From mboxrd@z Thu Jan 1 00:00:00 1970
MIME-Version: 1.0
In-Reply-To:
References:
Date: Tue, 3 Feb 2009 11:13:09 -0500
Message-ID: <509071940902030813t3a35ea49g4bda782781c0bdd1@mail.gmail.com>
From: Anthony Sorace
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Subject: Re: [9fans] Sources Gone?
Topicbox-Message-UUID: 944e63dc-ead4-11e9-9d60-3106f5b1d025

erik wrote:
> i'm not sure i understand. either you have the key (score)
> and you can decrypt the whole cyphertext (read the file tree
> below), or you don't. assuming of course that scores are too
> hard to guess. so the solution is: don't give out the root score.

my read on the utility of rog's proposal is that you could then
pre-exchange the crypto key via secure channel (real live handoff or
whatnot) and then send root scores around freely over things like
email. unauthorized parties reading your email then don't get your
venti data.

the scheme has the advantage of being minimally intrusive, but it does
seem to be like putting the fix in the wrong place. i'd rather see an
authenticated connection mechanism, which would likely require more
changes (how do you store accounts and credentials? how do you feed
them to things like a fossil at boot?), but would have the same
benefits and more (i'd like to provide some clients read-only access,
for example).