On 8/1/11 10:16 PM, Joseph Ming wrote:

> The opposite question is also relevant I think: what extra precautions
> does tahoe take to protect the user from losing their root cap? If I
> understand the design correctly, without the root cap (or access to
> some stored cap somewhere) the user won't be able to access any of
> their data (or the portion of their data for which they don't have
> caps).
Correct. The general tahoe design (when you use the usual "everything under one dircap" approach) distills *all* your security down into that one rootcap. We felt that was the simplest possible tool to provide, giving users the best chance of correctly understanding how the system works and therefore the best chance of using it correctly. The Tahoe Security Mantra is:

  Knowledge of the rootcap is both necessary and sufficient to retrieve your data.

There's a tension between availability (being able to get to your data) and confidentiality (making sure that other people cannot get to your data). Having a single rootcap doesn't erase that tension, but it boils it down to a single short string, which makes it easier to use other tools to decide on which side of the availability/confidentiality spectrum you want to land.

If you're most worried about forgetting your data (e.g. sentimental photos of your grandchildren that you don't mind the whole world seeing), then you'll want to store as many copies of your rootcap as possible: mail it to yourself and your family, write it in a scrapbook, publish it in the Wall Street Journal, just flood it out to the whole world. If you lose your email account, your computer, even your whole house, you can still go to any library and get a copy of that newspaper and rebuild your client and type in the rootcap and retrieve the data.

On the other hand, if you're most worried about other people seeing that data (e.g. details of your evil plan to conquer the world, which you'd rather self-destruct than let the League Of SuperDuperHeroes learn), then you'd keep no more than one copy of your rootcap, in some highly secret and/or hard-to-reach place. Maybe inside your head (but they're too long for that). Maybe printed out in a safe deposit box (but what if the bank president is part of the League?). Maybe in a safe rigged to catch fire if someone gets the combination wrong.
Of course, you might feel somewhere in the middle about your data, so you might take an intermediate position. E.g. you might keep a single backup copy printed out in a safe-deposit box: if your computer dies, you can recover access with a new computer, a trip to the bank, and some typing. And you might have both kinds of data, so you might put them in separate directories and manage the two rootcaps differently.

> Assuming I store everything in tahoe and never share my caps with
> anyone else and then my harddisk where my cap was stored dies, is
> stolen, etc., have I lost everything?

Yes.

> Is there some other way to try to recover my data, maybe by scouring
> all nodes involved in storing it for caps that belong to me?

Nope. If that were possible, then the "necessary" part of the Mantra wouldn't be true. Storage nodes don't get to see the plaintext of anything they help store, so they don't know the contents of directory nodes and couldn't help with such a search.

> Are users encouraged to save a copy of their root cap somewhere other
> than their harddrive? Is there any mechanism to help the user do
> something like that?

Yes, and not directly. Tahoe itself is like a raw tool: there's plenty of room for layering additional tools on top of it. Early on (at AllMyData) we discussed providing a basic secret-splitting tool (based upon e.g. http://en.wikipedia.org/wiki/Secret_sharing) that would take your privately-held rootcap and generate maybe 5 postcards, which you'd mail to different friends (ideally who don't know each other), and then later you could rebuild the rootcap by having at least three of them read you back the contents. We never got around to building it, though.

Personally, I'd just print out ~/.tahoe/private/aliases (and a copy of your tahoe.cfg, which isn't secret, to make it easier to rebuild the client) on paper, and store it in a safe or safe-deposit-box.
If you keep all your data under the one rootcap listed in private/aliases, then you only have to do this once, and never need to touch it unless you lose the disk.

cheers,
 -Brian

_______________________________________________
tahoe-dev mailing list
[email protected]
http://tahoe-lafs.org/cgi-bin/mailman/listinfo/tahoe-dev
