From 48d27016365690c3270ccdfe9db7719da82ae310 Mon Sep 17 00:00:00 2001
From: whatisRT <andre.knispel@iohk.io>
Date: Mon, 20 Nov 2023 15:17:57 +0800
Subject: [PATCH 1/4] Guard security-relevant protocol parameter changes behind
 SPO votes

---
 CIP-1694/README.md | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/CIP-1694/README.md b/CIP-1694/README.md
index 4364b4c1e..cc54ac45b 100644
--- a/CIP-1694/README.md
+++ b/CIP-1694/README.md
@@ -1246,7 +1246,7 @@ that has been granted to the current constitutional committee.
 
 Governance actions are **ratified** through on-chain voting actions.
 Different kinds of governance actions have different ratification requirements but always involve **two of the three** governance bodies,
-with the exception of a hard-fork initiation, which requires ratification by all governance bodies.
+with the exception of a hard-fork initiation and security-relevant protocol parameters, which requires ratification by all governance bodies.
 Depending on the type of governance action, an action will thus be ratified when a combination of the following occurs:
 
 * the constitutional committee approves of the action (the number of members who vote `Yes` meets the threshold of the constitutional committee)
@@ -1292,6 +1292,7 @@ The following table details the ratification requirements for each governance ac
 | 5<sub>b</sub>. Protocol parameter changes, economic group         | ✓  | $P_{5b}$ | \-       |
 | 5<sub>c</sub>. Protocol parameter changes, technical group        | ✓  | $P_{5c}$ | \-       |
 | 5<sub>d</sub>. Protocol parameter changes, governance group       | ✓  | $P_{5d}$ | \-       |
+| 5<sub>e</sub>. Protocol parameter changes, security group         | \- | \-       | $Q_{5e}$ |
 | 6. Treasury withdrawal                                            | ✓  | $P_6$    | \-       |
 | 7. Info                                                           | ✓  | $100$    | $100$    |
 
@@ -1399,6 +1400,11 @@ the maximum threshold of all the groups involved will apply to any given such go
 The _network_,  _economic_ and _technical_ parameter groups collect existing protocol parameters that were introduced during the Shelley, Alonzo and Babbage eras.
 In addition, we introduce a new _governance_ group that is specific to the new governance parameters that will be introduced by CIP-1694.
 
+There will also be a special _security_ group. Any protocol parameter
+is assigned to exactly one regular group, but all protocol parameters
+that interact with the security guarantees of the system belong to the
+security group as well.
+
 The **network group** consists of:
 * maximum block body size (`maxBBSize`)
 * maximum transaction size (`maxTxSize`)
@@ -1435,6 +1441,17 @@ The **governance group** consists of all the new protocol parameters that are in
 * minimal constitutional committee size (`ccMinSize`)
 * maximum term length (in epochs) for the constitutional committee members (`ccMaxTermLength`)
 
+The **security group** consists of:
+* `maxBBSize`
+* `maxTxSize`
+* `maxBHSize`
+* `maxValSize`
+* `maxBlockExUnits`
+* `minFeeA`
+* `minFeeB`
+* `coinsPerUTxOByte`
+* `govActionDeposit`
+
 <!-- TODO:
   - Decide on the initial values for the new governance parameters
 
@@ -1760,6 +1777,10 @@ We solve the long-term participation problem by not allowing reward withdrawals
 * Rework which anchors are required and which are optional.
 * Clean up various inconsistencies and leftovers from older versions.
 
+#### Security-relevant changes
+
+* Guard security-relevant changes behind SPO votes.
+
 ## Path to Active
 
 ### Acceptance Criteria

From f51aff1feef30937e8a38a164c8e5f4bbdb990fd Mon Sep 17 00:00:00 2001
From: whatisRT <andre.knispel@iohk.io>
Date: Thu, 21 Dec 2023 14:21:36 +0100
Subject: [PATCH 2/4] Replace the 'security group' by 'security relevant
 parameters'

Also clarify that the proposal policy only applies to protocol
parameter updates and treasury withdrawals.
---
 CIP-1694/README.md | 39 +++++++++++++++++++++------------------
 1 file changed, 21 insertions(+), 18 deletions(-)

diff --git a/CIP-1694/README.md b/CIP-1694/README.md
index cc54ac45b..5992d0a83 100644
--- a/CIP-1694/README.md
+++ b/CIP-1694/README.md
@@ -1044,6 +1044,9 @@ proposal types. For example, if the community wishes to have some hard
 rules for the treasury that cannot be violated, a script that enforces
 these rules can be voted in as the proposal policy.
 
+The proposal policy applies only to protocol parameter update and
+treasury withdrawal proposals.
+
 <!---------------------------           DReps          ------------------------>
 
 ### Delegated representatives (DReps)
@@ -1292,15 +1295,31 @@ The following table details the ratification requirements for each governance ac
 | 5<sub>b</sub>. Protocol parameter changes, economic group         | ✓  | $P_{5b}$ | \-       |
 | 5<sub>c</sub>. Protocol parameter changes, technical group        | ✓  | $P_{5c}$ | \-       |
 | 5<sub>d</sub>. Protocol parameter changes, governance group       | ✓  | $P_{5d}$ | \-       |
-| 5<sub>e</sub>. Protocol parameter changes, security group         | \- | \-       | $Q_{5e}$ |
 | 6. Treasury withdrawal                                            | ✓  | $P_6$    | \-       |
 | 7. Info                                                           | ✓  | $100$    | $100$    |
 
-Each of these thresholds is a governance parameter.
+Each of these thresholds is a governance parameter. There is one
+additional threshold, `Q5`, related to security relevant protocol
+parameters, which is explained below.
 The initial thresholds should be chosen by the Cardano community as a whole.
 The two thresholds for the Info action are set to 100% since setting it any lower
 would result in not being able to poll above the threshold.
 
+Some parameters are relevant to security properties of the system. Any
+proposal attempting to change such a parameter requires an additional
+vote of the SPOs, with the threshold `Q5`.
+
+The security relevant protocol parameters are:
+* `maxBBSize`
+* `maxTxSize`
+* `maxBHSize`
+* `maxValSize`
+* `maxBlockExUnits`
+* `minFeeA`
+* `minFeeB`
+* `coinsPerUTxOByte`
+* `govActionDeposit`
+
 > **Note**
 > It may make sense for some or all thresholds to be adaptive with respect to the Lovelace that is actively registered to vote.
 > For example, a threshold could vary between 51% for a high level of registration and 75% for a low level registration.
@@ -1400,11 +1419,6 @@ the maximum threshold of all the groups involved will apply to any given such go
 The _network_,  _economic_ and _technical_ parameter groups collect existing protocol parameters that were introduced during the Shelley, Alonzo and Babbage eras.
 In addition, we introduce a new _governance_ group that is specific to the new governance parameters that will be introduced by CIP-1694.
 
-There will also be a special _security_ group. Any protocol parameter
-is assigned to exactly one regular group, but all protocol parameters
-that interact with the security guarantees of the system belong to the
-security group as well.
-
 The **network group** consists of:
 * maximum block body size (`maxBBSize`)
 * maximum transaction size (`maxTxSize`)
@@ -1441,17 +1455,6 @@ The **governance group** consists of all the new protocol parameters that are in
 * minimal constitutional committee size (`ccMinSize`)
 * maximum term length (in epochs) for the constitutional committee members (`ccMaxTermLength`)
 
-The **security group** consists of:
-* `maxBBSize`
-* `maxTxSize`
-* `maxBHSize`
-* `maxValSize`
-* `maxBlockExUnits`
-* `minFeeA`
-* `minFeeB`
-* `coinsPerUTxOByte`
-* `govActionDeposit`
-
 <!-- TODO:
   - Decide on the initial values for the new governance parameters
 

From 46aa7d9ce3672b4c4dd228fdd54e67b5c9deb729 Mon Sep 17 00:00:00 2001
From: whatisRT <andre.knispel@iohk.io>
Date: Tue, 16 Jan 2024 16:35:38 +0100
Subject: [PATCH 3/4] Minor fixes and additions

---
 CIP-1694/README.md | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/CIP-1694/README.md b/CIP-1694/README.md
index 5992d0a83..c4015b7cd 100644
--- a/CIP-1694/README.md
+++ b/CIP-1694/README.md
@@ -963,7 +963,7 @@ As discussed above, the Constitution is not yet defined and its content is out o
 ### The constitutional committee
 
 We define a _constitutional committee_ which represents a set of individuals or entities
-(each associated with a pair of Ed25519 credentials) that are collectively responsible for **ensuring that the Constitution is respected**.
+(each associated with a Ed25519 or native or Plutus script credential) that are collectively responsible for **ensuring that the Constitution is respected**.
 
 Though it **cannot be enforced on-chain**, the constitutional committee is **only** supposed to vote
 on the constitutionality of governance actions (which should thus ensure the long-term sustainability of the blockchain) and should be replaced
@@ -1024,12 +1024,17 @@ expiring every year.
 Expired members can no longer vote.
 Member can also willingly resign early, which will be marked on-chain as an expired member.
 
-The system will automatically enter a state of no-confidence when the number of non-expired
-committee members falls below the minimal size of the committee.
-For example, a committee of size five with a threshold of 3/5 a minimum size of three and two expired members can still
+If the number of non-expired committee members falls below the minimal
+size of the committee, the constitutional committee will be unable to
+ratify governance actions. This means that only governance actions
+that don't require votes from the constitutional committee can still
+be ratified.
+
+For example, a committee of size five with a threshold of 3/5 a minimum size
+of three and two expired members can still
 pass governance actions if two non-expired members vote `Yes`.
-However, if one more member expires then the system enters a state of no-confidence,
-since the two remaining members are not enough to meet quorum.
+However, if one more member expires then the constitutional committee becomes
+unable to ratify any more governance actions.
 
 The maximum term is a governance protocol parameter, specified as a number of epochs.
 During a state of no-confidence, no action can be ratified,
@@ -1319,6 +1324,7 @@ The security relevant protocol parameters are:
 * `minFeeB`
 * `coinsPerUTxOByte`
 * `govActionDeposit`
+* `minFeeRefScriptsCoinsPerByte`
 
 > **Note**
 > It may make sense for some or all thresholds to be adaptive with respect to the Lovelace that is actively registered to vote.
@@ -1780,9 +1786,12 @@ We solve the long-term participation problem by not allowing reward withdrawals
 * Rework which anchors are required and which are optional.
 * Clean up various inconsistencies and leftovers from older versions.
 
-#### Security-relevant changes
+#### Security-relevant changes and other fixes
 
 * Guard security-relevant changes behind SPO votes.
+* The system does not enter a state of no confidence with insufficient
+  active CC members, the CC just becomes unable to act.
+* Clarify that CC members can use any kind of credential.
 
 ## Path to Active
 

From 1fd6ef68adb0a41a3fc31c416bf9953ccc18a218 Mon Sep 17 00:00:00 2001
From: whatisRT <andre.knispel@iohk.io>
Date: Mon, 29 Jan 2024 14:27:24 +0100
Subject: [PATCH 4/4] Fix outdated wording

---
 CIP-1694/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CIP-1694/README.md b/CIP-1694/README.md
index c4015b7cd..a9b22c02f 100644
--- a/CIP-1694/README.md
+++ b/CIP-1694/README.md
@@ -1395,7 +1395,7 @@ In addition, each action will include some elements that are specific to its typ
 | Governance action type                           | Additional data                                                                                                                                                                                 |
 |:-------------------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | 1. Motion of no-confidence                       | None                                                                                                                                                                                            |
-| 2. New committee/threshold                       | The set of verification key hash digests (members to be removed), a map of verification key hash digests to epoch numbers (new members and their term limit), and a fraction (quorum threshold) |
+| 2. New committee/threshold                       | The set of verification key hash digests (members to be removed), a map of verification key hash digests to epoch numbers (new members and their term limit), and a fraction (new threshold) |
 | 3. Update to the Constitution or proposal policy | An anchor to the Constitution and an optional script hash of the proposal policy                                                                                                                |
 | 4. Hard-fork initiation                          | The new (greater) major protocol version                                                                                                                                                        |
 | 5. Protocol parameters changes                   | The changed parameters                                                                                                                                                                          |