Changes between Version 25 and Version 26 of NewCapDesign


Ignore:
Timestamp:
2011-11-22T19:02:30Z (12 years ago)
Author:
zooko
Comment:

add desideratum: Don't provide an affordance for diminishing caps by editing them, or else make sure that the actual effect of doing so is the same as the intended effect.

Legend:

Unmodified
Added
Removed
Modified

  • NewCapDesign

    v25 v26  
    222222    while {{{tahoe cp tahoe:blah local/foo.txt}}} copies from a child of
    223223    the "tahoe:" alias).
     224'''Note that double-slash means "there is a naming authority" (see RFC 3986). I think most people's understanding of caps is that there is no naming authority (i.e. a remote server which you completely rely on to decide what value a name within its domain should denote). I suppose we might fit the semantics of RFC 3986 if we claim that the thing we have there (which will probably be a crypto value derived in complex ways from the plaintext of the file and/or a public key) *is* a naming authority.'''
    224225  * I'd like to make it easy to layer uses on top of one another: since
    225226    directories are just a specific way of interpreting the contents of a
     
    235236    verbose s-expressions, these caps could be expressed as "(readonly
    236237    (mutable cryptobits))" and "(directory (readonly (mutable cryptobits)))".
     238  * Don't provide an affordance for diminishing caps by editing them, or else make sure that the actual effect of doing so is the same as the intended effect. This actually happened to an LAE customer: they sent us a transcript of their shell session which had their write cap init, and they truncated off the right-hand side of the cap, intending to thus preserve confidentiality of their data. Unfortunately for them, the right-hand side of the (current) write cap format is the integrity-checking bits, not the write-authority bits! The remaining left-hand-side of the cap that they sent was enough to let us (or anyone else who saw their mail) read and overwrite all of their files. This wouldn't have happened if the cap had been a compact thing with no visible separations, like "tahoe:WD1WDDy975ZJkrU7XZTxAB39kmnfxYk3zDb", or if it had been ordered so that the most powerful bits were left-most.
    237239 * provide for verifycaps, repaircaps, and traversalcaps (#308, #217).
    238240   Repaircaps in particular may require a grant of storage authority, which