Overall in favor, although so far I haven’t seen a solution that is obviously desirable for all callers.
If you use this method from a canister, it will be executed in the “middle” of a block. Do you even have a hash tree of the state then to return a pruned response?
Actually, if you return no certificate, there is no need for the hash tree to have a certain root node. Therefore no need to have any pruned tree nodes. In other words, you can just create a fresh tree consisting of just the requested data.
But at this point the question is: why even return an unwieldy data structure like a hash tree when there is no certification around? Why not something easier to digest, like Candid?
And continuing this train of thought leads again to roughly where we are now.
Hmm, the more I think about this, the more I believe we need to solve this at a more fundamental and general level. It should be possible to describe the canister state in a high level way (Candid), and then get all that we need. And next time we add something to the state, everything about data formats and certification follows. This scheme and associated tooling would then also help canister developers who are then facing the same issue.
What would that entail:
- (Possibly) pick a subset of Candid types, call them certifiable.
- Define a (simple) query language for them, similar to read_state, to select fragments of such a value.
- Define a mapping from these abstract Candid values to our hash tree. This needs to be compatible with the above query language (i.e. a certificate reveals only the query result and that it is indeed the right result for this query, including the negative case).
- In replicated calls, simply return Candid as now.
- In non-replicated calls, return the hash tree representation of the same Candid value, plus certificate.
If we can pull this off the whole replicated vs. certified distinction disappears on the application level. But it’s not trivial, unfortunately.
But if we don’t do this, and suddenly important functionality is now no longer reachable via our common high level interop system, we are again weakening the coherence vision of the IC…
Minor wording nits:
Not quite true, some parts of the state tree are only accessible via suitable authentication (in particular, ingress call status).
Do you mean its parameters, i.e. “state tree paths”? Or rather the internal “input”, e.g. which data structure it reads from?
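To make the list above concrete (a value mapped to a hash tree, a read_state-style path selecting a fragment, and a pruned witness that reveals only that fragment and still supports the negative case), here is an added, self-contained model. It is not the post author's code and not DFINITY's implementation: the node shapes, `build`, `prune`, `lookup` and `certified_lookup` are this example's own names, the domain separator strings are assumed to follow the IC hash tree spec in spirit only, and the state dictionary is constructed sample data. Certificates themselves are out of scope; `ROOT` stands in for the root hash a certificate would sign.

```python
import hashlib

# Added example (not the post author's or DFINITY's code). Node shapes:
#   ("empty",) | ("fork", left, right) | ("labeled", label, sub)
#   ("leaf", value) | ("pruned", digest)
# Domain separators are modelled on the IC hash tree spec (assumption: the
# real encoding has details not reproduced here).

def _h(domain: str, *parts: bytes) -> bytes:
    sep = bytes([len(domain)]) + domain.encode()
    return hashlib.sha256(sep + b"".join(parts)).digest()

def digest(node) -> bytes:
    """Root hash of a tree; pruned nodes contribute their stored digest."""
    kind = node[0]
    if kind == "empty":
        return _h("ic-hashtree-empty")
    if kind == "fork":
        return _h("ic-hashtree-fork", digest(node[1]), digest(node[2]))
    if kind == "labeled":
        return _h("ic-hashtree-labeled", node[1], digest(node[2]))
    if kind == "leaf":
        return _h("ic-hashtree-leaf", node[1])
    if kind == "pruned":
        return node[1]
    raise ValueError(f"unknown node kind {kind!r}")

def build(value):
    """Map a nested dict of bytes (stand-in for a certifiable Candid record)
    to a tree. Labels are sorted and joined by balanced forks."""
    if isinstance(value, bytes):
        return ("leaf", value)
    items = sorted(value.items())
    if not items:
        return ("empty",)
    def fork(lo, hi):
        if hi - lo == 1:
            label, sub = items[lo]
            return ("labeled", label, build(sub))
        mid = (lo + hi) // 2
        return ("fork", fork(lo, mid), fork(mid, hi))
    return fork(0, len(items))

def prune(node, path):
    """Witness for the fragment at `path`: the fragment in full, labels along
    the way, digests for everything else. Sibling labels stay visible (with
    their subtrees pruned) so absence of a label can be shown as well."""
    kind = node[0]
    if not path or kind in ("leaf", "empty", "pruned"):
        return node
    if kind == "fork":
        return ("fork", prune(node[1], path), prune(node[2], path))
    if node[1] == path[0]:                      # labeled, on the path
        return ("labeled", node[1], prune(node[2], path[1:]))
    return ("labeled", node[1], ("pruned", digest(node[2])))

def lookup(node, path):
    """("found", value) | ("absent",) | ("unknown",). Unknown means a pruned
    node hides the answer, so this witness proves nothing about the path."""
    kind = node[0]
    if not path:
        if kind == "leaf":
            return ("found", node[1])
        return ("unknown",) if kind == "pruned" else ("absent",)
    if kind == "fork":
        left, right = lookup(node[1], path), lookup(node[2], path)
        for r in (left, right):
            if r[0] == "found":
                return r
        if "unknown" in (left[0], right[0]):
            return ("unknown",)
        return ("absent",)
    if kind == "labeled":
        return lookup(node[2], path[1:]) if node[1] == path[0] else ("absent",)
    if kind == "pruned":
        return ("unknown",)
    return ("absent",)   # leaf or empty where a further label was expected

def certified_lookup(witness, trusted_root: bytes, path):
    """Client side: check the witness against the root it trusts (in the real
    system, the root a certificate signs), only then read from it."""
    if digest(witness) != trusted_root:
        raise ValueError("witness does not match certified root")
    return lookup(witness, path)

# Constructed sample state; shape loosely modelled on the IC state tree.
STATE = {
    b"time": b"\x80\x01",
    b"canister": {
        b"abc": {b"module_hash": b"\xaa\xbb", b"controllers": b"\x01\x02"},
    },
}
ROOT = digest(build(STATE))

def demo():
    tree = build(STATE)
    pos = prune(tree, [b"canister", b"abc", b"module_hash"])
    neg = prune(tree, [b"canister", b"zzz"])
    return {
        "found": certified_lookup(pos, ROOT, [b"canister", b"abc", b"module_hash"]),
        "hidden": certified_lookup(pos, ROOT, [b"canister", b"abc", b"controllers"]),
        "absent": certified_lookup(neg, ROOT, [b"canister", b"zzz"]),
    }
```

The point worth noticing is the three-way answer from `lookup`: a witness pruned for one path hashes to the same root as the full tree, yet says "unknown" about a sibling value it does not reveal, while "absent" is only returned when every label at that level is visible. A tighter prune would keep just the two neighbouring labels in sorted order rather than all siblings, which is the kind of detail the mapping in the third bullet has to pin down.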