On 12/08/2013 11:38 AM, Andreas Gal wrote:
> Ryan Kelly wrote:
>> On 11/08/2013 4:36 PM, Andreas Gal wrote:
>>> once we went
>>> through one flag day and have the data stored in cleartext we can do
>>> arbitrary storage format and wire protocol format changes.
>>>
>>> Worst case we have to operate two services against the same data store
>>> (revving the wire format), or the same service against two data stores
>>> that we cross replicate (revving the storage format).
>>
>> This seems to be implying cleartext storage of the data on our servers,
>> which is fundamentally at odds with the user stories as written.
>
> The user stories ask for recoverable passwords, which means Mozilla
> stores encrypted data plus the actual keys, so we can get to the
> cleartext data as needed to do arbitrary storage conversions.

They also require that data can be opted-out of this recoverability; by default for passwords, and optionally for all data types if the user requests it. So I don't think we can depend on server-side decryption to get us out of trouble in the general case.

Ryan

_______________________________________________
Sync-dev mailing list
Sync-dev@mozilla.org
https://mail.mozilla.org/listinfo/sync-dev