[tahoe-dev] accounting and ambient client authority

Greg Troxel gdt at ir.bbn.com
Fri Jun 10 07:26:16 PDT 2011


  What do people think? Ambient storage authority or pass in a storagecap
  with each request?

This points out that the WUI is doing two things currently:

  offering a convenient means of access for the owner of the node

  offering access to people not trusted by the owner


Actually, it offers access to those who can run processes on the
computer hosting the node (and thus connect to 127.0.0.1) or to some
broader set of people (internet-wide, firewalls).

So, unless the WUI is limited to the unix uid that owns
$nodedir/private, it seems that any node-wide privileges are wrong.

As to embedding capabilities in URLs, I've always found that dangerous
(because browsers do not treat URLs like passwords, and capabilities
must be protected as if they are passwords), and your concern about
storage caps leaking when you share a readcap to me just points out that
usage of the WUI is fragile from a security viewpoint.



Another issue, perhaps orthogonal: are storagecaps grid wide, or do I
have to get a separate storagecap from each server?  It seems like one
could have a bilateral agreement, or a grid-mediated multi-party
agreement.  The social construction of volunteergrid{,2} seems to be a
multi-party agreement, but it may be that even with such an agreement
pairwise storagecaps can be used to implement it.
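
A toy model of the two designs under discussion, added here as an illustration and not Tahoe-LAFS code: an "ambient" server that hands the node owner's storage authority to anything connecting from 127.0.0.1, beside one that requires a storagecap with each request. The caps are pairwise (each server signs its own with its own key), so a cap issued by one server is not honoured by another; the HMAC construction, server ids and account names are assumptions.

```python
import hmac
import hashlib
import secrets

# Constructed: each server holds its own secret, so storagecaps are bilateral
# (server, account) agreements rather than a single grid-wide token.
SERVER_KEYS = {"server-A": secrets.token_bytes(32), "server-B": secrets.token_bytes(32)}


def issue_storagecap(server_id, account):
    """A server issues a cap by MACing (server, account) under its own key."""
    msg = f"{server_id}|{account}".encode()
    tag = hmac.new(SERVER_KEYS[server_id], msg, hashlib.sha256).hexdigest()
    return f"storagecap:{server_id}:{account}:{tag}"


def verify_storagecap(server_id, cap):
    """Return the account the cap names, or None if it is not this server's cap."""
    try:
        kind, sid, account, tag = cap.split(":")
    except ValueError:
        return None
    if kind != "storagecap" or sid != server_id:
        return None  # another server's cap, or not a storagecap at all
    msg = f"{sid}|{account}".encode()
    expected = hmac.new(SERVER_KEYS[server_id], msg, hashlib.sha256).hexdigest()
    return account if hmac.compare_digest(tag, expected) else None


class StorageServer:
    def __init__(self, server_id, ambient=False):
        self.server_id, self.ambient, self.usage = server_id, ambient, {}

    def store(self, data, peer_addr, storagecap=None):
        """Accept an upload and account for it; return whether it was accepted."""
        if self.ambient and peer_addr == "127.0.0.1":
            account = "node-owner"  # ambient: any local process gets the owner's authority
        else:
            account = verify_storagecap(self.server_id, storagecap) if storagecap else None
        if account is None:
            return False
        self.usage[account] = self.usage.get(account, 0) + len(data)
        return True


def demo():
    ambient, explicit = StorageServer("server-A", ambient=True), StorageServer("server-A")
    cap_a, cap_b = issue_storagecap("server-A", "greg"), issue_storagecap("server-B", "greg")
    return {
        "ambient_local_no_cap": ambient.store(b"x" * 10, "127.0.0.1"),
        "ambient_remote_no_cap": ambient.store(b"x" * 10, "203.0.113.5"),
        "explicit_local_no_cap": explicit.store(b"x" * 10, "127.0.0.1"),
        "explicit_with_own_cap": explicit.store(b"x" * 10, "203.0.113.5", cap_a),
        "explicit_with_other_servers_cap": explicit.store(b"x" * 10, "203.0.113.5", cap_b),
        "usage": explicit.usage,
    }
```

Under the ambient design the only thing standing between a local process and the owner's storage quota is the loopback check, which is exactly the node-wide privilege the message argues is wrong.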


