> my read on the utility of rog's proposal is that you could then
> pre-exchange the crypto key via secure channel (real live handoff or
> whatnot) and then send root scores around freely over things like
> email. unauthorized parties reading your email then don't get your
> venti data.

if you want users, groups and access control, isn't the fs the place to go? i'm trying to see how doing fsey things at the venti level would be useful, but i don't see it yet.

> the scheme has the advantage of being minimally intrusive, but it does
> seem to be like putting the fix in the wrong place. i'd rather see an
> authenticated connection mechanism, which would likely require more
> changes (how do you store accounts and credentials? how do you feed
> them to things like a fossil at boot?), but would have the same
> benefits and more (i'd like to provide some clients read-only access,
> for example).

i don't see the need for accounts or credentials (again, i think the fs is there to provide those things). but tls would be a good idea if you plan on venti access across any potentially hostile network. you can steal scores off the wire. i also don't see why it wouldn't be trivial to add a venti-tls port and have venti just push tls. am i still missing something?

- erik