[tahoe-dev] Deletion in the Elk Point cap protocol

David-Sarah Hopwood david-sarah at jacaranda.org
Tue Oct 6 04:43:13 UTC 2009

David-Sarah Hopwood wrote:
> David-Sarah Hopwood wrote:
>> b) its contents are obsolete and you no longer want people to rely on
>>    them, even though it isn't important whether they know the contents.
>> c) you have a legal and/or moral obligation to no longer store the
>>    contents or otherwise contribute to providing access to them.
> Define an "undeletion attack" to be an attack that reinstates a deleted
> share in such a way that it can still be read by an existing read cap.
> Provided undeletion attacks are not possible, the fact that an attacker
> can retain copies of shares does not prevent deletions for reason b)
> and/or c) from being effective:
> in b), the fact that an attacker holds copies does not prevent deletion
>        of the original shares (if they cannot be undeleted) from acting
>        as a signal that the content is obsolete.
> in c), servers that were asked to delete their shares of a file are no
>        longer contributing to providing access to the content. If an
>        attacker knew the plaintext then it can re-upload it, but only at
>        a new storage index, so that existing read caps are invalidated.
>        Attackers who do not know the plaintext or read cap cannot
>        re-upload it. This adequately discharges the server operator's
>        obligations.

I meant also to clarify that supporting destroy caps does not prevent
a server operator from deleting any share for any reason. For instance,
if a server operator were given a legitimate reason to delete a share
by some authority such as the police, they would presumably do so without
needing to see the destroy cap. The problem that destroy caps solve is
that without them, the creator of an immutable or add-only share cannot
prove to a server that they are they are entitled to delete the share
just by virtue of being its creator (or authorized to do so by the creator).

Also, the process of deleting a file using its destroy cap would be
automatic, whereas deleting a share from a particular server without the
destroy cap would require manual intervention by the server operator.

David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com

More information about the tahoe-dev mailing list