- I can see why some federations might want to limit the user accounts in general, but using account tracking as a way to limit abusable APIs seems like a shortcut that extremely damages the privacy preserving properties of ecash.
- As commented on #1440 (comment), introducing the payment of fees seems to be a solution for 99% of the problems. The idea is very simple: just follow the bitcoin model and introduce a "mempool" where transactions are sorted and processed according to the fee contained in the transaction. But what about people that don't have any cash? This is a problem that could be solved in multiple creative ways. The trivial solution is just to consider a zero fee transaction something valid but that will only be processed if the federation is idle (i.e. the mempool is empty of transactions paying fees). This also allows us to migrate the consensus in a backwards compatible way: older clients that don't understand fees will be paying zero fees and will have their transaction delayed if the federation is very busy, encouraging them to upgrade to a newer client version. Another complementary solution to the above is just to sell invite codes in some to-be-specified protocol. So any client joining the federation will necessarily have some ecash.
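The fee-sorted mempool sketched in the comment above, written out as an added example (this is not Fedimint code and not the commenter's): fee-paying transactions are served highest fee first, and a zero-fee transaction (including one from an older client that sets no fee at all) is only processed once nothing fee-paying is waiting. The `Tx`/`Mempool` names and the msat fee unit are assumptions.

```rust
use std::cmp::Reverse;
use std::collections::{BinaryHeap, VecDeque};

/// A submitted transaction. `fee` is in msat (an assumption); `None` models
/// an older client that does not understand fees and so pays zero.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Tx {
    pub id: u64,
    pub fee: Option<u64>,
}

/// Fee-sorted mempool. Fee-paying transactions sit in a max-heap keyed by
/// (fee, arrival order); zero-fee ones wait in a FIFO that is only drained
/// while no fee-paying transaction is pending, i.e. the federation is idle.
#[derive(Default)]
pub struct Mempool {
    seq: u64,
    paying: BinaryHeap<(u64, Reverse<u64>, u64)>, // (fee, Reverse(seq), id)
    free: VecDeque<Tx>,
}

impl Mempool {
    pub fn submit(&mut self, tx: Tx) {
        self.seq += 1;
        match tx.fee.unwrap_or(0) {
            0 => self.free.push_back(tx),
            fee => self.paying.push((fee, Reverse(self.seq), tx.id)),
        }
    }
    /// Next transaction to process: highest fee first, earliest arrival on
    /// ties, and a zero-fee transaction only once the fee heap is empty.
    pub fn next(&mut self) -> Option<Tx> {
        if let Some((fee, _, id)) = self.paying.pop() {
            return Some(Tx { id, fee: Some(fee) });
        }
        self.free.pop_front()
    }
    /// Idle means no fee-paying work is waiting (zero-fee may still queue).
    pub fn is_idle(&self) -> bool { self.paying.is_empty() }
}

/// Submit everything, then report the order in which ids get processed.
pub fn processing_order(txs: Vec<Tx>) -> Vec<u64> {
    let mut pool = Mempool::default();
    txs.into_iter().for_each(|tx| pool.submit(tx));
    std::iter::from_fn(|| pool.next()).map(|tx| tx.id).collect()
}
```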
- I have a strong preference towards fees (when possible) to solve it instead of something account based or degraded service-like. If something like that were to be introduced, instead of account based, issuing a bulk of blind signed authorization tokens and distributing them one way or another could help. Some reasonable number that normal users won't hit. Or give a variety of them for different purposes. Such as a few 'audit tokens' when you receive a big amount, or a bunch of 'lightning-locked token requests' when you join a federation. And these tokens can be increased as fees are paid to the federation. A rough idea that I don't necessarily endorse, but I'm in the process of adding blinded authorization tokens myself and would suggest something not privacy-damaging being added to federations by way of accounts.
- The biggest problem with fees was that they introduce... well... profit, turning the Federation into a semi-business. In cases where this is possible it solves a lot of problems, sure.
- So there are basically three options then?
- Related discussion #1440
- I posted some thoughts on DoS protection in the original discussion. Accounts kill privacy, so are far from an ideal solution imo. #1440 (comment)
- Multiple problems I've been thinking about, but in particular #4289 recently, are making me think that Federations need pseudonymous user accounts.

  It's just really hard to protect the Federation from abuse if all users are indistinguishable, unaccountable and can be created at will.

  As things are currently, without Tor, normal users can be kind-of identified by their IP addresses anyway, and it doesn't seem to bother anyone all that much.

  After all, ecash notes are unlinkable anyway. Also - given that users can use OOB transfers, not every transaction even needs to go through the mint anyway, and amounts paid can be faked by reissuing extra notes / splitting the remint, etc.

  Guardians would gain the ability to control the number of users and also the ability to keep the Federation private (for friends and family). Account keys could be leaked/shared, but that use would count towards the quota for a given account, so damage would be limited.

  Rate limiting can be done individually per-peer, so it doesn't touch the consensus. A malicious peer could not enforce rate limits, but that can be detected and the malicious peer can be held accountable.

  Federations (peers) could keep quotas for "unregistered" users if they desire. A client would only need to present the registered account signature if the Federation is hitting the limits for unregistered accounts (is possibly being abused or invite-only by choice). If a Federation is abused, the quota would limit the damage while allowing registered users to continue to use the Federation.

  The users could submit txes to one random peer, and honest peers would not keep any association of submitted transactions. So unless peers collude, it would be hard to link all the actions of one account together.

  Accounts could be registered with each guardian individually to avoid touching the consensus at all (better privacy for everyone). For each guardian a client could appear as a different ID altogether for better privacy.

  An invitation to a Federation would contain one time use invitation codes for each peer.

  By tracking accounts the Federation could reliably tell a user if they ever joined a given Federation before, so recoveries would be reliable. Similar with backups - thanks to limiting the number of users these would become somewhat reliable and predictable.
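The per-peer quota scheme from the post above (a shared quota for unregistered requests, with a registered account only required once that quota is hit), as an added example that is not Fedimint code: all state lives in one peer, so nothing touches consensus, and a different peer can run different limits. The account signature check is simplified to a lookup of a registered account id; the type names, the fixed-window limiter and the use of seconds are assumptions.

```rust
use std::collections::HashMap;

/// Fixed-window quota: at most `limit` requests per `window` seconds. Time is
/// passed in explicitly (seconds) so the logic is deterministic and testable.
pub struct Quota { limit: u32, window: u64, window_start: u64, used: u32 }

impl Quota {
    pub fn new(limit: u32, window: u64) -> Self {
        Quota { limit, window, window_start: 0, used: 0 }
    }
    fn try_consume(&mut self, now: u64) -> bool {
        if now >= self.window_start + self.window {
            self.window_start = now;
            self.used = 0;
        }
        if self.used < self.limit { self.used += 1; true } else { false }
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum Decision { Accepted, NeedsAccount, UnknownAccount, AccountExhausted }

/// Per-peer limiter: one shared quota for unregistered requests plus one quota
/// per account registered with this peer. All state is local to the peer, so
/// nothing here touches consensus and each peer may pick its own limits.
pub struct PeerLimiter { pub unregistered: Quota, pub accounts: HashMap<String, Quota> }

impl PeerLimiter {
    /// Registration would be gated by a one-time invite code (not modelled).
    pub fn register(&mut self, account: &str, quota: Quota) {
        self.accounts.insert(account.to_string(), quota);
    }
    /// `account` is the credential the client chose to present, if any. The
    /// signature check is simplified here to a lookup of the account id.
    pub fn submit(&mut self, now: u64, account: Option<&str>) -> Decision {
        let id = match account {
            Some(id) => id,
            // Anonymous path: shared quota first; once it is exhausted the
            // client is told to come back with a registered account.
            None => return if self.unregistered.try_consume(now) { Decision::Accepted } else { Decision::NeedsAccount },
        };
        match self.accounts.get_mut(id) {
            None => Decision::UnknownAccount,
            Some(q) => if q.try_consume(now) { Decision::Accepted } else { Decision::AccountExhausted },
        }
    }
}
```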