poztter.org


Survivorship.

Survivorship is how POZ replaces "the one key that can do anything" with a flexible, threshold-based model that makes recovery and revocation first-class concerns.

groups, keys, values

Each master key in the record belongs to a survivorship group (a uint8 ID) and carries a survivorship value — the "voting weight" of that key within its group. A modification is authorized when the signing keys within any one group have values summing to ≥100.

Groups are evaluated independently. Signatures from different groups cannot be combined. The same key may appear in multiple groups with different values — the same physical key can play different roles in different recovery paths.

The rule, in full. For a proposed change, walk every group in the Master Zone. If the valid signatures from members of any single group sum to ≥100, the change is authorized. Stop. If no group reaches the threshold, the change is rejected.

patterns

sole ownership

One key, value 100. Simple. No recovery.

Group   Key              Value
1       Hardware token   100

multi-signature

Three keys with values that only reach 100 when all three sign.

Group   Key            Value
1       Engineering    34
1       DevOps         33
1       IT             33

Any two together reach 67 — short of the threshold. All three are required.

primary + recovery

A high-security key for daily use, plus a recovery group in case you lose it.

Group          Key               Value
1 (Primary)    Hardware token    100
2 (Recovery)   Family member 1   40
2 (Recovery)   Family member 2   40
2 (Recovery)   Family member 3   40

Day to day, the hardware token signs alone. If it's lost, all three family members together (40+40+40 = 120) can recover the record. Two of them alone cannot (80 < 100), preventing minority collusion.

trusted agency

The user must sign, plus one of several trusted third parties — and no agency can act alone. This is where poztter.com comes in: it offers agency keys you can opt into.

Group   Key         Value
1       User        50
1       Agency A    50
2       User        50
2       Agency B    50

The user is the common requirement of every group. Either Agency A or Agency B can partner with the user to sign — but neither agency can do anything alone, and they cannot collude across groups (signatures from different groups don't combine).

Pattern              Keys                  Key loss     Single compromise   Groups
Sole ownership       1 key · 100           LOCKED OUT   TAKEN OVER          1
Multi-sig 3-of-3     34/33/33              LOCKED OUT   SURVIVES            1
Primary + recovery   hw 100 / 3×40         RECOVERS     SURVIVES            2
Trusted agency       user + A / user + B   RECOVERS     SURVIVES            2
fig 01 · resilience at a glance. Sole ownership is the only pattern that fails both ways. Adding a recovery group is the single biggest improvement you can make.

why ≥100

The uint8 value field can hold 0–255, but the protocol fixes the threshold at 100. That choice gives you intuitive ratios — half-and-half splits, thirds, the M-of-N patterns above — while leaving headroom for "this single key counts as everything" (value ≥100). It also avoids floating-point arithmetic in the verification path.

recovery from compromise

If an attacker compromises one key in a multi-signature group, they still can't reach 100 alone. The legitimate holders use the remaining keys (if those still sum to ≥100) or a different survivorship group to revoke the compromised key and re-secure the master.

Revoking a compromised key requires meeting the threshold of the current Master Zone. If the compromised key is needed to reach that threshold, a backup group is essential. Configuring at least two groups is strongly recommended for any multi-key setup.
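The authorization rule stated above and the revocation step it gates, as an added example (not POZ's own code): a Master Zone is modelled as (group, key, value) entries, signature verification is assumed to have already produced the set of signing key ids, and the key ids and the "unrecoverable zone" guard in revoke are assumptions of this example, not part of the page.

```python
from collections import defaultdict

THRESHOLD = 100   # fixed by the protocol
VALUE_MAX = 255   # the value field is a uint8

def authorized(master_zone, signing_keys):
    """Return the id of the first group whose signing members reach the
    threshold, or None if no group does.

    master_zone: list of (group_id, key_id, value); a key may appear in
    several groups with different values.  signing_keys: the set of key ids
    whose signatures over the proposed change verified.
    """
    totals = defaultdict(int)
    for group_id, key_id, value in master_zone:
        if not 0 <= value <= VALUE_MAX:
            raise ValueError(f"value {value} for {key_id!r} is not a uint8")
        if key_id in signing_keys:
            totals[group_id] += value      # weights only add up within one group
    for group_id in sorted(totals):        # groups are evaluated independently
        if totals[group_id] >= THRESHOLD:
            return group_id
    return None

def revoke(master_zone, key_id, signing_keys):
    """Remove key_id from every group, provided the *current* Master Zone
    authorizes the change.  Returns the new zone."""
    if authorized(master_zone, signing_keys) is None:
        raise PermissionError(f"no group reached {THRESHOLD}; cannot revoke {key_id!r}")
    new_zone = [e for e in master_zone if e[1] != key_id]
    # Extra guard (an assumption added here, not stated by the page): refuse a
    # result that no set of remaining keys could ever authorize.
    full = defaultdict(int)
    for group_id, _, value in new_zone:
        full[group_id] += value
    if not any(t >= THRESHOLD for t in full.values()):
        raise ValueError(f"revoking {key_id!r} would leave the record unrecoverable")
    return new_zone

# Constructed Master Zones for the patterns above (key ids are placeholders).
MULTISIG = [(1, "eng", 34), (1, "devops", 33), (1, "it", 33)]
PRIMARY_RECOVERY = [(1, "hw-token", 100),
                    (2, "family-1", 40), (2, "family-2", 40), (2, "family-3", 40)]
TRUSTED_AGENCY = [(1, "user", 50), (1, "agency-a", 50),
                  (2, "user", 50), (2, "agency-b", 50)]

if __name__ == "__main__":
    print(authorized(PRIMARY_RECOVERY, {"family-1", "family-2"}))   # None: 80 < 100
    print(authorized(TRUSTED_AGENCY, {"agency-a", "agency-b"}))     # None: 50 + 50 sit in different groups
    print(revoke(PRIMARY_RECOVERY, "hw-token", {"family-1", "family-2", "family-3"}))
```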
