Open ItalyPaleAle opened 5 years ago
For the time stamping related component of the Auth0 implementation, perhaps it would be feasible to use an RFC2161 trusted timestamp authority. See the following links for some interesting notes on somewhat related issue: https://stackoverflow.com/questions/11913228/how-can-i-use-rfc3161-trusted-timestamps-to-prove-the-age-of-commits-in-my-git
The primary benefit of that approach is there a number of RFC2161 compliant servers out there so that if one of them fails, there are alternative providers available.
@halmos Thanks, I think this is an interesting part of the problem. However, it wouldn't let me remove the dependency on Auth0 quite yet, as it's important that the client app never sees the key stored inside Auth0 (at the moment) until the time is right. The challenge is that we're working with JS code, which could be modified too easily on the client.
Currently, Hereditas has a dependency on Auth0. While this should not pose a security risk (Auth0 stores the application token but never sees the user passphrase, so even if an attacker managed to break Auth0, they wouldn't have enough information to decrypt the data), it represents a single point of failure. What if Auth0 went out of business? What if they changed their APIs? (I find this last point quite unlikely, given that we're using OAuth2 which is an industry-standard, but in the long run it might be possible).
We need Auth0 for two separate reasons:
I am not aware of any alternative solution that doesn't require having a dependency on a specific external provider, for example something decentralized or portable.
A possible solution could involve some sort of blockchain technology. At the moment, I do not believe the decentralized, blockchain-based web is mature enough for us to use it. There are too many competing technologies, evolving fast and often with unstable APIs. Also, the user experience is still far from what we'd need for Hereditas, since our end-users (that need to unlock boxes) aren't necessarily tech-savvy.