Zooko’s Triangle

FIGURE 29: ZOOKO'S TRIANGLE

Figure 29 illustrates Zooko’s Triangle conjecture: the vertices indicate the three desired properties of human-meaningfulness, decentralization, and security. Any name system can lie on any edge of the triangle and have the two properties at the vertices adjacent to it, but not all three. We now proceed by way of example through various systems, from those lacking all three properties to those having all three, in order to illustrate the meaning of the conjecture and to show that it is, in fact, false (Swartz, 2011).

Clearly, a name system can lack all three properties. An example name system lacking all of these three properties is the IP-naming system in a local network using DHCP (Droms, 1997). It is not decentralized, as a centralized router is used to manage the names and can, for example, deny service or block specific IP addresses at will. It is also not secure, as IP addresses can be spoofed in the Internet Protocol by simply constructing a custom packet that contains as source the IP address to be spoofed (Tanase, 2003). Finally, it is not human-meaningful, as IP addresses are a simple series of numbers and not memorable.

Several real-world systems exhibit one of the three desired name properties.

The plain old DNS system (Mockapetris, 1987) has one of these properties, namely human-meaningfulness. DNS is not decentralized, as the root nameservers essentially control the whole hierarchy of the system and can be commanded to dissolve names.

Furthermore, nodes within the hierarchy are in central command of the names that belong to them, and there have been numerous instances of domain name seizures. For example, a famous case with political underpinnings was the theft of Kim Dotcom’s Megaupload domain name (Sisario, 2012) (Graeber, 2012). In addition, DNS is not secure, as the

or the data link layer are able to easily modify data by performing a man-in-the-middle attack (DNSCurve Team, 2009).

The PKI system used in TLS for HTTPS is an example of a system which exhibits only the second such property, security, where certificate key fingerprints are treated as the names.

Clearly, key fingerprints are not human-meaningful. Key fingerprints are also centralized, with a set of root certificates being the central points of failure. In this case, lack of decentralization is evident in the fact that PKI is hierarchical. While this centralization is generally undesirable, browsers put it to good use in the comodohacker incident (Bright, 2011), in which a certificate was successfully invalidated through legal orders and agreement. This centralization has allowed vendors to remove certain certificates from the hierarchy root at will (Nightingale, 2011).

yet it is not human-meaningful. Indeed, a Tor hidden service (Dingledine, Mathewson, & Syverson, Tor: The second-generation onion router, 2004) name is secure in the sense that no one can imitate a name. In particular, names are derived by hashing the public part of an asymmetric cryptographic key (Dingledine & Mathewson, Tor Protocol Specification, 2015), and controlling a name requires being in control of the respective private key. As such, stealing a name would require brute-forcing an asymmetric private key. Furthermore, the system is decentralized because no central authority is in control of the names. Each hidden service is truly owned by its creator and no legal power can take it away from them. Finally, names are not human-meaningful, as they are the output of a cryptographic hash function.
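The name derivation described above, as an added example that is not part of the original text. It assumes the version 2 hidden-service format, in which the name is the base32 encoding of the first 80 bits of the SHA-1 hash of the DER-encoded public key; the key bytes and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-ins for two DER-encoded public keys (not real keys).
OWNER_KEY = b"constructed stand-in for the owner's DER-encoded public key"
OTHER_KEY = b"constructed stand-in for a different party's public key"


def onion_name(pubkey_der: bytes) -> str:
    """Derive the name from the key: base32(SHA-1(key)[:10]), 16 characters."""
    digest = hashlib.sha1(pubkey_der).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def key_matches_name(name: str, pubkey_der: bytes) -> bool:
    """Client-side check that a served public key is the one `name` commits to.

    No registry or authority is consulted: the name is its own certificate.
    """
    label = name.strip().lower()
    if label.endswith(".onion"):
        label = label[: -len(".onion")]
    # Reject anything that is not a well-formed 80-bit base32 label.
    if not re.fullmatch(r"[a-z2-7]{16}", label):
        return False
    return hmac.compare_digest(label, onion_name(pubkey_der))


if __name__ == "__main__":
    name = onion_name(OWNER_KEY) + ".onion"
    print(name, key_matches_name(name, OWNER_KEY), key_matches_name(name, OTHER_KEY))
```

The derived label is opaque to a human reader, which is exactly the property the triangle trades away here.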

mDNS, a simplified DNS system to be used by small devices (Cheshire & Krochmal, 2013), is both decentralized and human-meaningful, but not secure. In mDNS, no central authority decides on the names, but each device can claim its own name, hence it is decentralized. As the names can be chosen by the devices themselves, they are human-readable. Finally, no one prevents a device from choosing the same name as another device, and hence the system is not secure.

DNSSEC, a secured version of DNS (Arends, Austein, Larson, Massey, & Rose, 2005) that has been hopelessly under deployment for decades, is a naming system which is both secure and human-meaningful, but not decentralized. DNSSEC inherits the centralization properties of DNS, yet it also introduces security by digitally signing DNS records when they are exchanged.

The following table summarizes the ways in which the Zooko properties can be satisfied, with a relevant example for each combination:

TABLE 4: ALL COMBINATIONS OF ZOOKO'S PROPERTIES IN NAME SYSTEMS

Human-meaningful   Secure   Decentralized   Example
No                 No       No              DHCP IP
No                 No       Yes             Mesh MAC
No                 Yes      No              PKI
Yes                No       No              DNS
No                 Yes      Yes             Tor
Yes                No       Yes             mDNS
Yes                Yes      No              DNSSEC
Yes                Yes      Yes             Namecoin

Namecoin

Namecoin makes it possible to have names that exhibit all three of the desired properties (Slepak).

Namecoin is a bitcoin fork (Gilson, 2013). In fact, it is the first fork of bitcoin. By using a blockchain, it arrives at decentralized consensus and hence, similarly to bitcoin, cannot be brought down by central authorities or the law. Namecoin is secure. This security is

ownership of a private asymmetric cryptographic key. The public key that corresponds to this private key is first published to the blockchain when a name is first registered (“name_new” operation). Further updates to the name require proof of ownership of the private key whose respective public key was published during registration. Updates to names can include changing the value the name corresponds to (similar to how DNS associates names with IP addresses), or transferring ownership of the name to a new key.

Finally, human-meaningfulness is achieved by allowing each user to choose their desired name freely. The names are registered on a first-come, first-served basis by enforcing a blockchain-based policy similar to the prevention of double spending in Bitcoin.
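The registration and update rules described above, as an added example that is not Namecoin's own code. It assumes a single in-memory ledger in place of the blockchain and toy RSA signatures in place of the chain's real signature scheme; the class, method and key names, the sample name and the sample addresses are all constructed for illustration.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys


def make_key(p, q):
    """Toy RSA key pair from two known primes (constructed, insecure size)."""
    n = p * q
    return {"pub": n, "priv": pow(E, -1, (p - 1) * (q - 1))}


def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(key, msg):
    return pow(_digest(msg, key["pub"]), key["priv"], key["pub"])


def verify(pub, msg, sig):
    return pow(sig, E, pub) == _digest(msg, pub)


class NameLedger:
    """Ordered record of accepted operations; stands in for the blockchain."""

    def __init__(self):
        self.names = {}  # name -> {"owner": public key, "value": str}
        self.height = 0  # number of operations accepted so far

    def register(self, name, owner_pub, value):
        """Models name_new: the first registration wins, later ones fail."""
        if name in self.names:
            return False
        self.names[name] = {"owner": owner_pub, "value": value}
        self.height += 1
        return True

    def update_message(self, name, value, new_owner):
        # Binding the current height makes an old signature useless later.
        return f"{self.height}|{name}|{value}|{new_owner}".encode()

    def update(self, name, value, new_owner, sig):
        """Change value and/or owner; requires the current owner's signature."""
        rec = self.names.get(name)
        msg = self.update_message(name, value, new_owner)
        if rec is None or not verify(rec["owner"], msg, sig):
            return False
        self.names[name] = {"owner": new_owner, "value": value}
        self.height += 1
        return True


# Constructed keys built from Mersenne primes, for illustration only.
ALICE = make_key(2**127 - 1, 2**89 - 1)
BOB = make_key(2**107 - 1, 2**61 - 1)
```

A second `register` call for a taken name and an `update` signed by any key other than the recorded owner's both return `False`, which is the ledger-side counterpart of the three properties holding at once.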