On Jun 12, 2009, at 22:19, Brian Warner wrote: > Revocation is a complicated topic. As Kevin said, it basically > requires an > intermediary, which might either be a single proxy/gatekeeper or > something > distributed (like an intermediate tahoe directory that you can later > empty).
A directory cannot be used for revocation: a client can always scan it and remember every cap it contains (perhaps by putting them into a different directory), or remember the current-version shares of the directory itself. The only revocation-like behavior deleting from a directory gets you is: IF: - the client has not looked at the directory since the to-be- revoked child was added, or has not recorded the caps in it - and there are not enough storage servers providing shares of the old version of the directory to retrieve it THEN you have successfully used deletion to revoke access. This seems weak enough to be practically useless. -- Kevin Reid <http://homepage.mac.com/kpreid/> _______________________________________________ tahoe-dev mailing list [email protected] http://allmydata.org/cgi-bin/mailman/listinfo/tahoe-dev
