Update identity doc - ensure consistency of adds/removes #381
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
neekolas
reviewed
Dec 14, 2023
Co-authored-by: Nicholas Molnar <[email protected]>
neekolas
approved these changes
Dec 14, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Incorporating feedback from @neekolas, my summary of his ideas:
The most important thing about processing commits to add/remove members is consistency. When some members apply a commit and others reject it, the group state gets mangled.
The validation code must not rely on network requests to verify an added installation was not revoked - as this leaves open the door to race conditions where different group members get different results immediately after a revocation.
Let's allow revoked installations to be added, but group members should periodically check for revoked installations in the group, and publish a commit to remove them that all group members will apply consistently (this logic is already in the doc).
We should also be able to attach a revocation proof to remove commits so that members can validate removals without going to the network, in the same way that a credential is presented in add commits, so that members can validate adds without going to the network.
To shorten the time window after a revocation gets committed to every group, the installation performing the revocation should go ahead and update all the groups that it knows of (this logic is already in the doc).