[tahoe-dev] [cap-talk] time-based authority

Kevin Reid kpreid at mac.com
Tue May 12 17:27:11 PDT 2009


On May 12, 2009, at 18:45, Zooko O'Whielacronx wrote:

> Now, there is an easy way to layer some such revocation on top of
> Tahoe -- just run a web proxy (e.g. Apache) and give people URLs,
> possibly unguessable urls or tiny urls, pointing to that web proxy.
> Then you can remove items from your url database to revoke access to
> them.  Allmydata.com runs a tiny url service front-end on their
> production grid, but as far as I know they've never revoked any tiny
> urls.

Note, however, that you can't (afaik; I haven't actually dived into  
the architecture to really know) currently put those URLs into a Tahoe  
directory, because Tahoe directory items aren't arbitrary URLs.

http://allmydata.org/trac/tahoe/ticket/683 -- hint hint. You have just  
presented another use case.

> Another way to implement something similar to this is to use Tahoe's
> garbage collection feature to delete the (ciphertext) share data even
> while the person holding the cap retains the decryption key.  This
> could be seen as a kind of expiry.

This is not revocation:

  1. anyone running a storage server or having previously downloaded  
shares can hold onto the ciphertext, so deleting shares has no  
guaranteed effect, and you're only removing data that they could have  
already downloaded and decrypted anyway. (There is value in this --  
"oops, I uploaded this private data, delete it before anyone downloads  
it" -- but it is not a guarantee, not even the sufficiently-good- 
guarantee of crypto-with-a-decent-number-of-key-bits.)

  2. It does not disable access to a shared resource /which continues  
to exist and be shared except for the revoked access/, which I proffer  
as a sketchy definition of revocation.

-- 
Kevin Reid                            <http://homepage.mac.com/kpreid/>




More information about the tahoe-dev mailing list