TSS Node risk control is an embedded risk control mechanism. Before the TSS Node callback is invoked, the risk control policies are applied to each key generation (KeyGen), key signing (KeySign), or key recovery (KeyReshare) request. Only requests that match the risk control policies are approved; all other requests are rejected.
Based on your business requirements, you can decide whether to configure the TSS Node risk control policies.
TSS Node risk control is configured in the configs/cobo-tss-node-config.yaml file. Locate the embedded_risk_control_rules section and refer to the following definitions of each configuration parameter:
    embedded_risk_control_rules:
      enable: false              # whether to enable risk control; false by default
      key_gen:                   # KeyGen risk control policies
        reject_all: false        # true: all KeyGen requests are rejected; false: KeyGen requests are checked against the policies below
        allow_list:              # risk control policies for KeyGen; a request is approved only if it matches a policy
          - threshold: 2         # signature threshold for KeyGen
            node_ids:            # node IDs of the parties allowed in KeyGen
              - <Cobo TSS Node ID>
              - <ThirdParty TSS Node ID>
              - <Customer TSS Node ID>
      key_sign:                  # KeySign risk control policies
        reject_all: true         # true: all KeySign requests are rejected; false: KeySign requests are approved
      key_reshare:               # KeyReshare risk control policies
        reject_all: false        # true: all KeyReshare requests are rejected; false: KeyReshare requests are checked against the policies below
        allow_list:              # risk control policies for KeyReshare; a request is approved only if it matches a policy
          - xpubkey: <EXTENDED_ROOT_PUBKEY>   # root extended public key for KeyReshare
            new_threshold: 2     # new signature threshold for KeyReshare
            new_node_ids:        # node IDs of the parties allowed in KeyReshare
              - <Cobo TSS Node ID>
              - <ThirdParty TSS Node ID>
              - <Customer TSS Node ID>
Do note that <EXTENDED_ROOT_PUBKEY>, <Cobo TSS Node ID>, <ThirdParty TSS Node ID> and <Customer TSS Node ID> must be replaced with the actual values. The angle brackets "<>" themselves should not be included.
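As an added illustration (not Cobo's code), the following Python models how an embedded_risk_control_rules section like the one above could be evaluated against KeyGen, KeySign and KeyReshare requests. The exact-match semantics (same threshold, same set of node IDs, same xpubkey) and the placeholder IDs in the constructed config are assumptions for the example.

```python
# Constructed config mirroring the YAML on the page, with placeholder IDs.
# "enable" is set to true here so the policies are actually evaluated.
CONFIG = {
    "enable": True,
    "key_gen": {
        "reject_all": False,
        "allow_list": [
            {"threshold": 2,
             "node_ids": ["cobo-node-id", "thirdparty-node-id", "customer-node-id"]},
        ],
    },
    "key_sign": {"reject_all": True},
    "key_reshare": {
        "reject_all": False,
        "allow_list": [
            {"xpubkey": "xpub-placeholder",
             "new_threshold": 2,
             "new_node_ids": ["cobo-node-id", "thirdparty-node-id", "customer-node-id"]},
        ],
    },
}


def _matches(rule: dict, request: dict) -> bool:
    """Assumed semantics: every field of the rule must equal the request's field;
    node-ID lists are compared as sets, so party order does not matter."""
    for key, expected in rule.items():
        actual = request.get(key)
        if isinstance(expected, list):
            if actual is None or set(expected) != set(actual):
                return False
        elif expected != actual:
            return False
    return True


def evaluate(config: dict, kind: str, request: dict) -> bool:
    """Return True if the request is approved, False if it is rejected.
    kind is one of 'key_gen', 'key_sign', 'key_reshare'."""
    if not config.get("enable", False):
        return True  # risk control disabled: nothing is checked at this layer
    section = config.get(kind)
    if section is None or section.get("reject_all", False):
        return False  # unknown request type or reject_all: fail closed
    allow_list = section.get("allow_list")
    if allow_list is None:
        return True  # e.g. key_sign with reject_all: false approves all KeySign
    # An empty allow_list approves nothing: a request must match some policy.
    return any(_matches(rule, request) for rule in allow_list)
```

A request that only differs in party order still matches, while one with a changed threshold, a missing party, or an unknown xpubkey is rejected.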