First IPDB Caretaker Meeting: Governance & Technology

On a chilly October morning in Berlin, a small group of hackers, lawyers, technologists, and thinkers met for the first time. They came from as far as San Francisco to consider how to build something new: a scalable blockchain database for everyone to use, and the Interplanetary Database Foundation, the organization that will run it.

Why? Who was there? What was discussed? What was decided? We’ll fill you in below.

Why have a Caretaker meeting?

Almost exactly one year ago, Trent McConaghy and I started exploring the idea of a public instance of the federated “blockchain-ified” big data database that would become BigchainDB. Those what-ifs quickly turned into a mandate to make it happen. Trent and the BigchainDB team would build the technology, and I would build the organization to run the public instance.

Our earliest conversations focused on who should run the validating nodes and how they would be incentivized, but that spiralled outward quickly. We worked through organizational structure, funding models, policies and procedures, and more. We took inspiration and input from many people along the way, but the actual output is completely our own. The result is the IPDB Foundation.

I’m proud of what we have built so far. We’ve recruited exceptional Caretakers, registered as a not-for-profit voluntary association, established a real governance model, mapped around likely pitfalls, and have even launched an internal test network. Exciting projects are being built with IPDB in mind.

Until this meeting, IPDB has operated like a dictatorship with me in charge. It’s been very efficient, but a benevolent dictatorship is not a successful long-term governance strategy. We needed two things from the Caretakers: the perspective offered by their wide range of experiences and backgrounds, and the accountability provided by having them ask why we made certain decisions and spotting conflicts we would have missed on our own.

Who was there?

When the meeting was called to order, we had a room full of experts in their fields from around the world, all ready to dive in to discuss the finer elements of running a global blockchain database.

Caretakers BigchainDB, COALA, Monax, OuiShare, and unMonastery each sent at least one representative, from lawyers to policy experts to hackers (see photos below). Many other Caretakers expressed interest in attending but sent their ideas along by email.

We were also joined by Dr. Nina-Luisa Siedler, a corporate lawyer with DLA Piper who brought a wealth of experience in German law, and David Holtzman, the former CTO of Network Solutions and technical architect of the modern Domain Name System (DNS).

Day 1: Choosing Caretakers & making decisions

Day 1 attendees, from left: Trent McConaghy (BigchainDB), Constance Choi (COALA), Joachim Lohkamp (OuiShare/AGILE), Kei Kreutler (unMonastery), David Holtzman (architect of modern DNS), Jason Banks (Monax), Nina-Luisa Siedler (DLA Piper LLP). Not shown: Greg McMullen (IPDB/BigchainDB) and Troy McConaghy (BigchainDB).

After a quick round of introductions, the team got right to work.

Getting the right Caretakers

The first order of business was the Caretakers themselves. What makes a good Caretaker? How should we choose between applicants? How are they removed if they misbehave?

Early on, the group decided we should move toward greater decentralization as quickly as possible. We decided to expand the list of Caretakers from 15 to 100 in the first five years, with a plan to add 20 more each year.

We asked whether there were any kinds of organizations that could never be a Caretaker. The answer was no—for all kinds of organizations, we could think of examples that would be a great addition. So how do we keep out undesirables?

As a baseline, we agreed that only Caretakers who are deeply aligned with the mission statement set out in our articles should be allowed. A Caretaker must be committed to a decentralized internet, increasing transparency, and challenging censorship.

We decided that having a diverse set of Caretakers was important to keep any one set of interests from taking over the organization. We will maintain a majority of not-for-profit organizations, but also set targets for criteria such as region. We will aim for less than 25% in any country, less than 40% in any continent, and representation for every continent. Other criteria include whether the Caretaker will use IPDB for their own purposes, the size of the organization, and other values that align with ours. Except for the ratio of for-profits to not-for-profits, these targets are not hard caps, but soft targets.

Making decisions

Before IPDB becomes available to the general public, membership in and control of the IPDB Foundation will be turned over to the Caretakers.

We worked through the governance process, the delegation of powers to the board, and the Caretakers’ oversight function.

The Caretakers’ first job will be to elect a board of directors to carry out management of the IPDB Foundation, which can in turn hire staff to carry out day-to-day operations. For important decisions, the board can put out a call for comments from the Caretakers, who can provide guidance to help the board make appropriate choices.

The processes for adding and removing Caretakers are one critical example.

Applications to become a Caretaker are received by the board, which calls for public comment on the applications from existing Caretakers. After the comment period, the board will vote on whether the new Caretaker should be admitted.

The process for the removal of a Caretaker is triggered when certain “red flags” are brought to the attention of the board. These could include actions against the mission statement of the IPDB Foundation or that violate its rules, breaches of security standards, ongoing technical deficits, and so on. The board will call for a public comment period, after which it makes a recommendation to either remove the Caretaker or require remedial action. The Caretakers will then vote on the board’s recommendation, and their decision will be carried out. Having the Caretakers vote on the board’s recommendation adds an additional layer of transparency and accountability for what is a major consequence.

Despite the important role of the board, the Caretakers retain a critical oversight function. They will have the ability to call a special meeting to replace the board if necessary. The threshold for calling the meeting will be set low enough to make this a realistic measure, so the will of the majority of the community can ultimately overrule the board.

Day 2: Nodes, updates, and keys

Day 2 attendees. Back: David Holtzman, Benjamin Bollen (Monax). Front: Constance Choi (COALA), Trent McConaghy (BigchainDB), Greg McMullen (IPDB/BigchainDB). Not shown: Jason Banks (Monax), Kei Kreutler (unMonastery), Joachim Lohkamp (OuiShare/AGILE), Troy McConaghy (BigchainDB), Nina-Luisa Siedler (DLA Piper LLP). Photo by Alberto Granzotto.

On day 2, the focus shifted to the technical side.

Operating a node

The day started with a discussion of the technical expertise required to run a node. It was clear that the skills would be beyond some of the organizations that want to be Caretakers. Other Caretakers have a great deal of technical expertise.

We decided against a high level of technical expertise being a requirement. The contributions some Caretakers could make to governance and policy will far outweigh the burden of getting them up to speed technically.

To lower the technical bar, we agreed that good documentation for the setup and maintenance of a node will be critical. BigchainDB is currently creating the documentation for the code IPDB will operate on, but IPDB will need its own documentation to make the Caretaker’s job as easy as possible.

A “buddy system” for new Caretakers was also proposed. If the early nodes are more experienced at system administration, they can help the new Caretakers as they come online. As a bonus, this will help build community among the Caretakers.

Software updates

The question of software updates has troubled other blockchains. Bitcoin has been paralyzed by its scaling debate, while Ethereum has seen a contentious fork creating two rival chains: ETH and ETC.

With these issues in mind, it was agreed that IPDB will take a top-down approach to software updates, with the board setting out required updates. Nodes that are too far out of date will be ignored.

This top-down approach may be controversial, and could even seem to go against the ethos of decentralization. However, in this case there is a community-based mechanism for the Caretakers to choose the board members who will be recommending updates, and to remove those board members if they act inappropriately. We think this is an appropriate balance between giving the organization the power to act decisively and providing the community with recourse if that power is abused.


The generation, management, and revocation of keys was a significant topic for day 2. While there were no major decisions made with respect to key generation or management, critical issues were flagged for further consideration by the board and the Caretakers.

One particularly interesting proposal was that new keys could be generated by dedicated hardware devices, and only in the presence of an existing Caretaker. This would further the “buddy system” and ensure that generation was done according to acceptable standards.


When the meeting wrapped up on Friday afternoon, everyone was exhausted but happy. We had worked hard for two straight days, but we left even more excited about the possibilities than when we had arrived.

There is a lot of work left to do, and there are many more long days and nights ahead of us. But after this meeting, it was clear to everyone involved that IPDB is a reality, and the IPDB Foundation will be ready to govern it.