitutions:
- A. Pure P2P Communication Services, without anyone’s access, by design, to user encryption keys, except the user himself;
- B. Hybrid P2P Communication Services, which provide voluntary, discretional (i.e. in addition to what is required by current laws) availability of the provider to evaluate and approve constitutional – no more, no less – lawful access requests, through independent citizen-accountable processes with extreme safeguards against abuse. Examples of suitable safeguards are described in the CivicRoom concept, centered on the express on-site approval of a jury of 5 or more randomly-sampled citizens, instead of the provider’s attorneys as is done today;
- C. Targeted Lawful Access Services, including all critical technological components and organizational processes critically involved;
- D. Ultra-critical Internet-connected cyber-physical systems and individual endpoints, in complex and dynamic environments, including for IoT, narrow AI and critical infrastructures.
WORKING DRAFT PROPOSAL: We are evolving such paradigms into initial, provisional, high-level but binding standard-setting and certification concepts: the TRUSTLESS Paradigms, which currently deal with service classes A and B, as well as a live version of an initial TRUSTLESS Computing Certification Proposal v. 2.0 (live gdoc), which deals with service classes A, B and C.
OPEN TARGET ARCHITECTURES & ECO-SYSTEMS: These will sustainably enable and facilitate wide-market availability of constitutionally-meaningful levels of user trustworthiness, by promoting radically open and resilient target architectures. Since new paradigms and certification bodies would make little sense if no compliant, open and complete set of technologies existed, the process will greatly benefit from the non-profit TRUSTLESS R&D project’s parallel development of an initial complete set of compliant HW/SW technologies and processes, open for use by any willing provider on clear and open terms. After the initial go-to-market of the resulting consortium, the resulting technologies, based on a P2P architecture, will be available to anyone under FLOSS licenses and clear, low long-term IP terms, to be offered for example as a P2P service without anyone’s access, by design, to user encryption keys except the user himself, according to current laws. Nonetheless, the resulting Trustless Computing Consortium and the resulting Trustless Computing Certification Body will only offer and certify device/service offerings that include an extremely innovative process to enable compliance with constitutional – no more, no less – lawful access requests.
GOVERNANCE MODEL: The citizen-accountability and technical proficiency of the governance and organizational processes of such new standard-setting and certification bodies is by far the most important requirement for their sustainable effectiveness and success in promoting societal benefits. For this reason, the campaign is currently driven primarily by individual experts and activists that meet such requirements. In time, we plan to attract: (1) a few private or academic entities with unique or advanced technical expertise; (2) a few key civilian and state security national agencies in democratic nations; (3) major global digital rights NGOs and experts; (4) other expert stakeholders. Such a new standardization and certification organization would ideally be driven by a democratic mix of public, private and/or relevant international non-profit entities.
The US Defense Science Board, the highest US public authority in IT security, clarified at page 38 of its 2013 Cloud Security Report (PDF) that any attempt to realize high-assurance cloud services must consider end-user devices and the hardware supply chain as an integral part of the cloud service. It says: “client hardware security is just as essential for cloud computing as the security of its servers”.
The EU Cyber Security Strategy (PDF) says: “It is key to ensure that hardware and software components produced in the EU and in third countries that are used in critical services and infrastructure and increasingly in mobile devices are trustworthy, secure and guarantee the protection of personal data” as well as “The EU will place a renewed emphasis on dialogue with third countries, with a special focus on like-minded partners that share EU values. It will promote achieving a high level of data protection, including for transfer to a third country of personal data. To address global challenges in cyberspace, the EU will seek closer cooperation with organizations that are active in this field such as the Council of Europe, OECD, UN, OSCE, NATO, AU, ASEAN and OAS”. The current Italian National Cyber Strategy (PDF) also calls for major international cooperation at pp. 24-25.
The NIST Cybersecurity Framework Update of Dec 5th 2014 (PDF) says: “Perhaps the best way to build on this [international awareness] is to promote the Framework and its application through international organizations. This would include standards development organizations (e.g., ISA, IEC), professional societies such as the Automation Federation and IEEE, and industry trade associations, which typically have multi-national or global companies as members.” and also “Supply Chain Risk Management was readily recognized as a complex, broad cybersecurity concern worthy of collective action. However, participants and RFI respondents urged that any efforts to explicitly address supply chain risk in the Framework should recognize the global nature of technology and avoid guidance based on country of origin, which would impede international commerce.”
A November 2014 report, Technological Sovereignty: Missing the Point?, by the Global Public Policy Institute and the Open Technology Institute, analysed the severe downsides of such approaches, even of EU-leading ones such as the current “IT Security Made in Germany” public strategy:
Initiatives such as “IT Security Made in Germany” suggest that domestically produced services and items are more secure and trustworthy than those produced abroad. However, like the location of data storage and routing, it is not the location of production and supply chains that guarantees protection from surveillance or espionage, but the actual security standards. Locally produced security products can include as many, if not more, vulnerabilities than those of foreign companies. While this measure will make it harder for foreign intelligence agencies to build in backdoors, it does not prevent local intelligence or law enforcement agencies from doing so. Any backdoor will increase the general insecurity of these products. These proposals, often labeled as especially secure, risk providing a false sense of security to customers, depending on their implementation.