iroha icon indicating copy to clipboard operation
iroha copied to clipboard
verified publisher icon hyperledger

Permissionless accounts: registration-free model

Open s8sato opened this issue 1 year ago • 7 comments

I think the point is the domain membership screening. How should a new account apply for and be allowed to join a domain? In terms of authority, there will be a gap between transferring one's own asset to a new account and registering a new account, especially in "private domain". So as you pointed out, the admission process should be managed by a different authority than the sender of the first transaction that mentioned the account.

One idea is that each domain has its own admission policy as a trigger that "activates" a new account in response to the account creation event. Admission policies may vary from domain to domain e.g.

  • No screening
  • Wait for approval of the domain owner
  • Wait for approvals of m of n domain members

In any case, as I implied, I'm going to create a new issue on this and remove the 2nd commit from this PR

Originally posted by @s8sato in https://github.com/hyperledger/iroha/pull/4411#discussion_r1562173269

s8sato avatar Apr 12 '24 09:04 s8sato

Related discussions so far:

  • https://github.com/hyperledger/iroha/pull/4411#discussion_r1565403959
  • https://github.com/hyperledger/iroha/pull/4411#discussion_r1568375676
  • https://github.com/hyperledger/iroha/pull/4411#discussion_r1575812237

s8sato avatar Apr 24 '24 05:04 s8sato

current implementation policy


struct AccountId(PublicKey)

struct Domain {
    accounts: Map<AccountId, Account>,
    // snip
}

struct Account {
    id: AccountId,
    domain: DomainId,
    // snip
}
  • A provisional account is assigned to default domain
  • Register<Account> is an instruction to change account.domain
  • Unregister<Account> is an instruction to reset account.domain to default

background

It seems unnatural to expect a multihash@domain address before the account is allowed to belong to the domain. multihash address for accounts would be ideal at the moment. However, this implies Map<AccountId, Account> directly under the world. I'm not sure if a single top-level storage can withstand billions of accounts that Iroha ultimately aims for. I'd keep the accounts map under each domain, accept both multihash and multihash@domain input, and convert multihash to multihash@default. A drawback would be that address must include not only ID (multihash) but also domain

s8sato avatar May 20 '24 07:05 s8sato

I'm not sure if a single top-level storage can withstand billions of accounts that Iroha ultimately aims for.

Can't fully agree since when having all accounts in the one place we can better optimize their layout. Also with our current Storage it's more beneficial to have more granular data. Right now update in account imply whole clone of the domain.

A provisional account is assigned to default domain

What about permission interaction of assets and accounts?

Like suppose that we have some domain my_domain, and we have asset my_asset which is only allowed for account in my_domain. We want to transfer this asset to offline account my_account. On transfer my_account would be assigned to default domain and transfer would fail. Do we want to support this case?

Erigara avatar May 20 '24 12:05 Erigara

Indeed, it can be misimplementation to equate the domain membership and the account activation e.g. someone can stash an account to another domain and an admin of the original domain can no longer revoke permission of the account.

Instead, domain (candidate) should be fixed from when the account is provisional. Also, I'll consider shallow storages that maps account ids, in relation to implementing account activation

s8sato avatar May 21 '24 07:05 s8sato

  • retitled to align with the original requirements described in #1594
  • changed implementation policy as described in https://github.com/hyperledger/iroha/pull/4668#issuecomment-2165073957

s8sato avatar Jul 02 '24 06:07 s8sato