[ripple/rippled] Add a ‘domain’ field to validator lists: (#2619)

> That isn’t proof of anything. Hosting a ripple.txt is NOT a prerequisite for operating a validator and never has been.

I agree, “proof” was maybe too strong of a wording. It would have been proof if they had published the file, its absence is not proving that they are or aren’t running a validator.

> As it stands now, Ripple, as a validator list publisher, is attesting that they have verified that the validator nHUFzgC9fDw2MEDaiv9JMdBFhtJ6DMKoUCpS8gPGi6tkfbqmTyis is operated by Bahnhof.

On a page with `Information is provided “as is” and solely for informational purposes only.` in its footer and without publishing anything other than a `✓` character as proof. This PR would change that checkmark into a field in a signed json file, nothing more, nothing less.

> You know what? I’m done engaging with you.


I’m just trying to find out how this would work out:

> This change actually improves things: the publisher, whom the user trusts to publish a list, is attesting that a given validator corresponds to a particular domain and cryptographically signs that attestation; **if the publisher of the list lies, there will be cryptographic proof of that lie and we can all decide what to do moving forward.**

My reasoning is that it doesn’t improve things, since there is no way on the outside to proof that someone is lying, only to claim that someone is lying, for example in the way I did, with the following reasoning/indications:

* Bahnhof doesn’t list a validation pubkey on their site, in neither the canonical location (`ripple.txt`) or anywhere else (even though it would be simple/easy to do so, e.g. in the announcement blog post)
* The only “attestation” published by Ripple is a checkmark character on an `informational only` page
* That page also uses technical terms rather broadly, with the example that `ripple.com/build/xrp-test-net` is a “verified domain” as of today
* No signatures (that potentially already exist) are published by Ripple or Bahnhof, even though it would be easy and secure to do so
* Bahnhof is not shown on https://ripple.com/xrp/market-performance/ (but a lot of organizations that not even Ripple claims are validating are listed there, so maybe these logos represent something else or are just examples)

The indications for Bahnhof running a validator are:

* A blog post by Bahnhof from ~1 year ago that they are “part of a growing network of validating organizations”
* Ripple’s claims (on the validator registry) that the validation pubkey that hashes + encodes to `nHUFzgC9fDw2MEDaiv9JMdBFhtJ6DMKoUCpS8gPGi6tkfbqmTyis` belongs to `www.bahnhof.se`

The latter is also the only mention of Bahnhof’s public key.

You might (or rather: likely do) have more insight or trust in the process than me of course. Still, adding a domain name to the validation list blob doesn’t make it any easier to prove or disprove if Bahnhof is validating with that pubkey or if Ripple is honest about this.

An “easy” proof that Ripple is lying would be a signed statement from the private key that they don’t belong to Bahnhof (then again: It could have been stolen, which is outside of Ripple’s control)
An easy proof that they are acting faithfully would be to attach the TLS cert, the validation pubkey signed with the cert key, the domain and the domain signed with the validation key to this blob. Then the trust would need to be placed with the TLS CA and some discrepancies (e.g. a wildcard cert being used to sign such a statement) could be found out.

Until then, while it might be possible to claim a lie, there is no proof of a lie (or of the absence of it!). This then boils down to trust, politics and people writing long posts on the internet, not cryptographic proof…

It is only useful for display purposes, it does not significantly increase the accountability but further increases the amount of trust necessary in the validation list provider.

This post was last modified on July 8, 2018, 9:36 am