Creating this topic for discussion around this signal proposal: https://dxvote.eth.link/#/xdai/proposal/0x727d9839ca308dc5e015d4be457116c5c19431a137d6fe1f89a40be14532f459
The signal proposal reimburses me for the amount ($19.50) I’ve paid Tutanota for the encrypted email service so far, and designates @dxdao.link emails as an official avenue of communication used by DXdao contributors. The email service is already fully functional and being used by some contributors, and the official designation is to show others outside the DAO that emails they receive from Contributors using it are legitimate. @Arhat pointed out before that otherwise, it opens up the DAO to impersonation if someone unrelated to the DAO registers a domain such as DXdao.fun and sends emails from it. This signal proposal shows that DXdao.link is not such an impersonating domain.
To be clear, the signal proposal does not create any obligation to use the email service - contributors remain free to use it or not use it as they so choose. I have no problem with contributors who do not wish to use it for various reasons, and I understand your concerns. But for those who do wish to use it, it’s a useful tool that helps elevate the legitimacy of the DAO as a whole by increasing professionalism and verifiability in communications. In addition to end-to-end encrypted private email, Tutanota includes an end-to-end encrypted private calendar, and DXdao.link’s Tutanota plan now includes sending event invites with this calendar and the option to share entire calendars.
I’m personally against a DXdao email address - due to the fact that it cannot be really held in a decentralized way. Some of my concerns:
- The domain itself has to be held by a trusted party – this trusted party could terminate all service at any time by removing or altering MX records.
- The email service itself also has to have an admin, that creates new user accounts etc. Unfortunately, I’ve previously had my email deleted and recreated – used to impersonate me.
- Custom domains can be easily spoofed – are SPF, DKIM and DMARC records set up to address spoofing?
- The domain appears to have been registered with a US domain name registrar https://www.namesilo.com/
- The email service appears to be in Germany.
- Germany and the US are among the worst offenders of privacy / illegal spying.
- From a quick search Tutanota does not use PGP for email encryption – so the only E2E email encryption they offer is between Tutanota users.
I understand that such a matter has some urgency elements, i.e. acquiring the domain to avoid squatting. Yet, I think the idea should have been discussed more before taking actions on it – particularly to avoid you spending money on domains and services and then face a risk of not getting refunded. The amount in this particular proposal is negligible – and I would have been in favour of refunding you the costs, even though I disagree with the proposal, because I believe you had good intentions.
Also, is an xDai proposal with 0.6% (the only person who voted was Caden himself) sufficient to pass such a proposal? Our future schemes that pass quicker have a minimum quorum required to pass.
Indeed. I didn’t favor this proposal, but I was leaning a little towards the neutral, so I abstained from voting against either. And this begs the pertinent question you raise: Since we have different schemes with different parameters, in the unlikely event when a proposal is posted with the wrong scheme and it’s not voted against but passes, would it be deemed invalid, how can that be made official?
We should also have a guide helping explain the different schemes and the type of proposals that would be valid/invalid for each.
I know the situation isn’t ideal. Ideally, we would use a decentralized email provider, but the only one of these I could find - https://ledgermail.io/ - is just a sort of front-end for existing email accounts, and doesn’t actually create new email accounts with a custom domain. That being said, anyone can sign up for Ledgermail with their @dxdao.link account, which would ensure that the domain owner can’t possibly read their emails, since they’re end to end encrypted. Tutanota already has this, but is of course centralized like every email provider I know of that allows custom domains.
No one is obligated to use the @DXdao.link email service if they feel the benefits of having a professional and verifiable email aren’t enough to outweigh the downside of centralization. Also, if another contributor wants to register another DXdao-related domain and pass a signal proposal to designate that as another official email provider to further distribute control, I wouldn’t be opposed to that either. The signal proposal I passed simply states that one way DXdao contributors communicate is through @dxdao.link email addresses, it doesn’t say it’s the only official way.
- Custom domains can be easily spoofed – are SPF, DKIM and DMARC records set up to address spoofing?
In answer to this @fluidDrop, yes, I’ve set up all of these records so that any spoofing would be clearly fraudulent, and go straight to the spam folder or not be delivered at all. Custom domains are the industry standard used by most organizations and companies to verify that communications are coming from a member of that org. Here are the checks on the records I’ve set up for this, which show that I configured them properly:
In conclusion, because others can set up their own email service which can also be official - which cannot be done with all of the other centrally controlled services DXdao uses including Discord, Keybase, and Twitter - this email service already has the potential to be more decentralized. So if you’re in favor of continuing to use Keybase, which can be deleted by the one person who controls it at any time - same with Discord and with Twitter - then you should also be in favor of giving contributors the option to have professional, verifiable email accounts if they choose to use them. Again, no obligation if you don’t feel it’s worth the risk of centralization. With this, you have a choice to use it or not, but you have no choice to use Keybase and Discord.
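The spoofing question raised in this thread comes down to what a domain's SPF record (a TXT record on the domain) and DMARC record (a TXT record on `_dmarc.<domain>`) tell receiving servers to do with forged mail. The following is an added example, not part of the original thread and not a check of dxdao.link: it grades constructed records for `example.org`, with hypothetical function names, and leaves DKIM out because verifying it needs the selector name, which the thread does not give.

```python
# Added example: grade SPF and DMARC TXT records for spoofing resistance.
# Every record below is constructed for example.org, not taken from dxdao.link.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_verdict(txt_records):
    """What SPF tells receivers to do with senders the record does not list."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # RFC 7208: zero records = no SPF, several = permerror
        return "missing" if not spf else "permerror"
    redirect = False
    for term in spf[0].lower().split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech == "all":  # first 'all' decides; later terms are ignored
            return QUALIFIERS[qualifier]
        redirect = redirect or term.startswith("redirect=")
    return "unresolved-redirect" if redirect else "neutral"

def parse_tags(record):
    """Split a 'k=v; k=v' record into a dict with lowercased keys and values."""
    pairs = (part.partition("=") for part in record.split(";"))
    return {k.strip().lower(): v.strip().lower() for k, sep, v in pairs if sep}

def dmarc_verdict(txt_records):
    """Policy requested for mail that fails both aligned SPF and aligned DKIM."""
    recs = [t for t in map(parse_tags, txt_records) if t.get("v") == "dmarc1"]
    if len(recs) != 1:  # none, or several (receivers then apply no policy)
        return "missing"
    policy = recs[0].get("p")
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    return policy if recs[0].get("pct", "100") == "100" else policy + "-partial"

def spoofing_posture(spf_txt, dmarc_txt):
    """Combine both verdicts into the outcome a forged message should expect."""
    spf, dmarc = spf_verdict(spf_txt), dmarc_verdict(dmarc_txt)
    outcome = {"reject": "rejected", "quarantine": "spam folder"}.get(dmarc, "may reach inbox")
    return spf, dmarc, outcome

CONSTRUCTED = {  # (TXT at example.org, TXT at _dmarc.example.org)
    "strict": (["v=spf1 include:spf.example.net -all"], ["v=DMARC1; p=reject; adkim=s"]),
    "spam-folder": (["v=spf1 include:spf.example.net ~all"], ["v=DMARC1; p=quarantine"]),
    "monitor-only": (["v=spf1 +all"], ["v=DMARC1; p=none; rua=mailto:reports@example.org"]),
    "unprotected": (["some-site-verification=abc"], []),
}

if __name__ == "__main__":
    for name, (spf_txt, dmarc_txt) in CONSTRUCTED.items():
        print(name, spoofing_posture(spf_txt, dmarc_txt))
```

Only the `quarantine` and `reject` policies correspond to the "spam folder or not delivered at all" behaviour described above; a `p=none` record publishes DMARC without asking receivers to act on failures.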
I agree with @fluiddrop’s view here. I’m sorry I didn’t vote on the signal proposal because – like @Arhat – I was initially neutrally against it. After thinking about the domain issue more, I would vote against another signal proposal for a DXdao email domain.
I would, instead, support that each contributor be reimbursed for any domain associated with a legal entity that he or she establishes to conduct business with DXdao. The entity and email address can also be used to interact with other DAOs (it’s generally a good practice when interacting with unregistered defi orgs).
Emails are an important signal of professionalism. However, DXdao shouldn’t maintain an email domain through centralized servers. It goes against our basic principles on decentralization.
This is a great idea for contributors who have the time and know-how to set up their own custom domain and email service @Tammy. But this doesn’t mean we should force everyone to do this, and reduce contributors’ options for the emails they use. Which, to be clear, the @dxdao.link service is just another option which contributors can use if they so choose. I don’t see what rugpulling the dxdao.link service accomplishes.
To frame it another way, the signal proposal which I passed essentially said “DXdao contributors may have a DXdao.link email address, and use it for verifiable communication.” So to argue against it now, you must be saying “DXdao contributors must NOT use a dxdao.link email address for verifiable communication.” Which of these choices gives contributors more options and more freedom?
The problem here is that a signal proposal indicates on-chain DAO support for an initiative. I don’t believe that this proposal has the DAO’s support for two important reasons:
1. The reasons @fluidDrop listed above are all very persuasive. A DXdao.link email is a centralized service. Also, I can see a myriad of issues with determining who uses it. Who gets one and who doesn’t? If the process is super loose and open (which I generally prefer), anyone that uses the email and contacts a third party will have more validation that the person represents DXdao, which may or may not be the case. I also think that caving on decentralization with something as minute as an email undermines the great pains DXdao has gone through to create decentralized front-ends, deploy contracts in a decentralized manner, and use on-chain governance without a multisig. These are just some examples.
2. Here, the initiative was proposed and voted on only by you. This demonstrated a failure in our governance because that is in effect a centralized decision. I’ve said this before regarding other on-chain proposals, but really any proposal that is made and solely voted on by one stakeholder IMO does not reflect the DAO and should be considered invalid.
This has all gotten far more complicated than I intended it to. Pull up a seat and I’ll tell you the story of dxdao.link:
1. I wanted an official email address so when I reach out to people like Augur, they can see I’m part of the DAO and not just some random anon cold emailing them from my personal email
2. I thought, “Why not share this email with the DAO, they’ll love it!”
3. Part 2 clearly brought a lot of unanticipated problems, with people saying I need to do a signal proposal because the DAO has not approved of this sharing
4. Fine, I do a signal proposal
5. I check on it with less than 24 hours left, and no one has voted on it. SMH, I vote for my own signal proposal since if it expires with no votes then where do I even go from there
6. 2 more days of voting go by and still no one else votes on the signal proposal. I execute it myself. Decentralized governance FTW
7. People come back to my signal proposal 2 weeks later and say it’s invalid, and against the principles of the DAO and all that. FML
I’ve run out of energy discussing whether or not I should be allowed to share my awesome email address with y’all or not. I’m not going to unilaterally rugpull the other contributors who are already using it (who I wish were a bit more active supporting this whole initiative), but if the DAO votes to do it then I will have no choice and I’ll follow the word of the DAO.
Is this crazy cool community the bleeding edge of DAOs or what… :}
Last week was: “Are you really a DAO if you don’t have daylight savings and time zone problems?” This week’s special is: “Are you really a DAO if you don’t have a long forum thread on use of emails?” The icebreaker keeps ploughing through more ice. ‘Snowpiercer’ may sound cooler, but it’s too soft for the analogy. The matter isn’t personal, it is developmental on a higher level. Perhaps the community would need to innovate yet again. I’m hopeful. The recent NFT solution built by some of the DAO’s devs during the EthLisbon hackathon might even come in handy. Tell me you’re a part of the DAO without telling me you’re a part of the DAO.
I always appreciate how you like to take things on. I know you had the best of intentions, but there’s just some complexities that came up along the way that don’t really make that signal proposal IMO all that valid.
I suggest that you still create an LLC or C-Corp (a legal entity), if you haven’t already, and create an email address related to that. I know Augur, etc. may not initially recognize you as a member of DXdao based on the email, but it’s an easy explanation that hasn’t really stopped me from working with anyone. Not sure if it’s stopped others that I’m aware of either.
Happy to help where I can