-
Notifications
You must be signed in to change notification settings - Fork 323
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CIP-0094? | SPO On-chain Polls #496
Conversation
86b1dd0
to
5baba83
Compare
The Cardano Foundation proposes a mechanism for polling Cardano stake pool operators on specific topics. Polls are done on-chain through transaction metadata and authenticated through stake pool credentials (either VRF public key similar to what's described in [CIP-0022](https://cips.cardano.org/cips/cip22) or Ed25519 cold key). The goal is to gather opinions on governance matters such as protocol parameters updates. This standard is meant to be an inclusive interim solution while the work on a larger governance framework such as [CIP-1694](cardano-foundation/CIPs#380) continues. See [proposed CIP](cardano-foundation/CIPs#496) for details. --- This commits adds three new commands: - create-poll: For the current governing entities, as a means to create new polls. - answer-poll: For participants who want to answer a given poll. - verify-poll: For anyone who seek to verify a poll entry (e.g. explorers) The commands are built to fit and play nicely within the cardano-cli. The poll and answers structures are based on transaction metadata and require to be embedded in an actual transaction. The added commands however only works from metadata and raw "GovernancePoll" envelopes.
The Cardano Foundation proposes a mechanism for polling Cardano stake pool operators on specific topics. Polls are done on-chain through transaction metadata and authenticated through stake pool credentials (either VRF public key similar to what's described in [CIP-0022](https://cips.cardano.org/cips/cip22) or Ed25519 cold key). The goal is to gather opinions on governance matters such as protocol parameters updates. This standard is meant to be an inclusive interim solution while the work on a larger governance framework such as [CIP-1694](cardano-foundation/CIPs#380) continues. See [proposed CIP](cardano-foundation/CIPs#496) for details. --- This commits adds three new commands: - create-poll: For the current governing entities, as a means to create new polls. - answer-poll: For participants who want to answer a given poll. - verify-poll: For anyone who seek to verify a poll entry (e.g. explorers) The commands are built to fit and play nicely within the cardano-cli. The poll and answers structures are based on transaction metadata and require to be embedded in an actual transaction. The added commands however only works from metadata and raw "GovernancePoll" envelopes.
This comment was marked as outdated.
This comment was marked as outdated.
I am also linking the following discussion: |
Indeed, we've purposely kept it simple here. Mostly because this is meant to be an interim solution so we don't want to set precedence for a more complex process and a new set of credentials that'll be dropped once another on-chain governance framework enters the picture. That is debatable, but it would be relatively easy to have a first registration of an Ed25519 credential and use that onwards.
Certainly not! That is a recipe for disaster. The next thing you get from that is people signing withdrawal requests or other disruptive actions without them knowing. This is why signing standards (e.g. COSE) always come with well-defined structures; We do not want people to sign arbitrary payloads. They always can through low-level libraries but higher-level interfaces such as the "official" cardano cli shall certainly not promote that as a benign command.
I am also from that school, but I got convinced by some others who actually prefer using their cold key for such an action as they see it as the right tool for the job. Hence the flexibility in the proposal; those who prefer using the VRF can, and those who prefer using their cold key can. I see good arguments for both. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
✔️ This looks fine to me as both a reviewer and an SPO but will wait until the technical considerations are settled before submitting an endorsing review.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
I think it's ok to use the VRF key to provide a proof of possession of the VRF skey (which is what we are ultimately doing with the VRF proof). However, I agree with Duncan in that it is not a signature, so the wording should be very explicit and should be chosen carefully, as indeed misuse of the keys would have catastrophic consequences. If registering yet another key is a possibility, I'd prefer that. I don't like using the cold key for polls because we want to incentivise SPOs to have their cold keys in an air-gapped machine, but we also want to incentives SPOs to participate in polls. If polls happen often, we are not providing the right incentives. My order of preference of possible solutions would be (1) registering a new ed25510 key, (2) use KES key (which actually is meant to sign data to identify an SPO, (3) VRF key, and finally (4) the cold key. Using some sort of padding in the message, as @perturbing suggested, might be a solution against possible misuse, but does not solve the real problem. However, I understand that some people might want to have the highest level of identification guarantees for polls, therefore supporting the usage of cold keys. |
This comment was marked as resolved.
This comment was marked as resolved.
Thanks all for your feedback; I have addressed them directly in the CIP to make sure that the conversations are captured over time. Here's however a summary of the changes / additions:
|
if an SPO posts an answer that is not in the list of answers (for example the poll contains only 3 options 0,1,2, but SPO posts 5 in the field_3, which logic should be in this case? should we completely ignore this voice, and not take it into account at all (and take into account the SPO voice next time if the SPO sends the correct answer later), or should we take into account this voice as wrong/broken, and not take into account any other posts from this SPO? |
just mark it as "SPO is stupid" 😄 normally i guess it should be marked as invalid. the question is, should this appearance count to be the first one. or should the dashboards/tools only take the first valid one into account? |
@ashisherc there can be more than just the cold key hash in the required signers indeed. It doesn't invalidate the answers. There must be at least the cold key hash. @dmitrystas if an SPO submits a well formed but invalid answer then it counts as his/her answer but it doesn't contribute towards one of the existing choice. That means that even if they submit another (valid) answer, it is only the first one that is taken into account. |
@gitmachtl yep, only the 1st one |
@dmitrystas so valid is if the metadata is ok, the required signer is ok and the transaction is signed with the proper cold key. even if the answer in the metadata has an invalid value. correct? |
@gitmachtl as far as I understand Matthias' answer - yes, even in case the key 3 has an invalid (not from poll's option list) value. Only the required signers are important, and a well formed metadata with key 2 as poll hash and key 3 with answer. I broke the value for a one pool locally, just for a test to check how it works - it looks something like this https://prnt.sc/0VmWtRJjEFKm |
Indeed @gitmachtl; this is the distinction I make between well-formed and valid. A well formed submission can have an out-of-bound answer. I've written a crawler script which captures those validations. I am still on the fence as for whether we should allow multiple submissions in case of a well formed but invalid answer. I don't see any (security) reason to allow multiple submissions in that case and only consider the first well formed but valid answer. But there's also no strong reason to make validations more complicated than necessary... that's more room for mistakes. |
|
||
### Question structure | ||
|
||
A question is posted in a transaction's metadata using the metadata label `94` and the following metadata structure: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Has this use of label 94
been added to CIP-0010?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not yet! I originally wanted to validate the approach on cip-0094 before doing that but I guess it's now time. Thanks for the reminder 👌
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It should, together with this CIP being set to active state
CIP-0094/README.md
Outdated
> | ||
> Only the first answer to a poll for each credential shall be considered. If multiple answers are found, only the first answer submitted (transaction & block ordering tallying) shall be considered. | ||
|
||
### Procedure and Duration |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For me, what is missing from this specification is an explanation of the full poll flow, for example:
- how can SPOs can find new polls to vote on?
- how any ecosystem actor can verify the results of a poll?
- where does the report get posted?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We've addressed those points in separate documents and tutorial by now. Thing is, I don't necessarily want to take a strong stance about these in the CIP itself to not force one single approach.
The data lives on chain as transaction metadata which means that it's just the usual approach for any tool or builder to get access to it. We now even have dashboards in at least two explorers (adastat and cardanoscan) that are collecting and validating these data. And it's relatively straightforward with a chain sync. More tools will likely follow.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
At the moment, every question with the label 94 appears on-chain for all to see. Technically, from this moment on, anyone - with a pool s key - can pick up this question and submit an answer. It is up to the publishing entity to set the cast and redelegation duration. But it is not up to this one entity to interpret or publish the result, because it has no right to decide about the interpretation or reaction of the other entities.
Like the question, all individual ballots are transparent and verifiable on-chain. The transaction format with the --required-signer-hash
ensures that only ballots validly signed by a pool end up on chain.
To make the on-chain data easily accessible for those who do not have a full indexing instance (e.g. dbsync) available, the CardanoFoundation has set up a github repository where an index file in json format is maintained. There you can find (for now) the cast/delegation epochs in a standardized machine-readable format. In addition, there is also the possibility to store list of all ballots that were considered valid summarized in one file, in order to give everyone easy access and the possibility of their own analysis and interpretation.
The methodology deliberately chosen in this poll design is a creative+inclusive+motivational iteration. This perhaps somewhat contradicts the common expectation that a CIP must be written (first define, then implement, then execute)
In this process, we deliberately wanted to present a maximally simple, straight executable thing, with lots of room for ideas. People should have the opportunity to get hands-on experience during the build process and participate in the rest of the design. At the beginning of the project it was still unclear whether this was only a one-time test run with the goal of incorporating the data and findings into the design of CIP-1694, or whether it would make sense to refine this CIP step by step for further test runs.
|
||
### Outcome | ||
|
||
The outcome of a poll will depend on its level of participation (in **terms of stake**). It is essential to understand that we explicitly call this a _poll_ / _survey_ and not a _vote_ to dispel any possible confusion. So it is akin to `1 Lovelace = 1 Voice` although we may chose to interpret data using different equations (e.g. giving more weight to pledged stake). How the data is interpret is deemed out of the scope of this proposal which aims mainly at producing the data-points. Further conversations and debates will be needed regarding interpretation of the data-points. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we explicitly call this a poll / survey and not a vote
Except in the Procedure and Duration
section where its referenced as a vote :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hehe, this is an addition I didn't write and missed the wording. But I'll correct it :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed this
replace vote/ballot by answer explain the current definition of answer and delegation durations
@KtorZ @gufmar This question is long-term for the CIP but also urgent because I'd like to submit the current mainnet poll based on the answer... The CIP deals with operational details like security, but it's also operationally important for poll responders to add metadata. What's the proper way of doing this? And would it therefore make sense for CIP-0094 to explain how to use it with CIP-0020 transaction messaging, assuming that's possible? Following the mainnet tutorial (dev portal version, currently more up-to-date) & adding a
doesn't seem compatible with
It would seem an important part of the voting process, especially with the popular "none of the above" category of our current mainnet vote, that explanatory messages with our votes be readable by the growing number of Tx message metadata parsers in pool explorers and wallets. So how can we combine the CIP-0020 messaging and CIP-0094 voting metadata structures in a single transaction? |
or option 2 - you can use no-schema-formed metadata
but don't forget to remove |
I wanna suggest an interesting idea for future SPO polls or any other things that needs an identification of an SPO. We talked about to sign messages with the VRF key in the past, and there were pros and cons about this. A few of us suggested to use a separate "registered" ed25519 voting key as a "stand in" to represent the SPO. The current poll issue with the pool cold key on the hw wallet got me thinking, and i think a wonderful solution would be to simply let the SPOs do a PoolUpdate-Registration with metadata attached. This metadata contains the voting key (or lets call it a representation key) - similar generated than CIP36. That way we have a proof on chain that the SPO is in charge of the right pool secret key, and we also have an association of that SPO/Pool to a normal ed25519 key. No VRF signing required. And it can be done by both, cli pool keys and by hw pool keys. I already tested the hw pool key side. Thoughts? |
I could write up a draft for a "Pool Authentication" CIP using such a metadata method. There could also be more information in it. Also would it be possible to combine multiple Pools together under one key if someone likes to do so. Having a standard ed25519 key makes many things easier for signing and without the risk to expose a cold key or the vrf key in the future for every kind of transaction that need such a proof. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The force-push does mess with the timeline a little, but I've read the latest individual commits and I think the last push includes the pending work based on the last SPO poll and the updates about "procedure & duration" with the revised graphic.
As a participant in the poll I think this CIP documents a successful process. Maybe the "second test run" mentioned in the Implementation Plan would be desirable before merging this, but personally I don't think it's required and that what we've seen so far would be enough to merge this as Active
(especially since it already is).
I really would, though, like to see the CIP document or at least mention how to include a 674
metadata statement along with the vote, since there was some practical uncertainty in the community about how to do this:
- (e.g.) https://adastat.net/transactions/1bae9602d83afed055697105d3489ea84aa9cad32670e3d0b00b8eefa1aa4928
- (e.g.) https://adastat.net/transactions/91830d967c667d04e69ab7b2d8f3a7e96eb8fc32067a36f6d07973f01ec22f55
- (discussion) https://forum.cardano.org/t/entering-voltaire-poll-experiment-live-on-mainnet/117879/10
... although it wouldn't strictly be a requirement for this CIP & maybe rather a separate CIP on collating & interpreting poll results.
* Draft SPO on-chain voting proposal Co-authored-by: gufmar * procedure and duration describe the ballot cast + redelegation epoch sequence * update procedure and duration replace vote/ballot by answer explain the current definition of answer and delegation durations * Update CIP-0094_procedure-duration.png * Draft SPO on-chain voting proposal Co-authored-by: gufmar * Update CIP-0094 to active * Document extra metadata via CIP-0020 (lbl 694) for polls + add entry to CIP-0010 --------- Co-authored-by: Markus <[email protected]>
* Draft SPO on-chain voting proposal Co-authored-by: gufmar * procedure and duration describe the ballot cast + redelegation epoch sequence * update procedure and duration replace vote/ballot by answer explain the current definition of answer and delegation durations * Update CIP-0094_procedure-duration.png * Draft SPO on-chain voting proposal Co-authored-by: gufmar * Update CIP-0094 to active * Document extra metadata via CIP-0020 (lbl 694) for polls + add entry to CIP-0010 --------- Co-authored-by: Markus <[email protected]>
Abstract
The Cardano Foundation proposes a mechanism for polling Cardano stake pool operators on specific topics. Polls are done on-chain through transaction metadata and authenticated through stake pool credentials (either VRF public key similar to what's described in CIP-0022 or Ed25519 cold key). The goal is to gather opinions on governance matters such as protocol parameter updates. This standard is an inclusive interim solution while the work on a larger governance framework such as CIP-1694 continues.
View rendered version