stacks-archive / app-mining

For App Mining landing page development and App Mining operations.
https://app.co/mining
MIT License

Improper Gaia usage #150

Open larrysalibra opened 4 years ago

larrysalibra commented 4 years ago

We've also seen instances where the app writes to Gaia but this is being done improperly (i.e. encrypting data on server side instead of client side, not encrypting data that should be encrypted). The security and data ownership benefits of Gaia come from client-side encryption, user control over those encryption keys and user control over the location of their Gaia hub.

Proposal: If we find that Gaia is used improperly, apps will be ineligible for app mining.

stackatron commented 4 years ago

Hey @larrysalibra can you clarify a bit please?

– Encrypting data on server side instead of client side

How will you test? Radiks?

– Not encrypting data that should be encrypted

Seems a little more abstract. How would you test?

Walterion01 commented 4 years ago

To add to @jeffdomke's comment:

Can you share clauses of proper usage? My conclusion from your proposal is that these are to prevent locking out the user and prevent her right to the data:

Also, I'd like to have an automated tool, maybe to check the network usage or files? To help with scaling and minimizing human error.

larrysalibra commented 4 years ago

> Hey @larrysalibra can you clarify a bit please?

In my view, sending the app private key outside of the user's browser or encrypting on a server instead of on the user's device is improper use.

I'd ask some of the Gaia team from PBC to clarify - this issue was raised by members of the PBC team.

> How will you test? Radiks?

We will not actively test for this. If it comes to our attention either because we happen upon such behavior or someone brings it to our attention (in the past this came to our attention when PBC team members raised it with us).