On Sun, Mar 10, 2019 at 09:43:43AM +0900, Karl-Johan Alm via bitcoin-dev wrote:
> Keeping the PoW rule and moving the signature would mean DoS attacks
> would be trivial as anyone could mine blocks without a signature in
> them

Sure, but anyone could also just connect their lite client to a trusted
node (or nodes) on signet.  The nodes would protect the clients from
missing/invalid-signature DoS and the clients wouldn't have to implement
any more network-level changes than they need to now for testnet.

For people who don't want to run their own trusted signet nodes, there
could be a list of signet nodes run by well-known Bitcoiners (and this
could even be made available via a simple static dns seeder lite clients
could use).

> On Sat, Mar 9, 2019 at 5:20 AM Matt Corallo <lf-lists@mattcorallo.com>
> wrote:
> > A previous idea regarding reorgs (that I believe Greg came up with)
> > is to allow multiple keys to sign blocks, with one signing no reorgs
> > and one signing a reorg every few blocks, allowing users to choose
> > the behavior they want.
> 
> Not sure how this would work in practice.

This post from Maxwell could be the idea Corallo is describing:

    https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-August/016348.html

I read it as:

  - Trusted signer Alice only signs extensions of her previous blocks

  - Trusted signer Bob periodically extends one of Alice's blocks
    (either the tip or an earlier block) with a chain that grows faster
    than Alice's chain, becoming the most-PoW chain.  At some point he
    stops and Alice's chain overtakes Bob's fork as the most-PoW chain

  - User0 who wants to ignore reorg problems starts his node with
    -signet -signers="alice", causing his node to only accept blocks
    from Alice.

  - User1 who wants to consider reorg problems starts his node with
    -signet -signers="alice,bob", causing his node to accept blocks from
    both Alice and Bob, thus experiencing periodic reorgs.

  - There can also be other signing keys for any sort of attack
    that can be practically executed, allowing clients to test their
    response to the attack when they want to but also ignore any
    disruption it would otherwise cause the rest of the time.

  - As an alternative to particular signing keys, there could just be
    flags put in the header versionbits, header nonce, or generation
    transaction indicating how the block should be classified (e.g.
    no_reorg, reorg_max6, reorg_max144, merkle_vulnerability, special0,
    special1, etc...)

(If something like this is implemented, I propose reserving one of the
signing keys/classification flags for use by any of Bitcoin's more
devious devs in unannounced attacks.  Having to occasionally dig
through weird log messages and odd blocks with other Bitcoin dorks on
IRC in order to figure out why things went horribly sideways in our
signet clients sounds to me like an enjoyable experience.  :-)

-Dave