This week marked a significant step for Corda Network. We established a Foundation legal entity in Holland, which will take control over Corda Network from R3, and govern it for the long term.
I’d like to describe the beginning of the journey we’re on, and where we want to get to.
Some historical context
When Richard Brown, Mike Hearn, Ian Grigg and I first outlined Corda on a whiteboard, we thought of a distributed system of connected nodes, being used to manage any kind of agreement (and its evolution) between any parties. Our intention was to allow parties to say “I know what I see is what you see”. The important point was that these nodes were connected on a global network, where parties knew the identities of their trading partners. The diagram I drew in early 2016 to explain this is shown below, and it’s still pretty accurate, even several years later. It shows how banks, oracles, market infrastructure firms and regulators come together on a single network, able to transact directly with each other, and able to share services such as ordering services and gateways to other networks. Indeed, Corda software to enable gateways to XRP and SWIFT was open-sourced yesterday.
The reality we encountered when pitching Corda for early consortium RFP bids was that application builders and consortia didn’t see beyond the immediate network they needed for their own application. We saw these as standalone, or isolated networks, where participants would need to set up specific infrastructure for each use-case. Of course, we were glad to see Corda be adopted, but we soon realised the full value of the original vision, where anyone could transact with anyone else for any purpose, would not be achieved. We also learnt that a key concern of consortia and application vendors building on Corda was the issue of control and customer ownership. These pioneering groups are making a giant investment of time and money in building an application, and then building a coalition of the willing who are prepared to deploy the application and change their business processes at the same time. What they need in order to justify this is control over their consortium business network: its identity, membership, governance rules, branding, pricing, KYC process (know-your-customer), application technology and standards. This concern could only be solved if the Corda Network faded into the background, just as the internet itself has done, and gave business networks the space they needed to maintain control, and innovate.
Why does any of this matter?
For participants, if the business applications are running on separate networks, each has its own trust root, and this forms the basis of trust in the provenance of data, recognised by local participants. But this means there is a trust boundary which surrounds each application, and data history and proof of correctness cannot flow from one application to another, because participants in the destination network don’t understand the context and governance which controlled the data at its source.
A global trust root creates an enlarged trust boundary, and participants of business networks can then share standards and rules applied within this global boundary. This means that data originating in one business network may flow to another, and provenance of that data can be accepted in all of them. This sets the scene in which digitised assets (which in our terms are just Corda states, each with a transaction chain to reflect their history) can be verified by any future holder of those assets, and used to settle payment obligations arising in any application. The same applies to KYC and identity data, and will probably also apply to invoice data in the trade finance world, for example.
If digital assets and identity data can flow from one application to another, organisations can reuse them and save liquidity costs. For example, instead of holding Marco Polo Dollars which are different from LenderComm Dollars, and having a situation where the organisation accumulates a surplus in one application but can’t spend it in another, there could be Canadian Dollars which can be used in both. The issuing of assets on Corda has already been covered by Richard and Todd.
So we started to set up a global Corda network. The first was a test-network, using milestone releases of Corda at the start of 2017, even before Corda v1.0 was released. We wanted to make a Corda network tangible and real. We’ve constantly upgraded Testnet, and created several shared UAT (user acceptance testing) environments, and most recently, we’ve been running a production Corda network, using the latest version of Corda.
The cost of managing networks
We separated correctness validation and uniqueness validation in the earliest days of the Corda design, and the notary concept, which provides ordering and uniqueness validation, works as one or more shared services. All business networks and CorDapps need to specify a notary, and if they use the openly-available Corda Network notary service, they can focus on their own application and community, and not worry about building an operations team to manage a separate one. (As an aside, Corda doesn’t have an economic model which rewards block-producers; we can create blocks of Corda transactions to optimise performance, but in general we think of them as a batching mechanism, and the Corda model works on the basis of chains of transactions. This means the operating cost of the notary needs to be met by transaction charging.)
Likewise, if business networks use Corda Network, they don’t need to build and operate their own identity-issuance and map services. A team of operation and support engineers is needed to operate these on a 24/7 basis, and this adds leadtime, complexity and cost which cannot be shared with other business networks.
Finally, Corda requires a trust root. This needs to be managed to the very highest standards, since it underpins trust in all transactions on the network. Setting this up requires expertise and time: our trust root took about a man-year of planning, 2 engagements with global consulting and audit firms, 7 witnesses, duplicated and securely managed HSMs, storage vaults, videoing of a complex and long ceremony from 3 different camera angles — I think you get the picture. Business networks have a choice: they’re welcome to manage this themselves, but Corda Network makes this a shared resource.
Where does this leave governance?
Business networks considering using Corda Network have a number of concerns. One is that the network itself is a point of lock-in; there would be signifcant migration costs if participants ever wanted to move their Corda states out. So we thought hard about the kind of qualities Corda Network governance should have. In no particular order:
- Transparency: In my mind, there are two kinds of governance: implicit and explicit. Implicit governance happens with informal decision making, in corridors, where those ‘in the know’ make decisions without having to consult the rest. In some ways this is the governance model for “permission-less” distributed ledgers like Bitcoin. Some newcomers assume there is no governance at all; I say if you can’t identify the governance, it’s because you haven’t looked hard enough. All systems have someone who is ultimately in control, even if it is implicit. I dislike this model intensely, at least for business-critical systems. Corda Network has an explicit model, where all decision-making rules are written down (in legal Articles and Bylaws!) and must be adhered to. Furthermore, the governance, costs and fees for the network will be published.
- Openness: All users of the network should be treated the same, and all organisations undertaking legal business are welcome. No industry or geography should be excluded, within reason. Where this gets complicated is in giving access to organisations in sanction-screened countries, because the Foundation is domiciled in The Netherlands, and must therefore adopt EU sanction screening rules. But I don’t want the Foundation to become the enforcement arm of any one particular political administration, since then it is subject to the changing whims and vagaries of policy. Things look very different from Asia versus the USA.
- Fairness: We’ve build a detailed cost model which splits out the cost of identity issuance, support, and transactions. All costs associated with the operation of services of the network should be borne by those who consume the services — there should be no cross-subsidy, since this distorts behaviour in unhelpful ways. For example, some people have asked if the network could charge nothing up front, but meet all identity-related costs with a larger notary transaction fee. This doesn’t work, since we welcome third-party notary implementations, unless we are also willing to audit and tax them and create privacy concerns. Others have asked if, since the notary transaction costs could be “too cheap to meter” (a reference to expectations around electricity charging in the 60’s), we could cover transaction costs by charging more for every identity. This is unfair, since some participants will create millions more transactions than others, and represents a barrier to entry for everyone, killing off the idea of widespread adoption, and reducing the value of the network.
- Cost effectiveness: The governance model and technical services of the network should be as lean as possible. The goal of the network is to encourage Corda adoption; it is not to make profit, or impose a punitive rent on organisations 5 years after they committed to use it.
- Flexibility: The governance model will inevitably not be perfect the first time around, and since circumstances change, the governance will need to also. There is a tension between this and stability.
- Stability: Usage of distributed ledgers in business takes time: time to design, time to hold hands with trading partners and agree to implement together, time to make organisational changes to the business (e.g. removing reconciliation activity) to achieve the expected benefits. Deploying blockchain needs multi-year planning, commitment is needed, and application builders need to be comfortable their business plans won’t be compromised by sudden infrastructure pricing or control changes.
The creation of a Foundation, and passing of control over Corda Network from R3 to it, is an effective way of achieving these qualities. In an upcoming post, Carolyne Quinn will describe why a Dutch Stichting seems like the perfect fit, and describe how it works in practice. We’ll also continue to describe the journey we’ve planned from the early days of the Foundation, via a diverse transition board, to a fully democratic, elected board.