The trust tradeoff here is interesting. Sigbash gives you policy enforcement (rate limits, vendor whitelists, approval workflows) but at the cost of adding a trusted third party to your signing flow. If Sigbash goes down or turns adversarial, you lose access to that key.
The mitigation — always having a time-locked recovery path — is essential, but it creates a window where your security model degrades. During that recovery period, you're effectively down to fewer keys in your multisig.
The cryptographic blinding (Sigbash can't see amounts, recipients, or policies) is a strong design choice. It means a compromised Sigbash can refuse to sign but can't leak transaction details. That's a much better failure mode than most custodial co-signing services where compromise = full visibility.
For anyone evaluating this: the key question isn't whether the cryptography works — it's whether you trust the availability guarantees. A co-signer that enforces perfect policies but has 95% uptime is worse than one with basic policies and 99.99% uptime.
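The availability-versus-security window described above is easy to reason about with a small model. The following Python is an added illustration, not the commenter's code and not Sigbash's implementation: it assumes a wallet with a "cosigned" path (user key plus co-signer key, always valid) and a "recovery" path (either of the user's own keys, valid only once the coin has aged past a timelock). The key names and the 4320-block delay are constructed for the example. The model answers two questions for any coin age: can the user still spend if the co-signer refuses or is down, and how many key compromises does an attacker need.

```python
# Added illustrative model of a co-signer multisig with a time-locked
# recovery path. Not Sigbash's code; key names and RECOVERY_DELAY are
# constructed for the example.
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class SpendPath:
    name: str
    keys: FrozenSet[str]  # keys eligible to sign on this path
    threshold: int        # how many of `keys` must sign
    min_age: int          # blocks the coin must age before this path is valid (0 = always)


@dataclass(frozen=True)
class Wallet:
    paths: Tuple[SpendPath, ...]

    def live_paths(self, age: int) -> List[SpendPath]:
        """Paths whose timelock has matured at the given coin age."""
        return [p for p in self.paths if age >= p.min_age]

    def authorized_paths(self, signers: Set[str], age: int) -> List[str]:
        """Names of live paths that the given set of signing keys satisfies."""
        return [
            p.name
            for p in self.live_paths(age)
            if len(signers & p.keys) >= p.threshold
        ]

    def min_keys_to_spend(self, age: int) -> int:
        """Smallest number of key compromises that unlocks the coin at this age.

        This is the number the comment refers to: once the recovery path is
        live, the effective threshold drops.
        """
        return min(p.threshold for p in self.live_paths(age))


RECOVERY_DELAY = 4320  # constructed: roughly 30 days of blocks

WALLET = Wallet(paths=(
    # Normal operation: user's hot key AND the co-signer (policy enforced there).
    SpendPath("cosigned", frozenset({"user_hot", "cosigner"}), 2, 0),
    # Recovery: after the delay, any single user-held key suffices.
    SpendPath("recovery", frozenset({"user_hot", "user_backup"}), 1, RECOVERY_DELAY),
))


def cosigner_outage_blocks_user(age: int) -> bool:
    """True if the user, holding every key except the co-signer's, cannot spend."""
    user_keys = {"user_hot", "user_backup"}
    return WALLET.authorized_paths(user_keys, age) == []


def refresh_due(age: int, margin: int = 144) -> bool:
    """True when the coin should be re-spent to itself (resetting the timelock)
    before the weaker recovery path goes live. `margin` is constructed: one
    day of blocks of headroom."""
    return age >= RECOVERY_DELAY - margin


if __name__ == "__main__":
    for age in (0, RECOVERY_DELAY - 1, RECOVERY_DELAY):
        print(
            f"age={age:5d}  keys_attacker_needs={WALLET.min_keys_to_spend(age)}  "
            f"locked_out_if_cosigner_down={cosigner_outage_blocks_user(age)}  "
            f"refresh_due={refresh_due(age)}"
        )
```

Running it shows the tradeoff directly: before the delay an attacker needs both the hot key and the co-signer, but a co-signer outage locks the user out; after the delay the user regains access, and a single compromised key now spends. `refresh_due` models the usual operational mitigation, re-spending the coin while the co-signer is healthy so the recovery path never matures in normal operation.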