an end run around zookos triangle

An end run around Zooko’s triangle

Zooko’s Triangle
describes three properties of naming systems. Zooko states that you
can choose any combination of two properties but you lose the third.

Zooko may be entirely right that a single system cannot overcome this
limitation. However, using Eccentric Authentication in combination
with other cryptographic systems we can do an end run around
it. This way we overcome the limitations of a single system and reach
our ulimate goal of: 1: Secure, 2: Decentralized and 3:
Human-meaningful names on the internet.

This blog (tries) to explain how we can reach that goal.

The triangle

Zooko’s triangle states that there are three properties of
naming-systems, of which you can choose only two. The properties are:

  1. Unique: each name maps to one unique value; (Zooko calls this one

  2. Decentralized: There is no central authority on the names;

  3. Human meaningful: you can read the name on the side of a bus and
    type it in at home.


  • Decentralized and human meaningful: “Mom” and “Dad”. Each one of us has
    their own ‘values’ for the names “Mom” and “Dad”; You lose uniqueness;

  • Unique and human meaningful:, or These names
    would point to the same well known identities for most of the worlds’
    population. But it requires central control to map the names to
    IP-addresses for their web servers. This central control can take away the names at will;

  • Unique and decentralized: This would be the totally unreadable names
    of your documents in Google Docs with their unpronouncable long
    character strings. Not something to put on the side of a bus to be
    remembered correctly later that evening.

The triangle specifies the holy grail of naming systems: to create a
world wide mapping between human readable names and values without
relying on a third party that can take away names at will.

In human terms: To make sure that the same name always point to the same thing. All the time, everywhere.

With Eccentric Authentication we use a two-level approach.

The first level is the uniqueness requirement for the local CAs. Each
name that a CA signs must be used only once at each CA. Whenever
someone signs up for a certificate at a local CA, he publishes that
certificate with the username@@sitename at the Global Registry of
Dis(honesty). It allows the world to verify that the CA doesn’t create

The second level comes from tying the CAs into DNSSEC. This makes
domain names point to only one CA at every point in time. No one can
change a domain name without the whole world to notice it.

Together with the Registry, we can validate that all the certificates
that bear a certain domain name are signed by the same CA-root. The
DNSSEC and the Registry work together to detect deviations from the
uniqueness requirement.

once signed, no way to take back

Once you have a certificate from a CA, there is no way anyone can take
it back. As soon as you’ve got the certificate, it’s set in stone. If
the CA signs another public key with the same name, it will be
detected at the Registry. This single act of singing will taint the
whole CA as untrustworthy. It means than no one will use that CA

Even though the CA becomes dishonest. A certificate that you already
use to communicate with others is still usefull. Every party you
communicate with remembers your certificate. And your computer
remembers the certificates of the people you communicate with. Once
you’ve exchanged the certificates, there is no need to look them up
again. The Registy is there to help people validate certificates at
introduction. Once introduced they stay valid. Only once in a while,
you’d check out the registry to see if any of the CAs has gotten