Tent 0.4 notes #202
Comments
Streaming will be via Server-Sent Events. Groups are used for permissions and will support referencing groups published by other entities.
I've been thinking about Groups and have been using Instant Messaging as a way to think through how they could work. In IM, groups are used to keep messages within the group. In fact, the idea of a public post does not exist since messages must be addressed to one or more people.
I still want static groups as in #184
@danielsiders Slightly related. Are there apps that you believe should be bundled with (part of) a Tent server? You mentioned a group management app. It seems pretty foundational yet it is probably at a higher level in the technology stack than the Tent server.
For PGP, will keys be stored as Tent posts or are they more deeply tied to the server?
@tjreo I won't speculate on the features that should be part of admin apps (which I think is what we're really talking about, app bundling is about content creation rather than admin utilities) until the app ecosystem is more robust. Without a wide variety of apps, we won't know what the standard experience will be and therefore what kind of utilities are generally needed. We're still working out which parts of PGP will be exposed in what ways, need to poke around at some of the intricacies in the RFC.
@poweruser82 I just reread #184. I don't think you've made a case for this. Please provide clear use cases where dynamic groups would cause problems or static groups would create new possibilities. Groups are permissions. Not being able to dynamically modify permissions means needing to delete entire posts to remove a user's access. That means lots of broken links and a huge burden on apps for housecleaning.
Couldn't apps implement static groups by exploding the group and adding every entity explicitly to the permissions property?
@seanmonstar Absolutely. From #184: "It's trivial for an app to hardcode permissions by adding all members of a group to a post's permissions when that behavior would be desirable. Otherwise, dynamic permissions are the norm"
@danielsiders @seanmonstar I updated #184
Tent Signatures

Tent v0.4 uses the Ed25519 elliptic-curve public-key signature algorithm to sign posts. Each entity has a keypair generated and stored by the server. Posts are signed automatically by the server (using the canonical JSON). The public key is stored in a "key post". This post may be mentioned by other entities by signed "trust posts" in order to pin keys and create a web of trust.

Keys may be revoked by creating a new key post and updating the previous one with a revoked flag. All legitimate posts must be re-signed after a key change, with the exception of previously revoked key posts (these must be signed with the revoked key). Servers must reject posts with invalid and revoked signatures. Servers may reject posts with no signature.

An endpoint is added that provides channel binding to TLS. This endpoint signs the server's current TLS certificate with the entity's signing key. The endpoint provides a lightweight, decentralized alternative to the X.509 certificate authority model by leveraging the Tent web of trust.
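The acceptance rules stated in the comment above (reject invalid signatures, reject signatures from revoked keys except on the revoked key post itself, optionally reject unsigned posts), as an added example that is not part of the thread or Tent's own code. The `Post` and `KeyPost` shapes, the `id` content field, `NewSigner` and `Accept` are hypothetical, and Go's `json.Marshal` stands in for canonical JSON.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

type Post struct { // hypothetical simplified post, not the Tent schema
	Type    string            `json:"type"`
	Content map[string]string `json:"content"`
	KeyID   string            `json:"-"` // key post the signature refers to
	Sig     []byte            `json:"-"`
}

type KeyPost struct { // hypothetical stand-in for a "key post"
	Pub     ed25519.PublicKey
	Revoked bool
}

// NewSigner returns a key post and a signer; json.Marshal stands in for canonical JSON.
func NewSigner(id string) (KeyPost, func(Post) Post) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	return KeyPost{Pub: pub}, func(p Post) Post {
		msg, _ := json.Marshal(p)
		p.KeyID, p.Sig = id, ed25519.Sign(priv, msg)
		return p
	}
}

// Accept applies the stated rules; requireSig models "may reject unsigned".
func Accept(p Post, keys map[string]KeyPost, requireSig bool) (bool, string) {
	if len(p.Sig) == 0 {
		return !requireSig, "unsigned"
	}
	k, known := keys[p.KeyID]
	msg, _ := json.Marshal(p)
	if !known || !ed25519.Verify(k.Pub, msg, p.Sig) {
		return false, "invalid signature"
	}
	if k.Revoked && !(p.Type == "key" && p.Content["id"] == p.KeyID) {
		return false, "revoked key" // only the revoked key post itself is exempt
	}
	return true, "ok"
}

func main() {
	kp, sign := NewSigner("k1")
	fmt.Println(Accept(sign(Post{Type: "status"}), map[string]KeyPost{"k1": kp}, true))
}
```

After a key is marked revoked, every post still carrying its signature fails this check until it is re-signed with the new key, which is why the re-signing step in the comment matters.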
Thank you for the update. What I'd love to see is a picture that shows all of the moving parts. Are we saying that all posts (not sure what legitimate means in this context) must be re-signed once a new key is derived?
@tjreo "legitimate" means not forged (if it was revoked because it was compromised). All posts must be re-signed with the new key after the old one is revoked. This can happen totally asynchronously (even lazily on read).
We're still working out the specific mechanic for flagging posts as unauthorized (besides revoking the key and deleting any unauthorized posts). I'm also very interested in thoughts on what the defined "trust levels" should be. PGP uses a single axis. On the modern internet does it make sense to separate persona from physical world identity? e.g. I've met this entity in person and corroborated their key vs used out of band digital verification?
The web of trust idea is fantastic. Do you plan for this to interact with PGP keys at all, or is it a completely separate web? It'd be a bit of a shame to have two distinct trust webs that can't verify each other.
This is a great question. I've always thought that the identity we want to verify isn't so much what's on your birth certificate, it's that you are the same person with whom we have an established history of interaction. In meatspace, we conflate the two and it mostly works thanks to societal customs, but online it hardly matters if you're using your real name or a pseudonym. That said, I don't know if a second axis is needed. It would certainly be more complicated. Could be that the Unverified/Casual/Careful system would still work fine, especially if it's rebranded to something like:
@iangreenleaf it'll be separate from PGP--most of what PGP specifies isn't applicable to Tent. Tent also allows users to control the permissions on their endorsements of other users' keys; PGP expects them all to be public and uploaded to servers. However you could sign your Tent key with your PGP key so PGP users can verify you're the same person.
What do you think about Bruce Schneier's note 5 in the Guardian: http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
@redaktor Public-key crypto is required for cryptographic signatures. We are not using the NIST/NSA ECC spec, we're using a completely independently developed algorithm with nothing-up-my-sleeve constants generated by a completely independent entity (D. J. Bernstein).
👍
We plan for 0.4 to include:
Development on the reference implementation and technical notes won't happen for at least a month, but now's the time to offer comments.