Node going offline without a penalty

After reading details about how nodes will work I have a couple of questions.

  1. Under what circumstances can a node go offline without being punished?

  2. Is it possible to have a spare node to replace a failed node in the event the hardware breaks or otherwise replace a failed node without penalty?

Context for my question

“First, for a node to become a worker eligible to run computations, it must first securely generate an Ethereum compliant ECC key-pair to be used as a persistent identity. This key-pair is generated inside an SGX enclave, and should never leave it. To persist across sessions, we will seal the key in the host’s system.”

This thread discusses the concept of timeouts, and how they can be set in a way that doesn’t add too much latency to the network. The gist of it is that we can set the time-out window long enough, after which a node is penalized, but at the same time we allow nodes to complete computations as fast as they can to collect more rewards. This seems to be a reasonable balance between protecting nodes and ensuring efficiency.

For the second question - we’ve been discussing a mechanism to solve this. The idea is to separate a worker custodian/identity key from the proving key that resides inside of the enclave. This would allow a user to assign a new enclave in the case that the original machine is down. A potential improvement on this is to allow a user to manage multiple worker machines/enclaves for a single custodian key. While interesting, I don’t believe we will prioritize this for the first mainnet.

That would make the lives of node runners much easier / ideal. The last part / possible improvement is something I’ve wondered about. I can see why it’s not an immediate priority though. Thanks!