paritytech / polkadot-sdk

The Parity Polkadot Blockchain SDK
https://polkadot.network/

Network Time Security #4219

Open burdges opened 2 months ago

burdges commented 2 months ago

Network Time Security (NTS) should probably replace vanilla NTP. See RFC 8915. We should look over the existing implementations:

We should sample time from multiple sources too, which NTS should support since NTP always did. It's maybe worth looking at exactly how NTP/NTS combines multiple sources too: if they use a median, then that's wonderful. We'll think about it if they do something else.

We need to choose the default list of secure time services too, so Cloudflare, Google, etc., but also some in Europe, Asia, South America, etc.

We know actual decentralized approximate time protocols, which likely make sense eventually, but they could still be attacked if all the validators have their NTP sources biased, so NTS remains important, and NTS alone gets us much of the way there. I'd expect they merely provide sanity checks on NTS in practice.
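The median-based combination raised in the comment above, as an added example that is not from this thread, from polkadot-sdk, or from any NTP/NTS implementation. The names `Sample`, `CombineError`, `median_offset` and `mean_offset`, the quorum parameter, and the offset values are all assumptions constructed for illustration.

```rust
// Added example; names and thresholds are assumptions, not polkadot-sdk code.

/// Clock offset reported by one source, in milliseconds (source minus local),
/// or None when the query failed or the reply did not authenticate.
pub type Sample = Option<i64>;

#[derive(Debug, PartialEq)]
pub enum CombineError {
    /// Fewer usable replies than the required quorum.
    TooFewSources { got: usize, need: usize },
}

/// Median of the usable offsets. Sources biased in one direction must make up
/// at least half of the usable replies before they can drag the result.
pub fn median_offset(samples: &[Sample], min_sources: usize) -> Result<i64, CombineError> {
    let mut ok: Vec<i64> = samples.iter().flatten().copied().collect();
    let need = min_sources.max(1); // never combine zero replies
    if ok.len() < need {
        return Err(CombineError::TooFewSources { got: ok.len(), need });
    }
    ok.sort_unstable();
    let mid = ok.len() / 2;
    // Even count: average the two middle values.
    Ok(if ok.len() % 2 == 1 { ok[mid] } else { (ok[mid - 1] + ok[mid]) / 2 })
}

/// Plain mean, for comparison only: a single biased source shifts it.
pub fn mean_offset(samples: &[Sample]) -> Option<i64> {
    let ok: Vec<i64> = samples.iter().flatten().copied().collect();
    if ok.is_empty() {
        return None;
    }
    Some(ok.iter().sum::<i64>() / ok.len() as i64)
}

fn main() {
    // Constructed replies: three honest sources, two biased by +30 s, one failed.
    let samples = [Some(12), Some(-8), Some(30_000), Some(5), Some(30_000), None];
    println!("median = {:?}", median_offset(&samples, 4));
    println!("mean   = {:?}", mean_offset(&samples));
}
```

With a minority of biased sources the median stays at an honest value while the mean is pulled by seconds; once the biased sources are a majority the median follows them, which is why the choice and diversity of the default source list matters.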

burdges commented 2 months ago

We could likely solve this entirely outside Substrate, just in the choice of recommended Linux distribution, but it's still worth discussing the defaults like who we ask for times, and how they're combined.

burdges commented 2 months ago

Around "decentralized" sanity checks, we know three network strategies by which validators share their times:

Again NTS alone likely suffices for now.

bkchr commented 2 months ago

We could likely solve this entirely outside Substrate, just in the choice of recommended Linux distribution, but it's still worth discussing the defaults like who we ask for times, and how they're combined.

This sounds like something that should be added to the validator guide, so they activate it correctly, etc.

  • Use BABE/Sassafras - Least precise sanity check, but very robust since BABE/Sassafras keep running if GRANDPA fails. Cardano proposed this, and Handan explored something very similar, so likely this suffices.

Yeah, this is something we discussed already way back before genesis of Polkadot, AFAIR.