From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from sog-mx-3.v43.ch3.sourceforge.com ([172.29.43.193] helo=mx.sourceforge.net) by sfs-ml-1.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1UZQDG-0003zv-Ol for bitcoin-development@lists.sourceforge.net; Mon, 06 May 2013 18:32:38 +0000 Received-SPF: pass (sog-mx-3.v43.ch3.sourceforge.com: domain of gmail.com designates 209.85.215.177 as permitted sender) client-ip=209.85.215.177; envelope-from=adam.back@gmail.com; helo=mail-ea0-f177.google.com; Received: from mail-ea0-f177.google.com ([209.85.215.177]) by sog-mx-3.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1UZQDE-0003Lr-Sj for bitcoin-development@lists.sourceforge.net; Mon, 06 May 2013 18:32:38 +0000 Received: by mail-ea0-f177.google.com with SMTP id o10so1844750eaj.22 for ; Mon, 06 May 2013 11:32:30 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:date:from:to:cc:subject:message-id:references :mime-version:content-type:content-disposition :content-transfer-encoding:in-reply-to:user-agent:x-hashcash :x-hashcash:x-hashcash:x-hashcash; bh=Gqjra9io9loEdnwwDs7r7gQ3bKal07pkPYynDik9rl4=; b=pOCq41nITgcdL3Wm/fkxLa/VQg1RXunMIyssXYEuZ7YOyAM8KN+fzlNWUDuHbLHxOK w3Yqa/MTL0vxipLVBMvsCdeRjxG2gkylwkKzI57Xm4YOAW17PrpGlopMCj3rYsMy+lLd eki1BbzmXDDF+2RkmXP+D+3JaVZTUwURCVCu4g30X12nELvNvT+LqM79NZHy6ZIJbhi+ v+x7Jdfprnoe/PFO2+J2zr6NBKcq5UrMfM6CqsgL9twnaVm6pZ4zW1xg6IrryXI7dTOn yAPXxtcTlF5glrHLSv2UTj4Hr3vfjB2XgIVsfGMIM6HJJn6JTpk7FdUUOptVHBSd+9aC eLMw== X-Received: by 10.14.22.7 with SMTP id s7mr63429817ees.32.1367865150490; Mon, 06 May 2013 11:32:30 -0700 (PDT) Received: from netbook (c83-90.i07-21.onvol.net. [92.251.83.90]) by mx.google.com with ESMTPSA id e50sm34902127eev.13.2013.05.06.11.32.28 for (version=TLSv1.1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 06 May 2013 11:32:29 -0700 (PDT) Received: by netbook (Postfix, from userid 1000) id 66EF82E064D; Mon, 6 May 2013 20:32:25 +0200 (CEST) Received: by flare (hashcash-sendmail, from uid 1000); Mon, 6 May 2013 20:32:22 +0200 Date: Mon, 6 May 2013 20:32:22 +0200 From: Adam Back To: Gregory Maxwell Message-ID: <20130506183222.GB3797@netbook.cypherspace.org> References: <20130506161216.GA5193@petertodd.org> <20130506163732.GB5193@petertodd.org> <20130506171943.GA22505@petertodd.org> <20130506175331.GB22505@petertodd.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) X-Hashcash: 1:20:130506:gmaxwell@gmail.com::ruK3tBDPeMacaiRX:0000000000000000000 0000000000000000000000001ybA X-Hashcash: 1:20:130506:pete@petertodd.org::jjBEuJH0OfLIRsSl:0000000000000000000 0000000000000000000000009lZD X-Hashcash: 1:20:130506:bitcoin-development@lists.sourceforge.net::7q2dJO4aYDap9 hn2:000000000000000000002X9l X-Hashcash: 1:20:130506:adam@cypherspace.org::ja5UjgkUaU9WBkgo:00000000000000000 0000000000000000000000005D2D X-Spam-Score: -1.5 (-) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (adam.back[at]gmail.com) -0.0 SPF_PASS SPF: sender matches SPF record X-Headers-End: 1UZQDE-0003Lr-Sj Cc: Bitcoin Dev Subject: Re: [Bitcoin-development] Discovery/addr packets (was: Service bits for pruned nodes) X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 May 2013 18:32:38 -0000 btw with nodes for transport security you might use self-certifying keys. Referring to Zooko's triangle, then the key is the node identity. Similar to a bitcion address. So then just another ECDSA key and use emphemeral ECDH for transport authenticated with the nodes key. Maybe there can be some value to reputation to a node - eg it can charge a higher micropayment for its p2p network services, a node with a good reptuation could charge a higher micropayment for relaying (though bitcoin itself probably doesnt like micropayments as bloating the transaction log). Another ZKS era idea I had was to have a gossip protocol for users to find out what other people think about the trustworthiness and reliability of nodes. If that info is distributed via gossip over multiple channels and network connections over time, and kept in something like a gnutella host cache (just a cache of random info with some eg random replacement policy) it becomes very hard for a dishonest node to censor evidence of its low reputation. It is best as Gregory said to be able to directly prove, and punish by block-chain validation, because that is more smart-contract like. Bisbehave and nodes wont connect to you or lose somehow. But what exactly could you prove about a node? You dont really know if a node is an originator for a double spend, it could be relay. And for privacy and security you cant expect the node to use its coin address private key. Hmm: maybe one could use a Brands private credential with offline double spend detection, with the reputation but not coin address of the node disclosed, and the nodes coin address embedded in the proof. Each node could be is own CA, providing a ZKP. If the node ever double spends a coin, it loses its reputation as the coin address is revealed. btw another old idea was to require proof of the existance of the private key of a high value coin in the double-spend revealed information. Then basically to get a higher good-behaviour bond, the node ties up more coins, and if a node cheats, the first person to discover this collects the forfeited good behaviour bond. Adam ps I have an opensource openSSL based Brands (& Chaum) credential library at http://www.cypherspace.org/credlb/ I didnt actually implement the ECDL version, just the DL version, but that is not so hard, and its on my todo list. (There is also a strong RSA assumption version, also not implemented). On Mon, May 06, 2013 at 11:01:22AM -0700, Gregory Maxwell wrote: >> 1) Non-repudiation is only useful with fraud proofs, and they will have >> to be thought out for everything the node might claim. > >That isn't so. If a node is reliably rogue I can go manually gather >evidence and people can manually take action against it. Consider the >DNSseeds, right now fraud proofs really wouldn't matter— the limited >amount of trust put in those things is based not on "oh no, nodes will >ignore you in the future if you're bad", it's based on the ability of >misconduct to sully the operator's reputation. > >But without non-repudiation the ability to tie reputation to good >behavior is fairly limited especially if they perform targeted >attacks. "Wasn't me" > >Instead— I'd argue that non-repudiation is always useful when there is >trust. It's things like fidelity bonds— a trust generator that depend >on automatic enforcement— that are only useful with fraud proofs. > >> Anyway, the concept of a per-node identity keypair is the first step >> towards non-repudiation, and implementing SSL transport. > >Yea, indeed, per-node keys are useful for a bunch of things. Care is >needed to avoid problems like deanonymizing use over tor with them. > >------------------------------------------------------------------------------ >Learn Graph Databases - Download FREE O'Reilly Book >"Graph Databases" is the definitive new guide to graph databases and >their applications. This 200-page book is written by three acclaimed >leaders in the field. The early access version is available now. >Download your free book today! http://p.sf.net/sfu/neotech_d2d_may >_______________________________________________ >Bitcoin-development mailing list >Bitcoin-development@lists.sourceforge.net >https://lists.sourceforge.net/lists/listinfo/bitcoin-development