Currently, Jael's algorithm for determining the keys to a ship is as follows:

- If the ship is a galaxy, star, or planet, check Azimuth
- If the ship is a moon, ask their sponsor
- If the ship is a comet, hash their key and check it's equal to their address

I propose we leave moons and comets alone, but change the algorithm for galaxies, stars, and planets to:

- If the ship has been spawned on Azimuth, check Azimuth
- Otherwise, ask their sponsor

Note galaxies must always be on Azimuth since they have no sponsor that could be asked.

The advantage of this is that inviting someone is dirt cheap -- just run |ticket. The main disadvantage is that someone invited this way could have their ship taken away by their star, and they can't escape.

A partial mitigation would be for the star to give the planet a signed message that you can present to the Azimuth contracts which lets you spawn that specific planet. This way, if you decide you want to be master of your own destiny, you can do so unilaterally -- you just need to foot the gas bill.

Of course, the Azimuth contracts check whether the message is signed by the current spawn proxy or ownership key, so if the star changes those, the message is invalid. You could preregister these messages on chain (which is morally equivalent to transferring ownership but maintaining sponsorship and key info off chain), but this requires a tx and so is dramatically less scalable.

It's probably acceptable to simply build loud alarms. You're monitoring chain state anyway, so if you're one of these planets and you notice (1) your star has changed management proxies or (2) your planet has shown up on chain, then it should beep loudly at you and display a repeating warning explaining what happened and what that means. Specifically, for (1) you should expect to receive a new signed message from your star; for (2) you should have been expecting this and you need to run |rekey.
---

At some point we should make a small change to Azimuth to add a toggleable flag, letting you descend back to pure-urbit status if you wish (eg to reduce gas costs). We could use the Claims contract for this.

There could even be in-between states, eg where ownership and escaping is on chain but network keys come from your sponsor. In this case, your star could force you to breach but couldn't steal your planet.

We should think of this as a spectrum, a sort of choose-your-own-identity-model. For now we could just have those two options, but I envision more:

- Eth1 contract like Azimuth now: maximum interoperability but expensive
- Optimistic rollups: cheaper but less interoperable
- Ownership/sponsorship in rollup but breaches only on Urbit: even cheaper but could be breached by malicious star
- Everything on Urbit: dirt cheap but not sovereign

Could even add other blockchains as options as long as you have a clear priority list.

---

Other notes:

- This makes urbit-only planets equivalent to moons from both a security and technical perspective.
- From a technical perspective, this makes the flow from galaxy/star/planet to moons continuous. We already have the machinery to ask sponsors for their children's keys.
- This sort of planet can only be issued by a star on the network, since everyone needs to ask the star for the keys.
- This sort of planet may have a different reputation profile. On the one hand, an on-chain planet incurred gas cost and took more work. On the other hand, an off-chain planet must have a good relationship with its star, who would probably disown them if they were too abusive.
- While you’re an off-chain planet, your star can actually recover your planet if you lose it. This could be useful as a rudimentary social recovery system -- presumably the star is going to be careful about their own custody, and they may have an existing relationship with the planet, at least good enough to re-issue them the planet.
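
The key-source rule proposed at the top and its two alarms, as an added Python sketch (not Jael's code and not part of the proposal). It assumes the address-derived sponsor, i.e. the low bits of the child's address; `ChainView`, `key_source` and `alarms` are hypothetical names, and the addresses and key labels are constructed.

```python
from dataclasses import dataclass

# Address width in bits per rank, then the width of the address-derived sponsor prefix.
RANKS = [(8, "galaxy", 8), (16, "star", 8), (32, "planet", 16), (64, "moon", 32), (128, "comet", 16)]

def rank_and_sponsor(ship):
    """Return (rank, sponsor); the sponsor is the low bits of the child's address."""
    for width, name, sponsor_bits in RANKS:
        if ship < (1 << width):
            return name, ship & ((1 << sponsor_bits) - 1)
    raise ValueError("address wider than 128 bits")

def key_source(ship, spawned):
    """Proposed rule; `spawned` is the set of ships that exist on Azimuth."""
    rank, sponsor = rank_and_sponsor(ship)
    if rank == "comet":
        return ("self-certifying", None)   # key hash must equal the address
    if rank == "moon":
        return ("sponsor", sponsor)        # unchanged by the proposal
    if ship in spawned:
        return ("azimuth", None)
    if rank == "galaxy":
        raise LookupError("galaxy missing from Azimuth and has no sponsor to ask")
    return ("sponsor", sponsor)            # off-chain star or planet

@dataclass(frozen=True)
class ChainView:
    """Hypothetical snapshot of the chain state an off-chain planet watches."""
    spawned: frozenset   # ships present on chain
    star_keys: dict      # star -> tuple of keys/proxies recorded on chain

def alarms(planet, before, after):
    """Compare two snapshots and return the warnings the planet should raise."""
    _, star = rank_and_sponsor(planet)
    out = []
    if before.star_keys.get(star) != after.star_keys.get(star):
        out.append("star keys or proxies changed: expect a new signed message from your star")
    if planet not in before.spawned and planet in after.spawned:
        out.append("planet appeared on chain: if you expected this, run |rekey")
    return out

if __name__ == "__main__":
    planet = 0x0001_0200                       # constructed address; sponsor star is 0x0200
    old = ChainView(frozenset({0x00, 0x0200}), {0x0200: ("owner-A", "proxy-A")})
    new = ChainView(frozenset({0x00, 0x0200, planet}), {0x0200: ("owner-A", "proxy-B")})
    print(key_source(planet, old.spawned), key_source(planet, new.spawned))
    print(alarms(planet, old, new))
```

Once the planet appears in `spawned`, the answer flips from the star to Azimuth, which is the same transition the second alarm reports.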