Hi @shleger
We have described the trust assumptions of Canton towards a domain here: Overview and Assumptions — Daml SDK 2.0.0 documentation
Your application will run on a Canton participant node that uses the three services provided by a domain to synchronise the state with other participants (sequencer, mediator, topology manager). It doesn’t matter to the Canton participant whether the domain is implemented on Postgres or on a distributed ledger. The only difference is around the trust assumptions (and obviously ease of deployment and operation).
The contracts themselves are not tied to a domain, but rather can float between domains (preview feature): the domains are more the temporary agreement where changes to contracts will be communicated through.
Therefore, we regard domains to be more like a commodity, like your internet provider. You pick the one you trust to provide the service required. Trust can come from a Byzantine Fault Tolerant (BFT) implementation or from a trusted operator. If you change your opinion on a domain, you move away.
As such, the domain itself doesn’t really know what is being run over it. It doesn’t do any Daml validation nor does it actually have access to the messages that are sent over it. The messages are end-to-end encrypted between the participants and the domain just ensures that if participant1 sends a message to participant2 and participant3, they will receive the message in the same order (guaranteed total order multi-cast).
In that sense, we have consensus happening on several levels:
- consensus among the validating participants about the validity and conflict of the transaction happens always just between the participants (communicating their verdicts via the mediator): PoSH (proof of stakeholders).
- consensus of the order of the “encrypted messages” that are sent between the participants happens on the sequencer (part of the domain).
So your choice of domain only influences the second consensus, not the first.
Therefore, for most applications, a Postgres domain is actually totally sufficient and a perfect choice… And if you change your mind later, you can still setup a BFT domain subsequently.
I hope this answers your question.
Ratko