Good morning Jose,

> Hi ZmnSCPxj,
>
> first of all: do you ever sleep? ;-)

It seems possible, that, I do not.


> b) Master accounts are included in the white paper as a feature for a future 
> release.
> The roadmap is not set yet, but I’d like to include a first release of the 
> protocol that only covers the most basic features, to make it simpler and 
> safer for wallet developers.
> Master accounts aren’t a priority, since they are more oriented towards 
> scaling the proposal, and that is far from being a problem yet.
> So, this feature is not well defined for now. However, as presented in the 
> white paper, the ‘service provider’ has really no control over your money.
>
> He would basically do a just a few things:
>
> -   Aggregate the account info (up to 2048 individual accounts per master 
> account).
> -   Hash every account info, sort them, and calculate the Merkle root of a 
> tree containing them all.
> -   Create a JSON document containing the information of all the sub-accounts 
> included in the pack.
> -   Make that JSON document publicly available, probably with a https: URL 
> (That’s called an Authoritative server)
> -   Finally, create and publish a TX that contains a pointer to the 
> Authoritative server, and the Merkle root of the set of accounts.
>
>     The service provider would have NO control whatsoever of your funds, nor 
> can he block payments, etc.
>     There is some sort of delegation, but no trust involved here. The Merkle 
> root protects agains any attempt of tampering with the account data.

This does not seem to mesh well with the other non-Master parts of the 
protocol, where further updates on the single account backed by a funding TXO 
are performed by spending the funding TXO and creating a transaction with 
`OP_RETURN`.

In addition, I would like to suggest as well that instead of `OP_RETURN`, you 
could instead use "sign-to-contract".

Sign-to-contract is simply that, when signing, instead of selecting a random 
`r` and computing `R` as `R = r * G`, you select a random `r` and a contract or 
other message `c`, and compute `R` as `R = r * G + h((r * G) | c) * G`.
Then the user can provide the message `c` independently of the signature, via 
another mechanism, and reveal `r * G` and `c` and point to the signature as a 
commitment to the message `c`.
Although, it does have the drawback that using sign-to-contract require a 
different layer / overlay network to broadcast messages `c`, but it does reduce 
the cost on the blockchain layer, which is always a good thing.
Similar issues are faced by the RGB project, for instance, and defiads 
explicitly uses a separate overlay network when transmitting advertisements 
(both RGB and defiads use the opposite pay-to-contract, which tweaks the pubkey 
rather than the ephemeral `R`).

>
>     The account’s TX won’t ever disappear from the blockchain, so your 
> account info will always be there.
>     Worst case scenario, the service provider disappears and users can’t 
> download the Json document containing your account information.
>
>     To mitigate this issue, the white paper suggests the creation of mirror 
> servers.

How about control transactions on top of the funding txo?
Who is able to make further control transactions?
If the service provider gives the user full control of the control transactions 
on top of the funding txo, then it outright loses the money it put in the 
funding txo and might as well operate as a full exchange.
If the service provider retains even partial control, then it can refuse to 
cooperate with the user and the user will be unable to update his or her 
account.

This is not fixable by the use of mirror servers.


> d) Regarding your comments on the possibility of adding the output index in 
> the account ID, I still don’t see the need for the use case of easypaysy 
> (since, by definition, easypaysy accounts must have exactly one input and two 
> outputs).

Do you mean, that if the user makes a control transaction to change the details 
of the account, then the user is forced to change the easypaysy identifier?

My initial reading of your whitepaper is that the easypaysy identifier refers 
to the funding txo that roots the further control transactions.
If so, the funding txo is not necessarily a one-input two-output transaction.
If not, then each time a control transaction changes the details of the 
easypaysy identifier, the identifier itself is changed.0


> If you are interested, please contact me, preferably privately since I 
> wouldn’t want to become much too off topic in this dev-list

I still do not see why it would be off-topic to the devlist.

Regards,
ZmnSCPxj

_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Reply via email to