A while ago I was discussing the issue of how many wallets do not handle multisig transactions very well (or at all), and I believe that one of the major reasons why is that each service/wallet needs to create its own multisig coordinator to handle them, or explicitly delegate to an existing service. But what if we put the power back into the hands of the people, so to speak, to choose how they want to handle multisig transactions. Every use case is different, so maybe it makes sense to allow users to decide what service should handle their multisig. It could be an internal accounting service where unsigned transactions aren't made public, it could be a completely open multisig service like @dzham 's Hydra or Constellation, or a bridge to a tool like @MisterTicot 's cosmic.link -- or it could be a niche security service like StellarGuard. After some discussion about adding StellarGuard support to the Account Viewer ( https://github.com/stellar/account-viewer/pull/68#issuecomment-411414041 ) we talked about some possibilities to making this process agnostic to any particular vendor and came up with the following sketch of what it might look like: Look up a data field on the account that is originating the transaction. EX: "multisig_coordinator" 1a) If that field does not exist, do not continue with this process. That field should be a domain that has a stellar.toml file. EX: "stellarguard.me" The stellar.toml file contains a separate field for multisig_endpoint or something similar. EX: MULTISIG_ENDPOINT=" https://stellarguard.me/transactions/new " Submit the transaction to that endpoint in a standardized format (details TBD, but probably POST xdr or a SEP-0007 style URI, maybe with some callback) That service is then responsible for coordinating the rest of the signatures, and then submitting to the Stellar network once the transaction thresholds are satisfied, or possibly submitting a callback. Details of how the coordination is done is up to the service itself. Basically, the idea is that users that want to use multisig will explicitly opt in to a multisig service by setting that data field in a way that fits their needs (this is similar to the way that StellarGuard adds an inactive signing key to indicate that the user wants to use StellarGuard) I'd like to start collecting some feedback on this idea, and if it has merit I'll propose it officially as a SEP.

StellarGuard Hi, I may have a good news for you. I'm working on a SEP for on-chain signature sharing. As you may know, oc-multisig is configured by up to three account entries (on-chain): config:multisig holds the public key for collection account config:multisig:network holds the network on which collection happens (public, test or passphrase) config:multisig:server may be used to pass the URL of an horizon instance Now the SEP specify that oc:multisig can eventually something else than a public key, in which case network and server fields should point to an off-chain signature & transaction service. The goal is indeed to introduce support for services such as Dhzam one. I'm going to publish the proposal I a couple of days. I think we could work together to refine the off-chain support.

A vendor-agnostic way to bootstrapping multisig coordination

StellarGuard

A while ago I was discussing the issue of how many wallets do not handle multisig transactions very well (or at all), and I believe that one of the major reasons why is that each service/wallet needs to create its own multisig coordinator to handle them, or explicitly delegate to an existing service.

But what if we put the power back into the hands of the people, so to speak, to choose how they want to handle multisig transactions. Every use case is different, so maybe it makes sense to allow users to decide what service should handle their multisig. It could be an internal accounting service where unsigned transactions aren't made public, it could be a completely open multisig service like @dzham's Hydra or Constellation, or a bridge to a tool like @MisterTicot's cosmic.link -- or it could be a niche security service like StellarGuard.

After some discussion about adding StellarGuard support to the Account Viewer (https://github.com/stellar/account-viewer/pull/68#issuecomment-411414041) we talked about some possibilities to making this process agnostic to any particular vendor and came up with the following sketch of what it might look like:

Look up a data field on the account that is originating the transaction. EX: "multisig_coordinator"
1a) If that field does not exist, do not continue with this process.
That field should be a domain that has a stellar.toml file. EX: "stellarguard.me"
The stellar.toml file contains a separate field for multisig_endpoint or something similar. EX: MULTISIG_ENDPOINT="https://stellarguard.me/transactions/new"
Submit the transaction to that endpoint in a standardized format (details TBD, but probably POST xdr or a SEP-0007 style URI, maybe with some callback)
That service is then responsible for coordinating the rest of the signatures, and then submitting to the Stellar network once the transaction thresholds are satisfied, or possibly submitting a callback. Details of how the coordination is done is up to the service itself.

Basically, the idea is that users that want to use multisig will explicitly opt in to a multisig service by setting that data field in a way that fits their needs (this is similar to the way that StellarGuard adds an inactive signing key to indicate that the user wants to use StellarGuard)

I'd like to start collecting some feedback on this idea, and if it has merit I'll propose it officially as a SEP.

MisterTicot

StellarGuard

Hi, I may have a good news for you.

I'm working on a SEP for on-chain signature sharing. As you may know, oc-multisig is configured by up to three account entries (on-chain):

config:multisig holds the public key for collection account
config:multisig:network holds the network on which collection happens (public, test or passphrase)
config:multisig:server may be used to pass the URL of an horizon instance

Now the SEP specify that oc:multisig can eventually something else than a public key, in which case network and server fields should point to an off-chain signature & transaction service.

The goal is indeed to introduce support for services such as Dhzam one.

I'm going to publish the proposal I a couple of days. I think we could work together to refine the off-chain support.

dzham

StellarGuard

Sounds like a recipe for disaster ?

Seriously though, if the initiator specifies a coordinator, everyone else must support it.
So, we're still in a position where wallets have to support all different kinds of coordinating services.

MisterTicot

dzham Well and could make a library that support 2 or 3 reliable protocols with different properties. And if the way to pass transactions/signatures to a server is standardized into a SEP we could leave the doors opens for challengers.

StellarGuard

dzham Mind elaborating on your disaster scenarios?

Right now we are here: https://www.xkcd.com/927/

But where I think this approach could help with that is that your service will define what endpoints to call in the toml file so that there doesn’t actually have to be 8 different client libs that bridge these different services — there can just be a single one that allows you to send to many different services.

Hydra sounds like it will be a great solution for public multisig coordination — but as we discussed in a github issue a few months ago, everyone who uses multisig does it in a slightly different way, so it’s hard to build a one size fits all approach that works. I think this scheme (or any scheme that lets the user decide) provides the flexibility to help with that.

dzham

MisterTicot

What about just collaborating on making one service?
Why does everyone have to compete with everything on Stellar?

dzham

(Re-iterating, the whole raison d'être of a service like Hydra is to be vendor agnostic, to be decentralized -- Cut off one head, there's still ten more servers running.)

MisterTicot

dzham That's exactly the reason why I decided to extend conf:multisig fields usage to use them with off-chain solution: to support Hydra when user choose to enable it.

MisterTicot

dzham Well it's true I've got that bad feeling about each one doing its own thing as well. On the other hand I still think on-chain solution brings its own possibilities as we already discussed, and the solution is ready and functional. I understood Hydra got properties that makes it a better solution in various cases and found this way to make things works together with low friction.

dzham

MisterTicot

Hydra stores collected signatures in a distributed database, and needs direct access to a stellar-core for queries.

Besides, we have different scopes. Hydra tracks (and notifies users of) the signing progress, and (optionally) submits a transaction when it has enough signatures.

dzham

StellarGuard Right now we are here: https://www.xkcd.com/927/

I was just thinking about posting that one before. That's the Stellar ecosystem in a nutshell.

Cajga

dzham StellarGuard (@StellarZac) This is a very negative side effect of the SBC and the possible support that you can get from Stellar.org in case you are "useful" for the community. When we are talking about money everyone tries to build a solution which fits into his vision about how to get more money and it is not really about the best solutions and fun any more.
One way to overcome this is to have an entity which clearly drives the direction. This could be Stellar.org (SEPs are clearly not working well as for example here is the SBC "winner" DKIF SEP without ANY feedback from SDF) or some kind of community "architecture" board/group/whatever.

And to be on topic as well about multi-sig coordination: a reliable decentralized off-chain solution which implements a single protocol is a clear winner above any other solutions (unless SDF decides to implement it in core or horizon somehow).

StellarGuard

Cajga Just to clarify -- this particular post doesn't have anything to do with the SBC or the prospect of money of any kind. Maybe you're speaking in generalities (maybe about the 100 different wallets out there), but this is purely designed to solicit feedback on one solution for a problem that I encountered. Also, as they say: competition breeds innovation. I also don't intend to go building this out and integrating it into StellarGuard without clear support from the community or even the SDF, so at least you won't have to worry about another disparate implementation in the wild.

I do think a system like Hydra will be a great addition to the ecosystem and probably cover a large number of use cases, but this proposal is actually not really concerned about how to do multisig coordination, but is instead about how to kickstart the process off in the first place.

It sounds like in your ideal world, the community would decide on one particular multisig coordinator with a set of features, and then every wallet would be expected to interop with that. I don't think that's a realistic scenario -- someone will always have some set of features that they want out of it (privacy, timeouts, multi-factor authentication, etc...) that the general case doesn't solve for.

If you have some reasons why you think this idea is completely broken/won't work, I really, truly am open to hearing them.

MisterTicot

Cajga

It is unlikely to be implemented in core because it already have lot of computations to handle.

I'm surprised that so few people understand the point of on-chain solution. Beside working fine for average use, this is especially usefull in order to implement various kinds of smart contracts. It's not only about which solution is superior on average: there's simply a range of use case that call for such a tool.

Cajga

@StellarGuard I was talking in general how SBC fuels the "100 wallet problem". It was not related to your proposed solution (that is why I put the "on topic" wording after that).

StellarGuard this proposal is actually not really concerned about how to do multisig coordination, but is instead about how to kickstart the process off in the first place

In my opinion, this is exactly one of the main issues with this proposal. Both in my ideal and real world, multi-sig coordination (for me this includes the kick-off part as well) should be a very simple thing.
The problem is that we have already so many solutions/services which are using or would like to use it and you are trying to find a solution which is flexible enough to satisfy all of them. Your proposal seems to solve some part of this (the kick off part ? ) but does not solve the remaining parts which will cause other issues like:

different implementations of the remaining part of the "multi-sig" coordination problem. Someone will want links someone will want XDR in POST, someone will want a newer version of the "link protocol" which includes something else as well. Even if you release some well written easy to use libraries someone will have a new idea and if the system flexible enough to incorporate it, there will be always new implementations. And as @dzham said, everything will have to be supported by all the services which would like to use this "flexible" coordination.
what if multiple services which are implementing their own protocols are required to be involved in one transaction. Each multi-sig coordinator will need to be able to now how to behave with other multisig coordinator in these cases
most of the entry-points will be centralized endpoints. Even if they use the same libraries and protocol implementations they may differ from the need of error handling point when they are down. Some may implement some persistent queuing mechanism in front to make sure that he can do the signing if one of his micro service is down for some time but some will need you to resend the transaction again

In my opinion, we need to step back one step (do not try to support all the existing solutions/service) and have a solid foundation for multi-sig coordination with a single and simple protocol and adjust the existing services (or write new ones). Like, if it would have been included in core from the beginning.

A reliable, decentralized service which does this sounds a really good direction to me. dzham's Hydra seems to be a good candidate for this but we do not know enough details yet to be able verify this.

MisterTicot

Cajga

what if multiple services which are implementing their own protocols are required to be involved in one transaction. Each multi-sig coordinator will need to be able to now how to behave with other multisig coordinator in these cases

A logical answer is that the transaction source account define the signature coordinator for that transaction.

Once again the point of @StellarGuard proposal is not to make a forever-extending library supporting all possible coordinators. On the contrary, it is to harmonize the way coordinator are setup by users and supported by wallets. Whatever way you put it someone may come with an interesting alternative at some point, and that's actually a good thing. So this proposal is a step toward not having to implement multiple protocols by giving a way for new services to be directly compatible. Now you can tell it's not solving it completely. That's right, but I can't tell how it is a reason not do it.

There's a thing I don't get: why thinking that this would oppose to Hydra anyway? That's simply not the case. It could very well be a way to propel it. Because in any case competing solution are already existing and Hydra is simply one of them. You're not going to impose it to the hundredth wallets by force, are you?

I noticed that devs often expect that their solution is going to be the only one that everybody will use because it is they best. While it make sense for low-level standards, it's unrealistic when it comes to external services.

Cajga

MisterTicot

MisterTicot A logical answer is that the transaction source account define the signature coordinator for that transaction.

Theoretical example: the transaction source account is naming hydra as transaction coordinator. But one of the accounts who has to sign the multi party transaction wants to use a second key to sign and this signature is coordinated by 3rd party service coordinator (like stellarguard) so there should be a point when hydra should hand over the transaction to the 3rd party coordinator which coordinates the signing.

MisterTicot why thinking that this would oppose to Hydra anyway?

I've never though about it like that and I believe I did not write (or at least did not want to) anything which says this. This proposal would fuel multiple implementations which is not good in my opinion, that's all.

MisterTicot I noticed that devs often expect that their solution is going to be the only one that everybody will use because it is they best. While it make sense for low-level standards, it's unrealistic when it comes to external services.

This is the key point here. For me the multi-sig coordination is much more a low-level protocol than something which should have multiple external implementations. The best would have been to have it fully built-in in the core but having a decentralized off-chain solution is pretty close to that.

MisterTicot

Cajga

Theoretical example: the transaction source account is naming hydra as transaction coordinator. But one of the accounts who has to sign the multi party transaction wants to use a second key to sign and this signature is coordinated by 3rd party service coordinator (like stellarguard) so there should be a point when hydra should hand over the transaction to the 3rd party coordinator which coordinates the signing

This could happen as well with one source account using 2FA and one transaction coordinator, so this is not tied to that specific proposal.

StellarGuard is not a signature coordinator: it is a two-factor authentication service. In this context, it is basically a co-signer and should behave as such. There's also the fact that two-factor authentification should happens when source is signing, not at a later time. Then the signatures should be sent to the coordinator, either by the signer wallet or by Stellar Guard itself. There's no reason for Hydra to pass signatures to StellarGuard.

More generally, for a transaction with multiple sources that have multiple signers, every signer would send transaction to the transaction source coordinator. This is a neat way to harmonize things over wallets, as we neutralize their power to impose their own coordinator.

This is the key point here. For me the multi-sig coordination is much more a low-level protocol than something which should have multiple external implementations. The best would have been to have it fully built-in in the core but having a decentralized off-chain solution is pretty close to that.

Well I think I agreed with that, as it was also the conclusion last time we did discuss the subject.

However, practically it ends up to be an external service which means that various wallets now use different solution, and none of those solution actually got the authority and credibility to impose itself as the only one.

Now the only way I can imagine to put things back together is to having a well-defined abstraction to achieve inter-operability.

So my point is that we should start from were we are, not from were we should have been. And that implies a bit of cooperation...

I'd like to expose my situation to bring some light on the core issue being discussed here.

I wrote a genetic signature sharing mechanism that works fine. You couldn't make anything closest to a native implementation, so I think it is very good. As a user, it's exactly what I want.

Now, as a wallet developper I know that supporting only my solution would lead to further fragmentation in the ecosystem and I'd like to avoid that. That's why I'm looking for a way to abstract signatures sharing so I can support multiple solution at once and achieve inter-wallet compatibility.

While I think Hydra is a good project on the paper, an answer such as "It is superior, throw your stuff away." is not going to work for me. Actually if we go this way I do think on-chain signature collection is better: that's why I did it. And probably someone else think this or that is better.

So we end up facing the same issue again: either each one try to dominate the scene believing it will achieve a monopoly, either we make an effort to cooperate and make it work across our tools.

It remember me about web browsers history, purposely differentiating themselves and preventing harmonization in an attempt to achieve domination. That's this kind of spirit that leads to fragmentation, not the fact that several solutions exist.

Then the most selfish failed while the most cooperative ones united around common practice and took their market shares ?

dzham

MisterTicot StellarGuard is not a signature coordinator: it is a two-factor authentication service. In this context, it is basically a co-signer and should behave as such. There's also the fact that two-factor authentification should happens when source is signing, not at a later time. Then the signatures should be sent to the coordinator, either by the signer wallet or by Stellar Guard itself. There's no reason for Hydra to pass signatures to StellarGuard.

A 2FA-signer is just another signer. Doesn't matter when it signs, could be the first one, could be the last one, could be the only one that doesn't sign. The important thing is the setup, making sure that the source account won't operate without it.

StellarGuard

dzham Sidebar here - but the reason I require the account owner to sign the transaction first before I accept it is to avoid people being able to submit transactions on your behalf and spamming you with emails.

MisterTicot

dzham I was referring to the fact that the 2FA usual flow is to be validated when signer sign, not at a later time.

dzham

StellarGuard

I'm just saying how signatures work in Stellar. Stellar-core doesn't know that a signer is 2FA or not. They're all the same.

Having a StellarGuard user-flow where the "2FA signer" only signs if the "primary signer" has signed first makes all the sense, and would still work for something like Hydra.