[tahoe-dev] Tahoe and restricting uploads

Nathan nejucomo at gmail.com
Sat Nov 22 17:16:33 PST 2008


Hello,

It occurred to me there might be a simpler scheme to restrict uploads
to a grid versus the current accounting design.  (It may actually
entail something just as complicated, but I'm interested to hear
responses.)

As a caveat, I haven't read the design doc, but skimmed it and recall
from conversations that it involves accounting, reference counting,
plus various cryptographic mechanisms.

The idea is to represent the ability to create a new file or directory
as a capability.

A minimalist implementation would re-use the same mechanism that
enforces write-cap ownership to alter files or directories.  However,
instead of a proof of write-cap ownership depending on a particular
file or directory, it would depend on something grid-wide.

I imagine altering this idealized API:
mkdir() -> writecap
new_file() -> writecap
update_file(writecap, contents) -> nil
update_directory(writecap, linkname, destcap_or_nil) -> nil


The alteration would only change the mkdir and new_file operations to:
mkdir(creationcap) -> writecap
new_file(creationcap) -> writecap


A minimal implementation might configure the creationcap by requiring
the user to place a public key representing the grid-wide creation
capability prover into their tahoe config.  The grid owner would
carefully hand out the private key.

Note: this API design would allow nodes which have a writecap but
*not* a creationcap to alter directory links or update file contents.
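The scheme above, worked through as an added Go example (it is not Tahoe code and the names are my own): the node config holds an Ed25519 public key as the grid-wide creation-cap verifier, the private key is the creationcap the grid owner hands out, and mkdir/new_file require a signature over a fresh server-issued challenge, while update_file and update_directory require only the writecap. Writecaps are modelled here as bearer secrets whose SHA-256 hash is the object id; that is an assumption of the example, not Tahoe's real cap derivation. The challenge is consumed on first use, so a captured proof cannot be replayed to create a second object.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Writecap is a bearer secret; the grid stores only its hash as the object id.
// Assumed simplification for this example, not Tahoe's actual cap format.
type Writecap []byte

type object struct {
	isDir    bool
	contents []byte
	links    map[string]string // directory entries: linkname -> destination object id
}

// Grid holds the hypothetical grid-wide creation-cap verifier (the public key
// a node operator would put in the config) plus the stored objects.
type Grid struct {
	creationPub ed25519.PublicKey
	objects     map[string]*object // keyed by hex(sha256(writecap))
	challenges  map[string]bool    // outstanding nonces, consumed on first use
}

func NewGrid(creationPub ed25519.PublicKey) *Grid {
	return &Grid{creationPub: creationPub, objects: map[string]*object{}, challenges: map[string]bool{}}
}

// GenerateCreationCap: the public half goes into every node's config, the
// private half is the creationcap the grid owner hands out.
func GenerateCreationCap() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func objectID(wc Writecap) string { s := sha256.Sum256(wc); return hex.EncodeToString(s[:]) }

// Domain-separated message the creation proof signs.
func creationMsg(challenge []byte) []byte { return append([]byte("tahoe-create:"), challenge...) }

// Challenge issues a fresh nonce that a creation proof must be bound to.
func (g *Grid) Challenge() []byte {
	nonce := randBytes(32)
	g.challenges[hex.EncodeToString(nonce)] = true
	return nonce
}

// ProveCreation is the client side: sign the challenge with the creationcap.
func ProveCreation(creationPriv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(creationPriv, creationMsg(challenge))
}

func (g *Grid) create(isDir bool, challenge, proof []byte) (Writecap, error) {
	key := hex.EncodeToString(challenge)
	if !g.challenges[key] {
		return nil, errors.New("unknown or already-used challenge")
	}
	if !ed25519.Verify(g.creationPub, creationMsg(challenge), proof) {
		return nil, errors.New("creation cap proof rejected")
	}
	delete(g.challenges, key) // one proof, one creation
	wc := Writecap(randBytes(32))
	g.objects[objectID(wc)] = &object{isDir: isDir, links: map[string]string{}}
	return wc, nil
}

// Mkdir and NewFile are the only operations that need the creationcap.
func (g *Grid) Mkdir(challenge, proof []byte) (Writecap, error)   { return g.create(true, challenge, proof) }
func (g *Grid) NewFile(challenge, proof []byte) (Writecap, error) { return g.create(false, challenge, proof) }

// lookup is the write-cap proof of ownership: the presented secret must hash
// to a known object id of the right type.
func (g *Grid) lookup(wc Writecap, wantDir bool) (*object, error) {
	obj, ok := g.objects[objectID(wc)]
	if !ok {
		return nil, errors.New("writecap not recognised")
	}
	if obj.isDir != wantDir {
		return nil, errors.New("wrong object type for this operation")
	}
	return obj, nil
}

// UpdateFile needs a writecap only; no creationcap is involved.
func (g *Grid) UpdateFile(wc Writecap, contents []byte) error {
	obj, err := g.lookup(wc, false)
	if err != nil {
		return err
	}
	obj.contents = contents
	return nil
}

// UpdateDirectory sets or removes (dest == nil) a link, again with a writecap only.
func (g *Grid) UpdateDirectory(wc Writecap, linkname string, dest Writecap) error {
	dir, err := g.lookup(wc, true)
	if err != nil {
		return err
	}
	if dest == nil {
		delete(dir.links, linkname)
		return nil
	}
	dir.links[linkname] = objectID(dest)
	return nil
}

func main() {
	pub, priv := GenerateCreationCap()
	grid := NewGrid(pub)
	ch := grid.Challenge()
	dir, err := grid.Mkdir(ch, ProveCreation(priv, ch))
	fmt.Println("mkdir with creationcap:", err)
	fmt.Println("update with writecap only:", grid.UpdateDirectory(dir, "notes", nil))
	_, err = grid.Mkdir(ch, ProveCreation(priv, ch))
	fmt.Println("replayed challenge:", err)
}
```

The design choice worth noticing is that the server never learns the creationcap itself, only a signature over a nonce it chose, so a storage node can be configured with the public key alone and cannot mint creations on its own.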


Is implementing this simple?  Does it represent a meaningful axis for
representing capabilities?

To me, it seems it solves the particular use case.

