Skip to content

← Writing·JUN 2026·5 min

Is your multisig ceremonial grade?

What the internet's Root Key Signing Ceremony teaches us about multisig discipline — and how everyone gets ceremony-grade security.


Time for a little internet history.

In the very early days, the Internet was held together by trusted technical people. One person, hailed the "god of the internet" Jon Postel, effectively managed the DNS root — the master list that tells the world where every domain lives.

Jon Postel with all the TLDs that existed in 1994 on a single chart

In what is believed to be an act of civil disobedience in January 1998, amidst a brewing political battle over who should control the Internet (the U.S. government vs. the technical community), Postel performed a "test." He sent an email to the operators of eight of the twelve regional "root servers" around the world, instructing them to pull their data from his machine at the University of Southern California rather than the government-funded server (Network Solutions) in Virginia.

There was immediate redirection of power. Within hours, the majority of the Internet's directory system was being routed through Postel's server. To the average user, nothing changed, but structurally, Postel had effectively seized control of the Internet and defied the government.

This incident later led to the creation of ICANN, ensuring that internet governance must be decentralized to include different stakeholders, with technical architects around the world maintaining a seat at the table alongside governments. The internet's own "multisig" was created.

Fundamentally, this provided the means for highly skilled experts with governance responsibilities to act efficiently, with the necessary friction needed to control critical technologies. That is what multisigs do.

The internet multisig and the "ceremony"

The internet's "multisig" is the DNSSEC Root Key Signing Ceremony, a process ensuring no single entity can hijack the global directory. At its core is the Root Key Signing Key (KSK), which cryptographically signs the "Root Zone" to verify the authenticity of all top-level domains like .com or .org.

To prevent abuse, control is split among Trusted Community Representatives (TCRs) — global stakeholders who hold physical smart cards. Four times a year, a Key Ceremony occurs in high-security facilities. To access the master key stored in a Hardware Security Module (HSM), a threshold (typically 3-of-7) of TCRs must physically provide their cards.

This creates a physical M-of-N multisig: the DNSSEC root key cannot be flipped without a diverse group of humans, physical keys, and transparent public audits with video evidence.

Administered ceremonially, the custody and power associated with the DNSSEC root key is distributed by cryptography, physical access, human quorum, process discipline and transparency.

Multisigs are critical infrastructure to govern protocols on Ethereum

Ethereum has seen the creation of the next wave of world-changing decentralized protocols. Multisigs were needed as soon as protocol proliferation started.

Today, they are used not only for managing treasuries but also to govern protocols. Protocols like Aave, ENS, Optimism, Worldcoin, and Polygon all use Safe multisigs for protocol governance and upgrades, building their own versions of ceremonies, tooling, and processes.

Some of these protocols will arguably be of similar importance as DNS itself and will control value, data and identities that the world depends on. And they will depend on multisigs.

Everyone gets a multisig, but can everyone wield the power of multisigs?

Today, the Safe Multisig has ~$30B in TVL locked up in multisig vaults. This directly led to huge advances in DeFi and the creation of DAOs, unlocking the ability to manage assets together. A similar story is true for ecosystems like Solana, where the Squads multisig plays a similar foundational role. This effectively meant, that anyone could permissionlessly spin up a multisig and coordinate capital with other stakeholders or themselves.

But, while the Internet's Root Key ceremony relies on air-gapped hardware and ritualistic rigour, multisig management often lacks this "ceremony discipline."

We are plagued by blind signing, where signers approve transactions without verifying, and UI manipulation that tricks users into authorising malicious logic. Many "multisigs" fail due to poor setups (e.g., 1-of-1), operational key pollution (using production keys for everyday tasks), or a "rubber stamp" culture that treats signatures as a formality rather than rigourous audits. Issues extend to other important steps like diversification of signing devices, private key storage, signer rotation rule-sets etc.

Until we adopt ceremony grade tooling, discipline, processes and transparency, we aren't decentralizing power as we intend to.

Ceremonial grade tooling for multisigs is getting ready

A wave of innovation is emerging in the tool stacks that complements multisigs. A non-exhaustive list of tooling in the space of simulation, clear-signing and threat monitoring:

Yes, but how do we give everyone base level security?

Ceremonies are absolutely needed, but we even need more. If we truly are to scale self-custody, the answer to the challenges presented shouldn't only be "more tools" with the expectation that everyone becomes a low level technical expert. We need education, standards and ultimately some degree of abstraction to unburden the user.

Ultimately, we must build economically accountable models for experts to provide the ceremonial value to users, especially the less technical ones.

We need standards to see what multisig signers actually sign. Users need to understand what they sign. The Clear Signing Standard ERC 7730 — just released by the Ethereum Foundation with major signer wallets will go a long way in making transactions human readable.

Safe{Shield} by Safe Labs, has been pushing the boundaries of threat detection and simulation and are shipping improvements. This is what it looks like defending users in an active exploit →

Enter Safenet: the endgame remains a decentralization of the ceremony

Safenet beta was launched earlier this April with an aim to decentralize ceremonial grade rigour. It takes the '4-eyes principle' to an extreme by involving a decentralized set of participants and enforcing security through economics. Safenet will introduce a diverse set of transaction checkers using different threat detection models to provide the diligence, verification, and attestation of each transaction, so everyone can wield the power of multisigs.

As with security, it is never one silver bullet. But a mix of standards, tooling and decentralization is the three-punch answer to make multisigs ceremony grade.

Come to our secret ceremony. If you are in Berlin during the blockchain week, we are organizing a small matcha ceremony to talk about treasuries, protocols and ceremonies informally. DM me to be invited.

Special thanks to marco, Julian Grigo, rsquare and Tobias Schubotz for feedback and contributions.


Originally published on X.