Hi, I started working and I implemented user api part. There is at https://gitorious.org/~mjaskurzynski/owncloud/mjaskurzynskis-owncloud/commits/firefox-sync-service. Could you give me feedback (code quality, coding style etc.)?
WBR Michal Jaskurzynski 2012/5/8 Michiel de Jong <[email protected]>: > right! oh, i hadn't thought of that option. treating the ownCloud > instance as a Sync client device rather than as (only) the Sync > server. i still think it breaks the security model though. > > if you're going to store the data without encryption on an always-on > server like ownCloud, then why not just use transport layer > encryption? Mozilla Sync goes through the painful restrictions imposed > by end-to-end encryption because no trusted server is available. if > you start trusting the server, then it's silly to keep encrypting the > data at rest. > > i mean i don't want to poop the party if people want to implement it. > you can certainly do it. i'm just saying that from an architecture > perspective it's a bit silly. because the key would be right next to > the encrypted data. > > On Tue, May 8, 2012 at 1:52 PM, Stephan Schulz <[email protected]> wrote: >> Great to have that discussion over here. I partly disagree with Michiel. If >> a user decides to trust his own cloud on his own server by storing the >> private key on it, it is very similar to trusting another instance of >> Firefox on a different computer by providing the key there. That of course >> does only apply if the user is also the owner of the own cloud, but that >> might often be the case here. >> What would be great if the user can decide to trust the ownCloud instance or >> not, by providing the user the option of both possibilities. >> >> Stephan >> >> >> ----- Original Message ----- >>> On Tue, May 8, 2012 at 7:45 AM, Timmeey <[email protected]> wrote: >>> > I don't think that it is possible to access these firefox sync data >>> > if we use the Firefox sync API. Coz by design everything gets >>> > encrypted by firefox it Self. >>> >>> exactly. it's host-proof hosting. ownCloud does not get to see the >>> data. the advantage is that if your ownCloud server gets hacked, your >>> bookmarks and potential other things you may have in there are still >>> safe. >>> >>> > >>> > Maybe there is a Way. If we find a way for the users to get the >>> > encryption key Out of firefox, Then they could give it to owncloud >>> > for "on the fly decryption" of the Data. >>> > >>> >>> no, that would totally break the design. the idea of Mozilla Sync is >>> that you store your private stuff on an untrusted server, using >>> host-proof hosting. if you start giving the private key to the data >>> server, then you end up with something that's broken. >>> >>> it is definitely an interesting goal to have your bookmarks and >>> browser settings on your ownCloud, but the way to achieve that would >>> be to allow a "don't encrypt" option in Mozilla Sync. It would also >>> be >>> very interesting to tie that in with the webfinger app and Mozilla >>> Persona. >>> >>> but if you're purely looking at using ownCloud for Mozilla Sync, then >>> IMO you need to respect its end-to-end encryption design. >>> _______________________________________________ >>> Owncloud mailing list >>> [email protected] >>> https://mail.kde.org/mailman/listinfo/owncloud >>> > _______________________________________________ > Owncloud mailing list > [email protected] > https://mail.kde.org/mailman/listinfo/owncloud _______________________________________________ Owncloud mailing list [email protected] https://mail.kde.org/mailman/listinfo/owncloud
