TBD54566975 / dap

Decentralized Agnostic Paytag
12 stars 3 forks source link

Making DAPs more Decentralized #44

Open decentralgabe opened 1 month ago

decentralgabe commented 1 month ago

I want to start by saying I'm a supporter of DAPs. Naming has been a problem in the payments, crypto, and decentralized identity community for a while. For DAPs to succeed, and differentiate themselves from prior solutions, they need to be decentralized--this isn't controversial since it's in the name. I believe that DAPs don't live up to their name today. This is OK, it's early days 😄.

That said -- with this issue I aim to outline a number of issues and corresponding recommendations to align the DAP spec more closely with principles of decentralization, making it more resilient, and secure. This list is not exhaustive, but it should be a good starting place for analyzing the decentralizedness of DAPs.

In no particular order of importance...

1. Multi-Registry Redundancy

The current single-registry model introduces a central point of failure, and centralization risk--decentralization is a measure of how many people can tell you "no." With the current design that answer is "one organization."

Recommendation:
Register DAPs across multiple redundant registries from different providers. For example, @name/test.app could be replicated across @name/terst.app, @name/toost.app with consistent values.

Considerations:

Multi-registry redundancy provides resilience against failures or censorship risk, reduces lock-in, and improves portability. DAPs without redundancy cannot be considered decentralized.

2. Decentralized Root Registry

There's a need for a robust, decentralized registry mechanism that doesn't rely solely on centralized systems like businesses (Cash App) or domain registrars (DNS).

Recommendation:
Implement a decentralized "root" registry using one of the following approaches:

  1. Distributed Hash Table (DHT) with a reputation system based on verifiable hashes (similar to this)
  2. Blockchain-based solution (i.e. integration with ENS, Handshake, or other similar naming initiatives)

The root registry would serve as the authoritative source for a user's identity, with other registries acting as pointers or replicas. A decentralized root registry = an authoritative source of truth without relying solely on centralized providers.

3. Single DAP as the Default Model

The current design may lead to users having multiple DAPs when interacting with different providers, potentially causing fragmentation and undermine the purpose of a unified, self-sovereign identity that's human-friendly (see https://github.com/TBD54566975/dap/issues/39).

Recommendation:
Promote a model where users maintain a single primary DAP that points to multiple payment addresses. While supporting multiple DAPs for specific use cases (privacy, personas), the default should be "one true identity" for payments.

A single, primary DAP per user simplifies the user experience, strengthens the concept of a unified digital identity for payments, and aligns with SSI principles. Users can maintain a consistent identity across multiple services without the need for multiple DAPs == a selling point.

4. DNS Agnosticism

The @local-handle/domain structure implies a reliance on traditional DNS, introducing centralization risks. DNS-based systems are vulnerable to control and censorship issues.

Recommendation:
Make the DAP system completely agnostic to DNS, capable of accommodating multiple name resolution systems such as GNS, ENS, Handshake, or others. Providing a base level of decentralization is important.

The 'default' can still be DNS based, and coupled with the other aforementioned proposals, is less of an issue. For those wishing to avoid replication, they can go direct to an avenue they already view as sufficient for their needs (like existing ENS or UMA).

5. Integrity Protection for DAP Records

Relying on any single provider for hosting the DAP introduces risks of tampering or malicious redirection. Current DID signatures alone are not sufficient to guarantee that the DAP has not been tampered with.

Recommendation:
Implement robust integrity protection mechanisms:

Strong integrity protection ensures that DAP records remain tamper-evident and verifiable, crucial for maintaining trust in the system.

6. Decentralized DID Methods

The use of did:web introduces unnecessary centralization and vulnerability to domain control or censorship (there are a ton of articles and real-world examples about the risks of relying solely on domain names, if you need sources let me know).

Recommendation:
Prioritize more decentralized DID methods such as did:dht, did:jwk, or even an enhanced did:web-type method like did:tdw. Add explicit language about choice/tradeoffs in DID method.

Using decentralized DID methods reduces dependencies on centralized infrastructure and aligns better with the overall goals of a decentralized system. Having multiple centralization points introduces signifacntly more room for failure (a central registry on top of a did:web, for example).

7. Data Authentication in Services

Data pointed to by a DAP must be authenticated to prevent tampering and malicious modifications.

Recommendation:
Implement auth and verification mechanisms for all data within the DAP ecosystem:

Verifiability as a base construct can ensure that data stored in services remains tamper-evident and trusted.

8. Simplify Data Representation

The use of JSON Canonicalization Scheme (JCS) adds unnecessary complexity and can lead to security issues.

Canonicalization introduces unnecessary complexity, risks, and performance hits. Deterministic encoding methods like CBOR offer simpler, more secure/efficient solutions for ensuring data consistency without transformations.

When we don't require full serialization, simpler approaches like predefined sorting rules or hash-then-sign methods can achieve necessary consistency without canonicalization's drawbacks.

Replace JCS with simpler and more efficient solutions:

Final Thoughts

Looking forward to discussing and hearing what you think 😄 .

aparkersquare commented 1 month ago

Lots of food for thought there, thanks for raising this @decentralgabe . Your points in items 1-4 have been on my mind for a while (I don't know enough about DIDs and web5 to comment on the later items).

When implementing DAPs for our hack week, having the resolution of a DAP be bound to a did:web made implementing the DAP resolution process easy, and hosting the DAP registry easy. But it was obvious that it is tightly dependent on DNS, and this part of DAPs isn't really "Distributed".

It occurred to me today that a DAP is currently defined as @handle/domain, and the domain is what couples it to DNS.

I think what we really want is the DAP to be defined as @handle/registry, where the registry can be resolved in a truly distributed/trustless way (decoupling it from DNS). The registry would also need to be implemented in a distrubuted/trustless way (otherwise individual registries would be susceptible to attack/denial), although the specific mechanism of the registry resolution and the registry implementation could potentially be different.

I think this relates directly to your point 4, so for me this seems like the key. I wonder though if the registry resolution and registry implementation are implemented in truly distributed ways, would we need cross-registry replication (points 1 and 2), which open up all sorts of issues (e.g. what if the registries have conflicting information?)?

I don't have much experience in this area at all, so this strikes me as a pretty difficult problem. Take resolving the registry. Is there any protocol that provides globally unique, human-readable "naming" that isn't centralized?

nostr comes to my mind, although in nostr the npub is the globally unique name and is not really human-readable. The human-readable (or "human-verifiable") part is (currently?) provided by NIP-05 which is tied back to DNS/web, so it isn't solving exactly the same thing (that I know of).

I started searching for more information on this problem, and I also came across ENS and handshake, which hadn't registered in my brain as I ready your post, but as I was looking back over your point 4 I noticed you had mentioned them.

Handshake sounds to me (after a very brief initial investigation) to be a potential match for the problem we're trying to solve, it being intended to decentralize DNS itself.

decentralgabe commented 4 weeks ago

I appreciate the thoughtful reply @aparkersquare. I don't have enough time right now to address all of your points, but I do want to respond to...

I wonder though if the registry resolution and registry implementation are implemented in truly distributed ways, would we need cross-registry replication (points 1 and 2), which open up all sorts of issues (e.g. what if the registries have conflicting information?)?

I don't have much experience in this area at all, so this strikes me as a pretty difficult problem.

google has an interesting project that I've wanted to make use of for a while that could help us address this -- https://github.com/google/trillian

the project is part of a larger concept (Certificate Transpraency - website is pretty good)

Take resolving the registry. Is there any protocol that provides globally unique, human-readable "naming" that isn't centralized?

the best we can do would be a federation, which is better than someone trying to create a new unique name-spacing system (which works as long as you use their system, of course). federations are fine because the decentralized options I've seen aren't really decentralized at all.