Detached Signing Validator Design #819

@MeherRoy

I'd like to propose an idea to make the life of validators easier.

Business Problem

A good validator possesses a large atom stake, is able to set up security infrastructure and validate with low network latency. Individually large atom holders may not be skilled at deploying secure key signing infrastructure. They will need to recruit a Sys Admin to maintain the validating nodes, connect to the network, etc.

For instance, consider a hedge fund manager - financially savvy enough to buy atoms but not skilled at secure key signing infrastructure. A hedge fund manager cannot realistically delegate to an unrelated validator - the operational risk of having their LP funds slashed by an unrelated party is just too big. Hedge fund managers will need to be their own validators.

The interaction between SysAdmins and large atom holders creates a trust issue. Handing over control over private keys to a SysAdmin makes the atom holder susceptible to being blackmailed by the SysAdmin - they could threaten to double sign unless a large side-payment is made.

Securing non-computer savvy large atom validators against the threat of blackmail is an important problem that needs a satisfactory solution.

A potential solution?

A detached signing validator design that separates the following two concerns across two different servers might work:

A. Validating server: Connects to the network, maintains the tx mempool, proposes blocks and communicates with other nodes on the network.

B. Signing server: Only responsible for signing pre-commit and commit headers. Receives "request to sign headers" over RPC, checks that it is not double signing, and then sends the signed header over RPC. Does not validate transactions, create blocks or participate in the network.

If the combination of a validating and signing server can be made, our prototypical hedge fund manager could run the simple signing server themselves, and have the SysAdmin run the validating server. The attack surface of the signing server can be made very small, and the machine can also be physically secure against theft.

Is this a feasible design? What are the latency consequences of detached signing?
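A sketch of the "checks that it is not double signing" step in the signing server described above, added here as an illustration; it is not code from the issue author or from the project. The `Signer` type, the `(height, round, step)` position (with step 1 for pre-commit and 2 for commit) and the in-memory state are assumptions of this example, and the RPC transport is left out.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

var ErrDoubleSign = errors.New("refusing to sign: conflicts with an earlier signature")

// Signer keeps the key and the last position it signed (hypothetical type).
type Signer struct {
	priv             ed25519.PrivateKey
	last             [3]int64 // height, round, step of the last signature
	lastMsg, lastSig []byte
}

// NewSigner builds a signer from a 32-byte ed25519 seed.
func NewSigner(seed []byte) *Signer {
	return &Signer{priv: ed25519.NewKeyFromSeed(seed)}
}

// Sign signs msg only if the position is strictly later than the last one signed.
func (s *Signer) Sign(height, round, step int64, msg []byte) ([]byte, error) {
	pos := [3]int64{height, round, step}
	for i := range pos {
		if pos[i] > s.last[i] {
			// Assumption: a real signer persists this state to disk before replying.
			s.last, s.lastMsg = pos, append([]byte(nil), msg...)
			s.lastSig = ed25519.Sign(s.priv, msg)
			return s.lastSig, nil
		}
		if pos[i] < s.last[i] {
			return nil, ErrDoubleSign // request is behind the high-water mark
		}
	}
	if s.lastSig != nil && bytes.Equal(msg, s.lastMsg) {
		return s.lastSig, nil // same position, same bytes: harmless retry
	}
	return nil, ErrDoubleSign // same position, different header
}

func main() {
	s := NewSigner(make([]byte, 32)) // constructed all-zero seed, demo only
	_, err1 := s.Sign(10, 0, 1, []byte("header A"))
	_, err2 := s.Sign(10, 0, 1, []byte("header B"))
	fmt.Println(err1, err2)
}
```

Because the refusal depends only on state held by the signing server, a compromised or malicious validating server can withhold requests but cannot obtain two signatures for the same position.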
