Hello Jan,

> I also do not like the idea of allowing unlimited access to locally
> cached objects during disconnection to work around the token expiry /
> lack of rights revalidation. If I go home and use cunlog on my desktop,
> I do that to be sure that no-one but a local root can access files that
> are cached by venus. If full access would be allowed while disconnected
> then someone can simply unplug the network cable, possibly pass a faked
> token to venus and gain access to all my files. The only way to prevent

I don't think anybody ever proposed that :)

A sneaky user would have to become your uid to do it,
It is not sufficient to pretend to be your Coda identity.

You see, "uid" above is the local one, nothing else, and token presense
just could allow using those cached rights.

cunlog or not cunlog, root can read the files anyway, but not anybody else.

> We might end up simply creating new ways to circumvent the security
> model provided by tokens and ACLs.

I do not yet see that it is the case.

> If that is so, we can then just as
> well simplify the whole thing by ripping all of the user, group, acl,

It is not so, as far as I can see :)

> But seriously, I agree that there is a problem in this area. It is just
> that the proposed solutions just don't feel right to me.

I am not convinced you would loose any security by allowing venus
to give your cached files to somebody with your uid...

On the other side, I am pretty much convinced the "uid based rights
persistency until an explicit token revalidation" would eliminate
a lot of otherwise unnecessary headache.
Yes, I am still pretty much convinced about the word "unnecessary" :)

Best regards,
and thanks for Coda!
--
Ivan