Just because you dont see a bunch of people defending wenzel on the forums, doesnt mean many people dont agree with his position on some of these matters. Most just dont want to get involved in the drama and trolling in the forums.

Nevertheless you guys will contine to troll anyone who disagrees with anything your boss says. Carry on

@bjoernek I fully support posing these questions to node providers.

I couldn’t say it better than @Gian has in his response, especially the following:

Dear all,

Many thanks for all the valuable feedback provided both here in the forum and in the last Node Provider Working Group on Monday April 14th !

Based on your feedback, we have updated the question list for assessing node provider independence, which is provided below. Additionally, we are including the complete, revised node provider self-declaration form, now enhanced with a clause on lawful sources of funds and wealth, following legal advice.

Please review the updated materials and share any additional thoughts. In parallel, we are consulting with audit firms on the questions and review process.

Detailed Comments on Changes:

• We have clarified the distinction between public and private parts of answers as requested.
• Question Q5 on Overlap of Financing has been updated to make it clear that an overlap is only relevant if the financing is provided by another node provider.
• Based on community feedback, we introduced a new question, “Q6: Other Relationships.” Unlike questions Q1-Q5, the disclosures from Q6 will not automatically result in clustering. This question is intended to enhance transparency by allowing node providers to disclose other relationships not covered by the previous questions.

Looking forward to your comments!

—-------------

Extended Node Provider Self-Declaration

Introduction (New)

The Network Nervous System (NNS) is committed to the principles of decentralization to enhance the overall security and reliability of the ICP network. Moreover, node machines must not be funded or controlled by criminal entities, as these critical infrastructure components form the foundation upon which the integrity of the entire ecosystem depends. To achieve these goals, comprehensive disclosures from node providers are required. In particular, node providers are required to

• Confirm their identity
• Commit to providing the required hardware and honest operations, as specified in the IC Network guidelines.
• Confirm lawful source of funds and source of wealth.
• Assess potential overlaps with other node providers.

As part of the governance structure, the Network Nervous System may vote to:

• Remove node providers that violate these principles or provide untruthful responses.
• Appoint legal representation to pursue such node providers.

Identity and Compliance Declarations

• (A) Statement of Identity (as current)
  • Please provide the following detailed information about your entity:
    • Entity Name
    • Representative Name
    • Position within Entity
    • Entity Address and Location
    • Country (which should not be a sanctioned country)
    • Commercial register Number
• (B) Statement of provision of node machines (as current)
  • I hereby guarantee that I shall provide node machines in accordance with the required Hardware Configuration for running the IC Network, as described on the IC wiki (see Node Provider Machine Hardware Guide).
• (C) Statement of good intent (as current)
  • I guarantee to the world that I shall honestly operate the node machines I provide, and that should I behave dishonestly, for example by deliberately interfering with my node machine(s) to prevent them correctly processing ICP protocol messages, in collusion with others or alone, that I will be liable to users of the network, and to other node providers, for any damages caused.
  • I further declare I am aware that any deliberate interference with a node machine, which causes it to incorrectly process ICP protocol messages, represents a misuse of that hardware, and of any hardware it interacts with, and that in some jurisdictions, that may constitute a crime.
• (D) Confirmation of Lawful Source of Funds & Wealth (New)
  • Public Disclosure
    • We, [Legal Entity Name], confirm that the capital and operational funding used in association with this node originates from lawful sources under the laws applicable in the jurisdiction where the node provider is registered and where the data center is located. We attest that we are not using the node for illicit activities, and that the ultimate beneficial ownership structure has been disclosed truthfully.
  • Private Disclosure (for an auditor)
    • Origin of funds: Explain the origin of the funds used to establish and operate the node provider. Detail sources such as personal savings, business income, inheritance, or investments.
    • Origin of wealth: Explanation of how the entity accumulated its total wealth (e.g., ownership of a business, inheritance, sale of property).
    • Provide supporting documentation, such as bank statements, tax statements, audited financial statements, transaction histories, or notarized statements, that allows an auditor to verify the legitimacy of these funds.
• (E) Confirmation and Update Commitment (New)
  • I, [Legal Name], hereby confirm that I am authorized to sign and submit this document on behalf of the Ultimate Beneficial Owner (UBO). I further commit to updating this self-declaration in the event of any material changes, such as a change in the UBO.

Assessment of Independence (Ultimate Beneficial Ownership) (New)

• Q1: UBO Ownership & Control
  • Public disclosure
    • Please list the Ultimate Beneficial Owners (UBOs) of the node provider entity, along with their full legal names and countries of residence. Please include any individual who
      • Holds ≥25% direct or indirect ownership; or
      • Otherwise controls the entity’s decisions (e.g., via a management position such as CEO, CFO, COO, board membership, a trust arrangement, or other legal agreements).
  • Private disclosure (for an auditor):
    • Add an ownership structure chart allowing to review the ownership structure until the top and including any intermediary.
    • In case of a Trust structure, please confirm the identity of the beneficiaries, settlor, trustee and protector of the Trust
• Q2: Overlap of UBOs with Other Node Providers
  • Is any UBO of this node provider also a UBO of another node provider?
  • If yes, provide the legal name of the other node provider(s).
• Q3: Family Ties
  • Is any UBO of this node provider directly related (e.g., spouse, parent/child, sibling) to an UBO of another node provider?
  • If yes, specify the relationship and the node provider(s) in question.
• Q4: Corporate Structure
  • Public Disclosure
    • Are there holding companies, parent companies, or subsidiary relationships that also have stakes in other node providers?
    • If yes, specify the relationship and the node provider(s) in question.
  • Private disclosure (for an auditor)
    • Provide the related ownership structure/chart as per Q1.
• Q5: Overlap of Financing
  • Public Disclosure
    • Does any other node provider, or UBO of another node provider, provide loans or debt financing to this node provider?
    • If yes, name the legal person(s) involved.
    • Please specify the duration of the financing.
  • Private Disclosure (for an auditor)
    • If the node provider utilizes debt financing, identify the lending entity.
    • Provide all relevant documentation concerning the debt.
    • If the lender is not a publicly listed bank or a well-established financial institution, provide the name of the UBO of the lending entity.
• Q6: Other Relationships (Does not lead to automatic clustering)
  • Does any UBO of this node provider have any family, personal or business relationship with a UBO of another node provider where this relationship was not required to be declared in the previous questions or has any UBO of this node provider assisted in the onboarding of another node provider?
  • If yes, specify the node providers in question.
  • Note: Friendships and acquaintances formed as a consequence of becoming a node provider need not be declared.

Thanks @bjoernek, can I ask why this part is considered private?

@bjoernek, regarding Q6: When you say “Does not lead to automatic clustering”, then you imply that manual clustering may be considered. Would you require public answers to even more questions, not listed in Q1-Q5, in order to make this decision? Who would make such a clustering decision? Will we all have a debate on the forum about the details of every “Other” relationship?

My recommendation would be to add specific Yes/No questions, if you feel that the current list (Q1-Q5) is not complete.

The whole point of having a list of well-defined Yes/No questions is to disclose the material/important relationships, and not to have a free-for-all on the forum about the details of the “other” relationships that we don’t have to disclose. Details about these family, personal or business relationships you ask about in Q6 should remain private.

@bjoernek, please provide more clarity regarding Q6 and possible clustering decisions. It wasn’t discussed in the Node Provider Working Group meeting. We as Node Providers need clarity to the extent of public disclosures.

I believe that the UBO information should be made public to allow the verification of the interdependence among node providers. However, the more detailed ownership structures are primarily relevant for auditors to validate the UBO declarations and do not seem necessary for the general public. Hence, to protect privacy, I suggest that these detailed ownership structures do not have to be publicly disclosed.

The information disclosed in Q6 is not intended to result in clustering, as the criteria for clustering are specified in Q1-Q5. This question provides node providers with an opportunity to disclose any additional relationships beyond friendships and acquaintances that have formed through their roles as node providers.

If significant new patterns emerge from the disclosures in Q6, the community may consider adapting the rules accordingly.

This is not the intent of the question. The purpose of Q6 is to capture any relationships that are not addressed by the predefined criteria in Q1-Q5, giving the opportunity for a comprehensive disclosure.

I’m trying to wrap my head around how this will work. How will the community validate that a meaningful audit has taken place? Will auditors have known neurons?

This is unacceptable to many Node Providers.

Comprehensive disclosure needs to be well defined as a series of YES/NO questions so that Node Providers can assess the extent of the public disclosures required by the community.

This is exactly the reason why its unacceptable for Node Providers - any disclosures here will just lead to more questions from the community, and they would demand an inappropriate public debate about the specific “other” relationship (family, personal or business).

I’m not sure what you’re saying, could you clarify? It sounds like you’re saying - so that Node Providers can assess how much they can get away with keeping private. Why does anything in this topic need to be private?

Okay, so why not just let them ask their questions. Transparency in this respect is the only way the 13-nodes-per-subnet model works. ‘Node Provider independence’ needs to be held to public scrutiny, or it can’t be assumed to be a feature of the IC (but it literally needs to be).

Perhaps some distance is needed for the people deeply involved with this currently.
Reading all this makes it sound like applying banking regulations to a decentralized network in order to catch a few bad actors for which there isn’t any evidence in the first place. Even if there are family connections between a few gen2 node providers this doesn’t make them bad actors given they followed the rules when they onboarded.

The probability that a bad actor is going to the length of infiltrating the network via setting up tons of shell companies, buying node equipment, going through the onboarding process then somehow landing with enough nodes in a single subnet to do some damage goes towards 0. Please enlighten me what the potential damage even is.

There is a way higher probability that a bad actor just pulls up the subnet he wants to target and has now a great directory of exactly who to target in order to take it over. This can be done via compromising machines, social engineering, extortion etc. It happened already on networks where e.g. a 3/5 multisig was guarding lots of funds. So, if anything we should rather advocate for having less data easily publicly accessible regarding the identity of the node providers.

This doesn’t mean a check for connections between node providers shouldn’t be done. The option already mentioned is a 3rd party auditor checking these and then giving node providers a green light if there are no conflicts. 3rd party auditors are standard in business. There are reputable firms that do exactly this and the community can then rely on the verification by a professional. This eliminates the risk of having more than 1 node controlled by a single entity in a subnet, which to my understanding is the main concern here.

Disclosure: Gen1 node provider who went through full KYC/KYB onboarding with Dfinity in 2020

I must agree with DavidB, the complications created with disclosing more and more personal information publicly does open the node providers for additional security risks, specifically in less developed countries where Node Providers were prepared to take the risk in order to decentralize further. Not all of us has 1st world safety levels when it comes to personal security. Lets keep it inhouse (out of public discussion) and have auditors confirm independence of ownership to satisfy the concerns raised.

Sure. Doesn’t mean that the relationship should be concealed though.

Please show your workings

In the future Subnet Membership proposals are likely to no longer be necessary (the decentralisation coefficient calculations will be handled on chain without the need for a proposal, other than to specify and maintain the algorithm). Frequent automated subnet node shuffling would be a useful feature at this stage, significantly reducing the window within which such an exploit could be exploited. If deemed necessary, it would even be feasible to anonymise node membership within subnets (given that the protocol itself would be capable of managing conformity to the IC target topology).

Basically, you’re confusing membership of a node on the network with membership of a node within a subnet. The former should be public, transparent, and reasonably verifiable on demand by the community (in terms of claims about identity and independence). The latter need not be (in a future where it’s handled by the protocol).

Not sure what do you want to see here. Even if you think this is somehow possible while my experience in this space over the last 9 years tells me it’s not.
No new nodes got added to the network for about a year or so. All gen1 node providers were KYCed by dfinity. The theory then must be someone infiltrated the network between gen2 onboarding and over a year ago with enough nodes to land randomly in a single subnet. So lets entertain this thought. What exactly would this entity then wait for over a year so far? What are they trying to do? Please show your workings
How would this be prevented by doxxing every node provider? Wouldn’t the malicious entity just fake their documents to stay undiscovered?
Beside that I’m not aware of a single other network in which validators/node providers get doxxed publicly and for sure not their UBOs and CEOs personally. It’s pretty baffling to me that the privacy concerns are getting just handwaved. Good look trying to combine this with GDPR.

Can we just wait with this whole discussion then till the shuffling is implemented before we go to drastic steps which endanger the network more than what it prevents? If this is implemented are most dangers then eliminated anyway?
Beside that “the community” so far seems to be a handful of people who demand full public doxxing while the whole node provider community clearly doesn’t want their private information in a public directory. Seems like most would be okay to go through KYC via a 3rd party (for gen1 again).

Sounds like you’re very much out of the loop. I would suggest:

• Learning about what the IC Target Topology is, and the foundational assumptions that it rests on and why (there’ll be no shortage of info if you do a search)
• Appreciating that the IC is unlike any other blockchain you’re familiar with (as few as 13 nodes taking part in consensus)
• Appreciating that many nodes have changed hands recently, which is why these concerns have come to the fore
• Appreciating that it would be very easy to nudge nodes that you own into the same subnet if they appear to be owned by different people
• Appreciating that if you control 5 nodes in the same subnet, you can easily attack it in order to damage the reputation of the IC (it’s not unreasonable to expect that some people would pay substantial sums of money to see this happen)
• Appreciating that if you control 9 nodes in the same subnet you control consensus on that subnet (what you say goes as far as block are concerned)

No, it’s pointless if we can’t get the foundations right (which is what this current movement is about)

I’m aware of all this and not at all out of the loop. I’m following all developments quite closely.

Again what would be the real risk here? How would someone manage to get his 5 nodes voted in replacing current nodes? IF that is somehow managed what is the risk? Is it just halting a subnet? The whole Solana Network halted several times in the past and it didn’t result in much damage. This would be only a single subnet.
If someone goes to all this length to halt a subnet he gets banned with all his nodes over 5 node provider entities and the nodes get replaced by other node providers.
So even if the super unlikely scenario somehow happens the damage would be limited and the threat actor eliminated.
This all sounds like a totally theoretical approach to a very low probability scenario and the proposed measures wouldn’t even prevent a real bad actor. It just gives the false feeling of security since something was done to prevent the theoretical threat.
Beside all these theoretical thought processes there was not a single downtime of a subnet because of the mentioned problems. Why is there after 4+ years of the IC running now a desire to change the fundamentals of the whole system esp. retroactive? There were few forum posts with allegations and not a single one of these was withstanding little bit scrutiny. I could perhaps understand if the process gets improved for new onboarded nodes. But forcing current node providers who onboarded under a specific set of rules and have long term commitments to absolutely insane privacy violations shouldn’t even be entertained. I can clearly tell you that most will just refuse to doxx publicly UBOs and CEOs. Perhaps you personally don’t care about privacy but it is a fundamental right and it was once a core pillar of the whole crypto movement. It’s quite sad to see this fully undermined in this context.
Again this literally tries to set up a banking style compliance department. Banks do this in order to fulfill government regulations and its very costly. Now some community members want to implement government style surveillance willingly on a web3 project? But that’s not all: They also want the collected data to be made public. Like mentioned in my first post perhaps take a few steps back and realize what’s demanded here.