Replying to Avatar Silberengel

The admin issue is what makes it tough. If someone can get to it and they control the encryption key, then they can leak it.

So, you need to anonymize or obfuscate it and/or isolate it programmatically and/or physically, as well as encrypt it.
Avatar
ᴛʜᴇ ᴅᴇᴀᴛʜ ᴏꜰ ᴍʟᴇᴋᴜ 9mo ago

i know you are a bit excited about this but after you think it all through for a while, digest it, you will have some good insights

i think that nip-86 was not really quite the right direction to go with this issue, it really needs a bigger plan than just addressing the superficial requirements, because of the threats that could be involved

for sure, limiting risk can be easily achieved by only having one owner who has superseding rights and technical skill to detect and remedy problems

the more people you give administrative rights, the less powerful administrative rights have to be

Reply to this note

Please Login to reply.

Discussion

Avatar
Silberengel 9mo ago

Ideally, even a person who can leak the decrypted data wouldn't be able to make sense of that data.

Avatar
Silberengel 9mo ago

Like, if you used multisig. 🤔

Avatar
Silberengel 9mo ago

Or batch discovery. Hmm. The server holds the key, maybe, and three people hold the server key.

Avatar
ᴛʜᴇ ᴅᴇᴀᴛʜ ᴏꜰ ᴍʟᴇᴋᴜ 9mo ago

this is a painful rabbithole you are diving into there

we have to define our threat model, and you must not think outside of it for reasons you are experiencing

we have to trust our server's physical security, for example, or otherwise we have to have physical hardening on our servers, which is a great increase in cost

it can be mitigated by making encryption schemes that defeat physical breaches, but there is limits to how strong you can make this security, especially with scale, cryptography gets astronomically expensive at scale, the math is absurdly expensive compared to simple ordinary computations, the overflows and so forth involved tend to be in the dozens if not hundreds of cycles per operation

Avatar
Silberengel 9mo ago

Yeah, that's why we want different machines. Then you move the threaten more internal, which is easy to manage with permissions.

Avatar
Silberengel 9mo ago

LOL you know how much I love this logic stuff.

Avatar
ᴛʜᴇ ᴅᴇᴀᴛʜ ᴏꜰ ᴍʟᴇᴋᴜ 9mo ago

you have work to do i seem to recall, stoppit

Avatar
Silberengel 9mo ago

Okay okay.

Just realized that you could brute-force list discovery by just trying to AUTH with any active npub.

Avatar
ᴛʜᴇ ᴅᴇᴀᴛʜ ᴏꜰ ᴍʟᴇᴋᴜ 9mo ago

yes, "privacy protected" means that every user is an entry point