[Imported from Trac: page NewCapDesign, version 29]

Zancas 2013-01-23 19:48:10 +00:00
parent de817b65b6
commit fe1d0d1efb

@ -236,7 +236,7 @@ several lower bounds on the length:
trivial. Another way to think about this is that if our filecaps were
verbose s-expressions, these caps could be expressed as "(readonly
(mutable cryptobits))" and "(directory (readonly (mutable cryptobits)))".
* Don't provide an affordance for diminishing caps by editing them, or else make sure that the actual effect of doing so is the same as the intended effect. This actually happened to an LAE customer: they sent us a transcript of their shell session which had their write cap init, and they truncated off the right-hand side of the cap, intending to thus preserve confidentiality of their data. Unfortunately for them, the right-hand side of the (current) write cap format is the integrity-checking bits, not the write-authority bits! The remaining left-hand-side of the cap that they sent was enough to let us (or anyone else who saw their mail) read and overwrite all of their files. This wouldn't have happened if the cap had been a compact thing with no visible separations, like "tahoe:WD1WDDy975ZJkrU7XZTxAB39kmnfxYk3zDb", or if it had been ordered so that the most powerful bits were left-most <-(right-most? -zancas).
* Don't provide an affordance for diminishing caps by editing them, or else make sure that the actual effect of doing so is the same as the intended effect. This actually happened to an LAE customer: they sent us a transcript of their shell session which had their write cap init, and they truncated off the right-hand side of the cap, intending to thus preserve confidentiality of their data. Unfortunately for them, the right-hand side of the (current) write cap format is the integrity-checking bits, not the write-authority bits! The remaining left-hand-side of the cap that they sent was enough to let us (or anyone else who saw their mail) read and overwrite all of their files. This wouldn't have happened if the cap had been a compact thing with no visible separations, like "tahoe:WD1WDDy975ZJkrU7XZTxAB39kmnfxYk3zDb", or if it had been ordered so that the most powerful bits were right-most.
* provide for verifycaps, repaircaps, and traversalcaps (#308, #217).
Repaircaps in particular may require a grant of storage authority, which
might entail a cap format that can accept arbitrary extra non-hierarchical
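Review bot: the changed bullet resolves the inline "(right-most? -zancas)" question by replacing "left-most" with "right-most", and that is the reading consistent with the anecdote in the same bullet: the customer truncated the right-hand side of the cap expecting to give up authority, so an ordering with the most powerful bits right-most is the one under which that edit would have had its intended effect, whereas "left-most" would describe exactly the layout that let the remaining left-hand part keep read and write authority. The `@ -236,7 +236,7 @@` header is also missing its leading `@`; if this page is ever re-exported as a patch, the hunk will not apply until that is restored.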