Jason: Thank you for your thoughtful message.
I made a mistake yesterday by describing only the lowest layer of the Tahoe-LAFS architecture and, when my bus arrived at work, sending the mail without first making clear that this was only the lowest layer. Tahoe-LAFS includes a "secure distributed directories" layer on top of the "secure distributed immutable files" that I already described, and then it also has a RESTful API, a command-line interface, and a web user interface. Then on top of *that* there are many different things built on top of Tahoe-LAFS, including a Windows client that integrates into the Windows filesystem, a plugin for the "duplicity" backup tool, Shawn Willden's nascent new backup tool, and more [1]. These layers solve some of the problem that you point out, and I'm sorry I gave you an inaccurate target in my previous mail.

Despite this handicap, many of your criticisms are still valid, because the fundamental availability-vs.-confidentiality trade-off that you describe is one of those "abstraction-piercing" problems, so none of the added layers of Tahoe-LAFS are able to completely solve it. For what it is worth, I don't think Cleversafe's approach completely solves it either, as I think Shawn Willden and Brian Warner have pointed out -- the abstraction-piercing problem keeps going on up through authentication, user interface, corporate policy, etc., etc.!

As a thought experiment, consider that one *could* write a new layer on top of Tahoe-LAFS that used secret-sharing to split a cap into secret shares. Then the composition of the Tahoe-LAFS "secure distributed storage" layer along with the secret-sharing of the cap would have similar properties to Cleversafe.

I've often wanted to do that so that users of allmydata.com's backup services would have a third option instead of just "allmydata.com keeps my key safe for me" and "I keep my own key and take my chances". The reason I never did it yet is that I don't see how to integrate it smoothly enough into UI/customer experience/etc.

How would a customer who wants to back up their files to allmydata.com deliver the various shares of their secret to various locations -- email them to friends? It sounds like too much confusion and too much work for the average backup customer, who after all is really trying to buy simplicity and peace-of-mind, not to invest a lot of time learning a new tool!

Okay, now I gotta go to work again. :-)

Regards,

Zooko

[1] http://allmydata.org/trac/tahoe/wiki/RelatedProjects
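The "split a cap into secret shares" layer sketched in the thought experiment above, as an added example that is not Tahoe-LAFS code: byte-wise Shamir secret sharing over GF(2^8), with a threshold so that k of n share-holders can rebuild the cap while fewer learn nothing. SAMPLE_CAP is a constructed placeholder string, not a real Tahoe URI.

```python
import secrets
# Added example, not Tahoe-LAFS code: Shamir secret sharing over GF(2^8), applied
# byte by byte. SAMPLE_CAP is a constructed placeholder, not a real Tahoe URI.
SAMPLE_CAP = b"URI:CHK:placeholderkey:placeholderhash:3:10:1234"

def _gf_mul(a, b):
    """Multiply in GF(2^8), reducing by the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1: r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _gf_inv(a):
    """Inverse in GF(2^8) as a^254 (square-and-multiply); a must be non-zero."""
    r, e = 1, 254
    while e:
        if e & 1: r = _gf_mul(r, a)
        a, e = _gf_mul(a, a), e >> 1
    return r

def split_cap(cap, k, n):
    """Split cap into n shares; any k rebuild it, fewer than k learn nothing."""
    assert 1 < k <= n < 256
    shares = {x: bytearray() for x in range(1, n + 1)}
    for byte in cap:
        # Random degree-(k-1) polynomial whose constant term is the secret byte.
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(k - 1)]
        for x in shares:
            y = 0
            for c in reversed(coeffs):  # Horner: evaluate the polynomial at x
                y = _gf_mul(y, x) ^ c
            shares[x].append(y)
    return {x: bytes(y) for x, y in shares.items()}

def recover_cap(shares):
    """Lagrange-interpolate the constant term from any k shares {x: bytes}."""
    xs, out = list(shares), bytearray()
    for i in range(len(shares[xs[0]])):
        acc = 0
        for xj in xs:
            num = den = 1
            for xm in xs:
                if xm != xj:
                    num = _gf_mul(num, xm)       # (0 - xm) == xm in characteristic 2
                    den = _gf_mul(den, xj ^ xm)  # (xj - xm) == xj ^ xm
            acc ^= _gf_mul(shares[xj][i], _gf_mul(num, _gf_inv(den)))
        out.append(acc)
    return bytes(out)
```

Each share is the same length as the cap, so the availability-vs.-confidentiality trade-off the mail describes is now a choice of k and n rather than a single copy of the key.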
