Showcase PlexiMail
Introduction
This is to showcase PlexiMail, which we have been working on for over two years and is now ready for Phase I of Beta release. It is an end-to-end encrypted, ICP Canister-based, trustless secure email service with metadata cloaking and electronic notarization. This bit of jargon highlights how thoroughly we’ve reimagined traditional “free” email services, which are arguably the most influential Internet products fueling Surveillance Capitalism. PlexiMail offers a completely backdoor-free approach to email services by leveraging recent technological advances, particularly blockchain and ICP Canisters.
We call this new approach Privacy as a Self-Service or PaaSS, emphasizing the “Self-Service” aspect of this privacy-centric framework. It features a Fat Client based on open source, enabling users to perform Self-Service, and an ICP-Canister-based central server that runs on minimal resources and is fully transparent. It’s important to note that while an open-source client is often assumed to be backdoor-free, true security comes from the transparency of the server logic, which only ICP Canisters and Smart Contracts can guarantee. Our implementation is provably secure and backdoor-free, thanks to ICP Canisters. Architecturally, we simply can’t “do evil” because the server’s transparency prevents it.
Due to the “Self-Service” challenges inherent in a truly privacy-centric implementation, we have put together this write-up to help our users with their initial configuration effort. Please review our approach to see if we are on the right track.
We are committed to keeping the PlexiMail suite both open and free, delivering a turbocharged email experience without compromising on privacy. Unlike other free email services, PlexiMail is designed with no backdoors or surveillance, ensuring a truly secure and private communication platform. While PlexiSign may involve some commercial licensing, we intend to offer PlexiMail as a high-performance, cost-free service. Your feedback will be greatly appreciated.
References
Product Introduction Video: Introducing PlexiMail by Ai-Fi Net
Blog: The Unbearable Lightness of Privacy
Blog: Best Ai-Fi Security Practices
Beta Release: https://ic.ai-fi.cc
Open Source on GitHub: Planned, pending license terms.
The Privacy as a Self Service (PaaSS)
The above outlines the conceptual email system we are familiar with, illustrating the various elements involved in sending an email from Gmail to a partner using Outlook. We interact with our chosen email provider through an email client (Sender/Receiver), which primarily functions to communicate with Gmail or Outlook so that we don’t have to worry about email storage or the routing required to reach our remote partners—both of which were prohibitively expensive until recently. We enjoy these cost benefits and the ability to reach our remote friends for free, in exchange for allowing Gmail and Outlook to access the content of our emails as they are routed around the globe. The green block in the middle represents the email Federation function, enabling different email services to work together. However, the layout depicted above reveals a perfect “backdoor” architecture. It has never been just an email delivery mechanism, but rather an “e-postcard” system, with content visible for all to see, potentially including every service in the Federation. Gmail and Outlook can see whom we are emailing and what topics we discuss. The entire history of our email interactions with friends and partners is permanently recorded.
To avoid being turned into a “product”, we need to avoid this “free” service model.
The concepts of “privacy” and “security” are highly nuanced and often misunderstood. In our daily lives, we face questions like: Does installing a lock on your front door make your house safe? Are two locks safer than one? How many locks are needed to ensure security? Should I install a surveillance camera as well? These uncertainties easily extend to our online world as well.
PlexiMail is an initiative designed to help us break away from backdoor architectures and proactively reclaim our privacy. This commitment to privacy requires effort—there is no free lunch. To support this, we advocate the Privacy as a Self-Service (PaaSS) framework, with “Self-Service” being the operative word, which leverages all the tools and resources provided by the PlexiMail service network.
Users of PlexiMail must first fully participate in defining their security and privacy profiles, carefully reviewing all configuration options before making the final trade-offs in deploying their personalized PlexiMail services. In other words, setting up PlexiMail is a bit of a project, but it’s worth it! First, however, we need to understand the basic tools available to us. This document explains how PlexiMail works and its design principles. The actual configuration details are provided through a wizard, which you’ll encounter on your first visit to the website at https://ic.ai-fi.cc.
Let’s dive into the architectural elements of PlexiMail that our users need to be aware of in order to take full advantage of the system.
- The standard format of a PlexiMail address is 0xf0aa9bd4577d0ba6eaa51750028c8fe79c51b148@ai-fi.cc. The long string before the domain specifier “@ai-fi.cc” is a self-generated “address”, which is actually an Ethereum blockchain address.
- Since a user’s PlexiMail address is the only information they expose, and it is unwieldy to handle by hand, your daily PlexiMail operations will mostly use the identifiers defined locally in your list of Contacts, such as “Alice” and “Bob” in our example.
- The domain specifier, e.g. “acme.com”, is the mail stop where PlexiMail users check for and receive their email delivery notices. Architecturally, a PlexiMail setup may have multiple mail stops. The “ai-fi.cc” mail stop is publicly shared and available to all users.
- Another major departure of PlexiMail from the traditional service-provider-centric “free” email architecture is the distribution of email storage. The PaaSS framework requires central service elements such as the notification domains (e.g. acme.com) to be minimally involved in the creation of email content and the specific delivery details. PlexiMail emails are not forwarded to a central server; only their delivery notifications are. The actual content is stored locally, owned and controlled privately by each user (as in 0.1). Since mail stops such as ai-fi.cc or acme.com function simply as relays for notification requests made by many faceless burner avatars, they cannot learn any metadata such as the sender’s or receiver’s PII, or where and how the content is stored.
- Before a sender can send PlexiMail to their partners, they need to give the recipient a heads-up based on the TOFU (Trust On First Use) protocol so that the recipient would accept the email notification on reception. This allows users to build their own social circles through the TOFU protocol, one by one.
- The recipient retrieves the email content from the sender’s storage directly.
- Once an email arrival notification has reached the recipient via the notification domain, it remains in a queue until the recipient retrieves it. The notification will be removed from the queue after a fixed timeout period.
We hope you appreciate the ‘provable’ data-free nature of PlexiMail, supported by the ICP Blockchain Canisters:
- Most PlexiMail functions, including email drafting, storage, and content retrieval, are incorporated into a “Fat Client,” which is open source and buildable by individuals. The PlexiMail web client is only a reference implementation.
- PlexiMail delivery occurs in two steps: first, through a notification mechanism that alerts the recipients, and then through content retrieval, which transfers the content directly from the sender’s private storage end-to-end. This email notifier is the only server element, represented by a few streamlined ICP smart contracts, which are also open source. However, being open source does not automatically guarantee the authenticity of the deployed server code. Only the transparency of smart contracts, like those provided by ICP Blockchain Canisters, can offer this guarantee.
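The two-step delivery described in the bullets above (a notification through the mail stop, then retrieval of the content from the sender’s own storage, with expiry after a fixed timeout) is easier to reason about with a small model in hand. The following Python is an added example and not PlexiMail’s own code. Its assumptions: the ICP canister / mail stop is modelled as an in-memory queue with a constructed TTL; the sender’s Web3 storage is a content-addressed dictionary whose identifier is a SHA-256 digest standing in for a Filecoin/IPFS CID; and the end-to-end cipher is an HMAC-SHA256 keystream with an HMAC tag, a standard-library stand-in for the Signal-protocol encryption the write-up mentions. The point it demonstrates is what each party holds: the relay sees two burner addresses and ciphertext, the content never leaves the sender’s storage, and an unclaimed notice simply disappears after the timeout.

```python
"""Added example (not PlexiMail's own code): notification, then end-to-end retrieval."""
import hashlib
import hmac
import secrets

NOTICE_TTL = 7 * 24 * 3600   # constructed value; the write-up only says "a fixed timeout period"


# ---- end-to-end envelope: encrypt-then-MAC over an HMAC keystream (stdlib stand-in) ----
def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unseal(key: bytes, envelope: bytes) -> bytes:
    nonce, body, tag = envelope[:16], envelope[16:-32], envelope[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag: wrong key or tampered envelope")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, stream))


# ---- the sender's private, content-addressed storage ----
class PrivateStorage:
    def __init__(self):
        self._blobs = {}

    def put(self, blob: bytes) -> str:
        cid = hashlib.sha256(blob).hexdigest()       # stand-in for a Filecoin/IPFS CID
        self._blobs[cid] = blob
        return cid

    def get(self, cid: str) -> bytes:
        blob = self._blobs[cid]
        if hashlib.sha256(blob).hexdigest() != cid:  # integrity check on retrieval
            raise ValueError("stored content does not match its identifier")
        return blob


# ---- the mail stop: everything the server side ever holds ----
class NotificationRelay:
    """Per recipient: (enqueue_time, sender burner address, opaque notice).
    The notice is a sealed pointer, so the relay sees two burner addresses
    and ciphertext: no content, no storage location, no PII."""
    def __init__(self, ttl: int = NOTICE_TTL):
        self._queue, self.ttl = {}, ttl

    def notify(self, recipient: str, sender: str, notice: bytes, now: int) -> None:
        self._queue.setdefault(recipient, []).append((now, sender, notice))

    def poll(self, recipient: str, now: int) -> list:
        """Hand over and dequeue unexpired notices; expired ones are dropped."""
        pending = self._queue.pop(recipient, [])
        return [(s, n) for t, s, n in pending if now - t <= self.ttl]


# ---- client-side flow ----
def send(relay, storage, shared_key, sender, recipient, message: bytes, now: int) -> str:
    cid = storage.put(seal(shared_key, message))   # content stays in the sender's storage
    relay.notify(recipient, sender, seal(shared_key, cid.encode()), now)  # only a sealed pointer
    return cid

def receive(relay, storages, shared_keys, recipient, now: int) -> list:
    """shared_keys: sender address -> key agreed at the TOFU handshake; unknown senders are skipped."""
    inbox = []
    for sender, notice in relay.poll(recipient, now):
        key = shared_keys.get(sender)
        if key is None:
            continue
        cid = unseal(key, notice).decode()
        inbox.append((sender, unseal(key, storages[sender].get(cid))))
    return inbox


# constructed sample run: Alice -> Bob, then the same notice read after the TTL has lapsed
ALICE = "0xf0aa9bd4577d0ba6eaa51750028c8fe79c51b148@ai-fi.cc"   # address from the write-up
BOB = "0x" + "ab" * 20 + "@acme.com"                             # constructed
ALICE_BOB_KEY = bytes(range(32))                                  # constructed TOFU-shared key

def demo(delay: int = 0) -> list:
    relay, alice_storage = NotificationRelay(), PrivateStorage()
    send(relay, alice_storage, ALICE_BOB_KEY, ALICE, BOB, b"lunch on Friday?", now=0)
    return receive(relay, {ALICE: alice_storage}, {ALICE: ALICE_BOB_KEY}, BOB, now=delay)

if __name__ == "__main__":
    print(demo())                # [(ALICE, b'lunch on Friday?')]
    print(demo(NOTICE_TTL + 1))  # []
```

Run it as a script to see the two outcomes: polled in time, Bob gets the plaintext; polled after the TTL, the relay returns nothing and the content is still only in Alice’s storage. Swap the cipher for a real AEAD (and the Signal session key for `ALICE_BOB_KEY`) and the shape of the flow does not change.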
A Parallel Internet
PlexiMail represents our first venture into creating a Parallel Internet at a time when privacy is critically at risk. It is not a futile attempt to replace the public Internet, which is dominated by Surveillance Capitalism. Instead, it is a serious effort to establish a private dimension where individuals can extend their personal lives into the digital world. The PaaSS framework necessitates a clear demarcation between the public domain and our private spaces. Users are strongly advised to be mindful of this boundary at all times while managing both free public emails and PlexiMail on their devices.
The Fat Client
We’ve introduced the concept of the Privacy as a Self-Service (PaaSS) framework to highlight the shift in user responsibility compared to traditional provider-centric email services. Since the PaaSS framework emphasizes “self-service,” one might wonder if this would overly complicate the client application. However, this concern is alleviated by our intelligent design, which features a “fat client” and conceals the complexity within a layered architecture. The client is “fat” in terms of the functions it includes, but we try very hard to mask most of that complexity beneath the user interface: relocating important logic to the client side does not make the client complicated to use.
Our PlexiMail client is web-based and directly interacts with the ICP smart contract “cloud” as the backend without a dedicated server. This browser-based web interface makes PlexiMail available to our users at any locale on any platform. Users’ “PaaSS Wallets”, where all the private keys are stored, reside in the secure enclave, a protected region of memory within a computer system, isolated from the rest of the system and operating system to help protect against various attacks, such as malware and hacking attempts. It also takes advantage of Passkey and an additional cloud access key called “Crypton” to further strengthen the cloud access. Users’ secret data are triple protected.
Some of our users even run PlexiMail from a bootable USB stick carrying any Linux distribution, bootable on any Wintel hardware. When properly configured, PlexiMail is completely cloud-based and leaves no traces on the device it runs on, as it does not require a dedicated app.
Identities, Accounts and Smart Contract
General
Identity is a multifaceted concept that encompasses both how we perceive ourselves and how we present ourselves to the world. Our identity can evolve over time and vary across different contexts. PlexiMail identity refers to how we present ourselves through PlexiMail as a communication medium. Our digital identity may differ from our offline identity, which can be linked to Personally Identifiable Information (PII). PlexiMail allows us to curate and control the aspects of ourselves that we choose to display.
PlexiMail is designed to cleanly segregate our PlexiMail identities from our offline identities to prevent any digital exhaust while interacting with other PlexiMail users. In scenarios where offline identities are required, such as for eSign or eContract activities under PlexiSign, we utilize a permissionless framework built on ICP Canisters/Smart Contracts. This framework facilitates multi-factor authentication to ensure legal validity.
Addresses and Avatars
We use the terms address and avatar interchangeably to represent our digital identities in the PlexiMail spaces. These are inherently “burner addresses/avatars” in the sense that they are not linked to any Personally Identifiable Information (PII). They are meaningful only in the social context constructed by the owner through the TOFU protocol manually, one avatar at a time. These addresses can be discarded for whatever reason the user deems necessary.
Before a sender can send PlexiMail to their partners, they need to give the recipient a heads-up based on the TOFU (Trust On First Use) protocol, so the recipient will accept the email notification upon reception. This allows users to build their own social circles through the TOFU protocol, one by one. The initial TOFU heads-up must be conducted “out of band,” meaning through a channel other than PlexiMail. This first TOFU handshake is a critical step in operating your PlexiMail application. Take all necessary precautions to preserve the “burner” nature of your PlexiMail addresses. Under the application’s Settings, in the “Address” subsection, you will find several options to assist with this initial TOFU process. Alternatively, you can use the PlexiMail Bridging function, which allows you to send an encrypted email to your partner conveniently with minimal exposure, provided the risk is acceptable.
Part of the first TOFU interaction involves exchanging the identity “fingerprint” of the participating parties, which must remain consistent for all subsequent messages. Factors that may affect a party’s fingerprint include loss events (such as the loss of phones or device failure) and identity mismatches.
Each address or avatar may be authenticated through its associated and self-managed, matching cryptographic private key.
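The address format, the out-of-band TOFU handshake and the fingerprint that must stay constant afterwards, as described in this section, are shown together in the following Python. It is an added example, not PlexiMail’s own code: it parses a burner address into its Ethereum address and mail stop, pins a partner’s fingerprint at the first handshake, and refuses later notifications whose key does not match the pin. The fingerprint derivation (the first 128 bits of SHA-256 over the identity public key, printed as eight hex groups) and the identity keys are assumptions; the write-up does not specify PlexiMail’s actual fingerprint format.

```python
"""Added example, not PlexiMail's own code: burner-address parsing and TOFU pinning."""
import hashlib
import re

# 0x + 40 hex digits (an Ethereum address) followed by the mail-stop domain
ADDRESS_RE = re.compile(r"^(0x[0-9a-fA-F]{40})@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")


def parse_address(address: str) -> tuple:
    """Split '0x<40 hex>@mailstop' into (ethereum_address, mail_stop), both lower-cased.
    Raises ValueError for anything that is not a well-formed PlexiMail address."""
    m = ADDRESS_RE.match(address.strip())
    if not m:
        raise ValueError(f"not a PlexiMail address: {address!r}")
    return m.group(1).lower(), m.group(2).lower()


def fingerprint(public_key: bytes) -> str:
    """Assumed fingerprint format: first 128 bits of SHA-256(identity public key),
    printed as eight 4-hex-digit groups for easy out-of-band comparison."""
    digest = hashlib.sha256(public_key).hexdigest()[:32]
    return " ".join(digest[i:i + 4] for i in range(0, 32, 4))


class TofuError(Exception):
    """Raised when a message cannot be tied to a completed TOFU handshake."""


class ContactBook:
    """Local contact list: a friendly name maps to a burner address and the
    fingerprint pinned during the first, out-of-band TOFU handshake."""

    def __init__(self):
        self._by_name = {}     # "Alice" -> (eth_address, mail_stop, pinned_fingerprint)
        self._by_address = {}  # eth_address -> "Alice"

    def add_contact(self, name: str, address: str, peer_public_key: bytes) -> str:
        """Pin a partner after the out-of-band handshake; returns the fingerprint to confirm."""
        eth, stop = parse_address(address)
        if name in self._by_name or eth in self._by_address:
            raise TofuError(f"{name!r} / {eth} is already pinned; discard it first to re-key")
        fp = fingerprint(peer_public_key)
        self._by_name[name] = (eth, stop, fp)
        self._by_address[eth] = name
        return fp

    def verify_sender(self, address: str, presented_public_key: bytes) -> str:
        """Run on every notification: the presented key must match the pinned fingerprint.
        A mismatch means impersonation, or a genuine re-key after device loss that
        needs a fresh out-of-band handshake; either way the message is refused."""
        eth, _ = parse_address(address)
        name = self._by_address.get(eth)
        if name is None:
            raise TofuError(f"{eth}: no TOFU handshake on record, notification ignored")
        pinned = self._by_name[name][2]
        if fingerprint(presented_public_key) != pinned:
            raise TofuError(f"fingerprint mismatch for {name!r}: expected {pinned}")
        return name

    def discard(self, name: str) -> None:
        """Burner addresses are disposable: drop the pin when the owner says so."""
        eth = self._by_name.pop(name)[0]
        del self._by_address[eth]


# constructed sample data: the address from the write-up, plus made-up identity keys
ALICE_ADDRESS = "0xF0AA9BD4577D0BA6EAA51750028C8FE79C51B148@ai-fi.cc"
ALICE_KEY = bytes(range(32))      # constructed; stands in for Alice's identity public key
IMPOSTOR_KEY = bytes(32)          # constructed; a different key presented under Alice's address


def demo() -> dict:
    book = ContactBook()
    fp = book.add_contact("Alice", ALICE_ADDRESS, ALICE_KEY)
    accepted = book.verify_sender(ALICE_ADDRESS.lower(), ALICE_KEY)
    try:
        book.verify_sender(ALICE_ADDRESS, IMPOSTOR_KEY)
        rejected = False
    except TofuError:
        rejected = True
    return {"fingerprint": fp, "accepted_as": accepted, "impostor_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The check in `verify_sender` is the whole value of TOFU: the first handshake is the one moment of exposure, and everything after it is compared against that pin. A legitimate key change (the “loss events” the text mentions) looks identical to impersonation from the recipient’s side, which is why it has to go back through an out-of-band handshake rather than being accepted silently.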
The PlexiMail Bridge
The PlexiMail system does not fully participate in the traditional Email Federation. A public email account like Gmail or Outlook cannot reach a PlexiMail address. However, a PlexiMail account can send emails to a public email address through the PlexiMail Bridge functions, provided that the recipient’s email domain is not a PlexiMail domain. To send an email to a public email address, a “passcode” is required for the recipient to decrypt the email and ensure that the destination email domain cannot access the content. This passcode should be securely communicated to the recipient through a separate “out of band” channel.
Internet Identities on ICP Blockchain
A PlexiMail user must first obtain a PlexiMail account before taking advantage of all the tools. To be truly data-free, permissionless and backdoor-free, all of PlexiMail’s central service elements are deployed as Smart Contracts or Canisters on the ICP Blockchain. Because the PlexiMail canisters run on ICP, all users are required to adopt the ICP Internet Identity (account) as the basis for keeping track of all their resources, such as their Web3 storage, payment options, PlexiMail contacts and all the historical data and records.
ICP Internet Identity is protected on various platforms through different options. We recommend opting for Passkey standards, which use self-managed cryptographic key pairs with 2FA authentication. Although Passkey is touted as the next-generation replacement for passwords, it is still relatively new to the general public. To create an Internet Identity for PlexiMail, please refer to the details on your platform to determine the best configuration.
Private Storage
All components of the PlexiMail server are designed as data-free implementations. Specifically, PlexiMail email delivery notifications are deployed as ICP Blockchain Canisters/Smart Contracts, while the actual email storage is privately owned by the users and is hosted through several Blockchain (Filecoin) based Web3 storage providers, such as:
- Lighthouse Storage
- Web3.Storage
Web3 Storage allows PlexiMail users the option to define their storage requirement per their project needs in terms of size and data retention, which is made affordable by the tokenization technology offered through the Filecoin blockchain.
Both Web3 storage providers listed are subscription-based, tokenized storage services, each offering a free tier to attract private individuals. Lighthouse.storage features a more flexible API, allowing our fat client to set up the free tier with minimal effort. In contrast, Web3.storage provides a generous amount of initial free storage but requires users to enter their credit card details even for the free tier, as well as additional effort to obtain an ‘API Token’ before the subscription can be set up.
Once the initial free-tier allowance is used up, both Web3 storage solutions may trigger an error condition in PlexiMail, prompting users to acquire/purchase more storage space from their chosen Web3 storage provider. The process for obtaining additional space from either provider is well documented on their respective websites.
Each PlexiMail account is configured with and linked to a Web3 storage subscription, currently supporting lighthouse.storage and web3.storage as previously described.
Cryptons
Data stored in a user-subscribed Web3 storage is protected through a locking mechanism called Crypton. This mechanism allows users to encrypt their data with arbitrary cryptographic strength while still retaining its portability. For more information about this mechanism, refer to Best Ai-Fi Security Practices (also found in the References section).
UX
Configuration Wizard
Upon entering the PlexiMail application website, you will be presented with a wizard that guides you through the configuration steps in detail. If you have reviewed the basic background information in the previous sections, you should be able to follow these steps and make the necessary trade-offs in configuring PlexiMail according to your security and privacy profile.
Main Screen
“PlexiSign”, displayed here, is an eSign application, one of the many possible applications that extend the functions of PlexiMail. It takes advantage of the privacy-centric, permissionless, data-free characteristics of PlexiMail, augmented with an email-based workflow infrastructure, to implement an end-to-end protected eSign/eContract product. By eliminating the service cloud and extending the popular Signal Protocol with metadata anonymization, the PlexiSign blend of digital identity, customizable multi-factor authentication, end-to-end PlexiMail encryption, message registration and contract notarization leads naturally to the strongest eSignature solution, one that most resembles the traditional, immediate, face-to-face negotiation process without involving any service providers. Such providers are widely recognized as the low-hanging fruit for snoops, cyber attacks and a variety of compromises, not to mention intrusions into lawyer-client confidentiality. CryptoSign closes the gap in scenarios where insider confidentiality is of critical concern, such as mergers and acquisitions, price bidding, IP transfer, offshore outsourcing and many others.
PlexiSign is in Alpha, not yet released.
Settings
TBD