Accidental double-signing mitigation

[amrali]

In tendermint/tendermint SocketPV.SignProposal and SocketPV.SignVote do not mitigate accidental double-signing (e.g., validator node crash before committing to WAL). Is it correct to assume that responsibility will be left to the CKMS/signer implementation?

If that's the case, will rpc::Request expose the vote's or the proposal's HRS as member variable(s) before launch? And will session::Session::sign support similar mitigation logic to FilePV.signProposal or FilePV.signVote in tendermint/tendermint?

I'm trying to get a sense of direction to follow.

[tarcieri]

Some discussion about that here:

tendermint/tendermint#1185

tl;dr: not before launch, but this is absolutely on the radar.

[amrali]

I'm afraid that's not what I'm addressing. Even with a single KMS instance (no HA, not even active/passive, just a single naive KMS) there must be a way to protect against accidental double-signing situations (similar to work done at FilePV), otherwise a node crash before committing to WAL means a validator getting slashed.

This is already available at FilePV.checkHRS, there just needs a similar version to add at SocketPV at tendermint core or at rpc::Request here. I'm asking which place should/will have that mitigation logic code (i.e., checkHRS). Are you saying we'll launch without any?

[tarcieri]

I have discussed keeping a checkpoint of the last signed block on the local filesystem for MVP with @ebuchman awhile ago, however the exact details of how that will work are still TBD.

We will definitely have something at launch.

[tarcieri]

I posted some tentative launch and post-launch plans on #60. I think they should address the use cases described here and in #29 (i.e. storing block height in an external database).

Closing this in favor of #60.