Root and publisher key scheme
As part of the audit, we were consulted for ideas on how to address potential design and operational issues. One such topic of discussion was how to design against publisher key compromise. In this situation, a publisher may mismanage their publishing key, allowing an attacker or insider to access the key and begin publishing fraudulent entries to the protocol.
After some discussion and deliberation, we came up with a proposal to have publishers register two keys—a root key and a publisher key. The publisher key would actually allow for publishing entries to the oracle. The root key would only be able to set a given publisher's publishing key. The idea would be that publishers would keep their root key in cold storage, locked away. This would keep the key very safe and away from accidental leakage. Publishers would then use their publisher key on live systems to actually publish entries.
If the publisher key ever needs to be rotated, the publisher can do that entirely themselves by using their root key to configure a new publisher key with the oracle. Optionally, an additional mechanism that lets the root key rotate itself could be envisioned, so that publishers can be particularly careful with the root key if they fear it has been compromised as well.
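The authorization rules of this proposal can be written down as a small model. The following is an added example, not code from the audited protocol: the class and method names are hypothetical, keys are modelled as already-authenticated caller identities, and the rule that the root key and publisher key must differ is an assumption made here so that the root key can never publish.

```python
# Hypothetical model (all names assumed); keys are modelled as authenticated caller ids.
class Unauthorized(Exception): pass

class OracleRegistry:
    def __init__(self):
        self._root = {}        # publisher -> root key (kept in cold storage)
        self._publishing = {}  # publisher -> current publisher key (live systems)
        self.entries = []      # accepted (publisher, value) pairs

    def register(self, publisher, root_key, publisher_key):
        if publisher in self._root or root_key == publisher_key:
            raise ValueError("duplicate publisher, or root key reused as publisher key")
        self._root[publisher] = root_key
        self._publishing[publisher] = publisher_key

    def _require(self, table, publisher, caller):
        if publisher not in table or table[publisher] != caller:
            raise Unauthorized(f"caller may not act for {publisher}")

    def publish(self, caller, publisher, value):
        # Only the current publisher key may publish; the root key may not.
        self._require(self._publishing, publisher, caller)
        self.entries.append((publisher, value))

    def set_publisher_key(self, caller, publisher, new_key):
        # Only the root key may replace the publisher key.
        self._require(self._root, publisher, caller)
        if new_key == self._root[publisher]:
            raise ValueError("root key reused as publisher key")
        self._publishing[publisher] = new_key

    def rotate_root_key(self, caller, publisher, new_root):
        # Optional mechanism from the text: the root key replaces itself.
        self._require(self._root, publisher, caller)
        if new_root == self._publishing[publisher]:
            raise ValueError("publisher key reused as root key")
        self._root[publisher] = new_root

def demo():
    reg = OracleRegistry()
    reg.register("acme", "root-1", "pub-1")           # constructed sample values
    reg.publish("pub-1", "acme", 100)                 # accepted before rotation
    reg.set_publisher_key("root-1", "acme", "pub-2")  # pub-1 is suspected leaked
    def attempt(caller):
        try:
            reg.publish(caller, "acme", 101)
            return "accepted"
        except Unauthorized:
            return "rejected"
    return {c: attempt(c) for c in ("pub-1", "root-1", "pub-2")}
```

After the rotation in `demo()`, the old publisher key and the root key are both rejected when they try to publish, and only the new publisher key is accepted.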