Allow node operators to update validator account keys

[anilcse]

Summary

Currently, the validator account key is mapped one-time and cannot be changed/updated. This Account key is the only source for multiple validator specific actions like withdraw commissions, editing validator, unjail etc which are in the interest of automation for validators (who doesn't like automation? 🥇). But it is proned to be compromized when automating these actions, risk vs reward, many may not consider automation as an option. This is just one case where we might need to expose account keys to scripts/software and there could be more.

Problem Definition

If these keys are compromized for some reason, there's no way for node-operators to recover from this loss irrespective of how secure their validator keys are, ..... I agree private keys are means to be not-compromised. But, if there's a way for recovery, we should definitely allow that considering human-mistakes in the software world! A one and only authorized key should not be the only solution for node-operators. Validators are the heart of the system, the community should protect them too. There can be ways to protect against threats. As long as the node operator can prove their ownership via a defined process, this should not be a limitaion and should allow them to update their keys anytime.

Proposal

I was thinking about this from a node-operator perspective and thought of putting it it everyone's notice. Following strategies might work (there could be better ways):

Option-A: Allow MsgAuthorization to create an authorizer to a new key and authorize it to do perform all sort of actions. This new key will have all the permissions as the original account but original account cannot perform any actions directly. Only newkey will have the permission to do any actions but on behalf of the oldkey

Option-B: Create a gov process to allow validators to approve a node operator's new account address as the owner for that node. Any valdiator can create a transaction MsgSuspendValidatorAccount, which will flag the account and cannot allow any transactions unless the gov proposal goes through / fails.

Potential Issues:

• Tracking singing info

P.S: We can even think about delegated prevotes, precommits.

---

For Admin Use

• Not duplicate issue
• Appropriate labels applied
• Appropriate contributors tagged
• Contributor assigned/self-assigned

[alexanderbez]

What is an account key? Validators have a consensus keypair and an operator keypair. This seems like a duplicate of #3863.

[anilcse]

What is an account key? Validators have a consensus keypair and an operator keypair. This seems like a duplicate of #3863.

Ah, you are correct @alexanderbez , I missed it in my search somehow. Yes, I was referring to operator keypair.

[alexanderbez]

No worries @anilcse. Feel free to add anything to that issue if you feel anything is missing 👍

[zakarialounes]

Why this issue is closed? Could be very useful!

[alexanderbez]

Because it's a duplicate of #3863