[chrisco255]

It's interesting to me the amount of energy people spend on convincing themselves that a technology (POW) that didn't even exist 12 years ago and ran on home PCs up until 7 years ago is somehow responsible for wildfires in California or deforestation in Brazil. DID has little to do with Bitcoin. I don't even know if it's the best option, but clearly the lack of decentralized identity on the web has been significant in propagating corporatist monopoly ownership and influence over the web. Nitting about an integration with one particular blockchain (DID works with multiple) is not productive and it's a distraction from the core point of the proposal.

At any rate, I've become fairly convinced at this point that something like ENS (https://ens.domains/) is better suited for a decentralized identity. Optionally registering a simple domain name via a smart contract and signing in to services with a public-private key pair (such as an Ethereum address) is a far superior experience to anything I've seen as far as simplicity goes. I don't need to give up personal contact info. I have ownership of my address. I can create new addresses if I need. I can augment my ENS-linked domain with social media info or website info and that is all stored on-chain. However, one-click sign in doesn't require hitting the chain, just requires signing a message. It's pretty elegant. I just think it needs more standardization.

[geofft]

> It's interesting to me the amount of energy people spend on convincing themselves that a technology (POW) that didn't even exist 12 years ago and ran on home PCs up until 7 years ago is somehow responsible for wildfires in California or deforestation in Brazil.

I'm not sure why years of time matters. Rapid growth is extremely common in technology.

How much time did you need to spend convincing yourself that a microblogging website that didn't exist 12 years before 2016 and was constantly crashing 7 years before 2016 had become a major influence on world politics, up to the level of the US presidency? Hopefully not more than a few seconds.

How much time would it take to convince you that one BTC, which did not exist 12 years ago and was worth $300 7 years ago, hit more than 200 times that amount this year? Does it seem impossible?

The ecological argument against Bitcoin-style consensus is short and fairly obvious from Satoshi's paper. The innovation in that paper (compared to existing techniques like Merkle trees) was the ability to stop double-spend attacks by "mining" chains of transactions. This requires making sure that no single participant - not even the financially-meddling central banks that Bitcoin is supposed to provide an alternative too, and the might of their governments - can mine at a rate higher than the network. This immediately produces an incentive for both the network to make use of as much computational capacity as possible to keep itself safe, and for any attacker to amass enough computational capacity to mount an attack.

The incentive goes up as the block reward goes up, which it has been doing in terms of real value (e.g., number of Big Macs you can buy with a reward), even though the reward denominated in BTC goes down over time.

Therefore, Bitcoin-style consensus, if it works, is necessarily a major consumer of worldwide computational power, and as long as computers require energy, it is a major consumer of worldwide energy, which isn't really a thing we have an excess of.

That's the entire argument. It doesn't take you very much time - unless, of course, you're incentivized to keep trying to find counterarguments.

[eoo]

There's a non-sequitour in your depiction of an attack. Gaining 50% of hashing power is not that interesting unless you really want to prevent someone from using their Bitcoin. And you can only prevent them from using it while your attack is sustained. When someone has gained ~50% of the hashing power, they only can do a small number of attacks [1], that are only profitable under external conditions, and even then, extremely risky unless you have a lot more than 50%.

There really are no arguments for a race-to-the-bottom boundless energy spenditure. The equilibrium point is the market's appreciation of the service of securing a network of inflationless, politically neutral money, which is a pretty cool thing to have in our world of tyrannic governments.

[1]: https://en.bitcoin.it/wiki/Weaknesses#Attacker_has_a_lot_of_...

[geofft]

I didn't say 50%.

Simply, there is some level at which an attacker has enough computational power to pull off an attack, and such an attack is fought off by the legitimate participants in the network having enough computational power to make the attack unfeasible. Whether that's 50%, or even lower as the section you linked to suggests ("someone with only 40% of the network computing power can overcome a 6-deep confirmed transaction with a 50% success rate"), or higher as you claim, that point exists.

The service of securing the network, as you put it, consists solely in having enough non-malicious computational power to make attacks unfeasible. Right? Or is it something else?

If it does, then my argument stands. In order to be secure, Bitcoin needs the legitimate participants of the network to out-compute the illegitimate ones. Whether that's a one-to-one race, or a ten-to-one, or anything else, doesn't matter. The euphemism "securing the network" means nothing other than amassing computational power.

If it is really true that attacks from attackers having lots of computational power are infeasible, and that it's not necessary for the network to have lots of computational power in order to "secure the network," then, quite simply, proof-of-work Nakamoto-style mining isn't necessary at all. You can do something like Stellar or (as I understand it, which I admit is not well) Lightning where transactions are confirmed and protected against double-spend by defining the problem in a different way that doesn't require mining. If that approach indeed works, then the objection in TFA stands - the spec should not encourage proof-of-work systems.

Frankly, given that we're talking about decentralized identity and not about currency, and there's no double-spend equivalent in proving one's identity (I think?), it seems like Nakamoto consensus should be totally irrelevant here. Maybe inflationless, politically-neutral money is a great thing to have as a form of money, but what makes it a great form of decentralized identity?

[eoo]

1. My point is that you lost me here:

> This immediately produces an incentive for both the network to make use of as much computational capacity as possible to keep itself safe, and for any attacker to amass enough computational capacity to mount an attack

This seems false to me. Could you elaborate on what incentives you see at play here?

On another note, I feel one of the finest design details of Bitcoin is that its "decentralization-failure-mode", a.k.a. under a 50ish-percent-attack, is technically indistinguishable from normal operation.

2. The DID spec doesn't require the use of Bitcoin. So we agree with your last statement-disguised-as-question. Thus, it shouldn't have been listed as a reason for the rejection of the proposal (which spawned this thread)

[geofft]

1. Are we agreed that "securing the network" means "having enough computational power that an attacker cannot out-compute us," and conversely that the security threats that Bitcoin protects against are via attackers out-computing the legitimate network? And that these measurements of computational power are opposed to each other (i.e., if the legitimate participants have more and more computational power, attacks are harder, and if an attacker has more and more power, the network is less secured)?

If yes, doesn't it follow that there's an incentive for the people who want a secure network to secure the network - by gaining more computational power - and for the people who want an attacked network to prepare to conduct attacks - by gaining more computational power?

(If no, again, why Nakamoto consensus instead of something else?)

2. Correct, but there seem to be multiple "blockchain" methods listed at https://w3c.github.io/did-spec-registries/#did-methods , and the spec itself suggests that you can verify a signature from a revoked key if the signature was timestamped via a ticking blockchain (like Bitcoin's).

If it's true that the spec doesn't require the use of Bitcoin or other Nakamoto-style blockchains, which I agree seems to be the case, then I agree with you that it shouldn't be a reason to reject the spec - but also it seems like the reviewer's comment could be easily addressed. Just say that the W3C won't standardize any Nakamoto-consensus-based specs because the technology is wasteful and not specifically helpful for this particular purpose. (The reviewer is also asking the W3C not to standardize any centralized specs, like the ccp/Baidu one or the GitHub one, which also seems like a reasonable request and an easy thing to fix.) Then the reviewer could withdraw those objections.

(Note that for timestamping, Certificate-Transparency-style logs can address that without mining: https://transparency.dev/ Right now the spec says "for example, it was anchored on a blockchain," without defining the word "blockchain," which most people interpret as a Nakamoto-style one. IMO it would be good if the spec instead mentioned CT-style logs. It's a small change, it wouldn't change the semantic content of that sentence, and it would address the objection that the spec encourages technologies that require mining - it's the only mention of blockchains in the core spec.)

[eoo]

1. I'm not sure we agree on that... Bitcoin doesn't protect against attacks, it provides you with a relatively simple model to measure the cost of attacks.

At equilibrium, any Bitcoin network participant will look for two fundamental things: (a) being able to move their own assets and (b) relative market price stability of their bitcoin. In case of a sustained 50% attack, both properties start to crack, but not completely. But after the attack, they are regained -- (a) immediately, and (b) eventually.

Consider the attacker to be a government, for example, an actor with a relatively high amount of resources, and the Bitcoin participant a dissident citizen of such government. The dissident wouldn't like to have its assets frozen by the government (through strict censorship of the dissident's transactions), so the market value for Bitcoin drops comparatively to how wealthy was the dissident selling its bitcoin savings. But, also, the dissident might avoid selling if they have enough financial capacity to withstand the attack.

In order to carry out such attack, the government needs to increase its energy spending on Bitcoin, up to the point where the attack is successful for a prolonged period of time. Bitcoin production is intrinsically bound to energy generation, thus to its economic realities (variability of demand, climate conditions, political affairs, just to name a few).

It would cost a government X dollars a day, or Y watts a day, every day, minus the price of the coins generated to attack the network. I estimate X to be the total miner rewards: at the time of writing, 38M USD [1]. Y seems to be at around 456 GWh [2]. Is it worth it for your adversary? That number is the dissident's security parameter. As long as their savings are less valuable than the cost of the attack and they can sustain the attack financially, the dissident should be fine (or really scared about an enemy irrationally spending a lot of energy/money with the purpose of just preventing them to access their money temporarily).

In the end both miners and users just want the chain to move forward. If one particular actor or coalition potentially prevents it, users/miners outside the coalition (if they detect it) would raise their investment to continue chugging blocks.

I think there are no "legitimate" vs "attacker" uses of hashing power. It's more about coalitions between miners and how costly/profitable would it be for them to centralize the network, and how hard is it on the other participants to coordinate a decentralized counter-attack (which ends up profiting them). But eventually, the equilibrium between all participants is to spend as little money/energy as possible. And if it's not decentralized it becomes censorable: next, it loses its value: now who's gonna want to mine something worthless?

2. We see it the same way. I'd add that if Bitcoin is staying around (I don't think it can be shut down), one solution is to use Open Timestamps or other hacks that don't require "block real estate", thus in no way compete with transactions, essentially piggybacking the PoW and getting the timestamp for free.

[1] first result I got for "block rewards Bitcoin last 24 hours": https://bitinfocharts.com/bitcoin/

[2] first result for "24 hour bitcoin consumption watts": https://digiconomist.net/bitcoin-energy-consumption

[Jerrrry]

Which is why, almost tautologically, it doesn't matter the power expense of blocks or even individual transactions.

If a micro-coin becomes possibly promising, someone will dump 12gW into it a year until the consumption matches it's appreciation. May as well have the work be useful or artificially difficult for good or better reasons.

[sprayk]

I don't really like ENS (or any of the blockchain DNS facsimiles) for decentralized identity. ENS doesn't really have a story for verification of socials or other wallets, and there's no way to look up your ENS domain or eth addr from any of those other identities stored as records on an ENS domain.

Ceramic[0] (a sort of mutability layer on top of IPFS) solves this off-chain by using your crypto wallet to authenticate a DID (their DIDs are known as 3id[1]) which can have a list of socials and crypto wallets associated with them (using their IDX[2] system and the schemas called alsoKnownAs[3] and cryptoAccounts[4], respectively), and the validations are made possible by systems called IdentityLink[5] (verifies similar to Keybase) and Caip10Link[6] (sign a message with your wallet) (respectively). The Caip10Link also allows reverse lookup of a DID from a blockchain address. A reference implementation of these systems in action can be found at https://self.id/ .

Grain of salt: I'm working on a project that makes heavy use of Ceramic.

[0] https://developers.ceramic.network/learn/advanced/overview/ [1] https://github.com/ceramicstudio/js-3id-did-provider [2] https://developers.idx.xyz/learn/overview/ [3] https://github.com/ceramicstudio/datamodels/tree/main/packag... [4] https://github.com/ceramicstudio/datamodels/tree/main/packag... [5] https://developers.ceramic.network/tools/identitylink/overvi... [6] https://developers.ceramic.network/streamtypes/caip-10-link/...