poztter.org

philosophy · essay 06

Survivability.

With so much dependence placed on the owner of a POZ record — and with the inevitable possibility that controlling keys may be compromised — POZ holds the philosophy that mistakes can happen, and recovery must be possible. Identity is meant to be long-lasting; it has to survive its own failure modes.

the failure modes

Anything that holds a private key can lose it. Hardware tokens get misplaced. Phones get dropped. Laptops get stolen. People die. And even the best-protected key can be stolen by a sufficiently determined attacker — eventually, every secret is breakable. A protocol that doesn't account for these scenarios is one good incident from disaster.

The POZ position is to plan for these scenarios from the start. Recovery isn't a procedure you bolt on after the cryptographic system; it's part of how the system is configured before anything goes wrong.

distributing the master, layer one

Distributing the ultimate authority of the master record is the first safeguard. POZ's threshold model lets the master zone be controlled by multiple keys, no single one of which is sufficient alone. Each key carries a survivorship value; authorization requires a set of keys whose values sum to at least 100.

This is flexible. One key at 100 is the simplest case — sole ownership, no distribution. Three keys at 34/33/33 require all three to act together. Two keys at 50/50 require both. A hardware key at 100 plus a recovery group of three keys at 40/40/40 gives a primary path (the hardware key alone) and an independent recovery path (the three recovery keys together, since 40+40+40 = 120). Each configuration encodes a different threat model.

A · SOLE OWNERSHIP: one key, value 100 (hardware token 100). Survives nothing: one key, no recovery. LOSE KEY → LOCKED OUT.
B · MULTI-SIG · 3-OF-3: three keys, 34 / 33 / 33 (engineering 34, devops 33, IT 33). Survives one key compromise: an attacker with one key alone holds ≤ 34 < 100.
C · PRIMARY + RECOVERY: group 1, hardware token 100; group 2 (recovery), 40 / 40 / 40. Survives hw key loss: group 2 gives 40+40+40 = 120 ≥ 100.
D · TRUSTED AGENCY: user + agency A or user + agency B. Group 1: user 50, agency A 50; group 2: user 50, agency B 50. Survives either agency disappearing; no agency can act alone (50 < 100).
fig 01 · four patterns covering the common cases — sole ownership, multi-sig quorum, primary plus recovery, and trusted-agency. Each encodes a different threat model.
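The threshold rule described above, run over the four fig 01 patterns, as an added worked example (not POZ's own code). It assumes a grouped data model in which each key group is evaluated on its own and survivorship values are never summed across groups, which is how pattern D reads; key names and the `Key`/`MasterZone` types are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

THRESHOLD = 100  # a group authorizes when its signing keys' values reach this


@dataclass(frozen=True)
class Key:
    name: str
    value: int  # survivorship value carried by this key


@dataclass
class MasterZone:
    # Assumed model: each group is checked independently; a key that appears in
    # two groups (the "user" in pattern D) counts within each group separately.
    groups: list[list[Key]]

    def group_weight(self, group: list[Key], signers: set[str]) -> int:
        return sum(k.value for k in group if k.name in signers)

    def authorizes(self, signers: set[str]) -> bool:
        """True if the signing keys of any single group sum to at least 100."""
        return any(self.group_weight(g, signers) >= THRESHOLD for g in self.groups)

    def survives_loss(self, lost: list[str]) -> bool:
        """True if, with these keys gone, some group can still reach the threshold."""
        remaining = {k.name for g in self.groups for k in g} - set(lost)
        return self.authorizes(remaining)


# constructed configurations matching fig 01 panels A-D
PATTERN_A = MasterZone([[Key("hardware token", 100)]])
PATTERN_B = MasterZone([[Key("engineering", 34), Key("devops", 33), Key("IT", 33)]])
PATTERN_C = MasterZone([
    [Key("hardware token", 100)],
    [Key("recovery 1", 40), Key("recovery 2", 40), Key("recovery 3", 40)],
])
PATTERN_D = MasterZone([
    [Key("user", 50), Key("agency A", 50)],
    [Key("user", 50), Key("agency B", 50)],
])

if __name__ == "__main__":
    # what each pattern survives, and what a single captured key can do alone
    print("A survives token loss:", PATTERN_A.survives_loss(["hardware token"]))
    print("B single key authorizes:", PATTERN_B.authorizes({"engineering"}))
    print("C survives token loss:", PATTERN_C.survives_loss(["hardware token"]))
    print("D two agencies without user:", PATTERN_D.authorizes({"agency A", "agency B"}))
```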

survivorship may still fail

Even a well-distributed master may fail. A natural disaster takes out a recovery key in the same place as the primary. A coordinated attack succeeds against multiple keys at once. Some catastrophic failure leaves the record unable to reach its own threshold.

POZ incorporates this as a possibility. Pure replacement of your POZ record and identity is always available as a last resort — but it means reestablishing every contact, every binding, every trust relationship from scratch. The cost is high. To prevent that total loss, the POZ record has the ability to re-establish control of even the highest master zone authority.

planned re-establishment

This recovery path of last resort isn't automatic. It must be the desire of the original owner, and planned ahead of any incident. But for users who care about long-lasting identity, the option is available — and it preserves the identity itself, with its attestations, its history, and its links to other records intact.

The specifics of how this works are technical, but the philosophy is simple: a captured master zone shouldn't necessarily mean a captured identity, if the owner planned for that possibility before it happened. A POZ record is meant to outlive any individual cryptographic configuration — by anticipating that configuration's eventual failure and providing a way through.

the principle behind it all

Survivability is, in some ways, the most important POZ philosophy. Trust the data, identity ownership, cryptographic revocation — all of these depend on the identity being durable enough to be worth trusting in the first place. An identity that can be permanently erased by a single mistake isn't a real identity; it's a costume.

POZ wants the identity to be long-lasting and trustworthy. Real enough that other people invest in trusting it. Resilient enough that those investments survive when something — and something always does — goes wrong.

the user's responsibility

None of this works automatically. A user who configures a POZ record with one key at value 100 and no recovery group has built themselves a beautiful single point of failure. The protocol supports recovery; it doesn't force it.

The right tooling can make this much easier — wizards that explain the trade-offs, defaults that include a recovery group, warnings before a single-key configuration is finalized. POZ software should encourage survivable configurations and make single-key sole ownership a deliberate, informed choice rather than the path of least resistance.