From ben at mord.io Thu Jan 11 17:29:38 2018 From: ben at mord.io (Benjamin Mord) Date: Thu, 11 Jan 2018 12:29:38 -0500 Subject: [Lightning-dev] BOLTs and meaning of "MUST" in potentially adversarial contexts Message-ID: One thing I find useful in RFCs is a brief discussion about the meaning of terms like MUST, SHOULD, MAY, etc.. as used in the subsequent protocol definition. But in the traditional approach to protocol design we first assume cooperative nodes, and then later attempt to retrofit security when we are surprised (yet again) to find not all nodes are operating in good faith. Initial definition of "MUST" in RFCs thus implicitly presumes good faith, inadvertently inviting implementers to lower their guard. But of course, integrity despite presence of adversarial nodes is an explicit design goal of the lightning network. When a BOLT says that a lightning node MUST do some X, what does that mean exactly? I'm thinking it means we should stigmatize it as "non-compliant" with protocol consensus as documented in BOLTs, whenever we discuss the implementation. I think violation of a MUST should be considered hostile. I think a MUST encourages nodes to fail a channel or connection upon observing a violation of that MUST, and even to take implementation-specific defensive measures as deemed appropriate by implementers (so long as they have cryptographic evidence that the violation is not forged). But in no way does a MUST assure implementers that they may assume this MUST will be respected by remote nodes, as it is not the purpose of MUST to convey that cryptographic safeguards or such elsewhere in the protocol design have arranged to force adherence.. Does that sound right? Is it worth stating explicitly somewhere, along with definitions of SHOULD, MAY etc? Sorry if these definitions are already stated someplace that I overlooked. -------------- next part -------------- An HTML attachment was scrubbed... URL: