← Back to Main Documentation Security Index

Private Key Use Cases Analysis

Created: Sun 27 Jul 2025 08:25:00 CEST
Document Version: 1.0 - Initial comprehensive analysis
Security Classification: Critical Security Analysis
Target Audience: Security Team, Developers, Product Managers, Architects
Author: Paul Wisén

See Also: HD Wallet Trust Boundaries for implementation guidelines

Executive Summary

This document provides a comprehensive risk assessment of all identified private key use cases in the Plings HD wallet system. Each use case is analyzed for trust implications, risk level, and implementation recommendations.

Key Finding: Not all technically possible private key operations are safe to implement. Trust boundaries must guide feature development.

Use Case Classification Framework

Risk Assessment Criteria

1. Authority Legitimacy

  • Legitimate: Party has clear business/legal authority for the operation
  • Questionable: Authority exists but scope is unclear
  • Illegitimate: No legitimate authority for the operation

2. Temporal Scope

  • Pre-sale: Operation valid only during manufacturing/distribution
  • Warranty: Operation valid during warranty period
  • Post-sale: Operation remains valid after ownership transfer
  • Emergency: Operation valid only in specific emergency situations

3. Trust Impact

  • Low: Owner would expect and accept this operation
  • Medium: Owner might question but generally accept
  • High: Owner would likely object or feel betrayed

4. Abuse Potential

  • Low: Limited scope, difficult to abuse
  • Medium: Some potential for misuse with safeguards
  • High: High potential for malicious abuse

Risk Level Matrix

Authority Temporal Trust Impact Abuse Potential Overall Risk
Legitimate Pre-sale Low Low LOW
Legitimate Warranty Low Low LOW
Legitimate Emergency Low Low LOW
Legitimate Post-sale Medium Medium MEDIUM 🔄
Questionable Post-sale High Medium HIGH
Illegitimate Post-sale High High CRITICAL

Detailed Use Case Analysis

✅ LOW RISK - Safe for Implementation

Use Case 1: Payment Recovery

Authority: Legitimate (payment system operator)
Temporal: Emergency only
Trust Impact: Low (owner expects payment system to work)
Abuse Potential: Low (limited to stuck payments)
Overall Risk: LOW ✅

Scenario: PDA (Program Derived Address) system fails, leaving funds stuck at identifier address.

Trust Rationale:

  • All parties (Plings, manufacturer, plant) have legitimate interest in payment system functionality
  • Owner expects payments to be recoverable if technical issues occur
  • Operation is limited to emergency situations only

Technical Safeguards:

def validate_payment_recovery(identifier_path: str) -> bool:
    # Must prove PDA is actually stuck
    if not is_pda_stuck(identifier_path):
        raise PaymentNotStuckError("PDA is functioning normally")
    
    # Must prove funds are actually at identifier address
    if get_balance(identifier_path) == 0:
        raise NoFundsError("No funds to recover")
    
    # Must specify legitimate recovery address
    if not is_valid_recovery_address(recovery_address):
        raise InvalidRecoveryError("Recovery address not authorized")
    
    return True

Implementation Recommendation: ✅ IMPLEMENT IMMEDIATELY

  • Essential for payment system reliability
  • Clear technical safeguards prevent abuse
  • Limited scope reduces risk

Use Case 2: Warranty Claims

Authority: Legitimate (warranty provider)
Temporal: Warranty period only
Trust Impact: Low (owner expects warranty service)
Abuse Potential: Low (limited to warranty terms)
Overall Risk: LOW ✅

Scenario: Object signs warranty claim with usage data for manufacturer validation.

Trust Rationale:

  • Manufacturer issued warranty and has obligation to honor claims
  • Owner expects manufacturer to validate warranty claims
  • Operation limited to warranty period and covered issues only

Technical Safeguards:

def validate_warranty_claim(identifier_path: str, claim_data: dict) -> bool:
    # Must be within warranty period
    if not is_warranty_active(identifier_path):
        raise WarrantyExpiredError("Warranty period has expired")
    
    # Must be warranty-covered issue
    if not is_warranty_covered(claim_data['issue_type']):
        raise WarrantyExclusionError("Issue not covered by warranty")
    
    # Must include valid usage data
    if not validate_usage_data(claim_data['usage_data']):
        raise InvalidUsageDataError("Usage data invalid or tampered")
    
    return True

Implementation Recommendation: ✅ IMPLEMENT IMMEDIATELY

  • Clear business justification
  • Temporal limits reduce risk
  • Owner expects this functionality

Use Case 3: Supply Chain Verification

Authority: Legitimate (during custody period)
Temporal: Pre-sale only
Trust Impact: Low (owner expects provenance)
Abuse Potential: Low (pre-sale operations only)
Overall Risk: LOW ✅

Scenario: Manufacturing proof, quality control signatures, shipping verification during production.

Sub-cases:

  1. Manufacturing Proof: Plant signs “I manufactured this object”
  2. Quality Control: QC station signs “I approved this object”
  3. Shipping Verification: Logistics provider signs “I shipped this object”

Trust Rationale:

  • Operations occur during legitimate custody period
  • Owner benefits from provenance and quality assurance
  • Creates valuable audit trail for object history

Technical Safeguards:

def validate_supply_chain_operation(identifier_path: str, operation_type: str) -> bool:
    # Must be during pre-sale period
    if object_is_sold(identifier_path):
        raise PostSaleOperationError("Supply chain operations not valid after sale")
    
    # Must be legitimate supply chain party
    if not is_authorized_supply_chain_actor(current_actor, operation_type):
        raise UnauthorizedActorError("Actor not authorized for this operation")
    
    # Must be appropriate operation for current stage
    if not is_valid_for_current_stage(operation_type, get_object_stage(identifier_path)):
        raise InvalidStageError("Operation not valid for current manufacturing stage")
    
    return True

Implementation Recommendation: ✅ IMPLEMENT IMMEDIATELY

  • High value for supply chain transparency
  • Pre-sale limitation eliminates post-sale trust issues
  • Creates competitive advantage

🔄 MEDIUM RISK - Research Required

Use Case 4: Time-Limited IoT Operations

Authority: Questionable (post-sale technical operations)
Temporal: Post-sale with time limits
Trust Impact: Medium (owner might accept with safeguards)
Abuse Potential: Medium (depends on implementation)
Overall Risk: MEDIUM 🔄

Scenario: Object performs autonomous operations (payments, data attestation) with manufacturer-derived keys, but only for limited time after sale.

Trust Challenges:

  • Owner didn’t explicitly consent to post-sale manufacturer control
  • Unclear when manufacturer authority should expire
  • Potential for unauthorized operations

Potential Solutions:

# Option 1: Time-based expiration
def autonomous_operation_with_expiry(identifier_path: str, operation: dict) -> bool:
    sale_date = get_sale_date(identifier_path)
    if days_since(sale_date) > AUTONOMOUS_OPERATION_LIMIT:  # e.g., 30 days
        raise AuthorityExpiredError("Manufacturer authority expired")
    
    return perform_operation(identifier_path, operation)

# Option 2: Owner opt-in required
def autonomous_operation_with_consent(identifier_path: str, operation: dict) -> bool:
    if not owner_has_consented_to_autonomous_ops(identifier_path):
        raise ConsentRequiredError("Owner must explicitly enable autonomous operations")
    
    return perform_operation(identifier_path, operation)

Research Required:

  • Legal implications of post-sale autonomous operations
  • User consent mechanisms
  • Technical implementation of authority expiration
  • Integration with ownership transfer system

Implementation Recommendation: 🔄 RESEARCH PHASE

  • Defer implementation until trust model is resolved
  • Conduct user research on acceptable autonomous operations
  • Explore owner-controlled key derivation alternatives

❌ HIGH RISK - Blocked

Use Case 5: Object Retirement/Disposal

Authority: Illegitimate (post-sale owner decisions)
Temporal: Post-sale indefinitely
Trust Impact: High (owner would strongly object)
Abuse Potential: High (permanent object destruction)
Overall Risk: CRITICAL ❌

Scenario: Manufacturer uses private key to mark object as “retired” or “destroyed” years after sale.

Trust Breakdown Example:

1. Chinese factory manufactures smartwatch
2. Consumer buys watch in Sweden
3. 3 years later, factory marks watch as "destroyed" on blockchain
4. Consumer's valuable object is now marked as worthless
5. Consumer has no recourse

Why This Is Dangerous:

  • Manufacturer retains permanent control over object state
  • Owner has no way to prevent or reverse malicious destruction
  • Violates principle of ownership autonomy
  • Could be used for market manipulation or revenge

Safe Alternative:

# ✅ SAFE: Owner-controlled retirement
def retire_object_by_owner(owner_signature: str, identifier_path: str) -> bool:
    # Verify signature is from actual owner
    if not verify_owner_signature(owner_signature, identifier_path):
        raise UnauthorizedError("Only object owner can retire object")
    
    # Verify owner's intent with additional confirmation
    if not owner_has_confirmed_retirement(identifier_path):
        raise ConfirmationRequiredError("Retirement requires explicit confirmation")
    
    return mark_object_retired(owner_signature, identifier_path)

Implementation Recommendation: ❌ PERMANENTLY BLOCKED

  • Violates fundamental ownership principles
  • High potential for abuse
  • Alternative ownership-based solution exists and is safer

Use Case 6: Ownership Transfer via Private Keys

Authority: Illegitimate (ownership is separate from keys)
Temporal: Post-sale indefinitely
Trust Impact: High (owner would view as theft)
Abuse Potential: High (unauthorized ownership changes)
Overall Risk: CRITICAL ❌

Scenario: Manufacturer uses object’s private key to cryptographically “transfer” ownership to another party.

Trust Breakdown Example:

1. User buys expensive item from manufacturer
2. Manufacturer uses object private key to sign "ownership transfer"
3. Blockchain shows object is now "owned" by someone else
4. Original owner has lost their property without consent

Why This Is Dangerous:

  • Confuses cryptographic capability with legal ownership
  • Manufacturer could “steal” objects cryptographically
  • Undermines entire ownership system
  • Creates legal and financial liability

Existing Safe Solution: The organization + NFT ownership model already handles ownership transfer correctly:

# ✅ SAFE: Ownership transfer via organization system
def transfer_ownership(from_org: str, to_org: str, object_id: str, signed_agreement: str) -> bool:
    # Verify both parties have signed transfer agreement
    if not verify_transfer_agreement(signed_agreement, from_org, to_org):
        raise InvalidTransferError("Transfer agreement invalid")
    
    # Update database ownership
    update_object_owner(object_id, to_org)
    
    # Transfer NFT if it exists
    if has_nft(object_id):
        transfer_nft(get_nft_mint(object_id), from_org, to_org)
    
    return True

Implementation Recommendation: ❌ PERMANENTLY BLOCKED

  • Redundant - existing ownership system works correctly
  • Dangerous - enables ownership theft
  • Confuses technical capability with legal authority

Use Case 7: Unlimited IoT Autonomy

Authority: Illegitimate (indefinite post-sale control)
Temporal: Post-sale indefinitely
Trust Impact: High (owner expects device autonomy)
Abuse Potential: High (unlimited unauthorized operations)
Overall Risk: CRITICAL ❌

Scenario: Manufacturer retains ability to make autonomous payments, sign contracts, or attest data on behalf of objects indefinitely after sale.

Trust Breakdown Examples:

Example 1: Autonomous Payments
- Smart car makes parking payments using manufacturer-derived keys
- Manufacturer could theoretically make unauthorized payments
- Owner cannot revoke manufacturer's payment authority

Example 2: Data Attestation
- IoT sensor signs environmental data with manufacturer-derived keys
- Manufacturer could sign false data to manipulate markets
- Owner cannot verify data authenticity independently

Example 3: Contract Signing
- Smart appliance signs service contracts using manufacturer-derived keys
- Manufacturer could commit owner to unwanted agreements
- Owner bound by "agreements" they never consented to

Why This Is Dangerous:

  • Permanent manufacturer control violates device autonomy
  • Owner cannot trust device operations
  • Potential for financial fraud and manipulation
  • Violates privacy and autonomy principles

Safe Alternative - Owner-Controlled Keys:

# ✅ SAFE: Owner-derived autonomous operations
def autonomous_operation_owner_controlled(owner_master_key: str, identifier_path: str, operation: dict) -> bool:
    # Derive key using owner's master key, not manufacturer's
    operation_key = derive_owner_key(owner_master_key, identifier_path)
    
    # Sign operation with owner-controlled key
    signature = sign_operation(operation_key, operation)
    
    # Owner has full control and can revoke access
    return execute_autonomous_operation(signature, operation)

Implementation Recommendation: ❌ BLOCKED UNTIL ARCHITECTURE CHANGE

  • Requires fundamental change to key derivation model
  • Current manufacturer-derived approach is unsafe
  • Future owner-controlled key system needed

Implementation Decision Matrix

Immediate Implementation (✅ Safe)

Use Case Risk Level Implementation Status Priority
Payment Recovery LOW ✅ Approved HIGH
Warranty Claims LOW ✅ Approved HIGH
Supply Chain Verification LOW ✅ Approved MEDIUM

Development Guidelines:

  • Implement with comprehensive validation
  • Include temporal and scope safeguards
  • Document trust assumptions clearly
  • Add monitoring and audit logging

Research Phase (🔄 Evaluate)

Use Case Risk Level Research Required Timeline
Time-Limited IoT Operations MEDIUM User consent mechanisms, legal analysis 3-6 months

Research Questions:

  • What autonomous operations would users accept?
  • How long should manufacturer authority persist?
  • What consent mechanisms are needed?
  • How to integrate with ownership system?

Permanently Blocked (❌ Unsafe)

Use Case Risk Level Block Reason Alternative
Object Retirement CRITICAL Violates ownership autonomy Owner-controlled retirement
Ownership Transfer CRITICAL Enables ownership theft Organization + NFT system
Unlimited IoT Autonomy CRITICAL Permanent manufacturer control Owner-controlled keys (future)

Block Rationale:

  • Violate fundamental trust principles
  • High potential for abuse
  • Safe alternatives exist or can be developed

Monitoring and Validation

Required Safeguards for Approved Use Cases

1. Temporal Validation

class TemporalValidator:
    def validate_payment_recovery(self, identifier_path: str) -> bool:
        return is_emergency_situation(identifier_path)
    
    def validate_warranty_operation(self, identifier_path: str) -> bool:
        return is_warranty_active(identifier_path)
    
    def validate_supply_chain_operation(self, identifier_path: str) -> bool:
        return not object_is_sold(identifier_path)

2. Authority Validation

class AuthorityValidator:
    def validate_actor_authority(self, actor: str, operation_type: str, identifier_path: str) -> bool:
        if operation_type == "payment_recovery":
            return actor in ["plings", "manufacturer", "plant"]
        elif operation_type == "warranty_claim":
            return actor == get_warranty_provider(identifier_path)
        elif operation_type == "supply_chain":
            return is_authorized_supply_chain_actor(actor, operation_type)
        else:
            return False

3. Scope Validation

class ScopeValidator:
    def validate_operation_scope(self, operation: dict, operation_type: str) -> bool:
        if operation_type == "payment_recovery":
            return self.validate_recovery_scope(operation)
        elif operation_type == "warranty_claim":
            return self.validate_warranty_scope(operation)
        elif operation_type == "supply_chain":
            return self.validate_supply_chain_scope(operation)
        else:
            return False

Audit and Monitoring Requirements

1. Operation Logging

def log_private_key_operation(identifier_path: str, operation_type: str, actor: str, operation_data: dict):
    audit_log.info({
        "timestamp": datetime.utcnow(),
        "identifier_path": identifier_path,
        "operation_type": operation_type,
        "actor": actor,
        "operation_data": redact_sensitive_data(operation_data),
        "validation_results": get_validation_results(),
        "risk_assessment": assess_operation_risk(operation_type, actor)
    })

2. Anomaly Detection

class PrivateKeyAnomalyDetector:
    def detect_anomalies(self, operation_history: List[dict]) -> List[str]:
        anomalies = []
        
        # Detect unusual operation frequency
        if self.detect_high_frequency_operations(operation_history):
            anomalies.append("HIGH_FREQUENCY_OPERATIONS")
        
        # Detect operations outside normal patterns
        if self.detect_unusual_operation_patterns(operation_history):
            anomalies.append("UNUSUAL_PATTERNS")
        
        # Detect unauthorized actor attempts
        if self.detect_unauthorized_actor_attempts(operation_history):
            anomalies.append("UNAUTHORIZED_ATTEMPTS")
        
        return anomalies

3. Owner Notification

def notify_owner_of_private_key_operation(identifier_path: str, operation_type: str, operation_summary: str):
    owner = get_object_owner(identifier_path)
    
    notification = {
        "type": "PRIVATE_KEY_OPERATION",
        "identifier": identifier_path,
        "operation": operation_type,
        "summary": operation_summary,
        "timestamp": datetime.utcnow(),
        "can_be_revoked": can_operation_be_revoked(operation_type),
        "appeal_process": get_appeal_process_info()
    }
    
    send_notification(owner, notification)

Future Considerations

Evolution Toward Owner-Controlled Keys

Technical Requirements

  1. Owner Key Derivation: Method for owners to generate their own keys
  2. Authority Transfer: Mechanism to transfer authority from manufacturer to owner
  3. Revocation System: Owner ability to revoke manufacturer access
  4. Secure Elements: Hardware-based key storage for autonomous devices

Migration Strategy

# Future: Owner-controlled key derivation
class OwnerControlledKeySystem:
    def derive_owner_key(self, owner_master_key: str, identifier_path: str) -> str:
        # Owner derives keys independently of manufacturer
        return derive_key_from_owner_master(owner_master_key, identifier_path)
    
    def transfer_authority(self, identifier_path: str, from_manufacturer: str, to_owner: str):
        # Transfer cryptographic authority at time of sale
        disable_manufacturer_keys(identifier_path, from_manufacturer)
        enable_owner_keys(identifier_path, to_owner)
    
    def autonomous_operation_owner_authorized(self, identifier_path: str, operation: dict) -> bool:
        # Only owner-authorized autonomous operations
        owner_key = get_owner_key(identifier_path)
        return verify_operation_signature(operation, owner_key)

Summary

Private key use cases must be carefully evaluated against trust boundaries. Phase 1 operations (payment recovery, warranty claims, supply chain verification) are safe for immediate implementation with proper safeguards. Owner-controlled operations require architectural evolution to ensure proper trust boundaries.

Key Principle: Just because we can derive private keys doesn’t mean we should use them for all possible operations. Trust boundaries must guide implementation decisions.

Documentation Status: Comprehensive analysis complete
Next Phase: Implement approved use cases with monitoring and safeguards
Review Required: Security team approval and ongoing risk assessment