Den tor 24 maj 2018 01:45Gregory Maxwell <greg@xiph.org> skrev:
I am having a bit of difficulty understanding your example.

If graftroot were possible it would mean that the funds were paid to a
public key.  That holder(s) of the corresponding private key could
sign without constraint, and so the accoutability you're expecting
wouldn't exist there regardless of graftroot.

I think maybe your example is only making the case that it should be
possible to send funds constrained by a script without a public key
ever existing at all.  If so, I agree-- but that wasn't the question
here as I understood it.

I have to admit I not an expert on this field, so some of my concerns might not be relevant. However, I think Wuille understood my points and his reply answered my concerns quite well. I'm only asking for the optional ability to prove you're not using these constructions (because some uses requires committing to an immutable script), and that already seems to exist. So for the future implementations I only ask that this ability is preserved. 

I think such a proof don't need to be public (making such a proof in private is probably often better), although optionally it might be. A private contract wouldn't publish these details, while a public commitment would do so.