People talk about trust a lot. The gist being, the less we have to trust something/someone, the better.
So where does that leave us? I am making a website, the goal of which is that you should not have to trust anyone in order to use it. There is really a lot of work that goes into making something trustless — like multiple full time jobs at multiple companies.
This has gotten us data structures that are "self verifying". Meaning, you can look at a data structure, and you can verify that it was created by who it says it was — the owner of the corresponding private key.
Importantly, you can check this anywhere. Any application or website that knows how to read the keys can tell you if a given written message is valid. So we are not trusting my website there. We don't need to trust that my website returns the correct data; we can check it ourselves, independently, and be certain.
That said, there is a lot that goes into knowing how to read and verify some keypair. And you need to know more info in order to map the given public key to a meaningful identity.
That is the future — being able to map a given public key to various domain-specific identities. Right now there are the beginnings of some baby steps in that direction — the UCAN spec.
Anyway, back to the trust issue. Where does that leave us? A lot of this is theoretical, honestly, planning for a future that does not exist yet. For example, anyone can verify some data + identities. But what services actually do verify it? Ideally the world would have myriad native apps & web apps that are able to tell you if a given piece of data is valid. But we are not there yet.
trustlessness
What are we trusting when we use a "trustless" website? We are trusting that the website owners have not suddenly changed the source code to something malicious, unless you disable javascript and read the source code before loading a website (ie, that's not going to happen). We are trusting the various layers of infrastructure built around serving us websites — github, netlify, miscellaneous other hosts. Trust in the sense that they are serving the correct bytes.
social trust
What we did there is we pushed the trust out of the application, and into the social layer. We are trusting the various companies invloved, which are really just human-created ideas, specific to this time & place in civilization.
In the application itself, we do the same. We don't let any random strangers look at your content, but what is stopping someone from screenshotting your picture and distributing it? Nothing technical — this is pushed into the social level. You are trusting the person with whom you are sharing a post to act in respect to your social contract.
That's where things get messy, from a software view. How can we codify something as complex as human interaction, and a lifetime of interactions with someone else? The solution is to not try. Let humans do the thing they are good at — analyzing social interactions — and as for web software, it can eliminate trust as much as possible, so that you know exactly who you are trusting.
