[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[taler-docs] branch master updated: new, simplified backup proposal
From: |
gnunet |
Subject: |
[taler-docs] branch master updated: new, simplified backup proposal |
Date: |
Fri, 06 Nov 2020 17:43:17 +0100 |
This is an automated email from the git hooks/post-receive script.
dold pushed a commit to branch master
in repository docs.
The following commit(s) were added to refs/heads/master by this push:
new acb799f new, simplified backup proposal
acb799f is described below
commit acb799f34f2d576b39203012d0c603ffaf31a232
Author: Florian Dold <florian@dold.me>
AuthorDate: Fri Nov 6 17:42:35 2020 +0100
new, simplified backup proposal
---
design-documents/005-wallet-backup-sync.rst | 6 +-
design-documents/009-backup.rst | 105 ++++++++++++++++++++++++++++
design-documents/index.rst | 1 +
3 files changed, 111 insertions(+), 1 deletion(-)
diff --git a/design-documents/005-wallet-backup-sync.rst
b/design-documents/005-wallet-backup-sync.rst
index 26dbbf1..20fce37 100644
--- a/design-documents/005-wallet-backup-sync.rst
+++ b/design-documents/005-wallet-backup-sync.rst
@@ -3,7 +3,11 @@ Design Doc 005: Wallet Backup and Sync
.. warning::
- This is an unfinished draft.
+ This document is deprecated. We have decided to first
+ implement backup, and tackle sync later.
+ The multi-device sync described in this document would lead
+ to a bad/unexpected user experience that does not justify the
+ conceptual / implementation complexity.
Summary
=======
diff --git a/design-documents/009-backup.rst b/design-documents/009-backup.rst
new file mode 100644
index 0000000..7ec8be2
--- /dev/null
+++ b/design-documents/009-backup.rst
@@ -0,0 +1,105 @@
+Design Doc 009: Wallet Backup
+#############################
+
+Summary
+=======
+
+This document describes the backup system used by Taler wallets.
+This is the second, simplified iteration of the proposal, which leaves
+out multi-device synchronization.
+
+
+Requirements
+============
+
+* Backup must work both with and without Anastasis
+
+ * When not using Anastasis, the user is responsible for keeping
+ their wallet's root secret safe.
+
+* Arbitrary number of backup providers must be supported
+* Minimize information leaks / timing side channels **if** requested by the
user
+* Minimize potential to lose money or important information
+* Since real-time sync is not supported yet, wallets should have a feature
+ where their whole content is "emptied" to another wallet, and the wallet is
+ reset.
+* Even without real-time sync, the backup data must support merging with old,
existing wallet
+ state, as the device that the wallet runs on may be restored from backup or
be offline
+ for a long time.
+
+
+Solution Overview
+=================
+
+Each wallet has a 64 byte wallet root secret, which is used to derive all
other secrets
+used during backup, which are currently:
+
+1. The sync account key for a sync provider, derived via the sync provider's
base URL.
+2. The symmetric key used to encrypt the backup blob
+
+If the user chooses to use Anastasis, the following information is backed up
in Anastasis:
+
+* list of used backup providers
+* wallet root secret
+
+
+Supported Operations
+--------------------
+
+* **restore-from-anastasis**: Start Anastasis recovery process. This requires
+ the wallet backup state to be "uninitialized".
+* **restore-from-recovery-secret**: This requires the wallet backup state to
be uninitialized.
+* **add-provider** / **remove-provider**: Add/remove a sync provider from the
+ list of providers. Adding a provider will cause payment(s) to the provider
+ to be scheduled according to the provider's terms. If the wallet backup
+ state is "uninitialized", adding a provider will set the backup state to
+ "initialized" with a fresh wallet root key. Changing the provider list will
+ also update the backup provider URL list in the anastasis core secret.
+* **abandon** / **takeover**: When the user wants to stop using a wallet on a
particular
+ device, another wallet can "take over" by reading the recovery secret of the
abandoned wallet.
+ The abandoned wallet marks explicitly in its backup blob that it is
abandoned.
+ Abandoning a wallet will set the backup state to "uninitialized".
+* **backup**: Do a backup cycle.
+
+
+Backup Format
+-------------
+
+TBD. Considerations from :doc:`005-wallet-backup-sync` still apply,
+especially regarding the CRDT.
+
+
+Initial User Experience
+-----------------------
+
+The user will be asked to set up backup&sync (by selecting a provider)
+after the first withdrawal operation has been confirmed. After selecting
+the backup&sync providers, the user will be presented with a "checklist" that
+contains an option to (1) show/print the recovery secret and (2) set up
Anastasis.
+
+The wallet will initially only withdraw enough money to pay the
+backup&sync/anastasis providers. Only after successful backup of the wallet's
+signed planchets, the full withdrawal will be completed.
+
+
+Open Questions
+==============
+
+* Should the wallet root secret and wallet database be locally encrypted
+ and protected via a passphrase?
+* What happens if the same Anastasis user has multiple wallets? Can Anastasis
somehow
+ support multiple "instances" per application?
+
+Future Work
+===========
+
+* Incremental backups?
+
+ * Instead of one big blob that always needs to be read/written, we could
have (1) a
+ limited length append-only journal and (2) a merkle tree so that the
backup blob can
+ be updated incrementally once the journal is full.
+ * Leaks more information and is more complex.
+
+* Real-time synchronization, either over some signaling server
+ or P2P connectivity (WebRTC, etc.)
+
diff --git a/design-documents/index.rst b/design-documents/index.rst
index 38825b2..55dd8c1 100644
--- a/design-documents/index.rst
+++ b/design-documents/index.rst
@@ -18,3 +18,4 @@ and protocol.
006-anastasis-ux
007-payment
008-fees
+ 009-backup
--
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [taler-docs] branch master updated: new, simplified backup proposal,
gnunet <=