Right now delete is an empty payload, but the server can send that for any record. We can ensure that the client issued the delete by encrypting the payload. Would it be okay to just tag the data as delete in plaintext for the server to clean, but still somehow prove that only somebody with access issued the delete? A bonus would be to avoid replay deletes too.
Summary: Only allow clients to issue delete records but allow servers to clean them up → Only allow clients to issue delete records
Target Milestone: --- → 1.2
Created attachment 430776: v1
Assignee: nobody → edilee
Status: NEW → ASSIGNED
Attachment #430776 - Flags: review?(mconnor)
Created attachment 431449: v1.1
Attachment #431449 - Flags: feedback?(edilee) → review?(mconnor)
http://hg.mozilla.org/labs/weave/rev/c8d528f14dab Don't specially serialize/not encrypt delete records and store the deleted flag as part of the cleartext payload.
Status: ASSIGNED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
Whiteboard: [has patch][has review]
Component: Firefox Sync: Crypto → Sync
Product: Cloud Services → Firefox