[tor-dev] [dappy] Willing to chat with tor devs, about name system issues/solutions

yanmaani at cock.li yanmaani at cock.li
Thu Mar 24 04:50:01 UTC 2022


Reply inline:

On 2021-12-24 14:38, Raphaël Fabre wrote:
> We are the only name system in the world that does co-resolution,
> that's the way we found to maintain a consistent name system, and also
> avoid censorship and phishing.
> 
> Our system has the following properties:
> 
> - blockchain-based name system: it simply means that mapping is
> globally consistent, name management is distributed in the sense that
> a blockchain handles it, the resolver just connects to this blockchain.

1) What is the purpose of trusting a "network of independant companies"?
2) What if these companies collude to censor you?
3) If you can trust them, why do you need a blockchain? For trusted 
groups, there's much simpler K-of-M systems to just distribute a SQL 
database.

> - Systematic co-resolution (not rotation): lookup requests are always
> addressed to a network of independent agents: there are many instead
> of a single one.

4) How does this compare to existing systems?
5) By your definition, do other blockchain-based systems fail to support 
"co-resolution"? By my understanding, Electrum for Bitcoin uses a 
similar algorithm, but with better security guarantees.

> And then there is consensus at browser level. This
> prevents 90% of attacks or attempts at censorship/phishing.

6) What is "consensus at browser level"?
7) How can the same system prevent both censorship and phishing? 
Phishing consists in having a domain which is subjectively "wrong" by 
human standards (e.g. "goggle.com" instead of "google.com"), whereas 
censorship consists in blocking a domain that people voluntarily want to 
access. It seems to me that whatever system is used to implement the 
former can also be misused to achieve the latter.
8) What is meant by "90% of attacks," and what are the remaining 10%?

> - Anonymous registrations

9) Are these registrations anonymous (e.g. Monero), or merely 
pseudonymous (e.g. Bitcoin)? Are two "anonymous" registrations by the 
same entity linkable?
10) Is there a mechanism to anonymously obtain the crypto-token used for 
registering the name?

> - Load-balancing of names: you can attach 20 IP addresses to your
> name, dappy browser will try each one of them until it gets a
> response.

11) How does this differ from existing systems, such as the DNS?

> - 100% encrypted/https

12) Is this a feature of the naming system?

> Censorship cannot happen, either at the storage location (blockchain)
> or on-the-fly at resolution time (co-resolution)

I am also curious about the following passages from your website:

Re: "The companies that secure the dappy name system" 
(<https://dappy.tech/>)

13) Does this imply that I need to trust "pathrocknetwork" et al to be a 
good, honest, etc service provider? If so, what reason do I have for 
doing so, and what reason does the system have for requiring me to do 
so?

Re: "You don’t need to trust us, the trust is distributed in a network 
of independant companies" (ibid)

14) One of the companies listed under the previous heading is "FABCO". 
Are they independent?
15) Do the other two companies receive any financial compensation from 
anyone in consideration of their participation? If so, does this affect 
their impartiality or independence?

Re: "Please read the license file. It is based on Metatask extension 
license and limits commercial/for-profit usage to 5.000 users." 
(<https://github.com/fabcotech/dappy>)

16) Is this an open-source license?

Re: 
https://github.com/fabcotech/dappy-lookup/blob/master/src/dappyNetworks.ts

17) There appears to be only one hardcoded resolver for each network in 
this file. What's going on here?

Re: "This page focuses on the ideas that make dappy different from 
current legacy systems as well as blockchain-based competitors." 
(<https://dappy.tech/ideas-and-breakthroughs/>)

18) To which blockchain-based competitors are you comparing? I believe 
that all of these except "CSP at the name system level" have been done 
before by various projects.

Re: "By doing a multi-request instead of a unique client-server request, 
a client is able to read from a public database that he does not have 
locally (the state of a blockchain), without having to trust any single 
entity." (<https://fabco.gitbook.io/dappy-spec/glossary/multi-request>)

19) How does this compare to existing solutions, such as Merkle tree 
inclusion checks, which can trustlessly give verifiable answers in a 
single query given the latest block hash?
20) If all the nodes queried collude to lie, can this be detected?

Re: "Partial token offering, and whitepaper release (January 2022)"

21) Where can I find the whitepaper?

Re: "The general documentation consists in two document, the protocol 
overview page on dappy.tech that can be seen as a light white paper, and 
the general documentation on gitbook, that is technically more 
concrete."

22) Where is the protocol overview page?
23) Where is the concrete documentation on gitbook? The "Dappy protocol" 
page (<https://fabco.gitbook.io/dappy-spec/glossary/dappy-protocol>) 
says: "The Dappy protocol is right now a very generic term because it 
has not been standardized in any way."

In conclusion, I am very bothered by this, because it is much too vague 
for me to be able to analyze it properly. The provided documentation 
fails to answer the most obvious questions that come to mind:

- Who decides who owns a name?
- How much does it cost to register a name?
- Once registered, for how long does it last until you have to renew it?
- If you own a name, can it be taken from you?
- Is it possible to change these rules, and if so, by whose consent?
- How does this compare to previous efforts, in terms of quality of 
implementation and in terms of what trade-offs and design decisions are 
made?

It saddens me, because, from reading your website, it appears as if you 
have a financial incentive in promoting this project ("To fund the 
growth of the team dappy is releasing 20% of the Utility Tokens that 
will govern the platform"). It seems like the existence of such 
incentives would also be a powerful motivator to re-invent wheels, while 
denying that any prior art has ever existed in the past.

This leads to an unfortunate situation where, as Drew DeVault put it 
(<https://drewdevault.com/2021/04/26/Cryptocurrency-is-a-disaster.html>), 
"developers are no longer trying to convince you to use their software 
because it’s good, but because they think that if they can convince you 
it will make them rich".

The proliferation of such projects reduces overall trust in society, 
with the end result that people stop engaging with new ideas that are 
presented to them, in much the same way as how telemarketing has 
resulted in a decrease in the willingness to answer phone calls from 
strangers.

(This is, of course, only true if the ideas are bad.)

Best,
Yanmaani

P.S.:
> Happy to chat
> Merry Christmas
> 
> Raphaël Fabre

Better late than never, but it's unfortunate that the message took so 
long to be delivered. I think it causes problems in terms of maintaining 
a discussion if the delay is months long, but it might just be a problem 
on my end.
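
Added example, not part of the original message and not dappy's code: a sketch of the contrast behind questions 19 and 20, comparing threshold agreement across several resolvers with a Merkle inclusion proof checked against a root hash the client already trusts. The record names, addresses, threshold and function names are assumptions made for illustration.

```python
import hashlib
from collections import Counter

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(name: str, value: str) -> bytes:
    # Distinct prefixes keep a leaf from being reinterpreted as an inner node.
    return _h(b"\x00" + name.encode() + b"\x00" + value.encode())

def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)

def build_levels(leaves):
    """Return every tree level, leaves first; an unpaired node moves up unchanged."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([node_hash(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def prove(levels, index):
    """Sibling path for leaf `index` as (hash, sibling_is_left) pairs."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append((level[sibling], sibling < index))
        index //= 2
    return proof

def verify_inclusion(root, name, value, proof):
    """One untrusted answer checked against a root the client already trusts."""
    acc = leaf_hash(name, value)
    for sibling, is_left in proof:
        acc = node_hash(sibling, acc) if is_left else node_hash(acc, sibling)
    return acc == root

def co_resolve(answers, threshold):
    """Multi-request: accept the value at least `threshold` resolvers agree on."""
    if not answers:
        return None
    value, count = Counter(answers).most_common(1)[0]
    return value if count >= threshold else None

# Constructed sample data (documentation IP ranges); not real dappy records.
RECORDS = [("alpha", "192.0.2.10"), ("bravo", "192.0.2.20"), ("charlie", "192.0.2.30")]
LEVELS = build_levels([leaf_hash(n, v) for n, v in RECORDS])
TRUSTED_ROOT = LEVELS[-1][0]  # assumption: taken from a block header the client trusts
FORGED = "203.0.113.66"
```

With these inputs, a single dishonest resolver is outvoted, but three resolvers returning `FORGED` pass `co_resolve` unnoticed, while `verify_inclusion` rejects `FORGED` no matter how many resolvers repeat it. The inclusion check moves the trust question to how the client obtained the root.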

