- From: David Schwartz <davidjoelschwartz@gmail.com>
- Date: Sat, 16 Nov 2013 15:08:04 -0800
- To: public-webpayments@w3.org
- Message-ID: <CAFqPj4N2LB9F2N5BMhdmd9bcCZG6tp3GEiAdde5uQghauNH=wg@mail.gmail.com>
Andrew Miller <amiller@cs.umd.edu<amiller@cs.umd.edu?Subject=Re%3A%20Ripple&In-Reply-To=%3CCAF7tpEz_WSvJ_DoD9qRyxd%2BYt0nELFqW6WjuettMKVY12WO6BA%40mail.gmail.com%3E&References=%3CCAF7tpEz_WSvJ_DoD9qRyxd%2BYt0nELFqW6WjuettMKVY12WO6BA%40mail.gmail.com%3E>> wrote: 3. Ripple, on the other hand, takes yet another approach. There's no > global administrator, but nor is there a well-understood public > competition. Instead, individual users are supposed to configure their > clients to identify particular servers they have determined they > trust. Here's where it gets really murky, and I can't figure out any > set of assumptions that actually lead to robust functioning of the > network. What if users entirely disagree with which servers they > trust? Are they on two different networks or the same one? If an > individual doesn't do their due diligence, and carelessly approves bad > servers, are they individually affected or does it affect the overall > network? I really wish more people were looking into this rather than > ignoring it, because I suspect it's not sound (although I haven't come > up with a super clear explanation why not), and if the underlying > assumptions aren't sound then does it matter if the frontend UI is > great? > Users can entirely disagree on which servers they trust. That won't put them on two different networks unless there is no indirect overlap. One user, for example, could choose only to trust Bitstamp if they want. And another user can choose only to trust Ripple Labs. If you assume both Bitstamp and Ripple Labs are competently administered, they will always agree with other, and thus the two users will always agree with each other as well. (Not that I'm suggesting anyone do this. I'm just showing that direct overlap is not required. The majority of entities you trust just need to be competent.) If a server operator chooses bad servers, they negatively impact themselves and anyone who has decided to trust them. But so long as you don't have a supermajority of conspiring or broken servers on your trust list, the worst thing that will happen is that you will deny yourself service. > Unfortunately the only set of assumptions I can think of that lead to > this actually working is where every one essentially picks the same > default list, and the servers on that list are actually trustworthy. > This is the "centralized" option, where the default list determines > who participates, and no user has any incentive to deviate from the > default list, either by adding some newcomer they individually trust > or by removing default servers they don't trust. Everyone using the same list obviously works just fine. However, surprisingly little overlap is needed and the network is still robust. For example, we simulated with 1,000 validators, each picking 32 of the other nodes randomly to use as a trust list. There were no problems whatsoever. We then tried with each picking 12 other nodes randomly. Again, no problems whatsoever. All these topologies result in everyone trying to come to an agreement with everyone else. The algorithm is surprisingly robust. One key reason is that if there's absolutely no reason a transaction shouldn't be included in the consensus set, every honest validator will choose to include it. If there's any reason it shouldn't be included, then there's no harm in excluding it, since every honest validator will just vote it into the next consensus set anyway. So you can opt to exclude transactions with a very low threshold to preserve agreement. Every server operator values correctness as the highest priority. Money must not be teleported from one account to another. Transactions must be properly signed. But given that, every legitimate server and server operator values agreement as the next highest priority. Our plan is to get a few organizations to choose validators using an open process with clearly defined criteria. The server software will ship, by default, with several of those organizations configured. It will pull their current list, impose local policy (to ensure variation in jurisdiction, organization type, and the like) and choose validators with a probability based on, among other things, how many of those lists include them. This will ensure human decision making is involved, the process remains open, new participants can get in, and there are no central authorities. (Just organizations people choose to trust to save themselves effort so long as the decision continues to make sense). See https://ripple.com/forum/viewtopic.php?f=1&t=3881&p=19414#p19420 David Schwartz
Received on Sunday, 17 November 2013 13:51:30 UTC