Memory of trusted checkpoints

[jaekwon]

Proposal: Keep the providers untrusted, but create a separate storage system (to which the Certifier has a ref to) that can be used to store certified checkpoints.

Goal:

• Allow for e.g. Cosmos Hub to check the integrity of AppProofs on previous hashes.
• Consider garbage collection of very old checkpoints

I think we can just create a single TrustedStore struct that takes a go-db DB, with NewTrustedStore() taking arguments for tweaking garbage collection... but maybe there are other solutions.

[ethanfrey]

Very good suggestion. We need to have a clear set of trusted point, and a way to grab the trusted seed closest to a given header, so we can run the verification from there. This is a large and useful expansion of InquiringCertifier.

I also wonder about proving blocks back in time??? Given one valid block, I can always follow the hashes to the previous blocks and now even need to check signatures. This is simple, but requires downloading every header.

Can we use some similar signature algorithm to go back in time?

eg. If I have a known set of validators for height H, and I am presented with a signed header at height H-m, and there is say 80% overlap of the validator sets... is it safe to jump back like that? It would be cool, but I'd love a solid review of the security of this approach by @jaekwon and @ebuchman

[adrianbrink]

An comment that came up on ethermint. https://github.com/tendermint/ethermint/issues/45

[ethanfrey]

Okay, as part of fixing #20 I did the first step here.

We now store the trusted store (properly verified seeds) separately from the seed source (node rpc, import, etc.). However, this is still just written as flat files to the db and not to any go-db source. And I have not yet enabled initializing the certifier from a non-latest seed.

But will work on this more in the next week or two.

[ethanfrey]

Fixed with commit 726cef5