Blockstack Dapp Rating


#1

We’ve had discussions about how we should define what a Blockstack app is, so that we know what to look for when we’re allowing Dapps on our app store (Dapp store?).

What if we had a rating system?

Here’s a rough draft so this makes sense. A dapp might be rated out of 4 points:

  1. You use Blockstack identity correctly (+1)
  2. You use Gaia storage, encrypted where relevant (+1)
  3. Once the app is loaded on the client, you never make an external API call that sends user data to a remote server (+1)
  4. You don’t use marketing analytics software without explicit user consent (+1)

This would be a quick and easy way to express how decentralized an app is.

@yukan @larry @ryan @patrick @xan


#2

Below are the contents of a document @ryan circulated with some initial thoughts as to the definition of a Blockstack Application.


What is a Blockstack Application?
A Blockstack application:

  • Has you sign in with an identity you control
    • (Blockstack Auth)
  • Stores and encrypts your personal data under your control
    • (Blockstack Storage)
  • Uses cryptocurrency for payments
    • (Blockstack Transaction API)
  • Limits and clearly communicates the scope of behavior tracking and data logging
    • (Content Security Policy enforcement)

Qualities:

  • App developer doesn’t have access to your data
  • Lack of trusted third parties

Aspects of privacy:

  • DNS lookups
  • Cookies that can follow me across sites
  • Third parties being able to see the apps I use
  • Behavioral tracking
  • Location tracking
  • Companies being able to see my data in their database

I think a clear narrative is very important so that consumers understand what they’re getting when they use a Blockstack App. A rating system makes it unclear what exactly a Blockstack App delivers. What it delivers depends on the rating and that requires investigation and thought on the part of the user.


#3

Hypothetical: I build an app that uses Blockstack auth and storage, and has enforced a content security policy, but I use Stripe because my current operations process is built around traditional payment systems. It would be a huge pain point for me to switch to cryptocurrency for all payments. Is this no longer considered a Blockstack app?


#4

Another option is to create badges that the app can display for each of the boxes they check. Coins, for instance, could display an auth and storage badge, but not the content security policy badge.


#5

Would definitely prefer badges with features that an app uses. A rating system implies a certain order which might lead developers to use some features the app just doesn’t need. Badges are more formal and meaningful than ratings :slight_smile:


#6

I like this list. I would add one point related to letting you own your digital assets and only using P2P payments. Could be something like this:

“You use blockchains for all payments and digital assets.”

Another point could be added if the app bundle is versioned and hashed and published to a decentralized domain name system. No apps on Blockstack would currently qualify for this but this is where we want to go.

Could also maybe combine the one about external API calls with the one about analytics software since they’re very similar.

Adding on to this… the four main points from my Blockstack Berlin presentation were:

  1. Bring your own device
  2. Bring your own ID
  3. Bring your own data
  4. Bring your own assets

Here’s a proposed updated set of 5:

  1. You use Blockstack identity correctly (+1)
  2. You use Gaia storage, encrypted where relevant (+1)
  3. You use blockchain assets for all in-app payments and digital asset ownership (+1)
  4. You never make external API calls that send user data to remote servers without explicit user consent (including analytics) (+1)
  5. The app is loaded on the client as a hashed and versioned bundle that could be obtained from multiple sources (+1)
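
Added example, not part of the thread and not Blockstack tooling: one way a reviewer could check the "no external API calls" criterion and the "Content Security Policy enforcement" item against the policy an app actually ships. The directive set, the `allowed` list (for instance a user's storage hub) and all hostnames are assumptions made for illustration.

```javascript
// Added example: flag CSP directives that let an app send data off-origin.
// [directive, fallsBackToDefaultSrc]; form-action has no default-src fallback.
const EGRESS = [['connect-src', true], ['img-src', true],
                ['script-src', true], ['form-action', false]];

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (!name) continue;
    const key = name.toLowerCase();
    // Browsers ignore a repeated directive, so the first occurrence wins.
    if (!directives.has(key)) directives.set(key, values);
  }
  return directives;
}

function remoteSources(sources, allowed) {
  return sources.filter((s) => {
    const v = s.toLowerCase();
    if (v.startsWith("'")) return false;               // 'self', 'none', nonces, hashes
    if (v === 'data:' || v === 'blob:') return false;  // no network destination
    return !allowed.includes(v);                       // anything else leaves the origin
  });
}

function auditCsp(policy, allowed = []) {
  const directives = parseCsp(policy);
  const findings = [];
  for (const [name, fallsBack] of EGRESS) {
    const sources = directives.get(name)
      ?? (fallsBack ? directives.get('default-src') : undefined);
    if (sources === undefined) {
      findings.push({ directive: name, issue: 'unrestricted' });
      continue;
    }
    const remote = remoteSources(sources, allowed);
    if (remote.length > 0) findings.push({ directive: name, issue: 'remote', sources: remote });
  }
  return findings;
}

// Constructed sample policy; the hostnames are placeholders.
const sample = "default-src 'self'; img-src *; connect-src 'self' https://analytics.example";
console.log(auditCsp(sample, ['https://gaia.example']));
```

An empty result means the policy only permits the origins in `allowed`; it says what the browser would block, not what the app's code attempts.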