Brian Warner wrote:
> So I'd argue that this scheme results in a verifycap that's half as
> strong as the readcap.

.. and, finally catching up with your subsequent messages, I think we agree on this one :).

> I'll take a look at the mutable diagram separately.

On the mutable diagram: what if we compute the signature over (K1enc,ciphertext) instead of merely over (ciphertext)? Then we wouldn't need to hash K1enc into V'. And, if I can apply the same red X as I did for the immutable diagram (removing SI from the hash that computes V'), then we're down to V'=H(Kverify), which is exactly what we have in the current mutable-file scheme (writecap, readcap, and verifycap all contain a hash of the pubkey).

I think we're hitting the same tradeoff here. By folding the pubkey into R, we're making all its bits do double duty, so we can get n bits of integrity out of the n-bit R value (in addition to their n bits of confidentiality). But it also means that we can't derive the storage-index from just the pubkey (to preserve the ability to derive it from R), which means the server loses its validation abilities.

The mutable scheme does retain the offline attenuation, though, which I like :).

ah, such difficulties..
 -Brian
