Proposal for Node Provider Self-declaration

Proposal for NP Self-declaration

The problem

A secure and sustainable operation of the IC requires (1) maximal decentralization and (2) that Node Providers (NPs), who own and operate the network’s nodes, behave in the interest of the network.

What does maximal decentralization mean? It means maximizing the number of independent NPs and diversifying the geographies, jurisdictions, and datacenters (DCs) where the nodes are operated.

In a fully decentralized network, onboarding of a Node Provider (NP) is managed entirely by the Network Nervous System (NNS). This means that anybody who wants to become a NP needs to submit a proposal that will be voted upon by the community. The main question then is: how to decide whether to accept or reject a new NP into the network? That’s where we would like to have your feedback as a community.

The goal - assessment of a new NP by the community

We propose to take a three-level approach that will help the community to assess whether a new NP should be onboarded:

  1. Automatically validate part of the technical configuration of the NP during onboarding.
  2. Financial stake by the NP through investment in node hardware.
  3. Self-declaration of identity and good intent.

First, there are a lot of items that can be validated automatically during the onboarding of a NP, in particular the configuration setup and location of the NP. These can be included as part of the autonomous onboarding process that we are currently working on (see blog post Node Decentralization Status).

Second, new NPs will have a substantial stake in the IC through the investment in HW infrastructure for running their nodes. As described by Dom in his recent article (Blogpost Dom), NPs are not required to stake ICP, but the HW investment ensures that the NP has sufficient incentive to run nodes efficiently and reliably. This level of NP assessment has already been implemented through the current NP reward system, and will be refined in the future. To learn about this, please refer to the Forum post update on Node Decentralization (see here).

A financial stake as described above might not be enough to dissuade malicious node providers from colluding to break a subnet. Therefore, as a third level of assessment, we propose to the community that NPs are asked to present a self-declaration when requesting the NNS to be added to the network. In this, NPs:

  • state their identity and business entity;
  • accept that they are liable for the financial damage and harm caused in case they maliciously collude with other node providers to subvert the functioning of the network;
  • accept that they understand that deliberately subverting the protocol, by modifying code, colluding with other malicious node providers, or otherwise, constitutes the misuse of a computer system.

We believe that a self-declaration will greatly increase security to the benefit of all stakeholders in the IC network, ranging from NPs to developers and entrepreneurs building on the network.

The way forward

With this forum post, we present a proposal of a self-declaration template (see draft on the IC wiki: Node Provider Self-declaration) and invite the community to give feedback. What does the community want to see and know from a NP before an informed decision can be made as to whether to accept or reject the NP into the network?

Once we have collected sufficient feedback and adapted our proposal accordingly, we plan to submit a motion proposal with the intention to turn the self-declaration into a community-approved procedure. Should this motion proposal be accepted, the community is encouraged to reject any NP application not complying with the template or not providing credible data as requested by the template.

We are very much looking forward to your feedback!

13 Likes

That looks good!

I think we need something that ties the self declaration to the node provider key, otherwise the same self declaration could be submitted for multiple node providers, and voters can’t really tell which one is the “real” one.

5 Likes
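One way to make the binding asked for in the reply above checkable by a voter, as an added example that is not part of the original thread or of DFINITY's code. The field names `np_principal` and `declaration_sha256`, the JSON form of the declaration, and all sample values are assumptions constructed for illustration.

```python
import hashlib
import json

# Constructed sample declaration; a real one would follow the wiki template.
SAMPLE_DECLARATION = {
    "entity": "Example Hosting GmbH (constructed)",
    "np_principal": "np-aaaa-constructed",
    "statement": "liable for damage caused by malicious collusion",
}

def declaration_hash(doc: dict) -> str:
    """SHA-256 over a canonical JSON encoding, so equal content gives equal hashes."""
    canonical = json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()

def check_proposal(proposal: dict, doc: dict, seen: dict) -> list:
    """Return reasons to reject; an empty list means the binding holds.

    proposal: {"np_principal", "declaration_sha256"} (hypothetical fields)
    doc:      the published declaration the voter downloaded
    seen:     declaration hash -> principal, from earlier accepted checks
    """
    problems = []
    digest = declaration_hash(doc)
    if digest != proposal["declaration_sha256"]:
        problems.append("hash mismatch: published document is not the one proposed")
    if doc.get("np_principal") != proposal["np_principal"]:
        problems.append("declaration names a different node provider key")
    owner = seen.get(digest)
    if owner is not None and owner != proposal["np_principal"]:
        problems.append("declaration already used by " + owner)
    if not problems:
        seen[digest] = proposal["np_principal"]
    return problems

if __name__ == "__main__":
    seen = {}
    digest = declaration_hash(SAMPLE_DECLARATION)
    honest = {"np_principal": "np-aaaa-constructed", "declaration_sha256": digest}
    copycat = {"np_principal": "np-bbbb-constructed", "declaration_sha256": digest}
    print(check_proposal(honest, SAMPLE_DECLARATION, seen))   # binding holds
    print(check_proposal(copycat, SAMPLE_DECLARATION, seen))  # reused declaration
```

The check only ties a document to a key; whether the named entity really issued the document still has to be established separately, which is the identity question raised later in the thread.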

In a DC, along with NPs, is it also important to decentralize nodes based on the ISP they use to connect to the internet?

2 Likes

A couple questions:

  1. What happens if a provider violates the self declaration? Is he sued? If so by who?

  2. Is the declaration legally enforceable in all jurisdictions? If not, does that mean NPs in those areas won’t be able to run a node?

  3. How will the NNS verify the providers’ legitimacy? What’s stopping someone from using fake/stolen IDs to submit a NP request?

8 Likes

I kind of agree, but the whole premise of the IC is that it uses “deterministic decentralization” to carefully construct subnets using nodes in different jurisdictions and operated by different principals. That allows the IC to drastically reduce subnet sizes to achieve high performance without (theoretically) sacrificing security guarantees.

This is in stark contrast to blockchains like Ethereum, where decentralization is “non-deterministic” because anyone (even anonymous) can participate in consensus at any time.

I think the IC’s model is more realistic about things, as you can’t completely divorce the virtual world from the physical world (otherwise it leads to situations like >50% of Ethereum nodes running in centralized clouds). Not sure if this NP self-declaration is meant to be legally enforceable though.

1 Like

I wouldn’t be so sure about that, deterministically identifying individuals is not an easy task, especially for a DAO. Imho if banks can be fooled by bad actors so can the NNS, NPs doxing themselves also opens up another kind of attack vector, cause now they can be bribed or blackmailed.

I think that’s a smaller issue than some make it out to be, staking pools having lots of VP and being OFAC compliant is a much bigger one. ETH like chains have a capitalistic approach to determine where nodes are hosted: the simplest and cheapest option becomes the meta, if tomorrow Google or AWS were to ban ETH nodes they’d just move elsewhere with minor disruptions to the network, on the other side if running IC nodes became illegal for whatever reason, the protocol would require significant changes to make it run in a different environment and that’d cause major disruptions.

If it’s not, then it’s the same as writing “trust me bro” on a piece of paper, completely useless.

5 Likes

They can currently already be bribed and can advertise their participation if they wish to do so, so I’m not sure what the added risk is there.

On the blackmail side a NP being blackmailed or targeted by a criminal organization or government is a serious risk. Imagine the NSA says that they need to break into 1/3 of the nodes on a subnet for reason X, or a specific node to retrieve canister data (very difficult, but the US government might be able to do this?).

It’s that much simpler if the nodes have already doxed themselves.

On the other side, realistically I think the ship has sailed in terms of privacy from the node provider side given all of the recent developments and shady players that crypto seems to attract. Living in the US, I’d prefer to be able to hold nodes legally responsible, even if this risks that my government or other parties can more easily track them.

I understand how this might be problematic in other nations, but if that’s the case then I don’t want nodes to be running in areas with rampant crime or that are at risk of becoming absorbed by a surveillance initiative.

If there are too many nodes in a subnet in a single country, then that’s a decentralization problem.

2 Likes

Wouldn’t they need 2/3 to actually control the chain?

Thank you for spending time trying to improve the ICP and sharing your concerns.

Now I have a few questions:

Can someone tell me why this third level of assessment is doable or even useful?

  • People providing service as NP know they have to be in good faith or kicked out
  • Identity is unverifiable
  • Do you even know how much money/hardware is needed to do harm to the IC?

Wouldn’t it be smarter to start by checking if the incentives aren’t already enough?
Isn’t there any risk by making this onboarding harder?
Is it now the right time to think about it?
Have you done a proper SWOT analysis?
Would this move make it harder for people to onboard?
As a NP do you want your identity to be available online?
Is that not just another administrative constraint that comes from the 19th century?
Is this template even fillable in every country?

With love,

xx

Could the KYC Application process be leveraged here?

i) Create an Internet Identity (II)
ii) Submit II for KYC Identification - https://support.dfinity.org/hc/en-us/articles/5006142379284-How-do-I-submit-a-KYC-application-
iii) Node Provider application is tethered to KYC’d II.

I get this :point_down: :point_down: :point_down:

IMO the meaning and benefits of transparency have yet to be understood by the broader crypto community.

Anonymous Node = hidden, opaque = compromises can occur and persist without Network knowing
Known Node = open, transparent = compromises are known enabling Network action

Network Resilience is created through the distribution of nodes across multiple jurisdictions.

Key Question: could Node Operators be free to state and select which Subnets they host in order to PREVENT exposure to legal liability within their geographical jurisdiction, which would in turn enable developers to deploy dApps on Subnets within favourable legal jurisdictions? And to be explicit… if a dApp is considered illegal by EVERY JURISDICTION IN THE WORLD the Node Providers and End User MUST be made aware of this… and to be explicit:

No, DYOR is not an appropriate answer. It’s a copout/fallacy/obfuscation bad actors/scammers effectively deploy in the pursuit of self-interest/greed/incompetence.

IF a globally illegal dApp is considered morally/culturally acceptable by us (the people), we (the people) need to know about it! It should be discussed on a transparent crypto powered platform, not tucked away in the corner of an opaque network governments can claim is tainted, disreputable and dishonest.

2 Likes

But wouldn’t that mean the IC is no longer a sovereign network ruled by the NNS, but a network running on the goodwill of the governments of countries where DCs are located? That’d be a big paradigm shift and should be publicly advertised.
If NNS governance becomes a facade cause voting against a governments’ will results in hundreds of nodes going down then the IC is much less of a blockchain as most intend and more of a trustless computing platform where devs can run software and have realistic guarantees its execution won’t be tampered with and users can verify the software they’re interacting with does what they are told and both devs and node owners can’t change that without them noticing.

This could be more than enough for many use cases, but when the IC has been and currently still is sold as an alternative to existing L1s, which offer another set of features like immutability and uncensorability then I can’t help but feel cheated a bit.

2 Likes

Anonymous nodes = safety in numbers provided by statistics and game theory
Known Node = illusion of safety provided by an imperfect and cheatable system (KYC)

The concept of “favourable jurisdiction” goes against the vision Dom initially advertised:

4 Likes

If we lived in a world defined by ourselves, you would be right. However, we live in a world defined by others. Specifically, a world defined by governments, which have a monopoly on law creation and the violent enforcement of these laws.

Dfinity understands the necessity of compliance, evidenced by the KYC process they established.

It is essential we foster the conditions for longevity. If NPs registered today in order to be compliant with local jurisdictions but in the future it became unnecessary there would be nothing to stop them from dropping off line and re-deploying nodes anonymously.

3 Likes

One of the reasons crypto was created and attracted so many (before fraudsters and opportunists joined the party) was precisely to get away from that.

Now if Dfinity has different plans for the IC I’m cool with it, the platform still has use cases and amazing tech but they shouldn’t claim to have solved the trilemma or compare the IC to other projects which have a different scope.

There would be years of fine tuning the network to work with a different set of assumptions to stop them. Dfinity is focusing its manpower to improve the protocol to work better under the current topology of the network: tokenomics, cycle pricing, finality, block size, etc… are fine tuned for a permissioned network with powerful nodes running in data centers with guaranteed up time, moving to anonymous nodes throws all of that away, it might be possible in the future to have anonymous nodes on dedicated subnets, but it’s unclear how well they will perform and by that point there could be other protocols, which have focused their efforts on a decentralized vision only, that are just a better fit.

Again I’m not saying it’s a bad choice, only time will tell, but Dfinity should be honest about what the IC is and aims to be, cause I see a cognitive dissonance between recent communications and the pre Genesis pitch.

5 Likes

Of course the IC has solved the trilemma. These other choices are not for lack of a solution to the trilemma problem.

It is absolutely appropriate to pursue an ideal which is superior to the nation state model.

I put this journey into the same context as the Industrial Revolution.

It will take decades.

Let’s create the conditions for growth and adoption today, tomorrow and next year. Our future selves can deal with the issues five, ten, twenty and thirty years hence.

1 Like

You are right, but there is an important observation that must be taken into account:

At this moment in time most of our daily commercial activities (and those of NPs) are not limited to environments that support SmartContracts. We are in a transitionary stage in which the legacy system is an inescapable practical reality.

That is true, but what worries me the most is the consequences might not even be there in IC case cause:

  1. Identifying people reliably in a decentralized manner is very hard if not impossible.

  2. It’s not sure if and how the self-declaration is legally enforceable.

Even as a temporary solution, the system proposed by Dfinity seems flaky and might eventually be exploited once the network holds enough value. If the 2 points I’ve mentioned aren’t solved, there is nothing stopping a well funded organization from adding many nodes under different NP accounts other than the sum of money required to buy enough rigs to obtain a subnet’s control.

2 Likes

It is if subnets’ node count stays the same and without automatic node rotation between subnets. The latter has already been discussed and might eventually be implemented, on the other side a node increase big enough to make anonymous nodes as safe if not safer than deterministic decentralization is unlikely to happen for 2 reasons:

  1. As the subnet grows in size time to finality increases too, this could be solved by implementing something out of Dfinity’s original design for the IC: randomly sized committees.
  2. With bigger subnets, the tokens minted to pay the node providers would increase linearly, I’m already not certain whether the IC can become deflationary in its current state, let alone if subnets had between 400-1000 nodes in them (number of nodes planned in the original design), that’s a x30-x70 increase in minted tokens per subnet, so either operational costs for devs would have to be increased or providers rewards decreased, both by a LARGE margin. That is in my opinion unfeasible with the current protocol revenue structure.

3 Likes

Everything that isn’t crypto is legacy. From purchasing a building, getting local business licenses, paying for energy and paying employees, leasing a car and buying lunch.

But @Motokoder, everything in life is transitory because the Status Quo is “change”. The world your great-grandparents inhabited as adults was not the same as the world your grandparents inhabited as adults which was different from the one your parents inhabited, etc…

But we have digressed massively.

The original question was for comments on the content of a form to be completed by future NPs.

I think it is a good idea.

3 Likes