| | 269 | == Typical Delegation Patterns == |
| | 270 | |
| | 271 | We've identified 5 kinds of point-to-point delegation operations, described |
| | 272 | [DelegationOperations here]. Types 1, 2, and 3 involve creating a new |
| | 273 | certificate (authorizing some private key to perform some set of operations). |
| | 274 | Type 4 involves giving a public key to someone else and having them start |
| | 275 | accepting requests that are signed by the corresponding private key. |
| | 276 | |
| | 277 | In the friend-net use case, we expect that type-4 delegation will be used |
| | 278 | everywhere. When Alice sets up a storage server and wants to let Bob start |
| | 279 | using it, Bob will give her a public key, and Alice will drop that public key |
| | 280 | into her server's config with a note that says "accept requests that are |
| | 281 | signed by the corresponding private key". If Bob also wants Alice to be able |
| | 282 | to use his storage space ("reciprocity"), then Alice will give a public key |
| | 283 | to Bob. |
| | 284 | |
| | 285 | In the commercial grid case, we want to achieve some isolation between |
| | 286 | clients and servers: we will be adding new clients and servers constantly, |
| | 287 | and it is important that configuring both is cheap. Requiring a client update |
| | 288 | for every new server (or a server update for every new client) is |
| | 289 | unacceptable. So in this case, we define an "Account Manager", with its own |
| | 290 | private key. We use type-4 delegation to have all storage servers delegate |
| | 291 | authority to the account manager (by dropping the AM's pubkey in the new |
| | 292 | storage server's cert-roots directory). We then use type 1 (or 2 or 3) |
| | 293 | delegation to grant authority to the clients: the AM signs a certificate that |
| | 294 | names each client's public key, and gives that certificate to the client: |
| | 295 | this certificate is called their "membership card". Each client, when it |
| | 296 | needs to upload a file, will then send their membership card and a signed |
| | 297 | request to the storage servers. |
| | 298 | |
| | 299 | == User Experience == |
| | 300 | |
| | 301 | Since Alice (who is running the storage server in our example) is who starts |
| | 302 | with full authority over that storage server, we would like the act of |
| | 303 | delegating authority to Bob to be expressed with a message from Alice to Bob |
| | 304 | (and not the other way around). Since the most likely form of delegation |
| | 305 | (type 1) involves a public key being sent in the opposite directory, we need |
| | 306 | to define a user-friendly command that can establish a communication channel |
| | 307 | for the two nodes to achieve the desired delegation. |
| | 308 | |
| | 309 | So Alice will type {{{tahoe invite Bob}}}, and her node will create an |
| | 310 | Invitation object for Bob. This object is single-use, persistent (until |
| | 311 | claimed), and remembers the pet name "Bob". It gets an unguessable swissnum, |
| | 312 | and the command then emits a FURL that references this object. Alice sends |
| | 313 | the invitation FURL to Bob via any convenient secure channel. |
| | 314 | |
| | 315 | Once Bob has received the invitation, he pastes it into an invocation of |
| | 316 | {{{tahoe accept-invitation Alice}}} (where "Alice" is his pet name for the |
| | 317 | person who sent him this invitation. Bob's node will then contact the |
| | 318 | Invitation object and claim it by sending Bob's public key to Alice. Alice's |
| | 319 | node will add Bob's public key in her root-certs directory, allowing Bob to |
| | 320 | use storage space on Alice's server. Her node will also record "Bob" as the |
| | 321 | pet name associated with this pubkey, so that her Usage display will report |
| | 322 | the usage of Bob instead of the less-useful "pubkey |
| | 323 | j7sta2uvcr345znqwfwlxitnii". |
| | 324 | |
| | 325 | The default friend-net behavior is reciprocity, so unless this is disabled in |
| | 326 | the command arguments, the Invitation process will also deliver Alice's |
| | 327 | pubkey into Bob's root-certs list, and add "Alice" and her key to Bob's |
| | 328 | pet-name table. |
| | 329 | |
| | 330 | Other material may be exchanged during the invitation process. A pair of new |
| | 331 | Tahoe directories can be established as an "inbox/outbot" pair, to let Alice |
| | 332 | and Bob exchange files securely (associated with the pre-established |
| | 333 | petnames). A FURL referencing an arbitrary object can be established for |
| | 334 | later expansion use (perhaps to enable real-time communication): while not |
| | 335 | useful in the current release, by establishing one during the initial |
| | 336 | invite/accept process, later releases will be able to build upon this secure |
| | 337 | reference. |
| | 338 | |
| | 339 | All CLI tools should have web-form equivalents, which will probably require |
| | 340 | that a set of authority-bearing non-file-related web pages must be defined. |
| | 341 | The easiest way to accomplish this is to have an unguessable "control URL", |
| | 342 | stored in NODEDIR/private/control.url, and put all these authority-bearing |
| | 343 | pages (with "Invite" buttons, etc) as children of the control URL. The user |
| | 344 | would run "tahoe show-control-url" (or "tahoe webopen control-url" or |
| | 345 | something) to access it. |
