hojas/BBO/Musig V2 Proposal.md


Summary:
- We move over to Nunchuk multisig, which is safe and way more convenient.
- We start with fresh keys and signers.
- We formalize commitments that signers need to abide by.

# New design

- TLDR: we use nunchuk and its collaborative multisig wallet functionalities.
- For a quick demo of how signing TXs will be like, see this video between 43:52-47:20: https://www.youtube.com/watch?v=K4KrcYWr9G0
- For full details:
	- You can watch the full video on Nunchuk by BTCSessions: https://www.youtube.com/watch?v=K4KrcYWr9G0
	- You can Nunchuk docs: https://resources.nunchuk.io/
- Multisig details (x-of-y) will be defined depending on willingness of admins to be signers.
- A TXs simulation gets done every month with a few signers to "grease the groove" and force signers to prove they are ready-to-sign.
- It is proposed to define a max amount of 0.25 BTC (~7K€) to be held in this musig. If more money appears, I suggest we explore having an even more safe musig besides this one. The details don't need to be agreed upon now, but the max amount should.

# Signer commitments

- I will make my best effort to respond to signing requests in less than 3 days.
- I will keep offline backups of my keys.
- I will keep a backup of the multisig config.
- If I ever lose my backups, I'll let the signer team know immediately.
- If I ever suspect my keys or my devices have been compromised, I'll let the signer team know immediately.

If a signer fails at these commitments, he should either drop his role himself or the signers group should decide if he should be forced to do so.

# Migration plan

- All signer candidates must follow the instructions below, steps 1 to 5 before November 15th.
- Accounting dep creates the Musig V2 wallet.
- Signer candidates fulfill steps 6 and 7.
- Once our quorum is ready, we make a TX to move from Musig V1 to Musig V2. Old signer team signs it and broadcasts it.
- Musig V1 can be discarded.

# Instructions for signers

1. Install nunchuk
2. Make a nunchuk account with an anon email and save credentials for both the nunchuk and email account.
3. Add "signeroflastresort@protonmail.com" to your agenda.
4. Create a new key of type "software key". Back it up offline.
5. Wait for accounting dep to prepare the multisig.
6. Once accounting dep prepares the multisig request, add your key.
7. Once the multisig is created, you create a backup of the multisig configuration in BSMS format (not to confuse with your keys.)
8. Done. Multisig is ready.
stuff 2023-12-09 19:27:21 +01:00
			`Summary:`
			`- We move over to Nunchuk multisig, which is safe and way more convenient.`
			`- We start with fresh keys and signers.`
			`- We formalize commitments that signers need to abide by.`

			`# New design`

			`- TLDR: we use nunchuk and its collaborative multisig wallet functionalities.`
			`- For a quick demo of how signing TXs will be like, see this video between 43:52-47:20: https://www.youtube.com/watch?v=K4KrcYWr9G0`
			`- For full details:`
			`- You can watch the full video on Nunchuk by BTCSessions: https://www.youtube.com/watch?v=K4KrcYWr9G0`
			`- You can Nunchuk docs: https://resources.nunchuk.io/`
			`- Multisig details (x-of-y) will be defined depending on willingness of admins to be signers.`
			`- A TXs simulation gets done every month with a few signers to "grease the groove" and force signers to prove they are ready-to-sign.`
			`- It is proposed to define a max amount of 0.25 BTC (~7K€) to be held in this musig. If more money appears, I suggest we explore having an even more safe musig besides this one. The details don't need to be agreed upon now, but the max amount should.`

			`# Signer commitments`

			`- I will make my best effort to respond to signing requests in less than 3 days.`
			`- I will keep offline backups of my keys.`
			`- I will keep a backup of the multisig config.`
			`- If I ever lose my backups, I'll let the signer team know immediately.`
			`- If I ever suspect my keys or my devices have been compromised, I'll let the signer team know immediately.`

			`If a signer fails at these commitments, he should either drop his role himself or the signers group should decide if he should be forced to do so.`

			`# Migration plan`

			`- All signer candidates must follow the instructions below, steps 1 to 5 before November 15th.`
			`- Accounting dep creates the Musig V2 wallet.`
			`- Signer candidates fulfill steps 6 and 7.`
			`- Once our quorum is ready, we make a TX to move from Musig V1 to Musig V2. Old signer team signs it and broadcasts it.`
			`- Musig V1 can be discarded.`

			`# Instructions for signers`

			`1. Install nunchuk`
			`2. Make a nunchuk account with an anon email and save credentials for both the nunchuk and email account.`
			`3. Add "signeroflastresort@protonmail.com" to your agenda.`
			`4. Create a new key of type "software key". Back it up offline.`
			`5. Wait for accounting dep to prepare the multisig.`
			`6. Once accounting dep prepares the multisig request, add your key.`
			`7. Once the multisig is created, you create a backup of the multisig configuration in BSMS format (not to confuse with your keys.)`
			`8. Done. Multisig is ready.`