diff options
Diffstat (limited to 'doc/todo/delay_some_uploads_to_prevent_correlation.mdwn')
| -rw-r--r-- | doc/todo/delay_some_uploads_to_prevent_correlation.mdwn | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/doc/todo/delay_some_uploads_to_prevent_correlation.mdwn b/doc/todo/delay_some_uploads_to_prevent_correlation.mdwn new file mode 100644 index 0000000..5b9e324 --- /dev/null +++ b/doc/todo/delay_some_uploads_to_prevent_correlation.mdwn @@ -0,0 +1,19 @@ +In backup, only upload to some servers immediately, and delay the rest +for up to several days, with some uploads of chaff, to prevent +collaborating evil servers from correlating related shards. + +How many servers should be uploaded to immediately? The safe answer is at least +M (--neededshares); that way the secret key does get backed up immediately. + +Uploading to less would be more secure, but risks the user thinking it +finished backing up the key, and eg, wiping their laptop. So careful +messaging would be needed in this case. + +Might just upload M-1 shares immediatly, and show a dialog saying, the +backup will be completed next Wednesday, or click here to finish it now. + +---- + +Also, when there are multiple chunks, they are currently uploaded in order. +That could easily be shuffled, with server A getting its share of chunk 2 +first, server B its share of chunk 3 first, etc. |