Yes I’m aware of the disconnect in terms of who exits a coin. That doesn’t affect my point about openness of signing committee, size, participation etc. The whole point of my OP is that my risk as a user is not only my own exit but others’, too. Similarly, my defense, if I have one, is a broad enough participation in the covenant emulation that I can be convinced that 1 of n is strong enough. I think it is strong enough in practice in a one-time-then-delete scenario, with open participation. With both of those being false: not one-time-only signing rights, not open participation, I think it is orders of magnitude weaker and you may as well just use a multisig federation for everything (I might be convinced that’s not literally true … but it seems pretty close!).
We did initially consider designs with a fixed signer set that also allowed anyone to participate in the signing ceremony as a volunteer. But this turns out to be non-trivial and doesn’t actually improve trust assumptions: griefing a MuSig2 signing ceremony is easy, and there’s no way for the rollup to verify that all volunteer signers were actually included. So the attack I mentioned earlier is still possible.
I mean, ROAST exists for this very reason. And I think (though I’d have to search a bit) there have been other proposals for similar robust co-signing protocols.
You might say “ROAST is not battle tested/implemented” (I don’t know), but that brings me to:
Bear in mind: I am not saying that ‘the absence of these other features is not OK’ or ‘the presence of this particular simplified safety valve is not OK’. There’s a reason I opened my post with a reference from the Clementine whitepaper: it’s your design, not only your current implementation, that says an always-live signing committee has the right to exit the coins at any time. (So in that sense the “implementation” section of this forum was the wrong one?). I don’t understand why this design is interesting. The BitVM mechanics appear to be largely cosmetic; the system as a whole does not inherit trust from it because it can (and usually will) simply be bypassed.
Back to some details:
there’s no way for the rollup to verify that all volunteer signers were actually included.
That’s not a good reason to remove openness imo. As I mentioned, you can have real world identities sign over participation; if you don’t see enough evidence that the quorum is heterogeneous you can choose to stop participating. It’s imperfect but it’s vastly better than a closed set which is open to concentrated attack, targetting all coins, over arbitrarily long time.
Also you wrote this in the earlier post. I didn’t respond, but I should have: that doesn’t address the question, surely: “signers verify” means you’re trusting the signers. That’s what we’re discussing (what I’m saying is not really OK).