> information can't leak in principle, but root scores are dangerous, which
> is why open-access venti servers are problematic - if such a score
> *does* happen to leak, then unconditional access to all your data has
> also leaked.

If I understand correctly, this line of discussion
is primarily motivated by the idea of an open-access
venti server.  And it looks to me like we're basically
getting to the point where we're recognizing that
to make that happen would require some very deep
changes to venti and its underlying concepts.  It
sounds like a perfect place for an intermediary
server.  The venti itself doesn't need to be open-
access if there's a proxy server that is.  The proxy
can communicate with the clients using any unique
identifying key.  It doesn't have to be the same as
the score the back-end venti uses.  And the proxy
can do any kind of authentication you want it to.

Maybe I'm misunderstanding the problem we're trying
to solve, but if the objective is to provide open
venti access but the necessary protection mechanisms
really belong elsewhere, it seems reasonable to
create the elsewhere and not incorporate them into
venti.

Just a free observation (and worth every penny).

BLS
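
The proxy arrangement suggested in the message above, as an added sketch that is not part of the original post or of venti: clients authenticate to the proxy and only ever see random per-client handles, so a leaked handle or a leaked back-end score grants nothing on its own. Backend, Proxy, denied and the token scheme are hypothetical names and assumptions; Backend is an in-memory stand-in that addresses blocks by SHA-1 score.

```python
import hashlib
import hmac
import secrets


class Backend:
    """In-memory stand-in for the private store: blocks addressed by SHA-1 score."""
    def __init__(self):
        self._blocks = {}

    def write(self, data: bytes) -> bytes:
        score = hashlib.sha1(data).digest()
        self._blocks[score] = data
        return score

    def read(self, score: bytes) -> bytes:
        return self._blocks[score]


class Proxy:
    """Open-access front end: authenticates clients, never exposes scores."""
    def __init__(self, backend: Backend, tokens: dict):
        self._backend = backend
        self._tokens = tokens      # client name -> secret token (bytes)
        self._handles = {}         # (client, handle) -> back-end score

    def _auth(self, client: str, token: bytes) -> None:
        expected = self._tokens.get(client)
        if expected is None or not hmac.compare_digest(expected, token):
            raise PermissionError("authentication failed")

    def write(self, client: str, token: bytes, data: bytes) -> str:
        self._auth(client, token)
        score = self._backend.write(data)
        handle = secrets.token_hex(16)   # random, unrelated to the score
        self._handles[(client, handle)] = score
        return handle

    def read(self, client: str, token: bytes, handle: str) -> bytes:
        self._auth(client, token)
        score = self._handles.get((client, handle))
        if score is None:                # handle is only valid for its owner
            raise PermissionError("unknown handle for this client")
        return self._backend.read(score)


def denied(fn, *args) -> bool:
    """True if the call is refused with PermissionError."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False
```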

