-
Notifications
You must be signed in to change notification settings - Fork 210
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Best way to serialize "connect info"? #614
Comments
bech32 encoding would make the QR bigger. An interesting option would be a custom encoding that compatible with alphanumeric QR encoding that only needs ~5.5bit/char. e.g.
vs. |
Ideally, joining a federation should be as simple as scanning and trusting a cryptographic peer id (hash/multihash of a public key) via an out-of-bounds mechanism from a guardian you trust. So the QR code would just need to be the size of the hash function used. Any other configuration data (even connection endpoints) could be fetched (and verified) using the peer id. For example directly from the guardian node (after connection endpoint lookup via a DHT). See my thoughts in #744. |
I also wonder if the real world use of Fedimint would require that at least one guardian approves/peers a member using their "member peer id" as well? I'm not sure many guardians would want the federation they are responsible for to be joinable by anyone who has the "Federation Code" (think of DoS, Sybil attacks, privacy leaks, ...). So eventually the onboarding/peering process needs to be an interactive protocol... |
Just in case there is some confusion, Fedimint isn't a p2p protocol, there are two classes of participants:
Guardians can not join at will. Currently they are a fixed set defined at setup. Eventually there could be a dynamic join mechanism where guardians can add/remove others through a vote. Users on the other hand can join at will but don't have any responsibilities, so it's not too bad if anyone can join. The privacy properties of the federation also make it impossible to enforce any access restrictions. The best we can do is hiding the connect QR code in apps if the federation is closed and only let guardians share the join QR code. |
Sure. But I was wondering if a fedimint federation could inherit some of the robustness properties of a p2p application so that a minority subset of guardians could temporarily leave (unavailable, disconnected) while the remaining guardians can still drive forward consensus due to threshold signatures. And if you employ an authenticated pubsub (Publish/Subscribe) protocol for guardian message exchange, not all guardians need to maintain a stable connection to all other guardians. |
That's exactly the goal 😃 I think we achieve it as long as everyone has a public IP with the current network stack. I just wanted to make sure we are on the same page since "Sybil attacks, privacy leaks" read like you could mean guardians joining at will. |
No, more like random users could cause (high) costs for the federation guardians? Like a lot of unnecessary e-cash transactions to try a denial-of-service against the federation. Or easily figure out which lightning gateways are used by the federation (peg-in and pay ln-invoice). A lot of this stuff can be mitigated if only authenticated users can join. |
Yeah, unfortunately naive implementations of authentication would break privacy. We'd need a scheme that authenticates each request but doesn't allow correlation of different requests of the same user but still allows detecting DoS. That sounds like a really fancy cryptographic scheme if it can exist at all under acceptable trust assumptions (it would certainly weaken privacy which is currently information theoretical, not even an attacker with infinite compute and access to all guardians can break it). |
But this means fedimint would have a hard requirement on Tor or I2P, else that correlation can always be done via IP address of the request. |
Yes, that's tracked in issue #391. |
Currently we use the following JSON encoding to allow clients to "join a federation":
This basically just JSON-encodes the parameters to
WsFederationApi::new()
. Once a client has aWsFederationApi
, it can download configs from all federation servers?What is the optimal way to encode this information?
max_evil
can be derived from the peer count viahbbft::util::max_faulty()
, so that really doesn't need to be included. (could be removed fromWsFederationApi::new()
as well ...0
in[0,"wss://fm-signet.sirion.io:443"]
is just a "peer id" which can also be implied by order of the array.Might be easier to copy/paste if we bech32m-encoded it? Maybe the error-correcting would help, too? But then it's harder to inspect it visually...
The text was updated successfully, but these errors were encountered: