cloudpeers / tlfs Goto Github PK

useful properties we care about

• confidentiality
• authenticity
• forward secrecy
• deniability
• post compromise secrecy

properties of BEC are:

• self-update
• eventual update (#53)
• convergence
• atomicity (#46)
• authenticity
• causal consistency
• invariant preservation

leaving this for after the mvp. we have a system of vouching that works well enough for the mvp

use signatures to perform acl checks is now possible. for this we need to take a bit more care to ensure convergence in the presence of revocations.

I guess this will be easier once the radix tree lands

by reusing dots byzantine nodes can cause havoc

• convergence root read permission / causally apply
• convergence partial read permission
• convergence revocation (replay) / key rotation
• convergence accross different schemas
• prune oplog and registry based on safe present
• unjoin scheduling

For some types (most, see below), the length is always the same. For other types, having a length prefix messes with the sort order. So it would be good if we could get rid of the mandatory length prefix and suffix in paths.

Prepreq for fixing #72

pub enum Segment {
    /// Document identifier.
    Doc(DocId), // fixed size
    /// Peer identifier.
    Peer(PeerId), // fixed size
    /// Randomness used to ensure path uniqueness.
    Nonce(u64), // fixed size
    /// Boolean primitive.
    Bool(bool),  // fixed size
    /// Unsigned integer primitive.
    U64(u64),  // fixed size
    /// Signed integer primitive.
    I64(i64),  // fixed size
    /// Utf8 string primitive.
    Str(String), // variable size, length prefix?
    /// Policy statement.
    Policy(Policy),  // fixed size?
    /// Path identifier.
    Dot(Dot), // fixed size
    /// Positional identifier.
    Position(Fraction), // variable size, inline varint encoding
    /// Signature primitive.
    Sig(Signature), // fixed size
}

Fraction was created to insert at arbitrary points into an ORArray (#59). As the len is encoded inside the path segment prior to the bytes, this breaks the ordering inside the sled tree, which the ORArray implemention relies on.

Before the ORArray can really be used, this must be fixed.

for the mvp we need some way of discovering local peers and adding them to the document. just giving them permission isn't enough without some mechanism to notify them?

• complete feature / add some tests
• cursor api
• note taking app demo

• use libp2p-broadcast to send messages on apply/unjoin to all connected peers subscribed to a document
• on connect and periodically, perform an unjoin with another connected peer

• A Generic Undo Support for State-Based CRDTs
• Merkle Search Trees: Efficient State-Based CRDTs in Open Networks
• webauthn: https://webauthn.guide/

The only situation where a set with more than 1 entry can happen is if somebody changes the value for a dot, which is an adversarial scenario.

I am quite confident that if somebody can edit the dot store he can cause all kinds of issues. So we don't consider this at this time and deal with it later in a more principled way.

related: #29

• documentation
  • getting started (flutter/react todoapp)
  • api reference (dart/js/rust)
  • topic based guides

astro looks quite interesting

support for atomic transactions (read committed transaction isolation)

• build shopping list app with picture tasks

in a non byzantine setting we should always converge

related to #40, #35

depends on #28

When implementing join, I can do many things using very fast radix tree ops. E.g. removing expired from the store can be done with a single tree op instead of a loop.

E.g. this loop

        for buf in causal.store.iter() {
            let path = buf.as_path();
            if !self.expired.contains_prefix(path) && !causal.expired.contains_prefix(path) {
                if !self.can(peer, Permission::Write, path)? {
                    tracing::info!("join: peer is unauthorized to insert {}", path);
                    continue;
                }
                self.store.insert(&path);
            }
        }

can be turned into this:

        let mut store = causal.store.clone();
        store.tree_mut().remove_prefix_with(&self.expired.tree());
        store.tree_mut().remove_prefix_with(causal.expired.tree());
        for buf in store.iter() {
            let path = buf.as_path();
            if !self.can(peer, Permission::Write, path)? {
                tracing::info!("join: peer is unauthorized to insert {}", path);
                continue;
            }
            self.store.insert(&path);
        }

However, operations that involve permissions at present still involve querying permissions for every path.

It would be quite useful if we had a way to produce a tree for a permission and a peer, and then perform bulk operations for that tree. This would not change except when permissions are changed.

E.g.

let writeable = self.writeable(peer, Permission::Write);
store.tree_mut().retain_prefix_with(&writeable);

right after creating a document spurious unauthorized erros may be thrown

• setup ci
• edit doc title
• edit todo title
• ui tests
• multiuser demo

reduce trust in cloudpeer by storing and performing join/unjoin on an encrypted crdt. this requires a deterministic encryption scheme with the disadvantage of suceptibility to statistical analysis. This can be mitigated by mapping low entropy path segments to high entropy random path segments. A suitable cipher would a nonce reuse resistant cipher like aes-gcm-siv.

recover from accidental or malicious data addition/removal

updates are applied in causal order

related to #40