Changes between Initial Version and Version 1 of Ticket #958


Ignore:
Timestamp:
2010-02-15T06:29:51Z (15 years ago)
Author:
zooko
Comment:

Legend:

Unmodified
Added
Removed
Modified

  • Ticket #958 – Description

    initial v1  
    11Make it possible to mark a cap as moved-permanently, including possibly to a cap of a newer version.
     2
     3Described in http://allmydata.org/pipermail/tahoe-dev/2010-February/003910.html as follows:
     4
     5{{{
     6Dear people of tahoe-dev:
     7
     8I've been hosting my blog on Tahoe-LAFS since July, 2008. That's 18
     9months now! Amazing. There are now a lot of copies out there of the
     10URL to my blog, which is:
     11http://testgrid.allmydata.org:3567/uri/URI:DIR2-RO:j74uhg25nwdpjpacl6rkat2yhm:kav7ijeft5h7r7rxdp5bgtlt3viv32yabqajkrdykozia5544jqa/wiki.html
     12. (The URL to my blog includes, of course, the read-cap to my blog.)
     13
     14I was thinking recently about what will happen we deploy New Cap
     15Design and I want to upgrade my blog to take advantage of the new
     16style caps. When I do so the read-cap will have to change. I would
     17want to preserve the unforgeability property -- the guarantee that if
     18you have the read-cap to my blog you can't be tricked into accepting a
     19forged document that was generated without the write-cap to my blog.
     20
     21Of course, I could just add a new blog entry in my old blog saying "My
     22blog has now moved to $HERE, please update your bookmarks
     23accordingly.", with the new read-cap. This would preserve the
     24unforgeability property, but it can take a long time for everyone in
     25the world to update their bookmarks, and the longer it takes the
     26longer those people would be vulnerable to forgeries (by an attacker
     27who succeeds at cracking the RSA digital signatures that provide the
     28unforgeabilithy of my old blog). Also, asking them to do this is a
     29hassle, so I would not do it unless the old cap style had become
     30*really* old and troublesome -- I would keep using the old cap for a
     31long time just to avoid this "manually asking people to change their
     32links".
     33
     34Also, this text "My blog has now moved to $HERE" is not standardized
     35and machine-readable, so you can't write a script that will reliably
     36detect this sort of note and update your bookmarks for you.
     37
     38Then I had an idea: secure HTTP 301 Moved Permanently!
     39
     40We could extend the Tahoe-LAFS cap format so that when you ask for the
     41current version, there is a special symbol along with a new read-cap
     42(out-of-band of the file contents so that there is no ambiguity about
     43file contents versus the 301 Moved Permanently symbol). This special
     44symbol means that the client should download the new read-cap,
     45remember for future reference that any attempt to load the old
     46read-cap should instead use the new read-cap, and then (if possible)
     47fetch the contents of the file using the new readcap.
     48
     49Note that this dovetails very nicely with my previous proposal for
     50write-cap revocation (#954). If you are going to issue a secure LAFS
     51301 Moved Permanently, then you also want to petrify that file so that
     52nobody can later change it.
     53
     54Note that the part about the client "remembering for future reference"
     55suggests the existence of a client-side database which records the
     56fact that a specific URL has been 301'ed and optimizes out the step of
     57looking up the old location next time. This might fit in well with the
     58backupdb, which already likes to remember a few key facts about files
     59and directories to optimize backups. It might also be a good idea to
     60update parent directories which point to that file or directory with
     61the 301 information (#956).
     62
     63This is a forward-compatibility issue because, as in the case of my
     64blog, the sooner we can rely on this feature the easier we can upgrade
     65to future versions of caps. I've created #958 to track this issue.
     66
     67Regards,
     68
     69Zooko
     70
     71http://allmydata.org/trac/tahoe-lafs/ticket/954# revoke write authority
     72http://allmydata.org/trac/tahoe-lafs/ticket/955# use client-side
     73storage to defend against rollback attack
     74http://allmydata.org/trac/tahoe-lafs/ticket/956# embed security
     75metadata in parent directory
     76http://allmydata.org/trac/tahoe-lafs/ticket/957# embed security metadata in URL
     77http://allmydata.org/trac/tahoe-lafs/ticket/958# LAFS 301 Moved Permanently
     78}}}