When I use a 3rd party wallet and I see request to export the public key, is the key being exported the root xpub i.e. m/0 or a public key further down into the hierarchy? e.g. I don’t want MyEtherWallet having access to my root xpub which could in theory give them access to all my account balances across all coin types.
Thanks @Petosiris but I’m asking which public key in the hierarchy i.e. at what depth. i.e. if myetherwallet was malicious could it view the balances of all bip32 address space?
Well, exporting your public address make it possible to view all transactions connected to it on the blockchain, but this isn’t regarded as malicious, just a privacy concern.
More info: Account public key - Trezor Wiki
Thanks @Petosiris but I don’t feel like you’ve answered my question. With an HD wallet you have multiple levels of public keys with the xpub at the root. I understand the privacy risk of exposing your xpub, that is why I’m asking the question. I expect that Trezor exports the public key at m’/44’/60’/ and not the xpub at m/0 but I’d like confirmation.
I don’t know the answer to that. I’m just a beginner myself and have a lot to learn. Maybe someone else here knows?
This is not possible, even if MEW did query the key at m/0.
Notice the ' characters in the path, as in, m/44'/0'/0'/0/0, or m/44'/60'/0'?
These indicate a hardened, or “private”, derivation.
When you export an xpub at certain level, it’s possible to derive all unhardened steps below. So if you export m/44'/60', you can derive m/44'/60'/0, m/44'/60'/0/0, etc.
However, it’s impossible to derive m/44'/60'/0'. To do that, you would need the corresponding xprv, which is never exported.
Similarly, if the root key at m/0 or even just m was exported, it’s useless because the other party cannot get from m to m/44' without the xprv.
To answer the question: MEW is allowed to ask for the root xpub, but it’s not asking for it, because the root xpub can’t be used to get your addresses.