Thanks for the idea, @claudio. I haven’t considered this option.
Right now it is not clear whether we can manage to get secure caller_id in cross-subnet calls or not. I think we have the following options:

A. We manage to make caller_id secure in cross-subnet calls. There is an idea by @bogwar on how to support secure/repeated cross-subnet queries with replication factor of f+1 in a subnet with 3f+1 nodes. That would be something between non-replicated and fully replicated execution mode. I’ll write up a detailed explanation of the idea.

B. We are not able to make caller_id secure in cross-subnet calls.
- B.1 [dynamic caller-id]: Replace caller_id with the anonymous principal in cross-subnet calls, but keep it valid in same-subnet calls.
- B.2 [caller-id signed by node]: Follow @nomeata’s suggestion that there is no critical regression in security if the node is able to query what any canister that it is hosting can query.
- B.3 [disable caller-id for composite queries]: This is your suggestion.

The plan is to make option A work because that maximises the usefulness of composite queries. If that fails then fall back to B.1 or B.2.

As @skilesare mentioned, it seems that option B.3 will greatly reduce the usefulness of composite queries even in cases when the caller_id is guaranteed to be secure (same-subnet calls and calls from users).