Jeremy Welch (CEO Casa) and Jameson Lopp (CTO Casa) re join me in this episode to talk about Casa Wealth Security Protocol and Casa Keymaster. We talk about various points related to securing your Bitcoin: 

  • Design Principles and Decisions
  • Key risks
  • Casa Keymaster and Basic Multi Sig set up
  • Multi sig, multi location, multi device
  • Going seedless
  • Privacy
  • Roadmap

Casa, Jeremy and Jameson links:

SLP Bitcoin Custody Series:

Sponsor links:

Stephan Livera links:

Podcast transcript sponsored by

Stephan Livera: Jeremy and Jameson, welcome back to the show.

Jeremy Welch: Stephan. How are you man?

Stephan Livera: I’m Good,

Jameson Lopp: great to be here.

Stephan Livera: So, we are recording here in Riga, just before the Baltic Honeybadger 2019. So, yeah, look guys, I wanted to get you guys back on and talk about the Casa security or Casa wealth protocol rather, and also just, what’s going on with Casa these days. So, maybe, Jeremy, you just want to just give a quick overview on where the company’s at and what’s going on.

Jeremy Welch: Sure. So, just this past week, or about a week ago, we released this, Casa wealth security protocol. We’ve had some other updates around the Multisig side and also around Sats app and around, some updates to the node. But one of the biggest things we’ve done in the last few weeks, is release this document that really expands through the full security model, the features that we chose. We actually chose to go ahead and elucidate all of the features that we didn’t choose to use too, because there are specific reasons why we did those and this should just help.

Jeremy Welch: There’s a lot that we usually walk our clients through. Anyone that comes to us, they… most of our clients actually know all the things that are in this doc already. But for the kind of majority of the population, majority of the bitcoin community, they’re not aware of this. And we just thought that putting it in a document form, making it really easy to access and then also update. And as we learn, as we work with customers, we’ll update this from year to year, but it makes it really easy to kind of have a kind of ruleset to really, kind of gauge against. So-

Jameson Lopp: Yeah, I mean this is part of what I think is like the real value add of Casa as a system where we have focused a lot on both the technical and the like user interface design, such that a user could just come into Casa and start using it, and basically have this huge benefit of the wealth of knowledge of like 50 pages of technical decisions that have been made around the security model. But of course we have people who are securing a large amount of wealth, within our system and in many cases they want to then further dig down into, to actually understanding why the system is designed the way that it is. And this, like Jeremy said, basically explains those decisions that we’ve already had to describe to a lot of our customers over the past couple of years.

Stephan Livera: Fantastic. Yeah, and I’ve had a chance to read through the document. I thought it was really nicely written. In the document, you speak through the three alternatives, right? So you’ve got kind of do it yourself, custodial storage, and then other commercial sovereign storage systems. And another thing that struck out to me is also just the comparison with Glacier Protocol. So my previous interview was with Diogo Monica, the maintainer of Glacier Protocol.

Stephan Livera: And it strikes me, as I was reading the documents, the Casa document, it’s essentially talking about how there are certain trade-offs that we make using Glacier Protocol. Actually one of the key ones is the difficulty of usability and the difficulty of setting up. And I think that’s one thing that I view Casa as doing, is you guys are really helping with the usability of a high security option. Do you want to discuss about that?

Jeremy Welch: Sure. So this… everything we built around the Casa Wealth Security Protocol, is in direct response to, and kind of an extension of the learnings from Glacier Protocol. So Jacob Lyles, who created the Glacier Protocol is on the team, helped us write this document, helped us really pull a lot of the resources together whenever we first built this. But we use, we actually use Glacier Protocol as a kind of, basis to start working from.

Jeremy Welch: And a lot of companies have done this in the past. A lot of, even exchange companies used Glacier Protocol early on as foundations for their cold storage. And we just saw that it’s rock solid, but it’s very hard to implement and execute, and set up a where we wanted something that, usability. If we’d go through kind of our threats and we kind of identified these 13 core threats, one of them is, just working from like what we call a child or pet attack, or these kinds of usability issues of needing to be kind of, idiot proof in a sense, right?

Jeremy Welch: And Glacier Protocol is just really extensive. And so from that perspective, it does, it will always say that, we actually are, I don’t even think we’ve announced that publicly yet, that we are kind of co maintaining with Diogo and those guys with Glacier Protocol.

Jeremy Welch: But we kind of did the learning from there, and then we’ve tried to extend it and specifically, in the direction of where the Anchorage guys and they built a phenomenal product, phenomenal company, and, they’re really focused on the enterprise side. We’re kind of extending in the side of the consumer and the side of the individual small teams, for kind of maximum security. And we talk wealth security instead of just bitcoin because bitcoin is the core focus, and that’s what we’re focused on.

Jeremy Welch: But it’s really, it’s around, bitcoin as data and, these threats are going to be true of any type of data, kind of going forward and kind of personal wealth but–

Jameson Lopp: I think that you could potentially describe Casa as seeking to find the optimal practical security solution. When it comes to security, if you’re really trying to go for like fully trustless fully minimizing the risk of anything going wrong, then you take it to the extreme. Basically, you can get to the point of, well, you basically need to be writing your own software, or at least auditing all the software using, and then even the more extreme as well on the hardware side, you basically need to be like fabricating your own hardware to make sure that nobody has tampered with that.

Jameson Lopp: Cause. I mean, we’re at the level of complexity these days with the hardware that nobody really knows everything that’s going on. And so the question is like, where do you draw the line of, well, I’m going to assume that everything below this level is working and can be trusted. And for us, we’re kind of raising the line a lot higher and saying, well, we are, going to assume that, if we spread out your key generation, and management across multiple different providers, then you’re lowering the risk to a point that you don’t really need to worry about things like supply chain attacks or low level hardware issues.

Stephan Livera: Mm-hmm (affirmative)- Yeah. And to me, even reading the wealth protocol, wealth security protocol document that came clear to me, there was this concept of defense in depth, right? It’s saying, how do you set up your security in such a way that any individual failure will not compromise you totally. That you can afford one failure or before you lose your wealth.

Jameson Lopp: You need to have a more flexible system because bitcoin and the sovereignty that it gives to you is also highly inflexible, and unforgiving when it comes to mistakes. And that’s why it seems like the bigger risk of loss in these systems is actually due to ignorance and user mistakes as opposed to actual attack and theft.

Stephan Livera: Right, yeah. So there’s that idea that you’re more likely to screw yourself out of your own coins if you’re trying to do Multisig and you make a mistake with it. I think even Andrew Chow on the previous episode mentioned that he had difficulties trying to get Multisignature with multi hardware wallets working, and he is himself a quite competent technical developer. So if it’s hard for him, it’s going to be hard for anyone, right? So, there’s definitely some components around that. Let’s talk a bit about the, some of the design principles from the document. So you’ve got here minimal knowledge.

Jeremy Welch: Yeah. And it’s… there’s a lot around minimizing data on Casa. It’s both for privacy reasons, but also for can’t be evil reasons, right? That’s one of our kind of core company principles. But we have a set of system design principles, and anybody, we’re touching on a few things from the document. Anybody can go download this. You just Google Casa wealth security protocol or I think it’s,, I think–

Jeremy Welch: But you can check this out and kind of follow along. But we… there’s a lot more here, but kind of the high level there is that, Alena has this term, from, don’t collect what you can’t protect. And for most companies, most, even just from the side of people exploiting it for their own purposes, this can’t be evil principle is what we’re talking about there.

Jeremy Welch: You need to minimize data. So minimal knowledge just really means that we’re going to have minimal knowledge overall of data period. And usability of security is another one. Just thinking about export support, it’s not just about even like the software, it is about the integrations of the data, but it’s also about working with humans and humans being part of that system too and having experts, sovereignty as a principle. And cinema alignment, again, that kind of aligns with can’t be evil. If we can’t even attack you or an internal, employee can’t even attack you. Then that just changes the logic tremendously if the data’s not even there.

Jeremy Welch: It changes the logic tremendously, versus if a, kind of internal employee, is going to have to be tested regularly whether they want to exploit, data. So like keeping those system design principles, and then looking at the total number of threats. And we had about 13 total threats, that we consider, is how we then chose the kind of selected features.

Stephan Livera: Yeah. And there’s also the principle of usability is security. So did you want to touch on that around how in making it more usable, you actually are making people more secure. So a quick example, I think it’s probably fair to say a lot of people have looked at Glacier but have not executed glacier, because it takes a certain level of patience, diligence to execute. And I think that is a key point from Casa all the way.

Jameson Lopp: Well and basically every step that you have to take is a potential mistake. So, the simpler you can make it, the more, when I think of usability I think of, when we’re building actual software interfaces, that humans are using, you are creating a series of paths that the user can go through. And at Casa, we’re trying to limit it to paths that include the best practices that include a lot of these, security principles so that what you’re really doing is you are trying to throw away as many foot guns as possible.

Jameson Lopp: Within the like infinite number of possible decisions that a user could make when they’re setting up and executing their own storage. So many of these paths make it possible for you to, screw up in a catastrophic way. And we’re basically just trying to create guardrails that prevent the user from even going off onto this pass in the first place

Jeremy Welch: While still maintaining the sovereignty. That was like an important point and that’s why this kind of full system design principles, you have to keep them in balance. And it really does have to be balanced because there are certain things you can do to improve usability, but that take away control from the end user, going fully centralized, it’s way more usable. I mean, let’s be frank. It’s just, Coinbase and just throwing someone a regular login is way more usable on the surface.

Jeremy Welch: But it immediately takes away sovereignty, immediately takes away control. It immediately creates a can’t be evil situation to where, someone could take coins. And so doing that balance of making sure it’s usable while at the absolute extreme that we can while also maintain that sovereignty is really important while minimizing data. And we’ve even gone as far even from the legal structure of the company, the, we have this, open data policy, our privacy policy, we kind of wrote a totally new type of privacy policy.

Jeremy Welch: And, that’s the open source. Other companies can copy that, but we’re trying to go through kind of every step of the way to build up this stack, in terms of the design of the overall system, and the incentives even for the internal employees to again, address these 13 threats.

Stephan Livera: Let’s talk a little bit about some of the, I guess, what are some of the big threats in your mind and what were some of the ones that are most obvious, for the user? So I guess, just off the list here, there’s a few SIM hijacking that’s a big one lately, supply chain attack. That’s something where a lot of people are concerned about that and trying to have different hardware wallets and different software that they’re working with. Data, credential loss, or even, being attacked on your… the platform that you’re using. Did you have anything you wanted to kind of highlight?

Jeremy Welch: Well, I mean I think that, of ones that are listed, the most common one is just simple data loss. And so that’s why we believe having a geographically distributed set of hardware devices that are easy for the user to visualize and think about, how are these actually distributed, that gives you a level of redundancy and robustness that is going to exceed, 99% of other people who are just keeping all their keys in one place.

Stephan Livera: Right. I suppose let’s just for, I think most listeners might have heard the other episodes, but just in case they haven’t, the basic overview, you’ve got the silver and gold, which is the two of three basic Multisig, and my understanding there is they have one hardware wallet, and they’ve got one key on their phone. And then one key is the Casa recovery key in that model, and then taking it up a notch to the… as a platinum and diamond.

Stephan Livera: And that is the $1,800 level and the $5,000 level, that is a three of five set up. We have three hardware wallets in that model. There is one key held on the user’s mobile phone, and the fifth key is held by, it’s the Casa recovery key. So I guess let’s just talk to maybe the two of three model. I think one concern I’ve heard from bitcoiners is that… oh, hang on, does Casa have two of my three key, two of the three keys? How can I be sure that I hold two of three?

Jameson Lopp: Well, you can be sure that you hold two of three. We also have a export functionality, on the mobile key. I suppose, however, it’s impossible to prove that Casa doesn’t have, the mobile key. That is one thing that you would have to “Trust us on.” And so this is another good reason of why there are trade-offs here. We do intend to add ability to have two different hardware devices, so you could then have a greater assurance that you have two of the keys and there’s no way Casa could have two of the three. But right now, that assurance is best provided by the three of five model.

Stephan Livera: Okay.

Jeremy Welch: And we kind of rolled this out intentionally, from the three of five where we were able to, build up a user base and work directly with clients. We have direct client relationships. It is kind of like a private banking relationship. We learn a lot from client preferences. We’ve done a tremendous amount of testing before we rolled it out to people publicly. But then we also learned a ton from even just the first several months. And, we’re now, over a year of being public.

Jeremy Welch: It’s, I guess it’s almost like 1.5 years of being public. And all of that, that wealth of knowledge we’ve kind of scaled up. We always intended to scale. And we actually have, a single key of mobile key as well. That’s, is just, again, it’s a single key.

Jeremy Welch: It’s on the phone that’s actually used in… it’s the same key that’s shared with our Sats app. So, if you want Sats app it’s just really fast spending, and then key masters that kind of fully Multisig. But even the way we rolled that out, as we again started with the three of five most premium multisig, and then we slowly rolled out. We had to have three. We had the single key solely rolled those out. We rolled out the two of three specifically to gold customers first, to make sure that that was usable.

Jeremy Welch: We also… we mentioned before the multi location multi-device multisig model. The reason around that again is in terms of these 13 threats, that model is what mitigates those threats the best. And there’s a weird trade-off, where with the mobile device, if you’re going to use a mobile device, from the principle of the usability side, you actually want to maximize usage as soon as you decide to even use it.

Jeremy Welch: Because of the fact that you can also maximize kind of usability. Now that mobile device as a single device, is your phone is potentially connected to the Internet. We do have customers that choose to keep that off at all times, never really connect to the Internet, and that effectively does act similarly to a hardware wallet. But it’s effective, it’s a really fancy hardware wallet. But we, for most people they keep it as a regular key. And people have asked us about that question too. And what that comes down to is that, it’s also true that Apple or Google and most, it’s either a Google phone or an Apple phone, that people are using. They could even try to exploit that key. And as soon as you put that key on the platform, you want to maximize the features that are available there.

Jeremy Welch: So we’ve done that now on the phone and for the two of three, it’s specifically designed, it’s not designed to hold millions of dollars. It is designed to hold somewhere between, say, $1,000 and around $100,000. Sometimes the last, we do have people that, put even a little less than a hundred thousand dollars on the three of five. Right?

Jeremy Welch: So we have, there’s a range of what people are comfortable with, but, it is designed to be an entry level version of like just getting started with multisig. That’s why we decided, hey, let’s… we will use the, mobile key and then one hardware wallet. And for most people that started using this, they’d never used multisig before. So it was already a learning experience. We had a lot of people that upgraded immediately after and they were like, “Oh yeah, get it now.” Why there need to be multiple keys.

Jeremy Welch: We will be rolling out a version that does have the two hardware wallets, but we wanted heavy testing around just that single version first before we do that. But you know, these are great questions and–

Jeremy Welch: The community has been… is always phenomenal about asking and figuring out these kind of nooks and crannies of questions. And again, that’s why we released this document, is that there’s a lot more, even beyond some of these questions that customers are asking. And so we just want to kind of constantly put these forward and bring these for ourselves and have that level of transparency. And so even as we’re adding more features, we expect to get a lot more of these questions.

Stephan Livera: Yeah, sure. And I think it might be good just for the listeners who are not familiar, just to understand what is the way the mechanism works. So they might be thinking, “Oh, do I need to bring all three keys into one place at one time?” But actually it’s more like you individually do the signatures. Do you want to just talk through the process?

Jameson Lopp: Yeah. So you know, when you’re creating a transaction with the keymaster app actually initializing, it’s like any other transaction. You can scan a QR code, you can manually input data. But, basically you set those initial details of the amount and the output destination, and then you’ll apply your initial signature there with the key that’s on the device. And, most likely while you’re using either, biometric or face id or pin input to basically unlock, the mobile device so that you can access the key which we keep secured, via the secure hardware elements that are on the, phone.

Jameson Lopp: And so then what you have is a partially signed transaction. It’s not valid for broadcasting on the bitcoin network. You then have to go figure out, what other devices do I want to use to add a sufficient number of signatures that it becomes valid.

Jameson Lopp: And, essentially, tap within the app on the device you want to use, and you say, “Hey, I want to add another signature from here.” We’ll then, generate a short lived, unique link that you can use to essentially go find that device wherever it is, plug in into a laptop, click on the link, add the signature, and then continue that process until everything is done. And of course it can get more complicated if you’ve lost devices and need to have, help from Casa, that enters into a different, logical like recovery process.

Jameson Lopp: But, under normal circumstances, you’re basically just going to be traveling around, getting enough hardware devices that you can reach that threshold. And the other thing about making this a really usable system is that we also have health checks available. We have the ability for the user to essentially do key rotations and swap out devices that get lost or broken or compromised without even having to reach out to Casa for help. It’s just a simple wizard that you can walk through within the app.

Jeremy Welch: And this turns into even more of a reason to use the mobile device, is that we realize that people carry their mobile devices with them everywhere and out of any… arguably, sometimes even more than a birth certificate or a social security card or a government ID people keep track of their phones always on their person. And whether it’s candy crush data or, some… maybe it’s a favorite photo or something, they’re valuables, data valuables that are already on those phones and people treat them, very personally.

Jeremy Welch: And they protect those devices. And from that side, people usually have it on them. And so if they’re traveling from one location, say it’s a home to an office or to a this third location that could be even in a different city, they’re going to have their phone on them.

Jeremy Welch: They’re going to use that as a communication tool. And so using that as the guide tool to be totally asynchronous and sign, you could go, you could sign kind of the first one on one day, go two or three days later if you wanted to in a totally different city and signing, and then you’ve maintained the distance between those two signings. And within that time span, that also means an attacker has to maintain that distance.

Jeremy Welch: It is true that an attacker could hold you at gun point or do something more aggressive, but even in that case, they’re still going to have to try and go these distances. And the more time that’s, we’re just raising the bar there, the more time that’s required to go these distances, and the more people, the more places you have to go, the higher likelihood that someone gets caught. Someone gets noticed. You could, whether it’s actually kind of saying safe words and we even have… like that’s part of our service around us as we even have safe words and specific process and emergency lock down buttons and all these other features that are built in.

Jeremy Welch: But it comes to that usability of having the asynchronous nature where you can go different places. But having the usability to where you’re always kind of seeing the command center kind of on the phone.

Stephan Livera: Yeah. I think that’s the other thing is all that maybe… might not be apparent that a customer can sign up in a more pseudonymous way. Can you talk to that?

Stephan Livera: Sure. So, at Casa we are not a bank or a financial institution, we’re a software service provider, within the context of actually managing keys, Casa only ever has one out of n of your key set. And in those keys are always kept completely offline and requires, manual human recovery process to be going through. Usually a process that take can take multiple days. This is also, configurable by each user and how they want that to be done on the Casa side.

Jameson Lopp: But, the general gist of it is that Casa is going to be helping the user help themselves. This is the best way that I know how to put it. The downside to this is that, whenever you’re into a situation, where you are not taking the time or don’t have the level of knowledge that you can do everything all by yourself without asking anyone for help, obviously that’s going to be the best privacy.

Jameson Lopp: But if you want to save time, if you want to have expert guidance, then there has to be some sort of communication. There has to be at least some sort of pseudonymous email address or other communication, end point for us to have back and forth. So while we are not a financial institution and we don’t do AML KYC, we don’t actually care about your government identity. We do need to have some way to communicate with you in case something goes wrong. You know, if like Jeremy said, if you hit the emergency lockdown and we basically refused to allow any signatures to be added for anything, then you’ll need to go through a process in order for us to unfreeze the account.

Jameson Lopp: Or if you lose a sufficient number of devices that you need Casa to dig the cold storage key out and sign it, you’ll need to go through additional processes because at that point, if we believe that you may have been compromised, we need to ask for some other, non identifying questions, but some sort of authentication questions, whether it’s things that, you know, special phrases or words, or even, you know, photos of either yourself or objects or you know, it’s basically any type of unique identifiers that you are comfortable with using. That would be difficult if not impossible for an attacker replicate

Jeremy Welch: You know our lawyers. I will throw out there that, a lot of times, especially around products, you don’t really hear that, “Oh, the lawyers that are really great job of innovating here.” But we really did have a phenomenal amount of help from Gunderson and a few other lawyers, law firms that really helped us. With them a lot of money thinking through what’s the minimal amount of data that we can capture that would still be serviceable, still be… would still match up with any legal requirements in terms of our terms of service and our ability to provide a service, but without needing additional data that could become potentially exploitable. And from that end, we do have a photo verification feature, but you could take a photo of a cup or something else, right? that you’re going to use as, “Hey, like it’s still me.”

Jeremy Welch: You don’t have to take a photo of yourself. All those photos are locked down and are, and you know, internally we have a ton of… this is totally separate. We have a ton of practices around key signing, code signing, commit signing. But we also, lock down those photos and the data information or the information on the customers is also all encrypted separately.

Jeremy Welch: And so even accessing that information is really hard internally from the limited information that we have. But we did kind of reach this, and that’s why we publish the open data policy. Because we reached this kind of what we found to be a totally new level of what could be possible as a company to operate and still respect that sovereignty, and kind of respect the privacy of the end user.

Stephan Livera: Yeah, I mean that’s a great focus. I think the next question is something that most people don’t want to think about, but it’s something we do have to think about. It’s inheritance planning. It’s many people who are bitcoiners they… irrationally, we just think, “Hey, I’m going to live forever.” But how is constant thinking about that, in terms of passing it on for that person’s family or heirs?

Jameson Lopp: Yeah, I mean that’s actually an entirely separate project. I think we briefly touched on it here, but, we’re eventually going to be having probably a very similar document, like the well security protocol accepted. It is specific to inheritance. I mean–

Jeremy Welch: We do have, I mean it’s like we haven’t talked about this publicly, yet. And that’s actually the reason why we approached Jacob in the first place was not actually directly around our protocol. We were like, look like you’ve built Glacier Protocol. He was an old friend of mine and we’ve learned a ton from this. We’ve been thinking about inheritance a lot, and so we do have an inheritance protocol that we have not really announced publicly. I guess it’s out there now.

Jeremy Welch: But we do have an inheritance protocol and similar to the document that you see here, we are mapping this out and we’ve been testing it and you can dive into more of the details, but I guess we should just… if we’re going to address the question, we should probably just talk about it, straight up that we have the–

Jameson Lopp: Right, it’s a similar type of history where, we have been working with clients to best understand what their needs are, and how we can leverage the, traditional inheritance processes to be more compatible with these new technologically sophisticated sovereign setups. And so the, I guess the ultimate conflict between having this ultimate, self-sovereign setup where you’re the only one who has access to it, is that you’re the only one who has access to it. And so, you need to figure out a way that you can have a set of trusted people that you believe will not all collude against you to be able to access your funds, if for whatever reason you become incapacitated.

Jeremy Welch: And we actually do include this as one of the 13 threats is inheritance failure. We view that as a threat that you build up this wealth and then it’s just easily stolen at the end of your life. That’s a problem or that it’s totally lost at the end of your life. There are several unfortunate circumstances. I think Matthew Mellon is probably the largest, I think that’s known. I think that was, I don’t think that was in bitcoin. It was in something else, but it was something like $500 million that was lost. So this is starting to become a real issue. I mean, and we think it does go beyond right now we are focused on Bitcoin, but this is, at some point this is even going to be the legal documents that you have and the photos that you have and all these other digital family heirlooms that you have will also be passed down in a similar way.

Jeremy Welch: So it is a really big problem. There’s a lot of people doing great work here. Pamela Morgan’s been doing great work here. A lot of people. And we’ve tried to take a unique tack in both having our full service and the full protocol that we already have. But then also all the resources that we’ve already spent around lawyers talking to those same lawyers, working with independent customer lawyers, with the state attorneys. We’ve been doing this for, it’s probably been, what, six, eight months.

Jameson Lopp: Yes. This gets a lot more complicated, A, because you have jurisdictional differences.

Jeremy Welch: Right.

Jameson Lopp: And B, because everybody has a different family, a different–

Jeremy Welch: Exactly.

Jameson Lopp: Individual personal setup. And this is why we’ve been going a lot slower on this side where we’ve been trying to figure out, how do we make it customizable for people while still trying to, like I said, minimize those foot gun paths. It gets more difficult to keep people within well-vetted guidance when there is a wider array of possibilities and decisions that have to be made.

Jeremy Welch: And a lot of times your inheritors, they may not even want to keep the bitcoin. Right. And who are you to actually choose for them? If we’re talking about individual sovereignty, who are you to infringe on their sovereignty and their choice? That would be, I think in all of our minds it would be very unfortunate case just depending on timing and what different, everybody pretty much the team and talking about hyperbitcoinization and all this stuff and just like just changes in Bitcoin price. It’s usually just so, one or two days out of the year that have the widest swings. And so the timing could just be horrendous. If someone’s just like, “Oh, I’m not even going to think about this, and then five days later it changes.” But you do still in those cases losing family relationships, losing, these things are more valuable than wealth and are arguably scarcer than even the 21 million Bitcoin.

Jeremy Welch: And so really trying to be very careful about those and thinking about the inheritors and thinking about the, if they want to pass them down, if they want to keep them. Most of them, it’s one thing to educate a bitcoiner on keys and multisig it’s an entirely different thing to educate an inheritor on all of this stuff and even in state attorney. So we’ve been mapping all of that out and really thinking through the onboarding process from both the legal side, the customer side, the direct customer side, the inheritor’s side. And then also even thinking about the regulatory side and how you can minimize data, minimize trust but also satisfy, because there are a lot of requirements when inheritors pass wealth.

Jeremy Welch: And this is the different jurisdictional side. So I think it’ll be a little while longer before we go really public with everything there. But you can expect a similar amount of detail. We started, we actually decided to push out this Casa wealth security protocol because we said hey, the similar level of detail that we’re going through on the inheritance side, we could just address the core multisig and then these two documents would really fit well together.

Stephan Livera: Fantastic. And just while we’re still on the topic of security as well, I think we definitely want to also cover off the idea of being seedless. So that is something that’s probably a little alien to many bitcoiners because the typical set up that they’re thinking of is, “Oh I’ve got my hardware wallet and I’ve got my 24 wallet seed.” What’s the difference with Casa and why seedless?

Jameson Lopp: Sure. So anyone who has set up a hardware wallet before is familiar with that first step where it gives you your 12 or 24 word backup seed phrase. And what we really decided was that when you get through that process, the hardware device basically says, okay, write this down and keep it in a safe place. There’s this entire mountain of knowledge hidden under that simple word keep it in a safe place. Is that, like we’ve been saying basically the entire time now we’re trying to raise up the bar higher so that the users don’t have to think about all of these security considerations of managing these private keys. And essentially a seed phrase is all of the keys to the kingdom.

Jameson Lopp: So if the user has to manage the seed phrase and think about physical attacks and physical loss and all of that, then that just becomes another exponential blow up in the number of decisions that the user has to make. And by just completely throwing the seed phrase out the window and leaving it secured in hardware devices and via secure enclave on a mobile device. It just makes it a lot easier for us to reason about the security model. And since when we’re thinking through the security model, we don’t want to have to trust the user. And the various decisions that they’ve made. That once again, it just, it narrows down the possibilities and the foot guns really. So, it is an alien thing for people who have been in the space for a while. We hope that it becomes a more common thing. But it’s also an alien thing to have a flexible multisig setup that is easy to do key rotations. And that’s the main reason that we believe that seedless is okay, if you pair it with a way to flexibly, replace lost seeds.

Jeremy Welch: And so we wrote, and with full hardware wallets full support I mean, that’s one reason why this is an entire system. It’s not just about the software even the incentive system around a yearly fee for us as a company and providing a level of service. It’s all designed around this long term alignment between customer and company. And we do a lot of things that again, we outlined here in the document, but we do maintain extra stock of hardware wallets. We don’t want to be in a case to where someone’s, you can go order any time from any other company or just buy one off of a store and rotate that in and it works perfectly fine. But we also maintain stock just in case someone, they might be traveling, they might be in an international country to where they can’t typically get access. And we now have global logistics expertise. We have customers in over 60 countries and we’ve dealt with shipping, crazy shipping problems pretty much everywhere around the world now.

Jeremy Welch: And so we now have that access to get you a device if something fails and you need to rotate something in. We’ve built out a full wallet sweep feature, you can go UTXO, by UTXO very detailed, really fast wallet sweeps. And it’s the combination of that with the hardware wallet, ease of use with the mobile key with, and everything built together that makes this a manageable fast response system. But it just really shifts the model, two framings that I use, I think about this is that if you think about, there’s nothing bad, inherently bad about seed phrases. The reason they were designed in the first place is because you were dealing with what was effectively a one of two system.

Jeremy Welch: Where you had the hardware wallet and then you had the seed phrase, but you only had one device and it was a one of one system, right? And by shifting to multisig, you end up in a situation to where you would have five total keys and five total seed phrases and then you’re protecting 10 total items. And because you have this ability to… It’s a three of five. So if you lose one key, it’s okay, you can just rotate and sign with the other keys. That’s something that you didn’t have, that’s a feature that you didn’t have in a case of a single hardware wallet.

Jeremy Welch: So that’s where we adapted this. But the trade off there is that you then have to shift from being, okay, we’re going to protect everything that’s here right now, and just restore you to the exact same state. You have to shift the design of the system to being something that responds rapidly readapts rapidly. And we actually, again, we noticed that out of actually doing direct customer interaction and research, because we looked at when people were actually recovering single Trezors or Ledgers, what they would do is, to say they lost a device. They would lose a device, they would go find their seed phrase, they’d buy a new device, they would reload the seed phrase and they would immediately have a second device that they sent funds to.

Jeremy Welch: And so there’s eight steps there to get to that second device. To send funds to the second device and then they’d wipe the old device. So they’re already doing this key rotation process. They’re just not thinking about it. And we can simplify that down from about eight or nine steps into just three to where it’s okay, one key is lost. Okay, we’re not going to worry about that one anymore. Just rotate in a new key send funds. So it drops it down to three. And although it is a little scary for people that have only used a single key for a long time overall, it’s just much faster.

Stephan Livera: Yeah. So I guess I might just talk through that just for the listeners who might not be clear on what’s going on there. So for example’s sake, the person is using a three of five, and they believe that one of the keys has been tampered with or lost whatever. So you would then have to say that key is now gone and now essentially what you would be doing then is spending out of the remaining set into the new five keys set. Which now has a new hardware wallet instead of that one that has been stolen or lost or tampered et cetera.

Jeremy Welch: Right.

Jameson Lopp: Yeah. The new three out of five set would still have four of the same, public key sets as the previous and you’re just rotating out that one that has been compromised.

Jeremy Welch: But it becomes a totally fresh set of addresses, totally new set of addresses because even with it just that one key different you’re in a totally different domain in terms of your address set and your funds until you’re back to full level of safety. And I do want to mention that we, again, we rejected, there’s a bunch of features, different key schemes that we ended up rejecting. And this is actually one of the reasons why around just general key sharding that we did reject some of that. Is that you lose a lot of flexibility around your recoverability, your ability to rotate, in a case to where you’ve given out a bunch of different key shards, and then you decide, oh, wait a second, I actually need to rotate this.

Jeremy Welch: Then you have to go back and give out a bunch more key shards where if you’ve given out for, you have a lawyer, you have a friend or someone else, you’ve given one hardware wallet to them. You could rotate your other sets of keys and that person could still hold the same device and they don’t have to change a thing, right? But you’re in a totally new address set. You are able to move the funds and that person doesn’t have to do anything–

Jameson Lopp: It’s just a more flexible system.

Jeremy Welch: Way more flexible. And you, there’s just a lot you can do. It doesn’t mean, again, key sharding. It can be great. And even within the context of a full multisig, it can be great. And we’ve thought about some different implementations of maybe taking one key out of your multisig and doing some key sharding. But I think the key sharding as a whole, the other big weakness there that a lot of people haven’t really factored in is that if your key is breached before you do the key sharding.

Jeremy Welch: So if there’s a supply chain attack or there’s any of the kind of 13 attacks we’ve listed, if that key is somehow discovered you may be in a case to where it’s 10 years down the line. Everything is key sharded you never knew that it was ever compromised, but that one time it was compromised, and then 10 years down the line and it doesn’t matter, you’re pwned.

Stephan Livera: You were owned from the beginning.

Stephan Livera: Yeah, you are owned from the beginning you didn’t even know it. And you had all this work where as soon as you do multisig and as soon as you do five fresh key creations, you’ve just completely eliminated that possibility.

Stephan Livera: Yup. And so I guess one of the things there is with, if somebody wants to do, Shamir’s secret sharing and they split it into three of five shards let’s say now it becomes a lot more difficult for them to change after the fact.

Jeremy Welch: Right.

Stephan Livera: That’s one of the, I guess that’s one of the things you’re getting out a shard, but then later maybe I’m not friends with one of those guys anymore. I fall out with him. I have still got to find a way to rotate out of that set and I would now have to go to each of those friends to give them each a new piece.

Jeremy Welch: Right.

Stephan Livera: Whereas in a Casa model, I suppose it’s like you’ve got different hardware wallets and you’re managing it through that and in doing so you could even just completely disregard what you could again, disregard one of those hardware keys and rotate in a new key into that set and now you’re good to go.

Jeremy Welch: Yeah. You could reject an individual one key and replace just that person’s key. Where if you’re talking about a full key sharded set, you would, if you were trying to do the same thing from just a key sharded set up, you’d have to go actually replace everybody else’s too.

Stephan Livera: Yeah.

Jeremy Welch: So it just, it gives you a lot more flexibility. And we have more team based features that are basically around, we have a lot of customers that are either family offices or they’re just families and it’s a spouse or to a brother and sister or if you’re in a small team and we’re building more linkages between how people interact with those keys and how they can view the different actions that are happening, reminders, there’s a ton to build out there. And then again, that ties directly into the inheritance side, and just thinking through this full security model.

Stephan Livera: Fantastic. Let’s talk a little bit about sovereign recovery. So I understand with Casa, there is the sovereign recovery process, which is essentially, it’s an email and you have, I think, is it the xPubs and essentially the redeemed scripts and so on. And you would, the user at this point would pick up Electrum and then they would bring their hardware wallets together and spend into their own set. Can you talk to that process a little bit?

Jameson Lopp: Right. So, in order to spend out of three of five, obviously you have to have three of the sets of private keys. But the thing that I think a lot of people might not know is that you have to have all of the public key sets. So when you initially create a wallet, or whenever you need this information, if you lose it at any time you can export it again from the keymaster app. Will essentially give you step by step guide to use open source software along with all of the public keys.

Jameson Lopp: So then all you have to do is recreate your wallet and then plug in one device at a time and go through a similar type of process to basically sweep all of those funds and then send it to whatever new setup you want. And it’s fairly standard actually if you go to, then we have a copy of the process on there. We’re using completely standard multisig redeem scripts, so there’s nothing special required there. All you really need to know are your specific extended public keys and then the derivation scheme that we use.

Jeremy Welch: And we don’t, one note again, just in the level of detail in that Email, we assume that your Email could be totally pwned compromised. And so there are only two pub keys that are actually sent in the Email that has the full instruction set and then the others you recover either directly from your devices or within the app. But we are really trying to build even that process out. Someone could attack you from that side. So we’ve done that very piecemeal and very carefully too, but you always have full control. So if Casa disappears, if somehow there’s Internet access is limited in your country, there are tons of scenarios and even within these extreme scenarios you can still have full control, but you also get that usability of having a full service, full software sweep full people behind you when things are going well.

Stephan Livera: Fantastic. I think there’s probably just two key things I think. And these again, trade offs that are being made for to make it easy for the user. But I think just for the listeners, just to make sure that they’re aware, I guess they should be aware that one, the privacy aspect, they are doxing their coins to Casa. That’s probably the main, probably one of the big trade offs that they have to consider. They’ve got to obviously entering into it with open eyes because they’re getting the additional security of multisignature.

Stephan Livera: And I think the other one at a more subtle level is this idea of if you run your own node, you are defending your chosen rule set. And theoretically if some, if a company, if you’re with a company and that company decides to go with SegWit2x and so on which chain, which fork would you be on? So some of those questions as well. But I think those would be a trade off that the user thinks about in order to get the additional multisignature and the guidance through the process. Would that be a fair summary?

Jameson Lopp: Sure. At the moment and of course people are probably familiar with the fact that we also sell the Casa node. Now one of the things that we’re doing over time is continuing to integrate all of our products and services together more and more. And it’s definitely a desire we’ve had demand for it for a while and that we’ve wanted to do in the long term is to offload as much of the coordination and trust away from the Casa servers, and actually onto the Casa node. So, I think it’s only going to be a matter of time before you’re able to connect key master to your Casa node much in the way that you can connect Sats app to your Casa node right now. Though that’s sats app is going through lnd, which is talking to bitcoin core. Whereas on the key master side it would be more talking directly to bitcoin core basically to do the verification of receipts of transactions

Jeremy Welch: From the privacy aspect, because this is a really interesting point. There are multiple reasons to want to maintain privacy. Definitely the biggest one is just as a pure attack vector. The second one is just keeping people out of your shit and trying to block transactions trying to block. And that’s for anybody that’s used to KYC, AML, loss of data. You can’t even go spend if you want to, there are numerous cases where people just wanted to go spend 10, $20,000 on buying a new product or a car or house or whatever, and they could barely, they could, it took them awhile to get the money out. Even when they got it out. They were still getting hounded for it, “What are you using this for?”

Jeremy Welch: And majority of people out there in the world are good. There are some criminals, there are even more criminals that use cash than use bitcoin. But privacy is important for people. It’s important. And the way we think about it, again, we minimize the total amount of data. Now on the flip side of that though, on the flip side of the optimizing for privacy, once you come in the door we do think that there will be a world to where you will be able to assume that every, you go into a wealthy neighborhood, middle class neighborhood even some poor neighborhoods, right? It doesn’t matter. People are going to assume that every house in that neighborhood regardless of socioeconomic status has some bitcoin.

Jeremy Welch: And the same way that today you would go to any house and any attacker is going to think, “Oh man, there’s high end TVs probably in these houses.” There might be jewelry, there might be family heirlooms there’s wealth in everyone of these houses. We’re going to reach a state, we think pretty soon within five or 10 years to where that’s just the case. And so I think that the conversation around privacy is going to be something more around you are going to selectively disclose parts, not everything and that ability to selectively disclose certain portions. Some people may feel comfortable actually using their real name and their real Email address. Other people want to not use that. We don’t again require KYC or a driver’s license or anything else.

Jeremy Welch: So you do have that flexibility, but we are going to get to a world to where people, some people will do more or less, but that control is going to be important but almost everybody will have something. And so this idea that of just totally hiding out, and no one ever knowing that you have Bitcoin is going to become harder and harder because everyone’s just going to have Bitcoin. It’s just a question of how much. So I described that whole process because when we were initially thinking about designing the multisig and keymaster in the service. We thought through were like, okay, if we get five, 10 years out, what’s this going to look like and a private banking service is going to give you all the control.

Jeremy Welch: You have all the data control, you make the data choices that are right for you. But for certain people it will be common for some things to be there. And if you want to have a level of service to where you do have a private banking level, you can pick up the phone anytime you can get engineering support, you can get a direct question support on, this one cousin or one brother that you know is terrible technically and you want some extra recommendations on how to use, you don’t even have to say the name of the brother, but there will be certain amounts of information that are shared. And I’m just trying to create the flexibility for that to be there while the customers still have control of their data or control that end choice. But yeah, so that’s the world that we’re trying, that we’re thinking where things will go. And we’ve tried to back into how do we give them as much flexibility as possible while still maintaining privacy, but giving that choice there.

Stephan Livera: In terms of roadmap, I think the Coldcard is a crowd favorite. So, I know there’s been testing on that. You are planning to include that as a potential, as part of the customers set as well?

Jeremy Welch: Yes.

Jameson Lopp: Yeah, definitely. Right now we have ledger and Trezor support. And so people will have either one ledger an two Trezor or two Trezor or two ledgers and one Trezor, basically a mix of the different products there. But of course it would be even better if it was one Ledger, one Trezor, one Coldcard.

Jeremy Welch: And we think, again, as we’ve planned out, we do think there’s going to be a world where there’s going to be 20 different manufacturers. Yeah. There are going to be some maybe smaller manufacturers, maybe medium sized manufacturers. I think that we’re going to get to a world where Samsung and Sony and all these name brand manufacturers are going to have key signing devices. So we’re building for that and getting partially signed Bitcoin transaction support into the system. Being able to fully support Coldcard is a priority. We’re working on that really hard. And we’ll be releasing news around that as soon as, relatively soon. But that is a big request. There’s more integration, so between the node and between keymaster that we’ll do a lot of testing there.

Jeremy Welch: Before that, I think that we will have more news around the inheritance side if people have questions on that or anything else. You just Email and we can touch on any questions around where things are going. But there’s even more stuff around. So we do have in the document, we have a list of remaining attack vectors that we are trying to work around. And we do have mitigations around those, but there’s additional work or even around address spoofing, that we’ve even, one of the reasons why we use mobile keys is it’s actually, it is harder to do address spoofing.

Jeremy Welch: We actually re-derive on both the end client and on the server side, it’s still possible, but it’s definitely minimized. But there’s even more work we can do in simplifying and making it easier to validate addresses across both Casa system and across, say your sovereign recovery set up or another system just before you’re even transferring funds on. And there’s a ton of work to do, but I think that the way we think about this wealth security protocol document as it lays out, the both the remaining attack vectors that we can continue to address and the areas for work, other features that we can add in. And then also we’ve got Taproot and Schnorr and that’s going to make things easier too. So we’ll be, we’re working towards supporting those.

Stephan Livera: When it comes to some of these coming technologies as well. I think the document mentions, some ideas around what could be done with that. I’m just trying to find that now. Yeah, so that’s the one I was keen to ask about. Does multisignature transactions on the blockchain looking like standard transactions with Schnorr signatures as well. So that’s another thing right now where currently multisignature transactions are distinguishable on the blockchain.

Jeremy Welch: Yeah.

Stephan Livera: But hopefully it sort of gets to that point where everything starts to look the same and then it’s a bit more.

Jeremy Welch: And you can analyze traffic even by number of keys, set up of keys. One thing that, even one reason why we mapped out this rollout of three of five and then two of three and then even a single signature is that we actually provide some cover in a sense by having more multisig transactions overall. We actually provide some cover for larger balances or larger customers. And the more people that are using multisig, the more exposure you have from a code perspective. And even from a support perspective of, there’s a lot that comes from more usage. And so I think that this broadening that market is actually an important point around this specific topic.

Stephan Livera: All right, so look is there anything else you guys wanted to bring up? I think we’ve kind of spoken to a lot of different points. So, yeah. If you’ve got anything else that you want to bring up around where, perhaps just where Bitcoin custody is going over the next few years. What does what does it look like in your mind?

Jameson Lopp: Well, I mean, I think unfortunately a lot of Bitcoin custody is going to be institutionalized Custody with trusted regulated third parties, and we see ourselves as fighting against that tide. It’s going to be difficult to do. I think just a lot the big money from traditional finance and investments is going to end up going with that model because that’s what they’re used to or possibly even legally required to do. But this is why we have focused on the individuals more though because there isn’t really anything like that in the traditional financial world.

Jameson Lopp: We believe there’s a much larger gap where, custody with trusted third parties is a fairly well understood thing, that people have been doing that for hundreds if not thousands of years. But trying to take a lot of those principles and make them usable by the average person who isn’t eating and breathing custody day in and day out, I think the, really challenging thing where there’s a lot of value to be gained.

Stephan Livera: Yeah.

Jeremy Welch: Yeah, I think that you can think of it as a historically security and privacy have really almost been like a luxury good. In the sense that there have been titans of industry who own their own banks or there have been queens and kings who had their stash of both food and cash and gold and there have always been these kind of having that level of access, privacy, wealth. It was a select few that had that level of control. And what we’re specifically trying to do, we know that there are going to be institutions that come in and they are going to be institutional products and we’ve laid out the attack vectors that even those institutional products will face.

Jeremy Welch: And some of those will be tested and will fail. And we do believe that a lot of individuals will shift most of their personal wealth into doing some multisig or some self controlled keys because of this, on the long-term. But to get there, we have to, again, if that core problem is that privacy and security have historically been a luxury good and it’s been problematic on or just hard to do, we have to make it easier. And that’s what we’re set out to do is bring that level of wealth control and that level of security and privacy to anyone at any cost. And that goes all the way down. I mean, we’re going to go as far as we can to bring the cost of running multisig service and the options around that as low as possible. So that we can get it to really anyone in the world. And then there will just be differing tiers based on how much wealth you’re storing and the security trade offs around that.

Stephan Livera: Fantastic. Well look, I think that’s I’m going to do it for this one. How about you guys? Tell my listeners were can they find you, obviously I’ll put the links in the show notes, but it’s nice to just speak out the links as well.

Jameson Lopp: I am often on Twitter with the handle @lopp you can also find me and a ton of educational resources about Bitcoin at

Jeremy Welch: Yup. And so I’m @jeremyrwelch on Twitter and then we also have at @CasaHODL on Twitter. And you can, if you have any questions on this stuff, is the easiest resource. Hit us with your hardest questions. Go read the security protocol, try to figure out any flaws you can hit us with all those questions. I mean, that’s what it’s there for. And you can just google Casa Wealth Security Protocol and find that it’s a pdf. It’s really easy to read and that’s what it’s there for. So dig in and let us know your questions.

Stephan Livera: Fantastic. Well, look. Yeah, thanks for the work you guys are doing to help make the bitcoiners out there, more secure and more educated. So, thanks for that and thanks for joining me today.

Jeremy Welch: Thanks for having us on man.

Jameson Lopp: Thanks.

Leave a Reply