Hi Greg, On Thu, Jun 15, 2023 at 12:39 PM Greg Sanders wrote: > > Would it then still be necessary to restrict the annex to a maximum size? > > I think it's worth thinking about to protect the opt-in users, and can > also be used for other anti-pinning efforts(though clearly not sufficient > by itself for the many many pinning vectors we have :) ) > Thinking about the most restrictive policy that would still enable annex-vaults (which I believe has great potential for improving bitcoin custody) and is in line with work already done, I get to: * Opt-in annex (every input must commit to an annex even if its is empty) -> make sure existing multi-party protocols remain unaffected * Tlv format as defined in https://github.com/bitcoin/bips/pull/1381 -> future extensibility * Only allow tlv record 0 - unstructured data -> future extensibility * Limit maximum size of the value to 256 bytes -> protect opt-in users Unfortunately the limit of 126 bytes in https://github.com/bitcoin-inquisition/bitcoin/pull/22 isn't sufficient for these types of vaults. If there are two presigned txes (unvault and emergency), those signatures would already take up 2*64=128 bytes. Then you also want to store 32 bytes for the ephemeral key itself as the key can't be reconstructed from the schnorr signature. The remaining bytes could be used for a third presigned tx and/or additional vault parameters. Can you think of remaining practical objections to making the annex standard under the conditions listed above? Joost >