Traditional thinking neatly divides blockchains into “permission-less” and “permissioned” models, which are often synonymous with “open” and “closed”. But a recent interaction between Carlos Arena of R3 and Jesus Ruiz of Alastria on the nature of blockchain governance brought Ruiz’s recent paper on blockchain governance called “Public-Permissioned blockchains as Common-Pool Resources” to my attention. In his paper, Ruiz argues the established categorisation of “public with no formal identity” versus “permissioned with identity” is too simple and that an entirely new category of network governance exists. That is, it is possible for blockchain technology to be deployed in a public network (public in the sense that it is open to everyone within reason and bounded by a liberal set of rules), while still enforcing a well-known and permanent identity for each of the participants.
It’s great to see this thinking, since it maps exactly onto the governance model we chose for the independently governed and not-for-profit Corda Network Foundation. Disclaimer: while I work for R3.com, the company behind the open-source Corda, in this post I write as a Director of the Foundation and its first Chairperson.
Ruiz begins with a proposal for a taxonomy of blockchain governance, elegantly drawing out an orthogonal difference between the openness of participation and the importance of an established identity on the network.
“A Public-Permissioned blockchain network is a new type of network filling the gap between the Public-Permissionless networks (like Bitcoin or Ethereum) and the Private Consortium networks… A Public-Permissioned blockchain network combines the permissioning from private consortiums with a decentralized governance model, trying to achieve the best properties of both models.”
Yes! Nicely put!
To understand how this applies to Corda Network, we must look briefly at our governance model, and the drivers for governance design. We had identified the benefit to all Corda users of an openly accessible ‘internet’ of nodes in 2017, soon after R3 had completed initial designs for Corda and then open-sourced the software. A blockchain network is a very sticky environment; even the standard migration of internal IT systems is incredibly complex and expensive, especially if the business concerned has built its operations around the IT system. But migrating blockchain networks is even harder, because the whole point of blockchains is to provide provenance and trust without relying on a third party, so the trust must also be migrated along with the data. In other words, it is not as straightforward as exporting historic data from one system and importing it onto another. If migration is hard, then participants have to plan to stay put on the network, potentially for the lifetime of their system. We believed participants would demand stability in the governance of the network and a say in how the network was priced as a prerequisite to joining it, and this was confirmed in conversations with the Marco Polo, B3i and Contour groups which have built on Corda.
In short, the network had to be not only truly independent from R3, it had to be visibly and permanently so.
Ruiz goes on to quote Navarro’s paper “Network Infrastructures: The Commons Model for Local Participation, Governance and Sustainability” in identifying 2 key principles of such public-permissioned blockchain networks:
Non-discriminatory and open access: Access is non-discriminatory, even if it is not free because pricing is determined using transparent mechanisms, typically cost-oriented. Access is open because everybody has the right to join and use the infrastructure according to the access rules.
Open participation: Everybody has the right to join the community to participate in the construction, operation, provision and governance of the infrastructure. The network should be inclusive, open to participation of any entity independent of size or sector of activity.
So how do these principles map into the Corda Network governance model?
First, Corda Network is open to access for almost all organisational legal entities, regardless of location, industry, size or composition. Since Corda Network is governed by an independent Foundation, located in the Netherlands, it is required to undertake sanction screening of entities according to European sanction screening lists. But the onboarding process for Corda Network only checks three trivial things: first, the entity exists; second, it is not sanctioned; and third, the request is being made by a representative of the entity. Because of the privacy-preserving design of Corda, Corda Network does not know about (and has no way of finding out) what trade is being conducted, or what CorDapps are being used to transact between parties.
It is not enough to say that a network is open to access in principle. It also has to be open to access in practice, and that means making it affordable. The Corda Network Foundation has worked hard on a non-profit price model that seeks only to recover the costs of operating key technical services like a directory service.
Second, the governance of the Foundation is itself open to participation. Rather than have direct referenda to determine technical policy changes (and we’ve seen how voters can tire of referenda!), we decided to have a representative board of directors, elected from amongst the participants. The board was established a year ago, and is nearing the end of its transition period when selection moves from nomination by early business networks to election by the participants. We put in place some rules to force diversity of board members; there are limits to the numbers of directors from any single industry, geography or organisation size, and R3 has a permanent place at the table, as the organisation which funded the building of the network and acts as a steward for the Corda codebase.
So, if we can agree Corda Network fulfils the “open” aspect of a public-permissioned blockchain, how does it meet the permissioned (identity) aspect? Every node is required to hold an identity certificate, which is issued by the network as part of the onboarding process. This gives the participant permission to join the network, since the node must present a TLS certificate derived from its identity certificate when connecting to peers. There is a single identity per participant, which is reflected in the network map (a similar facility to DNS) and allows nodes to look up the IP endpoint of a counterparty node by well-structured X500 name. It’s crucial that network participants understand and can verify who they are transacting with, and the formal legal entity existence check and corresponding X500 name help establish this confidence. While Corda supports certificate revocation, this is not intended to be used except at the controlled and verified request of the certificate holder, defined in the operating procedures of the network. The identity certificates themselves have very long expiry dates, since we know that expiry can be incredibly disruptive, and unplanned expiry causes much more damage than the benefit of expiry of stolen keys.
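As an added illustration of the permissioning step described above (not code from Corda, R3 or the Foundation), this script models it with a simplified three-level chain: a network root issues a node identity certificate, the identity key issues the TLS certificate, and a peer is accepted only if that chain reaches the root and the identity carries the X500 name that was looked up. The names, file layout and helper functions are constructed for the example, and Corda's actual certificate hierarchy is not shown on this page.

```shell
#!/usr/bin/env bash
# Constructed demo: every name, subject and file below is made up for illustration.
set -eu
WORK="$(mktemp -d)"
NODE_SUBJ="/C=GB/L=London/O=Example Bank"      # hypothetical participant
NODE_NAME="O=Example Bank,L=London,C=GB"       # same name, as a peer would look it up

cat > "$WORK/ext.cnf" <<'EOF'
[ca]
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
[tls]
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=serverAuth,clientAuth
EOF

new_key_and_csr() {  # new_key_and_csr <name> <subject>
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}
self_sign() {        # self_sign <name>: a trust anchor, or a cert nobody vouches for
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 3650 \
    -extfile "$WORK/ext.cnf" -extensions ca -out "$WORK/$1.pem" 2>/dev/null
}
issue_from() {       # issue_from <issuer> <name> <ext-section> <serial>
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -set_serial "$4" -days 3650 -extfile "$WORK/ext.cnf" -extensions "$3" \
    -out "$WORK/$2.pem" 2>/dev/null
}
subject_of() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }

# accept_peer <expected-name> <identity-cert> <tls-cert>: the check made before peering.
accept_peer() {
  # (a) TLS cert -> identity cert -> network root must verify cryptographically.
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$2" "$3" >/dev/null 2>&1 || return 1
  # (b) The identity must carry the X500 name the caller expected to reach.
  [ "$(subject_of "$2")" = "$1" ]
}

# Onboarded node: identity issued by the network, TLS cert issued by the identity key.
new_key_and_csr root "/C=NL/O=Example Network Root"; self_sign root
new_key_and_csr node "$NODE_SUBJ";                   issue_from root node ca 2
new_key_and_csr node-tls "$NODE_SUBJ/CN=tls";        issue_from node node-tls tls 3
# Same X500 name claimed without onboarding: the identity is merely self-signed.
new_key_and_csr rogue "$NODE_SUBJ";                  self_sign rogue
new_key_and_csr rogue-tls "$NODE_SUBJ/CN=tls";       issue_from rogue rogue-tls tls 4

for who in node rogue; do
  if accept_peer "$NODE_NAME" "$WORK/$who.pem" "$WORK/$who-tls.pem"
  then echo "$who: accepted"; else echo "$who: rejected"; fi
done
```

Claiming the right name is not enough: the second certificate pair carries the same X500 name but is rejected because nothing links it to the network's root.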
So far, I’ve tried to demonstrate that Corda Network is a great example of a public-permissioned network, one which has been running for a year and is now seeing an uptick in the number of production transactions. It aligns extremely closely with Ruiz’s model, but there are two additional aspects which are possibly different.
First, most transactions on Corda Network arise from a “Business Network”, where a software vendor or consortium forms a separate governance structure for a particular application. Corda Network is designed to get out of the way of these Business Networks and limit itself to the governance of base identity and common technical standards only. The Business Networks can add application-level identity, membership, pricing, and governance rules specific to them, and this is an important reason for Corda Network to remain open at the base level. But it also means that participants need to understand the layering of rules, and that a Business Network may be less permissive than the underlying infrastructure network.
Second, Ruiz argues that public-permissioned networks require on-chain governance implementation, although his paper limits discussion to IBFT (Istanbul Byzantine Fault Tolerance) used as a basis for transaction consensus, rather than consensus of broader network rule-setting. At least one on-chain governance application has been built using Corda (Cordite by Lab577) and we’re keen to implement it as a running service for Corda Network Foundation, but will continue to handle voting events for rule changes conventionally until at least later in 2020. On-chain governance is great for scale, and for maintaining a permanent and transparent record of decision-making activities, but it is not essential for all aspects of successful blockchain governance. Ruiz concludes by noting “complementary off-chain governance processes”, and we heartily agree with the idea of using on-chain governance where it makes most sense.
We’re keen to share ideas with Alastria and other public-permissioned networks. We know we haven’t got everything right, since in many areas we are breaking new ground, so we’re receptive to feedback and hearing what has worked elsewhere. Please get in touch, especially if you have made the wise choice to use Corda!
How “public-permissioned” blockchains are not an oxymoron. was originally published in R3 Publication on Medium, where people are continuing the conversation by highlighting and responding to this story.