> -----Original Message-----
> From: devl-bounces at freenetproject.org 
> [mailto:devl-bounces at freenetproject.org] On Behalf Of Matthew Toseland
> Sent: Thursday, November 13, 2008 6:55 PM
> To: Discussion of development issues
> Subject: Re: [freenet-dev] [freenet-cvs] 
> r23509-trunk/plugins/WoT/introduction
> 
> On Thursday 13 November 2008 17:32, xor wrote:
> > 
> > > -----Original Message-----
> > > From: devl-bounces at freenetproject.org 
> > > [mailto:devl-bounces at freenetproject.org] On Behalf Of Matthew 
> > > Toseland
> > > > +       private synchronized void downloadPuzzles() {
> > > > +               Query q = db.query();
> > > > +               q.constrain(Identity.class);
> > > > +               q.constrain(OwnIdentity.class).not();
> > > > +               q.descend("lastChange").constrain(new
> > > > +Date(System.currentTimeMillis() - 1
> > > * 24 * 60 * 60 * 1000)).greater();
> > > > +               q.descend("lastChange").orderDescending(); /*
> > > This should choose
> > > identities in a sufficiently random order */
> > > 
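Review bot: the orderDescending() on lastChange is a deterministic ordering, not a random one as its comment says, so this query always yields the most recently changed identities first. If the goal is to spread puzzle downloads across identities, shuffle the result set after the query or order by a stored per-identity random field. Separately, `1 * 24 * 60 * 60 * 1000` is evaluated as int; it fits for one day but would overflow silently if the multiplier were raised to 25 or more, so a long literal (`24L * 60 * 60 * 1000`) is safer.
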
> > > You may need some and()'s here. Have you tested this query?
> > > 
> > > W.r.t. randomness, how about having a random number as a member of
> > > each identity? You could even change it when you download a puzzle
> > > for it, admittedly at some performance cost...
> > 
> > 
> > I thought that each line of that query will automatically be and()ed,
> > have not tested the code yet due to the lack of a puzzle factory and
> > UI.
> > 
> > > > +                       for(Identity i : allIds) {
> > > > +                               /* TODO: Create a "boolean
> > > providesIntroduction" in Identity to use a database query 
> instead of 
> > > this */
> > > > +                               
> > > if(i.hasContext(IntroductionPuzzle.INTRODUCTION_CONTEXT) &&
> > > i.getBestScore(db) > MINIMUM_SCORE_FOR_PUZZLE_DOWNLOAD)  {
> > > 
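Review bot: getBestScore(db) in the if condition takes no OwnIdentity, so an identity qualifies for puzzle download when any local OwnIdentity scores it above MINIMUM_SCORE_FOR_PUZZLE_DOWNLOAD, and the selection made for one OwnIdentity then depends on the trust views of the others. Pass the OwnIdentity being introduced and compare only its Score. The hasContext() filter also runs in memory over allIds, as the TODO notes; a stored boolean would let the database query do it.
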
> > > getBestScore()? Does that mean the best from any of the
> > > OwnIdentities?
> > > Shouldn't you specify one? It is essential that there be no way for
> > > an attacker to connect different OwnIdentities together ...
> > 
> > A "Score" object is per-OwnIdentity. So if you have 5 OwnIds then the
> > database will contain 5 Score objects for each Identity.
> > Therefore, getBestScore() receives the best Score an Identity has
> > received from any OwnIdentity.
> >
> > Using an OwnIdentity in this query WOULD connect the decision of which
> > puzzles to use to the OwnId which is chosen, this is not what we want,
> > is it?
> 
> This is exactly what we want, isn't it? We want it to be hard 
> for an attacker to connect any OwnIdentity with any other 
> OwnIdentity i.e. we want to do the announcement purely from 
> the point of view of the new OwnIdentity which is being announced.

You are right. I will change it.
I had the wrong assumption in my mind that the new identity is
completely new and has no web of trust yet, but that's nonsense :)
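
The difference discussed in this thread, as an added example that is not part of the original messages or the WoT plugin's code: a minimal model in which every Score belongs to one OwnIdentity, comparing selection by the best score from any OwnIdentity with selection from a single OwnIdentity's view. The class and method names, the threshold, and the sample scores are assumptions constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

// Added illustration, not WoT plugin code. All names and values are constructed.
public class PuzzleSelectionDemo {
    static final int MINIMUM_SCORE = 0; // hypothetical threshold

    // scores.get(ownId).get(identity) = score that ownId's trust view gives identity.
    // "Best score above the threshold" is true as soon as any OwnIdentity's
    // score is above it, so this returns the union of all local trust views.
    static Set<String> selectByBestScore(Map<String, Map<String, Integer>> scores) {
        Set<String> out = new TreeSet<>();
        for (Map<String, Integer> view : scores.values())
            for (Map.Entry<String, Integer> e : view.entrySet())
                if (e.getValue() > MINIMUM_SCORE) out.add(e.getKey());
        return out;
    }

    // Selection purely from the point of view of the OwnIdentity being announced.
    static Set<String> selectFor(Map<String, Map<String, Integer>> scores, String ownId) {
        Set<String> out = new TreeSet<>();
        for (Map.Entry<String, Integer> e : scores.getOrDefault(ownId, Map.of()).entrySet())
            if (e.getValue() > MINIMUM_SCORE) out.add(e.getKey());
        return out;
    }

    public static void main(String[] args) {
        Map<String, Map<String, Integer>> scores = new LinkedHashMap<>();
        scores.put("ownA", Map.of("alice", 50, "bob", 10));
        scores.put("ownB", Map.of("carol", 40, "bob", -5));
        // When announcing ownB, the best-score rule also selects alice and bob,
        // which only ownA trusts, so ownB's puzzle choice reflects ownA's view.
        System.out.println("best of any OwnIdentity: " + selectByBestScore(scores));
        System.out.println("ownB's view only:        " + selectFor(scores, "ownB"));
    }
}
```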

