Something I hadn't really considered before (I'm sure old news to security folks) is that there's an information-theoretic security principle with content-addressable storage that is reminiscent of object-capability security. You can't "guess" content hashes in an ideal oracle CAS (i.e. no timing leaks/side channels). So you can only access content by querying the CAS if you either already have the content or if you received a content hash from someone or somewhere else.
Per Vognsen (pervognsen@mastodon.social)'s status on Wednesday, 19-Mar-2025 02:36:55 JST Per Vognsen
So if you don't know anything, you're completely stuck. You need at least one root hash. And if that's valid you get at the content and from there you can do the usual thing of following hash-links to get other content. But you have a kind of transitivity or downward-closure principle that seems almost the same as with object-capability security. Like, I obviously understood this is how Git and other CAS systems work, I just hadn't formulated it to myself as an information-security thing.
To extend the analogy I guess you can also add to this revocable capabilities if you selectively indirect through a mutable oracle store with random GUIDs as keys and content hashes as values. You should end up with some kind of forward-secure version of the downward-closure property where you can only access content which is reachable from known content hashes without going through revoked links.
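The reachability property discussed in the thread, as an added example that is not part of the original posts: a toy in-memory CAS with hash-links plus a mutable GUID link store for revocable links. The class names, the node format and `demo()` are assumptions made for illustration.

```python
import hashlib, json, secrets

class CAS:
    """Idealised oracle store: lookup by exact hash only, no enumeration."""
    def __init__(self):
        self._blobs = {}
    def put(self, data: bytes) -> str:
        digest = hashlib.sha256(data).hexdigest()
        self._blobs[digest] = data
        return digest
    def get(self, digest: str):
        return self._blobs.get(digest)

class LinkStore:
    """Mutable oracle: random GUID -> content hash; entries are revocable."""
    def __init__(self):
        self._links = {}
    def grant(self, digest: str) -> str:
        guid = secrets.token_hex(16)   # unguessable key, like a hash
        self._links[guid] = digest
        return guid
    def revoke(self, guid: str):
        self._links.pop(guid, None)
    def resolve(self, guid: str):
        return self._links.get(guid)

def node(payload, hashes=(), guids=()):   # constructed node format
    return json.dumps([payload, list(hashes), list(guids)]).encode()

def reachable(cas, links, root):
    """Payloads obtainable by a party whose only knowledge is `root`."""
    payloads, todo = {}, [root]        # payloads: digest -> payload seen
    while todo:
        digest = todo.pop()
        if digest in payloads or (data := cas.get(digest)) is None:
            continue                   # already visited, or not a valid hash
        payloads[digest], hashes, guids = json.loads(data)
        todo += hashes + [t for t in map(links.resolve, guids) if t]
    return set(payloads.values())

def demo():
    cas, links = CAS(), LinkStore()
    public, secret = cas.put(node("public")), cas.put(node("secret"))
    cas.put(node("unlinked"))          # stored, but nobody holds its hash
    guid = links.grant(secret)
    root = cas.put(node("root", [public], [guid]))
    before = reachable(cas, links, root)
    links.revoke(guid)
    return before, reachable(cas, links, root), cas.get(secret) is not None
```

`demo()` returns the payloads reachable from the root before and after revocation, then whether the CAS still answers the secret's hash directly. That last value stays true: revoking the GUID only cuts off parties who had not yet resolved it.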