Canton Party Resolution Protocol - PR#171
Canton Party Resolution Protocol - PR#171pdomenighetti wants to merge 23 commits intocanton-foundation:mainfrom
Conversation
first commit Signed-off-by: Paolo Domenighetti <paolo@freename.io>
initial commit Signed-off-by: Paolo Domenighetti <paolo@freename.io>
formatting Signed-off-by: Paolo Domenighetti <paolo@freename.io>
formatting Signed-off-by: Paolo Domenighetti <paolo@freename.io>
txt tuning and review Signed-off-by: Paolo Domenighetti <paolo@freename.io>
txt tuning and review Signed-off-by: Paolo Domenighetti <paolo@freename.io>
styling Signed-off-by: Paolo Domenighetti <paolo@freename.io>
styling Signed-off-by: Paolo Domenighetti <paolo@freename.io>
styling Signed-off-by: Paolo Domenighetti <paolo@freename.io>
styling Signed-off-by: Paolo Domenighetti <paolo@freename.io>
pdomenighetti
requested review from
hythloda,
isegall-da,
stas-sbi,
tkatrichenko and
waynecollier-da
Real CIP submission after error in uploading. Signed-off-by: Paolo Domenighetti <paolo@freename.io>
correction after wrong submission Signed-off-by: Paolo Domenighetti <paolo@freename.io>
styling anf formatting fixes Signed-off-by: Paolo Domenighetti <paolo@freename.io>
formatting and styling fixes Signed-off-by: Paolo Domenighetti <paolo@freename.io>
Signed-off-by: Paolo Domenighetti <paolo@freename.io>
Signed-off-by: Paolo Domenighetti <paolo@freename.io>
Signed-off-by: Paolo Domenighetti <paolo@freename.io>
Signed-off-by: Paolo Domenighetti <paolo@freename.io>
Signed-off-by: Paolo Domenighetti <paolo@freename.io>
Signed-off-by: Paolo Domenighetti <paolo@freename.io>
meiersi-da
left a comment
meiersi-da
left a comment
There was a problem hiding this comment.
Very nice work @pdomenighetti ! Thank you 🙏
I believe this has the right ingredients, and will result in a great improvement for the ecosystem after a few rounds of polishing. See my comments to drive a first iteration.
Some of the comments hint at scope that we might be able to remove: e.g, encrypted fields. In my experience, keeping scope tight is very valuable to focus our limited attention on the pieces with the highest ROI; and deliver the overall improvement in a timely fashion.
|
|
||
| This CIP focuses on the naming and resolution mechanics. Trust evaluation, issuer classification, verification policies, and encrypted metadata are defined in the companion CIP-YYYY (Party Identity Verification). | ||
|
|
||
| A shared technical specification accompanies both CIPs: [CPRP-spec.md](./CPRP-spec.md). |
There was a problem hiding this comment.
Not part of this PRs files. Should it be?
| | `n` | Specific name within the namespace | `default`, `treasury`, `trading-desk-3` | | ||
|
|
||
| Examples: | ||
| - `mainnet/dns:goldmansachs.com:default` |
There was a problem hiding this comment.
| - `mainnet/dns:goldmansachs.com:default` | |
| - `party:<canton-party-name-space>:<canton-party-prefix>` | |
| - `mainnet/dns:goldmansachs.com:default` |
consider the benefit of injecting the party names in a uniform way into this system as well. This ensures every party has always at least FQPN referring to them.
There was a problem hiding this comment.
cool, a built in party resolver would mean every Canton party automatically gets an FQPN like mainnet/party:: with no registration needed (so always resolvable) Would be T4 trust. i'll add it.
There was a problem hiding this comment.
consider avoiding the mainnet/ prefix, as parties are not bound to networks. You might use party: without a qualifier or use protocol/party. Or perhaps avoid even stating that as party and just use the Canton concept: uid:, which stands for Universal Identifier, and is cryptic enough so that people don't attach too many unwarranted concepts to it.
There was a problem hiding this comment.
i will keep the protocol syntax/composition rules in a separate review session just for complexity in managing reviews. I will proceed like this: answer to comments. apply agreed changes to both CIPs and SPEC not related to protocol syntax then we may iterate specifically on that :)
| | `resolve` | namespace, name | `ResolutionResult` | Forward lookup: name → Party ID + metadata | | ||
| | `reverseResolve` | partyId | `ReverseResolutionResult` | Reverse lookup: Party ID → registered names | | ||
| | `resolveMulti` | queries[] | `ResolutionResult[]` | Batch resolution (latency optimization) | | ||
| | `changelog` | since timestamp | `ChangelogEntry[]` | Credential changes since a given time | |
There was a problem hiding this comment.
Are these HTTP methods? Can you add references to their specification?
There was a problem hiding this comment.
They're logical interface methods. the spec also maps into HTTP endpoints. will make this explicit in the CIP text.
|
|
||
| ### Profile Rendering Guidelines | ||
|
|
||
| Profile claims (`cns-2.0/name`, `cns-2.0/avatar`, `cns-2.0/email`, `cns-2.0/website`) are informational only and MUST NOT be interpreted as verified identity attributes. Verification status is determined exclusively by CIP-YYYY's trust evaluation, not by profile content. Display names SHOULD be ≤64 Unicode characters. Avatars SHOULD be `https://` URLs; applications MAY additionally support `ipfs://` URIs. |
There was a problem hiding this comment.
The cns-2.0 prefix is not defined. Do you mean the namespace of PixelPlex's CIP? Consider defining the symbolic names for these in a preamble to avoid confusion.
There was a problem hiding this comment.
right, this is confusing as written. cns-2.0/* was our working name for the profile claims while PixelPlex is defining in their CIP (PR #169). Will add a preamble to both CIPs when defining namespaces
| - Org-scoped: Corporate LDAP/directory service exposed via the resolver interface | ||
| - Validator-configured: Pre-loaded at the validator level for all apps on that node | ||
|
|
||
| Address books provide display names only — they cannot override trust tier or verification status (those come from CIP-YYYY). |
There was a problem hiding this comment.
What about profile information?
|
|
||
| Given a `ComposedResolutionResult` from CIP-XXXX's composition engine, the trust evaluator: | ||
|
|
||
| 1. For each credential in the result, checks on-ledger state (active, archived, expired) |
There was a problem hiding this comment.
Why not make the composition engine only query for active, unexpired credentials in the first place?
| The highest-trust automated verification path for institutions: | ||
|
|
||
| 1. Party publishes DNS TXT record: `_canton.<domain> TXT "party=<party_id>"` | ||
| 2. SV nodes verify the DNSSEC chain and confirm the record exists |
There was a problem hiding this comment.
Is it required up front to the SV nodes to implement the DNS verification, or could we define the default DNS verification policy to be a quorum of featured resolvers?
|
|
||
| Supports both Legal Entity vLEI (LE) and Official Organizational Role vLEI (OOR). | ||
|
|
||
| ### Encrypted Fields |
There was a problem hiding this comment.
What are two example use-cases for these encrypted fields? Why can these use-cases not be handled via application specific on-ledger communication? e.g., onboarding to a trading app requires the specification of shared parameters for settlement instructions.
| ### ResolverFeaturedStatus | ||
|
|
||
| Records SV-approved featured resolver status. Fields: `resolver_operator` (Party), `resolver_id` (Text), `approved_by` (DSO Party), `approved_date` (Time), `renewal_deadline` (Time), `network` (Text). Choices: `RevokeStatus`, `RenewStatus`. | ||
|
|
||
| ### CollisionArbitration | ||
|
|
||
| Records governance decisions on disputed name mappings between featured resolvers. Fields: `arbitrated_name` (Text), `winning_party_id` (Text), `losing_resolver_id` (Text), `decision_rationale` (Text), `arbitrated_by` (DSO Party). Published as T1 authority. |
There was a problem hiding this comment.
As on the other CIP: consider how to encode this as a credential in a credential registry; and double-check whether it even needs to be in the DSO registry.
|
|
||
| Why post-quantum encryption: Canton's institutional users (DTCC, Goldman Sachs, HSBC) hold assets with multi-decade time horizons. ML-KEM-768 provides NIST-standardized post-quantum security for encrypted metadata that may remain sensitive for decades. | ||
|
|
||
| Why separate from resolution: Resolution and verification are independently useful and independently evolvable. An explorer resolves without verifying. A compliance tool verifies without resolving (it receives a Party ID directly). Coupling them would force unnecessary dependencies. |
There was a problem hiding this comment.
"An explorer resolves without verifying." I'm less sure about this. A good explorer might well want to do verification as well to provide better information to its users.
init Signed-off-by: Paolo Domenighetti <paolo@freename.io>
ContextIn the working group, we’ve spoken about implementing a “DNS/ENS clone”, but it’s worth unpacking that, while these aim to solve the same problem, they are fundamentally different implementations DNSTakes a hierarchical approach.
ENSA centralised authority but decentralised governance via its DAO.
the CPRP approach (this CIP)The Freename CIP put together a comprehensive document about what seems to be a third way — a federated resolution approach. It may be that the federated model is the best fit for the specific needs of the Canton network, but think that if we do want to create a standard at this juncture, we first need a discussion outlining the pros/cons of each approach:
Adoption of this CIP as-is begs the question that that is the approach that we want to take network-wide, when we haven’t explicitly decided on that. We think that only after we’ve decided on our “philosophy” to address naming do we think we should get into the level of CIPs. Before getting into more technical feedback, we feel that the core architecture of this CPRP model is comprehensive and has real merit, but that it’s aimed at the wrong problem — multi-resolver consensus would be a fantastic fit for verification and it’s there a lot of their core principles come into their own:
This is great information to display as additional verification, but it shouldn’t form the backbone of name resolution in our view — naming should be canonical & unambiguous to drive the most user value on the network. We’d encourage the working group to look again at our higher level goals for a naming standard first before getting to the CIP approval stage. Technical feedback on this CPRP CIP specificallyIn the last meeting, we received feedback that we weren’t engaging with the process, so in the interest of doing so, we wanted to offer feedback on this CIP as it exists today in addition to the reframe above. If we assume that this federated identity model is the chosen approach for name resolution we have some questions/considerations on the implementation as outlined, such as: GriefingThe risk of griefing — i.e. a resolver acting in bad faith giving a deliberate divergent resolution to force dApps to display a conflict — is that the barrier to entry for a permissionless resolver is essentially nil, but then there is an asymmetrical burden placed on dApps or the governance process of resolvers to solve for this.
SquattingSquatting — sitting on in-demand names to extract value — feels like it’s a potentially worse problem than with DNS as the system by design is based on weights.
This would be a perfectly reasonable resolution strategy under the framework but is liable to create a lot of potential conflicts. Governance
RegistryA minor one, but the preamble to the CIP under “missing layer” mentions “Digital Asset is building credential formats and a registry” but then it further down mentions a It’s currently unclear how these are meant to interact as a source of truth, if at all. Is this CIP expecting names to be stored via Digital Asset’s registry CIP, via its own contracts or some combination of both? Ambiguity on namesEven with only good faith actors, there are times that end-users can get a different answer to “who is
Collision detection is described as a mitigation, but it’s really more of a recoverable failure mode of the system — in practice, it means pushing the problem back on to the end user at execution time and largely negates the value proposition of a naming system (that non-technical end-users don’t need to interact with the network at the level of hints/fingerprints).
This undermines the purpose of names within the system to begin with. While other aspects of name resolution (like display metadata) may mitigate this, they don’t solve for it — it’s also a forcing function, meaning that I as a user would have to go through some level of verification or metadata storage to make my name worthwhile. Some institutional users of the network may wish to make use of heavy verification layers, but in our opinion, name resolution shouldn’t need to rely on metadata or verification for its utility. Tokenomics
For example, if it’s in my financial interest to create a lot of resolvers and get end-users to register on each (e.g. TwitterResolver, GithubResolver, LinkedInResolver) — it’s not insurmountable to guard against this, but we need to consider what those guardrails as part of this CIP (or in tandem with it as another CIP) XNS alternative — Sketch of approachOur initial go-to-market implementation was:
Our short-term goal for this was to get name resolution live on the network and provide utility as soon as possible, but our vision has always been to have a roadmap to decentralisation so that Axymos are not the sole gatekeeper or custodian of naming on the network. To extend this process to allow for decentralisation, we have been looking at a model similar to ENS:
As a sketch of what this process could look like…
All of this would need to be fully fleshed out as a CIP proposal if that’s the direction we agree we’re interested to take. We’re aware that, any CIP would need to address similar points to what we’ve raised above re: the Freename CIP, such as governance over…
In the interest of expending effort where it will have the most value, we want to answer the question of “what approach is being endorsed as a standard” (if any, at this time) before drafting something more in-depth that may become moot. If the working group feel that a fuller alternative CIP is needed to compare approaches and move the discussion on we can look into that. |
after review Signed-off-by: Paolo Domenighetti <paolo@freename.io>
after review Signed-off-by: Paolo Domenighetti <paolo@freename.io>
meiersi-da
left a comment
meiersi-da
left a comment
There was a problem hiding this comment.
Thanks a lot for the extensive detail in the provided CIPs.
I've done a pass over CPRP-resolution in particular. The ideas look comprehensive, but I have not yet had enough time to engage with them to fully understand how they would work in practice and where their snags are. Looking forward to doing so once the time is available.
| - `mainnet/dns:goldmansachs.com:default` | ||
| - `mainnet/vlei:784F5XWPLTWKTBV3E584:default` | ||
| - `testnet/freename:acme-bank.canton:treasury` | ||
| - `mainnet/party:<namespace>:<prefix>` (built-in, every party gets one automatically) |
There was a problem hiding this comment.
How do you distinguish between mainnet/party and devnet/party ? or are these resolvers available in all networks, which is definitely an option.
| | Component | Purpose | Example Values | | ||
| |-----------|---------|---------------| | ||
| | `network` | Prevents cross-environment confusion | `mainnet`, `testnet`, `devnet` | | ||
| | `resolver` | Identity source that backs the name | `dns`, `vlei`, `freename`, `self` | |
There was a problem hiding this comment.
What is self ? there's no example for that below.
| - `testnet/freename:acme-bank.canton:treasury` | ||
| - `mainnet/party:<namespace>:<prefix>` (built-in, every party gets one automatically) | ||
|
|
||
| The `.canton` namespace examples: `alice.canton` (individual), `goldmansachs.canton` (institution), `treasury.acme.canton` (delegated subname). Users type `alice.canton` — the full FQPN is infrastructure-level, invisible to users, like IP addresses behind DNS. |
There was a problem hiding this comment.
Content makes sense. The paragraph itself comes a bit out of the blue. Could there be some text missing?
| | Quorum | Resolution succeeds only when N resolvers agree on the same Party ID | High-security applications | | ||
|
|
||
| Two reference strategies are defined in the spec: | ||
| - `INSTITUTIONAL_DEFAULT` — parallel mode, strict collision policy, requires DNS or vLEI |
There was a problem hiding this comment.
What's the argument for not using the address book first for this mode as well?
|
|
||
| ### Profile Rendering Guidelines | ||
|
|
||
| Profile claims (`cns-2.0/name`, `cns-2.0/avatar`, `cns-2.0/email`, `cns-2.0/website`) are informational only and MUST NOT be interpreted as verified identity attributes. Verification status is determined exclusively by CIP-YYYY's trust evaluation, not by profile content. Display names SHOULD be ≤64 Unicode characters. Avatars SHOULD be `https://` URLs; applications MAY additionally support `ipfs://` URIs. |
There was a problem hiding this comment.
Unicode has a lot of typo-squatting space, and weird behavior in undefined ranges. Do you know what the latest guidance is for allowing Unicode in names?
| A `.canton` name carries the following semantics: | ||
|
|
||
| 1. Uniqueness: Within a single resolver, a `.canton` name MUST map to exactly one Party ID. Across resolvers, collisions are handled per Section 8. | ||
| 2. Network-scoped: A `.canton` name is scoped to a specific Canton network. `acme-bank.canton` on MainNet is distinct from `acme-bank.canton` on TestNet. | ||
| 3. Verification-independent: A `.canton` name can be unverified (self-registered), partially verified, or fully verified. The verification status is determined by the trust model (Section 5), not by the `.canton` suffix itself. | ||
| 4. Resolver-agnostic: Multiple resolvers MAY offer `.canton` names. Freename might offer `acme-bank.canton` while another resolver offers the same name. Collision management (Section 8) handles this. |
There was a problem hiding this comment.
Collision management (Section 8) handles this.
That sounds like lots of collisions are bound to happen. What's the argument why that won't be a problem?
|
|
||
| CPRP provides the following extension points for future asset and API naming CIPs: | ||
|
|
||
| Asset naming: The FQPN format `<resolver>:<namespace>:<name>` can accommodate asset identifiers by introducing asset-specific resolvers. For example: `token-registry:canton:acme-bond-2026` could resolve to an asset contract ID rather than a Party ID. A future CIP would define: |
There was a problem hiding this comment.
Note that assets are identified by
-- | A globally unique identifier for instruments.
data InstrumentId = InstrumentId
with
admin : Party
-- ^ The party representing the registry app that administers the instrument.
id : Text
-- ^ The identifier used for the instrument by the instrument admin.
--
-- This identifier MUST be unique and unambiguous per instrument admin.
deriving (Eq, Ord, Show)
Thus the assets are essential sub-names of the name of the admin party. I wonder though how to best fit them into the current scheme of building FQPNs. Do you have a good idea?
| "cprp/trust-anchor": "T4", | ||
| "cprp/endpoint:token-admin": "https://api.dtcc.com/canton/v1/token-admin", | ||
| "cprp/entity-type": "custodian", | ||
| "cprp/capability": "custody,settlement,issuance", | ||
| "cprp/jurisdiction": "US" |
There was a problem hiding this comment.
| "cprp/trust-anchor": "T4", | |
| "cprp/endpoint:token-admin": "https://api.dtcc.com/canton/v1/token-admin", | |
| "cprp/entity-type": "custodian", | |
| "cprp/capability": "custody,settlement,issuance", | |
| "cprp/jurisdiction": "US" | |
| "cprp/endpoint:token-admin": "https://api.dtcc.com/canton/v1/token-admin", |
AFAIS, the URL is the only information required. Can we limit the publication to that one only?
| A Canton app that also integrates with Ethereum can now correlate identities across chains: "The entity at `0x742d35Cc...` on Ethereum is the same entity as `party::acme-bank::...` on Canton, verified by signature." | ||
|
|
||
|
|
||
| ### Appendix B: Software Architecture |
There was a problem hiding this comment.
Wow! Thanks for this detail. I have not yet done a detailed pass due to a lack of time.
| #### E.1 Milestone A1 — CIP & Resolution Architecture ($50,000 / 6 weeks) | ||
|
|
||
| ``` | ||
| MILESTONE A1 DELIVERABLES (Grant A) |
There was a problem hiding this comment.
Let's move grant requests out of the CIP.
That is prone to create confusion.
|
Thank you @dave-axymos for the detailed and valuable input. It hints at an important distinction in the problem space:
For the "import" problem, we can define standard verification methods, which in turn then imply that resolvers are expected to agree by default. The CPRP proposal seems to fit this problem quite well. We still do need to look at the concerns you mention like the economic model, avoiding grievances by T4 resolvers, and others. For the If this decomposition makes sense, then we can actually split the work, and make the best of both worlds, wdyt? |
Hi @meiersi-da, thanks. I think that distinction makes sense alright, and our "worry" was definitely more around 2) than 1) alright - we can definitely see the value in being able to link external sources of truth as a verification layer ("the party ID you entered tallies with X LLC on Companies House or Y profile on Twitter" etc.) Thanks |
| } | ||
| ``` | ||
|
|
||
| The app presents both options to the user: "Multiple parties found for 'acme-bank.' Please select the correct counterparty." The user selects the Freename-backed result and the app proceeds. |
There was a problem hiding this comment.
two small comments here — the example is assuming one good faith bank and one phishing attempt (party::imposter). It could also be two good faith actors having a natural collision.
e.g. both TSB and TSB might legitimately register tsb.canton (and via featured resolvers of the same weight, if they were using different sources).
Or more likely, as a retail end-user, you could have multiple people looking to register dave.canton (where in this case there's less metadata to act as a fallback verification)
Following up on @dave-axymos and @meiersi-daI do not understand why we need a uniform resolution proposal. These resolution algorithms, will fundamentally rely on who is issuing a given token and what the consumers of those tokens want with respect to an acceptable trust model. It seems very early to try and standardize how an entire network SHOULD resolve claims. Wrt to the genera import question.@meiersi-da I disagree with
There are very different claims of
Suggestion.Can we have a standalone CIP that focuses on creating |
4 participants
PR from Freename AG