[tahoe-dev] Access control and permissions on a tahoe grid

Kevin Reid kpreid at mac.com
Sat Jun 13 02:38:26 UTC 2009


On Jun 12, 2009, at 22:19, Brian Warner wrote:

> Revocation is a complicated topic. As Kevin said, it basically requires an
> intermediary, which might either be a single proxy/gatekeeper or something
> distributed (like an intermediate tahoe directory that you can later empty).


A directory cannot be used for revocation: a client can always scan it
and remember every cap it contains (perhaps by putting them into a
different directory), or remember the current-version shares of the
directory itself.

The only revocation-like behavior deleting from a directory gets you is:

IF:

   - the client has not looked at the directory since the to-be-revoked
     child was added, or has not recorded the caps in it

   - and there are not enough storage servers providing shares of the
     old version of the directory to retrieve it

THEN you have successfully used deletion to revoke access. This seems
weak enough to be practically useless.

-- 
Kevin Reid                            <http://homepage.mac.com/kpreid/>
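The two failure paths in Kevin's argument, as an added example that is not part of his message and is not Tahoe-LAFS code: an in-memory model of a grid whose servers each hold a versioned copy of a mutable directory, with a k-of-n threshold on retrieval. Server count, k, the cap strings, the child name and the idea of "lagging" servers that never discard a superseded version are all constructed for the demonstration; a real Tahoe server holds an erasure-coded share rather than a whole copy, but the threshold is what the argument turns on.

```python
"""Added example (not Tahoe-LAFS code): an in-memory model of a Tahoe-style grid,
used to show the two conditions under which deleting a child from a directory
fails to revoke access. n, k, cap strings and the child name are constructed."""
import secrets


class Grid:
    """Toy grid: n servers, k of which suffice to rebuild an object.

    Simplification: each server stores the whole content of a version as its
    'share' rather than an erasure-coded fragment; the k-of-n threshold is still
    enforced on retrieval, which is the property the argument depends on.
    """

    def __init__(self, n, k):
        self.n, self.k = n, k
        self.servers = [{} for _ in range(n)]  # storage index -> {version: content}

    def publish(self, si, version, content):
        for srv in self.servers:
            srv.setdefault(si, {})[version] = content

    def retrieve(self, si, version):
        shares = [srv[si][version] for srv in self.servers if version in srv.get(si, {})]
        return shares[0] if len(shares) >= self.k else None

    def latest_version(self, si):
        versions = [v for srv in self.servers for v in srv.get(si, {})]
        return max(versions) if versions else None

    def forget_version(self, si, version, on):
        """Servers listed in `on` discard a superseded version (a lagging one would not)."""
        for idx in on:
            self.servers[idx].get(si, {}).pop(version, None)


class Directory:
    """Mutable directory: a versioned map of child name -> cap, driven by its writer."""

    def __init__(self, grid):
        self.grid = grid
        self.si = secrets.token_hex(8)  # real Tahoe derives this from the write-cap
        self.readcap = "URI:DIR2-RO:" + self.si  # constructed stand-in for a read-cap
        self.version = 0
        self.children = {}
        self.grid.publish(self.si, self.version, dict(self.children))

    def _write(self):
        self.version += 1
        self.grid.publish(self.si, self.version, dict(self.children))

    def set_child(self, name, cap):
        self.children[name] = cap
        self._write()

    def delete_child(self, name):
        del self.children[name]
        self._write()


def read_directory(grid, si, version=None):
    """What a holder of the read-cap can do: fetch the latest, or a named, version."""
    if version is None:
        version = grid.latest_version(si)
    return grid.retrieve(si, version)


def bob_keeps_access(bob_recorded_caps, lagging_servers, n=10, k=3):
    """Alice shares a directory with Bob, then deletes the child to 'revoke' it.

    bob_recorded_caps: did Bob save the caps he saw when he listed the directory?
    lagging_servers:   indices of servers that never discard the old version.
    Returns True if Bob can still obtain the file cap after the deletion.
    """
    grid = Grid(n, k)
    filecap = "URI:CHK:" + secrets.token_hex(8)  # constructed stand-in for a file cap
    alice_dir = Directory(grid)
    alice_dir.set_child("secret.txt", filecap)

    # Bob lists the directory while the child is present.
    bob_memory = set()
    listing = read_directory(grid, alice_dir.si)
    if bob_recorded_caps:
        bob_memory.update(listing.values())

    # Alice deletes the child; well-behaved servers drop the superseded version.
    superseded = alice_dir.version
    alice_dir.delete_child("secret.txt")
    grid.forget_version(alice_dir.si, superseded,
                        on=[i for i in range(n) if i not in lagging_servers])

    # Path 1: Bob copied the cap. The cap itself is the authority; nothing to revoke.
    if filecap in bob_memory:
        return True
    # Path 2: enough servers still serve the old directory version to rebuild it.
    old = read_directory(grid, alice_dir.si, version=superseded)
    if old is not None and filecap in old.values():
        return True
    # Path 3: the current version, which no longer carries the cap.
    current = read_directory(grid, alice_dir.si) or {}
    return filecap in current.values()


if __name__ == "__main__":
    print("Bob recorded caps:", bob_keeps_access(True, lagging_servers=[]))
    print("3 lagging servers, k=3:", bob_keeps_access(False, lagging_servers=[0, 1, 2]))
    print("2 lagging servers, k=3:", bob_keeps_access(False, lagging_servers=[0, 1]))
```

Only the last case, where Bob neither recorded the caps nor can assemble k shares of the superseded version, comes out revoked; that is exactly the conjunction in the IF above, and the writer controls neither half of it.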
