[tahoe-dev] Access control and permissions on a tahoe grid
Kevin Reid
kpreid at mac.com
Fri Jun 12 19:38:26 PDT 2009
On Jun 12, 2009, at 22:19, Brian Warner wrote:
> Revocation is a complicated topic. As Kevin said, it basically requires an
> intermediary, which might either be a single proxy/gatekeeper or something
> distributed (like an intermediate tahoe directory that you can later empty).

A directory cannot be used for revocation: a client can always scan it
and remember every cap it contains (perhaps by putting them into a
different directory), or remember the current-version shares of the
directory itself.

The only revocation-like behavior deleting from a directory gets you is:

IF:
- the client has not looked at the directory since the to-be-revoked
  child was added, or has not recorded the caps in it
- and there are not enough storage servers providing shares of the
  old version of the directory to retrieve it

THEN you have successfully used deletion to revoke access. This seems
weak enough to be practically useless.

--
Kevin Reid <http://homepage.mac.com/kpreid/>
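
The two conditions in the message above as a small Python model, added here as an illustration; it is not part of the original message and is not Tahoe-LAFS code. `Grid`, `K = 3`, the server names and the cap string are assumptions, and a server left out of `overwrite` stands for one that still holds shares of the old directory version.

```python
# Toy model, constructed for illustration; not Tahoe-LAFS code or its API.

K = 3  # assumed number of shares needed to rebuild a directory version


class Grid:
    def __init__(self, names):
        self.servers = {n: {} for n in names}   # server -> {version: children}

    def publish(self, version, children, overwrite):
        """Store `version` everywhere; only servers in `overwrite` drop older shares."""
        for name, held in self.servers.items():
            if name in overwrite:
                held.clear()
            held[version] = dict(children)

    def read(self, version):
        """Directory contents, or None if fewer than K servers hold that version."""
        holders = [h[version] for h in self.servers.values() if version in h]
        return dict(holders[0]) if len(holders) >= K else None


def still_has_access(grid, remembered, old_version, child):
    """Access survives deletion if the cap was recorded or the old version is retrievable."""
    old = grid.read(old_version) or {}
    return child in remembered or child in old


def scenarios():
    names = ["s1", "s2", "s3", "s4"]
    v1 = {"report": "URI:constructed-read-cap"}   # constructed sample cap
    out = {}
    for label, scans_first, overwrite in [
        ("scanned_before_delete", True, names),    # client copied the caps
        ("old_shares_survive", False, ["s4"]),     # three servers keep version 1
        ("neither", False, names),                 # both IF conditions hold
    ]:
        grid = Grid(names)
        grid.publish(1, v1, overwrite=names)
        remembered = grid.read(1) if scans_first else {}
        grid.publish(2, {}, overwrite=overwrite)   # owner deletes the child
        out[label] = still_has_access(grid, remembered, 1, "report")
    return out
```

Only the `neither` case ends with the client locked out, which is the single situation in which deletion behaves like revocation.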