Apply suggestions from code review
Co-authored-by: Robert Zaremba <[email protected]>
sunnya97 and robert-zaremba authored Nov 3, 2020
1 parent 2ace2a7 commit 6274240
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion docs/architecture/adr-034-change-pubkey.md
Expand Up @@ -10,7 +10,7 @@ Proposed

## Context

Currently, in the Cosmos SDK, the address of an auth account is always based on the hash of the public key. Once an account is created, the public key for the account is set in stone, and cannot be changed. This can be a problem for users, as key rotation is a useful security practice, but is not possible currently. Furthermore, as multisigs are a type of pubkey, once a multisig for an account is set, it can not be updated. This is problematic, as multisigs are often used by organizations or companies, who may need to change their set of multisig signers for internal reasons.
Currently, in the Cosmos SDK, the address of an auth `BaseAccount` is based on the hash of the public key. Once an account is created, the public key for the account is set in stone, and cannot be changed. This can be a problem for users, as key rotation is a useful security practice, but is not possible currently. Furthermore, as multisigs are a type of pubkey, once a multisig for an account is set, it can not be updated. This is problematic, as multisigs are often used by organizations or companies, who may need to change their set of multisig signers for internal reasons.

Transferring all the assets of an account to a new account with the updated pubkey is not sufficient, because some "engagements" of an account are not easily transferable. For example, in staking, to transfer bonded Atoms, an account would have to unbond all delegations and wait the three week unbonding period. Even more significantly, for validator operators, ownership over a validator is not transferrable at all, meaning that the operator key for a validator can never be updated, leading to poor operational security for validators.
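
Review bot: the revised first sentence of Context now scopes the claim to `BaseAccount` and drops "always", but the rest of the paragraph still talks about "an account" in general, so a reader cannot tell whether other account types are outside this ADR or simply derive their address differently. Consider adding one sentence that states which account types the proposal applies to. While this paragraph is being touched: "it can not be updated" should match the earlier "cannot be changed", "is not possible currently" repeats the opening "Currently", and the following paragraph mixes "transferable" and "transferrable".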

Expand Down Expand Up @@ -61,3 +61,5 @@ Breaks the current assumed relationship between address and pubkeys as H(pubkey)
* Will require that PubKeys for an account are included in the genesis exports.

## References

+ https://www.algorand.com/resources/blog/announcing-rekeying
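
Review bot: the entry added under References is a bare URL with no title and no indication of what the ADR takes from it. Give it link text that names the source (the URL points to an Algorand blog post announcing rekeying) and add a short phrase on how it relates to the decision, so the reference stays useful if the link moves. It would also help to cite it from the section of the ADR that relies on it.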
