Glacier protocol - replace with a more user-friendly multi-sig solution
While I think Glacier Protocol is a very interesting project, I also think it's an example of a highly-technical solution with UX to be desired. I think it seems out of place in the Savings section of the Personal Finance page.
The point of this section is to indicate that the greater the level of security, the greater the level of complexity. Would it make more sense to include an example of a 3-of-5 multi-sig setup? For example, perhaps we portray it as consisting of 3 hardware wallets, 1 mobile wallet, and 1 custodied key. Something like this is easier for the user to set up and maintain, but still conveys the feeling of complexity.
Totally agree Glacier protocol is extremely advanced and very involved.
I'd go with 2 of 3 for savings as the guide is mostly focused on products for individuals. I think 3 of 5 is overkill for an individual and more suited for businesses, trusts etc.
Personally I would have:
- Daily spending: A standard LN wallet with a spending account
- Monthly budget: Standard LN wallet with a separate account with some kind of payment restrictions or just a separation from daily spending accounts funds.
- Emergency funds: Single hardware wallet maybe with a passphrase for extra security
- Savings: 2 of 3 multisig wallet using a mobile app + 2 hardware wallets (or one hardware wallet and one desktop generated wallet as the redundant backup key.)
From the page content:
> It is an extreme example, but it illustrates how complex great security can be.
The reason for having it was to discuss the extremes, as it might be helpful for designers to get both ends of the spectrum presented. But it is not appropriate for savings, as it is categorized now. How about we come up with something new for savings, and keep this extreme setup at the bottom?
@GBKS
From the page:
> This section views Bitcoin through the lens of traditional finance to help us build mental models, define behavioral patterns, and ultimately better understand what kind of products we should be making.
If Glacier is taken out of Savings, which personal finance category does it become assigned to? Do we add a new category beyond Savings?
@Bosch-0 I guess it depends on your threat model and how we define "savings". If we define emergency funds as being 3-6 months salary, I like the idea of 6 months salary being secure from physical coercion; therefore, multi-sig. I think of "savings" as an amount of money ranging from making a down-payment on a house all the way to leaving behind for one's children; therefore, ultra multi-sig, and perhaps one of these keys sits with a custodian or lawyer.
How about "Wealth storage for ultra rich?" 😀 Considering Bitcoin is often described as "Savings technology" I actually like this section to not just provide one recommendation, but show the diverse solutions Bitcoiners have come up with. I'm just rambling though, feel free to take or ignore my input as you see fit to get this page in good shape.
> I like the idea of 6 months salary being secure from physical coercion;
I think for most people hardware wallet with passphrase does this. It acts as a sort of 'pseudo' multisig and also allows for dummy accounts loaded with funds that can be given to an attacker if needed. 3 of 5 multisig is heavily overkill for individuals imo - that's a lot of keys to store, keep track of etc.
Savings can be 1 key on phone, 1 key with lawyer, 1 key in safety deposit box or something. 3 of 5 should be institutions.
> If Glacier is taken out of Savings, which personal finance category does it become assigned to? Do we add a new category beyond Savings?
I'd have it maybe as just a footnote in savings saying something like 'This is how extreme some setups can get' and link off to a deeper dive if readers wish.
How about this? Picking up on Stephen's initial comment:
> Would it make more sense to include an example of a 3-of-5 multi-sig setup? For example, perhaps we portray it as consisting of 3 hardware wallets, 1 mobile wallet, and 1 custodied key.
The savings outlined in that image is overkill for personal finance imo. That's getting more into the realm of treasury / business territory. I'd just make it one hardware signing device and stick with 2 of 3.
Hey @GBKS I am acquainting myself with the codebase, and I understand that you are working on this. But is there anything I can do here? Thanks a lot!
Alright, so how about this?
For emergency funds, recommend the app, hardware wallet + custodial key.
And for savings, go for full self-custody via desktop, app, and hardware wallet.
This allows us to show two different 2-of-3 multi-sig configurations and security models on the page.
@GBKS I like the Emergency Funds. Makes sense: you might need to access it more frequently, so you want to be able to get to it through your smartphone or have the custodied key be used in a pinch.
I find the Savings wallet strange. For something like "savings" which is a use-case beyond just emergency funds, seems like you'd want extra security. Why have 2/3 of the keys in the set running on hot devices connected to the internet? Seems reasonable to have 2 or maybe even 3 hardware wallets.
But I agree with the general principle that they're both 2-of-3 multisigs, just with different devices for each.
Was just having a look at the bitcoin design guide to understand some of these concepts. Would the 1 custodied key be referring to a key that is stored automatically on the cloud? Similar to this image in the guide:
Link
It might then be an idea to include an image of a key in the cloud to match with the page currently in the bdg or refer to it as "automatic cloud backup".
Agree with Stephen for the Savings one; to keep much/some of the setup offline. Perhaps two different suggestions for savings might be an idea. One for the security conscious and one for the highly security conscious.
@sbddesign I like that proposal based on the logic of having two offline devices. Here's an updated image.
I'll put together a PR for this tomorrow. Last call for changes. This seems like a tricky one to get consensus on, but let's get up an improvement on what we have right now, which is the total-overkill Glacier Protocol.
@mouxdesign the custodian key is held by a service provider. For example, a Muun wallet is a 2-of-2 setup. You hold one key, they hold the other one. Both keys are required to make transactions. When you make a transaction, they automatically sign it. Since they only hold one, they can't mess with your funds. But if someone steals your key, you can tell Muun and they will stop signing transactions, rendering the wallet inaccessible to the thief.
OK, I created PR #959 for this. It's different than my last comment above. Main reason is that we have a savings wallet reference design, so we should just use that for the savings wallet example here. Then I turned the emergency wallet example into a 2-3 multi-key with a desktop app and 2 hardware wallets. Reviews appreciated. Thanks in advance for your sharp eyes and whip-smart comments.
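
The trade-offs debated in this thread (online versus offline keys in a 2-of-3, and a provider key that can block but not spend in a 2-of-2) can be checked by enumerating signing quorums. This is an added example, not part of the thread or of the Bitcoin Design Guide; the setup names and the hot/cold/custodian labels are assumptions made for illustration.

```python
from itertools import combinations

# Constructed model of the setups named in the thread. The labels are
# assumptions of this example: "hot" = app on an internet-connected phone or
# desktop, "cold" = hardware wallet, "custodian" = key held by a provider.
SETUPS = {
    "3-of-5: 3 hardware, mobile, custodied": (3, ["cold", "cold", "cold", "hot", "custodian"]),
    "2-of-3: app, hardware, custodial": (2, ["hot", "cold", "custodian"]),
    "2-of-3: desktop, app, hardware": (2, ["hot", "hot", "cold"]),
    "2-of-3: desktop app, 2 hardware": (2, ["hot", "cold", "cold"]),
    "2-of-2: user key, provider key": (2, ["hot", "custodian"]),
}


def quorums(threshold, keys):
    """Every distinct group of key positions that is large enough to sign."""
    return list(combinations(range(len(keys)), threshold))


def analyze(threshold, keys):
    """Summarise who can spend, and what still works after a loss."""
    kinds = [{keys[i] for i in q} for q in quorums(threshold, keys)]
    return {
        # A quorum made only of online keys is reachable by remote compromise alone.
        "hot_only_quorums": sum(k == {"hot"} for k in kinds),
        # A quorum made only of provider keys would let the provider spend alone.
        "custodian_only_quorums": sum(k == {"custodian"} for k in kinds),
        # With no custodian-free quorum, the provider can block every spend.
        "custodian_can_freeze": all("custodian" in k for k in kinds),
        # Losing any single key must still leave enough keys to sign.
        "survives_any_single_loss": len(keys) - 1 >= threshold,
    }


def report():
    """Analysis for every setup, keyed by its name."""
    return {name: analyze(m, keys) for name, (m, keys) in SETUPS.items()}


if __name__ == "__main__":
    for name, result in report().items():
        print(name, result)
```
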