Please note, community questions taken verbatim unless otherwise indicated.
Question: We went through your audit requirements from “The Great Celo Stake Off: The Details” and I noticed that you have in plan to support Ledger Nano X. Not sure if HSM is going to be supported as well.
Anyway, my main concern is related to Ledger Nano X capability to be able to sign 24/7 transactions if this is going to be the only one supported. I mean Nano X was not designed for this purpose. It has a retail purpose. HSM was designed only for that which makes it a better option, expensive one, what so ever.
Also if you opt for a dedicated machine on a data center, instead of a colocated one, most of the services are not accepting to plugin your Ledger even if the machine itself has an internal USB port. The main reason is the wire connection. It applies for a colocated machine as well, since the wire connection represents a risk, still.
What plans do you have to mitigate this risk, besides adding to the machine a hot standby Ledger? Are you going to support the HSM?
Answer: Specifically, the plan is to support the Ledger Nano X for BLS signatures, which are used in the last step of consensus. These signatures can be computationally expensive, and the fully programmable HSM space is pretty small.
From the available options, the Nano X seems to be the most suitable hardware device capable of supporting BLS signing over the curve used in Celo (BLS 12-377).
There are a few more fully programmable, performant, secure hardware options possibly coming in 2020 that may also be suitable for this task.
Question: Any hints with regards to this statement just for researching purposes “There are a few more fully programmable, performant, secure hardware options possibly coming in 2020 that may be suitable for this task.” ?
Answer: I think NXP has a relatively new secure processor that folks are excited about.
Question: Any plans to support cloud HSMs (like AWS)
Answer: The challenge with cloud HSMs is that they are generally proprietary, which requires influencing the roadmap of the company designing and producing those HSMs. Suggestions on how to get BLS 12-377 support for those HSMs are welcome!
Question: Do you recommend having a 4 vm setup? validator, proxy, attestation and accounts all on separate instances? also do you recommend all instances to be 4cpu/8g ram?
Answer: The C Labs team would definitely recommend the first 3 nodes to run on separate machines. Since Celo is launching with a capacity of 100 validators, these play an essential role in the security of the protocol and their hardware set-up should reflect that. Eventually, the protocol will support multiple proxy nodes per validator, which means that proxies will spin up and down as needed and thus should not be running any other critical services. For the validator, the optimal setup is to run in a colo, but it will work to run in a VM.
For the accounts node (“local machine” in instructions), I would do whatever you believe leads to your account keys being the most secure. In my opinion, this would be running the node on a machine that you have physical access to, and keeping your keys on hardware wallets (not yet supported in Dec 2019). Note that the accounts node does not need to continue to run after the validator is set up, as it’s only used to broadcast the transactions that configure the validator.
Question: Can we request more gold during the TGCSO to test different scenarios
Answer: Unfortunately not. In order to make the Stake Off fair to all, teams get the same amount fauceted for the duration of the Stake Off.
Having said this, the faucet amount should allow teams 4,000 cGLD on top of min required lockup amounts to play around with. Also, if you’re validating and voting with locked gold, you should be getting epoch rewards, which you are free to use as you like.
Question: Under what name is the validator listed on ethstats?
Answer: It should be <YOUR_VALIDATOR_NAME>-proxy.
The name is configured in the “--ethstats” flag that is used when running the validator node.
You can also set the name with the CLI if you didn’t do it during set up or want to change it: celocli account:set-name <YOUR_VALIDATOR_NAME>
Question: Can we share a single attestation service btw multiple validators ?
Answer: Ideally not. The recommendation is one attestation service per validator.