Diffstat (limited to 'doc/sphinx/introduction.rst')
-rw-r--r-- | doc/sphinx/introduction.rst | 44 |
1 files changed, 24 insertions, 20 deletions
diff --git a/doc/sphinx/introduction.rst b/doc/sphinx/introduction.rst index bfff83a..cf1630a 100644 --- a/doc/sphinx/introduction.rst +++ b/doc/sphinx/introduction.rst 
@@ -54,24 +54,28 @@ to recover their core secret. The recovery document --------------------- -A **recovery document** includes all of the information a user needs to -recover access to their core secret. It specifies a set of **escrow -methods**, which specify how the user should convince the Anastasis server -that they are "real". Escrow methods can for example include SMS-based -verification, video identification or a security question. For each escrow -method, the Anastasis server is provided with **truth**, that is data the -Anastasis operator may learn during the recovery process to authenticate the -user. Examples for truth would be a phone number (for SMS), a picture of the -user (for video identification), or the (hash of) a security answer. A strong -adversary is assumed to be able to learn the truth, while weak adversaries -must not. In addition to a set of escrow methods and associated Anastasis -server operators, the **recovery document** also specifies **policies**, which -describe the combination(s) of the escrow methods that suffice to obtain -access to the core secret. For example, a **policy** could say that the -escrow methods (A and B) suffice, and a second policy may permit (A and C). A -different user may choose to use the policy that (A and B and C) are all -required. Anastasis imposes no limit on the number of policies in a -**recovery document**, or the set of providers or escrow methods involved in +A **recovery document** includes all of the information a user needs +to recover access to their core secret. It specifies a set of +**escrow methods**, which specify how the user should convince the +Anastasis server that they are "real". Escrow methods can for example +include SMS-based verification, video identification or a security +question. For each escrow method, the Anastasis server is provided +with **truth**, that is data the Anastasis operator may learn during +the recovery process. 
Truth always consists of an encrypted key share +and associated data to authenticate the user. Examples for truth +would be a phone number (for SMS), a picture of the user (for video +identification), or the (hash of) a security answer. A strong +adversary is assumed to be able to learn the truth, while weak +adversaries must not. In addition to a set of escrow methods and +associated Anastasis server operators, the **recovery document** also +specifies **policies**, which describe the combination(s) of the +escrow methods that suffice to obtain access to the core secret. For +example, a **policy** could say that the escrow methods (A and B) +suffice, and a second policy may permit (A and C). A different user +may choose to use the policy that (A and B and C) are all required. +Anastasis imposes no limit on the number of policies in a **recovery +document**, or the set of providers or escrow methods involved in guarding a user's secret. Weak adversaries must not be able to deduce -information about a user's **recovery document** (except for its length, which -may be exposed to an adversary which monitors the user's network traffic). +information about a user's **recovery document** (except for its +length, which may be exposed to an adversary which monitors the user's +network traffic). |
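Review bot: The inserted sentence "Truth always consists of an encrypted key share and associated data to authenticate the user." changes what "truth" means, but the examples that follow it ("a phone number (for SMS), a picture of the user (for video identification), or the (hash of) a security answer") still describe only the authentication data, not the key share, so a reader now gets an inconsistent definition. Suggest rewording the examples to "Examples for the authentication data would be ..." and, since "A strong adversary is assumed to be able to learn the truth" now covers the encrypted share as well, stating explicitly that such an adversary learns only the ciphertext of the key share and what protects it, so the threat model reads correctly with the new definition. Minor: the substantive one-sentence change is buried in a paragraph re-wrap; keeping the re-wrap in a separate commit would make the meaning change reviewable on its own.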