[tahoe-dev] Giving away the farm (was Re: Google Summer of Code 2010 -- Ideas Needed!)

Brian Warner warner at lothar.com
Sun Mar 14 20:05:39 PDT 2010


Zooko O'Whielacronx wrote:
> 
> My point is that we have this problem not because we used the
> capability access control model, but because we made sharing maximally
> easy in the first version of the user interface, and now we need to
> figure out how to make sharing less easy, or more context dependent,
> or something.

Yeah. The idea of having distinctive prefixes like "URI:DIR2-RO" and
"URI:DIR2" was to give the cut-and-pasting person something to look for,
to see what exactly they're about to share. But those prefixes are
pretty hard to spot, especially when you're pasting a 143-character
string.

Shorter caps could help here, as would making the "type" portion of the
cap more visible (which depends upon what sort of URIs we're creating..
if they have to start with "tahoe:" then perhaps the type could be in
caps, so "tahoe:RO-DIR" vs "tahoe:DIR" ?).
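The two things discussed above, a cap type that is hard to spot in a long string and a front end that should check what it is about to hand out, can be demonstrated with a small prefix classifier. This is an added example, not code from this message or from Tahoe itself: it knows only the cap prefixes named in the message (`URI:DIR2-RO`, `URI:DIR2`, and the hypothetical `tahoe:RO-DIR` / `tahoe:DIR` scheme), reports anything else as unknown rather than guessing, and the sample caps are constructed placeholders, not real Tahoe caps.

```python
from dataclasses import dataclass
from typing import Tuple

# Prefix table limited to the cap types named in the message. Real Tahoe has
# more cap types; they are deliberately absent and will classify as "unknown".
# The "tahoe:" entries are the hypothetical scheme floated in the message.
KNOWN_PREFIXES = {
    "URI:DIR2-RO:": ("directory", "read"),
    "URI:DIR2:": ("directory", "write"),
    "tahoe:RO-DIR:": ("directory", "read"),   # hypothetical scheme
    "tahoe:DIR:": ("directory", "write"),     # hypothetical scheme
}

# Constructed placeholder bodies: the same length class as a real cap, but
# not valid keys or fingerprints.
SAMPLE_READCAP = "URI:DIR2-RO:" + "a" * 26 + ":" + "b" * 52
SAMPLE_WRITECAP = "URI:DIR2:" + "c" * 26 + ":" + "d" * 52


@dataclass(frozen=True)
class CapInfo:
    kind: str       # "directory" or "unknown"
    authority: str  # "read", "write" or "unknown"
    prefix: str     # the matched prefix, "" if none matched


def classify_cap(cap: str) -> CapInfo:
    """Identify a cap by its type prefix without touching the secret body."""
    cap = cap.strip()
    # Longest prefix first, so a more specific type wins over a shorter one.
    for prefix in sorted(KNOWN_PREFIXES, key=len, reverse=True):
        if cap.startswith(prefix):
            kind, authority = KNOWN_PREFIXES[prefix]
            return CapInfo(kind, authority, prefix)
    return CapInfo("unknown", "unknown", "")


def ui_label(cap: str) -> str:
    """The 'make the type visible' idea: a short, loud label for the front end."""
    info = classify_cap(cap)
    if info.authority == "unknown":
        return "UNKNOWN CAP TYPE"
    colour = "green" if info.authority == "read" else "red"
    return f"{colour} {info.kind} {info.authority}cap"


def check_share(cap: str, intended: str) -> Tuple[bool, str]:
    """Gate a share action: refuse when the cap grants more than the user intended.

    Returns (ok, reason). Sharing a writecap when the user asked for
    read-only access is the accident the message describes, so it is refused.
    """
    if intended not in ("read", "write"):
        return False, f"unknown intent {intended!r}"
    info = classify_cap(cap)
    if info.authority == "unknown":
        return False, "unrecognised cap type; refusing to share it blind"
    if intended == "read" and info.authority == "write":
        return False, f"{info.prefix} is a writecap but only read access was requested"
    return True, ui_label(cap)


if __name__ == "__main__":
    for cap in (SAMPLE_READCAP, SAMPLE_WRITECAP):
        print(ui_label(cap), "->", check_share(cap, "read"))
```

The point of `check_share` is that the decision is made on the prefix alone, before the 143-character body is ever shown to or copied by the user; a front end that surfaces only the label and the green/red distinction never needs to rely on someone spotting `-RO` in the middle of a pasted string.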

But as Zooko and others point out, it's really about front-end
functionality. Tahoe's filecaps are great low-level primitives to work
with: easy to understand (especially for programs), with clear
semantics. But they're a hassle for humans to see and manipulate
correctly. Tahoe's web interface (the "WUI") is really bare-bones: when
I show it to people, I explain it as an "engineering interface" that's
mainly used to check on what your other "real" frontends are doing. It's
not something you'd want to actually use. Allmydata customers had the
JS-based frontend that made things much prettier (and, incidentally,
only provided sharing through a highly-centralized server-based tinyurl
scheme).

A better frontend, potentially written in JS and served via tahoe's
public_html/ feature, would not show filecaps in the URL bar or
encourage cutting caps out of the HTML page. Each object that could be
shared would have a pair of icons next to it: a green one for readcap,
and a red one for writecap. Dragging that icon to some other application
would result in a copied filecap. Even better, Tahoe could have some
built-in secure sharing mechanism, so you'd drag the file icon to the
picture-of-your-buddy icon, and cryptographic mechanisms unseen would
convey it to the user of your choice with confidentiality, integrity,
and even limited revocability (which would help the cases when you
dragged the red icon instead of the green one).

I'm slowly prototyping a secure-sharing scheme for some other (mozilla)
projects.. if I get something working that would make sense for Tahoe,
I'll post details here.

cheers,
 -Brian
