spruceid / kepler

Decentralized storage based on permissioned data overlays called orbits.
https://kepler.xyz
Apache License 2.0
80 stars 14 forks source link

Discuss Orbit Discovery and Management #13

Open wyc opened 3 years ago

wyc commented 3 years ago

Metadata

What data define an orbit? Here are some ideas:

Discovery

How do you find an orbit? Here are some ideas:

Public Orbits - meant to be discovered and and accessed by anyone

Private Orbits - meant to be selectively disclosed

Management

How are orbits administered? TBD

cc @chunningham

chunningham commented 3 years ago

Re: Discovery, I've been thinking something like the following:

does any of this make sense?

chunningham commented 3 years ago

Re: metadata, the auth policy log commitment and admin/host lists are essential to include. A tree hash of contents would allow for explicitly checking consistency between hosts (something IPFS already does but that other storage backends may not (e.g. multiple separate S3 buckets operated by non-cooperative hosts)) so might be a good option, but it would require a much more regular state transition to make that check timely (basically introducing block/confirmation time). given a deletion capability tho it might be essential. A human-readable name might also be useful in the metadata.

wyc commented 3 years ago

@chunningham recording our conversation here for future design sessions.

Potential short-term orbit ID strategy: hash the client PKH concat w/"orbit secret" that the client picks. This could be static for something like tzProfiles, provided by the tzProfile frontend.

Orbit resolution architecture--kind of similar to DIDs. Here's one example of how it could work:

  1. Every change to the Orbit State (latest merkleroot hash, hosts policies (who are the replicators?), content access policy, etc.) is a signed patch/CRDT/delta/etc. The patches can hold some kind of evidence of existence at a point in time, such as a blockhash from Bitcoin, Tezos, Ethereum, etc.
  2. For our orbit type, it starts with a default state that the patches continue upon.
  3. Patch state build with correct patches (signing was authorized correctly and data layer consistent) and the most recent evidence of existence wins.
  4. We can access the list of patches from a KV query with the Orbit ID as the key. This could be public or permissioned depending on use case.
wyc commented 3 years ago

From our discussion, here are the roles for orbits:

Here are rough metadata structures:

Signed object capabilities can contain cryptoscript/ioscript as an unlocking mechanism, not dissimilar from bitcoin's Script. E.g., cryptoscript to allow a download of a JPG for an NFT owner:

FA2Asset -> AssetId -> VPSigner -> Bool
getOwner  -- consumes FA2Asset and AssetId, pushes TezosAddress to stack iff successful
asTezosAddress. -- consumes VPSigner, pushes TezosAddress to stack iff successful
assertEqual  -- consumers TezosAddress and TezosAddress, throws nothing iff successful

This could be embedded in something like a ZCap and the "VPSigner" could be equivalence checked to the NFT asset's owner.

wyc commented 3 years ago

Discovery about orbit discovery: Here is the orbit string:

tz:${INDEX}:did:...
tz:KT1...

The DID included MUST resolve to a DID document with an authentication method using an Ed25519 public key, secp256k1 public key, or P-256 public key. A BLAKE2B (digest-size = 20) hash of that public key is also acceptable. Examples of conforming DID methods include did-tz and did-pkh(:tz). The orbit config lives at the ${INDEX}th smart contract deployed which conforms to the Kepler Orbit TZIP (TBD). If this orbit config does not exist, then there is a default Orbit Config TBD.

If KT1 approach is taken, then the smart contract at that address MUST implement the Kepler Orbit TZIP (TBD).

Open questions