Canton Party Resolution Protocol - PR#171
Canton Party Resolution Protocol - PR#171pdomenighetti wants to merge 20 commits intocanton-foundation:mainfrom
Conversation
first commit Signed-off-by: Paolo Domenighetti <paolo@freename.io>
initial commit Signed-off-by: Paolo Domenighetti <paolo@freename.io>
formatting Signed-off-by: Paolo Domenighetti <paolo@freename.io>
formatting Signed-off-by: Paolo Domenighetti <paolo@freename.io>
txt tuning and review Signed-off-by: Paolo Domenighetti <paolo@freename.io>
txt tuning and review Signed-off-by: Paolo Domenighetti <paolo@freename.io>
styling Signed-off-by: Paolo Domenighetti <paolo@freename.io>
styling Signed-off-by: Paolo Domenighetti <paolo@freename.io>
styling Signed-off-by: Paolo Domenighetti <paolo@freename.io>
styling Signed-off-by: Paolo Domenighetti <paolo@freename.io>
pdomenighetti
requested review from
hythloda,
isegall-da,
stas-sbi,
tkatrichenko and
waynecollier-da
Real CIP submission after error in uploading. Signed-off-by: Paolo Domenighetti <paolo@freename.io>
correction after wrong submission Signed-off-by: Paolo Domenighetti <paolo@freename.io>
styling anf formatting fixes Signed-off-by: Paolo Domenighetti <paolo@freename.io>
formatting and styling fixes Signed-off-by: Paolo Domenighetti <paolo@freename.io>
Signed-off-by: Paolo Domenighetti <paolo@freename.io>
Signed-off-by: Paolo Domenighetti <paolo@freename.io>
Signed-off-by: Paolo Domenighetti <paolo@freename.io>
Signed-off-by: Paolo Domenighetti <paolo@freename.io>
Signed-off-by: Paolo Domenighetti <paolo@freename.io>
Signed-off-by: Paolo Domenighetti <paolo@freename.io>
meiersi-da
left a comment
meiersi-da
left a comment
There was a problem hiding this comment.
Very nice work @pdomenighetti ! Thank you 🙏
I believe this has the right ingredients, and will result in a great improvement for the ecosystem after a few rounds of polishing. See my comments to drive a first iteration.
Some of the comments hint at scope that we might be able to remove: e.g, encrypted fields. In my experience, keeping scope tight is very valuable to focus our limited attention on the pieces with the highest ROI; and deliver the overall improvement in a timely fashion.
|
|
||
| This CIP focuses on the naming and resolution mechanics. Trust evaluation, issuer classification, verification policies, and encrypted metadata are defined in the companion CIP-YYYY (Party Identity Verification). | ||
|
|
||
| A shared technical specification accompanies both CIPs: [CPRP-spec.md](./CPRP-spec.md). |
There was a problem hiding this comment.
Not part of this PRs files. Should it be?
| | `n` | Specific name within the namespace | `default`, `treasury`, `trading-desk-3` | | ||
|
|
||
| Examples: | ||
| - `mainnet/dns:goldmansachs.com:default` |
There was a problem hiding this comment.
| - `mainnet/dns:goldmansachs.com:default` | |
| - `party:<canton-party-name-space>:<canton-party-prefix>` | |
| - `mainnet/dns:goldmansachs.com:default` |
consider the benefit of injecting the party names in a uniform way into this system as well. This ensures every party has always at least FQPN referring to them.
There was a problem hiding this comment.
cool, a built in party resolver would mean every Canton party automatically gets an FQPN like mainnet/party:: with no registration needed (so always resolvable) Would be T4 trust. i'll add it.
There was a problem hiding this comment.
consider avoiding the mainnet/ prefix, as parties are not bound to networks. You might use party: without a qualifier or use protocol/party. Or perhaps avoid even stating that as party and just use the Canton concept: uid:, which stands for Universal Identifier, and is cryptic enough so that people don't attach too many unwarranted concepts to it.
There was a problem hiding this comment.
i will keep the protocol syntax/composition rules in a separate review session just for complexity in managing reviews. I will proceed like this: answer to comments. apply agreed changes to both CIPs and SPEC not related to protocol syntax then we may iterate specifically on that :)
| | `resolve` | namespace, name | `ResolutionResult` | Forward lookup: name → Party ID + metadata | | ||
| | `reverseResolve` | partyId | `ReverseResolutionResult` | Reverse lookup: Party ID → registered names | | ||
| | `resolveMulti` | queries[] | `ResolutionResult[]` | Batch resolution (latency optimization) | | ||
| | `changelog` | since timestamp | `ChangelogEntry[]` | Credential changes since a given time | |
There was a problem hiding this comment.
Are these HTTP methods? Can you add references to their specification?
There was a problem hiding this comment.
They're logical interface methods. the spec also maps into HTTP endpoints. will make this explicit in the CIP text.
|
|
||
| ### Profile Rendering Guidelines | ||
|
|
||
| Profile claims (`cns-2.0/name`, `cns-2.0/avatar`, `cns-2.0/email`, `cns-2.0/website`) are informational only and MUST NOT be interpreted as verified identity attributes. Verification status is determined exclusively by CIP-YYYY's trust evaluation, not by profile content. Display names SHOULD be ≤64 Unicode characters. Avatars SHOULD be `https://` URLs; applications MAY additionally support `ipfs://` URIs. |
There was a problem hiding this comment.
The cns-2.0 prefix is not defined. Do you mean the namespace of PixelPlex's CIP? Consider defining the symbolic names for these in a preamble to avoid confusion.
There was a problem hiding this comment.
right, this is confusing as written. cns-2.0/* was our working name for the profile claims while PixelPlex is defining in their CIP (PR #169). Will add a preamble to both CIPs when defining namespaces
| - Org-scoped: Corporate LDAP/directory service exposed via the resolver interface | ||
| - Validator-configured: Pre-loaded at the validator level for all apps on that node | ||
|
|
||
| Address books provide display names only — they cannot override trust tier or verification status (those come from CIP-YYYY). |
There was a problem hiding this comment.
What about profile information?
|
|
||
| Given a `ComposedResolutionResult` from CIP-XXXX's composition engine, the trust evaluator: | ||
|
|
||
| 1. For each credential in the result, checks on-ledger state (active, archived, expired) |
There was a problem hiding this comment.
Why not make the composition engine only query for active, unexpired credentials in the first place?
| The highest-trust automated verification path for institutions: | ||
|
|
||
| 1. Party publishes DNS TXT record: `_canton.<domain> TXT "party=<party_id>"` | ||
| 2. SV nodes verify the DNSSEC chain and confirm the record exists |
There was a problem hiding this comment.
Is it required up front to the SV nodes to implement the DNS verification, or could we define the default DNS verification policy to be a quorum of featured resolvers?
|
|
||
| Supports both Legal Entity vLEI (LE) and Official Organizational Role vLEI (OOR). | ||
|
|
||
| ### Encrypted Fields |
There was a problem hiding this comment.
What are two example use-cases for these encrypted fields? Why can these use-cases not be handled via application specific on-ledger communication? e.g., onboarding to a trading app requires the specification of shared parameters for settlement instructions.
| ### ResolverFeaturedStatus | ||
|
|
||
| Records SV-approved featured resolver status. Fields: `resolver_operator` (Party), `resolver_id` (Text), `approved_by` (DSO Party), `approved_date` (Time), `renewal_deadline` (Time), `network` (Text). Choices: `RevokeStatus`, `RenewStatus`. | ||
|
|
||
| ### CollisionArbitration | ||
|
|
||
| Records governance decisions on disputed name mappings between featured resolvers. Fields: `arbitrated_name` (Text), `winning_party_id` (Text), `losing_resolver_id` (Text), `decision_rationale` (Text), `arbitrated_by` (DSO Party). Published as T1 authority. |
There was a problem hiding this comment.
As on the other CIP: consider how to encode this as a credential in a credential registry; and double-check whether it even needs to be in the DSO registry.
|
|
||
| Why post-quantum encryption: Canton's institutional users (DTCC, Goldman Sachs, HSBC) hold assets with multi-decade time horizons. ML-KEM-768 provides NIST-standardized post-quantum security for encrypted metadata that may remain sensitive for decades. | ||
|
|
||
| Why separate from resolution: Resolution and verification are independently useful and independently evolvable. An explorer resolves without verifying. A compliance tool verifies without resolving (it receives a Party ID directly). Coupling them would force unnecessary dependencies. |
There was a problem hiding this comment.
"An explorer resolves without verifying." I'm less sure about this. A good explorer might well want to do verification as well to provide better information to its users.
2 participants
PR from Freename AG