Iām strongly in favor of a possibility to rotate consensus keys. Thanks for opening a topic, @bharvest! How much effort do you think this would take to implement? I could imagine it has quite some influence on the slashing module, right?
This is something I have looked into before. In an ideal world we would be able to rotate both the consensus keys AND the account keys - the latter is hard because the valoper key (thus, the account key) is used as a key in many places; the former I suspect requires changes to both tendermint and the SDK.
The āoldā key however does not need to be kept around indefinitely - only for max_evidence_age if I am correct?
I would say this is a very strong idea for funding from the community pool.
Perhaps an extension of this is that when a validator is tombstoned, they are able to return to signing from the same valoper key (as this is where delegations are registered) by rotating out the tombstoned consensus key (thus not necessarily lose all delegators - nothing stops them from moving away of course)
account key is equal validator operator key. The validator operator key is the permanent identity of a validator so it cannot be rotated.
But I think mapping of account key and validator operator key can be rotated(original account key can submit a tx to map a new account key for controlling the validator operator key) I think this can be another security extension. In short, the account key is just a tool to control the validator operator, hence rotation makes sense.
tombstone intention is to prohibit validator to doublesign several times in short period. Therefore I am not sure it is a good thing that rotation allow revive of tombstoned validator.
if only consensus key changes are recorded in blockchain, it is not a big data to hold. Also as @joe-bowman said, only latest 3 weeks of mapping changes can be keeped.
Whilst this is true now; I believe it is something we have to tackle at some point. It would mean changing all delegations - and other references to the valoper key - at the point of change (so it is computationally heavy - it needs to be an expensive operation), but I donāt think it is infeasible, just a larger challenge than consensus key change
I somewhat agree, but there must be a way to handle repeat double-sign prevention without tombstoning a validatorsā identity (+ brand + reputation, etc.) indefinitely. Perhaps with the ability to rotate account keys does away with this requirement entirely - but this is likely a later discussion
validator operator key only has public key and has no private key to handle the validator
instead, validator owner can map any account key to the validator operator and be able to rotate this handle key.
There is no private key for validator operator so there is no need to rotate the validator operator key, but only rotating handle key is needed.
Also we need to clarify what tombstone can affect the validator and delegator. Does it have to allow validator key rotation to restart validating without changing its identity?? If so, why tombstone exists??
The intention of tombstone is not very clear so it is difficult to clearly define validator key rotation spec.
I really cannot understand the idea of key=account in blockchain space begun by satoshi. If you have a bank account, the acc number(public key of address) is completely independent with the otp key. Users map any arbitrary otp key with his/her account. Otp is Not an account and account is Not a key. Most blockchain key/account structure is really counter-intuitive and wrongly-designed as a financial service.
āIf you lost your private key, it is your fault. Be responsible.ā - this is very irresponsible design of a system. It is a flaw and we should try our best to allow users become āirresponsibleā(at least much less responsible) about his/her private key management. It is the responsible system for users.
Thanks for the points. Both points are definitely necessary condition for this feature.
And we decided to simplify the topic to only rotation of consensus key(not including rotation of validator operator key) because rotation of valoper<>walletkey mapping can be achievable by subkey feature.