Create 2026-05-13.md #790
| - Niko: Keys for personal data are simple. Complex when one needs to control who can Read and who can Write. On NextGraph, for READ purposes, we encrypt each update separately with a random symmetric key; then we pass this key to all people involved in the doc by encrypting the symmetric key with each public key; we have an ACL list with all the participants with READ access to the doc and their public keys; we send the update and the encrypted key to them. For WRITE, same: we have an ACL with the list of participants of the doc who have WRITE access; but writers need to sign the update with their key, otherwise the client rejects the update; signatures also add integrity for the reader (updates are tamper-proof); like in git we make a trail of all the updates/commits. Then we sometimes need to rotate keys when changing READ or WRITE permission, otherwise the previous permission still applies. |
| - eP: you implemented WAC in Java, I'll be curious how the WAC plays with encryption, especially with LDP containers. |
| - RZ: ... How does the ACL synchronize? |
| - Niko: NG has not implemented WAC for now. Did it for ActivityPod, but for now this would break e2ee, so not implemented. If we start with a private/public key per user and start with CRDT updates, good start, but this is costly because it needs a crypto operation on each update. Later we can talk about optimization. |
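The READ/WRITE scheme Niko sketches above, worked through as an added example (not NextGraph's code): each update is encrypted under a fresh random AES-256-GCM key, that key is wrapped once per READ participant (RSA-OAEP is used here as the stand-in for "encrypting the symmetric key with each public key"), writers sign the update with Ed25519, and the receiving client rejects anything whose author is not in the WRITE ACL or whose signature does not verify before it decrypts. `Participant`, `ACL`, `Update`, `Publish` and `Receive` are this example's own names; the participants are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"sort"
)

// Participant: an Ed25519 pair to sign updates (WRITE) and an RSA pair to receive
// wrapped content keys (READ). Names and types are this example's own, not NextGraph's.
type Participant struct {
	Name    string
	signPub ed25519.PublicKey
	signKey ed25519.PrivateKey
	boxKey  *rsa.PrivateKey
}

func NewParticipant(name string) *Participant {
	sp, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	bk, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) }
	return &Participant{Name: name, signPub: sp, signKey: sk, boxKey: bk}
}

// ACL: readers get a wrapped copy of every content key; only writers' signatures are accepted.
type ACL struct{ Readers map[string]*rsa.PublicKey; Writers map[string]ed25519.PublicKey }

func NewACL(readers, writers []*Participant) *ACL {
	acl := &ACL{Readers: map[string]*rsa.PublicKey{}, Writers: map[string]ed25519.PublicKey{}}
	for _, r := range readers { acl.Readers[r.Name] = &r.boxKey.PublicKey }
	for _, w := range writers { acl.Writers[w.Name] = w.signPub }
	return acl
}

// Update is one commit: AES-GCM ciphertext under a fresh random key, that key RSA-OAEP
// wrapped once per reader, and the author's signature binding all of it together.
type Update struct {
	Author     string
	Ciphertext []byte
	Wrapped    map[string][]byte // reader name -> wrapped content key
	Signature  []byte
}

// Each content key is used for exactly one Seal, so a fixed all-zero nonce is safe.
var zeroNonce = make([]byte, 12)

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key); if err != nil { panic(err) }
	aead, err := cipher.NewGCM(block); if err != nil { panic(err) }
	return aead
}

// signedDigest covers author, ciphertext and the sorted recipient list, so a tampered
// ciphertext or a substituted wrapped key fails verification at every reader.
func signedDigest(u *Update) []byte {
	names := make([]string, 0, len(u.Wrapped))
	for n := range u.Wrapped { names = append(names, n) }
	sort.Strings(names)
	h := sha256.New()
	h.Write([]byte(u.Author)); h.Write(u.Ciphertext)
	for _, n := range names { h.Write([]byte(n)); h.Write(u.Wrapped[n]) }
	return h.Sum(nil)
}

// Publish: random per-update key, encrypt, wrap the key for every READ participant, sign.
func (p *Participant) Publish(acl *ACL, plaintext []byte) *Update {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil { panic(err) }
	u := &Update{Author: p.Name, Wrapped: map[string][]byte{}}
	u.Ciphertext = gcm(key).Seal(nil, zeroNonce, plaintext, nil)
	for name, pub := range acl.Readers {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
		if err != nil { panic(err) }
		u.Wrapped[name] = wrapped
	}
	u.Signature = ed25519.Sign(p.signKey, signedDigest(u))
	return u
}

// Receive is the client check: WRITE ACL membership and a valid signature come before
// any decryption; READ then needs a wrapped key addressed to this participant.
func (p *Participant) Receive(acl *ACL, u *Update) ([]byte, error) {
	pub, ok := acl.Writers[u.Author]
	if !ok { return nil, errors.New("rejected: author not in WRITE ACL") }
	if !ed25519.Verify(pub, signedDigest(u), u.Signature) { return nil, errors.New("rejected: bad signature") }
	wrapped, ok := u.Wrapped[p.Name]
	if !ok { return nil, errors.New("no wrapped key for this reader") }
	key, err := rsa.DecryptOAEP(sha256.New(), nil, p.boxKey, wrapped, nil)
	if err != nil { return nil, err }
	return gcm(key).Open(nil, zeroNonce, u.Ciphertext, nil)
}
```

Removing a name from `acl.Readers` means later updates simply carry no wrapped key for that participant, so they cannot read anything published after the change; removing a name from `acl.Writers` makes every client reject that participant's later updates at the signature step. Neither step takes anything back that the participant already received, which is the gap the "rotate keys when changing permission" remark in the notes is about.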
Why does e2ee break authorization? That does not sound right to me; e2ee is an additional layer on top of authorization in my mind.
Do you specifically refer to NextGraph? Could we clarify that here before merging, please?
I wouldn't say it breaks it, but effective access is based on who can decrypt the information. Having access to encrypted blobs doesn't count, IMO.
And yet, having access to encrypted blobs or not makes a difference from a security perspective.
I believe you have advocated for proper threat modelling in the past ;)
From my understanding it's not about WAC or ACP or anything else; it is that Solid is just not compatible with e2ee for now. The sentence should be understood as "if I must implement WAC in NG, then I would have to remove the e2ee feature to make it work".
@uvdsl would it be better if I reformulated it that way?
> And yet, having access to encrypted blobs or not makes a difference from a security perspective.

Preferably it shouldn't disclose anything, but let's not dive into that on this thread.

> I believe you have advocated for proper threat modelling in the past ;)

Yes! We need to start with a diagram: https://www.w3.org/TR/threat-modeling-guide/