[tahoe-lafs-trac-stream] [Tahoe-LAFS] #2384: anonymize Tub IDs when using Tahoe-LAFS with anonymity net like Tor or I2p

[Tahoe-LAFS]

#2384: anonymize Tub IDs when using Tahoe-LAFS with anonymity net like Tor or I2p
-------------------------+-----------------------
     Reporter:  dawuud   |      Owner:
         Type:  defect   |     Status:  new
     Priority:  normal   |  Milestone:  undecided
    Component:  unknown  |    Version:  1.10.0
   Resolution:           |   Keywords:
Launchpad Bug:           |
-------------------------+-----------------------

Comment (by warner):

 Current status: client connections to storage servers use ephemeral Tubs
 (thanks to #2759), so storage servers won't see tub-id correlations
 between subsequent boots of a single client.

 The !IntroducerClient, though, uses a static tub (with key stored in
 `NODEDIR/private/node.pem`) for all connections. So the Introducer can
 correlate connections across client reboots.

 Do folks think we can close this ticket as is, or should we use an
 ephemeral Tub for the introducer client too?

 (note that when Accounting happens, clients will get a persistent !Ed25519
 public key, and they'll sign their storage-server messages with it. But I
 think we can just declare that when `anonymous=true`, these keys are
 disabled, or regenerated at each boot, and you don't get to participate in
 any accounting-related tasks. Maybe we can add a `pseudonymous=true` flag
 which will allow persistent client pubkeys, but still enforce the other
 safety restrictions. In that world, servers could tell which clients were
 which, but that "identity" is still unlinked to the client's real IP
 address)

--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/2384#comment:5>
Tahoe-LAFS <https://Tahoe-LAFS.org>
secure decentralized storage