Custodian #96

Closed
cedricfung opened this issue Sep 23, 2021 · 3 comments

cedricfung commented Sep 23, 2021

Enable the kernel custodian. The key is a threshold multisig custodian between kernel nodes. And kernel nodes change every day; the custodian can do a new key setup every day.

Another possible solution is to leave the custodian key unchanged, unless a custodian-changing threshold number of kernel nodes have changed. Let's say we have 42 nodes, and the multisig threshold is 29, and the custodian changing threshold is (42-29)/2=6. So if 6 kernel nodes have changed, the custodian needs a new multisig setup.

A kernel node is only considered changed when its custodian identifier has changed. The custodian identifier is similar to the payee key or something, not the same as the signer key.

@cedricfung cedricfung added this to the Stubborn Mayflies milestone Sep 23, 2021
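
The second proposal above (a new multisig setup only once a threshold number of kernel nodes have changed), as an added Go sketch that is not code from the issue or the project. `Node`, the function names and the sample node sets are assumptions; a node counts as changed when its custodian identifier from the last key setup is no longer present, and integer division is assumed because it reproduces the issue's (42-29)/2=6.

```go
package main

import "fmt"

// Node is a hypothetical view of a kernel node; only CustodianID defines a "change".
type Node struct {
	SignerKey, CustodianID string
}

// EvolutionThreshold is (nodes - multisig) / 2; integer division is an assumption.
func EvolutionThreshold(nodes, multisig int) int {
	return (nodes - multisig) / 2
}

// ChangedCount counts custodian identifiers from the last key setup that are gone now.
func ChangedCount(atSetup, current []Node) (changed int) {
	live := make(map[string]bool, len(current))
	for _, n := range current {
		live[n.CustodianID] = true
	}
	for _, n := range atSetup {
		if !live[n.CustodianID] {
			changed++
		}
	}
	return changed
}

// NeedsNewSetup reports whether enough nodes changed to require a new multisig setup.
func NeedsNewSetup(atSetup, current []Node, multisig int) bool {
	return ChangedCount(atSetup, current) >= EvolutionThreshold(len(atSetup), multisig)
}

// sampleNodes builds constructed data: every signer key rotates, `replaced` identifiers change.
func sampleNodes(n, replaced int) (atSetup, current []Node) {
	for i := 0; i < n; i++ {
		id := fmt.Sprintf("custodian-%d", i)
		atSetup = append(atSetup, Node{fmt.Sprintf("signer-%d", i), id})
		if i < replaced {
			id += "-new"
		}
		current = append(current, Node{fmt.Sprintf("rotated-signer-%d", i), id})
	}
	return atSetup, current
}

func main() {
	a, c := sampleNodes(42, 6)
	fmt.Println(ChangedCount(a, c), NeedsNewSetup(a, c, 29))
}
```

When the node count exceeds the multisig threshold by less than two, the formula yields 0 and this sketch would require a new setup on every check, so an implementation would need a floor for that case.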
@cedricfung
Contributor Author

All kernel nodes should have the consensus that when the custodian evolution threshold is reached, they should wait for the new custodian key generation.

The custodian key should be bound to the network-id and the current nodes transactions queue. After the generation, there should be a custodian key evolution transaction snapshot in the kernel.

@cedricfung
Contributor Author

  1. The extra should be the evolution binding message.
  2. Can have multiple outputs; all must be of the CustodianEvolution type.
  3. The output body should be a signature with algorithm name, curve name and hex public key.
  4. The signature algorithm can be Schnorr or BLS, and curve may be secp256k1, edwards25519, or anything.

@cedricfung
Contributor Author

The custodian withdrawal transaction can only be submitted by the domain, and the custodian should then ensure this domain has enough balance and that the balance is not below some threshold.

Let's assume the kernel has a total balance of 100 BTC in the UTXOs, and the domain can't withdraw unless the remaining balance is more than 70 BTC.

Whenever a UTXO is spent on the withdrawal submit transaction, the total balance drops, and so does the threshold.

@cedricfung cedricfung closed this as not planned Dec 20, 2022

2 participants