Ask questionsFIP proposal: A more secure signature method of worker&post account
In Filecoin network，miners use worker and PoSt account to signature the messages. And the private keys of worker and post wallet have to be stored on the Lotus-miner server or other signature server for a long time. Once the server was attacked by hackers and the private key was stolen, The miner will suffer great loss of asserts.
We proposal a different signature method of worker wallet and post wallet by classifying the messages to protect the miner’s asserts.
In filecoin , there are two main work accounts: worker account and post account.
Worker account: miners use it to submit the PreCommitSector and ProveCommitSector messages when sealing the sectors. During these processes, miners need to provide the pledge of sectors and pay gas fee.（part of gas fee will be payed to the miner which packed the messages and the rest will be burned by transferring to f099）. Usually, these transactions are a kind of contract transfer.
Post account: miners use it to submit the SubWindowedPoSt messages. During these processes, During these processes, miners also need to pay gas fee.（part of gas fee will be payed to the miner which packed the messages and the rest will be burned by transferring to f099）. Usually, these transactions are a kind of non-contract transfer.
So we can classify the transfer messages as follows.
Working transfer : the transaction behavior of miner in the process of sealing the sectors, submitting the Posts and so on. Including providing the pledge of sectors, paying the gas fee.
Financial transfer : the transactions that are not working transfer. Such as miner A transacts to miner B, miner A transacts to individual account, miner A transacts to f099.
Therefore, we can make a definition by smart contract that if Worker account and Post account are doing some working transferring, which are contract transfer, they just adopt the Single signature. However, if they are doing some financial transferring, which are non-contract transfer, they are suggested to adopt the Multi signature.
By this way, we can effectively protect the miner’s asserts from loss when the private key of worker/post account was stolen.
Answer questions arsadmin
@Stebalien Thank you for your reply. As you mentioned I update that what I really want to say is the control key that can be more secure.
In our practical mining, usually we have two control keys. One is used to provide the gas fee when Sealing the sectors (messages linke PreCommitSector and ProveCommitSector), we usually call it gas address. The other one is used to provide the gas fee when doing the PoSt (messages like SubWindowedPoSt), we usually call it PoSt address.
So these two control keys need to have enough FILs to provide the gas fee. Once the miner was attacked by hackers and the control keys were stolen, The miner will suffer great loss of asserts.
So as mentioned above, when the control account send FILs during PreCommitSecotor\ProveCommitSector\SubWindowedPoSt and so on, just Single signature like now, it's OK. we can call these working transfer.
But if the control account want to send FILs directly to someone else with no working messages(like PreCommit\ProveCommitSector\SubWindowedPoSt). These kind of transferring(we can call them Finanical transfer) need to use Multi signature. So even the control keys were stolen, they can't get the FILs in the account.
if there is any doubt, please feel free to let me know.
Related questionsNo questions were found.