Samizdat is a platform for the self-hosted, peer-to-peer, cryptographically-secured internet of the future. We provide ways for people to communicate with one another without corporate intermediaries -- without even the DNS or the PKIX systems.

Our software must be understood both in terms of what it does for users, and how it is done.

We provide decentralized internet services for use by autonomous communities. These are ordinary internet services like email, chat, voice-over-IP, DNS, wiki, blog, and so on. We package them up in an easy-to-use form, so that anyone can run them.

More importantly, we do this using standard, interoperable protocols, creating a framework for future development and integration. Our implementation serves as a prototype for the next generation of the internet: one based on cryptographic trust.

The potential waiting to be unlocked by cryptographic techniques is immense. My goal in the article that follows is to explain the possibilities.


First, I apologize to the reader. I will attempt to avoid technical language, but this will not be entirely possible. My task is difficult, and so yours must be.

What is Samizdat?

The focus of Samizdat is to solve "the conundrum of every public key infrastructure" -- key distribution. Samizdat provides a fully-automated key distribution system. But what does this mean? Why does it matter? These questions are answered in detail below, but first I will give some examples of what Samizdat makes possible.

Use cases

In Kindergarten we learned not to bring any unless you bring enough to share with everyone. Someone tell that to gmail and eBay! When software developers implement internet services, they should make it possible for everyone to host these services, not just themselves. Code is law, and everyone has the right to influence the laws that affect them.

Services implemented through Samizdat will always have this property. Here we discuss some concrete possibilities.

Case study: Debian GNU/Linux

Debian GNU/Linux -- which is the technological basis of Samizdat -- was created in 1993 as a non-profit organization. It manages one of the most, if not the most, widely-deployed OS distribution (Debian is the "upstream" of all servers and PCs used at Google, for example). Debian is organized as a constitution democracy.

Although founded in the USA, Debian is an international organization with three thousand members from around the globe. To join, every member is required to have an OpenPGP key, which must be signed by another member. Each developer receives a single vote in general resolutions (legislation) and in the election of various executives (Project Leader, Release Manager, Project Secretary, etc.). Votes are held in accord with the Debian Constitution, which provides for its own amendment by supermajority.

OpenPGP keys are a fundamental part of the integrity of this democratic system. The Debian Constitution states, "Every proposal and sponsoring email must be signed with the cryptographic key that lives in the Debian keyrings. The keyrings are part of the authoritative answer to who is or is not a Debian developer."

Cryptography allows this kind of organization to exist and to hold global elections of high validity and transparency entirely through the internet. This capability is available to Debian developers because they are highly technical people, and expected to learn how to use cryptography as part of their role. However, technology like Samizdat could enable similar organizational structures to include nontechnical users without sacrificing the strong integrity guarantees necessary to scale such processes into the thousands.

Social scenarios

  • Community organization; small group formation
  • Autonomous voting systems without central authorities
  • Journalist and source
  • Local affinity groups "merge"
  • Promise money, with accountability: decentralize Kickstarter, eBay, etc.
  • Invitation-based systems made available to all

Institutional scenarios

  • Bank signs credit report, statement of balance
  • Local government issues key signatures based on government-issued ID. Can be used for local government web sites to exclude users outside its jurisdiction.
  • Remote access to the board meeting -- with voting

Personal scenarios

  • Access your own data remotely
  • Casually share access to your local LAN; e.g., to share files
  • Create communication links between your contacts; e.g., a locally-hosted chat room
  • Enable password-free access to your web sites (blog comments, wiki, etc.) based on OpenPGP.

What is public key cryptography?

Samizdat is an easy-to-use system that requires no understanding of cryptography by its users -- ease of use without such knowledge is, indeed, a core design consideration and goal of the project. However, cryptography is central to what Samizdat does, how it differs from existing crypto-systems, what it enables users to do, and why it has such significant future potential. It is important to understand a little bit about cryptography to understand why Samizdat matters.

Public key cryptography provides two distinct functions: encryption, which is used to make data private; and digital signatures, which are used to prove identities. That is, digital signatures are used to make sure you know you're talking to the right person, rather than an identity thief or impostor.

The second function, identity, is vital to the first. In order to encrypt a document or communication, it is necessary to have the public key of the recipient. Digital signatures are used to prove that the key used for encryption belongs to the person you think it does. They allow keys to be distributed over the network, which is necessary if encryption is to function without pre-arranged key exchange.

The importance of cryptography

The popular image of cryptography seems to focus on encryption and privacy. While these are important, the importance of identity should not be overlooked. Identity is the foundation of trust: financial trust (credit), reputation, and accountability require, first of all, the correct determination of identity. Identity systems are the first prerequisite of voting systems, credit systems, and communities. Without identity, a group of people is not a community, but a crowd.

Whether we are concerned with privacy or trust, to bring these properties to the digital world requires us to have each others' cryptographic keys. Today, only a small fraction of the population -- mostly programmers and "IT" people -- have public keys available for distribution. Samizdat functions in an automated way, so that these "early adopters" have a mechanism by which to share their own public keys within their social network -- without requiring complicated expositions of how to use them. Eventually, we can look forward to a time where public keys are as ubiquitous as Facebook credentials -- and more useful.

Commercial internet services using ?https (such as eBay, gmail, Facebook, etc.) depend upon their keys being distributed to their clients, but their own users do not have this same capability. Instead, users have passwords -- one for each service -- and identities which are derivative of these commercial internet services. The users' identities are fragmented, not transferable, and not under their own control. (If eBay decides to raise its rates and you want to sell through a competitor, you have no way to take your hard-won "feedback" with you! Yet if you had this capability, you might not need a third-party like eBay in the first place.)

Commercial internet services depend for key distribution on something called PKIX. Fundamentally, the PKIX operates on the only principle by which a public key cryptosystem can be fully-automated: public keys are distributed along with software. For example, public keys are included in web browsers.

Web browsers do not include a set of public keys for every web site in the world, however. Instead, they include one of a few hundred "trusted root certificate authorities," or CAs. The CAs are commercial services which, for an annual fee, will sign certificates for web sites. (The certificates expire, requiring costly renewal.) The web browsers check the signature on the certificates in order to provide secure access to web sites.

Samizdat similarly uses the mechanism of distributing public keys along with software. Its unique innovation is to also distribute private keys along with software -- a different key with each copy of the software -- so that the recipient of the software can prove his or her identity later. Samizdat makes the key distribution system work "both ways." This enables "peer-to-peer," decentralized systems.

Web of trust

There are two opposing concepts in the establishment of cryptographic trust chains: PKI, and "web of trust."

PKI model: hierarchy; tree

The PKI model imagines a single, or a set, of trusted "root" certificate authorities. Every user of the system has total trust in every root certificate authority. The root certificate authorities then create other certificate authorities, which are less trusted, insofar as the roots can revoke or limit the scope of their certificates.

In order to be trusted by the system, the only solution for a user is to get a signature of his or her keys from one of these certificate authorities. That signature will typically have an expiration, and the CA will charge a fee every time it needs to be renewed. The barriers to certificates for ordinary users under PKI are sufficient that almost no one has them.

OpenPGP certificates are much more commonly possessed by ordinary users, because anyone can make one with freely available software.

Web of trust model: mesh; rhizome

The "web of trust" model is most easily understood by analogy to Facebook. Web-of-trust encodes a "social network" as a cryptographic trust chain. You exchange keys with your social peers, who in turn do the same, and so on. No individual is in a privileged position to be trusted more than any other. However, because unknown individuals cannot be trusted not to sign keys falsely, the system requires multiple verifications to be safe. Thankfully, human communities are structured in such a way as to make this possible, so long as sufficient numbers of people actually use the technology.

Facebook already operates on this principle, and has proved how large it can scale when usability concerns are solved. Any user can create a Facebook account with any name (even if it is already "taken") in an attempt to impersonate someone else. However, because the impostor will not be able to get the real person's social connections to "friend" the impostor, the impostor account will be obviously suspect, impersonation will be transparent, and the approach is highly likely to fail.

To quote wikipedia:

a web of trust is a concept used in PG, GnuPG, and other OpenPGP-compatible systems to establish the authenticity of the binding between a public key and its owner. Its decentralized trust model is an alternative to the centralized trust model of a public key infrastructure (PKI), which relies exclusively on a certificate authority (or a hierarchy of such). As with computer networks, there are many independent webs of trust, and any user (through their identity certificate) can be a part of, and a link between, multiple webs.

To quote Phil Zimmerman, creator of OpenPGP:

As time goes on, you will accumulate keys from other people that you may want to designate as trusted introducers. Everyone else will each choose their own trusted introducers. And everyone will gradually accumulate and distribute with their key a collection of certifying signatures from other people, with the expectation that anyone receiving it will trust at least one or two of the signatures. This will cause the emergence of a decentralized fault-tolerant web of confidence for all public keys.

Critical mass

Social network systems -- such as Facebook, and such as the OpenPGP web of trust -- can become quickly pervasive after obtaining a "critical mass" of users. This is a result of the "network effect" -- adding more users to the system makes the system more useful, so that adoption accelerates rapidly after a certain point.

OpenPGP has already obtained a critical mass of users within the sphere of computer programmers. No other web of trust system could hope to replace it in that sphere. However, the difficulty of use -- a result of the lack of automation -- has prevented the OpenPGP web of trust from spreading into the "mainstream," non-technical userbase.

This does not have to be. PGP does not have to be hard to use. It can be integrated into existing systems and operate transparently, "behind the scenes," just like existing PKIX deployments. To accomplish this integration is the task of Samizdat.

The Rhizome: how Samizdat distributes keys and software

A rhizome is a biological structure that reproduces by extending itself outward, maintaining a connection between the old and new life. Grass is a rhizome, and the rhizomal nature of the spread of grass is the basis of the phrase "grass roots," referring to a way that a trend can spread through human society.

Samizdat implements a rhizome in almost a literal sense. It is self-replicating -- it provides its own means of distribution.

Each computer running Samizdat is a distribution point for the entire Samizdat code base. It is, furthermore, a distribution point of the entire development environment of Samizdat, in the form of a bootable LiveCD. (Or, optionally, a network-accessible apt repository.)

Samizdat is "rhizomal" because the LiveCDs are are not identical, but instead each one is unique, with the "child" connected to its "parent" through a cryptographic chain in the OpenPGP web of trust. Because Samizdat integrates OpenPGP key exchange with IPsec key exchange, this also means that the machines are connected on a secure VPN. Email, chat, web access, and the ability to further develop the Samizdat system are all made available automatically between the two systems, and done so with high levels of cryptographic security.

In order to make modifying Samizdat as simple as possible (thus encouraging outside contribution), each distribution point serves also as an integration point for accepting "downstream" changes. This mechanism, like the others, is intended to be full service with zero configuration. It works through the established "git" revision control system, which we have modified to allow anonymous submissions without pre-authorization. We believe github.com, and wikipedia before it, have shown the potential of this approach to encouraging contribution; but we have implemented it on a decentralized, peer-to-peer basis, using cryptography instead of a centrally-controlled user database.

We believe that this ease of modification will give Samizdat an evolutionary "meta-advantage" in the future: once it is deployed widely, it will be able to evolve rapidly, incorporating feature ideas from diverse sources.

How Samizdat integrates cryptographic authentication with existing technology

  • standard, portable identities

  • standard network protocols

  • standard server software

Samizdat is a software platform which provides identity services based on OpenPGP. From this foundation, Facebook-like services can be implemented, but also email, chat, voice-over-IP, software distribution, and other network services.

Our general strategy with Samizdat is to integrate a single global authentication system into standard services provided by Debian GNU/Linux. We use OpenPGP identities as the basis of trust, but leverage these to provide IPsec connectivity and authenticated IP addresses. Then IP-based security becomes possible in all server applications. IP-based security is already widely-implemented in existing software, and easily-implemented where it is absent. This means Samizdat can expect to provide OpenPGP-based authentication to almost all system software, often without making any changes.

Technical details: Samizdat leverages OpenPGP in other ways as well: through DNSSEC and DANE, we distribute SSHFP, ?TLS, and other key types, enabling the use of OpenPGP identities in web browsers, fileservers (?rsync), shell servers (?ssh), and source control (git). By using standard protocols and key types, we get integration of our global identities with all of this software "for free"; by linking all keys through the OpenPGP keyring, we get web-of-trust integration "for free"; and by automating the key distribution system (and implementing a novel system whereby OpenPGP keys can self-authenticate), we can build a web-of-trust "social network" that can include everyone, even people who do not understand cryptography.

The approach that Samizdat takes is much more general than that of ?typical peer-to-peer applications. These typically couple together an application, and the network infrastructure it requires. Samizdat provides the network infrastructure separately, and allows ordinary, unmodified (or only slightly-modified) applications to operate on top of this infrastructure.

Not only does this provide access to a huge base of existing software with minimal investment of effort, it also means that Samizdat can interoperate with other implementations of the standard protocols that Samizdat uses as network infrastructure. These implementations typically exist for every major platform: Windows, MacOS, Android, even the iPhone.

For example, Samizdat cannot itself run on Mac OS X (directly, without using a VM), but it is still possible that Mac OS X could be configured to access a Samizdat-provided IPsec VPN and access Samizdat services over standard protocols using that VPN. Furthermore, Mac OS X could be configured to use the unbound DNS server, which could be configured to access ?Samizdat's DNS system through the IPsec VPN. All of this could in principle be automated, but it could also be performed today, with no more difficulty than currently exists when these systems are set up manually.

(In the future, we expect users of Mac OS X to implement automated systems for configuring access to Samizdat systems without hassle. If that does not happen, we could do it ourselves.)

What Samizdat provides today

The following functionality is present on existing Samizdat systems, and is automatically configured and fully-operational without explicit user action:

  • IPsec connectivity (secure VPN)
  • ?SMTP (email)
  • chat (jabber/?XMPP) servers automatically connected between users
    • Standard chat clients (such as pidgin) are compatible
    • Users on "friend" systems are automatically added to the chat roster
  • ssh host key exchange, and ssh client key exchange.

    This is the authentication mechanism of numerous server technologies:

    • git (source control)
    • rsync (file transfer)
    • sshfs (shared filesystem)
  • ?anonymous rsync and git access, providing a peer-to-peer substitute for github.com

    Note: anonymous users are not granted privileged access, but can submit changes analogous to github's "pull requests."

  • Decentralized DNS

    Each Samizdat node has a self-authenticated namespace, and can share subdomains under this namespace. "Friend" systems can be given names in this space, and through this mechanism, access to a "second hop" or ("friend of a friend") in the social network is possible (and a third hop, and so on).

What Samizdat enables tomorrow

Samizdat will continue to integrate more existing server software with our authentication system. We will also develop custom server software atop the OpenPGP web of trust when existing solutions are not available or suitable. Looking at specific areas of development, we are particularly excited about the possibilities of creating ?cryptographic voting systems, and ?cryptographic credit systems.

Our long-term master plan is to attempt to duplicate the basic functionality of all major centralized services, on a p2p/federated basis. We understand that we cannot do this ourselves; but we can integrate the work that has been done by others, rapidly expanding the capabilities offered by our system.

  • Voting: integration with Loomio, frictionfreedemocracy.org, and/or other systems for collaborative legislation
  • Kickstarter/eBay/etc. => OpenPGP-based credit/feedback/reputation system
  • Youtube/vimeo => MediaGoblin
  • Integration of wiki software (mediawiki, ikiwiki)
  • Facebook-like "feeds"
  • Dropbox-like functionality using ?git-annex and Tahoe-LAFS

We believe anyone should be able to host these kinds of services, easily and without paying anyone for the privilege. We further believe that enabling the public at large to control such servers on a community basis will allow communities to invent or discover new forms of collaboration and communication beyond what we can imagine. Decentralization is the key. Code is law -- democracy in the internet age means putting code in the hands of the people.