On Thu, Aug 29, 2013 at 02:44:37PM +0200, danimoth wrote: > On 29/08/13 at 03:09pm, Nikos Fotiou wrote: > > A suspicious user may wonder, how can he be sure that the service > > indeed uses the provided source code. IMHO, end-to-end security can be > > really verifiable--from the user perspective--if it can be attested by > > examining only the source code of the applications running on the user > > side. > > > > I agree with you and I propose a simply protocol which follows your > statement: > > - encrypt your data with a simmetric cipher and a private and robust key > - make an hash of the encrypted data and store it securely (no loss > possibile) offline > - upload the encrypted data over some service. > - download the encrypted data when you need it, check the hash and > decrypt with the key used in the first pass. > > In this (simple) case, what is run server side does not nullify security > properties (confidentiality and integrity in this example), provided > that what is run user-side is "ok".
The Least-Authority Filesystem does all of the above. We have some pretty good docs: https://tahoe-lafs.org/trac/tahoe-lafs/browser/trunk/docs/about.rst http://code.google.com/p/nilestore/wiki/TahoeLAFSBasics https://tahoe-lafs.org/trac/tahoe-lafs/wiki/FAQ Regards, Zooko _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography