From bc2b7f250ea18175271b14039f48ec88bc8f00ce Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone Date: Fri, 19 Mar 2021 15:03:32 -0400 Subject: [PATCH 1/3] news fragment --- newsfragments/3642.minor | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 newsfragments/3642.minor diff --git a/newsfragments/3642.minor b/newsfragments/3642.minor new file mode 100644 index 000000000..e69de29bb From 6aad53a5988da44943dc76434c0258d467c92217 Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone Date: Fri, 19 Mar 2021 15:03:36 -0400 Subject: [PATCH 2/3] explain why this conclusion is fine --- docs/proposed/http-storage-node-protocol.rst | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/docs/proposed/http-storage-node-protocol.rst b/docs/proposed/http-storage-node-protocol.rst index d0bd8cfd6..0c83dabbc 100644 --- a/docs/proposed/http-storage-node-protocol.rst +++ b/docs/proposed/http-storage-node-protocol.rst @@ -286,8 +286,13 @@ We considered making this ``POST /v1/immutable`` instead. The motivation was to keep *storage index* out of the request URL. Request URLs have an elevated chance of being logged by something. We were concerned that having the *storage index* logged may increase some risks. -However, we decided this does not matter because the *storage index* can only be used to read the share (which is ciphertext). -TODO Verify this conclusion. +However, we decided this does not matter because: + +* the *storage index* can only be used to retrieve (not decrypt) the ciphertext-bearing share. +* the *storage index* is already persistently present on the storage node in the form of directory names in the storage servers ``shares`` directory. +* the request is made via HTTPS and so only Tahoe can see the contents, + therefore no proxy servers can perform any extra logging. +* Tahoe itself does not currently log HTTP request URLs. ``PUT /v1/immutable/:storage_index/:share_number`` !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 
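Review bot: the third bullet over-claims what HTTPS buys. "the request is made via HTTPS and so only Tahoe can see the contents, therefore no proxy servers can perform any extra logging" rules out on-path intermediaries, but not a TLS-terminating reverse proxy or load balancer deployed in front of the storage node, which sees the full request line including ``:storage_index`` and usually access-logs it; it also says nothing about the HTTP server library underneath Tahoe, which may keep its own access log of request paths. The fourth bullet, "does not currently log HTTP request URLs", is a point-in-time observation rather than a protocol property; if storage indexes in the URL are acceptable only because nothing logs them, state that as a requirement on implementations ("implementations MUST NOT log request URLs" or similar) rather than as the current state. The second bullet does not answer the concern the paragraph raises: the storage server necessarily knows the storage index under either URL design, so its presence under the ``shares`` directory says nothing about whether third-party logging of it is harmless. The first bullet's "retrieve (not decrypt)" is the right framing, but retrieval of ciphertext is still a capability, and a logged storage index also reveals which shares a given client touched; the justification should say why that is acceptable rather than stop at "it is ciphertext". Minor: "storage servers ``shares`` directory" needs the possessive, "storage server's".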
From 0d2e9e8e6a77f102cf1f71a4a4fe5988f5577a9a Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone Date: Fri, 19 Mar 2021 15:41:24 -0400 Subject: [PATCH 3/3] match local prevailing convention for naming --- docs/proposed/http-storage-node-protocol.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/proposed/http-storage-node-protocol.rst b/docs/proposed/http-storage-node-protocol.rst index 0c83dabbc..0478f213e 100644 --- a/docs/proposed/http-storage-node-protocol.rst +++ b/docs/proposed/http-storage-node-protocol.rst @@ -290,9 +290,9 @@ However, we decided this does not matter because: * the *storage index* can only be used to retrieve (not decrypt) the ciphertext-bearing share. * the *storage index* is already persistently present on the storage node in the form of directory names in the storage servers ``shares`` directory. -* the request is made via HTTPS and so only Tahoe can see the contents, +* the request is made via HTTPS and so only Tahoe-LAFS can see the contents, therefore no proxy servers can perform any extra logging. -* Tahoe itself does not currently log HTTP request URLs. +* Tahoe-LAFS itself does not currently log HTTP request URLs. ``PUT /v1/immutable/:storage_index/:share_number`` !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
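Review bot: the rename matches the prevailing "Tahoe-LAFS" usage in the file, but the sentence it touches still reads as though the TLS peer is necessarily Tahoe-LAFS; consider "only the TLS endpoints can see the request URL" so the claim does not silently assume that no TLS-terminating proxy sits in front of the storage node. While this hunk is open, the unchanged context line "in the form of directory names in the storage servers ``shares`` directory" needs the possessive "storage server's".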