Hello Greg.

On Fri, Mar 11, 2005 at 09:16:16AM -0500, Greg Troxel wrote:
> Here, your concern seems to be that the client can be sure that the
> bits in the file, and the metadata, have been authenticated by the
> server.

Exactly.

> To really do this, you'd have to keep track of for which user
> a file was authenticated, since one user can't know that another's key
> isn't compromised.
> One could use the SHA-1 hashes to avoid refetching the file, if the
> issue is just authenticity.

Very good points!

Essentially venus should not let a user access a cached object unless it has verified the hash over this user's connection. As Venus already does token verification and access rights caching, it should be a rather trivial change. (Jan, wouldn't it?)

If we explicitly disallow application of System:Anyuser rights when an uid does not have cached access rights, it will be safe.

If we'd implement another change I was pleading for (e.g. http://www.coda.cs.cmu.edu/maillists/codalist/codalist-2004/6811.html) to avoid expiration of the cached rights at token expiry, then it will be convenient as well as safe!

> FWIW, I use IPsec from clients to server, partly for this, but mostly
> to get real confidentiality.

I want to be able to walk to any reasonably maintained computer, whose administrator ran "coda-client-setup" once, use Coda and feel safe. It is perfectly possible, isn't it?

For the moment IPsec may be the only option, but I don't think it is feasible to expect IPsec being set up in a proper way everywhere. And I would like to avoid it myself.

Best regards,
--
Ivan

Received on 2005-03-11 09:49:08
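As an added illustration of the per-user verification discussed in this message (not code from the thread or from Coda/Venus itself): a toy client cache that records which uid has had the server vouch for a cached object's hash over that uid's own connection, reuses the cached bits without refetching when the hash matches, and declines to apply System:AnyUser rights for a uid that has no cached rights. The Server and Venus classes, the token values and the file contents are constructed stand-ins.

```python
import hashlib

def sha1(data):
    return hashlib.sha1(data).hexdigest()

class Server:
    """Constructed stand-in for a Coda file server: answers only to a valid token."""
    def __init__(self, files):
        self.files = files  # fid -> bytes

    def hash_of(self, token, fid):
        if token is None:
            raise PermissionError("no valid token for this uid")
        return sha1(self.files[fid])

    def fetch(self, token, fid):
        if token is None:
            raise PermissionError("no valid token for this uid")
        data = self.files[fid]
        return data, sha1(data)

class Venus:
    """Constructed client cache tracking, per uid, which cached copies it verified."""
    def __init__(self, server):
        self.server = server
        self.cache = {}        # fid -> (data, sha1) as fetched
        self.verified = set()  # (uid, fid, sha1): server vouched over this uid's session
        self.rights = {}       # (uid, fid) -> rights obtained over this uid's session
        self.refetched = 0     # counts full data transfers (for the test)

    def read(self, uid, token, fid):
        cached = self.cache.get(fid)
        if cached and (uid, fid, cached[1]) in self.verified:
            return cached[0]  # this uid already authenticated this exact copy
        # Another user's verification does not count: ask over *this* uid's session.
        expected = self.server.hash_of(token, fid)
        if cached and cached[1] == expected:
            self.verified.add((uid, fid, expected))  # reuse the bits, no refetch
            return cached[0]
        data, h = self.server.fetch(token, fid)
        self.refetched += 1
        if sha1(data) != h or h != expected:
            raise ValueError("fetched data does not match the server's hash")
        self.cache[fid] = (data, h)  # callback-driven invalidation is out of scope here
        self.verified.add((uid, fid, h))
        return data

    def effective_rights(self, uid, fid, anyuser_rights):
        # No cached rights for this uid means no rights, not System:AnyUser's rights.
        if (uid, fid) not in self.rights:
            return set()
        return self.rights[(uid, fid)] | anyuser_rights
```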