Woah, that's a solid-looking proposal, ~timluc. Thanks for sharing! I may respond in more detail later (and I certainly invite others to do the same!), but for now I'll just gently agree with "probably need to be pared down on those grounds".
I wanted to share some points that came up in tlon-internal chat, to help clarify the situation and what kind of thinking goes on about this. Not all of us fully agree on these things, so don't take this as gospel!
tldr: using pre-spawned/custody'd planets dramatically improves the user experience without taking away sovereignty from those who care.
From Galen's opening email:
Doing this means we're spawning to wallets that we control, then handing those to newcomers. This is obviously far from ideal in terms of custody. But it gives us a way to bring new people on the network for the time being. If they decide they want to secure their planets, they can rekey later.
It's no real secret that Tlon has been working on becoming an Urbit hosting provider. Reasonably, hosting providers might want to shy away from doing key custody, because it detracts from the "100% sovereign" Urbit vision, and can be a big liability.
Realize though, that Urbit key custody has always been one of the business models on the table, for people wanting to provide services in this space. Would you trust your grandmother with her own private keys? Would she _care_ about managing those herself? For the bulk of "normal users", having someone (or some entity) take care of their keys for them is simply too convenient. It dramatically reduces the risk-cost of "what if I lose my keys", to the point where it's like a car: losing your car keys doesn't mean losing access to your car, as long as you can still prove it's yours.
You might already see how this is a good fit for hosting. You're already trusting the host with your running ship. Trusting them with the keys that own that ship is only a small step beyond that, and makes the whole process much more convenient.
Of course, the way we'll be setting this up (and I hope other hosting providers will too) will allow users on-demand access to their keys. If they fall into the digital sovereignty rabbit hole and realize they no longer want to trust their service provider, they can just get out. Take the keys, sign a one-time $50 transaction, and "upgrade" your planet to a fully sovereign one. Imagine if Coinbase let you do this...
—
~palfun-foslup
https://urbit.org
Honestly, I find the idea of key custody revolting. _However_ it is pragmatic. A few things should be pointed out about the "pre-spawning" planets proposal.
1) Key custody is a service that people want and that is really what we are talking about. This is a service to avoid the problems we are currently encountering due to insane gas prices. This is not necessarily a forever solution. However, it's likely that even in the glorious urbit based pki future that some people will not want the hassle of handling keys. I certainly don't, though I will continue to handle my own keys. This management is enough of a pain in the ass to turn people off of the idea of booting a planet. Not to name names.
2) You don't have to use one. If you, or the friend you want to get onto the network, aren't comfortable having a planet that's on a wallet someone else holds, they can rekey or even just buy a planet from someone else who isn't pre-spawning.
3) Tlon does not own all the planets. Even if we wanted to, we could not pre-spawn every planet on the network. I myself have stars that will not have pre-spawned planets and I'm sure the majority of other people do as well. The vast majority of planets will never have this potential problem of key custody.
Digital sovereignty is a core pillar of the urbit philosophy. We remain committed to this and this is a short term Tlon solution to a current problem. You can imagine a world where the urbit foundation would do this as well, offer key custody services to help offset the costs of their work.
I have no good way to end this email.
Mark <mark@tlon.io> writes:
--
~rapfyr-diglyt
https://urbit.org
After this email, I have some more responses and a few more scenarios to describe (unilateral censorship attempts and poor orderer availability in a self-hosted system, and analysis of double-spends in the planet IOU system), but I'll put this out there for now as an example of how I'm thinking about this topic.

Philip, you mentioned that no matter what the ostensible rules are, a galaxy might always decide that a transaction is immoral and refuse to sign it. This is an excellent point, and I agree wholeheartedly. The Urbit network is a group of people. That group of people will make decisions based on some combination of local law, personal ethics, self-interest, and sheer caprice.

The network is set up so that the galaxies are the people to look to when making decisions that affect the network as a whole. Decisions about managing the PKI will inevitably fall primarily to the galaxies. The galaxies might decide to censor or otherwise censure a planet, a star, a galaxy, or a whole subnet. They could also fail to come to consensus, resulting in a fork.

Let's play out some scenarios in which galaxies want to censor someone. This will help us think through the similarities and differences among proposed solutions for managing the PKI.

Scenario: ~nus goes nuts

The owner of ~nus has had a psychotic break due to overexcitement from arguing about Hoon's four-letter variable naming scheme. Since then, he's been poaching cute endangered animals, spamming the network with denial of service attacks, providing spotty service to his stars, trying to propagate various Byzantine faults, proposing the appointment of his horse to the galactic senate, and cutting in line in the grocery store. There's even a rumor that he murdered his neighbor in Belize.

The other galaxies have had enough. The first thing they do is add ~nus to the list of addresses whose packets should be rate-limited to prevent the incessant DoS attacks. They push this out to the network, so now the vast majority of stars and planets ignore all packets from ~nus. Only the few people who have manually disabled the network's standard spam protection app will see packets from ~nus now.

When the galaxies censure ~nus in this way, most of ~nus's stars quickly try to escape. A few stars stay, either because they're secretly controlled by ~nus (a galaxy can always spawn a star to a private key it generated itself), or because they share ~nus's belief that the reptilians have taken over the earth, so they remain loyal to him.

If one of these stars has a change of heart later, it might be difficult for it to escape, since it has tainted its reputation through association. The price for these assets will likely be lower too, since this star doesn't have an established relationship with a galaxy in good esteem.

After a while, ~nus's owner goes broke. Most of his stars have left, so his repeated revenue has been drastically reduced. There's a good chance that in a lucid moment, he'll try to sell the galaxy to cut his losses. Unfortunately for him, but fortunately for the network, this galaxy is not worth as much as it was when its owner was acting in the best interests of the network. Who wants to own a galaxy whose name is associated with such horrible acts?

Someone eventually buys ~nus for a low price and makes some effort to distance himself from its former owner. He makes some donations to some wildlife preserves, stops spamming the network, and takes on a few stars pro bono for a while to demonstrate that the quality of service has improved. After a while, the other galaxies feel confident that this is not only a new public key for ~nus, but a new person who owns it. Nature is healing — habitat destruction slows now that ~nus's old owner can't fund it anymore, and this corner of the network has reestablished legitimacy.

But maybe that's too optimistic. Let's consider the case where ~nus's owner is determined not to sell his hard-earned galaxy to some reptilian, no matter what. Some ill-tempered stars and planets from all over the network join his "hunt all mammals to extinction" movement and amplify ~nus's denial of service attacks.

A few times, ~nus claims he's selling his galaxy, trying to pretend the new owner is less odious, but he actually just transfers it to some other address he owns. A few people get snookered into buying some of ~nus's stars for a price that's higher than they can resell, since once they realize ~nus is still owned by the same person, they try to escape.

Then, raising the stakes, ~nus and his band of nihilist ne'er-do-wells in his subnet start trying to blackmail the other galaxies into voting his way. Now the galaxies realize that they need to take more draconian measures to save the network.

The next step they can take is to remove ~nus's ability to vote. Unfortunately, ~nus's owner is still trying to blackmail other galaxies, even though his node can no longer vote. So the galaxies can escalate a few more steps, including forbidding ~nus from selling his assets (or maybe preventing sale other than to known-decent public keys), with the last resort being a forcible transfer of ~nus and its subnet.

At this level of conflict, a fork is probably inevitable. ~nus and his subnet don't want to be shut down, but the rest of the network doesn't want them there. The other galaxies decide to clear the PKI state of ~nus and his subnet, putting the addresses up for auction and sharing the revenue from the sale. There's a good chance they'd allow ~nus's planets to escape without forcing a sale, since they might be removed enough from ~nus that they're not considered culpable or a burden to the network.

~nus and his minions deny the authority of these other galaxies and form a schismatic Urbit fork — maybe they appoint ~nus as antipope of Urbit Classic. The two networks can't communicate unless some people decide to run bridge nodes, which would involve something like a NAT, which bears an odd resemblance to the current internet.

The other galaxies would likely be relatively satisfied with this solution, since from their perspective the network would be whole again. Like all drastic action, it is likely to cause potentially serious collateral damage. It's not something they'd do lightly, which is good, because a fork would be traumatic for the network. In a case like this, though, it might be the best course of action, and it's difficult to predict what these sorts of politics will be like at scale.

Thus concludes this scenario. Note that nowhere in this description did I mention how the galaxies are storing the PKI, since as far as I can tell, that choice has almost no material effect on these dynamics. Any cryptographic arrangement for managing the PKI is merely an attempted implementation of the will of the network, as represented by the galaxies as the Schelling point of decision-making.

If the galaxies had previously voted to freeze the Ecliptic contract, then when they want to expropriate ~nus, they'll launch a new modified contract and push out an OTA that switches everyone to that. Maybe it's marginally more expensive than making a decision like that in a self-hosted system, but if a couple hundred galaxies pitch in, even with current gas prices I don't think it would be prohibitively expensive — or they could switch to a cheaper system, such as a self-hosted one.