namecoin / namecoin.org

Namecoin.org website in Jekyll -- send PR's to beta branch, then merge into master and gh-pages
https://www.namecoin.org/

Namecoin FAQs update request #131

Open muneeb-ali opened 7 years ago

muneeb-ali commented 7 years ago

First of all, thanks for all your work maintaining Namecoin - it looks like the project is improving a lot and you guys successfully moved over to Namecoin Core.

I’m commenting because we’ve recently been getting questions about the FAQ page on Namecoin.org from our open-source community and, after answering these questions several times, we feel that it’s important to engage with the Namecoin community and update some content on the Namecoin website.

It seems like you’re not following Blockstack that closely and are in the process of updating the DHT comparison (as Blockstack doesn’t use a DHT). Below are some other points that are listed in the FAQs that should be addressed:

1. Consensus codebase: Completely new codebase.

Blockstack’s codebase is not completely new. The project went into production in March 2014, and many improvements and bug fixes have gone into the codebase (while 70,000+ users used the system). Blockstack also has a bug bounty program, and we have on-going security audits. It’d be really cool if Namecoin developers can do code audits and submit any issues through our bug bounty program!

2. Do the developers run services that hold users’ private keys?

The Onename app was meant to make the (initial) name registrations smoother. However, Onename is on its way out, to be replaced by a graphical registrar that lives completely client-side. Since 2015, all development focus has been on the CLI and Portal (the GUI), both of which have local wallets.

Private keys on Onename are encrypted with a password only the user has. So Onename doesn’t technically hold private keys, just encrypted blobs that are useless without the users’ passwords. In comparison, Coinbase actually holds private keys. Exchanges can send bitcoin without the user's permission. This is not the case for Onename. Further, users can transfer their names out of Onename to a local wallet, once registered. We’re pushing everyone towards local wallets!

3. Funded by an investor who has endorsed cryptographic backdoors and who considers ROT13 to be a “serious” and “intriguing” security mechanism.

Fred Wilson (the man quoted here) is actually not a direct investor and is not involved with the company in any official capacity. Albert Wenger represents the USV fund, and he has been very supportive of an open internet. It’s also a diverse group of investors, including Naval Ravikant, Lux Capital, DCG, and others---and they’re very supportive of decentralization in general.

Ultimately, we are happy to be compared with projects like Namecoin and others. We just respectfully request that the information on Blockstack is presented fairly and objectively. We would happily honor any such request as well :-)

It was great seeing Jeremy at the Decentralized Web event in SF and hope to cross paths again soon!

JeremyRand commented 7 years ago


Hi Muneeb,

I'm preoccupied with some other (unrelated to Namecoin) stuff this afternoon/evening, so don't have the ability to evaluate the requested changes right now, but I'll look into this ASAP. Thanks for the feedback!


muneeb-ali commented 7 years ago

Thanks for the quick response! And take your time. We just found ourselves repeating answers to these questions in our Slack so thought that it might make sense to reach out.

JeremyRand commented 7 years ago


Hi Muneeb,

Apologies for the delay in replying. I've looked at your feedback, here are my replies.

> It seems like [you’re not following Blockstack](https://www.reddit.com/r/Namecoin/comments/63mjhn/error_in_the_namecoin_faq/?st=j16jriav&sh=bf3dda2a) that closely and are in the process of updating the DHT comparison (as Blockstack doesn’t use a DHT).

I have no objection to updating the FAQ to remove the mention of Blockstack's (now former) use of a DHT.

> 1. Consensus codebase: Completely new codebase.
>
> Blockstack’s codebase is not completely new. The project went into production in March 2014, and many improvements and bug fixes have gone into the codebase (while 70,000+ users used the system). Blockstack also has a bug bounty program, and we have on-going security audits. It’d be really cool if Namecoin developers can do code audits and submit any issues through our bug bounty program!

AFAIK, the intended meaning of that statement is that Blockstack isn't forked from a pre-existing project (like Namecoin is from Bitcoin), and that as a result Blockstack developers are responsible for all (or nearly all) of the Blockstack codebase, whereas Namecoin developers are only responsible for the changes that Namecoin makes from Bitcoin (Bitcoin developers are responsible for the rest of the codebase). I see your point that the word "new" might be misinterpreted to mean in the temporal sense; I have no objection to revising it to make this less ambiguous.

> 2. Do the developers run services that hold users’ private keys?
>
> The Onename app was meant to make the (initial) name registrations smoother. However, Onename is on its way out, to be replaced by a graphical registrar that lives completely client-side. Since 2015, all development focus has been on the CLI and Portal (the GUI), both of which have local wallets.

I don't claim to be an expert on motivation for the use of Onename, but I was always under the loose impression that Onename made a profit, and that profit was one of the motivations to run Onename. In any event, that's great to hear that Onename is deprecated; I'm happy to revisit this issue once Onename is decommissioned.

> Private keys on Onename are encrypted with a password only the user has. So Onename doesn’t technically hold private keys, just encrypted blobs that are useless without the users’ passwords. In comparison, Coinbase actually holds private keys. Exchanges can send bitcoin without the user's permission. This is not the case for Onename. Further, users can transfer their names out of Onename to a local wallet, once registered. We’re pushing everyone towards local wallets!

This sounds like a similar threat model to what is often incorrectly called "zero-knowledge web services". (I strongly dislike the term I just quoted, since "zero-knowledge" has a very different meaning to cryptography people, but I mention the term here since the term has metastasized to large parts of the Internet.)

Services with this threat model are mildly more secure than services that store unencrypted private keys on the server, but are nowhere near as secure as locally installed software. I have no objection to revising the wording to make this more clear.

For the record, Monero offers a similar application (MyMonero). If MyMonero is ever extended to support MoneroDNS (which we have a comparison to on our FAQ), I would support a similar comparison for that section as what we list for Blockstack. (Even though Namecoin regularly collaborates with Monero.)

> 3. Funded by an investor who has endorsed cryptographic backdoors and who considers ROT13 to be a “serious” and “intriguing” security mechanism.
>
> Fred Wilson (the man quoted here) is actually not a direct investor and is not involved with the company in any official capacity.

I just Startpaged for "fred wilson onename" and found the following links in the top 10 results, which seem to describe him as an investor:

https://web.archive.org/web/20160422144543/https://avc.com/2014/11/feature-friday-distributed-identity/

https://web.archive.org/web/20170418092648/https://bitcoinmagazine.com/articles/onename-launches-blockchain-identity-product-passcard-1431548450/

https://web.archive.org/web/20170222085144/https://www.recode.net/2015/7/5/11564092/fred-wilson-the-next-reddit-will-likely-be-built-on-the-bitcoin

https://web.archive.org/web/20161109181856/https://blogs.wsj.com/moneybeat/2014/12/02/bitbeat-blockchain-based-id-app-reimagines-internet-identity/

https://web.archive.org/web/20160820105611/http://www.coindesk.com/fred-wilson-blockchain-applications-still-biggest-opportunity-bitcoin/

It's not clear to me what you mean by "direct investor" and whether the adjective "direct" has a specific semantic significance (I admit that the world of investing is not a field I follow at all). That said, while I'm aware that journalists regularly get things very wrong, if Fred is not an investor in Blockstack, it would certainly appear that there is a concerted media campaign (including by Fred himself) to make people think that he is. It is unclear to me what exactly the motivation for such a concerted misinformation campaign would be.

> Albert Wenger represents the USV fund, and he has been [very supportive](http://continuations.com/post/26345602836/declaration-of-internet-freedom) of an open internet.

I just checked the link to Fred's endorsement of backdoors that we currently cite. That specific article by Fred links to a previous article by Albert, which also endorses cryptographic backdoors. That article by Albert is at:

https://web.archive.org/web/20160318165939/http://continuations.com:80/post/139510663785/key-based-device-unlocking-questionidea-re-apple

> It’s also a diverse group of investors, including Naval Ravikant, Lux Capital, DCG, and others---and they’re very supportive of decentralization in general.

I'm aware that Digital Currency Group is also an investor of Chainalysis, which is a company that profits from violating people's privacy on behalf of repressive governments.

Given the above, I'm NACKing any request to remove the mention of Fred's endorsement of backdoors, but I will look into adding a mention of Albert and Digital Currency Group as well. Thank you for bringing their involvement to our attention.

> Ultimately, we are happy to be compared with projects like Namecoin and others. We just respectfully request that the information on Blockstack is presented fairly and objectively. We would happily honor any such request as well :-)

Agreed. Note that, as a matter of policy, I don't have unilateral control of the Namecoin website, so I can't push changes without asking other developers to look at them. I will ping some other Namecoin developers and ask them to take a look at this thread, so that we can get the needed changes made.

> It was great seeing Jeremy at the Decentralized Web event in SF and hope to cross paths again soon!

Definitely -- I'm looking forward to the next DWS, whenever it happens.

Cheers!


brandonrobertz commented 7 years ago

> It seems like you’re not following Blockstack that closely and are in the process of updating the DHT comparison (as Blockstack doesn’t use a DHT).

There also appears to be some confusion about what exactly "Atlas" is. Further, all the Blockstack whitepapers either say DHT or give a vague notion of off-chain "storage".

Overall, I don't support a drastic rewrite of the page as I consider it to still be mostly correct given Blockstack's whitepapers and documentation. There's a lot of "on its way out" and "technically" in @muneeb-ali's post. I don't feel comfortable removing warnings about wallets, for example, without some kind of documentation supporting it and an announcement clearly stating that you no longer have access to users' privkeys. The same goes for the rest.

muneeb-ali commented 7 years ago

@JeremyRand wrote:

> I see your point that the word "new" might be misinterpreted to mean in the temporal sense; I have no objection to revising it to make this less ambiguous.

Thanks, looking forward to the new wording.

@JeremyRand wrote:

> In any event, that's great to hear that Onename is deprecated; I'm happy to revisit this issue once Onename is decommissioned.

We'll update you when new registrations are stopped on the Onename app and all existing/new users are directed to the desktop client.

@JeremyRand wrote:

> It's not clear to me what you mean by "direct investor" and whether the adjective "direct" has a specific semantic significance (I admit that the world of investing is not a field I follow at all).

Fred is a partner at a fund, Union Square Ventures, along with 5 other partners. USV is an investor. Albert is the point-person who represents USV (not Fred). Also, there is a long list of investors (50+) that includes individuals and VC funds. Picking on 1-2 specific investors seems odd to me, especially when the investors have no direct say in the direction Blockstack takes. I'll let you guys decide what is fair. The impression that you're currently giving is that "this 1 investor is behind Blockstack and he supports backdoors, so Blockstack can have backdoors". This is nowhere close to reality. You should list all 50+ investors and also specifically list what control they have over the project (they have zero control given how the investment is structured).

@JeremyRand wrote:

> Note that, as a matter of policy, I don't have unilateral control of the Namecoin website, so I can't push changes without asking other developers to look at them.

Yes, absolutely. You should get feedback from everyone. I'm actually glad that this discussion publicly exists now because, even if you don't push changes to your website, people can discover this thread and, after reading the details, make up their own mind about how accurate the descriptions on the Namecoin FAQ are.

@brandonrobertz wrote:

> There also appears to be some confusion about what exactly "Atlas" is. Further, all the Blockstack whitepapers either say DHT or give a vague notion of off-chain "storage".

We don't have whitepapers (yet). There are research papers that were peer-reviewed and published at CS conferences. They get archived and we can no longer update them. If there was a whitepaper we would be able to update it and post a new version. We announced the Atlas network and deprecated the DHT in the v0.14 release which is the latest stable release and public knowledge.

I think I've pretty much listed all arguments I wanted to list and don't have much else to add. I'll let you guys decide what changes to accept and what to reject. I'm sure you'll make the fair calls.

Thanks for your time and for taking a look. Really appreciate it and hope to meet in person again soon.

JeremyRand commented 7 years ago


Noting that I haven't forgotten about this ticket, just been preoccupied with some non-Namecoin stuff the past week that has limited my time to deal with this ticket. Hoping to get back to this soon.


JeremyRand commented 7 years ago


Noting for the record that Onename's documentation pretty clearly implies that the keys are held by the Onename server during the registration process and that the name is only transferred to user-controlled keys after the Blockstack registration is completed by Onename. @muneeb-ali, is that accurate?
