[tor-dev] [dappy] Willing to chat with tor devs, about name system issues/solutions

Raphaël Fabre contact at fabco.tech
Sun Mar 27 20:50:25 UTC 2022



1) The purpose of trusting a network company is a replacement for having to trust a unique company, which is basically how the DNS works. You have a .com or .net: you trust Verisign + your registrar + the DNS resolver of your clients. In dappy those three things disappear, and are melted into a dappy network member and the blockchain beneath it.

2) If 33%+ of the companies collude to censor haribo.dappy, haribo.dappy will not be resolved by dappy browser, co-resolution will fail. Dappy does not address all the problems in the world. It addresses some of them, like all DNS attacks, registrar attacks, registry attacks, and also censorship to a certain extent.

3) This is a very good question. Yes they could share a replicated database, dappy could work this way. The very good thing of using blockchain is that you don't have to care about the payment system, it is all integrated. Plus you can integrate web3 and tipping in the web applications very easily as well (dappy network members are simply nodes of the blockchain).

4) I don't know which existing systems you are referring to. There are other DNS on the blockchain projects, they are less focused on the accuracy of resolution, and more on blockchain ownership.

5) Don't know about this thing on bitcoin, I'll check. One thing for sure is that dappy needs a smart contract platform. Things you can do on bitcoin are too limited.

6) It is the co-resolution final operation. "Reconciliation of the answers" is probably more explicit.

7) Phishing is removed through three ways:
- dappy only supports a-z0-9 characters; goögle cannot exist.
- dappy will provide very simple authentication systems similar to webauthn but simpler (passwordless, based on signatures, and domain name scoping).
- a "designated authority" system where you can define a domain name as an authority, and the browser automatically fetches the blacklist/whitelist from this domain name.

8) In the remaining 10% you have a computer / OS being corrupted, the dappy network colluding (though it's not really an attack), or some specular attacks occurring at the same time on 66%+ of the dappy network members.

9) Yes, anonymous, on rchain blockchain (live very soon) rchain.coop. It does not provide the same anonymity level as monero/zcash though.

11) Correct me if wrong please: round-robin is a load-balancing feature, not a resiliency feature. When dappy browser receives 20 A records it is able to do rotation over them. You can have 20 replicates of your website, and if 10 are down, the clients don't see any difference. Do DNS / browsers have something similar?

12) Everything is 100% https / e2e in dappy : the resolution/lookup system as well as the actual browsing with the server.

13) Your browser and the browsers of people that visit your site grarpamp.dappy do not need to trust pathrock network, nor dappy. They must trust that the majority of the dappy network will not collude to perform a spoofing/takedown/censorship on the website. This is mainly it. It is exactly like all blockchains: you don't trust a single node, but a network instead. The goal is to be 10/20/more, not to stay just 3.

14) FABCO is my company, we are part of the dappy network.

15) No one must pay to join, and they are not paid by FABCO to join either. There is nevertheless an economic incentive model for dappy network members to validate (respond to requests, have robust infrastructure). This is a huge problem in the DNS: only rich corporations run free DNS resolvers.

16) It is not part of the GPL/MIT family. Purists will not label it as open source. Dappy browser is just 1 repo out of 8/9, all the rest is MIT. Dappy browser may go MIT someday.

17) Cool that you dive in the code ;) Yes, we are not live yet, the co-resolution right now is centralized. But the code is there.

I'll stop here and reply to the rest another time. Feel free to join the discord as well, this is all very interesting feedback/questions. https://discord.gg/8Cu5UFV

Raphaël


------- Original Message -------

On Thursday, March 24, 2022 at 05:50, <yanmaani at cock.li> wrote:

> Reply inline:
>
> On 2021-12-24 14:38, Raphaël Fabre wrote:
>
> > We are the only name system in the world that does co-resolution,
> > that's the way we found to maintain a consistent name system, and also
> > avoid censorship and phishing.
> >
> > Our system has the following properties:
> >
> > - blockchain-based name system: it simply means that mapping is
> > globally consistent, name management is distributed in the sense that
> > a blockchain handles it, the resolver just connects to this blockchain.
>
> 1) What is the purpose of trusting a "network of independant companies"?
>
> 2) What if these companies collude to censor you?
>
> 3) If you can trust them, why do you need a blockchain? For trusted
> groups, there are much simpler K-of-M systems to just distribute a SQL
> database.
>
> > - Systematic co-resolution (not rotation): lookup requests are always
> > addressed to a network of independent agents: there are many instead
> > of a single one.
>
> 4) How does this compare to existing systems?
>
> 5) By your definition, do other blockchain-based systems fail to support
> "co-resolution"? By my understanding, Electrum for Bitcoin uses a
> similar algorithm, but with better security guarantees.
>
> > And then there is consensus at browser level. This
> > prevents 90% of attacks or attempt of censorship/phishing.
>
> 6) What is "consensus at browser level"?
>
> 7) How can the same system prevent both censorship and phishing?
> Phishing consists in having a domain which is subjectively "wrong" by
> human standards (e.g. "goggle.com" instead of "google.com"), whereas
> censorship consists in blocking a domain that people voluntarily want to
> access. It seems to me that whatever system is used to implement the
> former can also be misused to achieve the latter.
>
> 8) What is meant by "90% of attacks," and what are the remaining 10%?
>
> > - Anonymous registrations
>
> 9) Are these registrations anonymous (e.g. Monero), or merely
> pseudonymous (e.g. Bitcoin)? Are two "anonymous" registrations by the
> same entity linkable?
>
> 10) Is there a mechanism to anonymously obtain the crypto-token used for
> registering the name?
>
> > - Load-balancing of names: you can attach 20 IP addresses to your
> > name, dappy browser will try each one of them until it gets a
> > response.
>
> 11) How does this differ from existing systems, such as the DNS?
>
> > - 100% encrypted/https
>
> 12) Is this a feature of the naming system?
>
> > Censorship cannot happen, neither at the storage location (blockchain)
> > or on-the-fly at resolution time (co-resolution)
>
> I am also curious about the following passages from your website:
>
> Re: "The companies that secure the dappy name system"
> (https://dappy.tech/)
>
> 13) Does this imply that I need to trust "pathrocknetwork" et al to be a
> good, honest, etc service provider? If so, what reason do I have for
> doing so, and what reason does the system have for requiring me to do
> so?
>
> Re: "You don’t need to trust us, the trust is distributed in a network
> of independant companies" (ibid)
>
> 14) One of the companies listed under the previous heading is "FABCO".
> Are they independent?
>
> 15) Do the other two companies receive any financial compensation from
> anyone in consideration of their participation? If so, does this affect
> their impartiality or independence?
>
> Re: "Please read the license file. It is based on Metatask extension
> license and limits commercial/for-profit usage to 5.000 users."
> (https://github.com/fabcotech/dappy)
>
> 16) Is this an open-source license?
>
> Re:
> https://github.com/fabcotech/dappy-lookup/blob/master/src/dappyNetworks.ts
>
> 17) There appears to be only one hardcoded resolver for each network in
> this file. What's going on here?
>
> Re: "This page focuses on the ideas that make dappy different from
> current legacy systems as well as blockchain-based competitors."
> (https://dappy.tech/ideas-and-breakthroughs/)
>
> 18) To which blockchain-based competitors are you comparing? I believe
> that all of these except "CSP at the name system level" have been done
> before by various projects.
>
> Re: "By doing a multi-request instead of a unique client-server request,
> a client is able to read from a public database that he does not have
> locally (the state of a blockchain), without having to trust any single
> entity." (https://fabco.gitbook.io/dappy-spec/glossary/multi-request)
>
> 19) How does this compare to existing solutions, such as Merkle tree
> inclusion checks, which can trustlessly give verifiable answers in a
> single query given the latest block hash?
>
> 20) If all the nodes queried collude to lie, can this be detected?
>
> Re: "Partial token offering, and whitepaper release (January 2022)"
>
> 21) Where can I find the whitepaper?
>
> Re: "The general documentation consists in two document, the protocol
> overview page on dappy.tech that can be seen as a light white paper, and
> the general documentation on gitbook, that is technically more
> concrete."
>
> 22) Where is the protocol overview page?
>
> 23) Where is the concrete documentation on gitbook? The "Dappy protocol"
> page (https://fabco.gitbook.io/dappy-spec/glossary/dappy-protocol)
> says: "The Dappy protocol is right now a very generic term because it
> has not been standardized in any way."
>
> In conclusion, I am very bothered by this, because it is much too vague
> for me to be able to analyze it properly. The provided documentation
> fails to answer the most obvious questions that come to mind:
>
> - Who decides who owns a name?
> - How much does it cost to register a name?
> - Once registered, for how long does it last until you have to renew it?
> - If you own a name, can it be taken from you?
> - Is it possible to change these rules, and if so, by whose consent?
> - How does this compare to previous efforts, in terms of quality of
> implementation and in terms of what trade-offs and design decisions are
> made?
>
> It saddens me, because, from reading your website, it appears as if you
> have a financial incentive in promoting this project ("To fund the
> growth of the team dappy is releasing 20% of the Utility Tokens that
> will govern the platform"). It seems like the existence of such
> incentives would also be a powerful motivator to re-invent wheels, while
> denying that any prior art has ever existed in the past.
>
> This leads to an unfortunate situation where, as Drew DeVault put it
> (https://drewdevault.com/2021/04/26/Cryptocurrency-is-a-disaster.html),
> "developers are no longer trying to convince you to use their software
> because it’s good, but because they think that if they can convince you
> it will make them rich".
>
> The proliferation of such projects reduces overall trust in society,
> with the end result that people stop engaging with new ideas that are
> presented to them, in much the same way as how telemarketing has
> resulted in a decrease in the willingness to answer phone calls from
> strangers.
>
> (This is, of course, only true if the ideas are bad.)
>
> Best,
>
> Yanmaani
>
> P.S.:
>
> > Happy to chat
> >
> > Merry Christmas
> >
> > Raphaël Fabre
>
> Better late than never, but it's unfortunate that the message took so
> long to be delivered. I think it causes problems in terms of maintaining
> a discussion if the delay is months long, but it might just be a problem
> on my end.
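
Added example, not part of either message and not code from dappy-lookup: a sketch of the "reconciliation of the answers" step from points 2, 6, 7 and 8 of the reply, showing why 33%+ of members withholding an answer makes co-resolution fail. The acceptance rule (strictly more than 2/3 of the whole network must agree) is an assumption derived from the "33%+" and "66%+" figures in the reply; the function names, member names and addresses are hypothetical.

```typescript
// Added illustration, not code from dappy-lookup. Assumption: an answer is
// accepted only when strictly more than 2/3 of the whole network agree on it.
type MemberAnswer = { member: string; records: string[] | null }; // null: no reply
type Result = { ok: boolean; records: string[]; agreeing: number; needed: number };

// Point 7: only a-z0-9 is allowed (label given without the ".dappy" suffix here).
function isValidName(name: string): boolean {
  return /^[a-z0-9]+$/.test(name);
}

function reconcile(name: string, answers: MemberAnswer[], networkSize: number): Result {
  const needed = Math.floor((2 * networkSize) / 3) + 1;
  const fail: Result = { ok: false, records: [], agreeing: 0, needed };
  if (!isValidName(name)) return fail;
  const voted: Record<string, boolean> = Object.create(null);
  const tally: Record<string, { records: string[]; count: number }> = Object.create(null);
  for (const a of answers) {
    if (voted[a.member]) continue; // one vote per network member
    voted[a.member] = true;
    if (a.records === null) continue; // silent or refusing member
    const sorted = a.records.slice().sort(); // record order must not matter
    const key = JSON.stringify(sorted);
    const entry = tally[key] || { records: sorted, count: 0 };
    entry.count += 1;
    tally[key] = entry;
  }
  for (const key of Object.keys(tally)) {
    const entry = tally[key];
    if (entry && entry.count >= needed) {
      return { ok: true, records: entry.records, agreeing: entry.count, needed };
    }
  }
  return fail;
}

// Constructed sample: members m1..mN, addresses from documentation ranges.
function sample(honest: number, silent: number, lying: number): MemberAnswer[] {
  const out: MemberAnswer[] = [];
  for (let i = 0; i < honest + silent + lying; i++) {
    const records = i < honest ? ["192.0.2.10", "192.0.2.11"]
      : i < honest + silent ? null : ["203.0.113.66"];
    out.push({ member: "m" + (i + 1), records });
  }
  return out;
}
```

With nine members the threshold is seven, so `reconcile("haribo", sample(6, 3, 0), 9)` fails closed when three members stay silent, while two dissenting members out of nine do not change the accepted records.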

