threshold of accountable duplicity
The threshold of accountable duplicity (TOAD) is a threshold number M that the controller declares in order to accept accountability for an event when any subset of size M of its N witnesses confirms that event. The threshold M indicates the minimum number of confirming witnesses the controller deems sufficient given some number F of potentially faulty witnesses, where M >= N - F. This enables a controller to provide itself with any degree of protection it deems necessary given this accountability.

Note that what may be sufficient for a controller may not be sufficient for a validator. To clarify, let MC denote the threshold size of a sufficient agreement from the perspective of a controller and let MV denote the threshold size of a sufficient agreement from the perspective of a validator. Typically, MV >= MC.
A controller declares TOAD in its key event log (KEL) during the key inception event and may edit it during subsequent key rotation events.
A highly available system needs some degree of fault tolerance. The purpose of the threshold of accountability is to enable fault tolerance of the key event service with respect to faulty behavior by either the controller or witnesses. The principal controller fault is duplicitous behavior in the use of its keys. In this case, the threshold serves as the threshold of accountable duplicity. The threshold lets a validator know when it may hold the controller accountable for duplicitous behavior. Without a threshold, a validator may choose to hold a controller accountable upon any evidence of duplicity, which may make the service fragile in the presence of any degree of such faulty behavior. The primary way that a validator may hold a controller accountable is to stop trusting any use of the associated identifier. This destroys any value in the identifier and does not allow the controller to recover from an exploit. Recall that one purpose of rotation keys (pre-rotated and unexposed) is to enable recovery from compromised interaction signing keys. A compromised interaction signing key may exhibit duplicitous behavior on the part of the controller. A threshold of accountable duplicity enables a validator to distinguish between potentially recoverable duplicity, such as the use of a compromised signing key, and non-recoverable duplicity, such as the use of a compromised rotation key. This better protects both the validator and the controller and improves the robustness of the service.
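The following is an added worked example, not code from the KERI project, that models the threshold arithmetic above (M >= N - F, MV >= MC) and the accountability rule of the previous paragraph. Witnesses are plain string identifiers, a witness "receipt" is just the witness's identifier in a set, and competing versions of one event are keyed by constructed labels such as "A" and "B" rather than real event digests; all of that is an assumption of this model, not KERI's wire format. The rule implemented for accountable duplicity is the simplified one the text supports: the controller is accountable only for versions that reached the threshold, so a conflicting version with fewer than M receipts is treated as potentially recoverable rather than held against the controller.

```python
"""Simplified model of the threshold of accountable duplicity (TOAD).

Added example; not KERI project code. Witness identifiers, receipts and the
version labels ("A", "B") are constructed stand-ins for real KERI data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class WitnessSet:
    """The N witnesses a controller declared in its KEL, plus its TOAD (M)."""
    witnesses: frozenset
    toad: int

    @property
    def n(self) -> int:
        return len(self.witnesses)


def toad_is_valid(n: int, m: int) -> bool:
    """A declared TOAD only makes sense if 1 <= M <= N."""
    return 1 <= m <= n


def max_tolerated_faults(ws: WitnessSet) -> int:
    """Largest F for which M >= N - F still holds, i.e. F = N - M."""
    return ws.n - ws.toad


def confirming_receipts(ws: WitnessSet, receipts: Set[str]) -> frozenset:
    """Receipts from identifiers that are not declared witnesses never count."""
    return frozenset(receipts) & ws.witnesses


def meets_threshold(ws: WitnessSet, receipts: Set[str],
                    threshold: Optional[int] = None) -> bool:
    """True when at least `threshold` declared witnesses receipted the event.

    Defaults to the controller's own M (MC). A validator that wants a stricter
    agreement passes its own MV, typically MV >= MC.
    """
    m = ws.toad if threshold is None else threshold
    return len(confirming_receipts(ws, receipts)) >= m


def accountable_versions(ws: WitnessSet, versions: Dict[str, Set[str]],
                         threshold: Optional[int] = None) -> List[str]:
    """Return the competing versions of one event the controller is
    accountable for: those whose receipts reached the threshold."""
    return sorted(label for label, receipts in versions.items()
                  if meets_threshold(ws, receipts, threshold))


def accountable_duplicity(ws: WitnessSet, versions: Dict[str, Set[str]],
                          threshold: Optional[int] = None) -> bool:
    """Duplicity is accountable only when more than one version of the same
    event reached the threshold. A single sub-threshold conflicting version
    (e.g. from a compromised signing key) is left recoverable by rotation."""
    return len(accountable_versions(ws, versions, threshold)) > 1


if __name__ == "__main__":
    # Constructed scenario: five witnesses, controller declares M = 3,
    # so it tolerates F = 2 faulty witnesses.
    ws = WitnessSet(frozenset({"w1", "w2", "w3", "w4", "w5"}), toad=3)
    print("tolerated faults:", max_tolerated_faults(ws))

    # Two versions of the same event; only "A" reaches M.
    recoverable = {"A": {"w1", "w2", "w3"}, "B": {"w4", "w5"}}
    print("accountable for:", accountable_versions(ws, recoverable))
    print("accountable duplicity:", accountable_duplicity(ws, recoverable))

    # Witness w3 receipted both versions, so both reach M: accountable.
    duplicitous = {"A": {"w1", "w2", "w3"}, "B": {"w3", "w4", "w5"}}
    print("accountable duplicity:", accountable_duplicity(ws, duplicitous))

    # A stricter validator (MV = 4) does not accept "A" as agreed at all.
    print("validator MV=4 accepts A:", meets_threshold(ws, recoverable["A"], 4))
```

The validator-side threshold is passed explicitly so the same receipts can be judged against MC and MV without changing the controller's declared TOAD; the second scenario shows why a faulty witness that receipts two conflicting versions is the case a validator must be prepared to detect.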