[tahoe-dev] Web gateway should keep its caches encrypted?

Jeremy Fitzhardinge jeremy at goop.org
Thu Mar 11 18:26:55 UTC 2010


In poking around with http range requests, I noticed that the web 
gateway will (on occasion) locally cache files in unencrypted form.

Now in normal use that's perfectly OK because web gateways are trusted 
with our unencrypted data and so having the data present in that form 
should be OK.

But my mental model of a gateway machine is that it's just a stateless 
waypoint which doesn't store anything local.  If I have a setup where 
there's a gateway machine within my network serving several machines, I 
would expect it to not have any persistent memory of my data, and so 
when it comes time to replace the HD I don't need to worry about 
scrubbing the disk, at least for Tahoe's sake.  (Let's assume swap has 
been dealt with.)

Therefore, I think the gateway should keep the cache files encrypted and 
only decrypt them on the fly as they're being sent to its clients.  I'm 
not sure what the key should be, but it should be per-file and transient 
(derived from the cap/root hash/something else?) rather than some local 
state (which would defeat the purpose of encrypting in the first place).

Thoughts?

Thanks,
     J
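To make the proposal above concrete, here is an added sketch (not code from the post or from Tahoe-LAFS) of a gateway cache that only ever holds ciphertext and decrypts the requested byte range on the fly. It assumes the cache key is derived from the read-cap with a hypothetical tag; HMAC-SHA256 in counter mode stands in for AES-CTR, since the stdlib has no AES, and the cap and file contents are constructed sample values.

```python
"""Added example: gateway cache storing only ciphertext, keyed from the cap."""
import hashlib
import hmac
import os

CACHE_KEY_TAG = b"tahoe-gateway-cache-key-v1"  # hypothetical tag, not Tahoe's
BLOCK = 32  # one HMAC-SHA256 output per counter value


def cache_key(readcap: str) -> bytes:
    """Per-file key from the cap alone: nothing secret is stored on the
    gateway, and the cache bytes are useless to anyone without the cap."""
    return hmac.new(CACHE_KEY_TAG, readcap.encode(), hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, start: int, length: int) -> bytes:
    """Counter-mode keystream for plaintext bytes [start, start+length).
    Only the counter blocks that cover the range are computed, which is
    what lets a range request be served without decrypting the whole file."""
    out = bytearray()
    first, last = start // BLOCK, (start + length - 1) // BLOCK
    for ctr in range(first, last + 1):
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
    off = start % BLOCK
    return bytes(out[off:off + length])


class EncryptedCache:
    """Maps readcap -> (nonce, ciphertext); only these bytes would reach disk."""

    def __init__(self):
        self._entries = {}

    def store(self, readcap: str, plaintext: bytes) -> None:
        nonce = os.urandom(16)  # fresh per entry; public, kept beside ciphertext
        ks = keystream(cache_key(readcap), nonce, 0, len(plaintext))
        self._entries[readcap] = (nonce, bytes(a ^ b for a, b in zip(plaintext, ks)))

    def read_range(self, readcap: str, start: int, length: int) -> bytes:
        """Serve an HTTP Range-style slice, decrypting just those bytes."""
        nonce, ct = self._entries[readcap]
        chunk = ct[start:start + length]
        ks = keystream(cache_key(readcap), nonce, start, len(chunk))
        return bytes(a ^ b for a, b in zip(chunk, ks))

    def on_disk_bytes(self, readcap: str) -> bytes:
        return self._entries[readcap][1]


# Constructed sample cap and content (not a real Tahoe cap).
SAMPLE_CAP = "URI:CHK:exampleaeskey:exampleuehash:3:10:4096"
SAMPLE_DATA = b"The quick brown fox jumps over the lazy dog. " * 20
```

Replacing the key derivation with one a real deployment would use (and the stand-in PRF with AES-CTR) does not change the structure: the disk holds nonce plus ciphertext, and plaintext exists only in the response being streamed.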
