[Monotone-devel] Re: Security is hard. Let's work on policy branches any

monotone-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Monotone-devel] Re: Security is hard. Let's work on policy branches any

From:	Bruce Stephens
Subject:	[Monotone-devel] Re: Security is hard. Let's work on policy branches anyway.
Date:	Thu, 12 Apr 2007 12:36:54 +0100
User-agent:	Gnus/5.11 (Gnus v5.11) Emacs/22.0.95 (gnu/linux)

"Nathaniel J. Smith" <address@hidden> writes:

[...]

> Example 7:
>
> ...so actually, you don't even need more than two heads to get
> crazy-hairy cases.  Here's an example that involves just three
> nodes...:
>
>         +abc
>          / \
>       -c/   \-a
>        /     \
>       a1      b1
>               |
>               |+a
>               |
>               c1
>     
> Here a1 is trusted wrt c1, but c1 is not trusted wrt a1.  So
> presumably we should eliminate d1, leaving us with {c1, b1} as our
> candidate head set.  However, a1 is _not_ trusted wrt b1.  So
> presumably we should eliminate a1 as well, leaving us with just {b1}.
> But then, maybe c1 should be trusted again...?  Or what...?

OK, so *-merge tells you about the merged case, and now you're worried
about unmerged heads.

But can't you just ignore that?

i.e., in the above case, just stick with +abc and complain to the
user?  I guess I'm imagining some statefulness: maybe my workspace
remembers not just its branch and revision, but also the most recent
policy branch revision.

Maybe it's OK then just to update the policy branch like an ordinary
branch (so at b1, you'd update it to c1)?

That means I might miss the critical -c change from c1, or the
critical -a change from b1.

But that might happen for other reasons.  In the PKI world (presuming
one doesn't assume OCSP or something else requiring connectivity), you
mitigate that using times: a CRL says when I ought to get an update.

A reasonably monotone equivalent might be to (optionally) mark a
revision (maybe include this in the revision itself, rather than
attached with a certificate which might get lost) with the revision of
a policy branch.  In that case, monotone might require that I use a
policy revision that's a descendent of the specified revision?

i.e., when something important happens requiring a policy update, you
mark the net.venge.monotone revision accordingly, to make sure people
get the updated policy (or at least know about it).

[...]

[Prev in Thread]

Current Thread

[Next in Thread]

[Monotone-devel] Re: Security is hard. Let's work on policy branches anyway., Bruce Stephens, 2007/04/11
- Re: [Monotone-devel] Re: Security is hard. Let's work on policy branches anyway., Justin Patrin, 2007/04/11
- [Monotone-devel] Re: Security is hard. Let's work on policy branches anyway., Bruce Stephens <=
  - Re: [Monotone-devel] Re: Security is hard. Let's work on policy branches anyway., Timothy Brownawell, 2007/04/13
    - [Monotone-devel] Re: Security is hard. Let's work on policy branches anyway., Bruce Stephens, 2007/04/13

Prev by Date: Re: [Monotone-devel] [ANN] guitone-0.6 released
Next by Date: [Monotone-devel] Re: xmtn: Emacs integration via DVC
Previous by thread: Re: [Monotone-devel] Re: Security is hard. Let's work on policy branches anyway.
Next by thread: Re: [Monotone-devel] Re: Security is hard. Let's work on policy branches anyway.
Index(es):
- Date
- Thread