Membership by Invitation

Learning Library Design Patterns
, , ,
#1

Problem

A group of people wants a strong ‘membrane’ around themselves — the power to invite people in and usher people out. This is important for the group integrity: the people who show up can influence governance, privacy, and quality of day-to-day interactions.

Solution

Appoint a Progenitor to issue a Privilege Certificate that lets the bearer join the network. Optionally allow the progenitor to delegate this privilege to existing members.

Implementation

Create a ‘join’ privilege certificate type that grants an agent permission to join a DHT. An agent must include a valid certificate of this type in their agent ID entry. In order to be valid, it needs to be recognised by a legitimate authority that derives from the DNA’s root authority (see Progenitor for details). If the agent ID entry fails validation, the existing DHT peers will ban the agent from the network before they have the chance to access any privileged information.

Warnings

The DHT isn’t entirely protected from the new agent’s eyes — they do need to know the IP addresses of a few existing nodes in order to connect to the network and publish their agent ID for validation. Depending on your group’s needs, this might create a privacy leak.

Related patterns

This pattern doesn’t specify any particular way for privileged members to deliver a certificate to invitees. The Lobby pattern can help with that.

3 Likes
Private vs Public DHT
Member Whitelist
Holochain hackathon, Prague, September 6th - 8th
Asynchronous messaging, small groups and encryption
Capability Delegation
Private by Default
#2

Hi @pauldaoust!

Can you elaborate on this a little bit more? What are the scenarios in which the new agent can do harm to the DHT? And is there a concrete example of how a privacy leak could happen in this case? thank you!

#3

I’m thinking of the point at which the new agent has to discover the network. I imagine this would usually involve a bootstrap node that doesn’t mind being public, but then that bootstrap node is supposed to give the new agent the IPs of a few neighbours so it can start gossiping with them. If I, as a new node, get the IP addresses of a few members, I can compare them to the peer table of other apps I belong to and discover that these nodes also belong to those other apps.