-
Notifications
You must be signed in to change notification settings - Fork 3.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow node operators to update validator account keys #7356
Comments
What is an account key? Validators have a consensus keypair and an operator keypair. This seems like a duplicate of #3863. |
Ah, you are correct @alexanderbez , I missed it in my search somehow. Yes, I was referring to operator keypair. |
No worries @anilcse. Feel free to add anything to that issue if you feel anything is missing 👍 |
Why this issue is closed? Could be very useful! |
Because it's a duplicate of #3863 |
Summary
Currently, the validator account key is mapped one-time and cannot be changed/updated. This
Account
key is the only source for multiplevalidator
specific actions like withdraw commissions, editing validator, unjail etc which are in the interest of automation for validators (who doesn't like automation? 🥇). But it is proned to be compromized when automating these actions, risk vs reward, many may not consider automation as an option. This is just one case where we might need to expose account keys to scripts/software and there could be more.Problem Definition
If these keys are compromized for some reason, there's no way for node-operators to
recover
from this loss irrespective of how secure their validator keys are, ..... I agree private keys are means to be not-compromised. But, if there's a way forrecovery
, we should definitely allow that consideringhuman-mistakes
in the software world! Aone and only
authorizedkey
should not be the only solution for node-operators. Validators are the heart of the system, the community should protect them too. There can be ways to protect against threats. As long as the node operator can prove their ownership via a defined process, this should not be a limitaion and should allow them to update their keys anytime.Proposal
I was thinking about this from a node-operator perspective and thought of putting it it everyone's notice. Following strategies might work (there could be better ways):
Option-A: Allow
MsgAuthorization
to create an authorizer to anew key
and authorize it to do perform all sort of actions. This newkey
will have all the permissions as the original account but original account cannot perform any actions directly. Onlynewkey
will have the permission to do any actions but on behalf of theoldkey
Option-B: Create a
gov
process to allow validators to approve a node operator's new account address as the owner for that node. Any valdiator can create a transactionMsgSuspendValidatorAccount
, which will flag the account and cannot allow any transactions unless the gov proposal goes through / fails.Potential Issues:
P.S: We can even think about delegated
prevotes
,precommits
.For Admin Use
The text was updated successfully, but these errors were encountered: