Time Capsules and Trust

2024-02-13

---

One of my VMs runs a copy of Windows XP that has had no OS or security updates since 2014. Recently I wanted to deploy a separate XP VM with as many updates included as possible. I didn't have an installation disc on hand, so I searched for an image online. Believe it or not, there are still some communities that actively develop and release custom builds of Windows XP, in an effort to keep the OS usable as a daily driver. I was able to find one such community, secure an ISO from November 2023, and install it successfully.

The community changelog noted that their most recent release included a certificate updater and root certificates that were valid as of August 2023. My 2014 VM does not have these certificates; I can still use networking tools on it like local FTP or SSH, but I can't browse the modern HTTPS-based Internet, even if I visit sites that don't use JavaScript. This is an interesting problem to me: the problem of trust.

When I think of long-term computing projects, I tend to classify them in one of two ways. "Durable computing" has the goal of creating a technology that is still operable and useful after decades of continuous use and maintenance, while "time-capsule computing" has the goal of creating a technology that is still operable and useful after decades of no use or maintenance at all. I expanded on these categories in a previous log about long-term computing.^

In that log, I imagined a computer that is not booted once for 40 years and considered what would be necessary to bring it to a useful state after that time gap. The biggest challenge in such a scenario would be getting the device to interface successfully with current devices. Computers are largely considered useless if they have no means of getting information onto or off of them--it doesn't have to be via the Internet, but at least through floppies, thumb drives, over a telephone modem, through a satellite uplink, or something similar. But how would that computer know who to talk to and if those endpoints can be trusted?

Trust is dynamic by nature. A Web site or IP address may be trustworthy at one point in time and lose that trust later. The loss can be dramatic, as when a site is compromised and starts serving malicious data, or quiet and almost imperceptible, as when the service suffers extensive downtime or is retired. The reverse also happens: a previously untrustworthy address can come under the control of a respectable authority that makes it trustworthy again, and a misbehaving peer in a decentralized network can mend its reputation by consistently serving data that other peers are able to verify.

This is a problem we experience in everyday life as well. One might have had a close friend in school, only to fall out of communication with him and discover years later that he had become a drug addict or a womanizer. Meanwhile, the lunchroom bully might have straightened up and become a pastor or a community leader. When visiting one's hometown after some decades, one may find that the once-safe parts of town are now quite dangerous, while previously-poor sections are now heavily gentrified and highly desirable to live in. Some businesses close or backslide in quality, while others open or re-open with a new, upright image. Highly-functional buildings and infrastructure degrade with exposure to the elements. Political or celebrity scandals happen; economies fluctuate; the list goes on and on.

The modern Web handles the problem of trust using root certificates and the certificate authorities behind them. However, a machine's root store is only as current as the last OS or browser update that refreshed it: roots expire and are replaced, new ones are added, compromised ones are distrusted, and every one of those changes reaches the machine through a continual stream of OS and application updates. (Validating a certificate also assumes the machine's clock is roughly correct, since each certificate is only valid between two dates.) Time-capsule computers, by design, do not have this luxury. If they establish trust by certificate at all, I suspect their paradigm will be more similar to trust-on-first-use (TOFU), the model Gemini clients typically use. But it seems more likely to me that time-capsule computers would want to communicate using channels more stable than the TCP/IP-based Internet.
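To make the root-store decay concrete, here is an added example (my own code, not part of the original log or of any XP community build): a small DER walker, standard library only, that pulls the validity window out of an X.509 certificate so a trust store can be checked against an arbitrary clock value. The three certificates it checks are constructed skeletons carrying only the fields the parser reads, not real root certificates; the dates are assumptions chosen to show the store thinning out as the clock advances. Fed real PEM roots through pem_to_der() it performs the same check on a real store.

```python
"""Added example: which anchors in a root store are still valid at a given
instant? Only the validity window is parsed; signatures are not checked.
The sample certificates are constructed skeletons, not real roots."""
import base64
from datetime import datetime, timezone


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets that follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield the (tag, value_start, value_end) triples inside a SEQUENCE/SET."""
    pos = start
    while pos < end:
        tag, vs, ve = _read_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def _parse_time(tag, raw):
    s = raw.decode("ascii")
    if tag == 0x17:  # UTCTime YYMMDDHHMMSSZ; RFC 5280: YY >= 50 means 19YY, else 20YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    # GeneralizedTime (tag 0x18) is already YYYYMMDDHHMMSSZ
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def extract_validity(der):
    """Return (not_before, not_after) from a DER-encoded Certificate."""
    _, cert_s, _ = _read_tlv(der, 0)              # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = _read_tlv(der, cert_s)      # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                      # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, ...
    _, val_s, val_e = fields[3]
    return tuple(_parse_time(t, der[s:e]) for t, s, e in _children(der, val_s, val_e))


def pem_to_der(pem):
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def usable_anchors(ders, at):
    """Indices of the certificates whose validity window contains `at`."""
    out = []
    for i, d in enumerate(ders):
        not_before, not_after = extract_validity(d)
        if not_before <= at <= not_after:
            out.append(i)
    return out


def usable_anchors_on(ders, iso_date):
    """Same check with a YYYY-MM-DD date, read as midnight UTC."""
    return usable_anchors(ders, datetime.strptime(iso_date, "%Y-%m-%d").replace(tzinfo=timezone.utc))


# --- constructed sample store (a tiny DER encoder builds unsigned skeletons) ---
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def make_skeleton_cert(not_before, not_after):
    """Constructed Certificate with only the fields extract_validity() reads."""
    def t(dt):  # RFC 5280: UTCTime through 2049, GeneralizedTime from 2050 on
        if 1950 <= dt.year < 2050:
            return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
        return _tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode())
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02"))          # version v3
           + _tlv(0x02, b"\x01")                    # serialNumber (placeholder)
           + _tlv(0x30, b"")                        # signature AlgorithmIdentifier (empty placeholder)
           + _tlv(0x30, b"")                        # issuer Name (empty placeholder)
           + _tlv(0x30, t(not_before) + t(not_after)))  # validity
    return _tlv(0x30, _tlv(0x30, tbs))


_D = lambda y: datetime(y, 1, 1, tzinfo=timezone.utc)
SAMPLE_STORE = [                      # assumed validity windows, not real roots
    make_skeleton_cert(_D(2004), _D(2024)),
    make_skeleton_cert(_D(2010), _D(2030)),
    make_skeleton_cert(_D(2020), _D(2060)),
]

if __name__ == "__main__":
    for day in ("2014-02-13", "2024-02-13", "2054-02-13", "2064-02-13"):
        print(day, "usable anchors:", usable_anchors_on(SAMPLE_STORE, day))
```

Run as written, the store goes from two usable anchors in 2014 to one in 2054 and none in 2064; the same script over a real 2014 root bundle, with a clock set decades ahead, shows the same thinning. Note that the verdict depends entirely on the `at` value: a capsule whose clock has drifted or reset will accept or reject the wrong anchors.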

Regardless of the communication method used, as more time passes, it becomes increasingly difficult for a time-capsule device to establish trust independently. A current computer can establish trust with other endpoints without much difficulty after a few years of no use, but once the timescale reaches decades, some external intervention is almost always needed to get the computer back online, if it can be done at all. Time-capsule machines are designed to be usable after decades of no use or updates, but a lack of updates also means a lack of information about other peers. What if those peers are gone, or have gone rogue? An external source of information would be required to make determinations like that. In other words, the time-capsule computer can't establish trust independently after arbitrarily long amounts of time have passed.
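The "gone rogue" case is exactly where TOFU shows its limit, and a small example makes the limit visible. What follows is added code of my own, not part of the original log and not any Gemini client's implementation: a minimal trust-on-first-use pin store in the spirit of ssh's known_hosts, persisted as one text line per host. The host name and key bytes are constructed stand-ins. The point to notice is that when the capsule wakes after forty years and the peer presents a new key, the store can report a mismatch and how old the pin is, but nothing in the store can say whether the key was rotated or the host was hijacked.

```python
"""Added example: a trust-on-first-use pin store and what it can (and cannot)
decide after a long gap. Standard library only; host and keys are constructed."""
import hashlib
from datetime import datetime, timezone


def fingerprint(public_key_der):
    """SHA-256 over the peer's key bytes, the usual TOFU pin."""
    return "sha256:" + hashlib.sha256(public_key_der).hexdigest()


class TofuStore:
    """host -> (fingerprint, first_seen). On disk: `host sha256:<hex> <ISO-8601 UTC>`."""

    def __init__(self):
        self.pins = {}

    def check(self, host, fp, now):
        """'first-use' records the pin; later contacts yield 'match' or 'mismatch'.
        A mismatch means the key changed: key rotation and hijack look identical here."""
        if host not in self.pins:
            self.pins[host] = (fp, now)
            return "first-use"
        pinned, _ = self.pins[host]
        return "match" if pinned == fp else "mismatch"

    def pin_age_days(self, host, now):
        return (now - self.pins[host][1]).days

    def dumps(self):
        return "".join(f"{h} {fp} {seen.strftime('%Y-%m-%dT%H:%M:%SZ')}\n"
                       for h, (fp, seen) in sorted(self.pins.items()))

    @classmethod
    def loads(cls, text):
        store = cls()
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            host, fp, seen = line.split()
            first_seen = datetime.strptime(seen, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            store.pins[host] = (fp, first_seen)
        return store


def _utc(iso_date):
    return datetime.strptime(iso_date, "%Y-%m-%d").replace(tzinfo=timezone.utc)


KEY_2014 = b"constructed key material, 2014"   # stands in for a DER public key
KEY_2054 = b"constructed key material, 2054"   # a different key: rotated, or not the same server


def scenario():
    """First contact in 2014, a repeat visit, then the capsule wakes in 2054 and
    the peer presents a different key. Returns the three verdicts and the pin age."""
    store = TofuStore()
    v1 = store.check("example.capsule", fingerprint(KEY_2014), _utc("2014-02-13"))
    v2 = store.check("example.capsule", fingerprint(KEY_2014), _utc("2014-06-01"))
    store = TofuStore.loads(store.dumps())   # round-trip through the on-disk form, as after a reboot
    wake = _utc("2054-02-13")
    v3 = store.check("example.capsule", fingerprint(KEY_2054), wake)
    return [v1, v2, v3], store.pin_age_days("example.capsule", wake)


if __name__ == "__main__":
    verdicts, age = scenario()
    print(verdicts, f"pin age at last check: {age} days")
```

The mismatch verdict is the best a stale pin store can do on its own; deciding what to do with it (accept the new key, refuse, or ask someone) needs the external information the paragraph above describes.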

It seems to me that the only way for time-capsule computers to remain interoperable indefinitely is to either trust communications by default or use TOFU. Relying on central authorities of trust simply does not work long-term.

^ Long-term Computing

---


[Last updated: 2024-10-06]