On Tue, Feb 26, 2013 at 8:38 PM, Patrick R McDonald <[email protected]> wrote:

> As a redundant array of clouds becomes more and more a reality, thanks to the
> efforts of Least Authority Enterprises and others, Simon's thread popped a
> thought in my head. How do we protect ourselves against attacks from service
> providers who have full root access on one or more of our storage nodes?
It is helpful to phrase the question in such precise terms. Now that I understand it, my answer is that you basically can't protect information that you send to a remote host from the owner of that host. I like to mentally model it as talking to a remote guy and telling him facts, words, numbers, and asking him to remember them and tell them back to you later. You can't effectively enforce any controls on what else that guy does with those facts, words, numbers. You can't prevent him from thinking about them, and you can't prevent him from telling them to other people.

Now, what we do in Tahoe-LAFS is, we never tell the guy the actual words (cleartext) that make up our files! Encrypt everything, tell him the ciphertext, and then don't worry about what he does with the ciphertext.

Your other thread about "What authority does a storage server have?" is the right way to think about it. I think Kevin Reid's post on that thread was very informative.

Regards,

Zooko

_______________________________________________
tahoe-dev mailing list
[email protected]
https://tahoe-lafs.org/cgi-bin/mailman/listinfo/tahoe-dev
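The model in the reply above (the server is "a remote guy" who is only ever told ciphertext, and a root-owning operator can read or alter whatever he holds) can be sketched in a few lines. This is an added illustration, not Tahoe-LAFS code: it stands in a toy HMAC-SHA256 stream cipher plus a MAC tag for Tahoe's real AES/Merkle-tree design, and `read_cap` is an assumed secret held only by the client.

```python
import hashlib
import hmac
import secrets

# Toy model of "tell the server only ciphertext". The cipher below is a
# constructed teaching scheme (HMAC-SHA256 keystream in counter mode + HMAC
# tag), NOT the scheme Tahoe-LAFS actually uses.

class StorageServer:
    """The 'remote guy': he remembers blobs and may do anything with them."""
    def __init__(self):
        self.blobs = {}
    def put(self, index, blob):
        self.blobs[index] = bytes(blob)
    def get(self, index):
        return self.blobs[index]
    def tamper(self, index, pos):          # root on the node can flip any bit
        b = bytearray(self.blobs[index]); b[pos] ^= 1; self.blobs[index] = bytes(b)

def _keystream(key, nonce, length):
    out = b""
    for i in range((length + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def _subkeys(read_cap):
    enc = hashlib.sha256(b"enc" + read_cap).digest()
    mac = hashlib.sha256(b"mac" + read_cap).digest()
    index = hashlib.sha256(b"idx" + read_cap).hexdigest()  # opaque storage index
    return enc, mac, index

def upload(server, read_cap, plaintext):
    enc, mac, index = _subkeys(read_cap)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    server.put(index, nonce + ct + tag)    # server only ever receives this blob
    return index

def download(server, read_cap):
    enc, mac, index = _subkeys(read_cap)
    blob = server.get(index)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: server returned altered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))

def server_sees_plaintext(server, plaintext):
    """What an operator with root learns by searching his own disks."""
    return any(plaintext in blob for blob in server.blobs.values())
```

Root on the storage node gives the operator exactly the authority the thread describes (read, copy or alter the blobs he holds), but the cleartext never reaches him, and an altered blob fails the client's tag check instead of being silently accepted.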
